 Good afternoon. It's nice to see everyone here. My purpose today in talking, I will not be discussing any cases that Jennifer Granick and EFF talked about earlier today, so that kind of fits in well with what they presented. My purpose today is to give you some cases and things that have happened in the law and present it from a perspective of what the judge is looking at. So I'm going to be talking about the facts that the judges are looking at in their cases and the rationale that they're coming with so you can see how they are addressing and how they are treating this technology thing that is still new to judges but old to you. It's nice to see everyone. I was having a conversation with Marcus Sachs back in DC and I said, you know, it always amazes me how many people actually come in from the technology field and want to see what's going on in the law because these packs are always talked. And it's always nice to see you people here. And then Marcus said, yeah, all the other rooms are filled up. They got to go somewhere. So I said thank you for that endorsement. I appreciate that, Marcus, on that. But what you may want to see but what the courts do see is that you are very special. In this case back in 2005, to enhance a sentence two degrees, they said that using computer skills and a nefarious method can increase your sentence by two degrees on the scale. Some of the examples they also said for people using skills to commit crimes, pilots, lawyers, and I like the demolition experts, too. So you're in good company with those folks. One aspect that just got nixed was that if you used a proxy, they were going to change the sentencing guidelines to say that is a skill requiring you to get a degree enhanced sentence out there that did get knocked down. So if you're using a proxy, that doesn't mean special skills. The agenda. A couple of cases came out before I gave my CD to DEF CON. So we're going to talk about a couple of the latest, greatest cases that came out. 
Look at some cases talking about an encrypted hard drive. Consent is always a big thing when you're doing computer investigations, destruction of evidence, revoking that consent. Some border searches. Earlier, EFF had mentioned that they wanted to do this conference on a cruise ship in international waters and thought that would be very interesting. And that'd be great for all the things you could do in international waters, not violating any crimes. The problem is when you come back, yeah, that's when the border search comes in and there's been some interesting cases going on with that. A hot topic has been cyber warfare. And I've lived that in the past, so we're going to talk about some aspects of cyber warfare and the definitions that we use when we go in there. And one of Jennifer was commenting on how she won a case and all dealt with a comma. And in the legal world, definitions and the word you choose is critical. So we're going to talk a little bit about that. Look at a cyber spy, some cases, some ex-spouses cases, putting keystroker things on there. Always give us some good cases to look at. A little bit on responsible disclosure. What makes a hacker? Hey, that was the Klexi case with the two operating systems. So we'll skip right through that. And Nimini, we'll look at some computer fraud and abuse things. And I just want to give a little bit of a tip on what I think for the future holds for both the legal world and the tech world. I am with the government, but I'm here in personal capacity. But anything I say is all personal. Any errors I make reside with me and not the government. So I got to give you my disclaimer. And one other aspect on that disclaimer. If you have a town with one attorney, an attorney can make a good living. If you have a town with two attorneys, they can make a great living. And that's kind of, we'll touch upon that a little bit later too. 
And that's because if I ask you all what 1 plus 1 is, a lot of the scientific and the math background that you'll give me, you'll say 1 being a positive number, 1 being a positive number, that's 2. If you ask a lawyer what 1 plus 1 is, they'll say, what do you want it to be? And so when you sit there and part of this telling you how judges and attorneys look at this. I worked for a judge for many years and we used to schedule our motions on Wednesday afternoon. And when we had tough cases, we'd schedule 2 for about a 6 hour period. They check in. The attorneys would tell me about their case. I had an attorney come in and give me all his facts. And I had another attorney check in giving me all his facts. I called the case and they both stood up and I was amazed. I swear I thought they were in different cases. And that's an interesting thing that you need to tuck away when you're doing this. When Jennifer was mentioning that a TRO, a temporary restraining order, was filed on a Friday afternoon after hours so no one could respond to it, that's how all temporary restraining orders are filed. You do that on purpose so that you get the injunction that you want without the other side being heard. So you need to remember these things on how this works back and forth between attorneys. Your attorney is going to take your facts and give them to the judge in the best light they can. The other side being corporate counsel or counsel that the corporation has hired are going to give the facts in the best light to the corporation. So when a corporation comes in and says, yeah, these guys are punks. And then your attorney comes in and says, excuse me, they're MIT grad students. It's very important you understand that that's how they're going to be represented. Now who looks better in that light? The guy who calls them punks aren't going to look very well at all if they're sitting there in coat and ties. They go to MIT and they've got professors backing them up. 
So that's one of the things you need to understand how you present your case to an attorney. One other aspect, I'm not your attorney. I do not provide you legal advice. So by all means, if you need an attorney, go talk to EFF. They do great work because at the end of the day it's very important. You need to understand something. Giving money and power to the government is kind of like giving whiskey and car keys to teenage boys. And so from that aspect, you need someone to keep that checks and balances that are going on there. And at the end of the day, if whatever the party may be, can't win that case, then they probably shouldn't have won that case. So they do great work and they're much needed. If you have a question, please feel free to ask it. I will try to answer it. If I mention your case, it's not on purpose. And if I forget to mention your case, sorry, get me afterwards and I'll work it in here. This area is huge. You could have a question that goes all over the place for internet and computer security law. Not everybody can know the answer. If I don't know the answer, give me your email address. I will research it and get back to you. My background, I was a legal advisor to the Army CERT for several years. Jumped over, jumped ship, so to speak, and went and was the legal advisor to the Navy CIO. Stepped up, went and became the legal advisor for the US-CERT, left out of that office. So I'm no longer an attorney with the government and that's why I can stand here in a personal capacity, but I'm still somewhere in DHS. First case, I always like to come up with a case that's got some interesting facts, and this one really just jumped out June 30th. It deals with blogging, and the case is Too Much Media versus Hale. 
