[Infowarrior] - Hacker Court @ Blackhat

Richard Forno rforno at infowarrior.org
Tue Aug 5 01:09:46 UTC 2008 

(Disclosure: I know the HC folks quite well, have participated in HC  
at BH Federal, and consider these folks good securitygeek  
friends.....but having said that, it's still a fun and quite  
informative event!! -rf)

http://blog.tenablesecurity.com/2008/08/hacker-court-at.html

Hacker Court at Black Hat!

Hacker Court is once again returning to the Black Hat Briefings! For  
our seventh Black Hat presentation, we will be conducting a mock court  
trial focused on the issues of entrapment, journalist privilege and  
wiretapping, titled "Hack MyFace."

What is "Hacker Court?"

Hacker Court is a loose organization of attorneys, security  
professionals and hackers with the goal of demonstrating the dynamics,  
frustrations and complexity of computer crime trials.

Teaching Points
The Hacker Court mock trials endeavor to teach a technical audience  
the reality of computer crime trials.
Before joining Tenable, I was a free-lance security consultant and  
developed a particular interest in computer crime cases after personal  
experience in dealing with an intrusion. I thought I knew a lot about  
the process, but it wasn’t until I actually worked on a case with the  
Federal Defender’s Office in NY that I realized just how naïve I was  
on how the legal system really worked. The defendant was even more  
naïve and honestly thought that a “jury of his peers” meant that  
people like Simple Nomad, Jericho and Rain Forest Puppy would serve on  
the jury. After all - his “peers” were hackers!

Since then, I’ve been involved in other cases and these are a few of  
the major lessons I’ve learned:
1. Defendants lie, even to their own defense team
2. Admissibility of evidence is up to the judge, not the technology or  
its merit
3. A jurist with an infosec background would be disqualified from  
serving on a computer crime case
4. Defense experts cannot talk about the case no matter how much the  
defendant smears them to his friends
5. There are no “Matlock” moments
6. The trial is all about the attorneys’ performances
7. Technical evidence is boring, especially to the jury
8. A case will most likely not be prosecuted unless there is a 95  
chance of a conviction. Corollary: if you go to trial, you're probably  
going down.
9. Cross examination of witnesses is brutal
10. The trial may take place years after the crime

The most important (and scary) lesson I learned is that the case will  
be won or lost by the side that makes their story compelling and  
interesting. Technical details are neither.

How it's Done
The Hacker Court mock trials demonstrate these points by enacting a  
courtroom environment where the audience is the jury. There is no pre- 
set outcome and we take great pains to make the sure the deck is  
pretty evenly stacked (which differs from most trials where the  
prosecution usually wins). Although we work out the facts of the case  
ahead of time, much of the testimony from witnesses is ad-libbed,  
often with amusing results.

Hacker Court differs from an actual trial in that we streamline the  
process and have some fun with it. An actual trial can take weeks - we  
have 2 hours, which normally wouldn’t cover the opening remarks. Most  
trials are also extremely boring, despite what you may see on TV. We  
take many liberties to make it fun, which no judge in his right mind  
would tolerate in an actual trial. For example, our 2004 presentation  
“Pirates of the Potomac: The Curse of the Bl4ck Perl” featured Simple  
Nomad as “Captain Jack Hack” (aka “Cracker Jack”), a hacker accused of  
“war-sailing” up the Potomac.

This Year's Case
This year’s presentation will once again feature Simple Nomad as the  
defendant, a “l33t” hacker who frequently posts to a blog run by a  
journalist who investigates cases of identity theft and exposure of  
personal information. Nomad claims to have a zero-day exploit that  
will work on any social networking site and is goaded by another blog  
poster to prove it by exploiting a social networking site called  
“MyFace.”

A more complete case summary, along with Speaker bios, may be found at  
the Black Hat site.

More information about the Infowarrior mailing list