You Are Not a Scientist


Paul Ohm, an associate professor at the University of Colorado Law School, opened a new blog segment called “You Are Not a Lawyer (YANL)” with an opening salvo targeting “computer scientists and other technically minded people.” It was a nice touch to lump computer scientists with anyone possessing a TiVo. Tit for tat, in this critique of his post I will title mine “You Are Not a Scientist (YANS)” in an attempt to disabuse lawyers and other legally minded people of the implied assertion that just because it is so, it should be accepted.

Professor Ohm seems to take issue with concerns some individuals raise regarding the level of uncertainty present in some types of digital evidence. He names these the “open wireless access point defense,” the “trojaned computer defense,” the “NAT-ted firewall defense,” and the “dynamic IP address defense,” though I have not heard the concepts referred to as such previously. All of these ideas can be collapsed into a question of 1:1 linkage of an IP address to an individual. To avoid any confusion, let me define how I interpret the terms Professor Ohm selected:

Open wireless access point defense (“OWAP”) – Wireless access points without proper encryption are subject to access by unassociated individuals. Home users with little technical knowledge often set up their access points with a default or insecure configuration. Because home users generally have a single IP address assigned, every machine accessing the internet from their connection uses the same public IP. Thus a situation arises where Alice is accused of action X; she claims she did not do X, but rather that her unsecured router allowed some unknown party, Bob, to access the internet and perform X. If Bob exists and committed X while connected to Alice’s router, the trail of external evidence ends at Alice’s router, where the public/private IP boundary is.

NAT-ted firewall defense (“NAT-F”) – This concept is identical to the above. Network Address Translation, NAT, is a technique which allows multiple machines to share fewer IP addresses, often just one, than the number of machines. This is ubiquitous in home settings and often in business settings as well. The OWAP defense simply does not work without NAT, and likewise a NAT-F defense requires a method for the unknown party to access the internet through the network in question.

Dynamic IP defense (“DIP”) – I am unsure what the Professor is referring to with this. I think he is likely talking about the possibility that an IP address will be reassigned to a different user, which is very common in home settings where public IP addresses are normally not static. Identification by IP address would have to include a timestamp for the event in question to be useful at all, so if the ISP is recording who had the IP they will also know when they had it, making (what I assume to be) the Professor’s point invalid.

Trojaned Computer defense (“TC”) – More appropriately broadened to malware rather than just Trojan horses, the TC defense would presumably result from malware infecting a user’s computer and allowing an unknown party to access the internet through it like a proxy. This is very common, especially with self-propagating malware and botnets. The idea is that Alice had a virus, the virus allowed Bob to access the internet using Alice’s computer as a proxy, and so the trail of evidence for X, some deed committed by Bob, is traced back to Alice instead.
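The four “defenses” above all reduce to the same attribution question, so here is an added worked example (my own code, not part of the original post) of what an investigator can and cannot resolve from the logs that actually exist: an ISP’s DHCP lease log resolves a public IP plus a timestamp to a subscriber account (the DIP point), but only a router-side client table, which home users normally do not keep, could go further. All IPs, account names and times are constructed sample values.

```python
from datetime import datetime

# Constructed ISP lease log: (public_ip, subscriber, lease_start, lease_end).
# The same public IP is reassigned mid-day, which is why an event timestamp is mandatory.
ISP_LEASES = [
    ("203.0.113.7", "acct-1001 (Alice)", "2000-06-01T00:00:00Z", "2000-06-01T12:00:00Z"),
    ("203.0.113.7", "acct-2002 (Carol)", "2000-06-01T12:00:00Z", "2000-06-02T00:00:00Z"),
]

# Constructed router-side DHCP/NAT client table for Alice's connection. A real home
# router rarely retains this, so treat it as the best case, not the typical one.
ROUTER_CLIENTS = {
    "203.0.113.7": ["aa:bb:cc:00:00:01 (Alice-laptop)", "aa:bb:cc:00:00:02 (unknown guest)"],
}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def subscriber_for(public_ip, event_time, leases=ISP_LEASES):
    """Account holding public_ip at event_time, or None if no lease covers it."""
    t = parse_ts(event_time)
    hits = [who for ip, who, start, end in leases
            if ip == public_ip and parse_ts(start) <= t < parse_ts(end)]
    return hits[0] if hits else None


def candidate_accounts(public_ip, leases=ISP_LEASES):
    """Every account that ever held public_ip: the ambiguity left when the timestamp is missing."""
    return sorted({who for ip, who, _, _ in leases if ip == public_ip})


def attribute(public_ip, event_time, leases=ISP_LEASES, router_logs=None):
    """Walk the evidence trail as far as the available logs allow.

    Returns the subscriber account, the devices seen behind that account's NAT
    (empty when no router log exists), and whether the trail reached a single device.
    The ISP log ends at the public/private boundary; without router data, it stops there.
    """
    account = subscriber_for(public_ip, event_time, leases)
    devices = (router_logs or {}).get(public_ip, []) if account else []
    return {"account": account, "devices": devices, "single_device": len(devices) == 1}
```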

Professor Ohm then goes on to detail not a critique of the merits and flaws in these concepts, but rather a summary of how the criminal justice system would handle them. In a nutshell, law enforcement, without needing to approach “beyond a reasonable doubt”, will instead obtain your identifying information from your ISP because it is “relevant and material to an ongoing criminal investigation.” They will then use “probable cause” to “read all of your stored email, rifle through your bedroom dresser drawers, and image your hard drive.”

He goes on to paint a picture in which the accused, before even getting to trial, has had his or her life “turned upside down.” (The fresh prince principle?) Because the accused is likely not wealthy, their legal defense will be headed by an overworked public defender “who has no time for far-fetched technological defenses and prefers you take a plea bargain” or an expensive private attorney who is essentially experimenting on your dime and with your freedom.

I think that summarizes the post nicely, but very sadly. The picture Professor Ohm presents is not of the technical qualities of these “defenses”, but rather of a severely flawed system of justice in which there is none. The crux of his blog post revolves around his disdain for ‘techies’ “dreaming up ways people can use technology to inject doubt into the evidence to avoid being convicted.” In fact, his closing line reads simply, “By meeting any of these standards, they [law enforcement, the government, etc] can seriously disrupt your life, even if they never end up putting you away.”

Punishing the accused so seriously before even getting to trial is such an outrage to what should be our sense of fairness and liberty that I am flabbergasted a law professor would take such a cavalier attitude towards it. Dealing with the philosophical issues involved is beyond my scope here. Instead I am going to discuss a counterpoint, a real scenario involving an AOL hack in the year 2000. It took me a while to track down some of the original articles, since this event is coming from memory and the original website which reported on the hack, , is no longer around. In the end I found a CNN archive article with the pertinent details.

America Online (“AOL”) was a huge behemoth of an ISP back then when broadband was just making its first appearance. AOL had an internal tool called the Customer Record Information System (“CRIS”) which contained all their customer, account, and billing information for AOL members. After some high profile hacks, AOL implemented more stringent security policies governing access to CRIS including limiting access to employees who were on the premises or whose accounts were secured with a security token. The AOL internal network was protected by a firewall to prevent users outside their offices from accessing CRIS.

Despite their efforts, CRIS was hacked, with an outsider penetrating the firewall and accessing the tool. There were two parts to this hack. The first part is not interesting for this discussion and consisted of a piece of malware which performed a reverse connection from an internal employee’s workstation to a system on the internet (thereby penetrating the firewall). The second part is very pertinent. Let me quote a seemingly innocuous part of the archived article:

“The Trojaned computer opens a connection to and acts as an intermediary, allowing CRIS access. Retired said CRIS can be accessed without a special account by having the tcp.ccl file connect to a cable modem, which can’t be traced to the attacker’s computer. The cable modem then relays commands to the Trojan on the AOL employee’s workstation.”
[The writer of the original article was slightly off here in that it is the infected computer, not the cable modem, which relayed the commands.]

In this attack, two separate systems were compromised: the internal AOL employee’s workstation, and the computer of an innocent party who happened to have a cable modem. Instead of having the AOL employee’s workstation connect to his or her own computer, the hacker used another system as a proxy, hopping from it into the AOL internal net to access CRIS. The following diagram shows how the attack played out:

Attack overview

What’s my point? The “defenses” Professor Ohm identifies represent legitimate doubt due to technical uncertainty. Linking these doubts to dreams implies they are invalid defenses, made-up tales like a child caught with their hand in the cookie jar trying to explain it away. The question is NOT whether these are valid concerns, NOT whether some guilty parties use them in a sham attempt to explain away their actions, but rather whether they ARE reasonable depending on the context. In the real-life example above, the network logs on AOL’s side would have led law enforcement to an innocent person with a Trojan horse installed on their computer acting as a proxy for the real culprit. Home users don’t maintain network logs; an innocent party left holding the bag would have no way to point the law to the real criminal. Sadly, law enforcement lacks the expertise to perform more than the bare minimum investigation and would almost certainly miss a tiny little Trojan, especially if it were well designed.

Imagine you were this innocent user and law enforcement came knocking on your door. It wasn’t you! It was a Trojan Horse! The TC-Defense eh? That is just a techie dreaming, trying to inject doubt. Sure, there is nothing on your computer proving you did it, but law enforcement doesn’t need to prove it because “they can seriously disrupt your life, even if they never end up putting you away.”

Shame on you, Professor Ohm, for disparaging legitimate doubt! These “defenses” are possible; whether they are probable or reasonable depends on the context. If the accused is going to be punished before mounting a defense because the bar is so low, then perhaps we should be encouraging so-called techies to inject doubt and raise the bar law enforcement needs to meet before destroying someone’s life.

Posted in Digital Forensics, Law