Sometimes the facts are more interesting than the case, but this one was dealing with anonymity and the right to actually blog, and it did present a case of first impression for this jurisdiction, and it's about posting defamatory comments on a blog or an internet message board and whether you could protect that information or who the source was to that. In this particular case, the blogger sued for defamation. She basically is a life manager, but the case deals with too much media and they have a software product called NATS, and NATS acts as a financial connection between two websites so money can go back and forth, and there was a vulnerability in it and she found out about this. Now, the defendant operates two websites and she kept a blog and she has a private investigators license. She's a respiratory therapist but no journalistic degrees and she's not employed by any news agency and never has been paid for any publication. Again, let's look at how judges are looking at these are the facts they take into consideration for where they're going. She has a website called Pornafia. Now, at some point during her business venture she became aware of cyber flashing. Apparently it's using webcams to expose yourself in a very quick method and that goes off. She got incensed by this and started investigating this. So she was going to launch this website and collect information. She never kind of got it off the ground, but she did join a couple porn web blogs to do research and she used a headshot of herself for her avatar or another one which showed the lower half of a naked woman with her wearing spiked high heels lying on her back with her legs partially spread. Now, again, when you're a judge considering the facts that you've got to come down to to decide where you're going to fall on the law, she's trying to say, hey, I work for the newspaper industry. 
I want to use the shield law from New Jersey which has apparently a very broad shield law so I don't have to reveal my source. These are the facts the judge is looking at. So she is saying that I have responsibility to inform the public on this. Now, the shield law protects people who are engaged or employed by the news media and they do keep that kind of broad for what a news agency must be. Newspapers, magazine, press, news agencies, wire service. So it's pretty broad but the judge keeps going through the case and he says, the rate the internet's grown, you've got several universal sources of news now but we can't sit here and expand it to everybody who's got a blog. I mean, it's a digital soapbox but we're not going to take this and move it that far. You've got a private investigator's license, a degree in respiratory therapy. You're not connected with the news media at all. So having a self-titled web page does not make you basically part of the news media. So basically the court said, we're not going to let you use the shield law. You're going to have to take a deposition and you're going to have to basically tell all that's going on for that. So again, how courts look at the facts, if you're blogging out there and you're blogging as part of the computer security industry and you defame one of your colleagues, don't try to claim that you're part of the news media and informing the public because right now that's not working. Zango versus Kaspersky Lab. How many people have heard about this one? I kind of thought you would. This is an interesting case. Kaspersky was blocking through their product Zango's products coming out. It's interesting where you see where people fall down on this. EFF filed an amicus on this for Kaspersky. Interesting on that one because it blocks the Zango product. But again, it depends. 
Zango, during this case, one of the footnotes they drop in here is their FTC settlement that they had a while back, which means if you're going into this case and you've got an FTC settlement for deceptive practices for spyware, you're probably going to lose this one. And that's where it came down on this. They used the Good Samaritan Law under the CDA to say, no, no, no, you've got a lot of software vendors out there that can block malicious, spam, bad traffic, and we're going to allow that to happen. Especially they made a point that with all the companies that are going to be growing on this and the software products that are going to be going out there, we're going to allow this to stand. And so basically Kaspersky was on solid ground blocking the Zango spyware on this one. Those are two cases that recently came out. One of the cases I was waiting for for a long time was this In re Boucher case. And it started coming across the border with the laptop, which is always a bad thing. And they were directed to a secondary inspection. They opened up the laptop and started looking at it. And they came across part that was encrypted. So they asked Mr. Boucher to come over and say, could you open this section up? Which he did. That's mistake number one, is volunteering to agree to do this. And while they do this, they saw some images they thought were child pornography. So they stopped doing their search at that time, shut it down, took the computer, got the warrant. And then when they went to reopen it up again, they found out that the hard drive or that part of the hard drive was encrypted by PGP and they couldn't open it up anymore. So they asked Boucher to provide the passphrase so they could get into the encrypted hard drive. Now I had a question a couple years back here about searching for different things. And someone asked if they're searching for a hard drive on my property and I have it locked in a safe, do I have to open that up for the cops to get at? 
Now when you're searching something, you have to search those areas where it can reasonably be found. A hard drive is one of those things that's small enough that could be in a safe. And I said that's a very good question on that. Obviously if you're searching for a hard drive, you would have to open a safe. Now in the magistrate dismissed, he quashed the subpoena on the first case. And that's what we were waiting for. We were waiting for the appeal on this to come out because you knew the government was going to appeal it. And when it was quashed, that's what the judge seized on. And when the question was asked to me, I kind of missed a point on this, the question becomes, am I asking you to produce a key to the safe or am I asking you to produce the combination? And that's been one of the things that the magistrate looked at. If it's a combination that goes to your mind and that's a testimonial that he says, you know what the combination is in there, so you know what's in there. If I ask you to produce a key, which is just a physical aspect that exists, I'm really just saying, do you know a key exists? And yes, okay, that's not incriminatory. So give me the key and I'll go open it up and see what's in there. Now the magistrate kind of said the same thing on this too when he looked at it. When it got to the appellate court, they said, no, we're not asking for anything that the government doesn't already know is there. They saw two images on there that were child pornography. If there's more images on there, then are they asking for something that they already know is there, or are they not asking for something that's already there? It's an interesting question. On appeal, they said, no, no, they know it's there, so we want the unencrypted hard drive. They changed what they were asking for from the passphrase. So they know the grand jury said, now I want you to just give us the unencrypted hard drive. 
