Hey, everybody. Listen up. We're a little early. We'll get started. This is "Legal Aspects of Active Defense." I am always pleased when techies come and want to see how law intersects with technology. And years ago I mentioned that to Marcus Sachs, who is a SANS instructor, at Verizon and all that stuff. And I said Marcus, I am always amazed that like the room will fill up and people actually show up. And he said yeah, or the other rooms are all full and they don't have any other place to go. So if you're here because you want to see how they intersect, great. Wonderful. This is great. But if you're here because all the other rooms have filled up and you couldn't go anyplace else, sorry about that. We'll try to get bigger rooms next time.

So legal aspects of computer network defense. The agenda, the things we're going to talk about here as we go through, to figure out what are those things that you need to do to be able to do computer network active defense. Disclaimer aspect on things. I am here in a personal capacity. I represent no employer, entity, Government organization. Anything. So I hope to be informative to you and give you some information and yet still maybe be a little bit entertaining.

I have spoken at numerous Black Hats and DEF CONs before and typically I have the only million dollar giveaway.
And what that is is for any question or the best question, best comment or even best heckle, I usually will give away a $5, a $10 or a $25 chip under the million dollar giveaway. Now you have to take the chip and go out to the casino and parlay that into a million dollars on that.
(Laughter)
Now I normally, that's what I do. I'm going to apologize. That's been canceled due to sequestration.
(Laughter)
So if you're pissed at your Government for things, let me explain something. Talk to my wife about having 20 percent pay taken away. That's when you get pissed, when you have to deal with that on the home front.

There is a current topic out there that is quite pressing. It is ripe for comedy, and I've been having fun with it. It involves the United States Government. And while the United States Government was founded on happiness, I think if you look at the Declaration of Independence in there you will see that basically, you know, it is founded on happiness. We are the only happy country. You look at any of the other documents out there, the Magna Carta or anything, they don't mention happiness. With that said, I have spoken to sources familiar with the matter and they tell me that the Government has no sense of humor on this topic. And so, therefore, we will not be making any jokes about that whatsoever.

As we go along, I have an active defense scenario to talk about. A spoiler alert here.
If you don't want to know how it comes out at the end, please turn away from the screens and look the other way. Because the way that it ends, he's the bad guy on this. And if you're from my generation, actually, he's the bad guy.
(Applause)
And I know we're not supposed to do any sponsorships or plugs, but because I'm a Chrysler kid from Detroit, Michigan, and I can also get fine Corinthian leather from him on that.

This is the first year that I'm going to hand out a Robert Clark cybersecurity award. Drink.
ROBERT CLARK: What? Oh, drink. There was a different one last year at Black Hat. They said any time anybody says "cyber," you're supposed to shout out something else. I can't stand the word "cyber." Absolutely hate it. I'm a computer network guy from the aspects of a decade. But if you want to have money thrown at anything, you've got to have the word "cyber" in it. If you wanted port-a-potties for DoD, you would say these are cyber port-a-potties and they would give you thousands of dollars for these things. And of course you would say wait a second, what makes it a cyber port-a-potty? Well, there's a key pad -- don't even go there.

So I would like to give the first Robert Clark cyber security award to someone who has done something to advance cyber security. So who should this possibly go to? You've got folks like, you know, Leo Laporte out there doing stuff, Tom Merritt doing good work.
Like Steve Gibson's aspect, and I even like Patrick Gray and the Risky Business. All of these folks are out there. And while I would like to kiss up to them and to get onto their shows, I really actually want to kiss up to Stephen Colbert.
(Laughter)
Now, if you're wondering why? Well, you know, he knows the technology. Now granted a couple years ago it was very archaic. Of course this might be the securest way to communicate these days. I can't see below the table to see if there is anybody in the middle, but you never know. But he knows the technology. I mean, he gets customized technology that he gets to use. One of the first users of a tablet. Into that virtualization aspects. Even invented his own Google Glasses. So from that aspect what more could you want from somebody? He knows the technology so much he even advised Anthony Weiner, a/k/a Carlos Danger, they should be using Snapchat. So, you know, the guy is there. He knows the web. He knows iTunes. He's got Google down, Bing, Twitter. Bitcoin even talks about him and even PalTalk. If someone can come and tell me what PalTalk is afterwards, I'd appreciate that. He knows the people, you know, from Jobs, to Schmidt and Gates and even knows Anonymous. As a matter of fact, he probably knows Anonymous a little too well and too closely. If that's not enough for this award, he's got a virtual presence.
He's on the International Space Station and he's even in animations. So in my book he deserves the first Robert Clark cybersecurity award. And if this isn't enough to get me on his show, I really don't know what it's going to take. It's not going to be my intellect, from that aspect of it.

So now getting on to things. Disclaimer, again, I am here in a personal capacity. All the opinions are my own. Cyber education is a big piece. I am actually leaving the United States Army Cyber Command, which is not the same agency as the United States Cyber Command. I work for General Hernandez. This is my last day, actually, working for him. And tomorrow I start at the Naval Academy out at Annapolis on their faculty to educate --
(Applause)
So I'm a professor of law, this is sweet, to teach midshipmen on the nontechnical content for cyber operations, the law and policy aspects on life. And so they have two core classes that every midshipman must take, and we're developing a cyber operations major. West Point also has an Army cyber center, so I'll mention that with my Army heritage, and then the other service has something they're doing, too. But I have no affiliation with them. So if I say something wrong, please by all means say you heard it from an officer at Army Cyber Command. And if I say something right, please say that this brilliant professor from the Naval Academy said it. I'd appreciate that.
(Laughter)
When I go to a conference, I'm really hoping that I'm taking away only one or two golden nuggets of information, because if I'm not then I'm really stupid and I really should be studying a lot more. And so the one golden nugget I want to give right up front, if you're interested in this area, the American Bar Association cybersecurity task force is going to be coming out with a report that's supposed to be coming out soon, a report on active defense. So I would say tuck this away if this is an area you are really interested in, and go to their site down the road and see if they have that coming out. Because they're going to talk about some beaconing and some other aspects of it, so it might be something to tuck away in a back pocket as we're moving about, talking about doing active defense.

