Date: Tue Aug  9 18:32:10 2005
From: jasonc at science.org (Jason Coombs)
Subject: Operation Site-Key computer forensic searches ruled illegal

Dear Robert,

In reference to your computer forensics-related article (below) from 
July 13, 2005, detailing computer searches ruled illegal because of the 
period of time that had elapsed from the date of alleged online purchase 
to the date of search of a defendant's Windows computer, please consider 
the following:

I worked as an expert witness on behalf of the defense in a case brought 
before a military court martial under UCMJ where the defendant's name 
and credit card number were found in the site-key database.

A computer forensic examination of the defendant's Windows computer 
revealed the presence of a Trojan and a keylogger that would have 
enabled a third-party intruder to intercept the defendant's credit card 
number and use it to purchase child pornography from a Web site that 
processed credit card payments using the site-key service.

Since this time, other cases involving site-key prosecutions have come 
to me seeking computer forensics and expert witness services. Thus far 
in these other cases I have not been provided with copies of computer 
evidence to analyze, but I have been performing as much preliminary work 
as possible and the possibility has arisen that the crimes of which the 
defendants are accused may be nothing more than a "failure of 
imagination" on the part of law enforcement.

Rather than the site-key database contents reflecting true purchases of 
child pornography by actual paying customers, I believe it is possible 
that site-key was in fact a bank robbery.

From my experience with e-commerce payment processing and online 
merchant services, I know that a merchant will be allowed to withdraw 
funds from a merchant account after a relatively short period of time, 
subject to the holding "in reserve" of a pool of funds to cover expected 
"charge backs" where the customer claims fraud must have occurred and 
disputes the credit card charge.

A sophisticated group of criminals could have used the site-key service 
to commit a bank robbery by intercepting a victim's credit card 
information and taking control of the victim's Windows computer through 
the Internet by exploiting security vulnerabilities in the Windows 
operating system and through the use of spyware.

Once in control of the victim's Windows computer, and after the criminal 
is in possession of the victim's credit card information as a result of 
the installation of a keylogger program, it would have become possible 
to "shop" online at a site-key child pornography website, impersonating 
the victim.

For those suspected child pornography customers who are arrested within 
a month or two after the bogus "purchase" by them of the child 
pornography, disputing the credit card charge would have been quite 
difficult as they would have been in jail.

Disputing the charge becomes impossible upon examination of their 
Windows computer's hard drives, due to the fact that corroborating 
evidence would have been found on the suspect's computer.

I have attempted to alert law enforcement to this possibility and have 
shared the details of the court martial case in which both a Trojan and 
a keylogger were found, prompting this notion that site-key was a bank 
robbery rather than truly a child pornography online business that 
attracted actual paying customers.

As you clearly have contact with the Dallas, Texas-based investigators 
and attorneys on behalf of various Operation Site-Key defendants, will 
you please make inquiries along these lines or help me make contact with 
the appropriate parties so that I may explain this theory in more detail?

Thank you kindly,

Jason Coombs
jasonc@...ence.org

--

Stale warrants doom porn cases

Exclusive: Searches that turned up images of children ruled illegal

09:55 PM CDT on Wednesday, July 13, 2005

By ROBERT THARP / The Dallas Morning News

When Dallas police and federal agents wrapped up a sophisticated 
Internet child pornography investigation in April 2004, authorities 
boasted at a news conference that arrests could number in the thousands 
and circle the globe.

But just a few blocks away at the Dallas County criminal courthouse, 
attorneys are now quietly getting their clients' child pornography cases 
thrown out by exposing what they call a fatal flaw in the way 
investigators proceeded with their work.

The problem: Detectives obtained many of their search warrants based on 
information that was more than a year old, far longer than what 
constitutional protections from unreasonable searches allow.

"I don't think there's a line, but certainly a year is stale under 
anyone's definition," said attorney Reed Prospere, who got the charges 
thrown out for three clients.

In at least nine Dallas arrests stemming from the Internet pornography 
investigation dubbed Operation Site-Key, attorneys have successfully 
argued that child pornography seized from their clients was found during 
illegal police searches.

At least four judges have heard the arguments and ruled that the search 
warrants were in fact illegal. The cases were then dismissed because 
prosecutors had no evidence to use during trial.

Prosecutors have downgraded dozens of additional cases to misdemeanors 
rather than face a judge's ruling on the searches. So far, Dallas 
prosecutors have secured 31 convictions from the cases.