Like, that's a lot different than just getting the passphrase, because obviously to get the unencrypted hard drive, you have to know the passphrase. And so they said, you know the existence, the files are there, so you're not asking for anything new. And the other aspect is, by giving us this information, you can't authenticate that this is, these documents, or this hard drive unencrypted, is connected with you. And the government said, no, no, no, we will prove that by other evidence, so we won't use it for authentication, but we know the files are there. He already showed us and cooperated, so he should provide it. And they said, you're right. And so now the case is being appealed again by his counsel, who's doing a great job in this, and so now we have to wait to find out what the next court's going to rule on as far as whether this is going to stand or not. I don't know how this case is going to go. Both arguments are very good on this on both sides, so we're going to keep an eye on this in terms of providing an encrypted hard drive. I don't have this one in my slides. I apologize. It happened to do with a border search, and again, it dealt with a passphrase. This was an interesting case. A guy came across the border, they searched the computer, but when they turned it on, it's password protected, so he logs in so they can see everything. Now, facts get muddled because, you know, cops never lie. And so, you know, when you've got them in front of you, you're trying to figure out who's telling the truth or not, and he says, no, no, no, I didn't consent to giving them my passphrase. Cops saying, no, yeah, he did because he showed it to us. And so they looked at this from the aspect of the border search, and they said, well, it's a border search. We can do anything at the border. The government's interest, and this is the aspect, because border searches are really coming up. 
The government's interest in preventing the entry of unwanted people and effects is at its zenith at the international border. Time and time again we have stated, searches made at the border have that long right to the sovereignty being able to protect itself are reasonable simply by the virtue that they occur at the border. There's legislation pending right now to try to make it that you need a reasonable suspicion to search laptops at the border. The part on this is reasonable suspicion are non-routine searches. Just so you know, non-routine searches are body cavity searches, strip searches, X-rays of persons are all non-routine searches. I used to work at the counter drug command, and they used to do the X-rays of guys smuggling in drugs by swallowing them in balloons. So it's an interesting aspect on this. What is interesting, again, to give you how judges are thinking about this, the court is not persuaded by the defendant's contention that this is more intrusive. Incredible amounts of personal and sensitive information are already subject to scrutiny at ports of entries in people's wallets, purses, locked gloveboxes, and locked containers and luggage. People carry personal items such as social security cards, state and federal identification, medicine, and medical records. You know, again, given the size of hard drives now, I really have to disagree. This is weird because I'm usually a, I had a lot of professors that said I've never seen a bad search, and usually I'm out there on that one, but I think this whole aspect of searching hard drives is a little bit different than peeking in my wallet, especially the amount of information that I can have on there. So that's how courts are looking at your border searches. So if you are traveling internationally and coming back in and bringing those things in, they are subject to search. The question is the aspect on the Boucher case, because there's an aspect on this on contempt proceedings. 
What if he forgets the password so he can't give it to it and he's frustrated? There is a defense out there that frustration that if you can't remember something, that that is a defense to a contempt charge. That's the other aspect. This is the Webster Hubbell thing with Clinton. This is where he wouldn't produce the records until he threw them in jail for a long time until he produced it. You know, that's the aspect, and that's the other part of this case. You can either face child porn or obstruction of justice in contempt of court. You know, it's kind of like, you know, which one do I want to be a registered sex offender or do I want to hang out with Webster Hubbell at the bar in D.C., you know, and just be obstructing justice? And so that's an interesting point on that one. And the other aspect is, when I was looking at contempt of court, frustration is, hey, I forgot the password. I mean, let's be serious. You know, you get so many passwords, and we're told good security practice don't use the same password everywhere, use a different one everywhere else, and don't write it down. Judge, I was told don't use the same password, don't write it down. I got thousands of them. I forgot it. What can I do? And of course, he's going to escort me off to jail until I can remember on that. All right. So that's some bad things going on. Let's look at some fun cop cases. When cops don't have enough information to go get a search warrant, they will come and do what's called a knock and talk. This is very important for you guys because we're going to deal with scope of consent here, okay? Now, in these two cases, the cops were doing child porn investigations. You know, it's amazing how much law we get coming from child porn. And they would come and they'd do a knock and talk. Now, when they're greeted at the door, obviously being cops, they don't say, you know, hi, Mr. Richardson, hi, Mr. Parsons. Hey, we're investigating child porn. Can we come in and talk to you? 