So law and computer network operations. If you ask the same question to two attorneys, you will get a lot of -- you'll get four answers and there are only two attorneys there. The thing is, I'm not your lawyer, and please ask questions at any time. Stand up, shout. We will be glad to address them. The interaction is really what makes this thing go. But I'd like to talk, if anyone was in Mark Weatherford's talk on the growing irrelevancy of the US Government information sharing, he made a point about attorneys. He didn't say which ones.
And he said that they were very risk averse and didn't understand the technology. We'll get into Clark's law about dealing with your lawyers and technology a little bit here. The aspect about being risk averse and what a lawyer's role is, and this is kind of for you, I provide advice. I give counsel. If it's something illegal I'll say this breaks the law. If it violates a policy, but I provide advice. The responsibility to act on that belongs to my client or the commander or the Government. And it's their job to say got it? Okay. But you don't let your general counsel run your company from that aspect. And that's kind of an interesting take that I had a problem with, with Mark Weatherford's comments. And it's not -- I understand the scenario. Yes, senior leadership's not going to do anything unless their general counsel says yes, you can do that. That's backwards. The senior leadership is supposed to listen to their general counsel, it's their attorney. But they make the decisions and if they're not going to make the decisions, then they're the ones who are risk averse. So that's the aspect and that's kind of the role. Because when the day is over, I'm going to go home and have a steak dinner. You guys might be led away with handcuffs on, but I'm going to go home and have a steak dinner on that one.

Before we get started, there are a couple cases I always like to point out.
The United States versus Proctor was the courts recognizing that computer security professionals are a special skilled group. Proctor had the right to remain silent but he didn't have the ability. He gave a nice detailed confession, to which the Judge elevated his sentence and said you've got special skills and the Court's going to recognize that, though that's probably not a great thing on the computer security side.

There is an interesting WiFi case that came out. Now it's a civil case and it's one of those patent trolling cases, In re Innovatio, from this aspect. They're suing coffeehouses and people that are using WiFi. And it's that wonderful legitimate suit where, you know, basically you send the coffeehouse a notice saying for $7,000 I'll go away or we're going to sue you. And they did it to 7100 hotels, coffee shops. And they had a motion to enter how they were going about sniffing and grabbing the communications going across the WiFi. And how it worked was they were using -- grabbing data packets going over the unencrypted WiFi, using things that are readily accessible to the general public, and that the sniffing protocol they were using again was available to the general public. And the court was basically saying it falls under the wiretap exception and so there is no problem with them doing this. You can have, with the proper foundation, this evidence can come in.
So what they were doing is they were using a Riverbed AirPcap packet capture adapter for 700 bucks. Wireshark. So with the laptop software and the packet capture adapter, they could get any communications, as long as they were in range. All of these things are provided by commercial providers. And so it didn't violate the wiretap statute.

Now this is kind of interesting, meaning so back in the day -- and the way with technology being generally available to people, it came back out of a case called Kyllo where DEA looked into a house using thermal imaging. The court said no, that is not technology that's readily available to the public. They don't have their own helicopters with their own thermal imaging radar, so we're not going to let you do that. God, you know, what you folks are doing now and the technology that's available to the general public, it is a very interesting area where we're going into in terms of what you can sit there and sniff and grab that courts are holding not a violation of the Electronic Communications Privacy Act. And of course he said the public's lack of awareness of this was irrelevant. So it's an interesting civil case that's out there. It's not a criminal case that's out there, but it was kind of interesting.

The Constitution, pretty damn good document to run a country of 350 million people or so, written in 1787, and then what happened next were computers.
Well, DOJ set up the computer crime unit in 1991. There's a little gap there on that. And a little bit before that, they did the Computer Fraud Act. So how does this law stuff apply to we the geeks from that aspect? Now on the Constitution, there is the Article 2 powers are the President's powers, so it's kind of an interesting aspect. There is a little known footnote in here that you've got to kind of look for that Madison put in there. You know, he envisioned people like Jobs inventing communication devices that were incredible. So under the Article 2 powers, the President can conduct computer network operations. He goes I don't know what a computer is, but I'm sure it's going to be important in a couple years and please keep an eye on the IRS for us.
(Laughter)
So legal aspects of computer network defense. We had a preconversation up front here. We were talking about some certain things. An important lesson learned which is relevant to the area we're in right now, and this is very true, bad legal advice put OJ in jail. It was an interesting aspect where again he wanted to get his property back and his lawyer told him, hey, if you don't breach the peace, don't use force, you can go get your property. Of course, the facts of the case is that he went there with a couple buddies that had guns, breaching the peace, and he's in jail. And so basically he kind of needs that number right there.
If you are out there, I've seen some of the attendees doing things, this is a valid number, you may want to jot this down for the weekend on that.

So, again, I am not your lawyer. When I try to come up with a topic for DEF CON, I want to make sure that it is relevant to what's going on. And this IP Commission report just came out recently, and it was interesting from an aspect of again the DOJ had a chance to put in there that they say hacking back is illegal. So don't do it. The report was written by Dennis Blair, who was the first DNI director, and Huntsman who used to be the ambassador to China. The report really said that hey, if I can retrieve my digital property without damaging that person's computers, I should be able to do that. So we're talking about self defense.

There are 21 state constitutions that say that you have a constitutional right to defend your property on that. It is recognized in common law and goes back a long time that you have the right to defend yourself and your property, from that aspect. And it kind of flows into this thing called trespass to chattel. Now the Intel versus Hamidi case was that blasting of emails to Intel by Hamidi. And one of the things that the court said was we favor in this area trespass prevention over post-trespass recovery. That's kind of the theme of what we're going to be talking about here.
We're going to be talking about those things you do ahead of time so you don't have to do post-trespass recovery. The active defense scenario obviously is going to be a post-trespass recovery scenario as we go down there.

Self defense, you have to be in a place you have the right to be. A whole bunch of other factors that go with it. But you've really got to be in that place that you have a right to be. It is not unlimited for property. You can't usually use deadly force to defend your property, under certain circumstances. That actually will come back into play. So you've got to be in a place you have the right to be with all the factors that go in there.

