[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Re: Computer forensics to uncover illegal internet use

To: "Craig, Tobin \(OIG\)" <tobin.craig@xxxxxx>
To: echow@xxxxxxxxxxxx
To: security-basics@xxxxxxxxxxxxxxxxx
To: jbeauford@xxxxxxxxxxxxxxxxx
To: "dave kleiman" <dave@xxxxxxxxxxxx>
To: "Sadler, Connie" <Connie_Sadler@xxxxxxxxx>
Subject: [Full-disclosure] Re: Computer forensics to uncover illegal internet use
From: "Jason Coombs" <jasonc@xxxxxxxxxxx>
Date: Fri, 2 Sep 2005 23:30:13 +0000 GMT
Tobin Craig (tobin.craig@xxxxxx) wrote:
> I have spent considerable time
> researching ad discussing with
> lawyers your fantastic notion that
> corporations are exempt from
> reporting electronic crimes against
> children.

What is this thing you believe in, an 'electronic crime against a child' ?

Are you even aware of the self-contradiction in your own position?

I understand the psychological conditioning that law enforcement and 
prosecutors experience that results in your sort of enthusiastic or zealous 
enforcement and application of law. To a great extent I admire those who 
undergo this conditioning, and value those persons who are willing to live 
under its effects in service of my safety and to protect and defend my rights.

However, it is my duty, as your employer, to make sure that you receive the 
mental health care that you need when you begin to believe in fantastic things 
such as these 'electronic crimes against children'.

Your intentions may be fine, but your reasoning is actually quite insane. An 
'electronic crime against a child' ? Absolutely outrageous and patently absurd. 
There is no such thing.

Tobin Craig (tobin.craig@xxxxxx) wrote:
> Title 18, USC 3:  Accessory after
> the fact.
> "Whoever, knowing that an offense
> against the United States has been
> committed, receives, relieves,
> comforts or assists the offender in
> order to hinder or prevent his
> apprehension, trial or punishment, is
> an accessory after the fact."

You presume to deprive me of my right to wipe my hard drive because, in your 
expert opinion and in the legal opinion of some prosecutors, doing so causes me 
to violate Title 18, USC 3 - making me an accessory to your so-called 
'electronic crime against a child' - and you are mistaken.

You fail to understand the very important distinction between merely suspecting 
that a crime may have been committed and actually KNOWING.

To violate Title 18, USC 3 you must actually know, not merely suspect, that an 
offense has been committed. You are wrong when you think that the mere presence 
of data on a hard drive prove to you, the trained computer forensic examiner, 
that a crime has occurred.

Seeing child porn may make you feel as though you have been assaulted, but that 
is your own subjective and purely emotional reaction, and does not prove 
anything to you. It does not cause you to KNOW that an offense has been 
committed. You may choose to report your suspicion, and the reasons for it, but 
you most certainly do not have any obligation pursuant to Title 18, USC 3 until 
and unless you actually KNOW.

Seeing digital content that you know perfectly well is not a live broadcast of 
an act in progress should not give rise to your feeling that you KNOW an 
offense has been committed.

A highly-trained and credentialed 'IT Forensic Director, Computer Crimes and 
Forensics' professional such as yourself should understand the difference, but 
you don't. Your technical training ignores this extremely important awareness 
and your personal bias coupled with the fact that you never work on behalf of 
the defense render you unable to know the difference between opinion and fact.

Seeing such pornography on a computer that you are responsible for maintaining 
or which you own may prove that somebody (e.g. a spyware operator, an intruder, 
or a porn purveyor, or Microsoft) has harmed you in some fashion. You are a 
victim both of your own emotional reaction to what you have seen, and your 
computers show that somebody has likely trespassed against you. The trespassing 
was electronic, but under law that is now a crime as well. Are you an accessory 
to the crime against yourself if you do not report it and attempt to press 
charges? No.

More to the point, you only have proof of your own wrongdoing: possession of 
contraband data. You are absolutely permitted to destroy that evidence, else 
you would be compelled to offer evidence against yourself in reporting your 
crime to law enforcement.

Perhaps, in your view, we need everyone, everywhere, to know, as soon as 
possible, that they do not have the right to wipe hard drives because the 
legislature has passed these laws, you see, and, well, some law enforcement 
people and some lawyers who law enforcement have spent considerable time 
talking with believe that it would be a violation of Title 18, USC 3 for either 
a natural person (or a person incorporate) to continue to exercise their 
property rights, or to enjoy any of their other Constitutional protections, 
when their property becomes an electronic crime scene where an electronic crime 
against a child may have occurred?

Do you believe that the government has the right to press every one of us into 
both a) self-incrimination, and b) the service of the State in enforcing its 
various criminal laws?