You know, because doors are going to be slammed and off they go. They come up and they say, hey, now Richardson was interested. They came in and said, we've had some problems with credit card misappropriation going on on the internet. Can we come in and talk to you about that? Okay, mistake number one. Mr. Richardson says, sure, come on in. One other key point here. If a police officer ever comes up to you and says, hey, can I talk to you? Most of my friends who are defense lawyers say the answer to that question is no. It's not that hard. It's just just say no. This is a new mantra for you guys. Well, he comes on in and they sit down. And an interesting case, they're talking about this misuse of the credit card information and he volunteers that, well, when I was over in Germany and his wife's sitting there right next to him, we had a problem with child porn being on our computer from our credit card being used. We went and talked to the authorities over there and the FBI. Now he brings up the aspect of child pornography so we can see where the judges are going. That's not true. That's a red herring. Don't follow it. They keep talking to him about this misuse of the credit card. Keep going on that path. They'll say, can we, you know, image your hard drive and take a look at this? Mistake number two. Sure, go ahead. So they image the hard drive, leave with that, go back, file the child porn and arrest the guy. Scope of consent. If I come to your house and I say, can I get your consent to search? I'm searching for a shotgun. Yes, that's where I can't go back and look in the safe that's this big unless it's a really small shotgun. But if it's not, if it's a normal sized shotgun, I can't open that safe because I have to look in places where it can be because that's the consent that you gave me to search for. And in this case, the court said, no, you came to search for evidence of credit card or misuse of credit cards, not child porn. 
That's so far of a ruse that's outside the normal scope of things. We're going to grant his motion and dismiss the case. It was an aspect where the ICE agents in Pennsylvania, both of these cases are out of Pennsylvania, got shot down. One of the next cases in the Parsons case, they went so far as to say, you're allowed to use ruses, you're allowed to fib a little bit, but it can't be a material misrepresentation that would actually overcome the voluntariness of the consent. It makes an involuntary consent by using so much of a lie. Mitchell. Mitchell was another ICE knock and talk case. And this is one that you can tuck away on an aspect if someone comes and knocks on your door and takes your stuff. The interesting aspect of this is they came, they did knock and talks. Now this one, okay, now the ICE agents did show up and they did say, we're investigating child porn in this case. So when Mitchell says, yeah, come on in, okay, this is really a stupid guy. And so, but they did, so ICE, the agents are getting better because they said, yeah, we are investigating child porn. Invites them in, says, yeah, they got them here. They imaged a hard drive and took that with them on it. Now here's the aspect. When you seize property, and again, this was a knock and talk, so they didn't have a warrant yet. It sat three weeks, and they didn't do anything to move it forward. If you come and you seize property, you have to within the Fourth Amendment make reasonable steps to search or secure a warrant to search that property. And it sat for three weeks, and they didn't do anything, and the guy went TDY, he went to a training course for two weeks, and they said, well, couldn't someone else have done it? No, I'm the guy that does it. I'm the only one. And the judge actually vacated the case saying, you didn't use any diligence whatsoever to move this thing forward. The fact that you went on a training thing for two weeks is no excuse for it. 
Now, they did specifically say, we are going to look at cases on a case-by-case, fact-specific case. So, if they come and seize your hard drives, and they don't do anything for 21 days, don't just start waving this case, say, hey, y'all want it dismissed, come and give it back. And one other aspect I should point out, if cops show up at your door and knock and say, hi, we're here investigating child pornography, can we come in and search your computer? Now, this is something to tuck away. Say yes, because if they're looking for your hacking tools and they find them and your crimes are that, you'll be able to get out of court down the road because you'll say, hey, they were looking for a child porn judge. I said, yeah, come on in, not a problem. They didn't say anything about seizing all my zero-day exploits that I've got sitting in my box. So, just tuck that away. Very good point, very good. All right, nighting. Oh, and one other aspect. So, if they come and knock on your door on this, don't start deleting evidence. Nighting, they came, knocked on his door and said, again, we're investigating child porn and he invites them in because can we see your computers? And so, he shows them two computers, one downstairs, one upstairs. So, he goes up to the upstairs computer with them, shows it to him, turns it on. It has an automatic program that will start washing and deleting cookies and files when he turns it on. Now, I think this is a slight miscarriage of justice because the guy's consenting, he is cooperating but the fact of the matter is he's coming up some of the evidence that was actually on one of the boxes. So, it's kind of like, you know, I always had my cops, they'd come and, you know, they'd say, we want to charge this guy with a resisting arrest and you're like, why? Well, when I went to arrest him and identify myself, he ran. And you're just kind of like, what the hell did you think he was going to do? That's in your job description. 
You're supposed to go chase them. You know, there was only one time I actually didn't do that and that's when the cop was putting him in a new cop. He's putting him in the seat, he leans his head right in front of him as he's putting the seatbelt on him and the guy head butts him and knocks him out. You know, great case, but you know, the cop never put a guy in the kid without putting that arm across the throat in the next time. But this one, what did you expect him to do? And the judge elevated his sentence two degrees because it was obstruction of justice because he turned the machine on, which the cops asked him to do, and started washing a lot of the evidence. So, again, interesting things, interesting facts. Megahed, this is revoking consent. This is an interesting aspect and with computers, I've always been, I've been waiting for the case on this. The case that this falls under that they used for the precedent for this was a case where a taxpayer turned over his records to the IRS, consented to give them to him. The IRS made copies of the records and like a couple days later, the guy thought, wait a second, I just helped the case. I revoked my consent. I want my documents back. And so the court said, yeah, you've got to give him, he has an expectation of privacy, he consented to this. You've got to give him the documents back. Oh, but you don't have an expectation of privacy in the copy that you made. So we don't have to give you the copy back. And here the cops are investigating this guy for kind of terrorist things making bombs. So they had a search warrant and they got the consent to come in and search for everything that could be related to bomb making, which using the computer to do information or do research is one of those things. The dad gave consent to this. This is a third party consent. Dad's got control over a common area. You can give consent when you've got control over a common area. There's the third party consent. We talk about it a lot. 