We were also talking earlier about if we were going to do this, you know, who are the experts we listen to. Stewart Baker, formerly of Steptoe and Johnson, actually he is with them now, is quite the advocate that you should be able to hack back. And I was at the FC conference in Maryland and he offered to represent anyone who did it and was prosecuted by the DOJ, for free. Now, you can call him up and say hey, I heard from this guy -- and he might hang up on you, but that's what I heard. Orin Kerr who is a professor at George Washington University and who writes the book on computer crime has pointblank said I don't think there is a digital self-help as the way things stand right now.
So sorry to ruin that for you for where we're going to go with our scenario, but if it's me and I'm going to be prosecuted, I'm going to get Jennifer Granick or Orin Kerr to represent me. And both of them have said there is no digital self-help, you know, self-help defense here. Jennifer was on Patrick Gray's Risky Business podcast 272 talking about this extensively. And, again, she said there is no digital self defense.

So what you've got to do as we're talking about building that case of reasonableness, what are those things you're going to do that are necessary and reasonable. So when we're building that case of reasonableness, you've got to think what are the things you're doing to secure and defend. And it's that aspect of technology, your open source and situational awareness, intelligence, your policies, your training, information control, active defense things you may need to do, which might be deception, recovery operations. You know, the stopping the pain aspects on life. And what is the one thing that was missing from all those slides that is extremely important to DOJ? Previous and ongoing coordination with law enforcement agencies. And why is this important? Because if you're planning on doing this, in reality, why are you preparing for this? Because you're trying to convince DOJ not to prosecute you, or any other type of law enforcement agency or prosecutorial office not to prosecute you.
What are the things I did ahead of time that were reasonable that I had to take the next step. Or worst case scenario, you're going to have to try to convince a Judge or jury that you have a self defense claim.

So the reality and the practicality of this is simply DOJ is always and has always been taking a hard look at this and a hard stance on this. Until the law is amended, they feel that this is a crime. Now, don't blame DOJ. You don't beat the monkey if the organ grinder is not present. Go see Congress, because Congress is the one that is responsible to amend the law for that aspect of it.

So the requirements for self defense, or a necessity defense, require that there are no other lawful means available. Meaning you've gone to CNLEA. All your remedies have been exhausted, meaning no law enforcement, the civil lawsuits have been filed on that. And I go back to this Prosecuting Computer Crimes manual that DOJ has had out for a long time. Again, doing so may be illegal regardless of your motive.

The other aspect for you all that I've had conversations with some techies on, it's the aspect of resource intensive. So if you've got this honeypot with a bunch of fake documents in there and they say no, the big problem with this is my clients can't manage their real stuff and now you want them to have a bunch of fake stuff on there? I don't have time managing the real stuff.
So this is very resource intensive from my perspective. So I don't think it's a mom and pop shop thing that they're going to be doing. I did government contract litigation and we had a lot of mom and pop third-party suppliers. I can't see they're the ones doing this. It has got to be somebody that's got a lot of resources to dive into this.

So building that case of reasonableness, the things I think you need to do so you can actually get to that active defense scenario. There's the technology you've got to have in place. And you guys, I'm talking to the experts that know all of that. So you're talking about your different, you know, your firewalls, your intrusion systems, realtime network awareness, SSL proxy things, your logging, your monitoring on that. And you've got some honeypots flowing from that aspect. So you're doing all this. And of course legally you can do this, because to do this you've got to comply with the law, which would be the wiretap statute. So you're either getting consent of your users through log-ins or banners from that aspect on life, or you're doing it in the service provider's aspect, with the exception to the wiretap statute that says hey, it's my property. I can defend it. It's necessary to the defense of the property. And these are the cases that came out of the Blue Box cases, where they had to find out -- you know, after taking the whistle out of the Captain Crunch box.
It's back in the way where they recorded the beginning part of the conversations, half of it and all of it. And when the cases got to the court, the Judge said okay, you recorded the front part of it, that was tailored. You identified what the phone number was. Those are going to go forward. And when they recorded more of the conversation, like half of it, where the prosecutor could submit why they needed to record half of it, those cases went forward. And if they couldn't, they were thrown out. And pretty much when they recorded the whole thing, the Judge said you didn't tailor this at all, we're throwing this out.

So now how do you tailor computer network defense? How do you tailor your intrusion detection systems? It's not like I can record the first part of a three-way handshake. And kind of, in my opinion, it means like I'm going to run my Snort sensors out there and I'm going to grab everything. You know, see how much my storage space is going to have, whether this is overwritten in 4 hours or whether it stays on there for 30 days. And when I get my alerts I can go back and grab the information and take a look at it to review my computer security. So from that aspect that seems reasonable. It's tailored. And there hasn't been an argument or a debate on that aspect of it from the technology speaking aspect.

When I talk to techies, I always ask one thing.
Why aren't the crown jewels air gapped off and why aren't they encrypted in data at rest? Again, being the lawyer and the stupid one in the room, I'm thinking okay, it has got to be expensive, it's got to take time, it's got to slow things down. And I've actually had techies come back and go no, not so much. So if I'm wrong at that, please tell me on that aspect of it. But I'm always curious at why the crown jewels of a company aren't separated off, air gapped, and aren't things in place to protect them? Again, steps that are reasonable to defend the information that you want to do.

I did mention beacons before. I will note that DOJ has a -- again, it's one of the absurdities of law, the way it's written. If you're not an electronic service provider, you can't do beacons. It's a strange thing on that. Again, that's something I'm hoping that the ABA task force report will talk about as we go down the road.

