1996-11-30 - Re: denial of service and government rights

Header Data

From: Greg Broiles <gbroiles@netbox.com>
To: attila@primenet.com
Message Hash: 8aec89f0901fe2ef0b789c046b077c3a13d8b0744808346bf1f56e658963b20e
Message ID: <3.0.32.19961129195752.00730f7c@mail.io.com>
Reply To: N/A
UTC Datetime: 1996-11-30 03:56:45 UTC
Raw Date: Fri, 29 Nov 1996 19:56:45 -0800 (PST)

Raw message

From: Greg Broiles <gbroiles@netbox.com>
Date: Fri, 29 Nov 1996 19:56:45 -0800 (PST)
To: attila@primenet.com
Subject: Re: denial of service and government rights
Message-ID: <3.0.32.19961129195752.00730f7c@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

I see two general arguments that go in the direction of the SAIC
consultant's comments:

1.	Seizure & retention as evidence or instrumentality of a crime - e.g., if
someone breaks into my house, steals my gun, and uses it to shoot someone,
it'll be a long damn time before I get my gun back. The prosecution will
likely want to do various forensic tests, the defense may want to do its
own, the prosecutor will want to wave it around at trial, it may even go
back to the jury room to pass around while they deliberate - and if there's
a mistrial/new trial granted, the cycle starts again. (Off of the top of my
head, I can't remember what happens to physical evidence after trial but
during appeal.) Generally, people who are unfortunate enough to have
property which gets sucked into a criminal investigation/trial are just out
of luck. Bummer. I don't see any reason why this wouldn't be true for a
computer. Fed.Rul.Crim.Pro. 41(b)(1) allows the seizure (but seizure is not
forfeiture) of "property that constitutes evidence of the commission of a
criminal offense". 

2. 	Forfeiture of the instrumentality of a crime, or of a nuisance - cf.
_Bennis v. Michigan_ <http://www.law.cornell.edu/supct/cases/94-8729.html>,
the recent Supreme Court case where the "Justices" (cough cough) upheld the
forfeiture of a wife's half interest in a car which was used (without her
knowledge/consent) by her husband to facilitate the crime of prostitution.
The Supreme Court rejected the idea that the Fifth Amendment's takings
clause or the Fourteenth Amendment's due process clause prevents the
forfeiture of the instrumentality of a crime without a showing of
culpability on the part of the owners. Some forfeiture statues (e.g., 21
USC 881, 1989 Oregon Laws Chapter 791, both re drug-related forfeitures)
provide for an "innocent owner" defense to forfeiture, but the Supreme
Court doesn't seem to think that's required as a matter of constitutional
law.  Fed.Rul.Crim.Pro 41(b)(3) allows the seizure of "property designed or
intended for use or which is or has been used as the means of committing a
criminal offense".

 There's an excellent resource available re computer search & seizure at
<http://www.epic.org/security/computer_search_guidelines.txt> - it's the US
DOJ's "Guidelines for Searching & Seizing Computers", pried loose by an
EPIC FOIA request and scanned.

But there's a big difference between "seizure" and "forfeiture". It's
possible that recent legislation has done for computer crime what the drug
forfeiture laws have done with respect to title in property - 21 USC 881(h)
indicates that "All right, title, and interest in property described in
subsection (a) of this section [e.g., property used in connection with a
drug crime] shall vest in the United States upon commission of the act
giving rise to forfeiture under this section." Given the innocent owner
defenses available in an 881 forfeiture, (h) sounds scarier than it works
out to be.

So yes, there may be a statute which gives title to the government in
computers used to commit crimes, and no, the Supreme Court won't
necessarily care about an "innocent owner". (Then again, it may make a
difference if we're talking about a computer owned by a corporation with
political clout, instead of the half-owner of a $600 car used for
surreptitious blow jobs. Your cynicism may vary.) I can't seem to find any
such statute, but like Ben Laurie pointed out w.r.t. security reviews,
there's a line between what folks are willing to do for free, and what
feels like work. Digging through a lot of teeny type in the Federal
Register/Congressional Record isn't my idea of a good time, so I'll leave
the "is there a statute?" question for someone else. I poked around on
EPIC's web site and thomas.loc.gov and in 18 USC without finding a computer
crime seizure statute, but I may just be too tired. :( 
 
At 07:26 PM 11/29/96 +0000, Attila wrote:

>        I got tired of paying Lexus $150 for idle months after dumping
>    West for almost $500/month --otherwise I would run down the Feds
>    kangaroo ruling which seems to grant them this absurd right. 
>    Several on the list are still maintaining accounts...  ?
>
>        ====== begin forwarded text ======
>
>Computer Attacks Show New Patterns
>
>The major trends in computer break-ins involve denial of service 
>and data-driven attacks, says a Department of Justice lawyer.  
>Denial of service occurs when an attacker "bombs" an Internet 
>service provider with so many e-mail messages that the server 
>becomes overloaded and shuts down. Data-driven attacks occur when 
>a virus program is disguised as a data-only file.  The file can be 
>hidden in a Java program on a Web page, and when a visitor clicks 
>on the site, he or she unwittingly downloads the virus.  A computer 
>crime consultant with SAIC warns that these attacks can be launched 
>on an innocent party's Web server, but once that happens, the server 
>can become the subject of a wiretap and a search warrant.  "The title 
>of your computer vests with the government as soon as a hacker uses 
>it to commit a crime," he says.  
>
>[BNA Daily Report for Executives 25 Nov 96 A20]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMp+GSv37pMWUJFlhAQHEmgf+IfYnc0w47Ja/ETFlt08uHA7OWV9NJetd
l3gA4av00CwST1FRtdizAC0C4t2MHT6kzHb1j8NzncazAvgjdTEa9Vd31UTR0HgU
4dYbu9e+YtYT6NcaD4HszewxVo/gfpUKBobOA2lVe1QLR1Dzqbx2cbsmxKgDsdzE
Y/TATalZ7c7BkAXJBBgmXs8QYpsBWGUpmf8PUB3731MpGyF6H4gpmssxefjvGghE
eQ27k3hkPlZiKGI5MeZrFhUZXJj3VPu4B3/gC+ZFm2M8Jh4z5Wo4r7w690eb9hky
dGkUzQOb6sdh3ee1oJzwNWXE7R6DCL+3uiGA8Slt0hPOSBo2LBY2Zg==
=dQn5
-----END PGP SIGNATURE-----

--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            | 





Thread