 I would like to introduce, do you want to go by Major? What are you like? I'd like to introduce Major Bob Clark. He's with the US Army Judge Advocate General Corps. And he's going to be discussing precedence in computer and internet security law. So let's give it to Bob. Good evening. I'm on East Coast time, and it's my bedtime. So the fact I said good evening is pretty good as opposed to good afternoon. And that's it. I hope you enjoyed it. And we'll be back next year because nothing's happened in computer security. All right, the agenda. We're going to look at some of the issues of the past year, what's happened as far as computer and internet security law, some of the precedents, a few of the prosecutions and the arrests and the indictments that happened in the past year. I'm required to give this fun little disclaimer. It's a great little thing. What my bosses want you to make clear is that any errors that I give in this presentation remain with me. I'm responsible for all the mistakes. And anything I say here solely resides with Bob Clark, US citizen, as opposed to any representative of any possible government agency. Again, my name is Robert Clark. For those of you who don't speak English and speak code, it's there. I am a government hack. The nice thing about being a government hack, it's interesting to see in this forum what you've got. I'm always curious to see how many techies are interested in the legal piece. Scott Moulton is talking right before this. And I ran in there because I knew I would be talking now. And in his bio, he was a civil suit for actually excessive pinging. And it held that that's not access to a computer system. And when you get people who are involved in that, you go talk to them because they'll have some great war stories on exactly how to talk to lawyers about the things you do. A talk I'm giving tomorrow night will have part of the pitch. It says facts are king. And that's something that every lawyer is taught in and out. Facts are king. In this field, very important, your facts are king. Because you change one little fact and an Intection Prevention System, an IPS or an IDS, can become a honey pot and a heartbeat. And you've got electronic monitoring things that can all come into play. So it's very important that you take and explain to your lawyer in excruciating, painfully great detail at a third grade level so they can understand it because we're going to have to take it and go explain it to a judge at a first grade level. Because he's going to write his opinion or his clerk will write it at a kindergartner level. And then all the lawyers in the world are going to take that and read that at a, well you fill in the blank on that one, so. The one thing, EFF, I was joking with them, we were out at dinner the other night and I was joking with these guys and I said, hey, can I have a hat? So I can go give my presentation and they won't give me a hat. They wanted 30 bucks. And I thought, 30 bucks, Christ, that's expensive. But they're a nonprofit so I can understand that. But they've got that Bill of Rights card that you can get and buy from them. Years ago, one of my first bosses gave me a copy, a little pocket copy of the Constitution. And it's a great little document and we're going to talk about it in a little bit. And I have it on the corner of my desk and the reason I have it there is that's the reason I'm a government lawyer. I work for a judge, going through law school and I used to see attorneys take the facts and warp them to their own weird image. And it's an amazing thing when two people would stand up and you were positive, they were not talking about the same case. And I said, you know, I don't want to do that. I want to be able to go and at least do the right thing at the end of the day. And I know that's a strange thing to say with a couple of things we're going to look at today. But I don't work for those three of our agencies that might be somewhere on the East Coast between Pennsylvania and Virginia. And so we'll talk about those things but that's why I did become a government hack is because I really do at the end of the day get to do the right thing, hopefully. Lawyers, well let me go with a couple of things. First off, what's not here? I have no information on area 51. My claim check had it on there so I kind of thought there was something going on. I'm staying at the Luxor. I thought maybe I was going to lose my stuff but some of the technology I've heard is pretty cool but I've got nothing to fill in on that. I apologize. When you talk to lawyers, this is the one aspect you're going to hate and I apologize but this area is unsettled. We are trying to keep up to speed with this. There are very few precedents. We're stealing from the physical world to bring it into the virtual world. You hear that a lot. So before I started I did want to give you some good solid advice that nobody but nobody will debate that is settled advice. We're in the desert so wear sunscreen. It's a proven fact this will keep you from getting cancer so that's one thing. We're in the desert again. I understand this is a little different because people are going to be drinking a lot. You get dehydrated so drink water. It's proven to help you out. And drink while you're here because it makes these presentations go a lot better and the to drink minimum I really like so in Try the Veal I'll be here all week. All right I was thinking how to jump off on this and how to get started and I actually had a different order on the materials that I presented and a part of the materials. I gave you a lot of information. There's a lot of words on the slide. There's a lot of crap up there because we're lawyers and we like to hear ourselves talk. And on the slides I've been in many presentations and I've always felt there's a case site up there and that's it. It's like well what the hell does it mean? And that's why the material will have a lot of information. It's six o'clock. We're two hours late. I know nobody wants to read now. I don't want to read. So we'll talk through them so you don't have to be minimum amount of reading on that. And one other aspect I've been told that my voice has a certain tone level that has a habit of putting people asleep of a certain diminished intellect. So if the person next to you is falling asleep you're smarter than they are. And the real worst part is if I fall asleep while I'm doing this, well then we all know who the real smart people in the room are on that. And I wanted to jump in on a case that was relevant to my audience and I felt what better way to start with cases that deal with probation for violators. People have been prosecuted for computer crimes and what they're calling special skills. One other aspect, if your name's not up here and I don't mention your case specifically, please don't jump up and shout or anything because this is probably a violation of your probation. And there are some federal officers wandering around. So I'd hate to have that thing where it's just a mess. When we're talking, this is a neat thing, special skills. If you're not familiar with what this actually is, is it's when you're getting sentenced for committing the crime, if you use some kind of special skills or knowledge to commit the crime, they elevate your sentence. You know, it's a great way to put your way for longer. And in United States versus Proctner, this guy basically he got, it was an identity theft and he challenged on appeal his use of special skills where his sentence got a two level enhancement. Well the nice thing, and when you read a court opinion you always like to hear this when you're reviewing it. In his written statement to law enforcement, that's your first tip, okay? Don't do a written statement to law enforcement, okay? You know, it's not a good thing. But he wrote down that after accessing the internet via Telnet and MIRC slash PIRCH and accessing websites, order logs via cart 32, scan 20 some cards, and it goes on for what he did and he said, look, anybody can write CGI scripts. This is, you know, script kiddies can do this. So it's not really any expert thing that I've done here. And the judge said, you know, and I love this, it might reasonably take with a grain of salt Proctner's assertion that even a novice internet surfer could do what he indicated. But here's the thing you guys need to understand. A skill can be special even though the activity to which the skill is applied is mundane. The critical question is whether the defendant's skill elevates him to a level of knowledge and proficiency that eclipses that possessed by the general public. So, with that in DOJ's hands, you may just want to consider that the next time you're pursuing this activity. One of the other aspects they look at with special skills is how you obtain that skill. Typically, one of the things they cite for special skills is they look at training that requires pilots, lawyers. Hey, thank you. Good judges, doctors, accountants, chemists, and demolition experts. Those are your special skills. Now, they say you do not need formal training for this. This can be self-taught, which is kind of the neat thing that really, you know, kind of hits on your field. So that's one of the aspects of special skills. Probation, supervision. There's a lot of cases out there. Nothing really recent that talks about supervised probation and the requirements that they can put on you once you've been released from your halfway house on that. But they can put monitoring stuff on your internet there to see what you're doing and what you're looking at. As a matter of fact, one of the guys that's up here, good old, whoever wants to give this a shot for good old Yugnokovich, his probation officer just grabbed his machine without any probable cause or anything to search it because he's entitled to do that and found child porn all over it and so the guy was headed back to jail again. If you're gonna commit these crimes, one thing, this guy, United States versus King, was basically prosecuted for selling firearms illegally. And while he was in jail, they get to supervise everything he wants. Well, he wanted to get some books on computer programming and bring that in and in the jail, the warden didn't want to give him these books because the idea was, well, if I give him these books, he could hack the warden, the prison computer systems and cause all kind of havoc. And the judge looked and said, you mean to tell me that the prisoner's computer system is hooked up to the prison system's computers? And they said, well, no, but it could be. And the judge said, look, he's in jail for firearms. We're trying to encourage rehabilitation and the fact that he wants to learn computer programming is rehabilitation. So we're gonna let him have the computer books. I figured that kind of works both ways. So if you guys go to jail for computer stuff, you can get books on importing firearms and selling them illegally. You know, it's one of those things. All right, let's talk about this three letter agency. If you want to. I've got about another 40 minutes. This could take up 39 of them, depending if you want. What I'm going to present and what we're gonna talk about here are the positions of what's going on with the surveillance and the NSA stuff. Let's go back to my first slide for who I work for. The last thing I want is this gentleman sitting up front here that I think I remember being part of the press from Black Hat last year and the Cisco gate press conference that was had, I'd like to avoid that. So I don't want to have a separate press conference. I'm gonna set out the positions that everybody's talking about. And I guess the reason I do that is EFF's speaking after me on this one. And so you can go in with them. It's an interesting aspect when you look at their website, and again, this is all lawyers. They have no reasonable basis. And you hear that all the time. And in the legal world, if you have no reasonable basis whatsoever, within 30 days you follow a motion for summary judgment. The judge comes back and says, yeah, looking at the facts as