No Evidence That Hacker Was Hacked
from the tracks-covered-too-well dept
It appears that the hacker who was accused of shutting down computers at the Port of Houston is trying to go with the “it wasn’t me, it was someone else who hacked my computer” defense made popular by the guy who claimed that a trojan horse program filed his fraudulent tax returns. It appears that defense isn’t working in this case, as the prosecution has brought up a witness who points out that there’s absolutely no evidence that anyone hacked into the kids machine. Not sure about the details in this particular case, but I imagine we’ll still be seeing a lot of people using just such a defense for any sort of computer related crime in the future.
Comments on “No Evidence That Hacker Was Hacked”
guess who else will use this ruse
If RIAA sues the wrong people, they’ll probably use this excuse as well.
Forensically sound???
This guy’s argument about blocks being out of order when logs are edited after the fact is fine, and as far as I can see it is correct. But there are definately ways around this argument though, such as a hacker moving the log, or the victim “defragging” their hard drive.
Windows logs may be protected from defrags and movement of the files within the OS, but in this case, shouldn’t they also be protected from modification after the fact? Seems to me that the defense lawyer might be able to shoot holes through this argument.
The only way I could truely say something wasn’t modified is if they took cryptographically locked checksums of the files and compared them, then they could argue that the attacker didn’t modify the logs. Otherwise it is swiss cheese. Not that I don’t think the hacker is guilty (ok, so maybe I don’t, I do not have all the facts.) However this expert cannot believe that this evidence alone will convience a smart jury, nor will it stand up to ridicule by the competent defense lawyer.
As somebody that *has* been used and abused....
…I can’t tell you how disconserting it is to hear the investigator say “but that’s just a theoretical vulnerability in TCP/IP”. Of course this was in the telnet to SSH transition period. Nobody uses telnet any more… still, 6 months after they were still trying to decide if they had a case, explits like hunt and jugernaught began to surface from the underground. Theoretical indeed…
Computer “evidence” is *extremely* ephemeral and if the computer is connected to the Internet in any way, shape or form…
Any good professional (and what I mean by “good professional” is that they don’t have a record — not even a FBI case file entry — and they make a living from their efforts) cracker knows to get a patsy before doing anything that anyone will take any notice of.
Re: As somebody that *has* been used and abused...
> “but that’s just a theoretical vulnerability in TCP/IP”. Of course this was in the telnet to SSH transition period. Nobody uses telnet any more…
…and nobody is even really sure SSH is completely safe these days either.