As you discover sensitive information by poking around, hence password, hacker, network, hacker, the correct term for this sense is cracker. Now this morning, you're going to see me using the term hacker. I personally agree with the crackers one there, but hacker or hacking was a term that was used throughout the trial, so I'm going to go ahead and stick with that. I'm going to also apologize here. I'm going to stand up and wander around a little bit, and apologize to the camera dude here, but I get somewhat passionate about this topic and I get nervous and excited and I start wandering around and I want to talk and use my hands and fling them around. So please excuse me for that. I notice a number of law enforcement slash fed types in the audience that I recognize. I welcome you folks. I want to state, almost as a caveat before I get started, that I am not anti-government. For heaven's sakes, I worked for the Air Force for 19 years, 13 of which I was involved in computer security in one way, shape or form, including my dissertation topic, which is on the subject of intrusion detection. I am, however, not convinced that the government doesn't make mistakes periodically and that they're not infallible, and that's what I'm here to talk about today, what I might refer to as a cautionary tale to both sides, because what can happen when it goes wrong? What could happen to you? We have to be aware of this situation around us here. Okay, first slide. Okay, that's the obligatory corporate slide. That's who I work for now. There was a guy who was paying my bill, a little computer security company down in San Antonio, Texas. I'm in charge of the consultants and yes, we are hiring. Okay, and never that. The case, the case I'm going to talk about was kind of an interesting one. 
This is one where it was billed as the first of its kind in the Air Force, and in fact I think it was the first of its kind in the military, because as we all know, the military, we heard yesterday in the Meet the Fed panel, sometimes the government gets hit daily by individuals trying to break into the government systems, but this was the first case where we had an individual in the government, a military member, who was accused of breaking into or attempting to break into systems that were owned by industries, other individuals, using equipment that was owned by the government. So we have a member inside the military using government resources to break into other people's computer systems. So it was the first one of its kind in that sense. He was accused of hacking, there's that term again, into at least three different companies. There are a number of other companies that they suspected, but there was really only what they referred to as evidence for potentially three of them. A possible 17-year sentence in Leavenworth. We're talking real honest-to-goodness Leavenworth time here, folks. That's including the actual jail time based on Title 18, U.S. Code 1030, you know, the whole thing, as well as other UCMJ or military justice system kind of fun stuff that the kid was facing. The evidence, what they had as evidence, you notice that's in quotation marks there, was basically two failed login attempts that tied the cadet to one of the systems. The individual attempted to gain access to two accounts which were unauthorized accounts. We'll get into that discussion in a little while, but that's what they had that showed, and they were able to trace that back to the cadet, and by the way he admitted to doing that. On day one when the OSI came in and did the investigation and the interview of him, he admitted to that. But we'll get to why in just a second. They saw a lot of Undernet activity. The kid was doing a lot of IRC stuff on the Undernet. 
That becomes real important in a few minutes; we'll see why. Eggdrop and BitchX were found on both his PC, actually references to them on his PC, as well as an ISP, one of the companies that was broken into. You'll see why that's important in a second. The cast of characters: the kid had a couple, once again I'm not anti-Air Force, anti-government, for heaven's sakes. It was the Air Force that was defending him and it was Air Force members that were on the jury. There were two prosecuting attorneys, two folks that were defending the cadet to begin with, and actually two more came in later on because he ends up firing his first set that we're going to do that to. There's a military trial, a military judge with a military jury. Okay. Nobody works in the military here. We have what we refer to as an Article 32 hearing, which is basically the military version of a grand jury. This is where the prosecution gets to present its case, basically to present the evidence that they have, and an individual who's supposed to be impartial sits there, listens to the evidence, listens to the defense explain that evidence, and decides whether there's enough evidence to forward this, or to recommend that this be forwarded, to court-martial. The Article 32 hearing, all of this by the way started, originally occurred in the fall of 1997. By the way, it is still going on. It's not over yet, so this has been dragged on for several years. The Article 32 hearing occurred in the fall of 1998. What was interesting was a day before this Article 32 hearing, there was a security briefing. Now, I got dragged into the whole trial at one point because the cadet came walking into my office. At the time, I was the deputy head of the computer science department at the Air Force Academy. I taught the operating systems course, I taught the networks course, and I taught a course that I developed in computer security and information warfare. 