well as they could possibly present it to me, they can't win. So you're right, they have no reasonable basis. So clearly, there are a lot of positions going on here. So we'll look at these. I put this up here because some people like this symbol better than the other one. Take a look, I gotta have you read. I apologize on this one. In the military, I'm required to do an intelligence oversight training annually to my entire organization. And we do it twice a year. And I'm not even an intelligence organization. But we deal with US person's data. And the reason we have intelligence oversight in the government was because of this. Now you look at this and you think about what's going on today. And you think, OK, I can see that. All right, not a problem. I can see they're busy, you know, the war on terror. That was the 1976 church report after the Vietnam War. So we're talking the nice thing. Again, I'm a lawyer because I can't do math. But that's 30 years ago. See, even I can figure that out by looking at the numbers. And so after the Vietnam War, and we had the Church Commission because we were doing some domestic national security, there was a race between Congress and the executive branch for the government to regulate how we do intelligence oversight. How we're going to collect information on US person's. And basically, an executive order came out. If you're in the biz and you want to be cool, you got to be cool where you can be cool. You guys are the techies. You have all the knowledge. And God love you because, like I said, I want to talk to you in those excruciating details so I can understand it. It's a great passion and I really respect the knowledge you folks have. In this thing, I get very few chances to be cool, but the executive order is one, two, three, three, three. If you want to be cool, you can say EO12 triple three. Okay, repeat after me. EO12 triple three. See, it's a cool thing to do when you're in the biz, buzz and you're in the know. And it regulates how we're going to get and collect information on US person's. Now, the operation chaos was actually a CIA operation back then. Going in and looking at mail. And again, they had a database. You know, it's funny. They had a database of 1.5 million names. Now, there's 250 million people in the United States. You know, that's, okay, I won't go there. What we're going on and what's going on with the NSA? There are, it's a clash of the Constitution. The Constitution says the president is going to be commander in chief of the military. But Congress is going to have some powers too. This is a constant clash that's been going on. Now, the main thing that I didn't want to have left out was my favorite little guys here, the third branch. Because you're talking about the president saying, I can collect this information, I have to. You have Congress saying, no, we're telling you how you can collect this information. Well, that left a little judicial branch out there saying, geez guys, we want to play too. And years ago, in a case, as a matter of fact, in Dover versus Gonzalez, that just came out, they were talking about some aspects. And they're talking about what is the judicial review of both the president when he's doing something in his commander in chief hat. And it says that heavily circumscribed role for the courts, the government has suggested, instead of noting that the US Constitution ensures a role for all three branches when individual liberties are at stake. The notion that the judiciary should abdicate its decision-making responsibility to the executive branch whenever national security concerns are present is extremely troubling. So you're going to have our good old judicial branch looking at this to resolve this. The court recognizes that the executive is entitled to great deference on issues of national security. But that's where the judicial branch is going to come in looking at that. When you are talking about the powers of the president, and I'm sorry, I'm putting you a little bit through law school, we're going to try to move through this and I'm going to get to some other aspects. The president's powers from the Constitution, the case that really covers this one, deals with, it's called Youngstown Steel and Tube. The president's powers are supposed to be at his highest when he's acting as Commander-in-Chief and they are very broad. Again, you got to love this when you're looking at the authority that's being quoted as from a 1970 memorandum, particularly by Charles W. Coulson, who did time. You guys might all be too young to understand that, but there was this thing called Watergate. For those of you who don't know what that was, Nixon, it was really messy, people went to jail. I think Coulson was one of them. So it's nice that we're relying on him saying, oh, Prez, you got all the power in the world, go at it. Now, foreign intelligence. Foreign intelligence is not assigned in the Constitution to the president. So again, while this is a broad power, you're looking at what's the scope of the president's authority to commit armed forces or this, and there's some interesting aspects that the power of the president, he can seize private property. He can regulate prices and commodities. He can control rents. We can do that draft thing. He can take over railroads and operate them. So you see, his powers can be held to be very, very broad. And there's been some recent cases about Hamadi versus Rumsfeld with everything that's going on that has kind of specifically stated that they're very broad. Now, when you are looking at these things, you've got to look at the requirements to gather intelligence. And way back when, the case that really was talking about domestically gathering intelligence and information, I like personally because it's the United States versus the United States District Court for the Eastern District of Michigan, and I just happen to be from the Eastern District of Michigan. This either goes by the Plalaman, it's called the Keith case for all of us in the legal world. And the nice aspect was some really nice students from my alma mater went and decided to blow up a building there that was getting funding from a three letter agency. And these U of M students were surveilled under foreign intelligence, but the information was taken to prosecute them in a criminal court. Now, at this time, FISA didn't exist, the Foreign Intelligence Surveillance Act. So collecting the information was done under the president's inherent authority to collect information on foreign intelligence. Because every president from Nixon, all the way back to Washington, has done it. All of them. And in this case, you know, they make some, you know, clear little fun facts. I wanna make sure you're confident in your Supreme Court justices. They said, intelligence requires stealth and secrecy. That was good. And they also said traditional criminal law warrant requirements might not apply in even in internal security surveillance. So these are our leading cases on this. Now, I mentioned this Youngstown Sheet and Tubing case. This is the case that's gonna tell you where the president's acting with his authority. When he acts, and he's got Congressional Authorities Act, Congress stands up and you actually hear them say, damn, go at it, man, we're right behind you. He is at his highest power, Congressional and Constitutionally. At that second level is when the president acts and everybody's standing there doing the E.F. Hutton thing. And you don't hear anything. Or worse, you got a bunch of congressmen standing around with a who farted look on their face because they don't know what's going on, which happens sometimes. That's where he's at his next highest level. The lowest level when he operates act is what you might surmise. When he acts and Congress says, damn wrong, dude, back off. All right, when Congress says, you're not acting properly. So it makes a lot of sense on the three levels that he can operate at. So, where does that put us today? As you might imagine, what the president is relying on, the executive branch is relying on, is that authorization for the use of military force that came out after 9-11. Now, when we're looking at this, you're looking at Hamadi versus Rumsfeld, which is one of the cases that deal with detainees. And five justices concluded that the authorization for the use of military force authorized the president to detain citizens of the United States, that it was fundamentally an incident of waging war. And they also stated, a fundamental incident of waging intelligence activity constitute to use the language of Hamadi clearly and unmistakably authorizes such activities directed against the communications of our enemy. Accordingly, the president's authority is at its maximum. And it excites that Youngstown steel case. This was the Supremes in Hamadi versus Rumsfeld, which is an interesting aspect. So, they're looking at Justice Jackson's three-part test and saying authorization for use of military force, Congress spoke, you're at your highest level for this. Well, that's an interesting aspect because has Congress been silent in the president's authority to do this? Now, the fallout that you've heard, not everybody's standing up saying he shouldn't be doing this to the congressman saying that. What I'm talking about is actually when you look at the FISA and foreign intelligence surveillance, that Keith case I had up there where we were spying on US citizens under ECPA, which is the Electronic Communication and Privacy Act, there was a third section in there that gave the president his inherent authority to spy on US citizens if it was related to a foreign intelligence and national security. After the Keith case, the Supreme Court said, you were spying on US citizens for a foreign intelligence purpose. Okay, that's cool, that's not a problem. But then it became domestic and you were doing domestic national security warrantless without any judicial review, that's not okay. And they threw the evidence out. So, these guys find students from U of M and got to go back to school. And when I went there, I never saw this crater where the bomb went off, but fortunately I'm not that old. And so the judges at that time said, if you're gonna do this, Congress might wanna open their mouth and come up with something. They just suggested it to them, which they always do. And that's when they wrote the Foreign Intelligence Surveillance Act. Now, this is the fun aspect. You have the executive branch looking at after FISA was passed, they're saying basically there have been, all of the courts that have considered this issue appears to say the president has inherent authority to do this. Well, what they fail to specify is the cases they're looking at are pre-FISA cases. So, now it becomes after FISA and this was United States versus, I guess it's Coyomizhan. It was a 1991 case out of the Ninth Circuit. Now, if anybody here understands where the Ninth Circuit is from, one guy does over here. I'm sorry, I usually have prizes to give out, but my pay was scaled down and I don't have prizes to give out, I apologize. See me afterwards, I buy you a drink. The Ninth Circuit's out of California and it has a lot of fun with the US government. A lot of fun, which is great because I got all the buddies in DOJ and it's great when they piss them off and you can see them running around with their hair on fire. And basically, they said in this case that FISA eliminated the exemption that was in the executive branch to spy and the executive branch has no inherent authority to undertake electronic surveillance even in national security and counterintelligence cases. They replaced it with a detailed set of procedures with some exceptions that are nearly identical to the provisions of Title III. So, they're saying Congress spoke. Congress is regulating how you're gonna do this. So, now, you know, this is the great aspect of being, you know, a lawyer. You know, we get to say before President has the inherent authority, so he's okay. Now I've gotten to say Congress specifically spoke, so it doesn't? Well, guess