The Secret to Becoming More-Than-Competent in Your Job

The Secret to Becoming More-Than-Competent in Your Job

I was part of an interesting and product online podcast today.   You can check it out at: http://nopskids.com/live/

The topics ranged from hacking, forensics, how to catch hackers, and a little on how criminals sometimes get away with it. Although I didn’t give any tips on how to get away with a crime, other than DON’T DO IT, I did speak a little on some of the things that can be found forensically on a hard drive.  Actually, I think I only had time to talk about one thing (the Windows registry) for a few minutes and nothing of which that has any impact on a criminal using the information to get away with a crime.

The one thing I wanted to stress that even if every top secret, secret squirrel, spy and investigative method was exposed, criminals would still get caught using the very techniques they know.  Proof in the pudding is seeing cops being arrested for committing crimes.  You’d figure they would be the most knowledgeable of not getting caught, but they get caught. Same with accountants being arrested for fraud, and so forth.  I’ve even arrested criminals when they had in their possession, books on how not to get caught.   The most diligent criminal can be identified and arrested by simple mistakes made and sometimes by sheer massive law enforcement resources put on a single case to find a criminal or take down an organization.

With that, I learned a few things from the podcast too.  One of the moderators was actually a case study in my latest book (Hiding Behind the Keyboard).  To be an expert, to be knowledgeable, and to be more than just competent requires talking, listening, and sharing.  That doesn’t mean sharing trade secrets or confidential information, but it does mean having conversations to learn your job better.

When I worked as a jailer, I talked to every person I booked (at least the sober arrestees and those cooperating with the booking process).  I asked personal questions like, “how did you get started with drug use?” and “how did you start doing X crime”?  I learned a lot after hundreds of bookings.  I learned so much that when I make it to patrol and hit the streets, I had a big leg up on the criminal world, in how it worked with people.  That directly helped me in undercover work.  I spoke to so many criminals, both as a police officer and as an undercover (where they didn’t know I was a police officer), that I learned how to investigate people who committed crimes.  I was darn effective.

The point of all this is that talking to “the other side” is not a terrible idea.  Working on the law enforcement side, I promise that if you have a conversation with a criminal defense expert, you will learn something to help win YOUR case.  If you talk to a hacker, you will learn something to help figure out YOUR cases.  The best part, like I said, nothing you give will make a criminal’s job easier.  In fact, anything you say will only make them worry and make more mistakes.

If you are more-than-competent, you can do your job like a magician.   My first undercover case was buying a gram of meth from a cold phone call of a guy I didn’t even have a name for.  As soon as we met, I recognized the meth dealer as someone I arrested a half dozen times when I was in patrol.   Luckily for me, he didn’t recognize me and believed my UC role.  Arrested, booked, and convicted.  This was a career criminal with dozens of arrests who probably met more cops that I ever did at that time.  Still, he was arrested, by me, because I was more-than-competent in my job.  Digital forensics work is no different.

Talk to everyone and share.  I promise you will get more than you give.  And there is no shame in learning that you don't know it all, because none of us do.

1191 Hits

I'm just a Tor exit node! I'm just a Tor exit node!

I'm just a Tor exit node!  I'm just a Tor exit node!

Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

After investigating drug crimes, I went into cyber cases.  The same fear of entering the wrong house became even more worrisome since relying on IP addresses is not the same as relying on your eyes. You have to rely upon a fax from an Internet service provider for the address.  In an investigation case of following a suspect to his home, it is easy to physically see the house for which you plan to swear to in an affidavit.  But with an IP address, you have to rely on some third party service provider to give you the subscriber at the physical address where the IP address exists and trust that the information is accurate. That is at least one step before swearing to an affidavit to ask for authority to force your way into someone's home.  Investigators must still confirm that their suspect and/or evidence is at that particular and specific address, which requires at least some legwork to confirm the physical address.

When Tor is used by a criminal, relying on the IP address is worse than a bad idea, especially since it is so common knowledge that an exit node on the Tor network has nothing to do with the origin of any data that flows through it, other than the data flows through it.  I have taught and wrote about Tor as it relates to criminal/civil investigations for several years now, each time repeating:

IP address ≠ a person

MAC address ≠ a person

Email address ≠ a person

Tor IP address ≠ the address you want

CSI Cyber regularly does one thing right…whenever the cybercriminal uses Tor (proxies) on the show, the Hollywood FBI hackers don’t even try to trace it because they know that a proxy is not going to lead back to the cybercriminal.   They then resort to other means to find the cybercriminal before the hour ends.  Not that any of their other methods are realistic, but at least they got Tor right.  Anyone watching CSI Cyber even one time is exposed to explanations that tracing cybercriminals using Tor is virtually impossible.  This is the “CSI effect” in reverse.