If you really have the depth of experience with the application of law in a 
courtroom as you imply, you will know that lawyers give educated opinions, but 
that they are still just opinions. You will get a different answer from the 
lawyers with whom you speak when you do a better job of explaining to them that 
their belief that some unconstitutional legislation that creates the fantastic 
notion of an 'electronic crime against a child' is both impossible, in reality, 
and misinformed, in practice. Make a better showing of fact on this important 
issue and you will hear a different educated opinion. You are literally hearing 
your own thoughts echoed back to you as legal opinion because you are failing 
to properly construct the argument you make in defense of your own rights.

I assure you that your lawyer friends are wrong, but what is more wrong is your 
own forfeiture of your rights because you choose to believe that they do not 
exist. When you phrase your questions to them presuming that you have no 
rights, well, you get the legal opinion and the answer that you deserve.

When my hard drive becomes contaminated with child pornography because of the 
actions of some third-party, I have two conflicting duties:

1) to clean my hard drive of the offensive material as soon as it is practical 
for me to do so, and,

2) to be careful not to recklessly endanger other persons by destroying the 
only evidence that may clear them of any potential accusations of wrongdoing, 
or by spawning an irrational witch hunt or a stampede where I know ahead of 
time that somebody will be hurt.

Because of #2, it is still the best decision for a company to image, encrypt, 
and store with counsel the hard drive images of concern.

No report should be made to any law enforcement agency.

A logged record of wiping the drive where the log entry is designed 
intentionally to mislead an unskilled reader, so as to conceal from casual 
observation the fact that the encrypted drive image was made and placed in 
storage before the drive was wiped, is absolutely the right decision to make.

Give me a subpoena and you will get the truth, and the hard drive images, and 
the decryption keys. Without a court order, you will get only a misleading log 
of a hard drive having been wiped during incident response.

If we live in a rational world, and if time permits, I would say that carefully 
wiping a drive image of all contraband images so as to preserve any 
potentially-valuable exculpatory evidence and so as to remove any fear of 
prosecution for allegedly possessing or distributing the contraband would be 
the best approach. But, are we supposed to just accept the economic harm that 
such enormous time investment causes? I think not.

Furthermore, the law should not, in my opinion, be interpreted so as to 
actually encourage employees to spend dozens of hours looking at child porn on 
the job in order to wipe it selectively from retained drive images.

Despite your assertions to the contrary, every child porn statute that I have 
reviewed in a variety of jurisdictions stops short of criminalizing the viewing 
of child pornography incidental to one's necessary job function or without the 
intent to possess the material or participate in commerce with another person 
surrounding the viewing, as for-pay.

Your suggestion that simply viewing child pornography outside the presence of 
law enforcement is a criminal offense, even for a defense attorney, is 
completely wrong.

However, as you have demonstrated, much better than I could have done, we 
actually live in an irrational world where law enforcement-affiliated persons 
such as yourself, and even full-fledged sworn LEAs, currently believe in 
fantasies like so-called 'electronic crimes against children' -- and worse yet, 
believe that the crime actually occurs over again, and is even commited 
automatically (by computers) every time contraband bits are copied or moved.

Tobin Craig (tobin.craig@xxxxxx) wrote:
> You have openly stated in this
> forum that your position is to wipe
> the drive which might otherwise be
> used in the investigation of crimes
> against children.

Yes. Wipe the drive. Any person who has any knowledge of this subject and any 
common sense would do the same. If you have any reason to believe that a real 
crime against a real child may have occurred or may be occurring, then you will 
obviously adjust your response accordingly.

If you actually believe that thumbnail child porn imagery downloaded from the 
Internet, and every occurrence of the electronic storage to a hard drive of any 
child porn digital imagery, constitutes another crime against a real child, 
then you will immediately take whatever steps you believe are appropriate to 
help apprehend a suspect. To do otherwise, given your belief, is probably an 
actual offense under Title 18 USC 3, as was claimed.

What? You say that this sounds rather like a self-fulfilling prophecy? Hmm... 
No matter, it's the law of the land.

Let the observer decide if they feel like there is such a thing as an 
electronic crime against a child, and if they believe there is one then make it 
a crime not to treat it as one.

Let the witch hunt begin.

Burn the witches! Burn them!

You there, sitting next to that computer, you're a witch, aren't you? No? Prove 
that you aren't one. Prove it, or burn!

I repeat that this thinking is insane.

You have to be insane in order to believe in electronic crimes against 
children, and once you are insane you are bound by law to help burn somebody 
for the crime because you believe in its existence...

How very sick.

Whatever happened to the good old days when the definition of 'crime' was 
objective rather than subjective? And what happened to law enforcement training 
that people have rights that are not to be infringed?

Where have all the LEAs gone who used to believe in conducting investigations 
to uncover all possible exculpatory evidence in addition to that which is 
inculpatory?

LEAs have had their position usurped by forensic expert opinion testimony.

This has resulted in LEAs not even doing investigations. They are now just the 
hands and the legs of the forensic investigator who uses deductive reasoning, 
fancy technology, and their valuable learnings in order to eliminate reasonable 
doubt through the power of thought alone.