So they take the computer. Well, they make a copy of it. They image the hard drive. And dad and son come down there and say, we want to revoke consent. We want the property back. And so the judge said, okay, you can have the property back, but you don't have an expectation of privacy in the internet history files that have already been copied and they're searching them. Now, it's not quite clear from the case when that image of the hard drive was made or whether they started searching that image of the hard drive. That's about the only area that could give you some wiggle room and saying, okay, they made the copy, but they hadn't started searching it yet, so I revoked my consent so I want it back. Those facts haven't been presented, but it's something to kind of keep an eye on. Cotterman, this is the moving, I think, of a computer. Yeah. These are the border search cases again. And the interesting aspect about this is where can you do a border search? They came across the border, went to a secondary spot, based on some information that, you know, he had had a conviction years earlier. They start searching the computer or they want to search the computer, but of course the forensic stuff isn't there at the border. So what they do is they decide to take it from Tucson, which is 170 miles away, to search the computer. And there's a difference between where can I do the border search? Well, the functional equivalent of a border can be, you know, the ports of entry or your airports where you're coming in on international travel, but the judge said, you know, no, you needed to bring the equipment from Tucson down to here. I'm not going to move the functional equivalent of a border from here up to there to do the forensic search of it. The comments on this have been, if I take your computer and you're in the holding area, how do you know where I'm looking at it? 
You know, it's an interesting aspect of you mean tell me I've got to go get the forensics and bring it down here? I mean, typically it's not at the border in a border town. It's going to be up in Tucson in a bigger area or something like that. So there's a question on that aspect, but the judge here said, no, you need a reasonable suspicion, back to that reasonable suspicion, to move the border on that. This is going to be appealed, we think, and it'll be interesting to see. I would not be surprised if a judge said, no, this is reasonable under the border standard for you to do this. You know, it's, you know, where the border's going to hit. One of the things that is in my neck of the woods and nape of the way has been this whole thing about cyber warfare. I didn't submit this year on this topic because I thought, eh, no big deal. And then in June, everybody in the world started, well, actually, thanks to July. Something early in July happened to some federal websites you may know about. And everyone started screaming, the sky's falling, the sky's falling. We're being attacked. This is one of the areas where I do get a pebble in my craw on what is an attack and what isn't an attack. To do, and cyber security, I hate the word cyber, to do computer network security and how the government does it, we're allowed, you know, to protect you'd want us to protect the network. This is a definition here in terms of what we are to protect. There's no words that say for the federal government, defend your network. There's FISMA, which gives each department and agency responsibility. DOD has a statute where they're told to do it. But for the federal government, it doesn't exist because multiple agencies and multiple authorities are used to do computer network security. For DHS, it falls on the Homeland Security Act. For each department agency under FISMA, they're supposed to defend their properties. 
And you see where the principal authority is for the Department of Homeland Security to do this. The debate becomes when, what you're dealing with. And this is where, as professionals out there, I would ask you to choose your words carefully. Again, being back to that lawyer thing about what word you choose, because when you have an event, that can determine who's supposed to be responding to this.
And what I always used to get was when my guys would come running in and they'd say, hey, one of the sensors went off, we've got porn. And you're like, surprise, surprise. Now, I mean, it never fails. The guy in the military doing porn is like the general's aide. He's right next to the flagpole. And it's his computer. It is amazing how close to the top they're at. But it's always the aide. Go figure. Now, so when it hits, now I've got to pick up my phone and I've got to call cops, because I've got an incident where I've got basically sysadmins and acceptable use policies and employers who are going to want to cover this. But I've got cops because I might have a crime. And so I pick up the phone to my cops and I say, hey, one of my sensors went off and it's porn. And they all say the exact same thing across the board. Is it child porn? I don't know. I didn't look at it. And they're like, well, go check. And you hang up the phone and you go back and you ask, hey, is it child porn? And if it's not, then cops are gone. They're not even there. And so here's the thing. What could have been an investigation is now just an employer and a system administrator acceptable use policy violation of your policies. So each incident can be one of these things. It can be have law enforcement, intelligence. So who has primary jurisdiction over what's going on is very important, whether you've got an event, incident, intrusion, or attack.
You know, these attacks that are going on, a couple years back a judge ordered the Department of Interior to disconnect from the internet because they were so hosed up and they had an Indian trust fund that they were responsible for and they were being sued and actually were told disconnect from the internet. If you're under attack and feeling so much pain, at what point are you under attack or I just have to disconnect from the internet and suffer a pain here so I can correct my own house? These are interesting things and interesting choices of words. This is one of the better law of law articles I've seen and this is the distinction which is important for the computer security field. Security, computer security for the government is done by the Department of Homeland Security. Defense is done by the Department of Defense. If you're under attack, you know, the Department of Defense and its mission is to fight and win the country's wars. Where does that fall in the cyber aspect of life? What qualifies as an attack requiring a government response as opposed to just a really big denial of service pain in my ass that I've got to fix with my sysad guys? That's where definitions come into play.