Pen testing and red teaming. One of the things you need to be kind of concerned about actually is the Lanham Act. It's a national system for trademark registration to protect your trademarks from either consumer confusion or dilution. And that means if you're using that mark and it reduces people's perception of it, you can have a problem. Why would this come into this field? So you have -- you go to your lawyer and you go hey, we want to do spear phishing. Okay.
And Beyonce's concert 280 00:22:40,620 --> 00:22:45,799 is coming up, so we want to send that out to our employees that for $45 if you click 281 00:22:45,799 --> 00:22:50,750 here, you can get $45 tickets front row to Beyonce. Is that a problem? The lawyer doesn't 282 00:22:50,750 --> 00:22:55,000 know much about technology. He's busy with other things, so he says go ahead. So they 283 00:22:55,000 --> 00:22:59,020 go ahead and they send that out. The next thing you know they forward it to two friends and 284 00:22:59,020 --> 00:23:01,870 they forward it to two friends and they forward it to two friends and it goes outside your 285 00:23:01,870 --> 00:23:06,850 network and now everyone's sitting there going wow, we can get Beyonce tickets for $45. 286 00:23:06,850 --> 00:23:10,630 And Beyonce's attorney comes knocking at your door going who the hell are you and what the 287 00:23:10,630 --> 00:23:15,460 hell you doing? So that's the aspect. If you don't plan for these things and make them 288 00:23:15,460 --> 00:23:19,870 so they can't get released into the wild, you can have a problem here. 289 00:23:19,870 --> 00:23:26,490 Now, I am not a Lanham Act attorney. And before you blast me to the evaluation boards and 290 00:23:26,490 --> 00:23:30,330 everything, you need to understand one thing. You're going to go hire the law firm of Dewey, 291 00:23:30,330 --> 00:23:33,399 Cheatem and Howe. And they're going to give you their legal advice for what you need to 292 00:23:33,399 --> 00:23:38,090 do, and there are a whole bunch of people in this law firm. And one of the branches 293 00:23:38,090 --> 00:23:41,860 you're going to have to go see is the Lanham Act branch to talk to them about this and 294 00:23:41,860 --> 00:23:46,370 how to go about doing that. So that's one situation in your law firm that you're going 295 00:23:46,370 --> 00:23:50,010 to have to deal with. Intelligence and situational awareness.
You've 296 00:23:50,010 --> 00:23:53,190 got to know what's going on out there. So you've got your open source intelligence, 297 00:23:53,190 --> 00:23:56,440 where you're going to have your bulletins from the US-CERT. You're going to hire a commercial 298 00:23:56,440 --> 00:24:00,260 company to give you added intelligence on that. Because we know the Government doesn't 299 00:24:00,260 --> 00:24:04,500 get anything first. And so you're going to get that private information there. You're 300 00:24:04,500 --> 00:24:08,029 going to do active business intelligence, which you're going to do that competitive 301 00:24:08,029 --> 00:24:13,240 intelligence. And you've got to be careful not to step on the side of economic espionage. 302 00:24:13,240 --> 00:24:19,159 Economic espionage. So that's set up to protect trade secrets and information. Again, in the 303 00:24:19,159 --> 00:24:24,590 time of this high technology information age. So a couple things. It's getting that information 304 00:24:24,590 --> 00:24:28,110 without authority. You know, you kind of know when you got it without authority, and then 305 00:24:28,110 --> 00:24:31,720 the trade secrets. Now. Good old dog and Christian here kind 306 00:24:31,720 --> 00:24:37,169 of wrote an article dealing with looking at these aspects of economic espionage. And they 307 00:24:37,169 --> 00:24:41,559 say hey, it's a very broad topic. And you've got to kind of be aware of it. You can get 308 00:24:41,559 --> 00:24:46,580 into trouble when you're doing these aspects of getting open source intelligence. Some 309 00:24:46,580 --> 00:24:52,149 lawful means of going out and grabbing information can in fact become misappropriation. And so 310 00:24:52,149 --> 00:24:55,820 you've got to be careful because that combination of all that public information could get you 311 00:24:55,820 --> 00:24:59,429 into trouble. Again, this is kind of dog and Christian's take on this.
312 00:24:59,429 --> 00:25:05,450 Now, there is a case out there that kind of said look, possession of open source information 313 00:25:05,450 --> 00:25:10,110 or readily ascertainable information is clearly not espionage. So you've got some case law 314 00:25:10,110 --> 00:25:13,870 on your side there. But Bill Bradford kind of went down this path 315 00:25:13,870 --> 00:25:16,559 and was talking about the different aspects of economic espionage when he was looking 316 00:25:16,559 --> 00:25:21,200 at firms routinely getting this stuff. And that practice of getting open source publicly 317 00:25:21,200 --> 00:25:24,730 available information for that. So what are you talking about? The desired information 318 00:25:24,730 --> 00:25:29,409 you're looking at. You know, research plans, R&D, things of nature, strategies out there, 319 00:25:29,409 --> 00:25:33,860 publicly available information. You're looking at, you know, common ways to 320 00:25:33,860 --> 00:25:39,000 do this. Data mining, patent. I like the psychological modeling of rival executives. I think that's 321 00:25:39,000 --> 00:25:44,559 kind of neat. That's like my wife wants me to have that done, too. So there's that. 322 00:25:44,559 --> 00:25:50,820 Areas that kind of raised some questions that he looked at when you're talking about ethical 323 00:25:50,820 --> 00:25:54,549 questions was interesting. Because he was like appropriating documents that are misplaced 324 00:25:54,549 --> 00:26:00,820 by rivals, which gets into okay, if I've got an iPhone left behind, if you go to your lawyer 325 00:26:00,820 --> 00:26:04,870 and say hey, I found this. Oh, abandoned property. Hey, it's abandoned. There are no rights to 326 00:26:04,870 --> 00:26:08,929 that property anymore. Let's rip it apart. Okay. Well, there might be that theory. 327 00:26:08,929 --> 00:26:13,640 He talks about overhearing rivals, executives. 
