Lawyer representing whistle blowers finds malware on drive supplied by cops (arstechnica.com)
197 points by aestetix on April 15, 2015 | 66 comments


"The allegations submitted for review appear to be limited to misdemeanor violations which do not rise to a threshold for assigning a case to the CID Special Investigations Unit," the commander of the CID wrote in a September 29 letter declining the request.

I guess felony hacking charges are only for teenagers changing desktop backgrounds.


When crimes are committed by law enforcement, the penalties should be higher than for non-LEO.


That would be ideal and would hold LEOs to higher standard, but in reality, the exact opposite happens.


I wonder if codifying this in law specifically would counteract what happens in reality (DA's operating by creationist logic when the perp is of Blue ethnicity).


It seems from what I've read that this event goes to `chain of custody`, and by necessity invalidates ALL digital evidence for EVERY case handled by this police office unless provenance can be reliably established beyond all doubt, and that provenance can be proven not to affect 'original' copies in this or other cases.

It is a catastrophic failure of procedure that invalidates this, and possibly all, copies of this evidence, causing it to be judged inadmissible.

From wikipedia[1]: When evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to prevent tampering or contamination. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been “planted” fraudulently to make someone appear guilty.

Regarding other comments in this thread about law enforcement being held to a higher standard, they would be. The higher standard is that when they fail to follow proper procedure like this, the effect is that the evidence (and often the entire case) is summarily dismissed, and the defendant cannot be tried again for the same crime. The entire US legal system has this built-in bias. Whereas a defendant in a similar position of supplying discovery documents would not be held to the same standard risking summary judgment, and might be able to provide replacement copies for discovery, and continue with the defense more or less normally.

1: http://en.wikipedia.org/wiki/Chain_of_custody
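The practical form of the chain-of-custody argument above is a hash manifest taken at handoff: a record of every file and its digest, so that anything added, removed or altered afterwards (such as files appearing in a discovery folder later) can be shown rather than argued about. The script below is an added example, not from the article or any commenter; it assumes only POSIX sh plus the coreutils `sha256sum`, `find`, `sort`, `cut` and `comm`, and the drive directory and manifest paths are placeholders.

```shell
#!/bin/sh
# Added example: record a SHA-256 manifest of a handed-over drive and later
# report every file that was added, removed or modified relative to it.
# Assumes coreutils (sha256sum, find, sort, cut, comm); file names containing
# newlines are not handled.
set -eu

# make_manifest DIR OUT
#   Write "hash  ./relative/path" for every regular file under DIR, sorted by
#   path so two manifests of identical trees are byte-for-byte equal.
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$out"
}

# verify_manifest DIR MANIFEST
#   Print one line per discrepancy (ADDED / REMOVED / MODIFIED, then the path).
#   Returns 0 when DIR matches MANIFEST exactly, 1 when anything differs.
verify_manifest() {
    dir=$1; manifest=$2
    work=$(mktemp -d)
    make_manifest "$dir" "$work/now.bypath"
    # comm needs both inputs sorted the same way: once by whole line
    # (hash first) for content comparison, once by path for name comparison.
    LC_ALL=C sort "$manifest"        > "$work/before"
    LC_ALL=C sort "$work/now.bypath" > "$work/now"
    cut -c67- "$work/before" | LC_ALL=C sort > "$work/before.paths"  # 64 hex + 2 spaces
    cut -c67- "$work/now"    | LC_ALL=C sort > "$work/now.paths"
    {
        comm -13 "$work/before.paths" "$work/now.paths" | sed 's/^/ADDED    /'
        comm -23 "$work/before.paths" "$work/now.paths" | sed 's/^/REMOVED  /'
        # Lines new to the current manifest whose path already existed: the
        # content changed under the same name.
        comm -13 "$work/before" "$work/now" | cut -c67- | LC_ALL=C sort \
            | comm -12 - "$work/before.paths" | sed 's/^/MODIFIED /'
    } > "$work/report"
    cat "$work/report"
    if [ -s "$work/report" ]; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

# Usage (paths are placeholders):
#   custody.sh make   /mnt/discovery  handoff.sha256   # at handoff, both sides keep a copy
#   custody.sh verify /mnt/discovery  handoff.sha256   # before any later use
case "${1:-}" in
    make)   make_manifest   "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Both parties keeping an independent copy of the manifest is what gives it evidentiary value: a manifest that travels only with the drive can be regenerated along with whatever was added.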


There are quite a few ways that this sort of software could be on the drive without malicious intent by the police department. This article is pretty light on details but it doesn't sound like anyone has actually examined these drives to determine this.

Some possibilities:

* if the police computer was itself infected and the malware was trying to propagate

* The data was copied from a drive or computer that was infected


If the malware came from the police computers then wouldn't that likely taint all the data supplied, to, well, everyone? Every defendant for at least the last year will be taking a shot at this, and why not?


Ding ding.

There's really only 4 possibilities, and they're all significant.

1) PD is responsible, and intentionally infecting defense attorneys with malware. Major obstruction of justice.

2) PD is responsible, and has been hacked. At a minimum, all their computer evidence is tainted; who knows if someone has been using their access for ill as well. Access to police DBs is useful for all sorts of nefarious purposes.

3) Defense attorney has faked the whole thing. Noteworthy in its own right; defense attorneys are pretty used to losing as a matter of necessity so for one to go on some kind of intentional crusade against the local PD, especially in such a public and falsifiable way... No judge will sign off on criminal sanctions here without a thorough investigation, so this is extremely unlikely barring a psychotic break (which does happen now and again, it's a high-stress job).

4) Defense attorney has been hacked. Who hacked him? Have any of his clients been affected? Is someone, perhaps a technically sophisticated someone, targeting defense attorneys?


That fourth one is the killer. Regardless of its truth or falsehood, it gives everyone an out because none of the interesting consequences of the first three have to happen.

Perhaps the proper move would have been to surveil the malware without revealing that you know of it. Could prove/falsify #4, or implicate PD conclusively if #1.


Seems like a few people here didn't read the article in full:

"Additionally, the placement of these trojans, all in the same sub-folder"

All in the same directory! Whoever it was, he certainly was even tidy.

Besides, we're talking about evidence here. Even if it was "just" the case of police computers infected with... three (three!) backdoors, that would be extremely serious.


The article points out that the police claim to have "real-time AV protection." And it would probably have passed through a police computer at least once, I doubt they'd be booting into a seized hard-drive.


Those of us in the AV industry know that in practice AV software misses a lot of stuff, and updates need to be deployed properly as well. It's quite possible that AV software was installed but failed to catch this infection.


False positives are also a problem. In particular, there are stories of "Hello World" programs being detected as malicious.


What you say is generally true. But we know that the lawyer's AV caught it. I have trouble believing that a law firm has better IT than a police digital forensic group. I guess one way of determining if it would have been caught by outdated or marginal AV software would be to figure out when the variants mentioned in the article were identified and added to most AV DBs. A project for another day perhaps.


"Never attribute to malice that which is adequately explained by stupidity." My guess is that one of the police computers is infected, but it shouldn't be too hard to install this malware on a VM and see where it phones home.


It's a worthless phrase unless you have some understanding of the likelihood of malice based on whom you're dealing with.

If you're dealing with malicious people, then that phrase completely loses its already low value.


Good thing they weren't complacent and they had the drive checked. It's appalling that this came from a police department, but it could happen with any drive someone gives you, accidentally or maliciously.

What's the best way to counteract this? Only plug foreign drives into a dedicated computer, probably running Linux, so you can scan it and copy the files you need before letting them touch other machines?


Linux isn't necessarily immune to USB malware. There are a lot of drivers for USB devices in Linux and any of them could have a bug. For example people only recently started doing fuzzing on filesystem drivers.


Absolutely. You want something ephemeral - meaning software AND hardware you can nuke. And even that isn't 100%.

What's demonstrated in this article is extremely inelegant and clumsy. Truly malicious rootkits and the like are a bit more sophisticated.


Nowadays I check any drive that's been out of my house, after my spouse brought a virus home from her workplace. A dedicated Linux box, a quick booting distro on a trusted flash drive, or even a Raspberry Pi can be used for this purpose.


I would second the Raspberry Pi, it would be more or less immune to malware that targets x86 land, even Linux based malware. Still, I'd not have it connected to the network and I would wipe the Pi's SD card afterward, just to be sure. Scripts can run on any architecture.

The Pi doesn't have a BIOS or EFI on board, it uses a special partition on the SD card to POST from, so there's no worry of the device itself being infected.


> The Pi doesn't have a BIOS or EFI on board, it uses a special partition on the SD card to POST from, so there's no worry of the device itself being infected.

It might be possible for a malicious script that gains root access to replace the SD card firmware with something that looks clean on the Pi, but delivers malware when some conditions are met.


Yep, which is why I said "I would wipe the Pi's SD card afterward, just to be sure. Scripts can run on any architecture."

The SD card is not part of the RPi; there's nothing on the board itself that is writable.


Wiping the SD card using standard disk tools would not affect the SD card's firmware. SD cards are not dumb storage devices; they have built-in CPUs that handle DRM, protocol interfacing, and wear leveling, possibly among other things. That CPU has its own firmware, which might be reprogrammable by an attacker that knows the right commands to send.


Fair enough, I didn't think about that. I guess if you were using a RPi for a quarantine job like this, you would consider the SD cards as one time use devices and destroy them after use. The RPi itself shouldn't be affected though.


You can always boot from a ROM/7400 board with no writeback capability, although that's a bit of a pain to set up.


In that case, you might be better off using a MIPS based device (old router, maybe?), since ARM is gaining popularity.


From what I've heard recently, targeting ARM may be problematic because two ARM processors may not support the same features, or function the same way. Then again, maybe there's a low-end subset of ARM instructions that should work on any chip, similar to the instruction set for the i386?


The Arm specification primarily focuses on the protected mode opcodes used by applications. This is why Arm application binaries are portable across machines.

The real mode opcodes needed to bring up a kernel are a mess on Arm, with each manufacturer using their own instruction set.


This explanation is garbled. The opcodes are not fundamentally different (although more are added from ARMv6 to ARMv7 e.g. the Pi 1 to Pi 2 transition), and there isn't the X86 different set of "real mode" opcodes.

What is different is the boot sequence and system register layout. On a PC you can write one bootloader that works across multiple systems because either the peripherals are at the same place or BIOS/UEFI code is provided to sort it out for you. This is not the case on ARM; uboot and devicetree are attempts to fix it.


You can feature detect at runtime. And or pick a subset. It is complicated but workable.


Raspberry Pi does make a lot of sense. It's cheap enough, small, and doesn't consume much power so it's easy to have one around for this purpose.


Since I got a couple of RPis for fun, I've been thinking of uses for them that would augment the security of my regular Windows PCs. I've set up a file backup method where the RPi "pulls" files from my PC via my home network, but does not grant the PC read or write access. This is all just garden variety Linux commands, mounting the Windows share, and copying files from it. I think that my method is immune to "ransomware" attacks. To cloak itself, the ransomware has to decrypt files when they are fetched, until it decides to lock you out.
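The pull design above keeps the PC from reaching the backup host, but a plain copy still overwrites yesterday's good files with today's encrypted ones once the ransomware stops decrypting on read. The script below is an added example, not the commenter's own setup; it keeps dated snapshots and refuses a snapshot when an implausible share of files changed since the last one. It assumes POSIX sh with `find`, `cmp` and `cp`; the CIFS mount line, the share name and the backup paths are illustrative placeholders, and `rsync --link-dest` is suggested in a comment as the space-saving alternative on a real Pi.

```shell
#!/bin/sh
# Added example: snapshot-style "pull" backup with a change-rate guard.
# Assumes POSIX sh plus find, cmp, cp, ls and date. Paths are placeholders.
set -eu

# changed_percent SRC LAST
#   Percentage (integer) of files under SRC that are new or whose content
#   differs from the same path under the previous snapshot LAST.
changed_percent() {
    src=$1; last=$2
    ( cd "$src" && find . -type f -print ) | {
        total=0; changed=0
        while IFS= read -r f; do
            total=$((total + 1))
            if [ ! -f "$last/$f" ] || ! cmp -s "$src/$f" "$last/$f"; then
                changed=$((changed + 1))
            fi
        done
        [ "$total" -eq 0 ] && echo 0 || echo $((changed * 100 / total))
    }
}

# pull_snapshot SRC DEST MAX_PERCENT [NAME]
#   Copy SRC into DEST/NAME (default: UTC timestamp) unless more than
#   MAX_PERCENT of the files changed since the newest existing snapshot.
#   A first snapshot is always taken. Returns 0 on success, 2 when refused,
#   and prints the snapshot path on success.
pull_snapshot() {
    src=$1; dest=$2; max=$3
    name=${4:-$(date -u +%Y%m%dT%H%M%SZ)}
    mkdir -p "$dest"
    last=$(ls -1 "$dest" | LC_ALL=C sort | tail -n 1)
    if [ -n "$last" ]; then
        pct=$(changed_percent "$src" "$dest/$last")
        if [ "$pct" -gt "$max" ]; then
            echo "refusing snapshot: ${pct}% of files changed since $last (limit ${max}%)" >&2
            return 2
        fi
    fi
    snap="$dest/$name"
    mkdir "$snap"
    # cp -a keeps the example dependency-free; on a real Pi
    # `rsync -a --link-dest="$dest/$last" "$src/" "$snap/"` would hard-link
    # unchanged files so each snapshot costs only the delta (assumption).
    cp -a "$src/." "$snap/"
    echo "$snap"
}

# Illustrative nightly use on the Pi (not executed here). The share is mounted
# read-only on the Pi side; the PC has no account on the Pi at all.
#   mount -t cifs -o ro,credentials=/root/.smbcred //pc/Documents /mnt/pc
#   pull_snapshot /mnt/pc /var/backups/pc 30
```

A refused snapshot is the alert: if 30% or more of a document tree changed overnight, something is rewriting files wholesale, and the previous snapshots are the copies worth keeping. Ordinary editing rarely touches more than a few percent of a tree between runs, so the threshold can be tuned from the percentages the guard reports.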


Disabling AutoPlay and any other "automatically run a program when media is inserted" feature would be a good first step. Not running executable files (Windows users: unhide those file extensions!) that have no reason to be executable, and using AV software (or multiple, like those online services) to scan the files you are interested in is also a good idea.

If you're really paranoid, do everything with a separate machine.


People have put little Atmel nanos in USB drive cases that emulate a virtual keyboard. Sending a few keystrokes could open a command prompt, download, and run an executable.


I'm having a hard time picturing a local police department in Arkansas having the technical skills needed to make use of this malware. But maybe they paid someone. Or it's a false flag. Who knows.


That's assuming they're working alone for their own intent. Given how federal government agencies are responding to FOIA requests to local police departments regarding stingray operations, it wouldn't be completely ridiculous to consider they had help/orders from federal agents. That's just speculation, but it's possible.


"the district doesn't have the technical resources to conduct such a probe"

I love how they don't have resources for this, but if the plaintiff happens to speak some international language for which they don't have a translator, they fly one in from wherever they are available and pay them huge amounts of money for maybe 2 hours of work (I know it's a bit more complicated than that, but it's still resources), but you can't dedicate a few thousand to verify how the stuff got onto the hard drive.

[1] Corrected spelling etc: Need more coffee


So... The FBI might have such resources? A whole department of dirty cops attempting to obstruct justice using cybercrime (their remit) being... a big target.

Police officers take oaths to protect the public on behalf of the US federal & state governments, and to uphold the Constitution. Breaking these oaths and abusing the power they are granted for personal gain or to cover up things that occurred on duty is, to be blunt, treason. It's easy to be a bad police officer who deserves to be fired for egregious negligence or excessive force or poor performance, but premeditated attempts to protect their own from the justice system represent the worst sort of insurrection this country can realistically face. I don't see why a terrorist or a Soviet spy should receive one sentence, and an officer running a corrupt police department should receive another: They are all trying to overthrow our functioning government.

Did that happen here? I don't have any idea. But when internal affairs ceases to act aggressively to investigate this sort of thing, it casts the entire department's fidelity into doubt.


"Says police department brass tried to infect him, seeks criminal sanctions."

First, the lawyer most likely found the malware via anti-virus software and did not detect a new malware specifically targeted to him. Second, the police probably used the drive at an unsafe machine.

Is it only me who finds this illogical nonsense? It sounds like if I get a "real world" infection like xyz flu - I have the right to seek criminal action against the person who got me that infection.


One big difference is that an innocent policeman infected with the flu is not put under the secret mental domination of a criminal puppetmaster.

Even if you give the police the benefit of the doubt and assume zero malicious intent, the fact that malware appeared on the drive suggests either:

(A) Mishandling of evidence by cycling it through an insecure/unofficial system.

(B) Official systems have been pwned, and they are no longer trustworthy!


No, an independent forensic expert who received the drive found the malware.

And the malware was inside a folder that had been created on the drive called "Bates Court Order". Meaning that the drive wasn't infected already, but somehow -after- the folder copying all the documents for discovery onto there, these several different pieces of malware all decided the best place to load themselves onto this drive was in this particular folder.


hear fucking hear

EDIT: Ahh yes, downvoted for agreeing. Fantastic guys!


We detached this subthread from https://news.ycombinator.com/item?id=9378403 as off-topic.


To clarify, you probably got downvoted because it doesn't contribute anything. We have upvotes for agreement.


Fair enough, perhaps upvotes should be visible. Thanks


I think it's a deliberate choice on HN to not have it because it promotes hive-mind behavior/opinions. You can see your own comment's points for kicks though.


Comment rankings used to be visible, but were removed. I have a feeling there's a discussion in the archives somewhere about the reasoning.


Under that assumption, upvote should not be a way to voice agreement, as that implies that downvote is disagreement. But downvote leads to graying-out and disappearance, which is just perfect to induce the hive mind.

And yes, downvoting into oblivion articulate comments not at all devoid of content really has become endemic here, and many (though certainly not all) of those I read anyway were obviously downvoted for disagreement, often political. The result is a strong hive mind at HN. (I've seen that opinion on HN voiced outside of HN more than once.)


> downvoting into oblivion articulate comments not at all devoid of content really has become endemic here, and many (though certainly not all) of those I read anyway were obviously downvoted for disagreement, often political

Maybe I'm biased, but I personally had the opposite feeling, the majority of the comments I see grayed out are usually somehow aggressive/salty rants that don't really try to bring anything useful to the thread, and the few other ones are comments with technical details that are plain wrong.


I probably unconsciously undercount "legitimate" grey-outs, so... maybe. Still, you really can't have all three of these: (1) Votes to register (dis-)agreement and (2) very prominent visual effect of downvotes, yet (3) no hivemind induction.

I'm not lobbying for changes. The whole up/downvote business is really hard, maybe there's no better way. Just thought people here might be interested in the fact that HN has been getting somewhat of a hivemind reputation, lately.


I think it's a childish and nonacademic worldview if you think the only value in another post is if you agree or not.


Are they asking thought provoking questions or contributing new information or insights, or is it a me-too comment? The latter does not really contribute to the conversation.


"We have upvotes for agreement" is not exclusive - it doesn't mean "only use upvote for agreement".


At this point, there is absolutely no evidence, beyond the defense attorney's claim, that the malicious software neither existed prior to him handing it over to the police department, nor that it was installed after the fact, by the defense attorney. It is just as likely that, in either of those possibilities, this is a self-inflicted attempt by the defense attorney to discredit the police. Arstechnica, and every comment that I've read, both there and here on YC, reach conclusions based on a potentially, and just-as-likely-false, premise: that the act of the software installation occurred as a result of some action or inaction of the police. False premise = potentially false conclusion. Brains, people, brains. Use them, please.


Maybe the Arstechnica article is biased towards the defense attorney's side of the story - but I definitely don't see the primary issue here as being law enforcement officers installed said software (as you pointed out, this is yet an unproven hypothesis - though quite a likely one perhaps). At least for me the substantiated and proven issue is that the CID Special Investigations Unit refused to investigate whether such a thing occurred.

> Brains, people, brains. Use them, please.

Adding insults to your comment does not make for a better discussion.


The answer, which I'm confident that you know, based upon your allowance that perhaps the attorney is making a falsified claim, is that there is nothing, at that point. Charges for different crimes require different levels of evidence. Charges for the same crimes, committed in different circumstances (motive, for example) require different evidence (and intention). Charges in different locales require different levels of evidence. All these facts, and plenty more, are far beyond the scope of an uninformed Arstechnica columnist.

Edit: the fact that someone saw fit to down vote this comment is proof of idiocy, in and of itself. Just because you don't understand how the criminal justice system works, is no fault of mine.


You're being downvoted for weirdly aggressive attitude and for the insult which you refused to remove.


Is it an insult or a plea for reasoning? No, I have a Bachelor's degree in CJ, but outside of that, if the primary issue is the determination to pursue charges, then what happens if there are no actions which precipitate charges?


> "Is it an insult or a plea for reasoning?"

The former. Possibly also the latter, but definitely the former.


And, potentially biased, from the Arstechnica side?? That's an understatement, to say the least. I can say, with a fair amount of certainty, that nearly every, if not every writer on the Arstechnica payroll, is absolutely biased toward the defense side, in this case, and just about every other one. Scrape their site and return the pro-law enforcement vs negative-law enforcement articles, and there will absolutely be an enormous bias present.


If law enforcement is on average generating more negative newsworthy incidents than positive ones, then the unbiased thing to do is to publish a proportionally higher number of negative articles. You'd have to weight the incidents by importance and see if they are more likely to publish less important negative articles and less likely to publish more important positive articles.


This, too, begins with a false premise: that journalists are equally likely to seek out positive and negative stories, and to give both of them equal importance. That is a naive assumption, unfortunately, and the facts of reporting - bad events make for good copy - prove it entirely false.


It's not false, just oversimplified. I swept all that complexity under the word "newsworthy".


This is incredibly easy to prove. Count all the good stories that have happened, and all the bad. Compare the ratios to different publications.

Of course, it is a lot harder to prove if you are saying something different than the truth.


> This is incredibly easy to prove. Count all the good stories that have happened, and all the bad. Compare the ratios to different publications.

I think that's likely to be a lot more difficult than you think: how does an independent observer know what the count of good and bad events is, rather than the count of good & bad published events? The trouble is that if an event isn't published, it's practically invisible to an observer.

This is a related issue to the fact that many sensational crimes are less common today, but perceived to be more common due to over-coverage in the media.



