Re: RE: Computer forensics to uncover illegal internet use

[Steve Kudlak <chromazine () sbcglobal net>]

dave kleiman wrote:

> Jason,
>
> You are definitely off here.
>
>
> """Companies and their lawyers who fail to keep up with child pornography
> law do so at their peril. The bipartisan resolve of state and federal
> legislators to combat child pornography has led to laws that put the fate of
> those who innocently possess child porn -- such as counsel and their forensic
> experts -- largely at the mercy of prosecutorial discretion.
> Dealing administratively with employees who use company computers to view or
> download child pornography no longer suffices. In fact, company lawyers or
> managers risk serious criminal penalties if they merely terminate an
> offending employee and delete only visibly illicit images from his desktop
> computer.
> The law generally treats child porn like heroin: mere knowing possession of
> it is a crime. Possession on behalf of a client to assist in an
> investigation or  defense is no exception. As one court put it: "Child
> pornography is illegal contraband."""
>
> """Criminal liability may also be triggered by knowing possession of a
> single child porn image. A limited statutory affirmative defense is
> available when a defendant possesses fewer than three such images, but only
> if the defendant: (1) does not retain any offending visual depiction; (2)
> does not allow any person other than a law enforcement agent to access the
> offending visual depiction; and (3) promptly takes reasonable steps to
> destroy each such visual depiction or reports the matter to a law
> enforcement agency and gives the agency access to each such visual
> depiction. """
>
> """Notably, this statutory affirmative defense is not available if three or
> more images are found -- and usually where there is one such image, there are
> dozens or hundreds more. Thus, if a company finds multiple child porn images
> on an employee's computer, the affirmative defense evaporates, and handling
> or even destroying the images may expose the company to criminal
> liability."""
>
> I think you need to read the following:
>
> http://www.strozllc.com/publications.html
>
>
> October: Beryl Howell and Paul Luehr co-authored the article, "Child Porn
> Poses Risks to Companies That Discover it in the Workplace." It appeared in
> the October 4, 2004 issue of the New York Law Journal http
> "ChildPornPosesRisks.pdf"
>
> January 5: Eric Friedberg's article, "To Cache a Thief: How Litigants and
> Lawyers Tamper with Electronic Evidence and Why They Get Caught;" published
> in The American Lawyer magazine  "To Cache A Thief.pdf"
>
> http://www.ijclp.org/Cy_2004/ijclp_webdoc_6_Cy_2004.htm
>
>
> Characteristics of a Fictitious Child Victim: Turning a Sex Offender's
> Dreams Into His Worst Nightmare
> BY JAMES F. MCLAUGHLIN
> Reference: IJCLP Web-Doc 6-Cy-2004
>
>
>
> There are cited cases pertaining to this exact subject proving your comments
> and methodologies are wrong!!
>
> You do not have the right to wipe the drives!!
>
>
>
> Regards,
>
> Dave
>
>
>
>
>  
>
> > -----Original Message-----
> > From: Jason Coombs [mailto:jasonc () science org]
> > Sent: Friday, September 02, 2005 19:30
> > To: Craig, Tobin (OIG); echow () videotron ca;
> > security-basics () securityfocus com;
> > jbeauford () EightInOnePet com; dave kleiman; Sadler, Connie
> > Cc: Bugtraq; Full-Disclosure; Antisocial
> > Subject: Re: Computer forensics to uncover illegal internet use
> >
> > Tobin Craig (tobin.craig () va gov) wrote:
> >    
> >
> > > I have spent considerable time
> > > researching ad discussing with
> > > lawyers your fantastic notion that
> > > corporations are exempt from
> > > reporting electronic crimes against
> > > children.
> > >      
> > What is this thing you believe in, an 'electronic crime
> > against a child' ?
> >
> > Are you even aware of the self-contradiction in your own position?
> >
> > I understand the psychological conditioning that law
> > enforcement and prosecutors experience that results in your
> > sort of enthusiastic or zealous enforcement and application
> > of law. To a great extent I admire those who undergo this
> > conditioning, and value those persons who are willing to live
> > under its effects in service of my safety and to protect and
> > defend my rights.
