CS Undergrad Hacks the Gibson Uses Command Prompt


Reading the search warrant affidavit was painful and illustrates what I see as a trend in law enforcement circles – and not a good one. The rules governing what constitutes expertise seem to be an afterthought in situations where a computer is involved.

Background:
A computer science undergrad at Boston College had most of his electronics seized (computers, cellphones, etc.) during the execution of a search warrant. Riccardo Calixte, the undergrad, had what was described as a “domestic dispute” with his roommate. The individuals lived in campus housing, and the dispute was being handled by residential life; the police came out to investigate and then things started tumbling downhill into what I can only describe as a witch hunt.

The straightforward domestic dispute was exacerbated when Calixte’s roommate told the police Calixte was a hacker and was involved in “some computer hacking incidents” including changing grades.

Let’s look at this from a realistic perspective. Despite the fantastic storylines movie writers portray, we no longer live in a simple world of easily changed grades. Modern systems have log files, audit trails, and a complexity that makes grade changing a far more involved task than, say, opening someone’s Excel sheet and changing an F to an A. Also, could the description “some computer hacking incidents” be any more vague?

The officer claims the roommate is a reliable witness in another investigation – what that has to do with his allegations against Calixte, made while a domestic dispute between the two of them is being handled, is unclear.

The officer, Kevin Christopher, interviewed the roommate again for some background information. The roommate then told the officer Calixte was a CS undergrad and worked in Boston College’s IT department. It is not specified whether this is the campus-wide IT department, the department’s IT department, the student help desk, etc. There is also some nonsense about Calixte being considered a “master of the trade,” which is a silly phrase seemingly intended to make Calixte sound technically dangerous. This is silly for several reasons: first, computer science is not a trade, so there is no concept of the “apprentice-journeyman-master” trade ranking system, and second, in the context of academia, if he were implying Calixte was a master, as in M.S., he’d be wrong since Calixte is an undergrad. Now don’t get me wrong, undergrad CS students are usually very competent, but they still have a lot to learn, so I wouldn’t go painting this individual as some kind of dangerous cyber ninja unless his name popped up on some Black Hat presentations. There are also more references to Calixte having a reputation as a hacker – dollars to donuts lots of people in their CS department have that reputation; the term’s meaning depends a lot on context.

Then there is a description of Calixte often having laptops and other equipment in his possession which he is field testing or fixing. Actually it was termed “fixing”; why the quotes, I don’t know, but it is hardly uncommon for CS students to be bugged for help by anyone and everyone who clogged their system with malware, and he did work for some on-campus IT department, so field testing isn’t out of the question either.

Here’s the kicker: “[roommate] reported that Mr. Calixte uses two different operating systems to hide his illegal activities.” OH MY GOD, he uses TWO different operating systems! He’s in the CS department; if he’s like any other CS student he’s dual booting Windows for gaming and Linux for working. My iPod can dual boot these days! Now, as horrendously ignorant as that statement was, it turns out the officer was even more ignorant than that: “One is the regular B.C. [Windows?] operating system and the other is a black screen with white font which he uses prompt commands [sic] on.” So… he’s using the command prompt, not another operating system. Wow.

Following this is a litany of accusations of, well, I’m not sure what the list is supposed to be telling us.

  1. The roommate has observed Calixte hacking into the grading system to change grades. This brings up the question of why he waited until now to disclose this, and whether not disclosing it violates any honor code the school has.
  2. “…he has ‘fixed’ computers so that they cannot be scanned by any [*ANY*] system for detection of illegal downloads and illegal internet use.” This could mean anything: a firewall does that for network scans, BitLocker does that for stored data, and both are included as part of Windows Vista (BitLocker only on the Ultimate edition). I have to nitpick the use of “any” too; any is just too powerful a word to use in cases like this from a scientific perspective. Also, any tool which prevents scanning of a system has a legitimate use too – that being preventing the, presumably unauthorized, scanning of a system. It’s called privacy.
  3. “‘jail breaks’ cell phones, possibly stolen ones, for people so that the phone can be used on networks other than they are meant for and downloaded program software (sic) against the licensing agreement for free.” If they own the phone, they can do anything they please with it; I assume this involves iPhone(s), since their lock-in with AT&T spawned the jailbreak movement. As for downloading software, is it software without a license, or is it software the phone’s EULA prohibits, or is it software that does not involve a phone at all but has been randomly tacked onto the jailbreak bit?
  4. Calixte has 200+ movies and music from the internet. And the roommate doesn’t? I’d be surprised if you could find one student system on the whole campus without some music or movie downloaded from the net.
  5. “…Mr. Calixte has personally implicated himself in illegal activity to him [the roommate] on previous occasions.” Such as? Mr. Calixte sent his specter to harass the roommate perhaps? (Salem witch trials reference.)