Crimes are now often a matter of opinion, not a matter of reasonable proof. 
Does that not concern you substantially?

Are you teaching your children that somebody else's opinion will send them to 
prison under the modern day criminal jutice system?

I am teaching mine this, because it is the truth. In my opinion, that is more a 
crime against my child than what you propose to be an 'electronic crime' 
against somebody else's.

Your training and experience are biased against the defense because you are 
trained by law enforcement and you are never exposed to fundamental principles 
that would equip you to properly apply an unbiased and well-informed approach 
to your work. Ask yourself why not? Is there something wrong with 'computer 
forensics' that these truths must be ignored in order for 'computer forensics' 
to be used in practice?

My answer is yes, there is. You are what's wrong with so-called 'computer 
forensics' -- it is a biased system for telling lies under the guise of expert 
testimony, and these lies are being told over and over again in jurisdictions 
around the world. The purpose of the lies is to advance the cause, bias, and 
belief system of those who tell them. Your stated cause (today) is to catch 
everyone who commits an 'electronic crime against a child' -- the methods and 
thinking from which you derive this cause will, naturally, allow you to choose 
a different cause in the future and pursue it as well. Go get those 'electronic 
terrorists' who spread speech that harms commercial interests. Anyone who 
expresses hate toward Microsoft and its dangerous products must be an 
electronic criminal. Your expert testimony can take them off the street, so go 
to it. Hate speech, and speech against the interests of commerce, are against 
the law.

Go enforce the law to the best of your opinion. We depend on you to do just 
that, and to do it well.

Moderator:

This discussion is very important to the basics of information security. Please 
approve this and other postings that include the word 'insane' -- you can see 
that the term is not being used to flame, but to express accurately a technical 
issue that is fundamental to security:

Namely, that security is a belief - and not all beliefs are reasonable, nor 
healthy. Adopting the wrong set of beliefs will actually harm your ability to 
understand what security is.

A loss of legal protections for us as computer owners and operators, if we 
choose to forfeit our rights or allow ourselves to be tricked into thinking 
they do not exist, is a security risk just as certainly as any worm or Trojan 
(malicious software that grants an attacker further access to our computers at 
a future time, after it has infected a host).

A large number of people believe, incorrectly, that law enforcement is a form 
of security. This discussion helps to illustrate clearly that this is a flawed 
belief and that law enforcement can be one of the security threats against 
which we all must defend ourselves and our companies.

This is especially true today given the fact that law enforcement, as viewed 
individual by individual, frequently believe in irrational legal fictions like 
'electronic crimes against children'.

What is the penalty under law for triggering and fueling an irrational witch 
hunt, or a panicked stampede that crushes and tramples its victim-participants, 
in your jurisdiction?

Every person who comes into contact with evidence that may be interpreted to be 
proof of an 'electronic crime against a child' should find out the answer to 
this question before they decide to try to report it to anyone.

Wipe your drives and get on with life. It is not your job to protect electronic 
children from virtual harm.

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx

P.S. Tobin, does the signature line of your e-mail (below) indicate that you 
are the very person of whom, having just been wrongfully convicted of a child 
porn offense at a court martial hearing where his own defense side so-called 
'computer forensics expert' testified against him by doing nothing more than 
finding and documenting the porn, the military service member who appealed to 
me (too late) for expert witness testimony on his behalf (to help the judge 
understand the technical evidence in a fashion that his incompetent law 
enforcement-affiliated 'computer forensics' expert refused to do or was 
incapable of doing) must ask help after he is released from confinement in two 
years and is dishonorably discharged? Is it your opinion that the presence of 
child porn on his hard drive is proof enough of his guilt? That was the opinion 
given by the 'computer forensics expert' that his attorney hired, and his 
career in the service has come to an abrupt end as a result. Perhaps he!
  will never become a 'veteran' such that his affairs are none of your concern. 
Just wondering. If you weren't so badly confused, you could actually help some 
innocent people who are deserving of your expert assistance.

> Just my opinion.
> ___________________________
> Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE
> IT Forensic Director, Computer Crimes and Forensics
> Department of Veterans Affairs
> Office of Inspector General
> 801 I Street NW
> Washington DC 20001
> 
> Tel: 202 565 7702
> Fax: 202 565 7630
> ___________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Follow-Ups:
- [Full-disclosure] RE: Computer forensics to uncover illegal internet use
  - From: dave kleiman
Prev by Date: [Full-disclosure] LSADump2 Crashing Windows
Next by Date: [Full-disclosure] [SECURITY] [DSA 795-2] Updated i386 proftpd packages fix format string vulnerability
Previous by thread: Re: [Full-disclosure] LSADump2 Crashing Windows
Next by thread: [Full-disclosure] RE: Computer forensics to uncover illegal internet use
Index(es):
- Date
- Thread