> >
> > However, it is my duty, as your employer, to make sure that
> > you receive the mental health care that you need when you
> > begin to believe in fantastic things such as these
> > 'electronic crimes against children'.
> >
> > Your intentions may be fine, but your reasoning is actually
> > quite insane. An 'electronic crime against a child' ?
> > Absolutely outrageous and patently absurd. There is no such thing.
> >
> > Tobin Craig (tobin.craig () va gov) wrote:
> >    
> >
> > > Title 18, USC 3:  Accessory after
> > > the fact.
> > > "Whoever, knowing that an offense
> > > against the United States has been
> > > committed, receives, relieves,
> > > comforts or assists the offender in
> > > order to hinder or prevent his
> > > apprehension, trial or punishment, is
> > > an accessory after the fact."
> > >      
> > You presume to deprive me of my right to wipe my hard drive
> > because, in your expert opinion and in the legal opinion of
> > some prosecutors, doing so causes me to violate Title 18, USC
> > 3 - making me an accessory to your so-called 'electronic
> > crime against a child' - and you are mistaken.
> >
> > You fail to understand the very important distinction between
> > merely suspecting that a crime may have been committed and
> > actually KNOWING.
> >
> > To violate Title 18, USC 3 you must actually know, not merely
> > suspect, that an offense has been committed. You are wrong
> > when you think that the mere presence of data on a hard drive
> > prove to you, the trained computer forensic examiner, that a
> > crime has occurred.
> >
> > Seeing child porn may make you feel as though you have been
> > assaulted, but that is your own subjective and purely
> > emotional reaction, and does not prove anything to you. It
> > does not cause you to KNOW that an offense has been
> > committed. You may choose to report your suspicion, and the
> > reasons for it, but you most certainly do not have any
> > obligation pursuant to Title 18, USC 3 until and unless you
> > actually KNOW.
> >
> > Seeing digital content that you know perfectly well is not a
> > live broadcast of an act in progress should not give rise to
> > your feeling that you KNOW an offense has been committed.
> >
> > A highly-trained and credentialed 'IT Forensic Director,
> > Computer Crimes and Forensics' professional such as yourself
> > should understand the difference, but you don't. Your
> > technical training ignores this extremely important awareness
> > and your personal bias coupled with the fact that you never
> > work on behalf of the defense render you unable to know the
> > difference between opinion and fact.
> >
> > Seeing such pornography on a computer that you are
> > responsible for maintaining or which you own may prove that
> > somebody (e.g. a spyware operator, an intruder, or a porn
> > purveyor, or Microsoft) has harmed you in some fashion. You
> > are a victim both of your own emotional reaction to what you
> > have seen, and your computers show that somebody has likely
> > trespassed against you. The trespassing was electronic, but
> > under law that is now a crime as well. Are you an accessory
> > to the crime against yourself if you do not report it and
> > attempt to press charges? No.
> >
> > More to the point, you only have proof of your own
> > wrongdoing: possession of contraband data. You are absolutely
> > permitted to destroy that evidence, else you would be
> > compelled to offer evidence against yourself in reporting
> > your crime to law enforcement.
> >
> > Perhaps, in your view, we need everyone, everywhere, to know,
> > as soon as possible, that they do not have the right to wipe
> > hard drives because the legislature has passed these laws,
> > you see, and, well, some law enforcement people and some
> > lawyers who law enforcement have spent considerable time
> > talking with believe that it would be a violation of Title
> > 18, USC 3 for either a natural person (or a person
> > incorporate) to continue to exercise their property rights,
> > or to enjoy any of their other Constitutional protections,
> > when their property becomes an electronic crime scene where
> > an electronic crime against a child may have occurred?
> >
> > Do you believe that the government has the right to press
> > every one of us into both a) self-incrimination, and b) the
> > service of the State in enforcing its various criminal laws?
