Print
Discuss
Send to friend
RSS feedsA big boy did it and ran away. Get used to hearing those words, because following a recent court case you're going to be hearing them again and again in what is known as the "Trojan defence" - that it wasn't the apparent operator of a computer who performed an illegal act but a third person who hacked into the computer and controlled it remotely.
I was one of the prosecution expert witnesses in the case of Aaron Caffrey. His computer was used to launch a distributed denial-of-service (DoS) attack. One of the computers used for the DoS attack belonged to the Port of Houston, and it crashed as a result of the DoS script intrusion. On Caffrey's computer there were IRC logs in which he apparently discussed the launching and probable effect of the DoS attack; there was the DoS script itself; and there were logs of the program being run. It seemed an open and shut case, in which a love-struck 17-year-old defended his American girlfriend's honour by responding to insulting IRC behaviour by launching a DoS attack.
But Caffrey denied responsibility, and said his computer had been hacked by someone else, who loaded the DoS script, pretended to be him in a two-hour IRC session and launched the DoS attack.
I analysed the seized computer and found no viruses or Trojan programs infecting any of the applications loaded on it. There was no evidence of any backdoor services having been enabled; there was no evidence of any logs having been altered; there was no evidence of any vulnerable services that could have been used to hack into the computer; and there was no trace of any secure deletion tool having been used. In short, there was no evidence that the computer had ever been remotely controlled. Though the defence effectively claimed a big boy did it and ran away, I could find no footprints where I would expect to have found them.
Caffrey's defence was that such footprints could have been completely erased; the prosecution's assertion was that it is not possible to erase all the footprints, and that the attempt to do so would leave distinctive remains. For the defence, no computer expert witness was called to offer support to the claim. Caffrey himself served as his own expert witness.
Despite no evidence beyond Caffrey's assertion that running programs could delete themselves without a trace, the jury found him not guilty.
This leaves the prosecution of computer crime in the UK in a difficult position. Every case will now offer the defence of an untraceable Trojan horse program having been responsible. As a result of this decision, internet paedophiles and careless hackers have been offered a "get out of jail free" card that we will have to work very hard to counter. We will have to find better ways of presenting our arguments and of explaining how computers work - it's not going to be easy, but it is going to be necessary.
del.icio.us
Digg this
reddit!
