J Wolfgang Goerlich's thoughts on Information Security
Criminal Intent and Cryptography (IANAL)

By wolfgang. 28 February 2009 14:36

The question is back in the news: is using encryption a sign you are criminal? 

 

In May of 2005, a Minnesota court filed a ruling that upheld a conviction in part based on the presence of encryption software (State v. Levie). The chilling sentence in the filing was: “We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him.” This was but one in a chain of legal cases involving cryptography. In fact, the software in question in the Levie case has, almost from its inception, been the subject of legal scrutiny. Yet the ruling set off a firestorm in part because it appeared to imply that encryption by itself was indicative of criminal activity.

 

 

The view was reinforced by Bruce Schneier, a prominent InfoSec analyst and cryptographer. “An appeals court in Minnesota has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.” As sometimes happens on the Internet, the resulting discussion involved many who did not read the ruling and many more who employed fallacy of extension arguments. For example, one commentator responded "Next I suppose they'll consider finding a knife in your kitchen is 'evidence' on criminal intent to commit some gruesome attack on an innocent bystander." 

 

The actual ruling was significantly more balanced than it appeared from Schneier’s summary. When placed into context, it is clear that the presence of cryptography along with the existence of searches related to the crime were introduced to demonstrate the Levie’s state of mind. It was only in relation to the primary crime that they, in fact, became admissible. Other writers were quick to point this out. “The court did not hold that encryption is a signal of criminal activity. All it did was say that in one case, where a crucial witness testified about the presence of a computer file on a computer, that the presence of encryption software on the computer in early 2003 was "at least somewhat relevant" to the question of whether the defendant was a skilled computer user who had intentionally removed any traces of that file from the hard drive. (Kerr, 2005) 

 

The concern remained, however, that the ruling would be interpreted and used in future cases. This concern was best voiced by Jennifer Granick; the “hacker lawyer” and director of Stanford Law School's Center for Internet and Society. Granick repeated Kerr’s argument that the ruling suggested the presence of encryption software simply shows the defendant could have destroyed the evidence. She then repeated the argument that was most concerning: the ruling could demonstrate that encryption “suggests a consciousness of guilt.” That is, why encrypt if you have nothing to hide? While Granick is careful to say that both interpretations are valid, the primary concern should not be “what this opinion says or doesn't say, but how it could be used by courts looking at this issue in the future.” 

 

Where do we stand some today? The legal opinions are still a mixed bag. Because encryption is such a wide field, let us take another example that deals with PGP. A federal judge ruled in 2007 that a decryption passphrase was protected under the Fifth Amendment (United States v. Boucher). This was celebrated at the time but the celebrations were short lived. In February of 2009, the court reversed its decision. At its heart was the definition of a PGP passphrase: was it speech or was it a key? The original ruling came down on the side of speech and thereby protected the passphrase. The reversal saw the passphrase like a key or combination, which prior rulings had established are unprotected by the Fifth Amendment.  

 

A person can be legally required to open a safe and reveal incriminating documents or books. Likewise, according to States v. Boucher, a person can now be required to decrypt a folder to review digital documents. The issue is whether the presence of encrypting software or, for that matter, illicit digital materials is relevant to prosecution.     

 

While this topic has not been specifically taken up in law journals, the related topic of suspicious materials has been covered in depth. See, for example, Swiss Cheese That's All Hole: How Using Reading Material To Prove Criminal Intent Threatens The Propensity Rule (Murphy, May 2008). Murphy details the legal precedence and evidentiary rules that allow for reading materials to be used by the prosecution. Such materials can be submitted if they are relevant in demonstrating the defendant’s mental state or aptitudes. But books cannot be used to demonstrate motive or intent. By itself, a book cannot be used to demonstrate a defendant had the inclination towards criminal acts (this is the propensity rule).  

 

The same legal structures likely apply to digital materials. In State v. Levie, illicit web searches were relevant to Levie’s mental state at the time of the crime. The presence of PGP was relevant to Levie’s ability to obfuscate or remove digital evidence. Yet neither the web searches nor PGP were used to demonstrate his propensity to perform the criminal act. The digital materials, just like written materials would have been, were not used to define motive or intent. That proof was from the primary evidence: an eye witness testimony. People can continue to safely use PGP and other encryption technologies. The propensity rule prevents these from being admitted as evidence of criminal intent. 