A number of the cadets knew me because of that, because a lot of folks were interested in the security thing. It was the most popular elective course in the major. One of these cadets had a friend who he sent to me and said, Sir, you need to talk to this guy, he needs some help. And this cadet came up and came in the door of my office and plopped down in a chair and handed me this notebook and said, Sir, I need some help. I'm accused of working through a number of computer systems. I didn't do it. This is what they say is evidence, with a notebook full of information. And I need some help. His lawyers, his defense lawyers, had basically, no offense to them, their lawyers, but they didn't know anything about computer science. And all this IP address, MAC address stuff was just zooming over their heads. They didn't understand what was going on. And so he came in to see if I would help. I looked and started flipping through the pages of this and said, You've got to be kidding me, this is evidence? I've got more stuff on my computer, for heaven's sakes, than you had on your machine. In fact, any one of the cadets in my operating systems class had more nasty stuff on their machines than this kid did. And I'm looking at this and saying, man, if this guy is going to go to jail for this, I'm going to be able to take a look at my machine because I'm in a heap of trouble. So I went ahead and said, yes, I'd love to help you. And I called the defense, his attorneys, who said, Oh, would you be willing to help? Okay, we'll get you appointed as a defense witness, expert witness. There were a number. Oh, the security, I know they got to that point. The day before the Article 32 hearing, this is great, I love this. The Article 32 hearing was supposed to occur. There was a security briefing held in the Air Force at every base, basically where it might be considered a pretend that they had a high potential for being a target outside of the world. 
They have to have this annual briefing where the OSI comes in and they start talking about the threat and what's going on and what you have to watch out for. And I was there because I required all the cadets in my operating systems class, and the networks class, to load Linux on their machines. And it was still connected to the network. The security folks at the Academy were worried that this provided another platform, an avenue potentially for individuals to get into the Air Force Academy network. And so they were initially not going to allow me to do that and have the cadets run Linux on their systems. I said, no, they are going to run Linux on their systems. Let's figure out a way we can do this. And so the agreement that we reached was that I would have to attend all these security meetings and they would send me all the bulletins about securing Linux, and we would enforce and make sure the cadets implemented those patches or whatever needed to be done on their Linux boxes. And I was all for that anyway, because I'm trying to teach them security anyway. So that was the compromise that we reached. The day before the Article 32 hearing was supposed to occur, they had this annual briefing at the Air Force Academy where they invited all the security officers to come in, and they had a couple of OSI special agents stand up in front to give this briefing. What was interesting was they started off this briefing with, I don't know why we're standing here in front of you guys. For heaven's sakes, I was a fraud investigator for 17 years. You guys are the experts. You know, both of them commented on, you know, I've just been doing this for a year now. You guys are the experts. I'm sitting here going, these can't be the same guys. They're going to testify tomorrow. But I started taking notes of comments that they were making throughout this little security briefing. 
And sure enough, the next day when we start presenting evidence, they introduced the OSI officers, the same two officers. This case was the first one for either one of them in computer crime. One was a fraud investigator, had been for 17 years, and the other one was a fresh brand new OSI agent type individual. This was their first computer crime case. We had, from the word go, I was looking through them saying, look at the log files. The Air Force Base has this intrusion detection system that is monitored by the Information Warfare Center. This is a system called ASIM. I said, where are the ASIM logs? It's showing, you know, what's been going on here. If you're doing this stuff here, ASIM should have alerted on this. And we were told, well, you know, the murder, this is about, oh, nine months into it. I mean, it's been nine months. And nobody had even bothered to check for some of these logs, because most of them didn't know that the, in fact, I don't think anybody realized they existed, on the prosecution side or the defense. And so we were told at that point, well, you know, someone checked, there are no logs. No logs existing. I'm thinking, well, I don't know how long they keep ASIM logs, but, you know, that's a tremendous amount of information. So if they deleted after six months, it didn't surprise me. But we were being told there were no logs. But throughout the trial, miraculously, log files just magically appeared. Just periodically, generally, like the day before we were supposed to do something, you know, the prosecution would say, oh, by the way, we found something. When did you find this? Well, we had it a couple of weeks ago, but we forgot to give it to you. That occurred time and time again. It was getting to be, you know, it was past being funny. It was annoying, shall we say, at the very least. 
There were numerous mistakes that were made in the testimony by the investigator during this, which painted a picture of this individual, which I think affected the investigating officer. Now, what are the mistakes that I'm going to refer to here? Let's take a look at some of these things. These are pretty good. We have, for example, BitchX, which I mentioned before, which was used. Everybody knows what BitchX is. Everybody plays around with IRC and knows what BitchX is used for. What was it described as? A tool used by hackers to gain illegal access to computer systems.