Information Security

Companion to My Shmoocon Talk is Up (and other notes)

Posted in General, Information Security, Technology, e-discovery on February 24th, 2008 by admin – 1 Comment

Shmoocon was a tremendous experience. I had a great time, met some new people and ate some sushi. I’ve posted a handout to serve as a supplement to the talk itself. Those who attended (or who view it online later) will notice that the slides aren’t worth much on their own, so I’ve pulled this together; it hits most of the high points.

###

When I got to Dulles last Monday I received word from Evil that I’ve been selected to speak once again at LayerOne in Pasadena. For those who haven’t attended before, I highly recommend it. The venue is very nice and Pasadena always has excellent weather. I missed the GSM talk at Shmoo because I was finishing up my slides, but I look forward to hearing David Hulton’s talk, as well as David Bryan’s, which I’ve already heard good things about.

###

I’ve been neck deep in work from the firm and a design project that I’m completing for a dear friend of mine, Chris Benjamin, who is running for Missouri State Senate. He’s a great guy who shares many of my beliefs, and I know he’s going to be a tremendous senator.

###

The comments should appear automatically now. I had WordPress set to keep them all in a moderation queue, but wasn’t receiving any notification that I needed to clear some out.

Speaking About Electronic Discovery at Shmoocon

Posted in Information Security, Technology, e-discovery on January 15th, 2008 by admin – 2 Comments

While the website doesn’t reflect it yet, I received word that I’ll be presenting at Shmoocon 2008. I’ll be talking about how the e-discovery process works, how organizations can reduce the cost of litigation, and how truly frightening the security surrounding e-discovery is. If you’re going to be there and would like to get together for a beverage, drop me a line.

###

On a theoretically related note, the video and audio for my talks at DEFCON 15 should be available in their RSS feed soon.

Data, Warranty Service and You

Posted in Apple, Information Security, Privacy, Technology on January 2nd, 2008 by admin – Be the first to comment

A couple of years ago my trusty Dell laptop started to take a turn for the worse. Like many Windows users I could see the telltale signs that something was up. Our old friend, the Blue Screen of Death, reared its ugly head a few times and the system felt unstable in general. This was well outside my reinstall cycle, so I quickly ran a full backup to make sure I didn’t lose everything, and within an hour there was a lovely clicking noise coming from the hard disc.

I quickly dispensed with a couple of first-level help desk personnel and eventually found a person with the authority to authorize a replacement for me. The drive would arrive in a couple of days and, as long as I was comfortable with it, I could do the replacement myself. Expecting a long wait without a laptop, I was pretty pleased until I learned the catch: I had to mail the old drive back to Dell for remanufacturing. I wasn’t about to send my drive anywhere, let alone have my data handed to some future participant in a similar process.

I explained that I wasn’t going to do that because there was sensitive information on the drive. After I explained to the support guy that I was obligated to keep the information secret, he put me on hold to find a solution. The only way that Dell would allow me to keep the drive was to sign an affidavit, which was fine with me until I read it: it stated that I was a US Government contractor with classified material on the drive. Neither was true.

After some critical thinking by both of us, we came to the conclusion that since Dell was expecting a drive with a mechanical problem, it could arrive in any form imaginable. This was a great deal because:

  1. I got my first hands on experience with the inner workings of a laptop hard drive.
  2. I found out how hard it is to actually smash platters.
  3. Dell got a drive with some mechanical problems to salvage.

Fast forward to a couple of months ago, when the logic board on my Mac went out. It wouldn’t turn on, so the girl at the Genius Bar went right into the paperwork. She explained that if the hard disc had to be replaced I wouldn’t be getting any of my old data back. I asked about getting the old one back for a while so I could try to retrieve the data in that case, and she told me that couldn’t happen. I didn’t really sweat that since I had a week-old backup at home. Then she brought the house down with this one:

What is your administrator password?

I looked at the other guy working the Genius Bar, who knows my background a bit better, and we both started to laugh. I needed a new logic board; there’s no reason for them to know any of my passwords, let alone root. She said it was so they could test it to make sure it would boot. She was sympathetic, and we both settled on something random to put on the form.

Is keeping hard drives a security issue as Dave Winer thinks? Not really.

Your machine belongs to the person at the keyboard, whether it be you, the Geek Squad kid making $7 an hour and stealing all the porn he can find, or the guy who took your laptop out of the back seat of your Range Rover sporting that trendy Apple sticker.

This is one of the many reasons to use encryption. If I send my Mac to be serviced and the hard disc has to be replaced tomorrow, I’m confident that the recipient has access to none of my information. While it’s true that Apple needs to take security more seriously and certainly shouldn’t be asking people for their passwords, keeping the drive is only a vulnerability if you make it so.

Something tells me that Bruce Schneier doesn’t lose sleep over this.
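The encryption point above is one a practitioner can check rather than assume. What follows is an added example, not code from the original post: a Python script that inspects a disk image the way a repair technician with a hex editor would, looking for filesystem headers and for low-entropy regions where plaintext survived. The signature table, the 7.5 bits-per-byte threshold and the two 64 KiB sample images are this example’s assumptions, constructed inline; on a real machine the image would be read from the block device or a dd copy. The check can prove a drive is not safe to ship; it cannot prove the volume is encrypted (compressed data is also high-entropy), and encryption is moot anyway if the password goes on the repair form.

```python
"""Added example (not code from the original post): decide whether a disk
image can be handed to a repair depot.

A volume that is full-disk encrypted, or overwritten with random data,
exposes no filesystem signature and has near-maximum byte entropy.  A
plaintext volume fails on one or both counts.  The sample images below
are constructed inline; the thresholds and the signature table are this
example's assumptions, not anything stated in the post.
"""
import math
import os
from collections import Counter

# Offsets (from the start of the volume) and magic bytes of common
# filesystems.  Any hit means the volume is readable as-is.
SIGNATURES = {
    "NTFS": (3, b"NTFS    "),               # OEM ID in the boot sector
    "FAT12/16": (54, b"FAT1"),              # "FAT12   " or "FAT16   "
    "FAT32": (82, b"FAT32   "),
    "ext2/3/4": (1024 + 56, b"\x53\xef"),   # superblock magic 0xEF53, little-endian
    "HFS+": (1024, b"H+"),                  # volume header signature
    "HFSX": (1024, b"HX"),
}

# Assumed threshold: random/encrypted 4 KiB blocks measure about 7.95 bits
# per byte; text, zeros and most file formats fall well below this.
MIN_ENTROPY = 7.5
BLOCK_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filesystem_signatures(image: bytes) -> list:
    """Names of the known filesystems whose magic bytes appear in the image."""
    return [
        name
        for name, (offset, magic) in SIGNATURES.items()
        if image[offset:offset + len(magic)] == magic
    ]


def low_entropy_blocks(image: bytes) -> list:
    """Offsets of blocks below the entropy threshold, i.e. where plaintext survived."""
    return [
        start
        for start in range(0, len(image), BLOCK_SIZE)
        if shannon_entropy(image[start:start + BLOCK_SIZE]) < MIN_ENTROPY
    ]


def assess(image: bytes) -> dict:
    """Summarise the image.  safe_to_ship is a heuristic: it can prove that
    plaintext is present, not that the volume is encrypted."""
    sigs = filesystem_signatures(image)
    weak = low_entropy_blocks(image)
    return {
        "signatures": sigs,
        "low_entropy_blocks": len(weak),
        "safe_to_ship": not sigs and not weak,
    }


def plaintext_image() -> bytes:
    """Constructed sample: an NTFS-looking volume holding one client document."""
    img = bytearray(64 * 1024)
    img[3:11] = b"NTFS    "
    doc = b"CONFIDENTIAL: client settlement terms, do not distribute"
    img[16384:16384 + len(doc)] = doc
    return bytes(img)


def encrypted_image() -> bytes:
    """Constructed sample standing in for a full-disk-encrypted (or randomly
    overwritten) volume."""
    return os.urandom(64 * 1024)


if __name__ == "__main__":
    for label, img in (("plaintext", plaintext_image()), ("encrypted", encrypted_image())):
        print(label, assess(img))
```

Run against a real drive by replacing the sample functions with a read of the device or image file; the block-level scan matters because a volume with an encrypted container but an unencrypted boot or recovery partition will show exactly one cluster of low-entropy blocks, which is where the technician will look.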

Will a New Trial Result in an Acquittal for Julie Amero?

Posted in Information Security, Law, New Case Law, Technology on June 6th, 2007 by admin – 1 Comment

Julie Amero was granted a new trial by Judge Hillary Strackbein, paving the way for the facts of this case to be found anew. The decision was based upon Judge Strackbein’s opinion that the jury may have relied on false information which was presented during trial. The statement is surprisingly harsh in that it says the information itself, and not merely the way it was presented, was untrue. While this is a victory for justice, the underlying circumstances which led to Ms. Amero’s initial conviction remain, and most individuals seem to be missing the point. Ms. Amero had an attorney who lacked a basic understanding of the issue and an expert witness whose attitude and failure to prepare for trial made matters worse. In the confusion which ensued, the jury failed to correctly apply the facts to the law and convicted her on an improper basis.
Trials which involve technical issues often turn on which attorney does a better job of helping the jury understand the facts. Experts are utilized to explain the circumstances and give conclusions, but ultimately it is the responsibility of the attorney to boil the testimony down into a broth which is easily consumed by the jurors. Testimony on the mechanics of malware and forensic analysis will no doubt fly over the heads of some of the jurors. The direct examination of technical witnesses must be designed so as not to lose the jury along the way and to make sure they understand the facts presented. The terms and phrases used should be introduced slowly and explained in such a way that everyone in the court understands them. In order to do this, the attorney must understand these terms himself. If he doesn’t, he runs the risk of allowing the expert to run away with his testimony and leave the jury confused and perplexed by the tedious testimony they have just heard.

Ms. Amero’s original attorney stated during his closing statement that he was computer illiterate. While an effective tool for finding common ground with the jurors, this ignorance leads to poor advocacy for the client.

Expert witnesses are expected to be exactly that: experts at being witnesses. First and foremost they should have the necessary background to testify effectively to the facts, but at trial they should be every bit as smooth as the attorneys. Herbert Horner, the defense expert, stated in today’s article (http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070606/NEWS01/70606018) about the decision that he had a two-hour-long presentation of his findings and conclusions. While I haven’t made any estimate of the length of the testimony by other witnesses, I feel comfortable concluding that this would have been the longest testimony given had it been allowed in full. That, in and of itself, is poor form on the part of the expert.
Malware infections are something that most, if not all, computer users have faced before. Pop-ups are far less difficult for an average juror to comprehend than a hardware rootkit infection or DRM circumvention. It wasn’t the length of the testimony which led to the conviction. It was Mr. Horner’s failure to provide his testimony in advance and his appalling lack of respect for the court. Providing testimony in advance is nothing new or unique to Judge Strackbein’s court. An expert witness who is paid for his testimony should know the procedures and comply with them. Mr. Horner’s statement to the judge that the trial was a “train wreck” did nothing for his reputation as an expert and hurt Ms. Amero’s case.

If Ms. Amero is tried again, she will be represented by a new attorney, William Dow III. His reputation is that of a superb trial attorney, and I’m confident that she will achieve the acquittal which she so rightfully deserves. However, if Mr. Dow doesn’t find a more effective defense expert and gain a greater understanding of the issues of malware infection, Ms. Amero may once again face the same result.

Amero Trial Highlights the Need for More Knowledgeable Attorneys

Posted in Evidence, Information Security, Intellectual Property, Law, Technology on May 28th, 2007 by admin – 2 Comments

On June 6, 2007 Julie Amero will be sentenced for a crime for which she bears no culpability. Since word of her conviction on charges of risk of injury to a minor, there has been a great deal of criticism of the judicial system for failing to allow a defense expert to testify fully to the forensic analysis that he conducted of the machine in question.
The judge acted properly in limiting the testimony because it had not been shared with the prosecution in advance. While this may seem unreasonable to those who aren’t versed in trial procedure, the practice of sharing evidence before a trial is crucial to the fair administration of justice.
When the transcript of the trial is examined, far more disturbing facts come to light which highlight a lack of understanding of the core issues by both the local media and the attorneys involved. The case highlights what can happen when attorneys lack a fundamental understanding of the facts and juries come to their own conclusions as a result.
The Defense Expert Was Allowed to Give His Conclusion
Much of the uproar from the security community has centered around the idea that the defense witness, Mr. Horner, was not allowed to testify fully. While it is true that his presentation, which would have shown the websites that infected the machine with malware, was kept out, his testimony regarding his conclusions was not.
Mr. Horner’s testimony was unequivocal in stating to the jury that an individual looking for one thing could end up having pornography appear on the computer (Trial Transcript p. 208, lines 16-19):

Mr. Cocheo: ”If a novice person such as myself were to be on the computer looking for hairstyles, they could wind up in a pornographic site?”
Mr. Horner: ”Yes, you could, absolutely.”

The most fascinating exchange comes during the recross by the prosecutor. Keep in mind that cross examinations are ideally conducted with a series of leading questions where the witness has no option but to answer yes or no. Mr. Smith throws traditional trial advocacy techniques to the wind and the following was said in court (Trial Transcript pp. 228-229):

Mr. Smith: ”I have to ask, what is your conclusion?”
Mr. Horner: ”I could have displayed it for you very clearly.”
Mr. Smith: ”What is your conclusion? You didn’t ever state it, I don’t think. What is your conclusion?”
Mr. Horner: ”The conclusion is (sic) because of the lack of an updated firewall, because of the lack of anti-spyware, because of the lack of anti-adware programs, this computer was subject to advanced – to the opportunity for that person to go to pornographic sites totally out of their control because there was no protection. And if I were allowed to show my findings there were forty adware spyware programs tracking the person’s interests.”


While it certainly would have been more effective for the jury to hear Mr. Horner’s testimony in full as he prepared it, his conclusions were very clearly given. Not only were his conclusions given, they were given at the behest of the prosecutor, Mr. Smith.
Reading the testimony of Mr. Horner is extremely frustrating. He is combative with both Mr. Smith and with the court. His attitude clearly did not sit well with the jury, and because of this they may have chosen to ignore his testimony in full. Sadly, it appears that Mr. Horner himself, through his failure to provide his testimony in advance and his poor attitude, contributed greatly to Ms. Amero’s conviction.
Ignorance of the Law is No Excuse
Much has been said about what Ms. Amero should have done in this situation. It would have been very easy to cover the screen, turn off the monitor, or unplug the computer. Her failure to take such measures is, however, completely irrelevant under the law. The charge to the jury, as read by the judge, is as follows (Trial Transcript pp. 330-332):

One, that at the time of the incident the children in question were under sixteen years old. Two, Ms. Amero wilfully or unlawfully caused or permitted the victims to be placed in a situation that was likely to impair their morals….


To summarize, for the defendant to be guilty of Risk of Injury to a Minor, the state must have proven beyond a reasonable doubt, once again, that at the time of the incident the victims were under sixteen years old; that the defendant did act in a way likely to impair the morals of these children; and that the defendant had an intent to perform those acts.
The judge makes it very clear that, in order to be convicted, Ms. Amero had to have acted purposefully. Ms. Amero did not purposefully access the pornographic web sites, and the fact that she could have done more to protect the children is largely irrelevant.
The local media largely ignored this fact.  
The jury largely ignored this fact.  
One of the jurors, in an interview with the Norwich Bulletin, said, “One of the things we tried to decide is, did she do due diligence in not exposing the kids? Did she do what any reasonable person would have done in that situation?”
If that was the case, then the jurors were served poorly by the attorneys in explaining the standards set by the statute.  Nowhere in the statute or the jury charge is the phrase “reasonable person” used.  This statement strongly supports a motion for judgment notwithstanding the verdict.
At the end of the day, Ms. Amero’s sentence will be much lighter than the maximum 40 years she faces. The volume of material that has been written about the case has no doubt reached the judge, and she will take the whole picture into account when handing down the sentence.
Ms. Amero’s case underlines the desperate need for attorneys with technical expertise to become involved in cases such as this at an early stage. Neither attorney had much business trying to help the jury find facts of which they themselves had no understanding. When the jury was confused, they took the law into their own hands. It is only through strong advocacy that justice will be administered correctly.
Full Trial Transcript and Juror Interview (http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070225/NEWS01/702250334)