[Talk] using linux suspicious activity? :)
talk@flux.org
Thu, 30 Apr 2009 04:50:10 -0400
On Wed, Apr 29, 2009 at 3:04 PM, Aaron Wolfe - aawolfe@gmail.com >> [...]
>>>>
>>>> So I blame the expert, not the cops.
>
> One of my clients recently fired an employee because he was spending
> large amounts of time surfing porn sites on company time using a
> company computer. The company directs all web traffic through a
> proxy server that requires user authentication and logs all urls
> visited. They had hundreds of pages of logs showing the user's
> activities. They also used a commercial tool on the client PC that
> confirmed what the logs showed by searching the browser cache.
>
> I don't know the legal terms, but basically the guy wanted
> unemployment pay and the company didn't feel that it should pay him.
> It went to court and when the CIO presented the logs as evidence, the
> judge literally said "I don't know what this is, it looks like a
> source code or binary language".
It is reasonable for a judge (or a juror; in many courtrooms you are
allowed to ask questions, typically in writing through the judge) to
say, "Your evidence is incomprehensible to me, please try to explain
it more simply."
> When the CIO showed her a simplified
> log of a period in time where the user logged into a porn site using
> the same username and password that he had used to log into his
> personal web mail just seconds before,
The ideal way to establish this is to have secure computers that log
and authenticate stuff - they could have established that there was no
such process running. Not on Windows, likely, but on a properly
mil-specced computer where logs are a bit more trustworthy...also,
when I have been involved in dealing with systems where we had to be
able to try and piece together network flows after the fact, we had
monitors that recorded all UDP and all syn and fin packets as well as
the first 500 bytes of each side of conversations, also ARPs, and so
forth. I had a lot of this stuff working on the IBM AIX-based
firewalls, and I ran it on some high profile stuff. It did not produce
as much data as you might think but it was enough to reconstruct a lot
of stuff - and we burned a lot of CDs.
They could have had someone say, "we were looking for evidence of
external access to this computer and there was no such evidence. We
don't think that a hacker could have accessed his computer." They
knew they were going to fire this guy based on some evidence - all
they had to do was to take this same tightly viewed area of time and
do a little more looking. But they didn't.
> the user's attorney said "we
> believe that a hacker was controlling my client's computer. The hacker
> was reading his mail and looking at the porn." The judge accepted
> this and my client lost the case.
Based on the evidence presented, the reality is that there is really
no way to say that either (a) a hacker was reading the e-mail and porn
remotely or (b) the guy was using it.
Because the guy was fired, as opposed to quitting, the burden of proof
is on the company to prove that the firing was for cause - that it was
earned for misconduct. According to Wisconsin's state unemployment
web site, "Misconduct may include chronic tardiness, theft,
falsification of employer documents, insubordination or various other
actions." But, again, the burden is on the employer, not the
employee.
The proper evidence would have been easy to present. They could have
actually recorded the keyboard traffic on a hardware device that was
not accessible to the computer - I've read of such. But there is a
simpler way - someone looks over the guy's shoulder, perhaps a
nannycam that they installed to coordinate with the logs that they
were using to build the case, and the cam or the person says, "Unless
the hacker had control of his mind, he was typing the commands to do
the surfing on his computer himself."
This is why I thought that they seized the bad guy's stuff in Mass. He
has the same defense - if you don't see him doing something, the
unseen hacker can make it look like he did something - it could have
been a frame. So you want to look at the bad guy's actual computer -
and maybe his memory sticks. You find proof that his computer did
this - and you find no evidence of a back door program, and it becomes
harder for him to say, "gosh, that wasn't me."
Of course, what it really comes down to is what the judge believes.
Companies pay unemployment insurance. They pay different rates based
on how often people collect on their unemployment. Highest rates are
paid by people who work in seasonal businesses - and who regularly lay
off large numbers of people and then rehire them three months later -
like hotels in areas where there are tourist seasons. Best rates are
paid by companies that provide steady employment and rarely fire
anyone.
So companies who fire for cause fight the unemployment claims to avoid
having their rates go up.
If the judge smells a case where the evidence is too good, he might
suspect a witch hunt - in many places, employment is at will - you are
allowed to fire someone because they rub you the wrong way, so long as
you do not regularly fire minorities or protected classes. But they
are allowed to collect unemployment as they look for a new job.
So if you have evidence and it is too good, then well, one question
would be, "did they ever talk to the guy about whether he was actually
looking for porn?" Did they counsel him? If he had been looking for
porn hundreds of times, over weeks or months, had they determined to
fire him immediately or had they told him that he was in violation of
policy and asked him to stop on pain of losing his job?
Had they told him to stop and had he denied doing it, it might be
worth looking for a hacker. A "hacker" could be a co-worker. Lots of
places, people share passwords - and a co-worker is in a great
position to run a sniffer, get those passwords, install an illicit
copy of VNC and read someone else's e-mail - or pick the person who is
the best worker in the office and read porn from their computer just
to get them in Dutch with the management.
If you look at your logs and decide someone is guilty - without ever
talking to them about it - or looking over their shoulder to see if
they are actually doing it, or anything else, it is bad practice
(IMHO) and you really know nothing.
All they would have had to do was to have someone testify that he
looked over the guy's shoulder and he was actually reading his e-mail
or porning.
> I know that logs can be faked and my client probably didn't have the
> proper evidence to prove wrongdoing. It's even possible that spyware
> or a hacker did do this. However, the statements made in that
> courtroom really blow my mind. To top it off, my client's lawyer said
> that he's seen other cases where the evidence was much more
> questionable but the company won. It's basically a crapshoot.
Yep. Furthermore, a lot of it depends on who the judge or jury
believes. Why was OJ found innocent in his original murder trial?
The jury exercised their prerogative to find that evidence, despite
being attested to, was not believable. They caught one guy lying
outright about something not properly connected with the evidence. The
LA police had a rep for testilying - making up stories so that their
probable cause was good enough - so that their warrantless searches
were justified, and so forth.
You have a company and an employee - and the company comes in with an
IT director and hundreds of pages of logs - and they never talked to
the guy about doing better. So the judge decides that they are not
being reasonable - he wouldn't have wanted to be treated that way -
and he decides to believe the theory put forth by the ex-employee.
> I am seriously worried, especially being in the IT security industry,
> that some day I might end up accused of something I didn't do, in
> court unable to defend myself because the court cannot understand my
> defense.
It isn't only about IT. Your neighbor could get into a fight with you
over your dog and his rosebushes, and one day you get stopped by the
cops - oddly, by three cops and they are all standing there with their
hands on their gun butts and you open your glove compartment to get
your registration and - then you are on the ground with your hands
behind you - because there was a plastic bag in there with $20 worth
of crack cocaine. The cheapest you get off is $3000, for a basic
lawyer and for bail bond. And you probably have a record - although
if you pee clean you might be able to argue that it wasn't yours.
Yeah, they got a tip and they were going to find an excuse to make you
open your glove compartment.
My absolute best friend in high school (other than girlfriends) was
James Scarborough. One day he was arrested for WWB (Walking while
black) where the walking was in the immediate vicinity of an armed
robbery within the last 30 minutes.
After two weeks in jail he was finally put in a line-up, and was not
identified; in fact, the witness's statement was, "Him? I described
the man who robbed me and that boy looks absolutely nothing like the
description I gave you - I told you he was medium build to heavy, and
that boy is rail thin. I told you he was six feet and that boy is at
least six three. I told you 25 to 35; that is a teenager."
He had no money for a lawyer, so he didn't lose that. Now, you'd
think that the cops would be upset and sorry because they made a
mistake. They were upset - at him, because he was not guilty. If they
arrest you, you should be guilty and not waste their time. So they
kept arresting him - for cohabitation - he was arrested for living
with someone of the opposite sex - in Gainesville Florida, in 1971.
This is a college town, and probably 20% of the people in town are
cohabitating, but he was a black man and the girl he was living with
was white. He was forced out of college and his life went downhill
from there - arrested for something he actually did a few months later
as he got desperate, he did hard time. I saw his name -- in the
social security death database. His death certificate was signed by a
prison coroner in Cook County, Illinois.
I know more stories, but look at the number of people who are being
cleared by DNA - after doing 20+ years. There are just too many
jurors who believe that if the man wasn't guilty he would not have
been arrested. Their job is simply to rubber stamp the police work,
without questioning much of anything.
Yep...the IT stuff we do puts us at a little bit more risk. When I
consulted I had co-workers' doors kicked in (and they had the letter of
authorization) - but the guy was still booked.
Being involved with life puts you at risk. I was working late - and my
co-worker decided we had put in so many hours we were babbling and it
was time for breakfast. I bought it, and packed to leave. As I came
down the elevator, my co-worker, an absolutely gorgeous blonde who was
completely out of my league (and I had a girlfriend) is in the lobby
at 3 AM talking to some scrawny redneck. Suddenly he grabs her and
starts hitting her. I jump in, to defend her. Turns out this is her
ex-husband (she has a 12 year old daughter) and he has been stalking
her. Beat her frequently when they were wed. I stop him, since I
outweigh him by about 100 pounds and I'm a foot taller - I just grab
him in a headlock and ram him into the wall and then tell her to call
the cops. She is all scratched and bruised, and I am scratched and my
glasses are broken.
That is why my fingerprints and mug shot are on file. See, when the
cops got there he said, "he attacked me for no reason," so I was
arrested. In my case the prosecutor dropped it. But had I been
nervous, I would have been lawyered up, and it would have cost me a
thousand.
I could go on. Cops can say anything, they live by different
regulations than we do, both in fact and in theory. They pick the
wrong people to be cops, in general, and in Hendry county, where I
live now, there is a deputy who is in when one sheriff is elected and
out when he loses office - and he tried to get out the vote but the
sheriff was just put out in a close race. He defends the families he
likes, keeps their kids out of jail, and it is so overt that my
feeling is that sheriffs in Florida need supervision.
Maybe we will get together over beer someday.
> Sorry for the long ramblings.
> -Aaron
That is what talk is for.
>
--
A man can't live in the everglades
Where a man can hide and never be found and have no fear of the bayin' hound
But he better keep movin' and don't stand still
If the skeeters don't get him then the gators will
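The capture scheme the poster describes above (record all UDP, all TCP SYN and FIN packets, and only the first 500 bytes of each side of a conversation) as an added example, not code from the original message or from the poster's AIX firewalls; the FlowRecorder class, the budget constant and the replayed packets are constructed for illustration.

```python
"""Selective capture policy as the post describes it: keep every UDP datagram and
TCP SYN/FIN, but only the first 500 payload bytes per direction of a TCP flow."""
from collections import defaultdict
from dataclasses import dataclass

PAYLOAD_BUDGET = 500  # bytes retained per direction of each TCP conversation (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: frozenset  # TCP flags seen, e.g. {"SYN"}, {"FIN", "ACK"}
    payload: bytes

class FlowRecorder:
    def __init__(self, budget=PAYLOAD_BUDGET):
        self.budget = budget
        self.kept_bytes = defaultdict(int)  # (src, dst) -> payload bytes kept so far

    def observe(self, pkt):
        """Return the (possibly truncated) record to keep for pkt, or None to drop it."""
        if pkt.proto == "udp" or pkt.flags & {"SYN", "FIN"}:
            return pkt  # connection setup/teardown and all UDP are kept in full
        key = (pkt.src, pkt.dst)
        room = self.budget - self.kept_bytes[key]
        if room <= 0 or not pkt.payload:  # budget for this direction spent, or a bare ACK
            return None
        self.kept_bytes[key] += min(room, len(pkt.payload))
        return Packet(pkt.proto, pkt.src, pkt.dst, pkt.flags, pkt.payload[:room])

def demo():
    # Constructed traffic: one DNS datagram, then one HTTP conversation.
    c, s, r = "10.0.0.5:51000", "203.0.113.9:80", "10.0.0.1:53"
    tcp = lambda a, b, fl, data=b"": Packet("tcp", a, b, frozenset(fl), data)
    pkts = [
        Packet("udp", "10.0.0.5:5353", r, frozenset(), b"Q" * 40),
        tcp(c, s, {"SYN"}), tcp(s, c, {"SYN", "ACK"}),
        tcp(c, s, {"ACK"}, b"G" * 120),   # request: kept whole
        tcp(s, c, {"ACK"}, b"A" * 1400),  # response: first 500 bytes kept
        tcp(s, c, {"ACK"}, b"B" * 1400),  # response: budget spent, dropped
        tcp(c, s, {"ACK"}),               # bare ACK: dropped
        tcp(s, c, {"FIN", "ACK"}), tcp(c, s, {"FIN", "ACK"}),
    ]
    rec = FlowRecorder()
    kept = [k for k in map(rec.observe, pkts) if k is not None]
    return {"packets": len(pkts), "kept": len(kept),
            "bytes_seen": sum(len(p.payload) for p in pkts),
            "bytes_kept": sum(len(k.payload) for k in kept)}
```

The 2960 payload bytes of the replayed flows reduce to 660 retained bytes while every connection start, end and request line survives, which is the trade-off the poster is describing.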