Law

Companion to My Shmoocon Talk is Up (and other notes)

Posted in General, Information Security, Technology, e-discovery on February 24th, 2008 by admin – 1 Comment

Shmoocon was a tremendous experience. I had a great time, met some new people and ate some sushi. I’ve posted a handout to serve as a supplement to the talk itself. Those who attended (or view it online later on) will notice that the slides aren’t worth much on their own, so I’ve pulled this together; it hits most of the high points.

###

When I got to Dulles last Monday I received word from Evil that I’ve been selected to speak once again at LayerOne in Pasadena. For those who haven’t attended before, I highly recommend it. The venue is very nice and Pasadena always has excellent weather. I missed the GSM talk at Shmoo because I was finishing up my slides, but I look forward to hearing David Hulton’s talk, as well as David Bryan’s, which I’ve already heard good things about.

###

I’ve been neck deep in work from the firm and a design project I’m completing for a dear friend of mine, Chris Benjamin, who is running for Missouri State Senate. He’s a great guy who shares many of my beliefs, and I know he’s going to be a tremendous senator.

###

The comments should appear automatically now. I had WordPress set to keep them all in a moderation queue, but wasn’t receiving any notification that I needed to clear some out.

Speaking About Electronic Discovery at Shmoocon

Posted in Information Security, Technology, e-discovery on January 15th, 2008 by admin – 2 Comments

While the website doesn’t reflect it yet, I received word that I’ll be presenting at Shmoocon 2008. I’ll be talking about how the e-discovery process works, how organizations can reduce the cost of litigation, and how truly frightening the security surrounding e-discovery is. If you’re going to be there and would like to get together for a beverage, drop me a line.

###

On a theoretically related note, the video and audio for my talks at DEFCON 15 should be available in their RSS feed soon.

Data, Warranty Service and You

Posted in Apple, Information Security, Privacy, Technology on January 2nd, 2008 by admin – Be the first to comment

A couple of years ago my trusty Dell laptop started to take a turn for the worse. Like many Windows users I could see the telltale signs that something was up. Our old friend, the Blue Screen of Death, reared its ugly head a few times and the system felt unstable in general. This was well outside my reinstall cycle, so I quickly ran a full backup to make sure I didn’t lose everything, and within an hour there was a lovely clicking noise coming from the hard disc.

I quickly dispensed with a couple of first-level help desk personnel and eventually found someone with the authority to approve a replacement. The drive would arrive in a couple of days and, as long as I was comfortable with it, I could do the replacement myself. Expecting a long wait without a laptop, I was pretty pleased until I learned the catch: I had to mail the old drive back to Dell for remanufacturing. I wasn’t about to send my drive anywhere, let alone somewhere it would be handed, data and all, to some future participant in the same process.

I explained that I wasn’t going to do that because there was sensitive information on the drive. When I told the support guy that I was obligated to keep that information confidential, he put me on hold to find a solution. The only way Dell would let me keep the drive was to sign an affidavit, which was fine with me until I read it: it stated that I was a US Government contractor with classified material on the drive. Neither was true.

After some critical thinking by both of us, we came to the conclusion that since Dell was expecting a drive with a mechanical problem that it could be in any form imaginable. This was a great deal because

  1. I got my first hands on experience with the inner workings of a laptop hard drive.
  2. I found out how hard it is to actually smash platters.
  3. Dell got a drive with some mechanical problems to salvage.

Fast forward to a couple of months ago, when the logic board on my Mac went out. It wouldn’t turn on, so the girl at the Genius Bar went right into the paperwork. She explained that if the hard disc had to be replaced I wouldn’t be getting any of my old data back. I asked about holding onto the old drive for a while so I could try to retrieve the data in that case, and she told me that couldn’t happen. I didn’t really sweat that, since I had a week-old backup at home. Then she brought the house down with this one:

What is your administrator password?

I looked at the other guy working the Genius Bar, who knows my background a bit better, and we both started to laugh. I needed a new logic board; there’s no reason for them to know any of my passwords, let alone root. She said it was so they could test the machine to make sure it would boot. She was sympathetic, and we both settled on something random to put on the form.

Is keeping hard drives a security issue as Dave Winer thinks? Not really.

Your machine belongs to the person at the keyboard whether it be you, the Geek Squad kid making $7 an hour and stealing all the porn he can find, or the guy who took your laptop out of the back seat of your Range Rover sporting that trendy Apple sticker.

This is one of the many reasons to use encryption. If I send my Mac in for service and the hard disc has to be replaced tomorrow, I’m confident that whoever ends up with it can read none of my information. That holds only as long as the key stays with me, which is why the password question above matters: a drive whose passphrase you wrote on the repair form is not encrypted as far as the repair shop is concerned. Apple does need to take security more seriously and certainly shouldn’t be asking people for their passwords, but a vendor keeping the drive is only a vulnerability if you leave the data on it readable.
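As an added example, not part of the original post, the script below shows what the person at the keyboard can actually recover from a raw drive image, first unencrypted and then encrypted. It runs two checks a practitioner would want before mailing a drive back to a vendor: a per-block entropy scan (encrypted or random data sits near 8 bits per byte, zero-filled and plaintext blocks do not) and a `strings`-style carve of printable runs. The 64 KiB sample image and the SHA-256 counter keystream are constructed for the demo; the keystream is a toy stand-in for a real full-disk encryption cipher so the example runs offline with the standard library.

```python
"""Check what a service technician (or thief) could read from a drive image.

Added example: entropy-scan a raw image and carve printable strings from it,
then repeat on an encrypted copy. The sample image is constructed inline; the
keystream cipher is a toy stand-in for real full-disk encryption (FileVault,
LUKS, BitLocker), used only so the example runs with the standard library.
"""
import hashlib
import math
import re
from collections import Counter

BLOCK = 4096          # scan granularity: one filesystem block
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_image(image: bytes, block: int = BLOCK):
    """Return (fraction of blocks that look encrypted/random, per-block entropies)."""
    ents = [shannon_entropy(image[i:i + block]) for i in range(0, len(image), block)]
    if not ents:
        return 0.0, []
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    return high / len(ents), ents


def carve_strings(image: bytes, min_len: int = 8):
    """Printable ASCII runs, the way `strings` would pull them off a dead drive."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, image)]


def toy_ctr_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Illustrative only; not a real FDE cipher."""
    out = bytearray()
    for ctr in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        chunk = plaintext[ctr:ctr + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'drive': zero-filled free space plus a couple of files."""
    files = (b"client=Example Co; matter=2007-118; privileged=yes\n"
             b"smtp password: correct-horse-battery\n")
    image = bytearray(16 * BLOCK)
    image[2 * BLOCK:2 * BLOCK + len(files)] = files   # data lands in block 2
    return bytes(image)


def compare(key: bytes = b"example-key-not-a-real-secret"):
    """Run both checks over the plaintext image and its encrypted copy."""
    plain = build_sample_image()
    enc = toy_ctr_encrypt(key, plain)
    return {
        "plain_high_fraction": scan_image(plain)[0],
        "plain_strings": carve_strings(plain),
        "enc_high_fraction": scan_image(enc)[0],
        "enc_strings": carve_strings(enc),
    }


if __name__ == "__main__":
    r = compare()
    print(f"unencrypted: {r['plain_high_fraction']:.0%} high-entropy blocks, "
          f"{len(r['plain_strings'])} readable strings: {r['plain_strings']}")
    print(f"encrypted:   {r['enc_high_fraction']:.0%} high-entropy blocks, "
          f"{len(r['enc_strings'])} readable strings")
```

On the unencrypted image every block scores low and the carve hands back the client matter and the SMTP password verbatim. On the encrypted copy every block scores near 8 bits per byte and none of the plaintext phrases survive. Note that `strings` over ciphertext still produces a handful of short random-looking runs, so the check to make before mailing a drive is "high entropy everywhere outside the boot partition and no known secrets carved", not "zero strings".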

Something tells me that Bruce Schneier doesn’t lose sleep over this.

Tremendous E-discovery Vendor FUD

Posted in Law, e-discovery on December 9th, 2007 by admin – 2 Comments

One of the things I’ve learned over the past few weeks of intense e-discovery research is that there are lots of vendors peddling lots of “enterprise level solutions” to organizations concerned about e-discovery. These vendors target law firms and companies alike and are definitely taking advantage of the uncertainty about what future litigation will look like.

I don’t want to come down too hard on these vendors given my level of experience at this point, but it has been quite a shock to hear some of the prices for the products they provide. E-discovery is currently a very expensive process, one which is driving up the cost of litigation and will cause many ill-prepared organizations to simply write checks instead of fighting an issue out in court.

This article from BusinessWire is pretty over the top, and I fear it will be used to scare organizations into buying products they may not need.

The headline practically jumps off the page and drives home that e-discovery is changing the legal landscape in a major way. One in five businesses has settled because they feared the e-discovery process? That number seemed very high and raised some significant questions in my mind. What is the driving force here? Difficulty in conducting the collection? Cost of conducting the collection? Loser cases to begin with? Attorneys who were more comfortable telling the client it’s better to settle than to litigate at all in this rapidly changing environment? These are all questions I’m sure I’ll be asking myself for months and years to come. But I digress. The real FUD kicks in with the following paragraph:

Based on the results, nearly half (47 percent) of respondents do not agree that their legal team can effectively review relevant email in the 99-day window before the meet and confer session. To address this, 51 percent say they have implemented, or are planning to implement technology that allows them to easily search and review email. Similarly, more than one-third of businesses (36.7 percent) are already enforcing a formal retention policy for email, while another 40 percent are currently in the planning stage to enforce a formal policy.

Think for a second about what this is saying.

The Federal Rules set the meet and confer early in the process so that the background issues of how evidence will be produced can be addressed before the litigation gets heated. At the point of the meet and confer the attorneys merely need to have a grasp of what kind of data exists and how it is best used to get to the root issue of the suit. There is no reason for a full review to be completed by then. This may be hard for some to believe, but clients and attorneys can discuss the issues without having to read a single email. Through collaboration, attorneys and clients can identify the one or two individuals who hold relevant email and the relevant date ranges without unleashing grep on an entire machine. The point where relevance gives way to responsiveness and the data dump on the adversary begins comes after the meet and confer.

After reading the methodology of the survey I remained skeptical, especially after noting that this was a vendor press release. Some quick checking revealed that in the middle of the survey period the vendor was openly soliciting people to fill out its survey in the hope of receiving a cash prize for their time. I’m no statistician, but a survey that recruits respondents with a cash prize, combined with my suspicion that many of the vendor’s potential customers were encouraged to fill it out, leaves me dismissing many of the statistics presented.

E-discovery preparedness is as low as it will ever be, but the driving force behind developing plans of attack needs to come from those with the best interests of the company in mind, not from vendors producing data to use on sales calls.

Will a New Trial Result in an Acquittal for Julie Amero?

Posted in Information Security, Law, New Case Law, Technology on June 6th, 2007 by admin – 1 Comment

Julie Amero was granted a new trial by Judge Hillary Strackbein, paving the way for the facts of this case to be found anew. The decision was based on Judge Strackbein’s opinion that the jury may have relied on false information presented during trial. That is a surprisingly harsh statement: it says the information itself, not merely the way it was presented, was untrue. While this is a victory for justice, the underlying circumstances which led to Ms. Amero’s initial conviction remain, and most people seem to be missing the point. Ms. Amero had an attorney who lacked a basic understanding of the issue and an expert witness whose attitude and failure to prepare for trial did her no favors. In the confusion which ensued, the jury failed to correctly apply the facts to the law and convicted her on an improper basis.

Trials which involve technical issues often turn on which attorney does a better job of helping the jury understand the facts. Experts are used to explain the circumstances and give conclusions, but ultimately it is the responsibility of the attorney to boil the testimony down into a broth which is easily consumed by the jurors. Testimony on the mechanics of malware and forensic analysis will no doubt fly over the heads of some jurors. The direct examination of technical witnesses must be designed so as not to lose the jury along the way, and to make sure they understand the facts presented. Terms and phrases should be introduced slowly and explained so that everyone in the courtroom understands them. To do this, the attorney must understand the terms himself. If he doesn’t, he runs the risk of letting the expert run away with his testimony and leaving the jury confused and perplexed by the tedious testimony they just heard.

Ms. Amero’s original attorney stated during his closing argument that he was computer illiterate. While an effective tool for finding common ground with the jurors, that ignorance leads to poor advocacy for the client.

Expert witnesses are expected to be exactly that: experts at being witnesses. First and foremost they should have the necessary background to testify effectively to the facts, but at trial they should be every bit as smooth as the attorneys. Herbert Horner, the defense expert, stated in today’s article (http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070606/NEWS01/70606018) about the decision that he had a two-hour presentation of his findings and conclusions. While I haven’t estimated the length of the other witnesses’ testimony, I feel comfortable concluding that this would have been the longest testimony given had it been allowed in full. That, in and of itself, is poor form on the part of the expert.

Malware infections are something that most, if not all, computer users have faced before. Pop-ups are far easier for an average juror to comprehend than a hardware rootkit infection or DRM circumvention. It wasn’t the length of the testimony which led to the conviction. It was Mr. Horner’s failure to provide his testimony in advance and his appalling lack of respect for the court. Providing testimony in advance is nothing new or unique to Judge Strackbein’s court. An expert witness who is paid for his testimony should know the procedures and comply with them. Mr. Horner’s statement to the judge that the trial was a “train wreck” did nothing for his reputation as an expert and hurt Ms. Amero’s case.

If Ms. Amero is tried again, she will be represented by a new attorney, William Dow III. His reputation is that of a superb trial attorney, and I’m confident that she will achieve the acquittal which she so rightfully deserves. However, if Mr. Dow doesn’t find a more effective defense expert and gain a greater understanding of the issues of malware infection, Ms. Amero may once again face the same result.