Since TV show viewers can figure it out, you can imagine my surprise seeing this tweet today:

I don’t have access to the case reports, nor know anyone involved, but the one thing I can tell is that if this case was based on an IP address alone, I cannot fathom why no one checked to see if the IP address was a Tor exit node.  Checking a Tor exit node takes about 10 seconds.  The Tor Project even helps and provides everything you need.

https://check.torproject.org/cgi-bin/TorBulkExitList.py

Certainly, there are probably other details that could have led to going to the ‘wrong’ house, but running a Tor relay should not be one of those details.  At least currently, it is not illegal to run a Tor exit node.

The best analogy I can give to how relying on a Tor exit node to accurately reflect the physical address is that using an envelope.  Consider a criminal committing a crime through the mail (mailing drugs or something like that).  Instead of putting his address as a return address, he puts your address as the return address, drives to another city, and drops the package in a mail box on the side of the street.  Let’s say the police seize the package of drugs at its destination and then kick down your door because your return address was on the package.  Any investigator charged with tracking criminals online must (not should) be aware of how Tor works.  Even in the private sector investigating employee misconduct, or IP theft, knowing how Tor works is mandatory when IP addresses are involved.  You just can't get around knowing it unless you don't mind kicking down the wrong door one day..

https://www.torproject.org/about/overview.html.en

On side note, I am one of the biggest advocates of those who have the job of tracking, investigating, arresting, charging, prosecuting, convicting, and incarcerating predators of children.  I have not a bit of compassion for these criminals and I cannot imagine anyone feeling any different.

Coincidently, I gave a presentation on this very topic at an ICAC conference in the Seattle area last year…oh well.

 

UPDATE: APRIL 8, 2016

Link to the search warrant affidavit:  AFFIDAVIT

1605 Hits

The four corners of the Apple v FBI encryption debacle

The four corners of the Apple v FBI encryption debacle

If only the FBI had picked a case where the issue was clear cut…that would make this encryption issue so much easier.

  1. The FBI doesn’t want Apple to simply “unlock” the phone.

Apple (and just about every other high tech company) has been unlocking devices and allowing access to data for law enforcement for decades.  That’s not the issue here.  The FBI wants the encryption to be broken. They want software to be rewritten or written that compromises security features. That’s a lot different than just unlocking a device.  That request breaks security.  Worse yet, it sets a precedent.  Law enforcement knows about precedent setting laws. Sometimes it is good, but sometimes it is not.

  1. It’s not the end of the world if encryption is broken.

Our lights will still turn on. Cars will still run.  Kids will still be able to go to school.  However, online payment systems will be as protected as a wet paper bag, secure communications will be as secure as Windows 3.1, and anything you send electronically is fair game to hackers (and government).  But don’t worry. If encryption is banned or broken, there will still be those able to use encryption (hint: one is government and the other is not law-abiding citizens).

  1. “Terrorist will Go Dark” is the best marketing ever created by government. 

The only time terrorists are not operating in the dark is when they use social media in the open, print terrorism training manuals (which are then posted online), and killing people in the open.  Plus, they still have to drive, fly, walk, eat, sleep, talk, go to the doctor, read a book, watch TV, and surf the Internet.  Terrorist and criminals have all the faults of ‘regular’ folks like complacency, laziness, incompetence, and bad luck when they plan and commit terrorist acts.  I've published two books on catching criminals (and terrorists) with online and forensic investigations.  You can put both books in the hands of a terrorist and the methods to find and catch them will still work.  "Going dark"? If a criminal or terrorist can do all the things needed to carry out their devious plans in encrypted emails ONLY, their plans are going to stink.  Planning an attack or conspiring to commit a crime requires way more than sending encrypted emails.  Working undercover in criminal organizations did teach me a thing or two in how it really works and how they really think and plan.

  1. You have nothing to hide, so what’s the big deal?

The government claims that since you cannot build a house that is impenetrable, you should not have use of encryption that can’t be broken.  Well..if I could make my home impenetrable, you bet I would. If I could buy a safe that was unbreakable, I would.  They just don’t exist.  It’s not that I have anything illegal to hide in a safe, but I don’t want anyone to steal what I have.  It’s not that I have anything top secret in an email, but I just don’t want strangers reading what I am sending to a friend, or to a business colleague.  The point is NOT having something to hide, but rather, NOT hanging my underwear in the front yard on a clothesline for anyone to see or steal (that is, if they wanted to steal my undies…).

And of course, if Apple loses, or bows down to government pressure, I can think of at least one less customer who will buy a "secure" device from Apple since the definition of "secure" will change to "that which you can't break, but hackers and government can". 

