Tuesday, July 31, 2012

Fourth Circuit adopts narrow reading of the CFAA

We have discussed previously the tension between a wide and a narrow reading of the CFAA - see Jeffrey's original take on Nosal, "Ninth Circuit en banc adopts narrow reading of CFAA," and my analysis of the dissent, "Why Nosal's dissent is surprisingly persuasive."

Well, the Fourth Circuit has sided with the "narrow" camp, in WEC Carolina Energy Solutions v. Miller. Not surprisingly, it is another case of employee disloyalty dressed up as a federal hacking violation. Essentially, Miller (or his assistant) downloaded documents while he was still employed and authorized to access that information, and then, twenty days after his resignation, used allegedly proprietary information from those documents in a presentation to customers on behalf of his new employer (a competitor of WEC). WEC eventually lost the contract and sued under the CFAA, alleging that the downloading of the documents violated the CFAA because "'[u]nder WEC's policies they were not permitted to download confidential and proprietary information to a personal computer.' Thus, by doing so, they 'breache[d] their fiduciary duties to WEC' and via that breach, they either (1) lost all authorization to access the confidential information or (2) exceeded their authorization."

The court reviewed the panel decision in Nosal (which was later overturned en banc) and candidly called its interpretation of the CFAA a "non sequitur." Recall that the Nosal panel's reading would essentially criminalize employee violations of acceptable use policies. And let's not forget what the fight is really over: the plain text of the CFAA, which defines "exceeds authorized access," in pertinent part, as:

to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.

The key word is "so." Nosal defined "so" as "in that manner." The Fourth Circuit responded:

To us, defining "so" as "in that manner" only elucidates our earlier conclusion that "exceeds authorized access" refers to obtaining or altering information beyond the limits of the employee's authorized access. It does not address the use of information after access. Indeed, the Ninth Circuit indicated as much in its en banc reversal, when it declined to hold that the interpretation of "so" as "in that manner" necessarily means employees can be liable for use-policy violations.  
The Fourth Circuit thus rejected the wide interpretation of "so," and applying the rule of lenity, held that "Congress has not clearly criminalized obtaining or altering information 'in a manner' that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter."

The court went on to reject the Seventh Circuit's "cessation-of-agency" theory from Citrin as well, finding that interpretation deficient because:

Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer's use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer's computer systems.
The Fourth Circuit stated that in drafting the CFAA, Congress did not intend to legislate on the agency relationship and did not intend "the imposition of criminal penalties for such a frolic."

As Orin Kerr reported on the Volokh Conspiracy, subsequent to this decision the DOJ asked for an extension of time to file the petition for certiorari for the Nosal decision. That seems like a no-brainer to me. The government will need to craft an argument to sidestep this landmine, and I'm not sure they'll be able to do it.

I am highly persuaded by Judge Floyd's reasoning, and I absolutely agree that Congress never intended any interaction between agency theory and the CFAA. I agree because any other interpretation is illogical. Congress was legislating against computer intrusions (a.k.a. hacking) in 1986 (26 years ago), and its intent in enacting the statute is borne out by the record; it is further clarified when one considers documents such as the Hacker Manifesto (published Jan. 1986), which was all about breaking into systems, not use violations. Recall 1986 technology:

1986 wasn't the land of the "internets," the Googlemaker, or the MyFaceTube - it was a completely different technological landscape. Which just reinforces a point I keep making - that the CFAA is anachronistic and should be revised; however, until it is, it should not be used as the sword of enforcement for violations of every and any use policy an entity can dream up. Such an interpretation is not borne out by the text, the history, or the intent, nor does it comport with the real function the law was enacted to serve.

Minnesota district court holds defendant does not have standing to challenge GPS use

In United States v. Barraza-Maldonado, 2012 U.S. Dist. LEXIS 99992 (D. Minn. 2012), the district court ruled that evidence acquired through the use of a GPS device should not be suppressed because the defendant lacked standing: he had no property interest in the vehicle that was tracked.

Following an order from a magistrate judge, the defendant argued that the GPS evidence should be suppressed. However, the court found that for the use to have been unconstitutional under Jones, he would have "to be able to maintain an action for trespass," which requires a property interest in the vehicle. Here's the Jones test as the district court interprets it:
When the government installs a GPS device (or similar device) on a piece of property before the defendant has any legal interest in the property, the installation of the device is not a trespass on the property of the defendant and therefore is not a search of the defendant for purposes of the trespassory test. (It may, of course, be a trespass on the property — and therefore a search — of someone else.) Moreover, when a defendant takes possession of a piece of property on which a GPS device has already been installed, the continued monitoring of that device is also not a trespass on the property of the defendant, and therefore is not a search of the defendant for purposes of the trespassory test. But the continued monitoring of the device may (or may not) be a search of the defendant under the reasonable-expectation-of-privacy test. That would depend on the facts of the case.
Because the defendant had no property interest in the car, the tracking was not a search of him under either the Jones trespass test or the reasonable-expectation-of-privacy test: he was not the owner, and his possession was "temporary and non-exclusive." Further, because the tracking occurred in the Eighth Circuit, which had binding precedent permitting warrantless GPS use, the Davis good faith exception would save the evidence from suppression in any event.

Monday, July 30, 2012

Tennessee district court awards man $20,000 in wiretap violation suit against his ex-wife

In November, I wrote a post about the Tennessee case of Klumb v. Goan, involving a man suing his ex-wife under the federal Wiretap Act after she installed spyware on his computers. Last week, a federal district court ruled in favor of the husband, awarding him $10,000 in statutory damages and $10,000 in punitive damages. Klumb v. Goan, 2012 U.S. Dist. LEXIS 100836 (E.D. Tenn. 2012).

Prior to the marriage, the soon-to-be wife purchased eBlaster, a common spyware application. The program records all keystrokes and websites visited, takes screenshots, and sends all of that data to a designated e-mail address. It also intercepts all incoming e-mails and forwards them to the designated e-mail address. Shortly after the marriage began, the wife installed eBlaster on the husband's work computer.

Some time later, while the husband was in rehab, the office administrator discovered what the wife had done when the wife attempted to print an e-mail she had intercepted using eBlaster. When the husband returned from rehab, the administrator notified him about the software and the wife's attempt to print the e-mail. (Via a subpoena duces tecum, the husband later received a copy of all eBlaster reports the wife had received.)

The couple separated, and it was then that the husband discovered that the couple's prenup (designed to protect his interest in the family business), which had been drafted by the wife (an attorney), differed between copies: her copy contained a clause rendering the agreement null and void in the event of adultery, while his copy - the one they had gone through line by line - did not.

While going through the e-mails on the computer and comparing them to those intercepted by the wife, it was determined that several of them existed in multiple versions. Ultimately, the court held that the evidence showed the wife had modified the e-mails to add language making it appear that he was having an affair. It was also discovered that a document the wife sought to enter as a modification to the prenup (giving her 75% of the assets in the event of the husband's infidelity) also existed in two versions: after the husband signed one, she inserted a substitute page containing the infidelity clause without his knowledge.

At trial, the wife argued that no wiretap had occurred because eBlaster did not "intercept" the communications. However, the court applied the "router switching analysis," finding that "a wiretap occurs when spyware automatically routes a copy of an email, which is sent through the internet, back through the internet to a third party's email address when the intended recipient opens the email for the first time." The court found "ample evidence" to show that a wiretap had occurred.

The wife also argued that she had consent because (1) the couple had agreed to monitor their son's computer usage, and (2) the software would prevent the leak of trade secrets to competitors. The court rejected this argument for multiple reasons, including the fact that when the husband learned of the eBlaster usage and confronted his wife, she denied any knowledge of the software's existence.

As such, the court ordered statutory damages of $10,000, punitive damages of $10,000, and attorney's fees and costs.

Friday, July 27, 2012

Fifth Circuit reverses CP sentencing enhancement due to government's failure to prove "relevant conduct"

The Fifth Circuit vacated a sentence and remanded because of an enhancement based on the possession of 277 images of child pornography: the defendant had been convicted of distribution, and no evidence was presented that the additional images were "relevant conduct" under the guidelines. United States v. Teuschler, 2012 U.S. App. LEXIS 15284 (5th Cir. 2012).

The defendant had communicated with what he thought was a 13-year-old girl in an Internet chatroom, though in reality it was a police officer. Ultimately, he sent images of adult and child pornography, leading to his arrest and guilty plea to distribution of child pornography. At sentencing, three levels were added because a total of 277 images of child pornography were found on his computer.

On appeal, the defendant argued that the images found on his computer (other than the nine he transmitted) were not "relevant conduct" under the federal sentencing guidelines. The government countered that the images were "part of a 'common scheme or plan'" because the defendant's inventory of images could all be used to entice children and were "relevant conduct to the crime of distribution." The Fifth Circuit agreed with the defendant as there was no evidence of an ongoing scheme or that the images were possessed at the time of the act for which he was charged.

Thursday, July 26, 2012

Pennsylvania district court suppresses GPS evidence

I won't continue to belabor the details of these cases unnecessarily, but in United States v. Ortiz, 2012 U.S. Dist. LEXIS 101245 (E.D. Pa. 2012), the district court held that warrantless pre-Jones GPS tracking violated the Fourth Amendment and that the resulting evidence does not fall under the Davis good faith rule.

Law enforcement used two GPS devices in the investigation - one for about a month and the second for two weeks. The second device led to the discovery of $2.3 million in suspected drug money.

UPDATE: Professor Orin Kerr has written about Ortiz on Volokh Conspiracy, discussing how judges should draft warrants to ensure compliance with the Fourth Amendment.

Wednesday, July 25, 2012

District court to consider whether reasonable suspicion makes GPS use reasonable

In a pending case before a federal district court in Missouri, the government is arguing that use of GPS without a warrant was not unreasonable because officers had reasonable suspicion. In Jones, the Supreme Court decided when GPS use is a search but did not consider when it is reasonable. Here's the language from the magistrate's order (available here):
From this information, the undersigned concludes that the investigating agents had a reasonable suspicion that defendant Robinson had previously engaged in and was currently engaging in criminal activity. The agents believed that tracking the movements of defendant’s vehicle would enable them to confirm or dispel their suspicion. By tracking defendant’s vehicle, the agents would be able to observe defendant’s daily pattern accurately and cost-effectively.  
Therefore, the agents did not need to obtain a judicial warrant prior to installing the GPS tracker device on defendant’s vehicle and using the device to monitor the vehicle’s movements. The evidence obtained from the GPS tracker device should not be suppressed for lack of reasonable suspicion.
The ACLU has filed an amicus brief before the district court arguing "that warrantless searches are presumptively unreasonable" and the GPS evidence should be suppressed.

Monday, July 23, 2012

The End of DarkComet RAT - Part 3: Could the creators of RATs (or similar software analogues) be prosecuted (law)

And now, on to the finale - could DarkCoderSc be prosecuted for creating, supporting, and distributing the DarkComet RAT?

NO (in the United States)

First, DarkComet RAT can be easily distinguished from Mariposa and Blackshades, on the following grounds:

1. DarkCoderSc never sold what he made - there was no profit motive, and thus one could argue, no intent to defraud.

2. As far as I know, DarkCoderSc was never affiliated with any illicit group as the Blackshades RAT creator was - which would make that person liable for numerous charges, not the least of which would be conspiracy under the CFAA.

3. At least as compared with Mariposa, DarkComet RAT had legitimate uses. You could use it for remote administration, to monitor your kids, and for other legitimate purposes not otherwise specified. On the other hand, it is hard to argue legitimate uses for a botnet such as Mariposa.

Second, as many readers have pointed out, there is the "what about Metasploit and Backtrack argument." Namely, those two tools, combined, have probably pwned more computers than DarkComet RAT, yet the creators of those tools (who do have a profit motive) are not prosecuted for such activity. Circumventing these types of arguments would be a prosecutor's nightmare; I would love anyone's possible argument around those, or a different way to distinguish DarkComet/DarkCoderSc.

As I mentioned in the previous post, an interesting argument could be made along the lines of MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005) - specifically, that a tool with no legitimate legal uses could be a violation of XXX law. I say XXX law because Grokster was a copyright case decided under a judicially created standard of secondary (contributory) infringement, not under a statute written for this purpose. However, as stated above, while this sort of law might be used to prosecute other software creators, DarkComet has legitimate uses (see above), so even this law would be ineffective against it. But is law XXX, making it illegal to create illicit hacking tools, off the table? I don't think it should be.

In fact, it is the law in other countries - Germany's "Anti-Hacking Law," Section 202c of the StGB, states that "[w]hosoever prepares the commission of an offence under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible… (2) software for the purpose of the commission of such an offence" is subject to imprisonment of up to one year. See this document describing the law a little further, with recommendations for security professionals. As the article states, the regular use of penetration testing tools does not fall within the ambit of the law, as long as the purpose is legal and everything is above board. The law is aimed at tools that are developed for, or aimed at, perpetrating cybercrime.

Such a law for the United States, to return to a normative argument for a second, should be considered. It would immunize Metasploit, Backtrack, etc., but go after those who create the software solely for criminal intentions.

To see the earlier parts of this series follow the links below:

The End of DarkComet RAT - Part 1: The Introduction
The End of DarkComet RAT - Part 1: The Introduction - Update
The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)
The End of DarkComet RAT - More Technical Details

Facebook attempts to identify sex predators' actions, cyberbullying

A recent Reuters article discusses what little is known of a Facebook attempt to identify sex predators on the social networking site. The program screens for inappropriate language and exchanges and flags certain conversations for review. Upon finding an inappropriate conversation, Facebook notifies law enforcement. The article details how other companies handle the issue and what other options exist.

Facebook has also modified their "report" option to help teens report cyberbullying. Users ages 13 and 14 can now click "This post is a problem," and according to CNN, a child will then
go through a series of casually worded questions to determine what kind of issue he's having and how serious it is. There's even a grid for ranking his emotions. 
Once he finishes the questions, a list of suggested actions is generated based on how pressing his complaint is. If the boy is more annoyed than fearful, he might choose to send a pre-written message to the other person saying that the post makes him uncomfortable. If he is afraid, he will be prompted to get help from a trusted friend or adult. There are links to catch anyone who may be feeling suicidal and direct them to professionals and Facebook's own suicide chat hotline.

Sunday, July 22, 2012

Cybercrime Review will be onsite at Defcon 20, Blackhat, and BSides LV

I will be out in Las Vegas next week for the trifecta of Defcon, Blackhat, and BSides. I hope to do some reporting from there if any of the presentations have a good legal or criminal flavor. Feel free to send messages to me at @cybercrimerev while I am there.

For a look at the respective conferences, see:

Defcon 20

Blackhat USA 2012

BSides Las Vegas 2012

Friday, July 20, 2012

Google Play app containing malware may have been downloaded 100,000 times

Symantec blogger Irfan Asrar has found malware in the Google Play market known as Android.Dropdialer that sends text messages to premium-rate numbers, resulting in expensive charges on the user's phone bill. The malware, hidden in downloads entitled "Super Mario Bros." and "GTA 3 Moscow City," was available for download for over two weeks and may have been downloaded nearly 100,000 times.

Google attempts to scan all apps in the market for malware, but, as here, some apps fall through the cracks when the package submitted to Google Play is itself clean and the harmful code is downloaded by the app only after installation (full process explained here).

Here are a few tips to follow to help ensure you avoid malware:
  1. Read online reviews. Most malware will not function as a normal app.
  2. Never download apps outside of the market for your phone.
  3. Check out the publisher to see what other apps they offer. Research the company to be sure it is the actual developer (some malware will have the same name but be listed under a different publisher).
  4. Review permissions that the app requires. Games, for example, do not need access to make phone calls or see your contacts.
  5. Get antivirus protection for your phone.
Trend Micro predicts an epidemic of Android malware by the end of 2012.
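Tip 4 above is the one a user (or an app-store reviewer) can actually mechanize: compare what an app asks for against what an app of its kind plausibly needs. The script below is an added example for this post, not code from the page, from Symantec, or from Google. It parses a decoded AndroidManifest.xml (decoding the binary manifest with a tool such as apktool or aapt is outside the snippet) and flags high-risk permissions that a game has no business requesting; the risk table, the per-category expectations, and the sample manifest are all constructed for illustration.

```python
"""Flag Android permission requests that do not fit an app's category.

Added example; not code from the original post. Input is a decoded
AndroidManifest.xml as a string. The permission/category tables and the
sample manifest below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree's {namespace}attr form

# Permissions that let an app run up the user's bill or harvest data.
# Premium-rate SMS fraud of the kind described in the post needs SEND_SMS;
# RECEIVE_SMS lets the app swallow the carrier's confirmation replies.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can text premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept or suppress carrier replies",
    "android.permission.READ_SMS": "can read stored messages",
    "android.permission.CALL_PHONE": "can place calls without the dialer UI",
    "android.permission.READ_CONTACTS": "can harvest the address book",
}

# What an app of a given kind plausibly needs (constructed policy table).
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE",
             "android.permission.ACCESS_NETWORK_STATE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.attrib[NAME_ATTR]
            for el in root.iter("uses-permission") if NAME_ATTR in el.attrib}


def audit(manifest_xml: str, category: str) -> list:
    """List (permission, reason) pairs for high-risk permissions the category does not justify."""
    perms = requested_permissions(manifest_xml)
    expected = EXPECTED.get(category, set())
    return sorted((p, HIGH_RISK[p]) for p in perms
                  if p in HIGH_RISK and p not in expected)


# Constructed manifest for a "game" that also wants SMS and call permissions.
SAMPLE_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.supergame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Super Game"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_GAME_MANIFEST, "game"):
        print(f"SUSPICIOUS {perm}: {why}")
```

Run against the sample, the audit reports SEND_SMS, RECEIVE_SMS and CALL_PHONE for a game, while the same manifest audited as a "messaging" app flags only CALL_PHONE. The check is only as good as the category table, and, as the post notes, a dropper that fetches its payload after installation may show a clean manifest; the payload it later asks the user to install is what needs the same scrutiny.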

Thursday, July 19, 2012

Scholars debate Fourth Amendment doctrine after Jones

At this year's Privacy Law Scholars Conference, a panel presented their views on Jones's transformation of Fourth Amendment doctrine. Each panel member submitted a proposal as part of a competition won by Professor Susan Freiwald.

All proposals are available on the USvJones.com website. Hat tip to Professor Orin Kerr (a participant in the panel) for posting the video on Volokh Conspiracy.

District court okays warrantless pre-Jones GPS use, holds that good faith rule doesn't require binding precedent

A Massachusetts district court judge has held that evidence acquired as the result of GPS use before Jones is not subject to suppression because law enforcement acted in good faith, pursuant to nonbinding precedent. United States v. Baez, 2012 U.S. Dist. LEXIS 97969 (D. Mass. 2012). In 2010, law enforcement suspected the defendant of having committed arson and placed a GPS device on his car. The device was active for 347 days. He was later arrested after another fire and sought suppression at trial.

The district court found that "the warrantless GPS tracking of Baez's vehicles [was] at a time when there was unanimous support for its validity in the face of Fourth Amendment challenge" as his arrest took place just three days after Maynard, the only federal appellate court opinion to find that warrantless GPS use was a constitutional violation. "Given the vast weight of authority—albeit not formally binding in the First Circuit—permitting warrantless GPS monitoring until Jones was handed down, it is apparent the Baez investigators were acting in good faith when they made use of that technique."

If you read this blog often, you know that I frequently write about cases applying the Jones decision, and with a few exceptions, there is one basic rule - courts in the Seventh, Eighth, and Ninth Circuits apply the Davis good faith rule to pre-Jones GPS use, while courts outside of those circuits do not, because they did not have binding precedent at the time. As one Kentucky court noted, allowing the use of nonbinding authority to support a good faith argument would allow officers to "beg forgiveness rather than ask permission in ambiguous situations involving ... basic civil rights." (United States v. Lee, 2012 U.S. Dist. LEXIS 71204 (E.D. Ky. 2012) (read more here)).

Regardless of all of the existing cases, the Baez court decided to create its own Davis interpretation, finding that the Supreme Court never intended Davis to be so "static." The judge notes he was only able to find one post-Jones GPS case in a circuit that did not have binding precedent. Here are some more:
In the case that was discovered (United States v. Katzin, 2012 U.S. Dist. LEXIS 65677 (E.D. Pa.)), the judge distinguished it because the GPS device in Katzin was placed after the decision in Maynard, creating doubt as to whether a warrant was needed. The judge reasoned that law enforcement should be encouraged to rely on good faith so as not to make them "unduly cautious in pursuing investigatory initiatives." Further, "[a] rigorous and realistic cost-benefit analysis recognizes that there is no meaningful deterrence value to be gained" by discouraging law enforcement from acting on non-binding precedent.

Wednesday, July 18, 2012

Measuring the cost of cybercrime

In case anyone was a skeptic as to the financial impact of cybercrime, I'd like to draw attention to a recently released paper entitled Measuring the Cost of Cybercrime.  The paper was submitted for the Workshop on the Economics of Information Security, which was held in Berlin, Germany at the end of June.

The presentation has also been posted, which will give you the abridged version if you want to avoid reading all 26 pages.

Anonymous launches plan to destroy all CP websites

Hacktivist group Anonymous has launched a campaign to "eradicate [child pornography] from the Internet." Anonymous plans to take down message boards and other websites that are "dedicated to pedophiles for chat and picture sharing."

They claim to have already invaded several sites, posting the users' IP addresses and e-mail addresses publicly on the Internet (such as here).

Tuesday, July 17, 2012

Second Circuit vacates CP conviction after officers violate terms of search warrant

In United States v. Voustianiouk, 2012 U.S. App. LEXIS 14317 (2d Cir. 2012), the Second Circuit reversed the denial of a motion to suppress and vacated the conviction and sentence after law enforcement searched the defendant's home in violation of the Fourth Amendment.

The agents obtained a search warrant for a first-floor apartment at the address associated with an ISP account, but when they arrived, they learned that the person listed on the account actually lived on the second floor. When they found the defendant, they showed him the search warrant and proceeded up the stairs to conduct the search. Thousands of images of child pornography were found in the apartment, and the defendant was subsequently found guilty of receipt and possession of child pornography.

On appeal, the defendant argued that the search violated the Fourth Amendment. The Second Circuit agreed: no name was specified in the warrant, only an address, so no other location could properly have been searched without obtaining a new warrant. Officers had the defendant's name but intentionally withheld it from the magistrate because it was the location they were interested in searching.

Further, because the officers could have detained the defendant outside his home until a new warrant could be obtained but did not do so, the court ordered suppression of the evidence. 

Monday, July 16, 2012

Mississippi district court refuses good faith argument for warrantless GPS use despite arguable precedent

In May, I wrote about an Alabama district court upholding the use of a GPS device prior to Jones under a good faith argument because the Eleventh Circuit has precedent (from the old Fifth Circuit, whose decisions bind both today's Fifth and Eleventh Circuits) allowing a beeper to be placed on the exterior of a car. United States v. Rosas-Illescas, 2012 U.S. Dist. LEXIS 74594 (N.D. Ala. 2012).

A Mississippi district court refused to do the same in United States v. Lujan, 2012 U.S. Dist. LEXIS 95804 (N.D. Miss. 2012), holding that the use "was per se unreasonable without a warrant under the Fourth Amendment."

The defendant was being investigated for narcotics trafficking, and a GPS device was placed on his vehicle and used for six days of monitoring. Thereafter, he was pulled over in Arkansas for a traffic violation and was subsequently charged with a variety of crimes. He sought suppression due to the use of GPS.

The district court analyzed how courts throughout the country have applied the good faith exception to pre-Jones GPS use and held:
[T]he Fifth Circuit's standing precedent at the time the GPS tracker was placed was that the placement of a beeper, not specifically a GPS tracker, without a warrant was justified where the officers had reasonable suspicion that the defendant was engaged in criminal activity. Accordingly, the Court finds that application of the good faith exception in this instance, where the Fifth Circuit precedent at the time the tracker was placed could only apply to GPS by analogy, is overly broad.
However, because the evidence was obtained through the traffic stop and valid consent, an independent source, the court denied suppression.

Friday, July 13, 2012

900,000 account details released, password "123456" remains popular

In case you hadn't heard, nearly a million account details were publicized within the last two days. Here's the breakdown:
  • Yahoo - 453,492
  • Formspring - 420,000
  • Billabong.com - 20,000-35,000

The Yahoo accounts were acquired by hackers through a vulnerability in its Yahoo Voice subdomain, which might also reveal access information for many other users' accounts. The group behind the attack, D33Ds, noted, "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat." The release also included 2,700 database table or column names and 298 MySQL variables.

On Tuesday, social network Formspring revealed that 420,000 accounts had been compromised. The company responded by resetting passwords for all of its 28 million users. "Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," wrote Formspring founder Ade Olonoh. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database."

Billabong is an Australia-based clothing retailer. Only 1,435 of the accounts stolen from its server were publicly released.

A CNET investigation into the Yahoo reveal noted that the most popular password was "123456," followed by "password." Come on people... really?
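The two questions a responder asks of a dump like this are whether the secrets were stored in the clear (Formspring's were hashes; the CNET count of "123456" is only possible when they were not) and how concentrated the weak passwords are. The script below is an added example for this post, not code from the page or from CNET. The dump lines are constructed, and the identifier:secret line format is an assumption about how such leaks are typically published.

```python
"""Triage a leaked credential dump: hashed or plaintext, and how weak?

Added example; not code from the original post. Dump lines are constructed.
"""
import re
from collections import Counter

# Hex digest lengths that indicate an unsalted hash column (constructed table).
HEX_HASH_LENGTHS = {32: "MD5-sized hash", 40: "SHA-1-sized hash", 64: "SHA-256-sized hash"}
_HEX = re.compile(r"[0-9a-fA-F]+")


def classify_secret(secret: str) -> str:
    """Guess whether one secret column value is a plaintext password or a digest."""
    if _HEX.fullmatch(secret) and len(secret) in HEX_HASH_LENGTHS:
        return HEX_HASH_LENGTHS[len(secret)]
    if secret.startswith("$") and secret.count("$") >= 2:
        return "salted crypt-style hash"      # e.g. $1$..., $2a$..., $6$...
    return "plaintext"


def parse_dump(text: str) -> list:
    """Split 'identifier:secret' lines. Split once: a password may itself contain ':'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        ident, secret = line.split(":", 1)
        rows.append((ident, secret))
    return rows


def summarize(text: str, top_n: int = 3) -> dict:
    """Report account count, dominant storage form, and (if plaintext) the top passwords."""
    rows = parse_dump(text)
    kinds = Counter(classify_secret(s) for _, s in rows)
    storage = kinds.most_common(1)[0][0] if kinds else "empty"
    result = {"accounts": len(rows), "storage": storage, "top": [], "top_share": 0.0}
    if storage == "plaintext" and rows:
        counts = Counter(s for _, s in rows)
        result["top"] = counts.most_common(top_n)
        # Fraction of all accounts covered by the top_n passwords: a direct
        # measure of how far a tiny wordlist gets an attacker.
        result["top_share"] = round(sum(c for _, c in result["top"]) / len(rows), 3)
    return result


# Constructed sample dumps.
PLAINTEXT_DUMP = """\
a@example.com:123456
b@example.com:password
c@example.com:123456
d@example.com:qwerty
e@example.com:123456
f@example.com:password
g@example.com:S3cure!pass:with:colons
h@example.com:letmein
"""
HASHED_DUMP = """\
a@example.com:5f4dcc3b5aa765d61d8327deb882cf99
b@example.com:e10adc3949ba59abbe56e057f20f883e
"""

if __name__ == "__main__":
    for name, dump in (("plaintext", PLAINTEXT_DUMP), ("hashed", HASHED_DUMP)):
        print(name, summarize(dump))
```

On the constructed plaintext dump, "123456" and "password" alone cover five of eight accounts; on the hashed dump the script reports MD5-sized digests and computes no frequency table, since that would require cracking first. Unsalted MD5 is barely better than plaintext against a wordlist of exactly these passwords, which is why the storage form matters as much as the leak itself.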

UPDATE: Android discussion forum Phandroid has informed users that a hacker accessed and may have downloaded account information for its more than a million users.

Thursday, July 12, 2012

Fourth Circuit remands Vicky series restitution award

In a case concerning the Vicky child pornography series, the Fourth Circuit held that a child pornography victim is entitled to restitution from a defendant "only for harm that he proximately caused." On remand, if the district court determines that proximate cause is established, it will then calculate "the quantum of loss attributable to [the defendant] for his participation in Vicky's exploitation."

The victim had argued that general causation, rather than proximate causation, is the proper standard. This, the Fourth Circuit held, "would expand the availability of restitution for even the most attenuated damages."

At sentencing, the district court had ordered restitution of $305,219.86, which represents the total amount of Vicky's loss to date that has not already been paid by other defendants.

The case is United States v. Burgess, 2012 U.S. App. LEXIS 14152 (4th Cir. 2012). Many circuit courts have already dealt with this issue (read more here).

The End of DarkComet RAT - More Technical Details

For more technical information on the DarkComet RAT, and how it has been used in concerted campaigns against governments, dissidents, and even gamers, see this Threatpost Article - Dark Comet RAT Tailored For Attacks On Gamers, Governments.

For the deeper technical analysis, check out the write-up by Arbor Networks that is referenced in the Threatpost piece - Exterminating the RAT Part I: Dissecting Dark Comet Campaigns. That is the first of a series that Curt Wilson of Arbor is doing on the technical side. The links at the bottom of the Arbor piece are (to a security nerd) absolutely fantastic - especially the piece on its use within Syria - DarkComet Analysis – Understanding the Trojan used in Syrian Uprising.

The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)

I pose the question above at a high level of generality to include in this discussion not just the writer of DarkComet RAT, but writers of other RATs, and more importantly, writers of similar software, for-profit or otherwise. I do believe there is one line to be drawn: whether the person who created the software intended to profit, or does profit, from it. It is clear from my previous post that law enforcement surely believes that writing software for these motives may be criminal - the Mariposa botnet creator and the Blackshades RAT creator were both taken into custody - however, I would argue that those situations are distinguishable.

But what should the collective "we" think about DarkComet and its creator? And more importantly, how does an enforcement scheme fit within the framework of existing "hacker" software, such as Metasploit (for profit), Backtrack (totally free - but... paid training - Offensive Security), Samurai WTF (free), Katana (free, and even more underground) -- yes, I could go on. And, is there a "paid-for" vs. "free" dichotomy?

I want to approach this question normatively, first, because I believe this to be somewhat of a novel issue, wrapped inside an already contemplated dilemma; however, I am (secretly, but not so much anymore) really hoping to hear at least one person propose an outcome similar to MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), based not necessarily on statutory law (contributory infringement is not in the Lanham Act), but through judicial interpretation. Remember, forget the law - we're proposing what the law should be, here.

I would like to reiterate that the purpose of this series is to strike a lively debate. First, the easiest analogue to this debate is the "guns kill people" argument. Namely, we don't outlaw guns, even though we know they can kill people but are also used lawfully (the majority of the time); therefore, the argument goes, we can't punish makers of guns because of the potential harm they may cause - we leave the criminal consequences at the doorstep of the individual, instead - they are boxed in by the confines of the law as their state has legislated (most often) and absent just cause (e.g., the Castle Doctrine), murder is murder. But can we dispose of this argument that simply? I (personally) don't think so.

You can't just say DarkCoderSc made a program that is used nefariously and should have known that it would be used in unethical, criminal, and fundamentally immoral ways - and thus he should be punished. Because can't the same argument be used for makers of guns (as the simplified argument above asserts), or maybe the makers of Metasploit (HD Moore), Backtrack, the list goes on. And, you can't walk away arguing the converse; see below. At the center of the issue is the question - who is more culpable - the tool creators, or the tool users? Or, to put it a couple of other ways - who is more responsible - (a) the gun maker or the shooter; or (b) the scientist who described the process to enrich uranium or the nation-state who launched the nuclear bomb?

So, let's dig in to the heart of the issue. Not surprisingly, it reverberates on a variety of fronts - ethical, legal, and even moral. To name a few: personal responsibility v. governmental intervention; notions of negligence, duty of care, and the reasonable person; foreseeability; national security (the budding argument); material or conspiratorial assistance; and if you want to delve into morality, the argument against such assistance based on natural law (a la righteousness) -- (for example, see Romans 1:18-32).

I do not propose to have the right answer to this question (in all honesty I am troubled by it), but - I also do not agree with the blanket assertion that because we have already implicitly condoned tools such as Metasploit and Backtrack, that we cannot walk that back. Conversely, I think that would be an inspiring debate. And remember the parallel (yet disparate) personal responsibility argument that turns this issue on its head - it goes like this: we cannot control the end result of every societal interaction, but, we can control the predicate for those interactions. For the lawyers out there, I analogize this (maybe in an over-simplistic way), to the stream of commerce argument. Do you provide a framework to punish the original maker of the faulty product (see Asahi) or do you rein that in and inject (not my words) "objective rationality" (see Dunlop) to shield makers from unintended and unforeseeable outcomes?

Back to the monetary debate - because I like the theme of this argument - that the Blackshades RAT creator and the Mariposa botnet creator went down because they were a part of the criminal enterprise that was taken down. And furthermore, that we look down on individuals who attempt to profit from the (insert belief word here (moral, ethical, religious)) wrong that they have caused. Clear example - we do not allow murderers to profit from the story of their offense. Is that analogous to the DarkComet RAT? Should a profit motive be involved?

In the last (third) part of this series, I will discuss whether or not DarkCoderSc (or other RAT creators) could be prosecuted or held legally liable for his RAT.

Just as a little poke - my first post should make it clear that use of DarkComet RAT as a hacking tool is transcendently clear. If you attempt to use lack of foreseeability as the basis of your argument, you automatically lose. Let the debate begin.

Wednesday, July 11, 2012

The End of DarkComet RAT - Part 1: The Introduction - Update

I forgot to mention the story from last year about how DarkComet was ported to Mac computers - facts are important - if for no other reason than to bolster the argument that DarkComet's uses are likely more malicious than condoned.

Before you rail against me - let me note as an aside that I recognize the Metasploit, Backtrack, Core Impact, etc, etc, etc. argument against criminal enforcement. They are legal tools that do the same, and they generate more money (exponentially) than DarkCoderSc could have ever made with DarkComet. That's the beauty of a three-part series. At the end, rail away. Comments are not only allowed, but encouraged throughout the process. But please, vindicate or vilify me when appropriate.

~J

The End of DarkComet RAT - Part 1: The Introduction

If you are not aware, the author of the DarkComet RAT (Remote Administration Tool) has stopped offering the software, and stopped updating it - a move that has somehow been argued to be a victory for law enforcement, although they didn't actually do anything. Yes, I have heard of deterrence. However, I will leave for another day whether or not the creator of this software should or could actually be liable for the damage it has caused. Thus, in this three-part series, I will: (1) introduce the tool, (2) discuss whether there should be legal implications for creators of such tools, and (3) discuss whether there could be legal implications.

THE INTRODUCTION
From the beginning - a RAT is a Remote Administration Tool. Essentially, this type of tool allows a remote user to exercise control over your machine - it can take pictures of the user of the computer, make changes to the computer's configuration, read/write documents, and pretty much anything else you can think of - in hacker terms, you have been "pwned." It is a complete invasion of privacy for the individual, and a complete breach for a corporation. Hackers prepare to take advantage of a RAT by "packing" it - which means the guts of the program are rearranged (code-wise), or the tool is compressed using a novel method. A good packer will allow this program to scoot by an average (or high-security) user's anti-virus, and coupled with an exploit, allow the hacker to take full control as described above. There is a plethora of "packers" and new ones every day - so anti-virus companies (whose methods are typically signature based) cannot keep up with the evolution of newly packed malware that, in the end, is the same malicious piece of software. Hackers will often test their newly packed versions against VirusTotal - a site which runs a binary through a multitude of anti-virus products, and reports whether or not it is picked up. The holy grail is 0/40, aka undetectable - and this is even taking account of the heuristics and "learning" that AV vendors claim to have injected into their detection engines. Individuals might also use "crypters," which encrypt the code in various ways to defeat antivirus detection - see below.

What is novel about the DarkComet RAT is that it has always been free to whoever wanted to use it, for whatever purpose. Now, instead of being able to download it, users are greeted with a message from the creator, DarkCoderSc, noting his decision to stop allowing it to be downloaded and further updated. There has been speculation that this decision was tied to the discovery of Syria using this tool to spy on dissidents as well as the software writer's fear that he could be prosecuted for the criminal acts of others - from his statement: "Like it was said above because of the missuse [sic] of the tool, and unlike so many of you seem to believe i can be held responsible of your actions [sic], and if there is something i will not tolerate is to have to pay the consequences for your mistakes and i will not cover for you."

If you doubt the prevalence or wide-spread use of this tool - allow me to demonstrate. The images below are from hacker forums (one underground, one a Russian clearnet site):

The first image is from an underground hack bulletin board, asking for information about how to use Tor and DarkComet. The second post is a person advertising a "crypter" - which is like a "packer" but, as the name states, it encrypts instead of compressing. As I described above, using crypters or packers makes anti-virus unlikely to detect the trojan. The service this person is offering is to make it "100% FUD" which is hacker jargon for "(F)ully (U)n(D)etectable," updated every 24 hours to continue to evade antivirus.

There is no doubt that DarkComet is all over the place, and even as he has withdrawn it from the market by not allowing anyone to download it from his site anymore, there are plenty of versions floating around the interwebs - so it is not going away soon. As others have reported, the author's change of heart likely arises from the arrests of the Mariposa botnet creator and also, more recently, the arrest of the Blackshades RAT creator as part of the Carder Profit bust.

I think the creator of DarkComet can be separated from the cases above, though, because he has always offered his software for free, and thus does not make a profit on illicit use of it. A small distinction, but a legally significant one.
In the next part I will discuss whether or not DarkCoderSc (or other RAT creators) should be prosecuted or held legally liable for his RAT.

Tuesday, July 10, 2012

Application of American law to online casino theft

With the potential for online gambling to soon become widespread in the United States through the Justice Department's December opinion, there are many issues that need to be addressed. One such issue is discussed in a paper I have recently uploaded to SSRN entitled "Cyber Thieves in Online Casinos: Applying Real-World Laws to Virtual Acts."

The paper deals with the ways in which money may be stolen in online casinos and discusses how current U.S. law should apply to those acts. Also addressed are the difficulties theft victims may face in seeking redress in court.

Please feel free to send any comments you have to me at .

Report reveals 1.3 million requests for cell phone subscriber information in 2011

For those who have assumed that requests for subscriber information from phone companies were minimal and that there was often no charge, a release of reports today shows just how pervasive and expensive these activities are. In July, Congressman Edward Markey (D-Mass.) requested figures from nine cell phone companies and revealed the information today.

Markey, first elected to the House in 1976, said of the findings, "We cannot allow privacy protections to be swept aside with the sweeping nature of these information requests, especially for innocent consumers."

In all, law enforcement made 1.3 million requests in 2011. Sprint estimates that it received 500,000 subpoenas in 2011 and has performed over 50,000 wiretaps in the last five years.

AT&T received over 260,000 requests last year including nearly 50,000 2703(d) orders and search warrants. The company has more than 100 full-time employees fulfilling these requests and charged over $8 million in 2011 alone.

The largest mobile phone provider in the country, Verizon, also received about 260,000 requests in 2011, about half from subpoenas. They claim that requests have grown about 15% per year over the past five years. Verizon has 70 employees working around the clock to meet law enforcement's demands.

The New York Times notes these figures may be severely underestimated in terms of requests and the number of subscribers involved:
Because of incomplete record-keeping, the total number of law enforcement requests last year was almost certainly much higher than the 1.3 million the carriers reported to Mr. Markey. Also, the total number of people whose customer information was turned over could be several times higher than the number of requests because a single request often involves multiple callers. For instance, when a police agency asks for a cell tower “dump” for data on subscribers who were near a tower during a certain period of time, it may get back hundreds or even thousands of names.
Full responses from the providers can be viewed on Congressman Markey's website.

Monday, July 9, 2012

Sixth Circuit okays warrantless seizure to prevent destruction of evidence

In United States v. Bradley, 2012 U.S. App. LEXIS 13752 (6th Cir. 2012), the Sixth Circuit held that a 26-hour delay in obtaining a search warrant after seizing a laptop was not unreasonable as the defendant may have deleted evidence.

A Kentucky investigator was using hash values to search for distributors of child pornography over a peer-to-peer network. He found a distributor's IP address and tracked it to a local fire station. Police went to the station and asked the defendant if they could use software to search his computer for child pornography. He consented, but the search did not load correctly. The defendant then consented to allow the investigator to obtain his GUID (a unique number for each installation of the software). The GUID matched the computer they were looking for, the investigator seized the computer, and he obtained a warrant the next day in order to perform a further search.

On appeal, the defendant argued that the seizure of the computer without a warrant was a violation of the Fourth Amendment because there was no consent or exigent circumstances. The Sixth Circuit, however, disagreed, finding that exigent circumstances existed. Had the laptop been left with the defendant, he might have destroyed the data or the laptop itself, reasoned the court. Further, "the government's interest in deterring the production and dissemination of child pornography is significant," outweighing the property interests of the defendant. Because the investigator waited until a search warrant was obtained before continuing the search, the seizure was only a de minimis intrusion upon the defendant's rights.

The court also determined that the seizure was reasonably executed. The defendant argued that another officer could have stayed at the fire department to ensure that data was not deleted while the investigator obtained a warrant. The court noted that this was "the better path" but the seizure was not necessarily unreasonable. Also, because of "the intricacies of the warrant application, ... the 26-hour delay was not unreasonable."

Friday, July 6, 2012

Computers with DNSChanger virus lose Internet Monday

In case you've forgotten, computers infected with the DNSChanger virus will lose Internet access on Monday. The virus once redirected computers to fake DNS servers, but the system was shut down by the FBI. A new server safely redirected Internet traffic temporarily, but it is scheduled to be taken down next week.

To check to see if your computer is infected and to learn how to fix the problem, visit the DNS Changer Check-Up site or the FBI's site.

UPDATE: Ars Technica estimates that 300,000 computers may still be infected with the virus.

Thursday, July 5, 2012

ACLU releases app for recording police action

The ACLU has released "Police Tape," an Android app that allows users to "securely and discreetly record and store interactions with police, as well as provide legal information about citizens' rights when interacting with the police." Videos are automatically uploaded to an external server, preventing deletion by law enforcement, and the app itself can run in the background while recording so it isn't obvious what is happening.

Recently, some states have enacted laws banning the recording of police action, though such a ban may be a violation of the First Amendment (read more here).

Tuesday, July 3, 2012

Exciting stories from the Twitterverse

For those of you who aren't following us on Twitter, I wanted to highlight a few recent stories we posted. But also, you should follow us on Twitter (@CybercrimeRev) - we put up some great stuff!
  • How a lone grad student scooped the government and what it means for your online privacy
  • @NeedADebitCard retweets images of credit cards people put on Twitter. Have a good laugh, and then remind people not to do this!
  • Kansas website posts names, mugshots, and addresses of those arrested and allows them to pay a fee to be removed.
  • SWAT team gently reminds a girl to secure her Wi-Fi network by raiding her house with flashbangs
  • Federal and state wiretaps decrease by 14% in 2011
  • Leap second (a real thing!) shuts down websites

Washington court finds no constitutional protection for texts after reaching recipient

A panel of the Washington Court of Appeals held in State v. Hinton, 2012 Wash. App. LEXIS 1510 (Wash. Ct. App. 2012), that the United States Constitution does not provide protection for text messages once they are received by the intended recipient.

In Hinton, the recipient of the text message had been arrested earlier in the day on drug charges. An officer heard the incoming message sound from the phone, read the message, and engaged in a conversation with the sender. Here's the dialogue:
[Hinton]: Hey whats up dogg can you call me i need to talk to you.
[Officer]: Can't now. What's up?
[Hinton]: I need to talk to you about business. Please call when you get a chance.
[Officer]: I'm about to drop off my last.
[Hinton]: Please save me a ball. Please? I need it. I'm sick.
The two then agreed to meet, and Hinton was arrested and charged with attempted possession of heroin. At trial, he argued for suppression, suggesting that he had a legitimate expectation of privacy in the text messages he sent. The appellate court, however, held, "The Fourth Amendment does not protect Hinton's 'misplaced trust that the message actually would reach the intended recipient.' ... [A] text message user would expect that any privacy of the text message would terminate upon delivery to the receiving party and be subject to government trespass."

Judge Van Deren dissented in Hinton (and in its companion case, State v. Roden, 2012 Wash. App. LEXIS 1503, concerning another text messaging conversation on the same phone by the same officer), arguing that the "continuing search" after simply reading the e-mails required a search warrant, and thus the evidence should have been suppressed. The bulk of Van Deren's dissent relied upon the Supreme Court rulings in Quon and Jones, which he suggests create a reasonable expectation of privacy in text messages.
I agree with Justice Sotomayor and ... would hold under ... the Fourth Amendment that the State violated Roden's privacy rights and that the fruit of the illegal search of Lee's iPhone should have been suppressed. ...
Broadly interpreted, the majority's holding provides that all citizens of this state consent to police intrusion of their cell phone communications and that they have no expectation of privacy in any form of electronic communication under ... [the] federal constitution. That holding undermines every individual's legitimate privacy interests in communications afforded by evolving and existing technology.
As you may know depending on how often you read this blog, we talk about Jones a great deal, but my interest in this case is not to see how Sotomayor's opinion might apply, but rather to get back to some of the basics of Fourth Amendment law. The actions taken by the officer in this case, while common, leave open many problems.

One issue is that the phone's owner was in jail for a drug charge. His alleged illegal act had already happened so no text message received after that crime should be searched during the investigation for that crime. Of course, the message may simply appear, but Hinton's original message does not alone suggest any illegal act and is not, therefore, plain view. The search of the phone - and thus the entire scope of what law enforcement could use it for - should have been restricted to finding evidence for the owner's previous crime.

Here, however, the officer worked to create new evidence for new crimes. It's one thing to look at the messages on a phone, but another to author new ones. In Hinton, the officer simply responded to a new message, and in Roden, the companion case, he responded to an old message and created a new conversation. But how far can this go? Could the officer message everyone in the phone's contacts? Could they send e-mails from the phone owner's account as well? Could they use technology that allows text messages to be masked with any phone number in order to collect (or create) evidence? And imagine the scenario where there is a defendant like Hinton, and the officer sends a text message implying the defendant is a drug dealer when, in fact, he is not, severely damaging his reputation. Allowing officers to send messages on behalf of a defendant (or anyone else) recklessly gives them a significant amount of power that is highly unnecessary and irresponsible.

Monday, July 2, 2012

Court upholds verdict that defendant did not "knowingly exceed authorization" when he clicked on and viewed emails in an open Yahoo! inbox

In an unpublished decision, the Superior Court of New Jersey, Appellate Division denied the plaintiff's motion for judgment notwithstanding the verdict in a case where the defendant opened emails in an inbox that was left logged in on a computer next to him. The case is Marcus v. Rogers, 2012 N.J. Super. Unpub. LEXIS 1523 (June 28, 2012).

The facts of the case are interesting - the defendant was involved in a dispute over his salary with the school district he worked for. While surfing the internet in the computer room, he accidentally bumped the mouse of a computer next to him and the screen came alive to reveal an open Yahoo! Inbox. It happened to be one of the members of the education association that he was in dispute with. There were two emails that clearly pertained to his dispute, so he clicked on them to read them. They were not flattering to the education association, so at the next meeting, the defendant distributed the emails as evidence of failing to bargain in good faith. The emails included conversations between multiple members of the association, and accordingly they all filed suit for various charges; of importance here was a cause of action under N.J.S.A. 2A:156A-27, which reads in pertinent part:
A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.
The court initially found that the defendant did not access the facility without authorization because the previous user who had logged in was actually the one to access the facility. So the question for the jury turned on exceeding authorized access. The court framed the case in that regard as follows: "the question for this court is whether the undisputed facts precluded a finding that Wayne [the defendant], the non-moving party, knew Marcus [the inbox owner] had not consented to — stated differently, had not impliedly or tacitly authorized — access to the contents of the e-mails that she left accessible to all by failing to close her inbox and log off her account."

The court reviewed the jury's finding, noting that the Judge below had been careful in crafting his instructions regarding the statutory requirements:
In fact, the judge in this case submitted questions to the jurors that were carefully crafted to ascertain whether Wayne [the defendant] knew he lacked authorization or knew he exceeded his authorization. Their answers demonstrate that they found he did not know. All seven of the deliberating jurors found that he "knowingly accessed" the facility providing the service and that he obtained an electronic communication in electronic storage, but six of the seven found that he had not "exceeded an authorization to access that facility," and seven found that Wayne had "tacit authorization" to do so. 
The court declined to overturn such a verdict, noting that a question of subjective intent was a question for a jury unless no reasonable fact-finder could reach such a conclusion, and the court did not ascribe to the latter notion.

In short, I do not agree with this decision. I agree that there is tacit authorization to skim all of the contents on the screen of the computer with the open inbox, but as soon as you click on an email and open it, I cannot understand how that does not violate the statute. I believe the court erred in dismissing the "knowingly accesses without authorization" leg of the test - yes, the first user knowingly accessed it, but that does not preclude a second user from knowingly accessing as well. More specifically, the knowingly accessed portion cannot be a one-and-done sort of query - the user who first logged in did so, but the defendant also did so when he committed an overt act to open an email of another person without their authorization. The court is conflating access with "logging in," which is an altogether too narrow reading of the statute.

"Accesses" is being used as a verb in the statute above, and a quick look at the dictionary shows where the court went wrong:
Verb: Obtain, examine, or retrieve (data or a file).
I access something, inter alia, when I log in, when I click on something, or when I make a query to a database. Accordingly, I knowingly access without authorization and obtain electronic communication in electronic storage when I click on somebody else's email in an inbox.

Leaving your inbox open is stupid and gives tacit authorization to view that which is in front of you - the inbox. It does not give you authorization to then click on anything within there.

District Court: CP mandatory minimum leads to unconstitutional sentences

An Ohio district court sentenced a man convicted of child pornography possession to five years in prison (the mandatory minimum), despite sua sponte arguments from the court suggesting the sentence is unconstitutional considering the defendant's background, conduct, and mental health. United States v. Marshall, 2012 U.S. Dist. LEXIS 90487 (N.D. Ohio 2012).

The court began the opinion:
Child pornography remains one of the fastest growing areas of prosecution by the Justice Department. Law enforcement teams are policing the internet and catching people who have the false impression their habit is personal, harmless, and anonymous. Without a doubt, child pornographers deserve no sympathy -- they are serious offenders who capitalize on the vulnerability of innocent children, many of whom will have permanent emotional scars. However, these crimes, now appearing regularly on federal court dockets, raise a number of alarming issues, including the severity of punishment, which is often the result of harsh sentencing guidelines and mandatory minimum sentences usually reserved for violent felons and major drug dealers. Indeed, approximately 70% of the federal bench considers the current sentencing regime for child pornography possession and receipt cases too severe, and over 70% believe the mandatory minimum in receipt cases is too high.
Next, several studies concerning the psychological issues behind child pornography were discussed, as well as an in-depth look at the way sentences are mandated under the federal sentencing guidelines. Specific to the defendant in this case, the court noted:
The mandatory minimum of five years is not a proverbial "slap on the wrist," especially for someone who has never spent a day in jail and with no history of violence or assaultive conduct, who suffers from a human growth hormone deficiency and other developmental conditions, and who voluntarily provided much of the evidence used to prosecute him. Defendant will also have the life altering consequences of probation and reporting that naturally flow from a conviction for this sex offense. When this Court weighs these individual considerations, the Guidelines produce a sentence range that is not reflective of the crime.
...
[T]his Court is persuaded that the Section 2252 mandatory minimum is inconsistent with the Section 3553 sentencing factors, and further believes that the mandatory minimum, as applied to this Defendant, might well be unconstitutional.
However, because courts are not allowed to sentence below the mandatory minimum, the court imposed a sentence of 60 months "while at the same time emphasizing its strong disagreement."

RELATED CASE: In 2011, a New York district court held that the mandatory minimum was "cruel and unusual punishment." United States v. C.R., 792 F. Supp. 2d 343, 496 (E.D.N.Y. 2011).

Kentucky district court applies good faith to warrantless use of GPS placed on vehicle in Seventh Circuit

In United States v. Shelburne, 2012 U.S. Dist. LEXIS 85368 (W.D. Ky. 2012), a federal district court refused to suppress evidence acquired after the warrantless use of a GPS device because the device was placed on the vehicle in a circuit where GPS use was allowed pre-Jones.

The GPS device was placed by Indiana (Seventh Circuit) law enforcement, and the defendants then traveled to Kentucky (Sixth Circuit) where they were arrested. The government argued, and the court accepted, that since the relevant actors were in the Seventh Circuit and relying on precedent there, the Davis good faith analysis should be based on Seventh Circuit law as opposed to the location of the arrest and trial.

Since the Supreme Court's decision in Jones, lower courts have generously applied the Davis good faith rule. Because the Seventh, Eighth, and Ninth Circuits had found GPS use without a warrant to be constitutional, there is no suppression requirement (see previous discussion here and here). Further, a district court in the Fifth Circuit has held that a 1981 case will allow the evidence use under Davis (applied to the old Fifth Circuit, which now also includes the Eleventh Circuit) (discussion here).