Nmap Announce mailing list archives

Re: decoy traffic and legal admissibility of logs in court


From: Adam Shostack <adam () netect com>
Date: Sat, 10 Apr 1999 18:59:45 -0400

Peter Sommers, of Kings College London, did a paper on this subject
for RAID 98 which I enjoyed.  Peter was an expert for the defense of
the fellow accused of hacking Rome Air Force Base.

Adam


On Sat, Apr 10, 1999 at 04:07:25PM -0400, Ken Williams wrote:
| during conversation recently about some network hacks in which a number
| of machines were compromised, and while i was going through logs of 
| several machines that have been compromised on a couple of different 
| networks that i admin, an interesting legal issue regarding decoy traffic
| came up.  after analysis of logs, it has become clear that some of the
| traffic can definitely be attributed to decoys/spoofing.  consequently,
| the question of the validity of system logs and the legal admissibility of 
| logs in court, in general, has arisen.  the recent issue regarding 
| Linux kernels <= 2.0.35 and blind tcp spoofing figures into the equation
| too now, especially with the release of the receive.c and lin35.c spoof 
| code.
| 
| thoughts? comments? suggestions? flames?
| 
| take it easy,
| 
| Ken Williams
| jkwilli2 () csc ncsu edu 
| 
| Packet Storm Security                 http://packetstorm.genocide2600.com/
| Trinux: Linux Security Toolkit http://www.trinux.org/ ftp://ftp.trinux.org
| PGP DH/DSS/RSA Public Keys     http://packetstorm.genocide2600.com/pgpkey/
| NCSU Computer Science    http://www.csc.ncsu.edu/    jkwilli2 () csc ncsu edu
| SHANG: Secure Highly Available Networking Group http://shang.csc.ncsu.edu/
| 