Subject: [legalxml-enotary] FWD: Re: some thoughts on the improper certificate validation implementation
This is a continuation of the same thread which was posted yesterday, also for inclusion in a discussion of the scope of the TC.

---------- Original Message ----------------------------------
From: Gib Sorebo <gib@CAIS.COM>
Reply-To: Gib Sorebo <gib@CAIS.COM>
Date: Wed, 4 Sep 2002 13:35:35 -0400

> The irony is that Members of Congress are pushing legislation that would shift the burden to those accused of possessing child pornography to prove that the images were not of actual children because of the difficulty in deciphering electronic evidence. The Members argue that prosecutors are saying that it is becoming very difficult to prosecute those suspected of possessing child pornography because the defendants can argue that the child isn't real and force law enforcement to find the actual child. If that weren't enough, legislators also needed to assuage the mainstream film industry that it wouldn't be getting a visit from the porn police for movies like Traffic and plays like Romeo and Juliet that use adults to simulate the sexual exploitation of children. To address those concerns and those of the Supreme Court, which had just struck down provisions of a similar law, the proposed legislation limits its application to "computer image[s] and computer-generated image[s]." That means that an artist who is particularly skilled at creating life-like images of imaginary children in sexually explicit situations on canvas cannot be prosecuted, but if he scans that image onto his computer, he can be. Of course, being the fair legislators that they are, the legislation provides an affirmative defense for these would-be child porn offenders if they can prove that the computer images were not actual children. (See H.R. 4623 - http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h4623rh.txt.pdf)
>
> So it seems that prosecutors are talking out of both sides of their mouths. By their way of thinking, if the computer generated evidence is used to support the government's case, then the evidence should be admitted without question. On the other hand, the defendant must produce extrinsic evidence to support its contentions. I would argue that electronic evidence created by the same party that is proffering it is not sufficiently reliable "to speak for itself." Prosecutors' arguments that we can't tell the difference between imagination and reality only help to defeat the reliability of the other electronic evidence they seek to present. There's a reason the public record exception doesn't apply to government investigations. It shouldn't apply to computer generated evidence either.
>
> Gib
>
> -----Original Message-----
> From: Steven W. Teppler [mailto:steppler@TIMECERTAIN.COM]
> Sent: Wednesday, September 04, 2002 12:21 PM
> To: ST-ISC@MAIL.ABANET.ORG
> Subject: Re: some thoughts on the improper certificate validation implementation
>
> Bob, et al.:
>
> If MS has run afoul of custom and usage in the industry, or proffers sloppily written security software, I agree that a couple of well pleaded complaints will be of enormous influence. To me, these are "market forces" because they can have severe economic impact on a tortfeasor.
>
> My point was not to unearth a bug in MS security architecture, but to underscore the point that law enforcement personnel do not include people such as yourself or Hoyt. To them the GIGO law is something not taught in Law School. They believe what a computer spits out, simply because it did. Prosecutors in the abuse case mentioned are close to declaring that digital images impliedly adopt a variant of the "res ipsa loquitur" theory, in which the evidence "speaks for itself" and thereby needs no corroboration, and in abuse cases, not even a complainant. Untrusted digital evidence emphatically does not speak for itself. To murder an already hackneyed phrase, it's impossible to know what digital evidence content is, because we haven't defined what "is" is.
>
> Steven
>
> ----- Original Message -----
> From: Robert Jueneman <mailto:bob@jueneman.com>
> To: ST-ISC@ABANET.ORG ; Steven W. Teppler <mailto:steppler@TIMECERTAIN.COM>
> Sent: Wednesday, September 04, 2002 11:56 AM
> Subject: Re: some thoughts on the improper certificate validation implementation
>
> Stephen, I don't agree. To the extent that the MS implementation fails to conform to the relevant technical standards in this area, it is not only a bug, but an egregious architectural/design failure that violates the entire intent and purpose of digital signatures. In my eyes, at least, this certainly ought to fall under the "fitness for purpose" exclusion with respect to the software industry's general "claim everything, admit nothing" approach to licensing and liability.
>
> To use your analogy, the situation is akin to an automobile manufacturer providing a brake pedal, but limiting its travel so the brakes can only be applied with moderate force, not enough to prevent injury or death in the event of a panic stop.
>
> But I don't think it will take a legislative or judicial mandate to solve this problem -- winning a couple of juicy tort suits, and the defense bar being able to demonstrate "reasonable doubt" in a couple of high profile criminal cases will have a very salutary effect on the general state of knowledge within law enforcement and prosecution. The same is true for unsigned digital photos, etc. If someone can't demonstrate a complete chain of custody (via the Internet??), then the evidence properly ought to be excluded under the hearsay rule. Even then, the defense ought to be able to grill each of the evidence custodians in order to be able to give some credence that each one of them might have been in a position to tamper with the evidence without detection.
>
> Bob
>
> Jueneman Consulting, LLC -- "Security Solutions for an Insecure World"
> Robert R. Jueneman, President
> 1154 E. Dover Dr.
> Provo, UT 84604
> 1-801-765-4829 (Office)
> 1-866-430-4685 (Toll Free)
> 1-801-765-4378 (Fax)
> 1-801-372-5501 (Cellular)
> consulting@jueneman.com
> www.jueneman.com
>
> This message and any attached documents may contain Jueneman Consulting, LLC confidential or proprietary information and may be subject to privilege or exempt from disclosure under applicable law. These materials are intended only for the use of the intended recipient. If you are not the intended recipient of this electronic message, you are hereby notified that any use of this message is strictly prohibited. Delivery of this message to any person other than the intended recipient shall not constitute any waiver of any privilege. If you have received this message in error, please delete this message from your system and notify the sender immediately. Thank you.
>
> >>> Steven W. Teppler <steppler@TIMECERTAIN.COM> 09/04/02 09:09AM >>>
>
> Hoyt's post is germane and supports the contention in my prior post. It is proper policy implementation that will prevent such man-in-the-middle attacks. Reading through the rather inflammatory article to the source materials used by the Register as set forth in the links in my post, it is clear that this was not an MS "bug." Ignoring proper "Basic Constraints" settings resembles more a situation in which having brakes but not using them while driving constitutes an alleged defect in an automobile. I sincerely doubt, however, that without some legislative or judicial mandate, law enforcement persons will investigate, wonder or even care whether the "digital evidence" that "can't be easily altered" is the result of such a scenario, whether generated from inside or outside the "custodial" framework. For those who are well versed in this arena, such as Hoyt, the issue is perhaps mundane. For those not PKI-centric, I doubt that the definitions as well as the implications of improper certificate validation implementation are understood. My position is that this can and will have dire effects in law enforcement.
>
> Steven
>
> ----- Original Message -----
> From: Hoyt L. Kesterson II <mailto:hoytkesterson@EARTHLINK.NET>
> To: ST-ISC@MAIL.ABANET.ORG
> Sent: Wednesday, September 04, 2002 3:54 AM
> Subject: some thoughts on the improper certificate validation implementation
>
> <snip>