You know, I'm a fan of if you come talk to 328 00:26:13,640 --> 00:26:17,279 me about this one, I'm like hey, that is misplaced trust. I mean, that's the third party doctrine 329 00:26:17,279 --> 00:26:20,929 where if you're going to say something, broadcasting it out. You know, again, these are areas where 330 00:26:20,929 --> 00:26:24,220 it could raise ethical questions, not quite blank illegal. 331 00:26:24,220 --> 00:26:28,760 Hiring employees away from rivals, you've got a Computer Fraud And Abuse Act thing that 332 00:26:28,760 --> 00:26:31,250 really comes into play on that one you've got to be careful on. 333 00:26:31,250 --> 00:26:34,860 And I love the dumpster diving aspect on life. Because actually there are some court cases 334 00:26:34,860 --> 00:26:39,100 out there that once you put your trash out by the curb, anybody can go diving into it 335 00:26:39,100 --> 00:26:42,440 as much as they want. Those areas that are clearly illegal, yeah, 336 00:26:42,440 --> 00:26:48,880 the kind of stuff that you all are really good at on that, and so you've got to be careful 337 00:26:48,880 --> 00:26:53,500 on those things. Again, I'm not an economic espionage lawyer, 338 00:26:53,500 --> 00:26:56,230 so you're going to go to your law firm of Dewey, Cheatem and Howe. You're going to go 339 00:26:56,230 --> 00:27:00,740 up to the economic espionage branch and say: Here is what I'm planning on doing on this. 340 00:27:00,740 --> 00:27:05,029 You know, what do you think? And you've got to take them through step by step those things 341 00:27:05,029 --> 00:27:09,110 that you're going to do. Ironically enough there was a case that came 342 00:27:09,110 --> 00:27:15,909 out just a while ago, the Aleynikov case. A lot of times when you read facts or opinions 343 00:27:15,909 --> 00:27:20,539 on a case, they kind of tell you where they're going as you go through them. So Sergey was 344 00:27:20,539 --> 00:27:25,549 a computer programmer for Goldman Sachs.
He was responsible for one of their high end 345 00:27:25,549 --> 00:27:32,549 important aspects. And it did market developments. It was proprietary information and he was 346 00:27:33,850 --> 00:27:39,710 one of 25 programmers in the highest paid at $400,000. And this was where the facts 347 00:27:39,710 --> 00:27:43,720 get fun, and he's going to be hired at a competitor for a million bucks. 348 00:27:43,720 --> 00:27:47,289 So we can kind of see where things are going, especially when the court says on his last 349 00:27:47,289 --> 00:27:53,630 day of employment, and then it gets better, just before his going away party going, he 350 00:27:53,630 --> 00:27:58,850 decided to give himself a little gift, which was 500,000 lines of code. He sent that off 351 00:27:58,850 --> 00:28:05,580 to Germany and then downloaded it later from Germany. And of course he deleted everything 352 00:28:05,580 --> 00:28:09,940 that he did. And of course he's surprised when he has a "who farted" look when they 353 00:28:09,940 --> 00:28:14,110 come around and arrest him. You're kidding? And he ends up getting convicted of economic 354 00:28:14,110 --> 00:28:21,110 espionage for stealing the source code. Well, he appeals this on the -- at the appellate 355 00:28:21,429 --> 00:28:26,049 level. The appellate court held that this was not a violation of the Economic Espionage 356 00:28:26,049 --> 00:28:30,539 Act. So before you think about going and doing that, it's been modified and amended to take 357 00:28:30,539 --> 00:28:36,600 that into consideration, so don't go do that. The next area of reasonableness and things 358 00:28:36,600 --> 00:28:42,159 you need to do prior to going and hacking someone's computer, your information assurance 359 00:28:42,159 --> 00:28:46,080 policies and training. The big aspect on this is having them in place. You have got your 360 00:28:46,080 --> 00:28:50,750 banners and user agreements.
Being consistent with them and enforcing them when something 361 00:28:50,750 --> 00:28:54,909 goes wrong. So especially with the insider threat aspect, if you're going to do a civil 362 00:28:54,909 --> 00:28:59,960 suit for computer fraud and abuse, were employees being disciplined for violating these different 363 00:28:59,960 --> 00:29:03,269 procedures? So you want to make sure that you're enforcing these policies and you're 364 00:29:03,269 --> 00:29:07,620 actually on top of them. Information control. It's the stuff you all 365 00:29:07,620 --> 00:29:11,850 know about. It's the access lists, encryption, digital rights management. Again, another 366 00:29:11,850 --> 00:29:15,510 step for reasonableness. So if I have got to be in front of a Judge, I can say here 367 00:29:15,510 --> 00:29:20,559 are all the things I did before I had to actually go and retrieve my property. 368 00:29:20,559 --> 00:29:25,559 The deception piece is a very interesting aspect. When you get a bunch of lawyers sitting 369 00:29:25,559 --> 00:29:29,120 around just talking this stuff around, somebody invariably will bring something up like, hey, 370 00:29:29,120 --> 00:29:32,260 did anybody ever think about the SEC? And you're like what the hell does the SEC have 371 00:29:32,260 --> 00:29:38,909 to do with a deception plan aspect? The companies have responsibilities to actually do reporting. 372 00:29:38,909 --> 00:29:43,990 And thanks to good old Reid Hastings and Netflix, you know, the SEC said we can come out and 373 00:29:43,990 --> 00:29:50,519 we can investigate anything that we want that we think is a possible violation of the SEC 374 00:29:50,519 --> 00:29:55,360 laws. Now I'm not an SEC attorney and I don't want to be an SEC attorney. So you're going 375 00:29:55,360 --> 00:29:58,809 to go over to Dewey, Cheatem and Howe and go over to the SEC branch to start getting 376 00:29:58,809 --> 00:30:02,039 their advice.