> >
> > If you really have the depth of experience with the
> > application of law in a courtroom as you imply, you will know
> > that lawyers give educated opinions, but that they are still
> > just opinions. You will get a different answer from the
> > lawyers with whom you speak when you do a better job of
> > explaining to them that their belief that some
> > unconstitutional legislation that creates the fantastic
> > notion of an 'electronic crime against a child' is both
> > impossible, in reality, and misinformed, in practice. Make a
> > better showing of fact on this important issue and you will
> > hear a different educated opinion. You are literally hearing
> > your own thoughts echoed back to you as legal opinion because
> > you are failing to properly construct the argument you make
> > in defense of your own rights.
> >
> > I assure you that your lawyer friends are wrong, but what is
> > more wrong is your own forfeiture of your rights because you
> > choose to believe that they do not exist. When you phrase
> > your questions to them presuming that you have no rights,
> > well, you get the legal opinion and the answer that you deserve.
> >
> > When my hard drive becomes contaminated with child
> > pornography because of the actions of some third-party, I
> > have two conflicting duties:
> >
> > 1) to clean my hard drive of the offensive material as soon
> > as it is practical for me to do so, and,
> >
> > 2) to be careful not to recklessly endanger other persons by
> > destroying the only evidence that may clear them of any
> > potential accusations of wrongdoing, or by spawning an
> > irrational witch hunt or a stampede where I know ahead of
> > time that somebody will be hurt.
> >
> > Because of #2, it is still the best decision for a company to
> > image, encrypt, and store with counsel the hard drive images
> > of concern.
> >
> > No report should be made to any law enforcement agency.
> >
> > A logged record of wiping the drive where the log entry is
> > designed intentionally to mislead an unskilled reader, so as
> > to conceal from casual observation the fact that the
> > encrypted drive image was made and placed in storage before
> > the drive was wiped, is absolutely the right decision to make.
> >
> > Give me a subpoena and you will get the truth, and the hard
> > drive images, and the decryption keys. Without a court order,
> > you will get only a misleading log of a hard drive having
> > been wiped during incident response.
> >
> > If we live in a rational world, and if time permits, I would
> > say that carefully wiping a drive image of all contraband
> > images so as to preserve any potentially-valuable exculpatory
> > evidence and so as to remove any fear of prosecution for
> > allegedly possessing or distributing the contraband would be
> > the best approach. But, are we supposed to just accept the
> > economic harm that such enormous time investment causes? I think not.
> >
> > Furthermore, the law should not, in my opinion, be
> > interpreted so as to actually encourage employees to spend
> > dozens of hours looking at child porn on the job in order to
> > wipe it selectively from retained drive images.
> >
> > Despite your assertions to the contrary, every child porn
> > statute that I have reviewed in a variety of jurisdictions
> > stops short of criminalizing the viewing of child pornography
> > incidental to one's necessary job function or without the
> > intent to possess the material or participate in commerce
> > with another person surrounding the viewing, as for-pay.
> >
> > Your suggestion that simply viewing child pornography outside
> > the presence of law enforcement is a criminal offense, even
> > for a defense attorney, is completely wrong.
> >
> > However, as you have demonstrated, much better than I could
> > have done, we actually live in an irrational world where law
> > enforcement-affiliated persons such as yourself, and even
> > full-fledged sworn LEAs, currently believe in fantasies like
> > so-called 'electronic crimes against children' -- and worse
> > yet, believe that the crime actually occurs over again, and
> > is even commited automatically (by computers) every time
> > contraband bits are copied or moved.
> >
> > Tobin Craig (tobin.craig () va gov) wrote:
> >    
> >
> > > You have openly stated in this
> > > forum that your position is to wipe
> > > the drive which might otherwise be
> > > used in the investigation of crimes
> > > against children.
> > >      
> > Yes. Wipe the drive. Any person who has any knowledge of this
> > subject and any common sense would do the same. If you have
> > any reason to believe that a real crime against a real child
> > may have occurred or may be occurring, then you will
> > obviously adjust your response accordingly.