Definitions are very important. When I first got into this business, I had two peers when I first got into this business. One who gave me a lot of great knowledge and another one who basically just tried to give me a headache as fast as possible. And he said, what's the law of the internet? And I said, you know, well, you've got internet, wiretap law, so he goes, no, no, no, no. RFC. Now, being brand new and having thousands of acronyms, I had no idea what RFC was. I do now. And so I use this for my definitions from the RFC. But when you go into some other definitions, computer network attack, actions taken, disrupt, deny, degrade. Now, early in one of the talks, and I actually had to pull this out again because I like Scott Moulton, and Scott and I talked a while back.
And if you want to know what it's like to be sued and arrested, go talk to Scott. Scott got away with this. Well, it got away. At one of the EFF talks, they were talking about unauthorized access to cases and what qualifies for it. And in Scott's case, he was doing some security that he was supposed to be doing. And he was pinging a network to find out what the vulnerabilities were and what was open. And he's doing a ping flood on this one. Now, how Scott got away from this one when he got sued is the defendant agreed that the degradation on their internet was minuscule. That's kind of changed a little bit. Scott said that any diminutive part that's going on there is going to be a degradation of your services, so we're going to say that that's unauthorized access. Scott actually won because he said, well, there was no degrading of it because he was doing his ping flood here. He said there was no degrading, so we're going to dismiss the case, and Scott won this case on this. But he did end up getting arrested and having that fun stuff. So it's Scott Moulton versus VC3. It's not that hard to find on it.
Well, is a denial of service an attack? Well, if it's an attack, then computer security, homeland security is over. It's called DOD. It's like, okay, my Miami beach home is being overrun by a bunch of bohemian hordes coming over here. I'd like to call a small surgical strike in to take care of this little Marine Corps. Can you help me? So you mean to tell me when you've got a denial of service going on, you're going to pick up the phone and say, well, it looks like a cyber attack. Come take care of it. That's not actually the direction we go. And these things are being debated on who's supposed to be doing it and where.
One of the aspects that I find going on now that I've also seen is this hyperbole of a cyber attack. There are a lot of articles out there about who can bring down the network.
And you look at, let's see, what you guys are included in the conversation, organized crime's included in it, terrorists, and nation states. Then you look at who would want to do this. All right? Well, you guys could do it, and you may want to do it, but if you do, like all your colleagues are going to get really pissed because they're not going to have internet access anymore. And do you really want that unwanted attention for it? Well, we'll get it a little bit into responsible disclosure, but do you want that much attention? Organized crime. They're making money on this thing. It's just passed the counter-drug trade as the most profitable business in the world. By the way, I used to work for DOD counter-drugs, and then I worked for DOD in Army Security, Computer Security. I think the problem might be me. So if I go work someplace else, find out what that is, because that might become profitable, might be the next step. So crime folks aren't going to do it. And so what you're really looking at is a nation state, but again, this thing is like nuclear weapons. I mean, if I use one, I'm going to screw it up for everybody else. So you've got to use it sparingly when you're going to be doing that.
This was an interesting article that came out talking about the 10 things you don't know about cyber warfare. The one, and there's been a huge, huge conversation between private sector and public sector saying, look, this hasn't been defined. We have not set up what the rules of engagement are. We want to be included when we set these things up. And I have to kind of back up and say, no, there's been a lot of research and things written on this. The nice aspect of this that I always liked was when private networks are hit, DOD will assume control. I'm sorry, but this goes back to the 1934 telecommunications law for basically when the president's going to invoke, things are so hosed up, he's got to take them on for a national vital interest.
So the law goes way back there, and that's where it's going to go, but it's going to have to come from the top on down from that aspect. Back to my point of the fact that there's been a lot of legal research done on this, the use of force, different aspects on this. There's recently been blogs on it. Well, wait a second. If I'm a private company and I know this is going on, and I block that traffic, can I do it? And there's law of neutrality, law of neutrality for states. Once again, my first slide I said, Internet security law is all over the place. It's very wide. Well, yeah, so is this area, and there's a lot of research that basically hits all these areas when you're talking about it. So my point on this is, if you're calling it cyber warfare, if you think you're cyber warriors or warriors, DOD is cyber warriors, so I don't think you want to be grouped into that. I mean, so you guys go off and find the group you want to do for that, but that's the aspect on this, is who is in charge and who's doing what when you're getting to this level of an attack.
Yes, sir?
Yes, sir. We see as a U.S. Cyber Command, and the word cyber space, for better or worse, working its way through the nomenclature and maybe into the statutes. My question is, it's being treated as a war-fighting domain. For better or worse, it's being treated as a war-fighting domain, and the Marines you call are going to say, this is a war-fighting domain. So my question is, it's this, why shouldn't the crime-fighting versus war-fighting puzzle that you're talking about be solved the same way as it is in land, air, space, sea, under space, and in planetary space. It's a war-fighting domain. I'm not presuming an answer, but I'm saying some Marine is going to say that to you. That's the question.
Well, interesting aspect, and I heard it shouted out over here, posse comitatus. When you go, let's see, well, you don't even hear that word in law school.
When you go to the JAG school and become a young military lawyer, you go in and learn military law in a wonderful, I think mine was a 10-week course, fortunately they've expanded it more. And in that course, they teach you the word posse comitatus, to which someone will always reply, are you calling me a pussy communist? And when you get that guy to sit down, you say, no, posse comitatus. And it's using the military to do a law enforcement function. And as you're going through the JAG school for that first time, they tell you, don't worry about it. You're never going to use this. You're never going to have to be worried about it, because there's just very fine people, finite people who are going to have to deal with that. So on my second tour, I found myself at the counter-drug command, which I'm very proud of now at the JAG school, when they put up the two examples of violations of posse comitatus with a counter-drug command where I was at, and I actually got to investigate those things because we had some guys who thought they were cops and it went out a little too far.