what? One of the exemptions is you have to spy according to FISA or under some other statute. And now, you've got the executive branch saying that statute was the authorization for the use of military force. And that's where it sits right now. So, if your email's being read because you're coming from a foreign source, that's where you're sitting right now. The fun experts on this are speaking after me, EFF. Now, I was wondering, you know, what I would do up here as a government hack if someone bellowed out, hey, what do you think about the EFF? And it's a very simple answer. Giving power money to the government is kind of like giving whiskey and car keys to teenage boys. Only a fool would trust either. So, with that said, I think some of the greatest organizations we've got are the EFF and the ACLU. All right. Now, with that said, because being a government hack, that's the whole aspect of being a government hack. I get to do the right thing at the end of the day. I get to write my legal briefs and stand up and do my oral argument in front of, and, you know, before you guys mind, oral argument's something where we speak to a panel of judges and nothing else. Because I got to talk about whacking and joy writing later, and I didn't want anybody else going down there, so. But when we get to do these presentations, if I can't win at the end of the day based on the legal briefs and the arguments we make, then that's the way the Constitution was set up. And so that's a great thing, and they'll be talking a little bit later after me, and you can ask them on their views. Now, the interesting aspect, on that case, and they'll talk about it, you know, the state secret thing didn't fly, so it's still active and still going from that aspect. And they'll talk to you more about that. All right, let's not jump to the end. So we did that, we talked, sorry, talked through it. All right, other things that happened this past year. This is an interesting aspect. I don't want to go in, you guys probably know the technical ends and out of this a hell of a lot better than I do, because I was trying to read this and understand everything that was going on with the root kit that was put on there. And the settlement agreement that went in was a wonderful little settlement. We'll give you like a CD and seven bucks or some crap like that, you know, which is just, you know, fantastic. The aspect that I had on this one is I do have some sources, and not that I'm quoting any sources, but I said, why weren't these guys prosecuted? And because, I mean, hey, this is an unauthorized access to a lot of computer systems out there. And the fun aspect is, are any of you guys system administrators that had to deal with this being loaded onto your corporate or work network or anything? I heard a lot of stories about this, and I thought, man, that would have really sucked to have been these guys. But, you know, beside your 15 year old doing it, you know, it's like, okay, great, are you doing it? Because, you know, you didn't see the warning on there. But I said, why weren't these guys prosecuted? And the answer I got was because you had a lot of state attorney generals doing civil suits. You had the big civil suit, again, worked out and helped out with the EFF going on that. So they had that going. So I'm sitting there thinking, oh, okay, great. So, if I hack city bank and get millions and millions of dollars from all the other customers, and the customers file a class action against me, I might have to pay some money back, but I won't go to jail for this. I'm thinking, that's pretty cool. Good deal. You know, I'm gonna have to, I'm gonna work that out when my lawyer make that argument. Well, again, think about DOJ. They have sections. They have intellectual property, and they have, you know, they're computer crimes guys in the same shop that are prosecuting. So why wasn't a case opened up? Who's working with DOJ intellectual property? Any organization jumped to your mind? A four letter agency. Starts with an R. Some of you are shouting it out. I leave it at that. There was another spyware case that came out, and the interesting aspect on this was, it was done under a trespass to chattel theory. There's a lot of aspects, and I'm gonna be looking at the theory of trespass to chattel tomorrow in my pitch, and I'm gonna go and hopefully we'll get through as much of the material as we can. If I start cruising fast, I'll start talking fast, try to listen slow, and we'll get through some stuff. The trespass to chattel is, you know, the aspect of, you know, my computer's my property, and if you interfere in metal with it, you know, that's a trespass to chattel. Tomorrow night, we're gonna get into the aspect that people like. I'm allowed to defend my property to some extent. I can't spring a lot of shotguns, so when you walk through my front door and open it up, it blows you away right here. But I kinda am at your ankle, and so when you stand on this side, you're six four, and this side, you're five three. The problem with that case is then you sue me, and I have to pay you money, so maybe I should go back up to here. So, in this one, good old direct revenue was monitoring where you're surfing on the web. And they bundled it in there, you didn't know they were doing it. The end user license agreement, I like, didn't specify, it didn't specifically talk about spyware, or was misleading, well no shit. And this one, the neat thing was the Newsweek reported that in one month 1.5 billion pop-up ads came up on this. And just as it reached its class certification, it did settle, and they had to come out with a new end users agreement, plus an additional explanation of what's going on here, plus the click yes, if you wanna continue, which again, you guys know how well our users are gonna read that and understand that. So that's how that one settled before it went out there with good old direct revenue. I thought it was neat, but it was another spyware case that was going on on that. This is up here only because whenever you can see the