Tags:

Cryptography

Patience and Persistence

By wolfgang. 13 February 2009 10:29

Within time, within budget, that is my credo. I do not like my projects to run late. Yet in IT, some things often do run late. So it was today that I emailed a colleague to say that the computer I was updating was running about fifteen minutes longer than I expected. He pinged me back to say that patience was a virtue. To which I responded with my old family saw: patience is for those who cannot have it RIGHT NOW.

The timing was great, incidentally, as the update finished at the same time as my email. So I could have it right now. Good deal.

But that got me thinking about patience. I am not what one would consider a patient person. Patience brings to my mind a content bearing of a delay.

Yet so many saying revolve around patience. Take the Chinese proverb: “patience is power. With time and patience the mulberry becomes silk.”

I wouldn’t call that patience. It isn’t like you are waiting for the mulberry to become silk. No, not at all. You are actively engaged in the process. You are steadfast and firm, consistently working toward the goal. You are persistent.

Patience is waiting. Persistence is building. Now persistence, persistence is a virtue.

Tags:

General

DRP Training, Testing and Auditing

By wolfgang. 11 February 2009 16:23

What role does Disaster Recovery Plan training, testing and auditing play in a successful Business Continuity program?

Testing. Things are only known to be good at the time you check. The time to find out that components of the DR plan are not good is not during an actual disaster. That time has a premium cost. No, the time to identify and correct weaknesses is during test runs. The only cost for that time is the time for those testing.

Training. Those testing the plan have to know what to do. Furthermore, they have to know it to an extent that executing the plan becomes second nature. This is because actual disasters are stressful affairs. It is easy to make mistakes, omit steps, or forget details when under stress. The role of planning and training is to ingrain the steps and make the plan easier to perform if needed.

Auditing. A second set of eyes is always needed, particularly when that pair of eyes belong to an auditor. No good author would publish a book without an editor. Likewise, no good InfoSec professional should publish a plan without an auditor. A trusted third-party will always find ways to improve upon your plan.

Tags:

Business Continuity

CA Case Study on our use of ARCserve and Hyper-V

By wolfgang. 10 February 2009 21:36

After looking at several P2V-V2P solutions, we chose CA ARCserve. The choice has several benefits. The primary one is that it allows us to use a single tool for both data protection and for physical/virtual conversions. Essentially, this means a flat learning curve for my team. The other benefit is that CA ARCserve is significantly less expensive that dedicated P2V tools. CA did a case study on how we use their product and it is now online.

http://www.ca.com/us/success/collateral.aspx?cid=201041

Tags:

Business Continuity | Hyper-V

Relying on Third Parties for DR

By wolfgang. 2 February 2009 18:41

"A winter storm continues to ravage the Midwest and Northeast, cutting power, phone and Internet connectivity to millions of homes and businesses. Disaster recovery provider Agility Recovery Solutions is currently recovering 21 businesses and government entities in Kentucky, Missouri, Illinois and Florida with electrical and network services. An additional nine organizations have Agility on standby for potential recoveries in the next 24 hours."
http://www.pitchengine.com/agilityrecoverysolutions/disaster-recovery-company-responds-to-21-disastersresulting-from-winter-storm/3776/

Many of us rely upon vendors and third-parties for our disaster recovery efforts. For example, I personally rely upon a refueling company to keep my generator topped off and a maintenance company to keep it running. Other companies rely upon shared data centers, data backup/recovery companies, and DR plannters like Agility Recovery.

A weakness in these plans occurs when a regional disaster impacts multiple companies. In these scenarios, the third-party may lack the capacity to handle all the requests and be overwhelmed. One thing that happened to my data center during the winter storm (which knocked power out for five days) was that the fuel trucks were delayed for 48 hours, and the maintenance crew delayed for 24. The times are well within tolerances, but well beyond normal service levels.

Tags:

Business Continuity

Modulo automates risk management

By wolfgang. 2 February 2009 13:05

"Leading investment firm announces gains in productivity by deploying Modulo´s IT Governance, Risk and Compliance software."
http://www.modulo.com/press-release/press-release.jsp?p=20090202

"Effective risk management and control imply the development and maintenance of a process that enables the identification, analysis, evaluation and treatment of risks that may impact an organization. 'The only time you know a system is secured is when you check. Modulo Risk Manager automates auditing, which enables us to check more systems more regularly. The software's risk console also gives us a score and reporting mechanism. These reports focus our efforts and prioritize our remediation,' said Goerlich."

 

Tags:

Risk Management

    Log in