> >
> > If you actually believe that thumbnail child porn imagery
> > downloaded from the Internet, and every occurrence of the
> > electronic storage to a hard drive of any child porn digital
> > imagery, constitutes another crime against a real child, then
> > you will immediately take whatever steps you believe are
> > appropriate to help apprehend a suspect. To do otherwise,
> > given your belief, is probably an actual offense under Title
> > 18 USC 3, as was claimed.
> >
> > What? You say that this sounds rather like a self-fulfilling
> > prophecy? Hmm... No matter, it's the law of the land.
> >
> > Let the observer decide if they feel like there is such a
> > thing as an electronic crime against a child, and if they
> > believe there is one then make it a crime not to treat it as one.
> >
> > Let the witch hunt begin.
> >
> > Burn the witches! Burn them!
> >
> > You there, sitting next to that computer, you're a witch,
> > aren't you? No? Prove that you aren't one. Prove it, or burn!
> >
> > I repeat that this thinking is insane.
> >
> > You have to be insane in order to believe in electronic
> > crimes against children, and once you are insane you are
> > bound by law to help burn somebody for the crime because you
> > believe in its existence...
> >
> > How very sick.
> >
> > Whatever happened to the good old days when the definition of
> > 'crime' was objective rather than subjective? And what
> > happened to law enforcement training that people have rights
> > that are not to be infringed?
> >
> > Where have all the LEAs gone who used to believe in
> > conducting investigations to uncover all possible exculpatory
> > evidence in addition to that which is inculpatory?
> >
> > LEAs have had their position usurped by forensic expert
> > opinion testimony.
> >
> > This has resulted in LEAs not even doing investigations. They
> > are now just the hands and the legs of the forensic
> > investigator who uses deductive reasoning, fancy technology,
> > and their valuable learnings in order to eliminate reasonable
> > doubt through the power of thought alone.
> >
> > Crimes are now often a matter of opinion, not a matter of
> > reasonable proof. Does that not concern you substantially?
> >
> > Are you teaching your children that somebody else's opinion
> > will send them to prison under the modern day criminal jutice system?
> >
> > I am teaching mine this, because it is the truth. In my
> > opinion, that is more a crime against my child than what you
> > propose to be an 'electronic crime' against somebody else's.
> >
> > Your training and experience are biased against the defense
> > because you are trained by law enforcement and you are never
> > exposed to fundamental principles that would equip you to
> > properly apply an unbiased and well-informed approach to your
> > work. Ask yourself why not? Is there something wrong with
> > 'computer forensics' that these truths must be ignored in
> > order for 'computer forensics' to be used in practice?
> >
> > My answer is yes, there is. You are what's wrong with
> > so-called 'computer forensics' -- it is a biased system for
> > telling lies under the guise of expert testimony, and these
> > lies are being told over and over again in jurisdictions
> > around the world. The purpose of the lies is to advance the
> > cause, bias, and belief system of those who tell them. Your
> > stated cause (today) is to catch everyone who commits an
> > 'electronic crime against a child' -- the methods and
> > thinking from which you derive this cause will, naturally,
> > allow you to choose a different cause in the future and
> > pursue it as well. Go get those 'electronic terrorists' who
> > spread speech that harms commercial interests. Anyone who
> > expresses hate toward Microsoft and its dangerous products
> > must be an electronic criminal. Your expert testimony can
> > take them off the street, so go to it. Hate speech, and
> > speech against the interests of commerce, are against the law.
> >
> > Go enforce the law to the best of your opinion. We depend on
> > you to do just that, and to do it well.
> >
> > Moderator:
> >
> > This discussion is very important to the basics of
> > information security. Please approve this and other postings
> > that include the word 'insane' -- you can see that the term
> > is not being used to flame, but to express accurately a
> > technical issue that is fundamental to security:
> >
> > Namely, that security is a belief - and not all beliefs are
> > reasonable, nor healthy. Adopting the wrong set of beliefs
> > will actually harm your ability to understand what security is.
> >
> > A loss of legal protections for us as computer owners and
> > operators, if we choose to forfeit our rights or allow
> > ourselves to be tricked into thinking they do not exist, is a
> > security risk just as certainly as any worm or Trojan
> > (malicious software that grants an attacker further access to
> > our computers at a future time, after it has infected a host).