Attorney General's name in a case, it's a great case to talk about. In this, both the Southern District of New York and Connecticut ruled that national security letters were unconstitutional. National security letters are where I go to your librarian and say, I would like all the books that you have checked out in the last year. Now, the neat thing about this is George Christian, great name, must have been possessed with a kind of swashbuckling spirit not usually associated with librarians. He went and talked to one of those four letter agencies, the ACLU, and they got involved and held that in this particular case, they were gonna do this without any disclosure to the individual whose records were gonna be gotten. Now, you gotta love courts to some extent. The nice thing about appellate courts is if I can pass on something or find a way to resolve a case without ruling on it, this is great and I'll do it. And that's what happened in this case. After this case, when it went to appeal on this, the judge basically used section 2709 of the US Patriot Act and believe it or not, I've gotta go this, who here knows or could tell me what that acronym stands for? The US Patriot Act. Every time I'm at DOJ conferences, the same DOJ attorney asks that question and every time I still can't answer it, but it's the United and Strengthening America by providing appropriate tools required to intercept and obstruct terrorism act of 2001. Aren't you thrilled that somewhere on the hill, some poor little intern schmuck is being paid to come up with these kind of acronyms? So it's a wonderful thing. This thing was amended after these cases were filed which kind of took out some of the aspects of it being unconstitutional and the aspect of it was is that there was no judicial review in these pre, the new statute that came out. After that, they put in the new statute that they would go through and having a judicial review. That was great. That takes care of the fourth amendment aspect. The first amendment aspect of non-disclosure or free association, free speech was never resolved. So what did the government do in the Connecticut case? Judge, don't worry. We'll go back and tell the person who it is that we're gonna get his stuff. That renders this issue moot. You don't even have to rule on it. And to judge being a good government employee, you know, one of the fastest people in the world because he can work eight hours a day and be home by three o'clock in the afternoon, work at nine to five, be at home at three. He said, good idea dismissed. So that got kicked back to the lower courts. I'm sure a lot of you guys have heard about the Wi-Fi crime in Illinois, this poor schmuck that some state attorney decided to make an example of and prosecuted him for, this is the Dunesbury cartoon that I had last year where the guy's sitting out on the side of the road, you know, using his neighbor's Wi-Fi. Hey, you using my Wi-Fi? Hey, it's a free country. You know, hey, this is free. And so he got, you know, the wonderful 250 bucks and he said, I just wanna get the word out that this is a crime and dammit, I'm gonna prosecute it. You know, when this came out, you know, Jennifer Granick out of Stanford and a whole bunch of folks and Orrin Kerr, who are the leading experts that I'm not sure that this was a crime. Now what you're getting now is you have a lot of state statutes out there that are basically doing the theft of service statutes on this and it's the cable aspect and that's the article here. There's a great article. If you wanna surf and find it, it's Benjamin Kerr's and that's the aspect I love. Wacking, joyriding and you know, if you just, if I stopped it right there, I'd probably get in a lot of trouble so that's why I put the rest of it up here. Do the search, the Google search, you'll find it. It talks a lot about the state statutes that are out there for theft of services and this is the interesting aspect and you gotta love talking to any prosecutor and I was a prosecuting hack too and when you said, who's the victim of this crime? Oh, I don't need a victim. You know, the state's the victim and so therefore I can prosecute. You know, I don't need a victim on this and the Electronic Communication Privacy Act says that uncontrolled radio signals are not a trespass and is not a violation of ECPA if I'm just getting uncontrolled radio signals. You have not violated the Electronic Communication Privacy Act. Okay, great, but yet if I hop on my neighbor's Wi-Fi which is uncontrolled radio signal, I'm being prosecuted for stealing the Wi-Fi aspect of life. So again, joyriders out there and folks who are having this, have at it, you'll get to your defense attorney, you're gonna have to explain this too because again, they're gonna look at whacking and joyriding when you tell those two things. They're gonna be going, oh, Jesus, this guy's going to jail forever for use whacking and joyriding with somebody. It's that George Michael's thing and so you're gonna have to have him coming up and go this. Now, you know, the aspect, one of the things is when I talk about that trespass to chattel thing, here's the fun aspect because here's where your expertise comes in. It's intermeddling with someone's property and that's the aspect they're looking here. When I hop on someone's Wi-Fi, am I diminishing that use? Now, granted again, if House A has the Wi-Fi unrestricted and House B is right here and House A does all his child porn surfing from eight to nine, which has huge files and House B does his at the same time too and he's diminishing his bandwidth, well then you could see that that could be an argument for that. But that's kind of the things that they're looking at and they're still saying that any little bit, diminishing it is sufficient and so it's an interesting aspect in terms of looking at good old Wi-Fi. David off versus David off. I like this one from a hacker's perspective. In this one, I can't remember if this guy was a doctor or not, but you always love it when you have these facts because the plaintiff in this case is suing the defendants and the defendants are the ones committing these acts. The defendants were, when you go this way, it goes great. The defendants were first, an ex-wife, she's always a good one, and then her aunt and her uncle on this. From their home in Florida, entered his website and changed his information and of course he said this, people are looking at this, I've been defamed, I'm losing business and so he sues them in New York because that's where he's at. Now the big question here is can I sue someone in Florida for hacking my website and changing the information? And they're in Florida and I'm in New York so can I sue them in New York? So this is kind of important. I'm gonna go through a couple of these to get to the fun one. We learn in law school and by the way, you need to know this if you get a lawyer. When we go into work in the morning as lawyers we're tired because our day starts usually around eight o'clock and really anally retentive people who like to bill a lot of hours, that's how we make our money will be in there at 7.30 and this is after they've read a couple of statutes, polished their shoes to a high shine, polished their teeth to a high shine and they'll be in the office working away billing you because they're working on your case and every six minutes they work, they get to bill. Well one of the neat ways we're taught in law school to get around this when the partners are walking around is as you've got CNN up on there and you're actually checking out like who won the sports last night and as you see the partner walking by you sit there and pick up the phone and go yeah I'm working on an international shoe because that's the jurisdiction case that gets jurisdiction in there and any partner who hears that says okay the dude's working. So international shoe is if you're, I'm gonna sue you in my state if I'm from Michigan and you're from Ohio you've gotta have some kind of minimum contacts in Michigan before I can haul you up there because otherwise you're not gonna get a fair shake because people from Michigan hate people from Ohio and vice versa. It's on a lot more friendly terms now that we don't have a football coach that can do shit but we still hate people from Ohio on that, we're working on that too. So we need minimum contacts. Now what do you think? These people from Florida hack this guy's website change the information is that sufficient minimum contact to get them up to New York to be sued? What's the key fact that I've left out? Where's the web server? Asshole? It was in Florida. What are you doing being a New York using a web server in Florida? And that's what the court said. Now the neat thing about, well I need to call it, yeah I can read between the lines maybe that's what they did say. Now when you read this thing as a lawyer and again we get paid to kind of you know it's kind of like being John we all want to be Grisham we always want to write that novel that churns and changes. When you read this opinion it starts off to say look we've got to look at the reality of facsimiles, computers, banking, you know which is kind of thinking all right man they're gonna bring this asshole up to New York. He's gonna have to travel and be well the ex-wife and the aunt and uncle and be probably you know face a civil suit up there. Well then the court says no. Uh-uh sorry the fact that they did this on there if we had to sit there and say when you hack this website where the information is read that means you'd be liable and all 50 jurisdictions in the United States to be sued somewhere and that's not enough. So we're not gonna do it where the information was read. So the moral destroyer for you guys are if you're hacking something from somebody and they're out of state somewhere make sure you're hacking interest state. So you don't have any problems being sued someplace else. Now with that said and I haven't mentioned it here there was a child porn case where the guy was downloading child porn and he was getting it from his ISP and the servers were all in the same state and he made the argument I didn't do anything interest or interstate I was interstate this is a federal statute that requires interest or interstate you can't prosecute me under this and the judges got the technical experts to say we cannot say that this was solely routed internally through your state and they got the experts to testify routing takes the least path to its route so we can't say plus even interest state computers are connected interstate and they still upheld the prosecution so it's an interesting aspect when you're looking at that and that's just how things go. Prosecutions of the rest of the diamonds this was not as an exciting year as last year when Shadow Crew got busted. I mean DOJ was really proud of our secret service and DOJ was really proud of that there was a lot of press out on it I picked a couple things that kind of had some personal interest Kenneth Quack a buddy of mine is actually the IT guy for the Department of Education and so that's why I picked this one and this guy basically put a key log on his boss's computer so he could read his emails and everything and the motive behind this for doing this was personal entertainment you know five months in prisoners five months home confinement three years that supervised release that's that probation stuff and a fine of $40,000 it's kind of like that was great entertainment on that one. Scott Levine the reason I've got Scott Levine in here is he was the controlling owner of Sniper Mail anybody familiar with this? The reason I like this one is because he's still more than one billion records containing personal information so I call him my Dr. Eva I can't do it well but anytime you can throw one billion out there and quote you know Austin Powers and it's a great thing this dude got 96 months for Sniper Mail it was out of Arkansas and I didn't know the prosecutors who were working on this it was a long case they finally pled it out again sophisticated decryption software to obtain the