Now, the disclosure piece on this becomes 377 00:30:02,039 --> 00:30:07,190 a very interesting aspect when you're in this area. So you want to do a deception plan, 378 00:30:07,190 --> 00:30:11,799 so you're going to have things out there internal to your network that is not going to be out 379 00:30:11,799 --> 00:30:17,940 there, that are wrong, that are erroneous, that are deception. So it's no intent. You're 380 00:30:17,940 --> 00:30:24,429 not going to make this public. Then they're stolen and they're leaked to the media. 381 00:30:24,429 --> 00:30:29,720 Is this a disclosure that you've made? I know, they're stolen. They are leaked to the media, 382 00:30:29,720 --> 00:30:34,710 you know, is this an SEC violation or not? I really don't know. Tell me how it works 383 00:30:34,710 --> 00:30:39,950 out when you're in front of SEC attorneys. Because When you're talking about deception 384 00:30:39,950 --> 00:30:42,620 plans or deception examples, what are you going to be putting out there? 385 00:30:42,620 --> 00:30:46,580 Requests for proposals. Now, those could be your requests for proposals that you're putting 386 00:30:46,580 --> 00:30:51,130 out to your suppliers. Or they could be requests for proposals that you have received as you're 387 00:30:51,130 --> 00:30:55,630 doing your bid preparations. So you're putting false information out there, on there, to 388 00:30:55,630 --> 00:31:00,809 be grabbed by your competitors so they don't know what you're doing. 389 00:31:00,809 --> 00:31:06,000 Blueprints and designs. All right. Minor defects. We went back and we said self defense of property, 390 00:31:06,000 --> 00:31:10,940 you can't harm somebody when you're going to defend your property. So it's a minor defect 391 00:31:10,940 --> 00:31:16,700 or a major defect. Are you going to cause harm? 
If it's a product that has engineering 392 00:31:16,700 --> 00:31:21,120 aspects of it, if it's computer code and somebody looks at it and downloads it and melts their 393 00:31:21,120 --> 00:31:26,559 server, are you liable? If it's a car and the brakes don't work, are you liable? So 394 00:31:26,559 --> 00:31:30,610 these are all things that you need to talk to your folks about when you're planning on 395 00:31:30,610 --> 00:31:33,190 doing this. Business plans and financial records. Again, 396 00:31:33,190 --> 00:31:37,289 you're sitting around. I'm not a mergers and acquisitions guy, but somebody comes up and 397 00:31:37,289 --> 00:31:41,450 goes whoa! Wait! Mergers and acquisitions. You've got information about other people's 398 00:31:41,450 --> 00:31:46,970 real companies in here, and if that's stolen and leaked to the media that could harm them. 399 00:31:46,970 --> 00:31:51,909 What if they come knocking on your door saying this was your document. It's not true. I've 400 00:31:51,909 --> 00:31:57,179 suffered a harm. I want some money from you. Now, your lawyers are going to say -- again, 401 00:31:57,179 --> 00:32:01,809 being risk averse -- I don't want to invite litigation in from this aspect. So you're 402 00:32:01,809 --> 00:32:05,610 going to have to be very specific as you go through this, talking to your attorneys. You 403 00:32:05,610 --> 00:32:08,269 know, how you're going to protect this from happening. 404 00:32:08,269 --> 00:32:15,269 Joke. Because I need a thinking break. Okay. So NSA is going to store a whole bunch -- yes, 405 00:32:15,630 --> 00:32:21,070 it's controversial. So all of the aspects of terabytes, petabytes, zettabytes, yottabytes. 406 00:32:21,070 --> 00:32:26,659 So I don't know -- so I was wondering, what's a zettabyte? Well, I dated a Zeta at Michigan, 407 00:32:26,659 --> 00:32:33,659 so talk to me afterwards about that. A petabyte.
Do you realize if you Google the 408 00:32:33,669 --> 00:32:37,799 site of peta, like this is the cleanest image you can actually put on a conference like 409 00:32:37,799 --> 00:32:42,740 this. So I guess that's a petabyte. And obviously the yottabyte is easy. You have that yottabyte, 410 00:32:42,740 --> 00:32:48,340 you have that yottabyte. And if that's not enough, then you'll have a stream all over. 411 00:32:48,340 --> 00:32:51,889 So I don't have a sponsor. So, active defense. 412 00:32:51,889 --> 00:32:57,580 Actually, I did have a sponsor, but I don't want to get into trouble. Ask me afterwards. 413 00:32:57,580 --> 00:33:04,580 Active defense. Recovery operations. The Kobayashi Maru. I do like the new Star Trek. I like 414 00:33:05,179 --> 00:33:11,120 the old one, but I like the new one, too. There is a certain aspect of a no win situation 415 00:33:11,120 --> 00:33:16,049 when you're dealing with this. So I had colleagues ask are you going to actually talk about Clark's 416 00:33:16,049 --> 00:33:19,350 law that nobody has ever heard of? And I'm like yeah, I am. 417 00:33:19,350 --> 00:33:24,630 Clark's law. Get your attorneys involved early and often. Explain the technology to them 418 00:33:24,630 --> 00:33:28,289 at a third grade level so they can understand it. Because they're going to have to turn 419 00:33:28,289 --> 00:33:32,850 to a Judge, jury, or senior leaders and explain it at a first grade level. 420 00:33:32,850 --> 00:33:39,850 So it is very important -- no. You're all smart, so you're going to hire good lawyers 421 00:33:40,090 --> 00:33:45,200 that have been very well trained to be analytical, to be able to ask the right questions on this 422 00:33:45,200 --> 00:33:49,419 aspect. And that's what lawyers should be trained to do. Be analytical and ask the right 423 00:33:49,419 --> 00:33:52,580 questions.
So when you're explaining the technology to 424 00:33:52,580 --> 00:33:56,789 them, you're walking them through that at that third grade level and they should be 425 00:33:56,789 --> 00:33:59,830 able to ask the questions and really understand it. 426 00:33:59,830 --> 00:34:04,409 There's another aspect of Clark's law. Because my active defense scenario, I am not a PowerPoint 427 00:34:04,409 --> 00:34:10,730 ranger so I have some very simplistic graphics to go through our active defense scenario. 428 00:34:10,730 --> 00:34:16,000 So we have our intruder. He's going through the innocent third-party, over to the victim. 429 00:34:16,000 --> 00:34:21,000 He's going to exfil some information over to an open FTP server. He has his other boxes, 430 00:34:21,000 --> 00:34:25,389 his other hop-in point, and he's going to download the information from there. So that's 431 00:34:25,389 --> 00:34:30,510 kind of our scenario for our active defense scenario aspect on life. 432 00:34:30,510 --> 00:34:34,280 So what can I do? You know, the aspect on logging. Yeah, we can log until the cows 433 00:34:34,280 --> 00:34:38,569 come home. You can log that third-party coming in. You're going to kind of look, see has 434 00:34:38,569 --> 00:34:42,819 this third-party touched me before? What have I got from my records? So logging is a piece 435 00:34:42,819 --> 00:34:47,679 of cake from that aspect. The FTP server. Do you log the exfiltration 436 00:34:47,679 --> 00:34:51,020 of data going out? I'm getting ahead of myself because I'm going to knock off the exigent 437 00:34:51,020 --> 00:34:56,810 circumstances right now. I always get the argument, but they went to my R&D shop and 438 00:34:56,810 --> 00:35:00,880 got all of the documents and took out a terabyte of stuff, I have got to go after it and get 439 00:35:00,880 --> 00:35:06,470 it. All right. Fine. Then your lawyer needs to ask a question, you saw them do that.