> >
> > A large number of people believe, incorrectly, that law
> > enforcement is a form of security. This discussion helps to
> > illustrate clearly that this is a flawed belief and that law
> > enforcement can be one of the security threats against which
> > we all must defend ourselves and our companies.
> >
> > This is especially true today given the fact that law
> > enforcement, as viewed individual by individual, frequently
> > believe in irrational legal fictions like 'electronic crimes
> > against children'.
> >
> > What is the penalty under law for triggering and fueling an
> > irrational witch hunt, or a panicked stampede that crushes
> > and tramples its victim-participants, in your jurisdiction?
> >
> > Every person who comes into contact with evidence that may be
> > interpreted to be proof of an 'electronic crime against a
> > child' should find out the answer to this question before
> > they decide to try to report it to anyone.
> >
> > Wipe your drives and get on with life. It is not your job to
> > protect electronic children from virtual harm.
> >
> > Sincerely,
> >
> > Jason Coombs
> > jasonc () science org
> >
> > P.S. Tobin, does the signature line of your e-mail (below)
> > indicate that you are the very person of whom, having just
> > been wrongfully convicted of a child porn offense at a court
> > martial hearing where his own defense side so-called
> > 'computer forensics expert' testified against him by doing
> > nothing more than finding and documenting the porn, the
> > military service member who appealed to me (too late) for
> > expert witness testimony on his behalf (to help the judge
> > understand the technical evidence in a fashion that his
> > incompetent law enforcement-affiliated 'computer forensics'
> > expert refused to do or was incapable of doing) must ask help
> > after he is released from confinement in two years and is
> > dishonorably discharged? Is it your opinion that the presence
> > of child porn on his hard drive is proof enough of his guilt?
> > That was the opinion given by the 'computer forensics expert'
> > that his attorney hired, and his career in the service has
> > come to an abrupt end as a result. Perhaps he!
> >  will never become a 'veteran' such that his affairs are
> > none of your concern. Just wondering. If you weren't so badly
> > confused, you could actually help some innocent people who
> > are deserving of your expert assistance.
> >
> >    
> >
> > > Just my opinion.
> > > ___________________________
> > > Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE IT Forensic Director,
> > > Computer Crimes and Forensics Department of Veterans
> > >      
> > Affairs Office of
> >    
> >
> > > Inspector General
> > > 801 I Street NW
> > > Washington DC 20001
> > >
> > > Tel: 202 565 7702
> > > Fax: 202 565 7630
> > > ___________________________
> > >      
> >    
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>  
Hate to play alwyer here but doesn't all of this get shot down by 3rd 
Circuit Federal Court of Appeals decisions regarding the FBI's  Innocent 
Images project?  It basicly shot down the concept of  "you clicked on a 
chold porn link therefore you're guilty."  This is all enshired in 
Federal Cases. No one must admit that a good prosecutor can indioct a 
ham sandwich and all that. But overall that doesn't happen. Now Federal 
Prosecutors and Investigations staffs are very good at sort of getting 
warrants and raiding someone's house or business and going thru 
everything. But if the person doesn't scare and cop to something they 
never did, then federal prosecutors generally have to back off in cases 
where it is just things accumulating on disks etc. Futhermore in states 
with a high privacy expectation like California there is a good reason 
to say "We don't go through our customers data looking for things out of 
the ordinary". One might argue it to be different it were one's 
employees. However if you are offering a primo privacy service then you 
can legitimately scrub disks as a part of the biz plan.

Much of Law Enforcement and theiir Public Providers of services depends 
on scaring people and businesses into good behavior when it is neither 
necessary or ethical. My suspicion is that one can ignore this tactic if 
one wishes as one is reasonably careful.. I am sure that people will be 
offereing  "Computer Forensics Services" to find the scary things on 
your compnys disks for $500 a pop but no good reason one has to engage 
in such silliness.

Excuse my flipness. I just got through friends caught up in this call 
people stranded and alone by the hurricane in the SOuthland and all 
these other things do ring silly right now.

Have Fun,
Sends Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/