Monday, September 21, 2009

Hiding Behind the Router: Not a Good Idea


I’ve recently hit a run of folks who seem to think that the router in their home network is some sort of Romulan Cloaking Device, hiding the home network from evil forces (primarily law enforcement). ’Tis a case of Alexander Pope’s “A little learning is a dang'rous thing; Drink deep, or taste not the Pierian spring.”

Here’s the scenario. Routers (like the Linksys WAP-11) basically isolate all of the computers on the LAN side from the WAN (Internet) side by hiding the local IP addresses behind the router’s single public address. It’s sort of like a phone system in which there is only one outside number but each company phone has its own extension. The router magically (sorta) keeps up with which outside call (website) is talking to which extension (computer).
So when someone on the outside tries to trace data packets to a specific computer, the router blocks access. It is trivial to find out the IP address of the router, but from outside the router it is impossible to find out the IP address of the actual computer that the data is going to.
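To make the phone-extension analogy concrete, here is a small Python model of port address translation. It is an added example, not code from the original post or from any router vendor; the `NatRouter` class, the `Packet` type and every address in it (RFC 1918 private addresses inside, RFC 5737 documentation addresses outside) are constructed for illustration. It shows why a remote server only ever records the router’s address, and why the translation table held in the router’s memory is the only thing that ties an outside connection back to an inside host.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses: RFC 5737 documentation range for the "outside" world.
ROUTER_PUBLIC_IP = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy model of port address translation: one outside number, many
    extensions. Hypothetical class, not any vendor's implementation."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # The translation table lives only in the router's memory; it is the
        # single record tying an outside connection to an inside host.
        self.table: Dict[Tuple[str, int], int] = {}      # (inside ip, port) -> public port
        self._reverse: Dict[int, Tuple[str, int]] = {}   # public port -> (inside ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet so the Internet sees the router, not the host."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            port = self._next_port
            self._next_port += 1
            self.table[key] = port
            self._reverse[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host; unsolicited traffic is dropped."""
        key = self._reverse.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        inside_ip, inside_port = key
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

    def power_cycle(self) -> None:
        """Pulling the plug empties the table: the inside/outside link is gone."""
        self.table.clear()
        self._reverse.clear()


def outside_view(packets):
    """What a remote server (or a subpoena of its logs) can record: source IPs only."""
    return sorted({p.src_ip for p in packets})


def demo():
    router = NatRouter(ROUTER_PUBLIC_IP)
    # Two inside hosts (RFC 1918 addresses) talking to the same remote server;
    # both happen to pick the same local port, which the table keys apart.
    laptop = Packet("192.168.1.10", 51000, "198.51.100.20", 80)
    desktop = Packet("192.168.1.11", 51000, "198.51.100.20", 80)
    seen = [router.outbound(laptop), router.outbound(desktop)]
    # The server answers the second connection; only the router can say whose it was.
    reply = Packet("198.51.100.20", 80, ROUTER_PUBLIC_IP, seen[1].src_port)
    delivered = router.inbound(reply)
    return seen, outside_view(seen), delivered, router


if __name__ == "__main__":
    seen, ips, delivered, router = demo()
    print("server sees:", ips)
    print("reply delivered to:", delivered.dst_ip)
    router.power_cycle()
    print("table after power cycle:", router.table)
```

Run it and the outside view lists a single address no matter how many inside hosts are talking. Calling `power_cycle()` on the model empties the table, which is the same loss of volatile state that matters once the question becomes which computer behind the router a given connection belonged to.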

So folks are blithely downloading, torrenting and LimeWiring because they know that the router is hiding the final destination of all of the illegal material.
Wrong, ever so wrong. Well, they are not wrong that the outside world can’t see the final destination, but they are dead wrong that they are safe. The courts have adopted the old Mean Joe Greene philosophy: “I just tackle the whole backfield, and throw 'em out one by one 'til I get to the quarterback.”

In U.S. v. Carter, 2008 WL 623600 (U.S. District Court – District of Nevada 2008), the court basically held that there only needed to be a “fair probability” that the illegal material was somewhere on the other side of the router, and law enforcement could then seize and search every computer connected to the router. And don’t bother hiding behind the wireless link either. U.S. v. Perez, 484 F.3d 735 (2007) shot that down.

An in-depth discussion of these cases can be found on Professor Brenner’s cyb3rcrim3 blog at http://cyb3rcrim3.blogspot.com/search?q=spoofing

So here come the rubs. Law enforcement swoops in, tackles the whole backfield and discovers illegal material on one or more computers.

Rub 1 - Who did it? We just moved from “fair probability” to “beyond reasonable doubt”. Can the material actually be traced forensically to a specific person?

Rub 2 - Did law enforcement lose exculpatory evidence? The First Responders Handbook recommends that computers be unplugged before any analysis of what’s going on in the process stack and RAM is done. This loses all of the application, process and RAM information, including whether there was a remote login (or Remote Assistance session) in progress, a Trojan running, or any of a variety of Terminate and Stay Resident evils.

Wikipedia defines the SODDI (Some Other Dude Did It) defense as a multi-person scenario in which each person could assert that someone else downloaded the illegal material. Forensically, I'm not really sure that there's enough information in the logs and other non-volatile metadata to solidly connect a user to a file without the volatile data too. I don't think this has been tested in court yet, but I’m willing to bet it’s on its way.


Notice that I haven’t really said what the illegal material is. That’s not an oversight. The illegal material I’ve heard about ranges from minor copyright infringements to serious felonies. It’s sort of funny that the type of material seems to change the downloader’s opinion of how safe they are. But that’s another BLOG.
