[Dailydave] Weev's collateral damage.

J. Oquendo joquendo at e-fensive.net
Wed Nov 21 14:21:21 EST 2012


On Wed, 21 Nov 2012, Daniel Clemens wrote:

> 
> Raises Hand ( 1 ) . 
> A few times.... 
> 
> In one case that I can share I was sitting through the Jury selection process. 
> It was interesting since this ended up being a child exploitation case and the defendant was stating that somehow a 'virus' had systematically downloaded, organized and labeled his collection. I didn't make it through the second round of selection after they asked if anyone had 'forensic experience' or 'malware analysis experience'. 
> They somehow thought that since I had a clue then this wasn't good for the weirdo even if their defense was weak. 
> 
> Takeaway:
> We have to remember each side has a role to play.
> 
> 
> I think it has more to do with the record that if you have federal charges brought against you, they will win 99% of the time. 
> They generally don't pick up cases they will lose easily. 
> 
> The threat of ignorance by our population is a greater threat than the `computer experts`. 
> 
> 
> One would have to disagree.  Each case is different. 
> While we can agree that they will have a hard time statistically, we can't say the end will always be despair.
> In the end our justice system doesn't suffer fools lightly. This goes both ways for idiots as well as those who would attempt to corrupt the system through common 3rd world methods. 
> 


I don't know how many instances of malware I have analyzed
in say the last two years. Had I to guess... To the tune
of at least 80-100 samples easily. 

Minor stats for lack of me documenting it all
https://www.virustotal.com/user/efensive/
http://www.malgenomeproject.org/policy.html (#23)

I have TO DATE yet to find/analyze an instance of malware
that dumped, pulled or pushed child porn onto a machine
or from a machine. Not to say it doesn't exist... However,
evidence is evidence and this is what matters at the end
of the day. The fact you can label someone a weirdo shows
you were likely not a good pick. Not being critical but
you need to put aside personal prefs, likes and dislikes
as a juror.

As for the "takeaway" I can tell you from experience, there
is a lot that never makes the light of day in a trial. This
is evidence that gets argued way before jurors are seated.
Much of this evidence is helpful/hurtful to either party.
This is the game of a trial - "how best to present things
that are favorable to your cause" where an argument by
either side, dictates what a jury will and will not see. In
weev's case, his attorney may not have been fully prepared
to deal with this tidbit. There aren't that many "techie"
lawyers and both sides will butcher technology descriptions
often annoying and confusing the jury. 

As for "more to do with the record" this is a farce. It all
boils down to politics and money, period. I have had companies
I provided incident response/forensics for get compromised, worked
with authorities to document EVERY DETAIL to the letter and
that includes chain of command response/documentation, etc.
To date, this number has been 4... All four instances? Nada.
Zip, zilch, nothing. Wasn't sexy enough to go after some
telco fraudsters. Now, when you throw uber companies into
the mix, "nefarious" characters. It's a no-brainer. The mere
fact weev has a prior on his record gives a DA the green
light to make it a spectacle (set an example). Next up?
Don't know, maybe a cybercrime center with weev as the prime
case... Been there, done that. 

Logically, justice should be just that: justice. Do not let
our interpretations and realities of justice fool you. It's
all about the Benjamins at the end of the day and the high
likelihood the prosecutor needs to buffer his/her resume for
their foray into the private sectors of law. "Responsible
for the prosecution of the most dangerous cybercriminal
who compromised a Fortune 50" ... So boring/distorted most
of these cybercrimes are. Again, from experience, NO ONE
here will see/know/understand that case. To do so, one needs to
get every transcript, read through it all, see all evidence
presented. dot dot dot... Been there, done that. Had two
machines' worth of EVERYTHING printed and submitted as evidence.
Really? Yes, two machines with man pages, whatever was
installed in /usr/local/share, etc. all printed. Obviously
when pallets full of "evidence" were presented it showed
overwhelmingly... You get the point.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF