Re: layered deception (timestamping logs)

2001-05-03 Thread Tim May

On Wednesday, May 2, 2001, at 10:12 PM, Anonymous wrote:

 At 11:00 PM 05/01/2001 -0500, Harmon Seaver wrote:
   Has anyone given any thought to how log files could be accepted as
 evidence in the first place? They're just text files, and exceedingly
 trivial to alter, forge, erase, whatever. They get edited all the time
 by hackers -- how can anyone, even the sysadmin, swear that they are 
 true?


 Seems to me that secure digital timestamps on the logs
 would be really interesting to anyone wanting to preserve
 their usefulness as evidence.

 This would obviously cut both ways, could be used for either good or
 ill.  Any collective wisdom on the ramifications of such a technology?
 I'd put it into my messaging infrastructure if I cared about such 
 things.

The asymmetry arises this way: almost _never_ does an ISP/operator 
benefit from having logs, but prosecutors can use logs to prove various 
crimes and thoughtcrimes.

Like digital signatures, they are best used sparingly. (To see this, 
imagine the benefits of signing everything. What is gained by Joe 
Sixpack in using digital signatures ubiquitously? Very little. What is 
potentially lost? Ask Jeff Gordon.)

A digital signature, a timestamp, is not something to be given away 
lightly.


--Tim May




Re: layered deception (timestamping logs)

2001-05-03 Thread Harmon Seaver

Tim May wrote:

 The asymmetry arises this way: almost _never_ does an ISP/operator

 benefit from having logs, but prosecutors can use logs to prove various
 crimes and thoughtcrimes.


  Well, that's not quite true -- logs are pretty useful, in fact even
necessary, for a number of things. Troubleshooting system problems, for
instance. Every time you make a change to the named config on a DNS server,
then restart named, you then immediately look in the log to see if everything
worked okay. Or say someone is having problems getting to a website, and
blaming your firewall or proxy server, you can perhaps find in the DNS server
log that the real problem is at the ISP for the webserver they are trying to
hit. Mail is the same way. And some customers want the statistics from a
webserver's logs -- for a whole year or more, same with the proxy server.
  Another thing logs are useful for is if someone is trying to hack you,
and his IP# is showing up in your logs, so you can cut and paste that portion
of the log into email to the hacker's ISP and ask them to do something about
the guy -- although with my latest firewall and packet filtering that might
be a thing of the past.
  Other than the aforementioned web and/or proxy logs for statistical
purposes, however, I can't see any rationale for keeping logs very long,
certainly not over 30 days, maybe not over a week, possibly just one day.  I
was at a meeting once with people from the state IT group (who were the ISP
for all the higher eds) who were insisting to us that everybody had to log
*everything*, including router traffic, and keep it for years. When I asked
what law required that, they said there wasn't any, but you'd be in trouble
with the FBI or Secret Service if you didn't and they needed those logs.


--
Harmon Seaver, MLIS
CyberShamanix
Work 920-203-9633   [EMAIL PROTECTED]
Home 920-233-5820 [EMAIL PROTECTED]




re: layered deception (timestamping logs)

2001-05-03 Thread David Honig

At 10:12 PM 5/2/01 -0700, Anonymous wrote:

Seems to me that secure digital timestamps on the logs
would be really interesting to anyone wanting to preserve
their usefulness as evidence. 


If you protected some logs (say, local user logins) really well,
and left other logs (say HTTP) unprotected then it would be *mighty easy*
to bring up degrees-of-trust in a trial.

I can imagine good operational reasons why lots of users might need write
access to an HTTP log. (E.g., different user-level CGIs writing to the same
HTTP log) and why you might want to track user logins more reliably than
http hits.
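The "secure digital timestamps on the logs" idea from Anonymous, and Honig's point that a well-protected login log deserves more trust than an unprotected HTTP log, can be made concrete with a hash-chained log whose head is periodically sealed by a key the log host does not hold. This is an added example written for this page, not code from any list member; the notary key, the log lines and the timestamps are constructed, and the HMAC seal stands in for the signed timestamp a third-party timestamping service would issue.

```python
import copy
import hashlib
import hmac

# Constructed for this example: in practice the sealing key lives with a party
# that does not administer the log host (a notary or timestamping service), so
# that whoever can edit the file cannot also re-issue a valid seal.
NOTARY_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64


def entry_digest(prev_digest: str, timestamp: str, message: str) -> str:
    """Bind a record to its predecessor, its timestamp and its text."""
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(b"\x00" + timestamp.encode())
    h.update(b"\x00" + message.encode())
    return h.hexdigest()


def append_entry(log: list, message: str, timestamp: str) -> dict:
    """Append one record whose digest chains to the current head."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"ts": timestamp, "msg": message,
             "digest": entry_digest(prev, timestamp, message)}
    log.append(entry)
    return entry


def seal(log: list, key: bytes) -> dict:
    """Checkpoint over the head digest and record count, kept off the host.

    Stands in for the signed timestamp a trusted third party would issue."""
    head = log[-1]["digest"] if log else GENESIS
    tag = hmac.new(key, f"{len(log)}:{head}".encode(), hashlib.sha256).hexdigest()
    return {"count": len(log), "head": head, "tag": tag}


def verify(log: list, checkpoint: dict, key: bytes) -> tuple:
    """Return (True, None) if the log matches its seal, else (False, reason)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if not hmac.compare_digest(entry_digest(prev, e["ts"], e["msg"]), e["digest"]):
            return False, f"entry {i} altered or chain broken"
        prev = e["digest"]
    if len(log) != checkpoint["count"]:
        return False, "record count differs from sealed checkpoint"
    expected = hmac.new(key, f"{len(log)}:{prev}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, checkpoint["tag"]):
        return False, "seal mismatch: history was rewritten after sealing"
    return True, None


def build_demo_log() -> list:
    """Constructed login records (not real data)."""
    log = []
    append_entry(log, "sshd: accepted password for alice from 192.0.2.10", "2001-05-02T22:10:00Z")
    append_entry(log, "sudo: alice : COMMAND=/bin/cat /var/log/messages", "2001-05-02T22:11:30Z")
    append_entry(log, "sshd: session closed for user alice", "2001-05-02T22:12:05Z")
    return log


def demo() -> dict:
    """Seal a log, then try three kinds of tampering and see which check fails."""
    log = build_demo_log()
    checkpoint = seal(log, NOTARY_KEY)
    results = {"intact": verify(log, checkpoint, NOTARY_KEY)}

    # 1) Edit a record's text in place: its stored digest no longer matches.
    edited = copy.deepcopy(log)
    edited[1]["msg"] = edited[1]["msg"].replace("alice", "bob")
    results["edited"] = verify(edited, checkpoint, NOTARY_KEY)

    # 2) Rewrite history consistently, recomputing every digest (what anyone with
    #    write access to a plain text file can do): only the off-host seal catches it.
    rechained = []
    for e in log:
        append_entry(rechained, e["msg"].replace("alice", "bob"), e["ts"])
    results["rechained"] = verify(rechained, checkpoint, NOTARY_KEY)

    # 3) Drop the newest record: the chain is consistent but the count is short.
    results["truncated"] = verify(log[:-1], checkpoint, NOTARY_KEY)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'OK' if ok else 'FAIL'} {reason or ''}")
```

The chain alone proves nothing, since whoever can edit the file can recompute it; the sealed checkpoint held by someone else is what turns "just a text file" into evidence whose alteration is detectable.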




RE: layered deception

2001-05-03 Thread David Honig

At 11:36 AM 5/2/01 -0700, Greg Broiles wrote:
In any scenario, it seems like a few points are likely to be crucial -

1.  Was the logging foreseeable at the time the statement/promise 
regarding no logging was made?
If there was no intentional misrepresentation, pretty much everything except 
breach of contract fails.

2.  Was the transaction between user and service provider a sale - 
e.g., was there consideration? a contract? If the activity between the 
parties did not involve the exchange of value, then it's hard to argue that 
there's been a fraud, a breached contract, or an unfair business practice.

So, if I were designing a system which hoped to rely (only in part, 
hopefully) on legal impediments to the creation of logs, I would make that 
system one which (a) involved an exchange of value and (b) frequently 
restates the operator's promise not to keep logs, ideally as part of the 
transaction, such that the transaction can be aborted if the promise is 
missing or otherwise unsatisfactory .. and can be said to rely (perhaps 
detrimentally) on the statement about the lack of logging.

And conversely: there is no legal impediment for a self-claimed free
anonymizing website to keep logs.


Even so, that's pretty weak protection.


Yep, this is all academic, rely on math & physics not law.




RE: layered deception

2001-05-03 Thread Bill Stewart

At 07:45 AM 05/02/2001 -0700, David Honig wrote:
Yeah but is there a (contract etc.) *law* being broken or is this a
legally-null claim?  After all, if click-through EULAs are legally binding...

Maybe a real lawyer could tell you.  The answer may depend on whether
there's valuable consideration exchanged, and viewing banner ads
probably doesn't count (especially since the banner ads typically
come from banner ad companies who aren't giving you any
promises of keeping your information private.)

While occasionally there may be a web site deliberately lying
about whether they're keeping logs "No, we won't sell your
information to spammers!", a more likely scenario is
- web site content provider isn't keeping logs of content access
 but they're using a shared hosting service.
- web hosting provider is keeping logs for technical support,
 debugging, problem resolution, etc.
- banner ad vendor keeps everything they can get
- web site's ISP keeps logs of connections (e.g. IP addresses and
 TCP port numbers, but not content of communications.)


Actually, many corps have explicitly decided to shred their email after a 
while.
You can thank Ollie North & the MS judges for cluing in the public.  So the
corp counsels are actively blowing off the suggestion you're claiming.

A long time ago, in a phone company far, far away, we had incredibly
detailed sets of requirements for record-keeping because of the
regulatory environment.  My wife had a summer job in college translating
one database from a hand-rolled mostly-undocumented format into
a (then-)current commercial database system so they could get the data
just in case they got sued about it - something along the lines of
promptness or pricing of wholesale telecom services in PacBellLand.
Of course, the commercially available database also rotted into
technical obsolescence after a few years, but by then nobody'd sued them
about it in enough years that there was no need to preserve it longer.




Re: layered deception

2001-05-02 Thread Greg Broiles

At 12:34 AM 5/2/2001 -0500, Harmon Seaver wrote:
Greg Broiles wrote:

  Hmm. Can you identify any problems with log files as evidence which aren't
  also present in, say, eyewitness testimony, audiotape recordings, video
  recordings, fingerprints, photographs, tool & die marks, paper records, and
  all of the other evidence which courts admit on a daily basis?

Not so with log files. I could totally delete and manufacture anew a
log file anyway I wished, and nobody could prove it.

You are making unreasonable assumptions about (a) evidentiary law and 
practice and (b) current capabilities regarding computer/electronic 
forensics, and those unreasonable assumptions are apparently limiting your 
ability to reason further.

You might see if you can find a copy of _Evidentiary Foundations_ by Edward 
Imwinkelried at a local law school's library, for part (a); and newspaper 
articles concerning the investigations and prosecutions of Aldrich Ames, 
Robert Hanssen, or CJ Parker for part (b). Or take a look at the materials 
collected regarding the investigation and prosecution (and conviction, and 
losing appeal) of Randal Schwartz (yeah, the Perl guy), the canonical "I'm 
a smart computer guy, you stupid cops don't know nothin'" case, at 
http://www.lightlink.com/spacenka/fors/.

This is not an area of the law where reasonable people differ. This is easy 
black-letter stuff that's only mysterious or controversial to people who 
aren't familiar with the field.

If you are trying to make the argument that a few hundred years' worth of 
evidence law ought to be discarded, your argument will probably be more 
favorably received if you can show that you at least understand that which 
you're trying to replace.

The mere possibility of tampering or fabrication is nowhere near sufficient 
to render evidence inadmissible - in fact, it's not even a start. Most 
trials feature conflicting evidence, all of which was admitted under oath, 
which cannot all simultaneously be accurate. Life goes on, and the jury or 
judge (as appropriate) pick out the bits of truth they choose to rely upon, 
discarding the rest.

You're arguing about admissibility when you ought to be arguing about 
credibility - but even if you make that shift, what you're not seeing is 
that the "you can't trust evidence which might conceivably be false" 
argument is a big loser, practically speaking. Sure, you can make it - just 
like CJ did, as did Jim Bell, twice. That argument is 0-for-3, in recent 
cypherpunk experience. Maybe Keith Henson tried it too, I don't know - but 
it's a dead end, especially without a plausible explanation for the 
fabrication/modification. (Not only is it unconvincing, it shifts the 
defense away from a "was a crime actually committed?" argument onto a "a 
crime was committed, but the defendant isn't the guy who did it" argument, 
which is frequently harder to make .. especially if the defendant looks and 
acts like the sort of person who would do the sort of thing they're accused 
of. The rest of the defense's case has got to fit that theory, too - you 
can't mix "no crime occurred" and "it wasn't me" and "it was an accident" 
in front of a jury ..)

I don't care - believe what you want. But the "mutability of electronic 
evidence" argument is not going to keep anyone's butt out of jail, no 
matter how many sysadmins you put on the witness stand. If you can show 
actual tampering with evidence in a specific case - sure, that's 
interesting. If not, look for a better issue to fight over.


--
Greg Broiles
[EMAIL PROTECTED]
Organized crime is the price we pay for organization. -- Raymond Chandler




RE: layered deception

2001-05-02 Thread Sandy Sandfort

Eric Murray wrote:

 ...I most definitely agree with Tim
 and Bill that the best way to deal
 with this is [keeping logs] thru
 technology. 

Careful, you're beginning to sound like a Cypherpunk.  :-D


 S a n d y




RE: layered deception

2001-05-01 Thread Aimee Farr

Honig:

 Is it in fact a crime of fraud to advertise that you don't keep logs
 when in fact you do?

Seems deceptive...



I look for the continued development of tortious evidentiary spoliation in a
digital context, which includes negative legal presumptions, sanctions up to
default judgment, takes into account prior acts/decisions, and has proven
most painful for some companies. So, if you get caught datahavening - under
the right facts - there could be more at issue than mere 'contempt.' For
example, while there is no 'requirement' or 'reg' to keep email, American
courts have '$trongly $ugge$ted' doing so pursuant to a good faith
electronic document retention policy. See Lewy, Prudential.

~Aimee




Re: layered deception

2001-05-01 Thread Tim May

On Tuesday, May 1, 2001, at 06:05 PM, Aimee Farr wrote:

 Honig:

 Is it in fact a crime of fraud to advertise that you don't keep logs
 when in fact you do?

 Seems deceptive...


A profound new insight.

We still await some real insights from a real graduate student (!), 
beyond her saying that we don't know as much as she says she knows.

BTW, I have removed the additional addresses (David Honig 
[EMAIL PROTECTED], Declan@Well. Com [EMAIL PROTECTED], Steve 
Schear [EMAIL PROTECTED]). When a list is replied to, there is no need 
to carry along the baggage of everyone who has added to a thread.


--Tim May




RE: layered deception

2001-05-01 Thread David Honig

At 12:13 AM 4/30/01 -0400, Phillip H. Zakas wrote:
i agree...unless you're specifically directed to do so, maintaining log
files is completely optional.  

Is it in fact a crime of fraud to advertise that you don't keep logs
when in fact you do?




RE: layered deception

2001-05-01 Thread Ray Dillinger

On Tue, 1 May 2001, David Honig wrote:

Is it in fact a crime of fraud to advertise that you don't keep logs
when in fact you do?

If someone winds up losing money (or suffering other damages) 
because of it, it is at least a tort.  If you were planning 
some kind of money-making scam that hinged on the deception, 
I'm pretty sure it would be fraud as well.  

I wonder whether evidence from logfiles could be excluded in 
a court case on the grounds that the logfiles were collected 
under false pretenses?  *That* would be a laugh riot... 

(I am not a lawyer, nor studying to become one - 
 these are just my opinions.)

Bear




Re: layered deception

2001-05-01 Thread Harmon Seaver

  Has anyone given any thought to how log files could be accepted as
evidence in the first place? They're just text files, and exceedingly
trivial to alter, forge, erase, whatever. They get edited all the time
by hackers -- how can anyone, even the sysadmin, swear that they are
true? We just saw a case of FBI hackers breaking into a computer in
Russia -- why couldn't they break into a server as an ISP and alter the
logs? It would be quite easy for them to do that, even easier if they
had a Carnivore box in house.

--
Harmon Seaver, MLIS
CyberShamanix
Work 920-203-9633   [EMAIL PROTECTED]
Home 920-233-5820 [EMAIL PROTECTED]




Re: layered deception

2001-05-01 Thread Jon Beets

One thing to also remember is that standard log files are nothing more than
text files and can be faked fairly easily... Which would make it wide open
for a defending attorney to argue against..

Jon

- Original Message -
From: Ray Dillinger [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 01, 2001 10:03 PM
Subject: RE: layered deception


 On Tue, 1 May 2001, David Honig wrote:

 Is it in fact a crime of fraud to advertise that you don't keep logs
 when in fact you do?

 If someone winds up losing money (or suffering other damages)
 because of it, it is at least a tort.  If you were planning
 some kind of money-making scam that hinged on the deception,
 I'm pretty sure it would be fraud as well.

 I wonder whether evidence from logfiles could be excluded in
 a court case on the grounds that the logfiles were collected
 under false pretenses?  *That* would be a laugh riot...

 (I am not a lawyer, nor studying to become one -
 these are just my opinions.)

 Bear




Re: layered deception

2001-04-30 Thread Steve Schear

At 12:04 AM 4/30/2001 -0500, Kevin L Prigge wrote:
On Mon, Apr 30, 2001 at 12:13:01AM -0400, Phillip H. Zakas wrote:
  i agree...unless you're specifically directed to do so, maintaining log
  files is completely optional.  there are no regs requiring isps or websites
  or mail providers to do so, other than the standard 'you need to comply with
  a court order or search warrant, etc.'

 From recent experience, LE provides us with an order to preserve
certain logged information.  The order is in advance of obtaining
a search warrant, and specifies what information will be requested
in the warrant.  In an incident earlier this year, we received the
order six weeks before the warrant was issued. The existence of
the order was sealed.

What if the sysadmin is intentionally located in an offshore location so 
that they cannot be kept from notifying all users of the logging order?

steve




Re: layered deception

2001-04-30 Thread Declan McCullagh

On Sun, Apr 29, 2001 at 11:24:09PM -0700, Steve Schear wrote:
 What if the sysadmin is intentionally located in an offshore location so 
 that they cannot be kept from notifying all users of the logging order?

Then we pass a cybercrime treaty to require them to follow U.S. laws.

Law enforcement has a long time horizon.

-Declan




Re: layered deception

2001-04-30 Thread Steve Schear

At 10:56 AM 4/30/2001 -0400, Declan McCullagh wrote:

On Sun, Apr 29, 2001 at 11:24:09PM -0700, Steve Schear wrote:
  What if the sysadmin is intentionally located in an offshore location so
  that they cannot be kept from notifying all users of the logging order?

Then we pass a cybercrime treaty to require them to follow U.S. laws.

Ahhh, but who is the "them"?  My understanding is that under state and 
Federal law only executives and those with signature authority can be held 
criminally responsible for their actions.  U.S. corporations can be created 
and administered solely by non-residents (only an in-state legal service 
point is generally required).  Nevada corporations can be held in bearer 
form shielding beneficial owners.

steve




Re: layered deception

2001-04-30 Thread Declan McCullagh

Steve,
Even assuming that what you say is true, and I suspect it is,
you'd be relying on protections enshrined in the law. The purpose
of this treaty, of course, is to change the law. :)

-Declan


On Mon, Apr 30, 2001 at 10:07:33AM -0700, Steve Schear wrote:
 At 10:56 AM 4/30/2001 -0400, Declan McCullagh wrote:
 
 On Sun, Apr 29, 2001 at 11:24:09PM -0700, Steve Schear wrote:
   What if the sysadmin is intentionally located in an offshore location so
   that they cannot be kept from notifying all users of the logging order?
 
 Then we pass a cybercrime treaty to require them to follow U.S. laws.
 
 Ahhh, but who is the "them"?  My understanding is that under state and 
 Federal law only executives and those with signature authority can be held 
 criminally responsible for their actions.  U.S. corporations can be created 
 and administered solely by non-residents (only an in-state legal service 
 point is generally required).  Nevada corporations can be held in bearer 
 form shielding beneficial owners.
 
 steve




RE: layered deception

2001-04-29 Thread Sandy Sandfort

Declan wrote:

 I rather like the idea of encrypting
 the logs on the fly and shipping them
 offshore. Your offshore partner will
 be instructed to turn over the logs
 only if you are not asking for them
 under duress. (A reasonable protocol
 can probably be worked out. Would a
 court order instruct you to lie? If so,
 would it be valid?)

The only protocol that works 100% is to require that the client of the
datahaven show up in person in a jurisdiction with no extradition treaty
with the client's home country.  Even then, a judge might be spiteful with
respect to holding the client in contempt for setting up such an
arrangement.


 S a n d y




Re: layered deception

2001-04-29 Thread Tim May

On Sunday, April 29, 2001, at 07:41 PM, Declan McCullagh wrote:

 I think Matt is a bit too quick to conclude a court will charge the 
 operator with contempt and that the contempt charge will stick on 
 appeal. Obviously judges have a lot of discretion, but it doesn't seem 
 to me like the question is such a clear one if a system is set up in 
 the proper cypherpunkish manner.

As there are no ex post facto laws, setting up an offshore/non-duress 
log haven in 2001 cannot result in a charge in 2003 that this was 
illegal or contempt of court.

Not even today's fool judges will claim that is contempt.

(It is only contempt if a judge orders an action which a witness is 
_able_ to comply with but which he does not...and of course not always 
then.)

Judges cannot require time machines be used to undo past actions.


--Tim May




RE: layered deception

2001-04-29 Thread Phillip H. Zakas

i agree...unless you're specifically directed to do so, maintaining log
files is completely optional.  there are no regs requiring isps or websites
or mail providers to do so, other than the standard 'you need to comply with
a court order or search warrant, etc.'

as for the 'encrypt it' or 'store it overseas' method, i'd be concerned that
a court would force the isp to produce the key or produce the decrypted or
stored log files.  would prefer to see no log files or daily deleted log
files (which is good enough for most ids needs anyway.)

if one doesn't collect log files at all, i wonder if LE could force an isp
to turn on logging for all users (then munge the results) or if the isp
would be allowed to selectively log only the information sought in an
investigation. plus, what happens to the entire log files turned over in an
investigation?  do the irrelevant entries get destroyed, or does munging a
file destroy the cyber forensics value?

phillip

 Tim May responds:
  On Sunday, April 29, 2001, at 07:41 PM, Declan McCullagh wrote:

  I think Matt is a bit too quick to conclude a court will charge the
  operator with contempt and that the contempt charge will stick on
  appeal. Obviously judges have a lot of discretion, but it doesn't seem
  to me like the question is such a clear one if a system is set up in
  the proper cypherpunkish manner.

 As there are no ex post facto laws, setting up an offshore/non-duress
 log haven in 2001 cannot result in a charge in 2003 that this was
 illegal or contempt of court.

 Not even today's fool judges will claim that is contempt.

 (It is only contempt if a judge orders an action which a witness is
 _able_ to comply with but which he does not...and of course not always
 then.)

 Judges cannot require time machines be used to undo past actions.


 --Tim May




Re: layered deception

2001-04-29 Thread Kevin L Prigge

On Mon, Apr 30, 2001 at 12:13:01AM -0400, Phillip H. Zakas wrote:
 i agree...unless you're specifically directed to do so, maintaining log
 files is completely optional.  there are no regs requiring isps or websites
 or mail providers to do so, other than the standard 'you need to comply with
 a court order or search warrant, etc.'

From recent experience, LE provides us with an order to preserve 
certain logged information.  The order is in advance of obtaining
a search warrant, and specifies what information will be requested
in the warrant.  In an incident earlier this year, we received the
order six weeks before the warrant was issued. The existence of
the order was sealed.

We keep email transaction logs for seven days based on disk
considerations. Each of our popmail machines (45000 users) generates
350MB of compressed logs per week.

Until a warrant is received we don't turn over anything.

 as for the 'encrypt it' or 'store it overseas' method, i'd be concerned that
 a court would force the isp to produce the key or produce the decrypted or
 stored log files.  would prefer to see no log files or daily deleted log
 files (which is good enough for most ids needs anyway.)

Actually, seven days works out well for us.  Sometimes it takes 
several days for a user to report a problem.

 if one doesn't collect log files at all, i wonder if LE could force an isp
 to turn on logging for all users (then munge the results) or if the isp
 would be allowed to selectively log only the information sought in an
 investigation. plus, what happens to the entire log files turned over in an
 investigation?  do the irrelevant entries get destroyed, or does munging a
 file destroy the cyber forensics value?

When we turn over information pursuant to a warrant, we only turn over
that specific information, not entire logfiles.  We do keep the logs
the information was extracted from, in case there is some question
of the validity of the information.

-- 
Kevin L. Prigge  
Internet Services  
U of MN, Twin Cities 




RE: layered deception

2001-04-29 Thread Sandy Sandfort

Kevin wrote:

 From recent experience, LE provides us
 with an order to preserve certain logged
 information.  The order is in advance of
 obtaining a search warrant...

What form do these orders take?  Who, specifically, makes the order?  What
authority is cited to back up the power to make such orders?  What does
your lawyer say about the validity of these orders?


 S a n d y




Re: layered deception

2001-04-29 Thread Kevin L Prigge

On Sun, Apr 29, 2001 at 10:11:40PM -0700, Sandy Sandfort wrote:
 Kevin wrote:
 
  From recent experience, LE provides us
  with an order to preserve certain logged
  information.  The order is in advance of
  obtaining a search warrant...
 
 What form do these orders take?  Who, specifically, makes the order?  What
 authority is cited to back up the power to make such orders?  What does
 your lawyer say about the validity of these orders?

It's a written notice that a search warrant is being prepared.
The ECPA allows for orders to preserve electronic evidence
(section 2704 deals with this).

I'm one step removed from the paperwork, but our
lawyers make the call on validity of all the 
paperwork and what we're required to turn over.

In this specific case, they wanted mail transaction logs and
mailbox contents including backups.  These were turned over
when we received the warrant.  I think the delay was due to
jurisdiction issues (Federal/State) and they were trying to
decide if they should get a wiretap order for the user's PC.
 
Usually the order precedes the warrant by a few days; this
took 6 weeks.

-- 
Kevin L. Prigge  
Internet Services  
U of MN, Twin Cities 




Re: layered deception

2001-04-29 Thread Tim May

On Sunday, April 29, 2001, at 10:59 PM, Kevin L Prigge wrote:

 On Sun, Apr 29, 2001 at 10:11:40PM -0700, Sandy Sandfort wrote:
 Kevin wrote:

 From recent experience, LE provides us
 with an order to preserve certain logged
 information.  The order is in advance of
 obtaining a search warrant...

 What form do these orders take?  Who, specifically, makes the order?  What
 authority is cited to back up the power to make such orders?  What does
 your lawyer say about the validity of these orders?

 It's a written notice that a search warrant is being prepared.
 The ECPA allows for orders to preserve electronic evidence
 (section 2704 deals with this).

I think the issue is one of basic Bill of Rights issues. The 
Constitution refers to search warrants--it does NOT say that acts of 
Congress may cause actions BEFORE a search warrant is duly authorized by 
a judge.

I have no doubt that the ECPA (and probably the Digital Telephony Act 
and other such recent abridgements of freedom) _say_ that citizen-units 
must begin organizing their papers in advance of a raid and must begin 
compiling logs of various things in advance of a court order, warrant, 
etc.

Someday maybe a Supreme Court case will be heard. It is unlikely that 
any modern court will strike down these acts of Congress, but they should.

The language about due process and freedom from unreasonable searches 
and seizures does not say a ministerial (non-court) agent may do these 
things.

This goes for Carnivore, too. What part of the Fourth Amendment are they 
missing?

But all of these things show how far down the road to a police state we 
have gone.

--Tim May