I hate being wedded to a podium. Good evening. This is the legal aspects of computer network aggressive self-defense, our agenda. We're going to talk about the aspects of active response, self-defense, self-help, and things like that, and we're going to look into some scenarios that go along with that. The disclaimer: I am a member of the Armed Services, and I am here in a personal capacity. This comes from the Joint Ethics Reg. It's wonderful reading if you have ethics in government and you believe that. Here, all my errors lie with me. This is my personal presentation. It has no view from the Department of Defense or the Department of the Army, and so there's the disclaimer. I am Major Robert Clark. I am the legal advisor for the Army's First Information Operations Command. As part of that, I am the legal advisor for the Computer Network Operations Division, which contains the Army's Computer Emergency Response Team. So that's how I got tied into doing this computer and internet legal aspect of life. I find it very fascinating, and the fun aspect is I get to learn as much of the technical stuff as I can possibly grasp with my one megabyte hard drive in my head. I've tried to expand it; it's just not working, and the alcohol keeps erasing things. Again, there's that disclaimer again. I'm not your lawyer. I'm, at the present, not DoD's lawyer or the Department of the Army's lawyer. I'm up here personally doing this. With that in mind about me, you can very easily make me look stupid in this presentation, because I'm going to try to go and deal with a lot more technical aspects of strike-back technology and kind of the legal ramifications of it. So, if you want to make me look stupid, that's going to be easy. If you want to help out, please do, but I'm not going to cut my speaking fee with you. I'm going to keep that. I might buy you a drink, but we'll go on that one later.
One of the aspects, I'm curious here: how many people saw my other pitch that I did, a year in review? All right. At that one, you heard some things, which are up here. Facts are king, and that's the important aspect when you're getting into this area. If you're doing this or thinking about doing this, which is an interesting aspect, I met with the publisher, one of the reps from Syngress Publishing, and we were talking about getting together to do a book on legal aspects for aggressive network self-defense. And we said it'd be great if we could find somebody in a financial institution who would anonymously step forward, but at least come up with things that are actually being done, so we could write about that and get the hook into people wanting to read it instead of dealing with hypotheticals. This area, by the way, if you have questions, please pipe up. If you want to go in a different direction in a different scenario, please pipe up, because I have no problem with this, because, again, this is one of those areas where I wish I had a better grasp on the technical aspects of it. We'll go through it and hopefully grasp these right. If you're dealing in this area and you're dealing with your general counsel or legal counsel or attorneys in general, you've got to explain this in excruciating detail. For those of you who come out of their act, I apologize for repeating myself, but you're going to have to explain this at a third grade level. The reason is so they can understand it, because they're going to have to take this and explain it to somebody at a first grade level. That's kind of how it works in some of the legal profession. The other aspect, if you're dealing in this, you've got to get lawyers who are dealing with computer and internet security. They are few and far between. You just can't look in the phone book and pick one and go over and say, hey, I need some representation.
Oh, yeah, I'll be glad to do it. Because they're not going to know about the Electronic Communications Privacy Act and all the different things, the Computer Fraud and Abuse Act and all the other statutes that kind of play into this. By all means, you've got to find some lawyers who specialize in this. Another aspect I said about my previous slide, and this is because the guys who saw my previous pitch, all my good jokes are gone, so I apologize about that. There's kind of a small take on that. I said this at the other one: Computer and Internet Security Law is unsettled. There are very few precedents out there. We're trying to develop them as we go. And at the other one, I said, therefore I wanted to give some really good, sound advice, something that you take back, and so maybe you've already seen it. Part of it was, we're in the desert, so wear sunscreen. It's a proven fact that sunscreen will prevent skin cancer, and that's very important. Well, there's one thing I should have probably said. If you're at the pool and you're under a tree, if you can look at my face, my face and my body are the same color right now. I was under a tree all day today, and I didn't know that you need to put sunscreen on even when you're under a goddamn tree, because you'll get burned. So now, better legal advice: we're in the desert, wear sunscreen, and if you're under a tree in shade, still put the sunscreen on. It will help you a lot. Something else I'm curious about. It's 8 p.m. What the hell are you people doing here? You know, that's true. This is early for you. This is classic. I was at an NSA conference and we had some guys from EI up, and it was like 2 o'clock in the afternoon, and they're talking about doing analysis of some Microsoft patches that came out, and again, I'm learning, and they were doing the analysis.
Four patches were released, but in the code that came out were like four others that Microsoft didn't tell anybody about, and they're breaking it apart and going, and the guy yawns and he goes, what's wrong with me? And we're like, it's 2 in the afternoon, and it's like, this is getting late for me. I need my nap. So yeah, you're right. This is still early for you guys, and so I realize that. But I am curious. Always know your audience and who you're working on. And I'm wondering, by a show of hands, who's operating on one of the three major food groups right now? One being alcohol, caffeine and sugar, and that's what I... Let me tell you, that was law school, folks. That was law school. I'm being paused. Did you notice I didn't move while you paused me? I was trying to do that technical thing. But self-defense. Everybody kind of understands the aspect of self-defense. You know from the physical role, the aspect of threats that you face. You can exercise reasonable force when you find yourself threatened; on that, it has to be proportionate, which is always the classic. You know, it's the little girl coming up and saying, give me your wallet, and you pull out an AK-47 and blow her away. It's not quite proportional to the threat there. You've got to keep it proportional to the threat that you're facing. Personal property can also be defended on that one. But again, it has to be reasonable in what we are doing. The difference between self-defense and self-help has a little bit of a kicker to it. Self-help has an element of retrieving something that was yours, under the doctrine of trespass to chattel. Intel v. Hamidi was, I hope most of you have heard about it. Good old Mr. Hamidi was peppering Intel with thousands of emails to their employees, and they brought a trespass to chattel case. And one of the aspects of the things it said in this case was that trespass to chattel, and the law that deals with it, really favors prevention over post-trespass recovery.
And it said reasonable force to retain possession is okay, but after possession has been lost, not so much. Well, that kind of went against a lot of case law that was out there that said no, reasonable force can be used after I lose my property, and to retrieve it. It has to be reasonable. And typically what we're talking about is, if you're doing this in the physical world, it's not breaching the peace. Which, you know, the thing everyone thinks is, okay, my neighbor borrowed my lawnmower and I want to go back to get it. It's the middle of the night, I hop the fence, go in there, grab it, open his gate, now I go, and I haven't breached the peace. Now, if your neighbor is a paranoid asshole, and you open the gate and lights and sirens and the damn lawnmower, and he's there with a shotgun, and you're going to take a buck in your ass, that might breach the peace, and you may want to rethink it. So that's kind of the standard we're looking at when we're talking about a self-help standard for doing this. We take from the legal world physical cases and try to parlay them into virtual cases. I saw this case, and you're thinking, how the hell did an abortion protest end up with any kind of relevance to this? But it does tie in to our warped legal minds, and again, that's what you have to deal with when you're talking to the lawyers. A guy had a sign, who was out there protesting, and the clinic director didn't like it, went out there, grabbed the sign and brought it into the clinic. So the protestor walked into the clinic to retrieve his sign and left with the sign, and he was charged with a trespass on this, criminally. Well, he was not convicted, because they said he had the right to go in there and retrieve his property; he thought it was going to be destroyed; he did it with a reasonable amount of force; it didn't elevate; it was proportional; he did it quickly, within 90 seconds of it going in there, and out he went.
Okay, so the reason that kind of kicks in my mind is the aspect of, you know, what happens when trade secrets are stolen and taken somewhere. Documents, things of this nature: what can you do to retrieve your property, and how fast do you have to act? So that's one of the things that kind of comes into a legal mind. One of the other aspects that we deal with are some of the standards that are out there: expectations of privacy, and that special skill aspect that we talked about before. The special skill is going to kind of come in when I'm being hacked and individuals are retrieving things and bad things are happening in their systems. What's my liability in an active response? Am I allowed to attribute to them special skills, so that when they grab something off my box, I shouldn't be liable? So that's one of the cases that we look at when we're dealing with this. Reality: the aspects of this are very simple. Right now there are kind of four levels, or two levels, that you need to worry about in dealing with reality: criminal charges and civil charges. This is a defense. If you do an active response, you could possibly now be prosecuted by DOJ, because they don't need a victim; the state and the government's the victim. And you can also be sued. Now, one thing you need to know about being sued, the first thing you need to know if you're going to do this, is: do you have any money? If you have no money, then what the hell does it matter if you're civilly sued? You haven't got anything. So the first thing the lawyer is going to say is, who do you want to sue? Does he have any money? No? Get out of my office. It's a pretty simple thing. So that's one of the considerations: if you have no money, knock at it. What a lot of the law review articles that are dealing with self-defense, active defense, are talking about is they're trying to break down those two things into four things. You have your criminal and your civil charges, and they're trying to come up with a privileged exception or a defense to both of those, so you'd have
four things to look at. Civilly, you might have a real good chance of seeing that happen. Criminally, there's a three-letter agency just north of Northern Virginia, just south of Maryland, that does not want to go down that path, probably. They are not very big fans of active response, and a lot of the law review articles that you see written about this is, good God, we're going to be back to the Wild West with everybody shooting at everybody else. And we hear that a lot, and so that's kind of one of the other aspects you see. And again, there's that damn disclaimer, because everything I talk about here, again, my previous pitch: when you ask a lawyer a question and start talking about things, the first thing personally I like to hear out of his or her mouth is, you know, it depends. It's kind of a standard joke for us. You know, you ask an engineer or a mathematician what's one plus one, and they'll give you a whole analysis about integers and positives and negatives, and they'll say, but if you're talking about a positive one and a positive one, that's usually two. If you ask a lawyer what's one plus one, typically they say, what do you want it to be? And so that's kind of the aspect of it depends. When you're dealing in this area and you start asking questions, you want your lawyer to be asking you a lot of questions to break it down, because again, facts are king, and that's the thing that we're working on. Those scenarios: this is not a shameless plug, because I have absolutely nothing to do with Syngress Publishing. I asked them if I could use their scenarios from their book and they said yes, and so I thank them for the permission they granted me to use their scenarios from here, because as a lawyer I need to get into some technical, and if this is like at the technical level of a comic strip, I apologize; that's where my brain works. If it's more technical, then I guess I'm doing kind of good if I can grasp some of this. And the reason I use this is because when you talk about an active response
and you get lawyers in the room, we always seem to jump to the worst case scenario. You know, I'm getting hacked, God damn it, I'm pissed off, they're in my system, I'm going to fire back and melt the machine. And the first thing the lawyer will say is, how do you know that's not a server that is running a hospital, and when you fire back it's going to bring the entire hospital down, someone's going to be on the operating table having some appendix removed, and everybody's going to die, and dogs and cats will be living together? And we'll have to go back to that area, and, you know, that's typically how we go. So the reason I wanted to go with this is because I wanted to get to attribution. I didn't want attribution to be a problem, although there are some aspects when I get into these scenarios of, am I hitting an innocent third party's box when that's where the attack's coming from? There are some legal aspects to that, and we might touch upon that. And again, if you want to go off script and go in a different area, please let me know and we will go there. A bunch of guys, some friends of mine, are at this conference, and they came in here and they're staying up in the Bellagio; there's like 10 of them up in a suite. I've never seen so much goddamn electronics in my life. I've seen some pictures of some bus that DOJ has done where like entire sections are wired and everything's going off, and of course everybody now has got their little PDAs, which apparently could launch Apollo 13 with enough that's there. So clearly these are devices that qualify under the Computer Fraud and Abuse Act as a computer device. The scenario in this one was written by Seth Fogie, and again it was hopefully kind of semi-simple so I could understand it. The way it works is, the guy rides the Metro into DC all the time, and he likes to get into these, you know, wireless games played there, and, you know, if he doesn't have the game, he downloads it, which kind of goes into that aspect of, you know, if you're in
this business and you've got that special skill, if someone's going to offer you something, you know, what's the liability if all of a sudden you've got a key logger on your system? I mean, are you just going to sit there and blindly put something on your own stuff? But that would, you know, kind of, in our example here, if I said, you know, he has no defense. And that's what happens here: he gets a nice little Trojan put on his device, and he discovers it because he notices there's a reduction in the RAM going on. So he does the forensics on it to find it, and he finds Bob server execute, which is a backdoor FTP. My name's Bob, whatever. What the hell, why is it always when you log into an anonymous FTP it's bob@aol? I couldn't forget that. Everyone's like, I'm like, how did Bob get to be the asshole in this? But what the hell, what is it. So he does the forensics on this, and the scenario is interesting because he feels violated. He wants revenge. Now he's got an unknown attack. What the hell is going to happen if he goes to the cops and says, hey, my system here, my device, I got this virus that came in, I don't know who gave it to me, what the hell should I do? You know, cops, underpaid, overworked, they're going to say there's a public clinic down the road, get out the door. They're not going to understand what's going on. So what can he do now? He can, in my mind, go out and start doing a little forensics to find out where this came from, because this is a threat. If it happened to him, it could be happening to other people, and if this guy's out there getting access to PDAs, you're starting to download a lot of information off of there, especially with the amount of processing and information these things can hold. Think of our typical users, not our special skills folks: our folks that have got their Pocket Quicken on there, their financial records; in their address book they say, my PIN number, it says PIN so they can remember it; their credit cards; all the information that could possibly be
in there, the typical users might put in there. This actually could be kind of dangerous. So he's going to go out and learn the identity of this individual, and at that point in the book it says he's going to learn the identity and cause severe data loss. Now, right up to that point, with that two-phase attack, if you're going to learn the identity, hey, this is kind of self-defense, I can kind of understand it, because he's going to keep riding the Metro and he wants to find out what happened. It's the severe data loss that's going to start getting him in a little bit of trouble. So he's going to look for a reverse attack on this to do that, and again, that's the part that I'm concerned about. He wants to trick the guy into downloading a file, and it's going to contain a hard reset, is what he wants to do to go with this. So phase one, the reverse engineering, and that's what we're going to do. The reverse engineering he wants to do is, he wants to have something that's going to alert him when it happens, he wants to protect his files, and he wants basically the attacker to grab something that's interesting, obviously, and take it back and put it on his machine. So he creates a virus, Bob execute, and because when the file's there it's got to do something, he says, I'm going to let it launch the calculator. The guy will probably think, what the hell, there's kind of an error in here, I'll close it out, and that way it's on there. He's going to include this polymorphic routine to ensure the copy of it does not launch it every time. And the plan is, he does some research and he finds that there's this Trojan called Brador. I'm from near Canada; I always thought Brador was a beer, so I kind of thought this was pretty cool. And so he's going to do this: it's going to be made up and it's going to get put on his victim's machine, and that's the direction he's going to go. As part of it, some of this, he's going to kill the Bob server execute that was put on there, he's going to name it, put it in here, and you guys
probably understand this a lot more than I do. My previous demonstration or pitch, you guys didn't have to read; I'm making you read this time, sorry about that. So you guys understand this. So he's going to plant this out there and hope the guy will take it, and away we go. As part of that, he's going to get notified when it goes and executes. He's going to create the backdoor server, so basically what he's going to do is put it on his victim's machine so he can connect to it and start taking information off of it. Is there any problem here so far, as far as violating the Computer Fraud and Abuse Act? Who thinks so? Well, see, that's the aspect of it. You know, yeah, he's clearly going down that path. What choice does he have? I mean, he doesn't know where the attack's coming from. Doesn't he have the right to find out where the attack's coming from, and is this proportional to what's happened to him? So we're still operating within that self-defense aspect of life in terms of proportional, timely in the response. Now, this is a crime, but again, is this a defense to it? Now, one other aspect I didn't point out: the way defense lawyers all think the same way about one aspect with their client. At the end of the day, when the verdict comes back, the defense attorney is going to go home and have a steak dinner with a nice glass of red wine, and the fact that the client might be going to jail and under a suicide watch for the next 72 hours, actually, you know, he's going to go home and have that glass of red wine. This is something you want to think about. So this is the aspect of, is this a defense? So our guy here is going to send it out, and the plan, after the reboot, he'll have the FTP server on there and he'll have access, and he's going to put the hard reset on there the next time he reboots. So the day comes, he hops back on the Metro, he starts playing Snails, and he gets the alert that everything's going fine. So he connects to the victim's PDA, or the attacker does, and on there he put a MiniStumbler on there, which
again, I think that's pretty cool. It would get me; it probably wouldn't catch you guys, but it would get me. And he executes it and up comes the calculator. He's kind of like, well, that's weird, he turns it off, but the victim has everything the guy wanted on his machine. So the next day, it didn't go quite exactly as he wanted, but the next day the alert comes in, he's got the back door, and this is how the scenario goes in the book: the documents folder, and downloaded a few files of interest. All right, any problems there? I have a question for you. If you want to find out who your attacker is on this and you've got access, what's a better way to do it? Come on, guys. Texas? What's any other way better? Address book, good one. That, you know, that's what my lawyers at our criminal shop that I work with tell me: you know, look at the registry to find out if they've done that. Now see, I'm a stupid enough user that on my Palm, you know, I fill it out, you know, the owner of this is, you know, Bob Clark, cell phone number, thinking that good Samaritans that find it might return it. But, you know, the other aspect is, because my Handspring is like, you know, 50 years old, so why wouldn't you return it? Give me what's going on on that. So that's what all my law enforcement guys say: you know, do the search, not in going to My Documents but the registry or something like that, to get the information, something a little less requiring work: the authentication keys for the OS. And so you take that, give that to the cops, and they can trace them to find out where they're at. You're done, you've done your forensics, and away you go. And both on your computers, both are bogus, outstanding. He has two. Anybody got three? Four? Four. Four? Five? Five. Sorry, anybody who admitted on that. So he goes into My Documents, looks at a couple of things, jumped into the compact flash card and found several copies of my log file. All right, self-help: can you delete those? Personally, I think so. This got into an aspect where I was just up at Harvard with a bunch of maybe
smart folks, maybe not, and there was a guy from DOJ Canada there, and we started talking about self-help, as lawyers are wanting to do, and he was like, I don't understand why you'd even want self-help. I said, okay, I'm a corporation, I have trade secrets, and one of my guys is monitoring the logs and sees that I've got data exfiltration going out, and it's going to an anonymous FTP, of course. That's what my guy's telling me; in my logs he's seeing the FTP with the password to get in. So as the guy sees it go out, he grabs the password to the FTP, goes to the FTP site, which just happens to belong to a US corporation, logs into it, uses the password to retrieve the stolen trade secrets, on that elevates his privileges so he can wipe the logs. No way; actually, in the scenario the guy didn't elevate his privileges, because he didn't wipe the logs, and that's how they get back to the guy who did it, who had a problem with that. But if I'm smart, I'm going to elevate my privileges, wipe the logs, I've got my trade secrets back. Self-help: what's the problem? And the guy from DOJ Canada goes, hey, I didn't think about that, that's a good scenario. So that's again coming back from a corporate world, how that would play out and what's going on. But in this one, so he's deleting those files, which I think is a defense: it's my chattel, why can't I get rid of them? He pops over to the internal storage folder, once again cherry-picks a few interesting files, but then he deletes the contents of the folder. You're starting to get out of the proportional aspect of things here. The final act is, he uploads the hard reset execute into the startup folder, which will completely wipe the PDA on a reboot. Interesting aspect of this now, from a proportional aspect of life: we talk about the different ways to find out who this belongs to. You know, My Documents might be a real good way to find out, you know, who, you know, has a guy signed some documents, a gal signed some documents, to find out the identity of
this individual. So if you can get the identity from this individual, on that aspect of it, before you put the hard reset on there, you know, and he goes and gives it to the cops, and the cops can go do the knock on the door with the subpoena and the affidavits to search, because, kind of based on the forensics this guy did, you know, they've got the affidavit there, the search warrant, go in, bust the guy, collect up all his computer information, you might be able to do something with that. Of course, now the guy who's doing this, what's he gonna say? I didn't do any of this; this guy put all this stuff on my machine. And that's probably what the feds are gonna say: forensically speaking, you've dorked around with this guy's system so much I have no chain of custody on this one, so I really can't prosecute this. The other aspect about this: is this gonna become public information? Is the guy, when he does a hard reset and loses his little PDA device, gonna go running to DOJ or law enforcement and say, hey, I've been hacked, I lost all this stuff? Oh well, what were you doing? I was hacking that other gentleman when this happened to me. So again, another aspect in the field there, you know, am I gonna be sued, is there gonna be a criminal case, you know, how's this all gonna play out in the scenario on this one? Final chapter on this is a knock-knock from the cops, and they say, we have a warrant for your arrest, because apparently the attacker posted a copy of his My Virus Bob execute online, and since he had signed the code with a small note to the attacker, it wasn't very hard for the feds to track him down on that one. It's kind of an interesting aspect when we talk about doing these kinds of things and these kinds of devices out there in the real world. The aspect is, are you liable for someone else's crimes? So if you take someone else's code that they've done and you use it, is the person who wrote that code gonna be liable for your acts, and could they be criminally charged? The closest thing we've got
are gun cases, actually, where owners of guns have left captured guns out, and either there's kind of a divided line between knowing that people with violent tendencies get their hands on their gun and go out and shoot somebody. And there's a case that really just came out in Boston, I think, or Massachusetts, where the gun owner had secured the gun in a locked cabinet, and his stepson, who was an adult, was 19 years old, but had some violent psychological aspects in the past the guy should have known about or knew about, didn't take the keys and open the thing; he undid the screws on the cabinet to open up the case, took the gun, and went out and shot a cop. And the wife of the cop brought a lawsuit against the parents for the criminal act in civil court to get damages, and they held yes, you should be civilly responsible for that, because you knew the stepson had violent propensities and he didn't take enough steps to get that weapon. So my question becomes, if you've got code and it's part of your job to write code and experiment with them in closed environments, what steps do you need to take on your computers to protect it, to make sure somebody doesn't get access to it? It's just something to kind of throw out there, and the answer to that is, it depends. So on this one, the manufacturers of the weapons on that one, when it comes back to the code aspect that people are stealing, you are the manufacturer of that code. When it comes back to, did I modify the code or did I write the whole code, and again, you tell me, I'm seeing the guy who writes that code as the manufacturer of the gun. Now actually that's a good one on that aspect, except the line stops with the guy who manufactures the code; there's another line behind the gun owner. But that's the other aspect: you write the code and you're in the security field, and it's a great zero-day exploit, and you've tested it in your lab and everything, and you're checking with a buddy and he says, well, you go here, do an assessment on this one, see if your
system is going off, see if you can pick it up. So you give it to a buddy to use, put it on his or her machine, and someone hacks that machine and takes it out. It depends, and again it comes back to, because that's the first thing, and again I'm talking about the civil aspect of life as opposed to criminal, because typically we are not liable for someone's criminal acts. There are a lot of exceptions to that, but again, it depends. There's a bunch of facts: what aspects did that individual take when you passed the weapon to that individual, what did they take to secure it, how were they handling that aspect of it, the person who took it, what was the skill of the person who took it to get around the protection that person put on there? So again, a whole bunch of factors to look at in terms of what gets out there for that. Yes? The comparison aspect to kitchen knives. There's an interesting aspect about that, because there are a lot of good self-defense cases dealing with kitchen knives, so I'll have to look into that and see if I can't parlay some over into the other aspect of the world there. And I don't want to get off track on the gun manufacturers aspect, but one of the aspects you've got to look at when you're doing your job in security is how well you are securing the things that you've got on there and what people could be getting in their hands to be used. And you guys are the experts, so you'd have to tell me what can be traced back to you with signatures on that aspect. Some things are very easy to trace back to you; other things, from my telling of your field, are not so easy to trace back. So that's kind of the first scenario I was looking at. The reason I like that one is because it does work with also kind of changing your device to a Wi-Fi on that. This next one is going to kick my ass. This is trying to get into kind of a dogfight. What I'm being told by most corporations and their systems and their intrusion detection aspect of life, the defender in this one was told to actually start
developing strike-back technologies for his firm, so he's already thinking ahead of this. Most of the stuff I'm told is done retroactively; you don't usually see the dogfight and have things there, because most of the defense systems are passive defenses where they go off after someone's come in, a signature or an IP address. But this guy has, this one's being a scenario written by Haroon, I think it's Meer, and Roelof Temmingh, if I'm getting that right; I apologize if I'm not. And so they're looking at actually doing some active defenses, and so I apologize when I butcher the technology on this one, but I will do my best. It's going to start off with the attacker trying to gather some intel on what he's looking for, because he's been hired to find some specific information on hydrogen fuel cells. This could be any corporate information in the world that someone could be hired to target, so it could be trade secrets: go give me the Coke trade secrets, go give me next year's model for the Dodge Challenger that's coming out. So it's kind of an interesting aspect for that. And after doing his intel, his aspect points towards this company called Primulus. I like this one because, in the book they used, he starts talking about good old Jules here, and the line he used to use before he'd whack somebody, which was probably my favorite scene in Pulp Fiction, when he says, lay down with our vengeance. It's kind of like, it's pretty cool, because he thought it was cool shit to say before he popped a cap on somebody. And on this, so what he's going to do is, he's going to populate his DNS zone with two million different entries, some with some nice three-letter agencies on this one. And you guys, the reason I like this one is because he says nobody would ever legally get to the really key entries in here, because he was going to make the top three machines in the 11 network with some special reverse DNS entries. Again, I'm a lawyer, so I'm reading through this or ask this as best I can, and when I had my
techies at work start looking at this, they started laughing out loud, because I was not really aware of what the rm -rf and all that aspect was really going to do. And then they explained it to me, and I thought, oh shit, that's pretty cool on this. And the reason I like this is because, when he explained it to me, when you're doing your reverse DNS lookup, information is going to start flowing back. He's requesting this information, and it's going to melt his machine. So am I sending, or am I transmitting, this code out there? I'm not. I just got it sitting there; somebody's going to come and grab it. Have I transmitted any code out there to melt this guy's machine? Am I going to be? No, I didn't. Now what's my intent? My intent is to wipe his machine. But the other aspect on this is he says nobody would ever get to this; if they got to this, this is somebody with a malicious intent, right? Oh, a couple aspects here. Do I have a victim? No, I'm not going to have a victim, because this guy's hacking, so it's not like he's going to run to LEA, law enforcement, and say, hey, this guy just melted my machine. So I did like this. It's proportional; it's staying within his system. So arguably you could say, hey, it's just self-defense. Again, I've got a hacker that gets attributed special skills and knowledge, so anything he grabs and brings back, hey, he's liable for it. It's his or her mistake; they're responsible. I do kind of like that aspect on it, and again my techies like this one, so they explained it to me and I enjoyed it. Self-defense: will that hold up in court? The conference that I was at, where we got into this self-help conversation, I asked a representative of DOJ was he aware of anybody being prosecuted for an active response, and he said, I'm not aware of any case whatsoever.

The question is, is this the same as RIAA going after people to delete their files, and the rootkit that was put on there? Is this kind of the same thing, the self-help aspect of it, and specifically going after music and everything? Was what RIAA was doing, was that self-help, was that an active response? Who here says yes? Ask EFF; they're going to tell you yes it was. Now, were they prosecuted? Well, they're pursuing some legislation. Are you talking about the rootkit they put on there? I mean, because, well, that actually, self-help, I mean that's DRM, that's monitoring that way, but that was actually putting spyware on there. It seems to me to be quite the aspect of self-help. Go ask DOJ why they weren't prosecuted. It's reasonable? No, wait, wait, I didn't express an opinion on that. See, now don't jump to the conclusion that I'm saying RIAA was correct in doing that. If it seems reasonable to put it there, you're assuming your clients are going to steal something or do something malicious with it. Preemptive, preemptive self-defense? Wait, preemptive self-defense, okay, I can't go there. I work for that guy, and the last guy who commented about somebody being a general in the Air Force, had stars, and said something about a president doing something, he was shown the door really fast. I have no stars on my shoulders whatsoever, so we won't go there. Honest, the questions are very valid, and what you're asking, and it's all that aspect: it depends on this one.

Question back here. Banners, is that what you're talking about? Banners, signs warning someone to come into my property. Okay, my house. Do I have a trespass sign on my house? But if I have attack dogs, I've got this great lab, she's wonderful, and she'll bark, but then she'll show you where the china is, of course, on that one. So again, attack dogs. This aspect, again, my aspect to defend my property has to be reasonable in what I'm doing and what I'm setting up. You guys are the experts, so I'm going to go back on this one. He populates it with two million entries. Is it going to take some time for you guys to get through that stuff to find out what's real and what's not? Yes or no? I see some heads nod, and nobody wants to split my fee and step up and say, yeah, it's going to take time on this. It
depends. I like that one, that's a good one, but I'm sorry, I thought this was a hard science; I didn't think you guys could say that. From what I understand, for this scenario, to get through the real ones you've got to run a script to filter out the bad ones and get to the real ones, and again I'm going off of this. Basically it said in here, when I read it, this is going to take some real malicious intent to get here, and that's kind of the aspect that you're going to look at when you're doing this. I'm going to go back to the question of when I asked DOJ has anybody ever been prosecuted for an active response. He said he wasn't aware of a case. Public knowledge: there's a case out of the Eastern District of Virginia where the prosecutor in the Eastern District of Virginia declined to prosecute an active response case. So I'm aware of one where the prosecutor declined to prosecute it; it's the only one I'm aware of on that. So I would like to try to do this as best I can and continue on with this scenario where I'm at with Nathan. Nathan starts doing his lookup, and he's noticing that it's big, 17 megabytes. He's kind of surprised this is going on. He's noticing a lot of duplicates, so he's going to type in a command to kind of try to get through that, and he finds apparently 11,310 unique DNS entries. He goes through this and he starts digging through some stuff, and the reason I go through this is maybe you guys understand this better than I do, I'm sure you do, because as he goes through this, all of a sudden the book says he looked at his screen, his eyes became watery, he felt his heart pumping ice cold water, he knew the feeling all too well, and he jumped across there and started pulling the ethernet cord from his firewall, knocking over coffee, and found out he had been had on this one. And then, using, he analyzes this, notices, he catches with his eyes the rm -rf in there, and laughed about it. In this scenario it keeps going on, and these guys start discovering that this is going on, that they're going back and forth. And so on this one, the next thing is, the guy, he messes with his iptables to kind of look at, deal with the nmap, and he puts some listeners out there on this. So the next connection, when the guy does this, you know, he'll get more, again, an announcement. They start sending emails back and forth so they know what's going on. He realizes there's a honeypot going on there, which is pretty good, and from this he starts going back and forth. Now one of the things the guy does at the end here is he creates, you know, you guys will understand this a lot better than I will. I'll let you look at these things going through here, because I want to get kind of to the last aspect, where he creates the new directory and the guy does steal the data, and that's how he gets rid of them. He does get had. He loses his directory, populates it here, and the guy steals a bunch of documents to get information on hydrogen fuel cells. And when he goes in this file he sees a lot of technical stuff, so he just grabs it, wraps it up, sends it up to the guy who hired him, and away he goes. Well, when the guys open up the file back at their corporation, it gets a nice little message saying "you're owned," and their entire system is locked up right from there. Which, again, is that proportional to what's going on? The question becomes, they go through a bunch of scenarios, and this back and forth, defenses, re-defenses, the dogfight imaging that's going on. So my question becomes, this guy didn't go away, so is this proportional or not? How much is the data worth?
You know, the idea is, that's a good question. What are you trying to get to? What are you trying to defend? This is a corporation, so let's say trade secrets, and, you know, does it have to be worth $5,000 or $5 million? Those factors are going to depend on how big I am. My mom and pop shop that's working on a specific government contract, that if I lose this, Northrop Grumman or Boeing or somebody is going to grab for that aspect, so it does come into play there. So what can I do, how far can I go, to get rid of someone who's persistent? And if I'm your lawyer, I'm pretty damn far. The guy didn't go away. You put all the experts up there to show all the different techniques they were using, all the things I did. Now the other aspect about this active response, the other argument, is everything I did was internal. I personally didn't send anything out. Yes, I intentionally wrote stuff so when the guy grabbed it he'd take it back. Again, one of the things I want to say is, hey, special skills. I thought the guy sucks, alright, if he's going to bring this stuff back and open it on his machine; that's his problem, not mine. Now the question becomes, I'll get to you in a second, I asked some guys, could this be launched from an innocent third party, could all these commands and all this? In the scenario of the book it's the Linux aspects that he's running from his box and his machine. So the question becomes, if I'm doing this from an innocent third party, what if I fry their machines? What if the server is from Citibank, because the argument is here, and their server goes down and they lose millions of dollars? My favorite one is, what if I am Citibank and my guy is doing active response and he goes and fries the innocent third party machine, and that innocent third party machine is a Chase Manhattan machine? What does that now look like in the press? Citibank fries Chase Manhattan, highlights at seven. Now the downside is you're going to have DOJ knocking on your door. The good side is, think of all the new customers you're going to be getting from Chase coming over to Citibank. So there's that plus and minus thing that you're going with it.

The question is the robbing of the bank and the ink thing going off on you, those two, and that's the aspect, that physical world case you're just talking about where the ink thing explodes all over them and you find them. When lawyers start getting into this area, that's exactly what we started talking about, in terms of isn't that, isn't this the ink thing exploding to protect my trade secrets? Now a couple aspects on that, this scenario and the PDA scenario. The PDA scenario identified who it was, you know what I'm saying? He really didn't find out or do anything with the information that he obtained on that one. So your scenario is, if I'm getting the information, do I have to hard kill this person's operating system to gather information, for that red dye to be all over me? You know, the aspect is he's killing the machine. Now the question becomes, alright, am I going to find out where this person is, or can they come in from such a non-attributable line that I'm never going to really find who this is? So the aspect becomes, can I get attribution? Again, you guys are the experts. Are you ever going to open up something on your box that's going to be a web bug or a beacon that's going to give me your real IP address, so I'm going to know where you're at and I can find you? I would hope any self-respecting hacker would not. You never know, I've been told. You know, yeah, I might get some low hanging fruit, but not the real top dog, top dog guys. So there's that aspect. It's kind of an aspect where I can't find where this is coming from; I've got a persistent threat. So, you know, the hard kill on the machine, you know, this particular scenario, the stealing of the trade secrets, was the guy going away? No, he kept coming back, coming back. The only time he went away was when he got data and left. You know, real world, if you really want to be malicious, you get the data, the guys are looking
at it, actually, that hired the hacker, they know it's shit. What are you going to do? Come on, baseball bats, let me introduce you to my little friend. Yeah, that, or call the guy back, say get back at it, or find someone better, which means this company has a persistent threat that they have to respond to. And those persistent threats seem to be a reason for why you should be able to respond.

Building a booby trap on your property, you know, that's, you get me a lot of these debates, and you get all the lawyers sitting around the table, and that's where the honeypot aspect starts coming up, that that's entrapment. And I know a lot, Rich Salgado, who works for Yahoo now, was in DOJ and wrote the legal section on the aspect. By the way, you're staying here of your own free will right now, so if you want to get up and go, go ahead. We're past our time. Somebody give me a beer, because now I can drink on this one, because now I'm on my own. I could drag for a little bit. The aspect on a honeypot and entrapment, that argument coming up, it's always been, I've always heard it thrown up there. Now the question becomes the aspect of, if I've got my network there that's being mapped out and I'm leaving things clearly vulnerable to direct you into that, is that entrapment to get in there? I'd say no, because the aspect of entrapment has to be, you can't be predisposed to commit this crime. Now if I, you know, if I'm law enforcement and I build this out there, and then I go into all the IRC chat rooms and I start going, hey, you know this whole, you know, IP address over here, it's easy, it's been compromised, go use it, it's got these vulnerabilities, hop on in there, that's starting to get more, from a law enforcement perspective, under the definition of entrapment. Remembering, of course, I'm not your lawyer and I'm not giving you any legal advice. Well, yeah, and that's the aspect that he's saying: entrapment is typically a problem if you're the government doing it, as opposed to a private person. Yeah, absolutely. So,
but, you know, the question became the entrapment aspect, and again that's not so much an issue unless I'm out there, you know, from a government perspective, advertising to come on into that. So, you know, I'm really going to have to embarrass myself here. Guys, this is something about The Cuckoo's Egg, and, well, now, okay, well, it's an interesting point that's coming out on this one, because it comes actually in the computer network defense. There's a line, when you're defending your network and you have a threat and you see it and you tell the cops about it, and especially under the Computer Fraud and Abuse Act with the computer trespass exception, the cops being able to come in and now immediately start monitoring that and watch what's going on with the trespass that's coming in. System administrators, when they're doing forensics, have got to be careful, because if you're doing your own system forensics for defense, you're entitled to do that. If you start acting at the discretion or the direction of law enforcement, Fourth Amendment protections can be put on top of you and you can become a pseudo law enforcement officer, and so what you do, in terms of what you're downloading to get, can be suppressed in court from a Fourth Amendment perspective. The nice thing about the Electronic Communications Privacy Act: if you violate that, or cops violate that, the remedy is not that the evidence will be thrown out in court. It still comes in; you get to civilly go sue the cop and get damages from the cop for doing it. Kind of an interesting aspect on that. Cops did that, they violated the Electronic Communications Privacy Act in a kidnapping case, and the kidnapper sued them and won the case. I don't think he got any money, but he won the case on that. But as a system provider, if you start acting at the directions of a cop, you could violate the Fourth Amendment and make the cop's case all screwed up. Ask me about that.

A signature, sorry. My aspect, this is a soft kill. I'm going
to reboot, everything's back up. So blue screen of death, okay, so you're going to, and I'm going to try to do this again. So basically someone's scanning your system for a vulnerability that's been out there for a long time. You know it's there. You want to put a decompression bomb in there to give them a blue screen of death when they're doing it, to stop them from doing it. Scenario, I want to, in case the guys in back didn't hear it: could you write a signature so when they do that and you see it, it directs them into a honeypot, and then you kind of let them just kind of fool around and do whatever they're doing while they're in there? Okay, so if that, you know, my aspect is the signature to block that. You know, the blue screen of death, is that proportional if it's a persistent problem? And again, you know, like the gentleman behind you, it depends. You know, if it's a persistent problem and you can show it's a persistent problem. Now here's the other aspect, because I get this from, you know, from certain law enforcement lawyers all the time. Okay, is it a persistent problem? Can you show it? Can you show which IP addresses it's constantly coming at you from? Because we always get, from a system administrator perspective, they always say, why don't you just block the IP when you see the vulnerability coming in? And I'm like, because I blocked the IP and then they come from 50,000 other IP addresses. What is wrong with you? And so that aspect, that persistent threat, I'm going to guess there's something probably a little more tame you could do than that. Am I going to say you're outside the realm of proportionality? Again, no. As a lawyer, no, not at all. By all means, I'll go have my steak and red wine at the end of the day. What was your intent for doing that? I mean, your intent was to have code go out there to their machine, and that's what happened. Are you legally responsible to patch? I can't answer that the way I really want to answer that on that. Again, that's kind of my aspect of third-party liability. If I fire and melt somebody's machine because they didn't patch their boxes and someone compromised it and that's where they came from, and as a self-defense I'm going to say I got to stop the pain, and, you know, pulling my plug, taking me offline, is not stopping that persistence, lawyers say, well, go ahead, hit that box. Then the third party wants to sue me for doing that. There's another theory in the world out there called contributory negligence and comparative negligence. There are two different standards, and I apologize for not having looked at these carefully. One of them is, if you're 51% at fault you can't sue me. There's another one where it's, I'm sorry, if you're at 97.5%, well, you can sue me and get that 2.5% of your recovery. And it was probably a great case on that, where a gal sued for a bad haircut. What happened was she was working on a routing machine; they rewired it to make it go faster to operate. It was a turret drill and it ripped her scalp off. Now she jerry-rigged the machine to work faster, but the argument is, the reason I did it was because my company wanted me to work faster. On product liability, which we don't have in software (someone else had asked before), they found the company who made the machine was not liable for 97.5%, and she was, so they were still responsible for 2.5%. So that aspect on there is contributory negligence. But an unsecured machine, what is your responsibility and your liability for that machine and what you've left vulnerable? In the back there, sir. A couple aspects, good points. When you're tracing it back and finding out these, again, that's why I went with scenarios where they had positive identification on who they were dealing with, the attribution aspect. These are the arguments that always come up as far as attribution, immediately getting that positive aspect, and the fact that it goes outside the United States. Now, extraterritorial jurisdiction aspects of life: you strike back on a box outside the United States, it's still a violation of the Computer Fraud and
Abuse Act, so it's still a crime on the aspect. Again, don't need a victim, because according to a lot of people the state's the victim. I don't need to worry about that aspect of it. Yes?

Now again, let's understand some aspects on this. No, to do all these things, the timeliness, the proportionate, reasonable use of force, all these aspects are the aspects of self-defense, self-help, in the physical world, alright? So far, doing this active response in the virtual world, again, my DOJ guys have told me I'm not aware of any cases ever being prosecuted for this, but doing it is a crime. Now I hope the videotape is still going on this one, so I started with that and can kind of go towards an end on that. Doing this, now again, the scenarios that I've used here were all things put on my machine, and they were gotten by a hacker and taken back. I mean, so again, the way computers work, you're going to say, hey, you came to me, that was consent, you consented the secure socket with my machine, so you took it back, that was on you. The problem with that, of course, is what was your intent in putting it on my machine? Was it, you know, I intend to fry your machine? For me, again, depending, you got 50 prosecutors, 50 states, with 50 US attorneys with numerous prosecutors working for them. They want to make a name for themselves on something. You know, you don't want to be in the wrong jurisdiction. You know, that's the other aspect about this. A couple aspects of things. Active response is a crime? Yes and no. Again, it depends where that line is going to come down. To you, just say what is a permissible active defense and what's not. You touched on the other aspect on that too, which was, when I go and do this, what have I just done to the law enforcement's case on this one? Are they going to be able to prosecute this guy? Doesn't make him any less, you know, less guilty. The aspect you said, if I got this correctly, you want this easy, less guilty. You know, again, no, I mean, and that's the aspect of what you have to work with, with what you want to do. And that's kind of, you know, interesting. We sit there, we talk, when we say the question becomes, do you know anybody doing this? I personally don't, but you talk to guys in InfraGard, which was set up to bring law enforcement and businesses and everything together. Ask them, do you know any financial companies doing this, any corporations doing this? I don't know the answer to that. And it goes back to what you said: doesn't make that individual any more or less guilty for hacking my box. And these are all aspects that as an administrator, or, you know, someone who's running the IT section, has to decide: what is my ultimate goal? Is it the persistent threat that I'm never going to get attribution on, because, you know, there's too many people doing it, they're coming out, you know, what is my response to that? Is it the persistent threat that maybe I can get attribution on, and I think I'm getting it, that I want to see a prosecution on? So that's how, you know, in the military, computer network defense is made up of multiple disciplines. It's kind of the same way in the private sector. I mean, in the military it's made up of system administrators, law enforcement, counterintelligence, and military operators, military operations, and they all bring their inherent authorities in to do this. Same thing in the private sector: it's made up of all those people too, and they all bring in their inherent capabilities, or lack of them, together to bear on that problem. And the decision on what you want to do, as well as things, that's worked out ahead of time. No go.

The question was, am I seeing any laws that are kind of making the progression, keeping up to date with the technology? I think that is the thing that was always said and asked. Interestingly enough, I'm going to give an answer that's not mine, because that question was asked to a DOJ attorney, and his answer on that one was, typically, no. Congress gets a bug up their butt on a specific issue and you quickly see something done about it, the CAN-SPAM Act, spyware, something
that comes up, and they immediately and very quickly rush it through. And the problem you have, probably, or one of the aspects of it is, explaining, trying to have them come up with laws and legislation that isn't going to be obsolete six months from now. And that's what they're really working very hard on, to write laws to capture an idea of the aspect of the virtual world that don't become obsolete because the technology changes. And that is a very difficult thing to do, because your people writing these laws and writing these policies, very few of them are technical. I don't mean to put in a plug for DOJ here, but the CCIPS guys, the Computer Crime and Intellectual Property Section, have a lot of really sharp guys and gals who all have the computer science, engineering undergraduate degrees. I wish I had their resumes, because they've done the engineering and the technical stuff undergrad and they've gone on and got their law degrees, so they understand it, and they're trying to help in the crafting and the writing of the legislation to kind of combat that. But you typically, in the legal field, don't see that. One of the areas that really had to develop to respond to a new invention was our tort law and our negligence and our product liability aspect, when this new really cool invention came out that had four wheels and replaced a horse, and the aspect of torts and negligence and product liability really had to grow. And again, you've got to take what was there and apply it to the car, and unfortunately that's the way the legal world works.

I have a question. Well, and you'll see, again, a lot of large articles written about applying the physical aspects to the virtual world, going back and forth, arguing you'll never be able to do it, yeah you can do it, yeah it's a hybrid. I mean, it's just, there's a lot of reading on that aspect. Alright, so say you're a vendor that provides an active response, or a library of active responses. Is there any concern about liability providing more aggressive responses, or even providing, say, an open toolbox to conduct all sorts of active or aggressive responses? Or does this sort of fall under where there's no software liability? Talking sort of third party liability: we give them the software and they blow them up. Again, if you talk about having access to more of a, they pay us, I'm sorry? More of a provided-for-a-fee service, software that's going to be used by putting it in third parties' hands to use on that. It kind of goes back to the manufacturer question of, hey, I'm the manufacturer but he's using it. Am I criminally liable for a third party's act? Typically you're on pretty safe grounds for not being liable for someone else's criminal acts from that aspect. In a civil suit, that's a whole other question of risk management, and again the first question becomes, do I have any money, would I be sued? And that's a different question, from the civil aspect of it. Yes, the intent, the aspect of what I'm writing. Microsoft writes an operating system there with vulnerabilities; they put it out there, and user agreements and all the aspects that we have out there going on for the software. You writing something with the intent that's an active response, again, the intent changes on that, and that can be one of the key linchpins on what's going on with that. Again, I assume you're a self-respecting security specialist, so your systems are going to be hardened, so anybody who gets to you and takes anything out of your system, you'll be able to stand up and say, I not only secured it as reasonably as any reasonably prudent person in the public sector would, because, judge, look at the users that we've got out there, you can't even turn your computer on, I've taken these steps to secure it even further. I think it's Miller time. Come down here for a quick question.
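The reverse DNS scenario discussed earlier turns on an enumeration tool consuming PTR answers without checking them. As an added example, not code from the talk or from the book it describes, here is the defender-side handling of such data in Python: deduplicate the answers, accept only names that satisfy hostname syntax, and never interpolate any of them into a shell command. The zone primulus.example, the IP addresses and the sample answers are all constructed.

```python
"""Treat reverse-DNS (PTR) answers as untrusted input.

Added example (not code from the talk or the book it discusses). The data
below is constructed: a handful of PTR answers for a made-up zone,
primulus.example, including duplicates and entries that are not hostnames
at all but text aimed at whatever program consumes them.
"""
import re
import shlex

# RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample PTR answers as an enumeration script might receive them.
SAMPLE_PTR_ANSWERS = [
    ("10.1.1.10", "www.primulus.example"),
    ("10.1.1.10", "www.primulus.example"),            # duplicate
    ("10.1.1.11", "mail.primulus.example"),
    ("10.1.1.12", "ns1.primulus.example"),
    ("10.1.1.12", "ns1.primulus.example"),            # duplicate
    ("10.1.1.200", "dev.primulus.example; rm -rf ~"),  # shell text in a PTR
    ("10.1.1.201", "$(id).primulus.example"),          # command substitution
    ("10.1.1.202", "a" * 70 + ".primulus.example"),    # label longer than 63
    ("10.1.1.203", "-bad.primulus.example"),           # leading hyphen
]


def is_valid_hostname(name: str) -> bool:
    """True only if every label is RFC 1123 syntax and the name is <= 253 chars.

    A trailing dot (fully qualified form) is allowed; anything containing
    whitespace, ';', '$', '(' or other non-hostname characters fails.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def triage_ptr_answers(answers):
    """Deduplicate (ip, name) pairs and split them into usable hosts and rejects.

    Returns (unique_count, valid, rejected). 'valid' maps ip -> hostname;
    'rejected' maps ip -> the raw string, kept only for reporting, never run.
    """
    unique = sorted(set(answers))
    valid, rejected = {}, {}
    for ip, name in unique:
        (valid if is_valid_hostname(name) else rejected)[ip] = name
    return len(unique), valid, rejected


def naive_command(name: str) -> str:
    """The pattern the scenario exploits: untrusted data pasted into a shell line.

    Shown for contrast only; with the ';' entry above this would become two
    commands if it were ever handed to a shell. It is never executed here.
    """
    return f"host {name}"


def safe_lookup_command(name: str) -> str:
    """Build a follow-up lookup command without giving the shell any PTR text.

    Validation comes first; quoting is a second layer in case the command is
    later passed through a shell anyway.
    """
    if not is_valid_hostname(name):
        raise ValueError(f"refusing to use untrusted PTR data: {name!r}")
    return "host " + shlex.quote(name)


if __name__ == "__main__":
    count, good, bad = triage_ptr_answers(SAMPLE_PTR_ANSWERS)
    print(f"{len(SAMPLE_PTR_ANSWERS)} answers, {count} unique, "
          f"{len(good)} usable, {len(bad)} rejected")
    for ip, name in bad.items():
        print(f"  rejected {ip}: {name!r}")
    for ip, name in good.items():
        print(f"  would run: {safe_lookup_command(name)}")
```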