When 440 00:35:06,470 --> 00:35:11,020 they exfilled the documents, what were the documents? Most of the time we're finding 441 00:35:11,020 --> 00:35:16,240 out that they encrypted them so you have no clue what was taken. Now you do have -- part 442 00:35:16,240 --> 00:35:20,930 of an argument to say yeah, but I know it came from my R&D section, as opposed to just 443 00:35:20,930 --> 00:35:25,460 HR, which is probably nothing but Social Security numbers and personal information. Who cares 444 00:35:25,460 --> 00:35:32,109 about that? This is the company over here. So the circumstances of having to go after 445 00:35:32,109 --> 00:35:36,710 it, it's kind of a challenge on that. But you see on your logs that they went to your 446 00:35:36,710 --> 00:35:39,730 FTP server out there, and you can get that from your logs. 447 00:35:39,730 --> 00:35:46,730 Now, can you see the intruder on the FTP server? It's an open FTP server. Now this is the part 448 00:35:47,180 --> 00:35:51,430 when Marcia Hofmann from EFF was talking at Black Hat, and she said the Computer Fraud 449 00:35:51,430 --> 00:35:56,700 And Abuse Act is kind of vague when it starts getting into the aspect of without authority 450 00:35:56,700 --> 00:36:03,060 or in excess of your authority. Yes, the Computer Fraud and Abuse Act is vague. But I hate to 451 00:36:03,060 --> 00:36:08,569 go to the definition that I use for my children, you know what the right choice is. Are you 452 00:36:08,569 --> 00:36:13,680 in a place that you have a right to be? And it kind of comes down to that. If you're in 453 00:36:13,680 --> 00:36:17,859 that gray area, you're going to want to make sure you're in a place you have a right to 454 00:36:17,859 --> 00:36:20,550 be. So that FTP server, when you get in there, 455 00:36:20,550 --> 00:36:23,800 if it's open and you can log on there, go ahead. Hop on there. See where your files 456 00:36:23,800 --> 00:36:28,890 are from that aspect.
I'm not aware of logs of somebody else logging into the FTP server 457 00:36:28,890 --> 00:36:32,960 is usually something you can see. So usually you're going to have to elevate your privileges 458 00:36:32,960 --> 00:36:38,569 to see those logs from the FTP server to get to the intruder. Now, if that's the case then 459 00:36:38,569 --> 00:36:42,109 you've probably exceeded your authorities and that access that you had, and that's probably 460 00:36:42,109 --> 00:36:46,010 count one of the Computer Fraud and Abuse Act, be that as it may. 461 00:36:46,010 --> 00:36:49,280 We're going to cruise along here because I want to talk about deleting data. So can you 462 00:36:49,280 --> 00:36:54,440 delete the data on an FTP server? If I'm in an open FTP, you can log in, I can log in, 463 00:36:54,440 --> 00:36:59,490 you can log in, anybody can get on. I think that, if we're all in agreement, I'm in a 464 00:36:59,490 --> 00:37:02,410 place I have a right to be. Would that be correct? Okay. 465 00:37:02,410 --> 00:37:07,640 There are files on there. They are available. I can open them up and look at them. You can 466 00:37:07,640 --> 00:37:11,450 open them up and look at them. I can download them, I can upload them. Again, is that kind 467 00:37:11,450 --> 00:37:15,869 of the way it's set up? Can I delete files that are uploaded by somebody 468 00:37:15,869 --> 00:37:22,540 else on there? Yes or no. Is the answer -- if the answer is both, then say both. To my world, 469 00:37:22,540 --> 00:37:27,710 it's typically no. Now this is probably one of the stupidest, silliest things. My files 470 00:37:27,710 --> 00:37:33,410 have been stolen. Uploaded there by somebody else. It's my property that was taken. I'm 471 00:37:33,410 --> 00:37:39,720 in a place I have a right to be. Can I delete those files? Logic says hell yeah, they're 472 00:37:39,720 --> 00:37:45,930 my files. Yes.
But if I don't have that authority to delete files on that server, arguably, 473 00:37:45,930 --> 00:37:51,750 I don't have that authority. What am I going to do? Go talk to your attorney and don't 474 00:37:51,750 --> 00:37:54,690 tell me. From that aspect, you know, it's an argument 475 00:37:54,690 --> 00:37:58,589 of whether I can delete that information or not. Can I go to the intruder and delete that 476 00:37:58,589 --> 00:38:02,920 information that I've seen him take off of there, a closed, protected computer? I have 477 00:38:02,920 --> 00:38:08,950 no authority to be on that box. So from that aspect, like I said, if you're going to do 478 00:38:08,950 --> 00:38:11,900 this, go talk to your attorneys from that part and see how it works. 479 00:38:11,900 --> 00:38:15,910 What if that's an innocent third party over there? And what if you go to your lawyer and say 480 00:38:15,910 --> 00:38:20,540 we went to the FTP server, our documents went out, and they're being stored by that party 481 00:38:20,540 --> 00:38:25,480 box, can I get the logs from that? On an innocent third-party box. Can I go touch that box? 482 00:38:25,480 --> 00:38:27,970 And this innocent third-party, they don't even know it's there. How do they know it's 483 00:38:27,970 --> 00:38:34,970 not there? Because they've got terabytes of data there. There's a bunch of movies on there, 484 00:38:34,990 --> 00:38:37,900 a bunch of stuff on there. There's no way they know what's on their system. Let's just 485 00:38:37,900 --> 00:38:42,430 go in there, take our stuff off and away we go. Well, again, the best way to do it is 486 00:38:42,430 --> 00:38:46,230 contact the third party and get consent. Any time you get consent -- here, talk to any 487 00:38:46,230 --> 00:38:50,240 law enforcement officer. Consent? Yeah, great, let's go. Any time you get consent, that's 488 00:38:50,240 --> 00:38:52,609 the way to go for it when you're talking about that.
489 00:38:52,609 --> 00:38:56,050 Can you go back and trace them back? No. Say you've got an innocent third-party, and they 490 00:38:56,050 --> 00:38:59,579 let you into their logs, and you get back over to that intruder there, again we're still 491 00:38:59,579 --> 00:39:03,890 in that same situation where we're stuck. You know, have you gone to law enforcement? 492 00:39:03,890 --> 00:39:07,220 Is law enforcement involved? Can they get there fast enough from that aspect? If it 493 00:39:07,220 --> 00:39:11,990 is a protected box, typically I cannot go there and get that information. 494 00:39:11,990 --> 00:39:17,930 Deleting the data -- I want to move to if it's a closed FTP server. If this is a closed 495 00:39:17,930 --> 00:39:24,930 FTP server and you see what the log-in information is from your logs, can you go hop on it? Yes 496 00:39:25,020 --> 00:39:32,020 or no. I hear some nos. So when we listen to NSA and EFF up here, they talk about Smith 497 00:39:33,069 --> 00:39:38,000 versus Maryland. That's that case where when I give my phone record to the phone company, 498 00:39:38,000 --> 00:39:42,119 I've exposed it to a third party, I've got no expectation of privacy in that. If I give 499 00:39:42,119 --> 00:39:49,119 you my log-in information, what's the difference? Here's the aspect. So you've got the log-on 500 00:39:49,310 --> 00:39:54,940 information. It was exposed to you. I now know it. Why can't I use it? All right. So 501 00:39:54,940 --> 00:40:01,339 you borrow -- you loan to your neighbor your baseball mitt, some property. And you want 502 00:40:01,339 --> 00:40:04,900 to get it back. And you go to their house and they have got a cipher lock on their door. 503 00:40:04,900 --> 00:40:09,550 Now they gave you that code because your kid had to take care of their cat. So you had 504 00:40:09,550 --> 00:40:12,440 the authority to go over to take care of the cat and use it.
Do you have the authority 505 00:40:12,440 --> 00:40:15,520 to go over to your neighbor's house to get your baseball mitt back by using that cipher 506 00:40:15,520 --> 00:40:21,690 code at that particular time? No. Typically you don't. You're in your post trespass recovery 507 00:40:21,690 --> 00:40:25,710 phase from this aspect of it. It's the OJ Simpson, don't breach the peace. Don't do 508 00:40:25,710 --> 00:40:29,200 anything. I mean, that's the aspects of it. So when you go talk to your lawyers about 509 00:40:29,200 --> 00:40:32,960 this aspect, you're going to say here's the information I've got. Anybody can log into 510 00:40:32,960 --> 00:40:37,849 it using this information. Why can't I log into it using this information and go 511 00:40:37,849 --> 00:40:41,510 do it? Again, these are all these gray areas, this 512 00:40:41,510 --> 00:40:46,050 is the great part on providing the advice, because then you get to make the decision 513 00:40:46,050 --> 00:40:50,950 and if it's wrong you're led away in handcuffs, and I'm having a steak dinner. And 514 00:40:50,950 --> 00:40:55,220 I won't have you as a client anymore. But, at least I had my steak dinner. 515 00:40:55,220 --> 00:41:01,160 So clearly when we're talking about these areas, they're very fact specific. And so 516 00:41:01,160 --> 00:41:05,609 it's kind of difficult to try to get to the questions on it. If a fact changes, it changes 517 00:41:05,609 --> 00:41:09,400 what you can and cannot do. So you need to get involved with your attorneys as you're 518 00:41:09,400 --> 00:41:14,059 walking through this. And, you know, obviously doing this requires good computer network 519 00:41:14,059 --> 00:41:18,809 exploitation in terms of your attribution and your log-ins that you've got for this. 520 00:41:18,809 --> 00:41:22,260 You know, there is an aspect that I always get to as far as stopping the pain when you're 521 00:41:22,260 --> 00:41:28,250 dealing with a denial of service attack.
The part that I would say you really want to look 522 00:41:28,250 --> 00:41:33,700 at for this is DOJ has done the Coreflood botnet takedown, and those documents are all 523 00:41:33,700 --> 00:41:39,010 publicly available. And the steps that they go through to be able to do this kind of gives 524 00:41:39,010 --> 00:41:43,720 you a blueprint for how to legally do it. And of course they are doing it with the courts 525 00:41:43,720 --> 00:41:49,040 involved from that aspect. So if you're curious about doing that part of it, the DOJ documents 526 00:41:49,040 --> 00:41:53,589 that are publicly available out there are a good starting point to take a look at that. 527 00:41:53,589 --> 00:41:58,770 As I mentioned before, the IP Commission report talks about a lot of different areas that 528 00:41:58,770 --> 00:42:01,730 you may want to do this. And the American Bar Association is going to be coming out 529 00:42:01,730 --> 00:42:06,740 with their report down the road. Here is the big thing, and Jeff Moss talks 530 00:42:06,740 --> 00:42:10,430 about this down the road. If you're going to do stuff like this, you need to get a good 531 00:42:10,430 --> 00:42:15,119 team of lawyers. Jeff is actually a fan. I've been at talks where he is like we need more 532 00:42:15,119 --> 00:42:21,400 lawyers who do this to advance this. Not that anybody really likes lawyers. Be that as it 533 00:42:21,400 --> 00:42:25,069 may, you're really going to need a good team of lawyers to do this. Or if you're really 534 00:42:25,069 --> 00:42:30,599 going to do this, you just need one really good lawyer on that. 535 00:42:30,599 --> 00:42:35,470 So with that said, I will be going to a Q and A session, I've got three minutes for 536 00:42:35,470 --> 00:42:40,290 questions right now, from what I understand. So if there's any questions, I'll be hanging 537 00:42:40,290 --> 00:42:43,420 out up here. Thank you for coming.
I hope you got a golden 538 00:42:43,420 --> 00:42:46,020 nugget out of this. If not, I hope there was a joke that you laughed at. 539 00:42:46,020 --> 00:42:46,519 Thank you. (Applause)