Penetration Testing mailing list archives

Re: [PEN-TEST] Implications for "Looking around?" [FBI confiscation of allegedly curious student]


From: David Ford <david () LINUX COM>
Date: Wed, 1 Nov 2000 09:39:42 -0800

DA Smith wrote:

This has been posted to Slashdot and I saw one very good comment on
Nanog about this.  It bothers me, on the PEN-TEST level as many of us
started out by simply looking around.  And, from reading posts here
and on Bug-Traq, still do.  (The person in question details exactly
what he did).

The person in question, Andres (public), was looking around a crime scene.
He states that comparing it to a crime scene is preposterous, but that begs
to be answered: what is his definition of a crime scene?

In my professional opinion as an investigator, yes, he was in a crime
scene, and yes, because his connections were slightly more than
normal, his activity is now suspect, albeit low on the list.

The normal visitor doesn't connect to a variety of ports and do zone
transfers.  This activity is surely what brought him above the noise
level.  Any investigator worth his beans would take note.

Just as investigators are on the watch for people who visit a crime
scene afterwards in real life, the feds will also watch.  One of the
most common traits with criminals is their desire to watch the ensuing
activity.  In cyber world, one of the most common traits is to check
back and see if the site is still vulnerable, your backdoor is still
there, and nobody else is claiming your territory.

It's certainly unfortunate that an innocent person is caught up in the
melee, but not unexpected.  People yammer about rights, invasion of
privacy, et cetera, but it is not my right, or expectation thereof, to
investigate a crime scene, particularly when I have no relation to it.

If I step into such a situation, I must be prepared to answer why I was
there and defend my activity.

If you read the article Andres wrote, you'll note that they didn't take
everything. They took only equipment that could have been used for this
activity.  He retains possession of several things he requested
including mass storage discs.

He appears to feel that the feds shouldn't have the ability to come in
and "yank away for weeks or [longer] ..."  Without this ability, any
incriminating data can be destroyed in minutes if not seconds.

Stop and weigh the balance for a moment then continue.

Put yourself in the shoes of the victim.  Do you want the purported
criminal to be able to know the feds are coming and have the ability to
destroy any evidence because the feds must wait outside for you to bring
the computer to them?

There isn't a perfect solution between law enforcement granted abilities
and the rights of an individual.  They have to be weighed.

This isn't Operation Sundevil or even close to it.  It's something that
happens every day to people.  Someone gets nosy in the wrong place and
the investigator comes knocking.

The feds aren't "out to get you."  I've faced the feds several
times due to cyber incidents, and I've never had my equipment confiscated,
even when that was their intent when they arrived, the evidence was a
whole lot more damning than port scans and zone transfers, and I didn't
carry an investigative business card.

To summarise: looking around is fine; turning things over at a crime
scene to see what's underneath is for the investigators, not bystanders.

-d

--
"The difference between 'involvement' and 'commitment' is like an
eggs-and-ham breakfast: the chicken was 'involved' - the pig was
'committed'."
