At 12:18 PM -0500 5/2/01, Harmon Seaver wrote:
>Eric Murray wrote:
>
>>  If you testified that you couldn't swear that the log file was correct,
>>  the prosecutors next question would be "to the best of your knowledge,
>>  did you or someone else modify the log file entries in question?".  Unless
>>  you knew that you had, or that the machine had been hacked and the logs
>>  edited, you'd have to answer "no", making it acceptable as evidence[1].
>>
>
>      Not at all -- I'd answer that I'd found log files that had clearly been
>altered so many times that I would never assume they hadn't been. And that my
>log files in particular were constantly in danger of being altered on a daily
>basis, since the tool I use to view them is vi and it's more than easy to
>absentmindedly delete or alter lines with a keystroke.

I tend to agree with Harmon. Though Eric makes a good point about how 
applying infosec standards to courtroom issues is usually an 
engineer's idea of how the law ought to work.

However, we have seen several trials where defendants merely 
_shrugged_ when asked if e-mail allegedly composed and sent by them 
actually was.

"I have no idea if that was something I wrote. I could maybe check my 
own archives of the e-mail I've sent over the years, but there are 
big gaps."

"Yes, I suppose it looks like something I could have written, but I 
don't know for sure."

"There are at least three people who used to attach my name to e-mail 
they sent out. Sometimes they even used port 25 hacks to make it look 
like my account was the originating address. So mail allegedly from 
me may well not be."

"The best way of authenticating e-mail is with digital signatures. 
Are these items you say were sent by me actually _signed_ by me? And, 
of course, even signed mail may have been signed by someone who got 
my keys via the Special Collections Service or by one of the many 
black bag jobs authorized in RICO and similar cases."

As per Eric's point, these may sound too "legalistic."

I think just shrugging and saying "I'd have to check my own records 
very carefully" is a reasonable answer to any question asking about 
the authenticity and veracity of e-mail or machine logs.

(This is a more plausible argument in today's age, where one may have 
sent out tens of thousands of e-mail messages. A lot harder case to 
make in the days of handwritten letters, which were both analyzable 
in handwriting style and were limited in numbers sent.)

--Tim May


-- 
Timothy C. May         [EMAIL PROTECTED]        Corralitos, California
Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon
Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go
Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns
