Full Disclosure mailing list archives
Re: Fw: [IACIS-L] Statement by Defense Expert
From: <Glenn.Everhart () chase com>
Date: Thu, 7 Jun 2007 10:33:52 -0400
Ayup, true enough re jury confusion. Once a machine has had a malware infection though, the point a layman needs to understand is simply: it is not possible in under (a large number, maybe 1000) man-years to determine that the machine has not been remotely controllable if connected to an outside net. Further, it is not possible to say with certainty that an apparently clean machine, so connected, has not been infected in the past by something that removed its traces. One is left with probabilities.

If, for example, I am looking for a worm author and find on his computer lots of partial code, edited versions of the worm, and maybe the final one, compilers etc., while it is possible these were inserted by an evil outsider, I might reckon that local creation is more likely. If all I find is a cache of warez, nasty pictures etc., and some server running, it is harder to exclude the idea the box might be in use by an evildoer as a hiding place for material the outsider is unwilling to risk serving out himself.

As long as "experts" are suitably modest about what they can know, and explain the probabilities honestly, all could be well. The more of these "elderly jury selectees" that are informed ahead of time about the limits of what can be found, the better. The story about Mr. Ballmer (Microsoft CEO) having a box infected, taking it to work to get it cleaned, and having all the experts he could access be unable to clean it save by wiping and reloading, may be a useful one to spread to said jury pool folks. It makes it clear the level of expertise and time needed to clean a box up, suggesting that Mr. 20something-self-proclaimed-forensic-guy who swears "there could never have been external meddling on this box" might be just a tad out of his depth.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of J. Oquendo
Sent: Thursday, June 07, 2007 8:42 AM
To: Valdis.Kletnieks () vt edu
Cc: Full Disclosure; Jason Coombs
Subject: Re: [Full-disclosure] Fw: [IACIS-L] Statement by Defense Expert

Valdis.Kletnieks () vt edu wrote:
So I take it that law enforcement computer examiners and prosecutors *do* have the years of experience in software engineering and exploit construction and use, to qualify them to translate a bit of data into forensic evidence of guilt?
Catch 22. This is why prosecutors often rely on expert witnesses who even then are lacking. One of the things many omit in their methods of thinking when it comes to perhaps going to trial is the following, and please take it very seriously... Will the JURY understand it, first and foremost, and secondly, will the jury even give a rat's ass?

From experience, 1) the jury WILL NOT understand even 1/2 of the terminology, nor the concepts and analogies you can throw at them. This works to the benefit of whichever side is willing to exploit the jurors. "Overwhelm them with so much technology they'll have to believe the accused is guilty. After all, why bring in all of these *experts*?" (for the prosecution). "Overwhelm them with so much technology to counter the former experts' expertise and throw in doubt..." (for the defense).

On the latter... While "guilty until proven innocent" is the American dream, it is seldom practiced. If so, there would be no need for bail, since the defendant is after all innocent. (Bottom line: holding true to the letter of the law... Not practical, but this concept of innocent until proven guilty is flawed.)

Anyhow, if one were to find themselves on trial, this is what you SHOULD expect... You will get a jury of your so-called peers. So let's define peer: Noun 1. peer - a person who is of equal standing with another in a group. Your peers will never be of equal standing from a technological perspective, period. For one, it would take a miracle to gather a bunch of computer literate users for jury duty. Heck, you will likely find 0; even if one appears for jury duty, it is likely the prosecution will try to rid this person from selection. It's not in their best interest to have someone fully technical on trial for a few reasons. 1) The juror might associate his experiences with the case being tried and taint an outcome based on HIS experience, not the facts presented. That would be the main reason. It might not be in the best interest of the defendant for the same reason.
No sir, your peers will consist of someone who's likely going to be computer illiterate, likely twice your age, etc. They'll 1) be frustrated they have to go through jury duty and want to get things over with to return to normal life. 2) They'll be looking like a deer in headlights trying to understand what the hell an expert is talking about: "SMTP is a protocol used to deliver electronic mail. This mail consists of binary zeros and ones which when converted formed a corrupted gif image which caused Microsoft's Windows Small Business Server to suffer a buffer overflow." Might sound like clockwork to anyone here, but will sound like Klingon to a juror.

I could go on and on... But one should be able to envision the possibilities of jurors being lost and irate. I may or may not do a write-up based on my case, but that is likely going to irritate a lot of federal agents, and it will likely mean I will end up posting my case files online, which will further piss off more federal agents and perhaps place me back to square one. Who knows, maybe I will discuss this with an attorney beforehand. Lest I face the wrath of again breaking into an employer while on an airplane. But hey... An expert can always be called in on my defense on how it would have been impossible to spoof over the Atlantic Ocean... Then again, a counterexpert could show the possibility of me hijacking satellite after satellite after satellite for said connection to leave "a teasing message saying... Hi I pwnd you" for shits and giggles.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/