Now for something to take this back to the playground. The roommate blames problems with his computer crashing on Calixte, then goes on to state the computer was looked at by several experts who cannot fix the problem. So… it’s obviously Calixte, because experts can’t figure out the problem. Who are these ‘experts’ exactly, and what qualifies them as such? Please tell me they aren’t the sort wearing white socks with black shoes and working at a certain retail store… Then someone, they presume Calixte, set up a profile on adam4adam.com (a gay personals site) and then sent out emails to a mailing list purporting to be the roommate coming out of the closet. Childish, yes, and the IT Security Director for the campus did some checking and found that yes, it probably was Calixte who did it. Oh no! A college student called someone else gay!

What does this all mean?
Two students got into a fight, as roommates will, and one of them started making accusations about the other being a super l33t hax0r pirate, yarrrr. The investigating officer, for some reason, has gone completely out of his mind, blowing the situation out of proportion. Why is he doing this? No one really knows but him, but I can conjecture. Some police officers and investigators, in my experience, have significant authority issues, and the “thin blue line” mentality can send them chasing after shadows and punishing the innocent in a search for someone, anyone, to blame.

His motivations aside, the real danger I see with this situation is the positioning of the investigator as an expert when he really is not. Section (5), “Affiant’s Experience, Education, Training & Study,” is an example of an individual with some overview knowledge but not enough to be called an expert. The three bullet points are vague and cannot be used to gauge any technical competence he may or may not possess. For example, “Over the course of my career I have been involved in the investigation and prosecution of numerous serious crimes including; (sic) Narcotic Investigations, Computer crimes (sic), Identity Theft, Identity Fraud, Attempted Murder and other crimes against people and property.” Fantastic, but how many in total, and what percentage of those involved computer-related crimes? What was your specific role in those investigations? What was the result of the investigation and later prosecution? This could mean anything; it could be as ridiculous as riding shotgun on a flubbed investigation which happened to relate to computer crime, or as impressive as single-handedly breaking a 512 bit AES encrypted drive with pencil and paper.

He then references one Sergeant Murphey, who has a more impressive list of credentials; impressive for a layman at any rate. The trouble with these lists is the impression they are meant to give of great knowledge, when in fact most of them are short seminars and training sessions which are not sufficiently in-depth to create an expert. Do not misunderstand: this type of training is a great way to make police officers more cognizant about what to look for and when to call in a real expert, but it is insufficient for them to act as the expert. To put some of this in perspective, the more advanced expert with the huge list of things attended had between 24 and 36 hours of training per year from 2005-2007. Sound like a lot? Look at an undergraduate class for 3 credit hours; it entails 45 hours of in-class time split over 15 weeks, meaning he earned barely over 2 university classes worth of training in 3 years. This does not an expert make.

He closes with a standard list of quirky facts about computers which can give information in an investigation, used to justify the list which follows, asking for permission to take everything and let a “Civilian Computer Expert” search it.

Conclusion:
Two students get into a fight. One makes wild accusations of undetermined validity to the police. The investigator presumably gets all excited about flexing his expertise and possibly netting some personal glory, and decides to dust off the Malleus Maleficarum. Meanwhile the CS undergrad has all of his gear taken for an extended period of time and his privacy violated on extremely flimsy evidence and a whole lot of tattletale hearsay from the individual Calixte was fighting with.

The more of these cases I come across, the more I see the subtext from law enforcement: “if you have nothing to hide you wouldn’t be using all these scary technologies.” People do have things to hide and there is a legitimate need to recover that information – I know this from first-hand experience in digital forensics investigations – but the invasive nature of digital forensics, combined with its ability to lay all bare without regard for privacy, makes it a very dangerous tool which should be wielded cautiously. Thankfully those with the ability to wield it most effectively are the same ones who trend towards valuing privacy and anonymity the most.

Thankfully the EFF got involved, so Calixte is in good hands. This case really gets to me on a personal level because any of a number of undergrads I see every week could be another Calixte, with no way to fight the deck stacked against them.

Check back at the EFF page for the full text of the warrant affidavit and the follow up motion to quash.

Posted in Digital Forensics, Law