passwords authorizing or exceeding his authorization Yu Li a Chinese national this guy is not Ferris Bueller he's at the University of Utah he hacked the computers to change his grade and got busted he got his professor's username and emails and it's just kind of like alright that was thrilling so on that one the botmaster dude this one good old Jensen James got 57 months he got three years supervised release $15,000 went to China Lake it's a naval facility out there in California I just like that because I used to have to do work at China Lake China Lake blows shit up I mean so he's hacking their computers it could be kind of interesting with what they're doing out there the reason I like this one is because you know it was the big bot aspect of life and this guy had a $460,000 and his BMW I like that because you know it's like it says up there I do a BOT lose a BMW he got apparently $107,000 by downloading adware to more than 400,000 infected computers that was pretty good on that and good old Enrique Perez here he was basically selling spyware for people to use and of course he was using it too riding on the heels of that and so he basically was out of San Diego a thousand folks on that one I'm not sure that this guy's been sentenced yet he's pled guilty and they're waiting and sentencing on this one I believe so those are my arrests and prosecutions I asked some folks at DOJ any obscure cases that I might be missing they're getting in under the wire because we all sit there and we all have the same list servers giving us information and I actually asked Paul Ohm who was at DOJ and he's now a professor at the University of Colorado Boulder Law School anything I might have missed and the first thing he said was well you're gonna talk about the NSA case aren't you? And I said no obscure cases that I may have missed and he said no and my DOJ guy said some aspects of employers using the Computer Fraud and Abuse Act the presentation before this was looking at the different changing roles of DEF CON how it's actually become more networking and aspects of that and so I thought I'd talk about this when giving the aspects of being in computer security and the things that you do and the number of different organizations that are out there and how quickly you guys can move from one consulting firm to another really fast and these cases that are up there are specifically talking about that aspect when you're in negotiations with possibly someone else that's gonna hire you and you're talking about that aspect of having the non-disclosure agreements the use policies the no competition clauses that are going on and again that my ninth circuit guys on California again, big computing aspect area they hate anything that limits competition in this they really don't honor these things a lot and what's happening is they say at that point when you say I'm leaving security firm A and I'm gonna go work for security firm B your authority to access those computers has ceased it's stopped so anytime you log in there you have now had an unauthorized access in elevation of your privileges which is civilly liable under the computer fraud and abuse act so your employer can now sue you when you go over there so it's kind of an interesting aspect that you might wanna be aware of if you're starting to do that the aspect of this is it's based on that fiduciary duty of agency that we say again, if you ever had a cocktail party and you wanna impress some folks say well I had a fiduciary duty to do with my employer wanted me to do but they were gonna offer me a lot more money and so I just went and wiped the logs that aspect what they're saying is once you make that determination to switch employers it's not even going and putting in the two weeks notice you stop that agency relationship has been breached you're no longer working for that employer so any access you've got there is gonna be a little illegal the V chip case I mean this guy was involved with patents he went in there and you know download you know this is the classic aspect downloaded all the stuff he was working on deleted all the files and took it with him so it was a pretty easy case to rule on with that the other case the PC Yonkers is actually they're like party stores they're like these party cities and basically all they were stealing was the information of the different customers that they had on that one but again because they accessed the computers they were going to rule on the computer fraud abuse aspect of it I think in this particular case it went against them because they could not specifically identify at what point in time they accessed the computers and if they did get any really beneficial information on that so that was the one case that kind of cut the other way on it for that using pen registers trapped trace devices on your email accounts I did not get a 10 minute warning I did I didn't see it I was laughing damn attorneys we are at the end couple cases there's a inray for Gianno the daughter hacks ex-boyfriend and they go to the parents house and sees all the computers no criminal charges filed and they kept all the computers so be careful your system that you're setting up there and the last thing I had which I knew is going to make sure I'd go over in time is the case on the United States versus Garcia it deals with web bugs and web beacons and it deals with the government's use to put those to get to your machines for attribution is that a search is that a seizure there's a great case out there uh... that basically says there is no expectation of privacy and contraband and so if you steal something and it's yesterday's versus more you have no expectation of these stolen goods so I can put whatever I want on it and you can go right to your computer just got to talk that away if you have any questions about that come up and talk to me if you enjoyed this presentation please make that known to def con now the only thing standing away from positive evaluations is for you guys get into the beer so thank you very much go get a beer