Balancing cybercrime, this is the aspect of what do you have? Event, incident, intrusion, or attack. Who has primary jurisdiction over this? Who's going to come in? And you know something, sometimes those even conflict where every time we had a hit where the cop said, it's a crime, I have jurisdiction, and you have the intelligence community saying, no, it's a foreign IP address. I have jurisdiction because it's foreign. And you got cops going, excuse me? Do you really think just because it's a foreign IP address that it didn't start here somewhere, which was the famous case where they thought it was in Israel and actually turned out to be in two teenage kids, I think it's in Montana if I remember correctly.
And so from that aspect, getting all these people to work together in terms of what it is between being law enforcement, intelligence, or military is a challenging thing that we're working on right now. Yes, you have a cyber command being stood up under DOD. The aspect of that is to get things a little more organized from the military's point of view on that. Who gets primary jurisdiction on that? Again, it is very fact specific on what was hit, what was targeted, what was the effect, and what was the exploit. So there are some aspects of talking in those wonderful closed rooms to say, where do we think this is going to go and who has primary jurisdiction and who has an investigation opened up on it already.
FTC versus CyberSpy. This caught my eye for a reason going back to what was called the Sony case. When Sony first came out with their video recorders, they came out with a fine distinction to let these things go forward where if it's got a legitimate use, then we're going to let these things go forward and be products on this. On this one, you could argue they had spy, well, I'm sorry, that was the wrong word, remote spy, they had monitoring software that you could put on a computer to surreptitiously monitor the computer. And they got an injunction from the FTC to stop selling it because, well, basically they were marketing it from the aspect of, hey, get this and you can put it on a computer and no one will know it's there. Which is a little different than the way a lot of the other companies monitor their parental controls and the different products that are available for that. So from that aspect, in a temporary restraining order, CyberSpy went for a motion for summary judgment saying, hey, this is a crap judge, we have a legitimate purpose. You got to dismiss it and he denied it. So you've got the TRO going on.
So we're keeping an eye on this litigation and it didn't help that these guys, again, were in front of the FTC earlier solving some of their problems that they had going on.
I saw the 10 minutes, so I want to go through a couple things here. I think I'm into my, yeah, this is my cases and marriage cases. A lawyer's ex-wife installed, basically, a keystroke logger onto his computer, sending the virus there to do it. And the question becomes, is this a violation of the wiretap law or the Stored Communications Act or Computer Fraud and Abuse Act? So this is very important. When you go and put your keystroke logging on someone else's machine so you can, you know, steal passwords and things like that, there's not a wiretap problem right here if it's not contemporaneous with the transmission of it. And that's the big thing for this aspect of it has to be contemporaneous and in transit while I'm stealing it. If it's just on the box and the computer there, they held that wasn't a violation of the Wiretap Act. The Computer Fraud and Abuse Act did survive and it did move forward on that.
Other interesting aspects that we're seeing noted on this one are these cases that are not so much computer crime cases, but the research and the things that they're doing. Wendy May Davis basically killed her husband and she did some Google searches that might kind of give it away. One of the Google searches was decomposition of body in water. So they found that out and on that, Lee David Harbert, basically let's see, his searches were Autoglass Las Vegas, Auto Parts, Hit and Run, Reporting for Insurance Purposes. He did a hit and run, nailed somebody and killed them and by searching his computer and his Google searches they found him out. Justin Barber might be my favorite. His Google searches dealt with trauma cases, gunshot, right chest and Florida divorce.
I mean, the guy like, you know, walked his wife down to the beach, violent, violent aspect of blunt instrument, drowning in the water and then took a gun and shot himself in the right chest and stumbled up to cops to try to get away with this. An interesting aspect.
Responsible disclosure is always an interesting aspect. I get an extra five minutes. Alright. I'm going to go... Ah, okay, no, I'm just kidding. I want to talk about responsible disclosure. I know EFF really hammers away on this and I just want to point it out from this aspect. They put up a slide they're saying about, you know, if you're getting into this, what are you getting involved in so you know it's tedious, it is grueling and nobody enjoys it. That's not really true. Attorneys live for this stuff. I mean, they're enjoying it. They're talking about my two attorneys in the town thing and again, when you're going to do this, you've got to think what your motive is for doing this. Now, again, my first rule, I hated the movie, what was it, did you say I can't remember it? Tom Cruise, A Few Good Men. I hated it when it first came out because I was a JAG at the time. You know, you sit there, whenever there's a movie, like you guys probably do with hacker movies, you sit there and you analyze everything that goes on in the movie to point out what's wrong. And so we did the same thing in A Few Good Men. Except for one, well, then you find out there's several things that are really accurate. Like when he's telling the guy, look, it's two years, it's six months, it's a hockey season and you're out, and I actually had to use that same thing on a guy who was accused of rape in Germany and he was going to go away for 25 years and I said, it's eight years. You'll see your daughter's third birthday. And the one thing in that movie that's really accurate is when he goes in the courtroom and he's leaving and he goes, oh, so this is what a courtroom looks like? You know, that's true.