"I hate letting bad guys go," prosecutor Ada Brown said. "The issue in 
all of them is staleness."

Dallas police Lt. Ches Williams, who supervises the department's 
Internet Crimes Against Children squad, said that he'd prefer to execute 
search warrants no more than a few days after detectives develop 
suspicion of a crime but that it's just not possible in the Site-Key cases.

It's a time-intensive task to sort through the information and determine 
which cases to investigate, he said.

The cases are all based on several large lists of clients subscribing to 
child pornography sites that were seized by Dallas police. Operation 
Site-Key listed more than 30,000 paid subscribers.

Names on the lists were referred to prosecutors and other law 
enforcement agencies, which typically had to verify that names on the 
lists didn't belong to people who had their identities stolen. Search 
warrants then had to be sought to search homes and computers of the 
suspects.

Handling massive numbers of cases can take months.

"You want to get to them as quickly as you can, but there's just a 
practical matter of not having enough hours in the day and fingers on 
the keyboard," Lt. Williams said.

British investigation

Operation Site-Key and an earlier Dallas Internet investigation known as 
Operation Avalanche have spun off thousands of investigations around the 
world, some of which are also drawing criticism.

In a companion investigation in England dubbed Operation Ore, police 
arrested some people solely for having their names on the child porn 
subscription site, even if detectives did not find illegal child porn 
during searches of their homes and computers.

Several of those cases have been thrown out or suspects found not guilty 
because of a lack of evidence. But authorities in England said they've 
secured at least 1,500 convictions from Operation Ore.

"The arrests are based on inference, circumstance and extremely weak 
links of reasoning," said forensic expert Jim Bates, who has testified 
for the defense in several of the U.K. cases.

Unlike the investigations in England, Dallas police say all of their 
arrests involved the seizure of what police said was child pornography.

"You can argue the legal niceties, probable cause, staleness of 
information -- only if we found it on your computer did we arrest you," 
said Bill Walsh, a Dallas police lieutenant who presided over the 
investigation until he retired this year.

Dallas attorney Tommy Mayes said it was immediately obvious to him that 
there was a problem with a search warrant that led to the seizure of 
suspected child pornography on his client's home computer in Dallas in 
June 2003.

'Hard to justify'

According to court records, the 46-year-old hospital worker became a 
suspect in the Operation Site-Key investigation in February 2002. His 
case was typical for Operation Site-Key detectives -- because he was 
believed to be a subscriber, police sought a search warrant to examine 
his home computer for illegal pornography.

But Mr. Mayes argued in court that the warrant was illegal because 
police had waited too long -- more than 16 months -- to act on their 
suspicions.

"It's hard for anyone to be in favor of child pornography. I'm a 
grandfather," Mr. Mayes said. "But it's hard to justify the behavior of 
the government. ... I'm more concerned about the government using this 
method of getting the evidence."

In each of the search warrant challenges, prosecutors have argued that 
the long police lag time should not pose a legal problem because those 
who possess child porn are different than other criminal suspects. 
Unlike a drug dealer or a murder suspect, those who view child 
pornography tend to save evidence and rarely destroy or get rid of it, 
prosecutors argued.

Judges presented with the argument have not agreed.

Ms. Brown said she has had no choice but to dismiss the cases after 
judges suppressed the search warrants.

The dismissed cases include ones where suspects have given police 
confessions about possessing illegal porn. But even the confessions have 
been thrown out because judges have ruled that they were also the 
products of the illegal searches.

Federal inquiries

Federal authorities have had more success in their investigations 
related to Operation Site-Key. The cases were initially parceled out to 
federal agents and local police based on which agency could get the 
highest punishment range for each charge, said Kathy Colvin, a 
spokeswoman for the U.S. attorney's office.

"We're not aware of any federal child porn charge in this district which 
has been dismissed, had charges dismissed, or a conviction that was 
overturned," Ms. Colvin said.

Ms. Brown said that such Internet investigations are complicated and 
take time to work, but court rulings do not support such delays. Perhaps 
legal precedents have not caught up to the complicated nature of these 
investigations, she said.

"At best the case law gives you a couple of weeks or a month or two," 
Ms. Brown said. "Some of mine were as long as a couple years."

Staff writer Tim Wyatt contributed to this report.

E-mail rtharp@...lasnews.com