1532 Hits

Let's not go all Patriot Act on this Apple - FBI encryption thing.

Let's not go all  Patriot Act on this Apple - FBI encryption thing.

I’ve been involved in about a half dozen conversations, three different email threads, and twice as many emails with friends and clients about this Apple – FBI encryption issue.   It seems to be a divided opinion with no compromise, at least as far as I can see.

 

FBI's Fight With Apple Over Encryption May Erode European Trust in US - Newsweek

http://news.google.com Sat, 20 Feb 2016 19:24:00 GMT

NewsweekFBI's Fight With Apple Over Encryption May Erode European Trust in USNewsweekMax Schrems, the Austrian who brought the Safe Harbor case to the European Court of Justice and won, tells Newsweek that the FBI's possible victory over Apple isn't too concerning to Europeans because it is a targeted access to data—not the pre ...and moreᅠ»

Read more ...

Here is my opinion: “Let Apple develop their software as they see fit for business and consumer demand, as long as their actions do not violate law.” 

That means that I am in agreement with Apple choosing to not decrypt a dead terrorist's phone. I am not a pro-terrorist or pro-criminal person. In fact, in my previous law enforcement career, I arrested more criminals personally than the rest of my 100+ officer department did…combined.  Not once did I have to break the law, bend the law, or misinterpret the law to make any of my cases in patrol or as a detective. Not once did I ask for any leniency or looking the other way ‘just this one time’ to make a case or to gather evidence. Not once. Ever.

So for any law enforcement agency asking ‘just this once’ to do something does not mean ‘just this one time’. It means, “just this one time until we ask again.”  Technical issues aside, whether or not Apple can unlock the phone or just doesn’t want to unlock the phone, the bigger question is why should they?  If a landlord refuses to give a key to a residence that SWAT has a search warrant for, SWAT will just boot the door. They can't force the landlord to give up the key.  I know this analogy is weak in the key area since you can't break unbreakable encryption, but the concept holds true. You can't force the landlord to give up the key unless the key is some how evidence.

Yes, yes, yes, I know this is a terrorist case. I’ve been involved in terrorism cases before  and exactly know how important these cases are (as I have also investigated murders..they are also important). I have seen quite enough to know how important it is to catch pedophiles, murderers, and terrorists. None should be on the street.  But that doesn’t mean taking shortcuts, bypassing Constitutional Rights, or asking a corporation to bend the rules a little to make a case.  Investigators can do this in Hollywood films, but not in real life.  

And yes, I have had cases where evidence was so little that probable cause to arrest didn’t exist. But such is life in the USA. Get PC (probable cause) and make the case or go back to square one.

After 9/11 and we panicked as a country to capture every terrorist responsible, the PATRIOT Act was typed, printed, signed, sealed, delivered, and implemented in 60 seconds flat. I was a federal task force officer at the time the PATRIOT when into effect. I have never seen such authority given to federal law enforcement in such short order without hardly a concern by the citizens the PATRIOT Act targeted (as in, it targets everyone's communications).  We do not need to continue along the lines of granting more authority to do what can already be done under the authority that already exists which is restricted to protect individual rights.  I’ve seen it misused before and it ain’t pretty. It's wrong.

As far as encryption goes, when any encryption is broken or perceived to broken, no one should use it. When TrueCrypt was reported to be flawed, it practically died, as it should.  Broken encryption is like a wet paper bag. It looks like it will hold your groceries until you actually put groceries in it.

Former NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable' - Billboard

http://news.google.com Thu, 18 Feb 2016 15:38:22 GMT

The Week MagazineFormer NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable'BillboardTim Cook's opinion that Apple should not develop a way to hack into the encrypted phone belonging to one of the San Bernardino shooters has earned an endorsement from an unlikely source, though it comes with a big "but." Michael Hayden, the former NSAᅠ...Ex-NSA, CIA chief Michael Hayden sides with Apple in FBI iPhone encryption fightThe Week MagazineFormer Director of CIA and N ...

Read more ...

As for me, any software provider (or secure device provider) that tries to sell me encryption that is so good that no one, including the NSA, can get into it, they better mean it. A disclaimer of, “well, sometimes we might let the FBI access our encryption” means that I am going somewhere else. I have nothing to hide, but I also am not going to cut a hole in my bedroom wall for anyone to peer in and look whenever they want.

For those who fall back on the ‘if you have nothing to hide, you have nothing to worry about’, I fully support your beliefs in waiving your protections. After all, I have given Miranda warnings more times that I can remember and I always asked the suspects if they wanted to waive their rights. Most said yes. It’s their right to waive their rights.  But for me, I’m not waiving anything and I’m not in agreement that the choice to waive or exercise my rights can be taken away because a case agent can’t get enough evidence without resorting to bending the rules ‘just this one time’.

I mean, really. Would you buy a safe to hold your most prized and valuable possessions  knowing that a master key exists? That's like trusting the safe in your hotel closet....

1516 Hits

Tech Talk Can Get You Lost in Lingo

Tech Talk Can Get You Lost in Lingo

    Every career and academic field has its own “lingo” to the extent that a conversation buried deep in lingo sounds like a foreign language. I have experienced military lingo, law enforcement lingo, and technical lingo in my life to the point that I practically dream in acronyms, speak with words not recognized by Webster’s Dictionary, and instantly recognize the glazed-over look when speaking to an non-native lingo listener.

                The reasons for individualized lingo range from the coolness factor such “oh dark thirty”  in order to express time as ‘really damn early’ to efficiency such as using “HMMWV” instead of saying “High Mobility Multi-purpose Wheeled Vehicle”.  Many acronyms are spoken as works when gives an added effect of the listener not having a clue of what you are talking about.  For example, “I’m going to pick up a hum-v” means “I’m going to pick up a high mobility multipurpose wheeled vehicle”. Even in law enforcement, the acronyms can irritate the most patient listener if they are not in the club.

b2ap3_thumbnail_hmmwv.JPG

                There are two situations where lingo can get you killed, or at least make you feel like you are getting killed. One is in court. The other in your writing.

                Getting killed in court by lingo as a witness is painful. In fact, I’ve seen witnesses get physically ill as if the roach coach burrito eaten at lunch has suddenly reached its final destination in all its glory. Getting beat up on the stand by an attorney or judge is so unpleasant, that time actually slows to a stop and you wonder why you even got up that morning. Using lingo on the stand can give you a bad case of ‘why did I say that?” when being cross examined.

                I talk about lingo today, because I recently experienced one of the best cases of using lingo in all the wrong ways in a federal district court.  I gave my testimony first as the defense expert in a class action lawsuit, and spoke as simply as I could to make sure the judge understood what I intended to say. Then the opposing expert was called. One of the attorneys asked her a question, she answered, but her answer was not only complicated, it was complex, full of lingo, and I even felt a sway of arrogance. I barely understood what she said and took notes to make sure I got correct what she said.

b2ap3_thumbnail_courtrooom.JPG

                Then the beating started. The judge asked her to repeat her answer. She did. Then the judge asked her the same question by rephrasing it and asked for a better explaination. The expert answered again but it sounded even more complex. After three more tries with increasing tension and the judge telling the witness that she does not understand the answer, the judge turned to me at the back of the courtroom and said, “Can you tell me what she is trying to say?”

                That is when I knew this cross country trip for court was worth the trip. I translated the opposing expert’s answer, the judge understood it, and the opposing expert said I was correct.  Boom. Lingo killed that day, but luckily it didn’t kill me.

                The other place where lingo can kill is in writing. I’ve written more police reports and affidavits for search warrants than I could ever count and the one thing I learned is to keep lingo out unless it is pertinent, relevant, and understandable. Jurors don’t get lingo and much of what they hear in the movies is incorrect or misused. Judges don’t like it either.  Don’t be the only person in the room that understands what you are saying…

In fiction books where computer technology is a key element or theme, using lingo without explanation is like using a foreign language to frustrate a reader. I say this because I just read an unnamed book that when I read it, I had to really slow down my reading in order to understand what was being described. I don’t like reading slow...which means I won’t finish reading it if I don’t have to.

It is one thing to use a technical term in a sentence, but there comes a point that when the majority of words in a sentence are acronyms and “words” not found in a dictionary, the reader becomes lost and frustrated. That’s not good. It’s not good for reports, testimony, or fiction writing. Nonfiction technical writing is a little different since generally, the reader of a technical writing is a technical person.  For those types of writing, give the definition once and move on since the audience is a technical reader audience. In the other types, even though you give the definition once, the reader/listener is going to forget by the time the uncommon word or acronym is used again. So be sparse in the lingo unless it really matters or that it is used so often, your reader won’t be frustrated trying to figure out what it means.

I’ve given a few talks of putting ‘cybercrime’ into writing for fiction authors who are not computer experts.  Some of the talk is showing what forensics look like (hint: it’s not like what you see in James Bond…) as well as how to use technical terms without turning off the reader or sounding like you don’t know what you are talking about. For me, when I read, I just want to read without having to say to myself, “Excuse me, that’s not how Tor works…”.

Remember, lingo kills.

2012 Hits