You never want to see the inside of a courtroom. Never. So when you're going to do this and you've got a responsible disclosure aspect of life there, that's one of the things you've got to think about. What am I going to give up if I do this? I mean, you know, the case I got here, Dr. Meunier, Purdue, he taught computer science. One of his students reported a web flaw in one of the applications on the physics department. He reported it. Two months later, the place was hacked and cops came knocking on his door to say who was that student, and he's sitting there thinking, I don't want to name who this was, responsible disclosure on this, and so when he refused, the cops basically do what cops do. They started pushing him and you want me to get a court order? You want me to take you into court? You want me to get you arrested? So you've got to think when you get into this, what you're willing to give up and what you're willing to get in return and how important is this?
I know Juniper pulled a presentation this year that dealt with ATMs from that aspect. We all know about Michael Lynn. You know, beforehand, Apple was getting nailed because they weren't fixing some problems with Java. So the aspect becomes why am I doing this? Why should I do it? There's different things for researchers and employees that you've heard. Employees, you do have an aspect where you could be revealing trade secrets or theft of trade secrets. You could be exceeding your authority facing a Computer Fraud and Abuse Act aspect. Researchers, depending how you're doing your work, you're going to be looking at the Digital Millennium Copyright Act, things of that nature. So I will agree with the first thing that they said, if you're in this line of work and you're doing this. The one thing I've always said in this field is that you need to take the technology and explain it to your attorney at a third grade level.
Because he's going to take that and he's going to explain it to a judge or a jury at a first grade level. Now, it sounds silly. It gets a little laugh, but the aspect of this is it has got to be dumbed down so a judge or a jury can understand it. And that's why you've got to get your attorney involved early. Educate them. Tell them at the third grade level, but then educate them on what's going on, why it's important, why when I change that zero to a one, it changes from a normal honey pot to a fully operating honey pot. There are different aspects where I'm trapping everything. Where now I've got a wiretap issue going on, as opposed to maybe just, you know, capturing some information that's not in transit here and there. It's very important to be clear what you're telling your attorneys for that so they can tell people.
Calixte, they went over this. You got some laughs from this one. Calixte was the case that they handled up in Boston where the kid had two operating systems and he was a hacker. So go figure. If you missed it, like I said, there's a first presentation on that one. A kid got complained on by his roommate and they went and seized all his equipment. Again, this is where bad facts end up with bad things. This is where the cops who actually executed the search warrant probably should be facing some liability on this one. Now you get the government immunity and good faith when you rely on a warrant, but when you're still outside the scope of what your employment should be, you can actually find, get personal liability. Now cops have, all the associations they belong to, they have insurance so when this happens to them, they have an attorney that is hired for them, but the aspect on this is cops do face the liability if they act really outside the scope of the warrant.
Side note, there's a great case that came out where cops were executing a warrant. It was like six months later. It had to do with a drug case and so they went to the address and in the warrant it specified they were looking for four African-American males. They kicked down the door, they go in and there's a couple in bed and they order them out of the bed with guns drawn and the guy says, we can't, we're naked, and the cop screams like a cop would do, get out of bed, and the wife and the guy get out of bed. They're not African-American, they're white, and so they order them out of bed and the guy keeps pleading, can my wife at least get a robe, and he says, yeah, go get the robe. So after keeping them there they finally let him get dressed and they go in there, they do the search and obviously what happens is the four guys they were looking for had moved out four months earlier. I mean, the warrant was that stale on it, and of course these two people turn around and sue the cops and the cops won. It was a good faith basis that they had on a warrant. They went in there, it doesn't necessarily when you're dealing with drug cases mean that you're going to find anything, something dangerous could have been under the bed, so when you're talking about getting outside that cop aspect of things it does get a little hard to get out of there.
One thing to point away on this: this is Gutman versus Klein.
This was a very litigious case. It had been in five years earlier, there had been some orders of preservation of evidence, and finally when the defendant, I'm sorry, when the plaintiff got the defendant's laptop, he thought it had been tampered with and they hired a court forensics expert to look at it. And he came in and said, yeah, judge, basically point blank, this thing, not only were files deleted but they actually went back in and then changed the time stamps on it to say when the files were actually there or deleted. And it was a pretty, pretty harsh case, and the judge has to figure out what to do when you're spoiling evidence, and there's sanctions you can give to the attorneys, you can get attorney fees, things of that. This was so bad the judge actually gave them a default judgment, meaning when the plaintiff came in and said, I'm suing him for whatever dollars, the judge says, yeah, you're entitled to it. It was that bad of a case. Again, aspects of where forensics are coming in, very important.
Computer Fraud and Abuse Act, cases have been used to basically say when you're leaving a company and you take information from the computers you've exceeded your access and your authority based on an agency law relationship. We're seeing basically the cases swinging the other way, where courts are just saying, you know something, under an agency theory we're not going to let you use the Computer Fraud and Abuse Act for this anymore.
Independent News goes back to the blogging aspect. If you're a blogger, kind of try this one, is in the materials on the CD that I gave you there. It gives you the five things to look for to determine if you're going to get protection or not in a defamation case or if they're going to let somebody who's got a screen name actually find out who the heck you are behind that screen name.
Contact information, if you have any questions please feel free to contact me. You know, it's a DHC, don't hack it. That's why I didn't give you mine. So by all means, I hope you enjoyed it. If you have any questions, we're going to 104 I guess on that. Thank you very much.