Information Security News mailing list archives

Will the Real Criminal Please Stand Up?


From: security curmudgeon <jericho () ATTRITION ORG>
Date: Thu, 15 Mar 2001 22:12:02 -0700

UNIX SECURITY --- March 15, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters


Will the Real Criminal Please Stand Up?
By Carole Fennelly

Computer crimes present a monumental challenge to legal systems worldwide.
Charged with administering justice, the courts generally do not understand
the complicated technical evidence required to conclusively prove guilt in
a computer crime. Meanwhile, law enforcement agencies advocate stiffer
penalties and prosecutors employ hacker stereotyping rather than hard
evidence to sway juries.

Recently, the UK approved legislation equating computer crimes with
terrorism
(http://www.cnn.com/2001/TECH/internet/02/20/hackers.terrorists.idg/index.html).
Henceforth, electronic vandals are on the same level as people
who consciously murder children in the name of a "cause". A pretty harsh
characterization, but one that makes it all the more critical that we
ensure justice is properly served. Sadly, the legal system remains
incapable of understanding technical evidence. My recent involvement in a
trial of an accused computer criminal made this point quite clear.

Try explaining computer science to your grandmother sometime. She will
seem easy compared to a court. Reading through the trial's transcripts, I
noticed some confusion concerning the legality of portscanning. The
transcripts showed someone stating that it, "...can be done legitimately
and not legitimately." If you remember nothing else, then remember this: A
portscan is not an attack! A portscan equates to walking down the street
and checking for open doors and windows. Sure, it can indicate that
someone is "casing the joint", but a portscan in and of itself is
harmless. The prosecution made much ado about the defendant possessing
portscanning tools and using them in the past (gasp!). Now remember,
portscanning is not a crime; however, it was used to establish the
defendant's state-of-mind, intent, and ability to attack computers.
Factors such as this take center stage when the prosecution relies largely
on circumstantial evidence.

Evidence is defined as either direct (proof of a fact) or circumstantial
(an inference made by the jury based on experience and logic). Jurors are
asked to use their common sense in evaluating a case. A recent Florida case saw
a teacher file Federal wiretapping charges against a student for taping a
lecture without the teacher's express consent
(http://www.cnn.com/2001/LAW/02/28/recording.charge.01.ap/index.html).
Fortunately, the prosecutor's common sense and experience kept this
ridiculous case from trial. Well, most juries *have* no experience in
computer forensics, so how can they fairly evaluate circumstantial
evidence?

The average person's computer science knowledge is comparable to an 18th century
farmer's physics knowledge. For most people, science is indistinguishable
from magic (a prime reason the Inquisition persecuted so many scientists).
My case involved over 100 pages of testimony describing how the intruder
ftp'd in from a trusted machine, brought over a sniffer package, failed to
compile it, and then removed a critical database file. No direct evidence
showing the attacker's identity, just an account of the events. I watched
two days of irrelevant testimony describing simple commands that anyone
could have run. The jury and the court seemed clueless when the witness
spoke, but it sure sounded technical. I found it tedious and I *did*
understand him.

The technical evidence, mind-numbingly boring and meaningless to the jury,
did not conclusively prove the attacker's identity, so the prosecution
turned to circumstantial evidence. Labeling the defendant a "hacker"
certainly helped convince the jury of the defendant's guilt. What are
average people's real-life experiences with hackers? The media? Movies?
Using images in a courtroom may make the prosecutor's life easier, but
it's a dangerous practice. Take Robert Hanssen, the FBI agent accused of
being a Russian spy, for example. Judging by appearances, which everyone
did for the past 25 years, he seemed to be a model citizen. Hell, even his
wife had no idea (http://www.cnn.com/2001/US/03/01/spy.wife)!

Obviously, determining guilt for a crime must hinge on the technical facts
that are presented, not "hacker" labels. Interpreting facts so the juries
and courts will understand presents the real difficulty, though. Having an
online handle is not a crime. Studying methods of defeating computer
systems' security is not a crime. Running a Web site about hacking is not
a crime. Breaking into a system without authorization *is* a crime.
Stealing or destroying data that belongs to someone else *is* a crime. And
abusing a position of authority and trust is a *very* serious crime.

As the legal system begins understanding computer crime (but it has a very
long way to go), labeling hackers as terrorists is unreasonable and a
further burden to the system. In fact, this legislation could backfire
when a jury is unwilling to convict a defendant to hard time when they
don't think he deserves it. The alternative would be to let them go free,
which is also wrong. When a crime is committed, appropriate justice must
be served. Labeling computer crime as terrorism just sanitizes terrorism.

About the author(s)
-------------------

Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix system
administrator for almost 20 years on various platforms, and provides
security consultation to several financial institutions in the New York
City area. She is also a regular columnist for Unix Insider
(http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or
reach her at carole.fennelly () unixinsider com.
________________________________________________________________________________

ADDITIONAL RESOURCES

Malaysian Hackers face indefinite detention
http://www.cnn.com/2001/TECH/computing/01/10/malaysian.hackers.idg/index.html

Australians prosecute hackers as terrorists
http://www.zdnet.com/zdnn/stories/news/0,4586,2691323,00.html

Interesting article on Unblinking News showing Robert Hanssen's online
activities
http://tbtf.com/unblinking/arc/2001-02a.htm

Spy Hypocrite
http://www.time.com/time/nation/article/0,8599,100391,00.html

CERT Intrusion Detection Checklist
http://www.cert.org/tech_tips/intruder_detection_checklist.html

Basic Steps in Forensic Analysis of a Unix System (Dittrich)
http://staff.washington.edu/dittrich/misc/forensics/

Interview with Jennifer Granick, famed defense attorney for computer
crime:
http://www.infosecuritymag.com/articles/march01/features2_q&a.shtml

ISN is hosted by SecurityFocus.com