
Tenable Blog


Hacker Court 2008 Post Mortem

Another Black Hat conference for the record books! It’s traditional for me to have a panic attack on the eve of Black Hat, trying to pull the Hacker Court team together to work on our presentation (“Hack MyFace”) and swearing I’m never doing this again. This year was even worse: the defendant, Simple Nomad, and the judge, Richard Salgado, both had to cancel at the last minute. We still had to work out evidence details (as Simple Nomad once pointed out, it would be easier to actually hack into a system than generate fake evidence) and now had to find replacement players. Richard Salgado noted that “anyone can be a judge”, but who could fill Simple Nomad’s stylish boots?

Fortunately, fellow NMRC member and Hacker Court veteran, Weasel, came to the rescue to play “Simplé Gnomad”, complete with bathrobe and sunglasses. Hacker Court co-founder, Jonathan Klein, stepped in as a very intimidating Judge.

This case hinged on the fact that the defendant, responding to a journalist’s inquiry, used a zero-day exploit to hack into a presumed social networking site, “MyFace”, with the encouragement of the site’s owner, Mudge, who was really a Secret Service Agent investigating social networking exploits. The site was actually a Virtual Machine (VM) on a server that housed other case VMs (agency budget cut-backs). The defendant not only compromised the security of the “MyFace” site but also broke out of “MyFace” and obtained information about sensitive on-going investigations.

In his opening statement, Prosecutor Paul Ohm accused the defendant of three charges of computer crime: Unauthorized Transmission of a Program; Unauthorized Access to Computers; Obtaining Information by Computer from Government Computer.

Defense attorney Jennifer Granick countered that the defendant was entrapped and that the real villain in this case was the inept Agent Mudge who authorized the defendant to test the security of a system that he owned and who clearly told the defendant there were “no limits.” There was no way the defendant could know that he should stop at the first VM since he was told by the site’s alleged owner that there were “no limits.”

Agent Mudge testified that he engaged the defendant to test the security of “MyFace” and determine if the defendant had a working zero-day exploit. He described monitoring the system during the defendant’s exploit attempt and finally receiving an email from the defendant that noted “eight VMs are a lot for the hardware your host is running on.” This referred to the other VMs used for other investigations. Mudge did not think these VMs were at risk because “they were all perfectly sandboxed from one another.” Apparently, he was mistaken.

During forensic analysis, it was discovered that the defendant obtained a highly sensitive file named “OngoingSecretInvestigations”, which contained the name of the case agent and target for each VM. This was a serious problem since Mudge did not know the identity of the hacker and could not have this sensitive information made public.

Mudge testified that he traced the intruder’s IP address to the “L33t’s Coffee & Tea” in Burbank, California, an Internet café. The barista remembered the journalist being with a regular customer who always wore a bathrobe and sunglasses. Mudge staked out the coffee shop, finally observing the suspect leaving and followed him to a Ralph’s market, where the suspect bought a carton of half & half and paid with a check for $0.73. After the suspect left, Mudge obtained a copy of the check, which contained the suspect’s home address, where Mudge discovered the zero-day exploit in a briefcase. The briefcase was introduced into evidence and opened in front of the judge, who gazed with astonishment at the glowing light and asked “Is that what I think it is?”

Mudge was badgered by Jennifer Granick on cross and forced to admit that he did not impose limits on Simplé Gnomad’s testing.

The next witness called was the journalist who allegedly met with Simplé Gnomad in the coffee shop, Simon Ross (played by Brian Martin). Mr. Ross testified that he ran a blog called “simonsayssecurity.gryppad.com”. When asked to identify the person he met in the coffee shop, Mr. Ross’s attorney, Kurt Opsahl, objected and cited that his client was protected by the reporter’s privilege and should not be required to answer the question. Judge Klein ruled that the government had not exhausted its means to get the IP address from other sources so the journalist could not be compelled to turn that information over. However, it was also ruled that the journalist could be compelled to testify to events he witnessed in the coffee shop and Simon Ross (aka Brian Martin) was ordered to testify. When he (quite rudely) refused to cooperate, Mr. Ross was held in contempt and (forcefully) subdued by the bailiff.

The final witness was the defendant himself, Simplé Gnomad (played by Weasel in bathrobe and sunglasses). Jennifer Granick tried to talk her client out of testifying, since this could add additional charges of obstruction if he is found guilty. However, Simplé Gnomad wanted to clear his name and stated that he was framed.

After closing statements by the prosecution and defense, Judge Klein read the Jury Instructions and the case was turned over to the audience for deliberation with about two minutes left in our time slot. An informal show of hands produced the following verdict:

18 U.S.C. § 1030(a)(5)(A)(i) - Unauthorized transmission of a program: Not Guilty
18 U.S.C. § 1030(a)(5)(A)(ii) - Unauthorized Access to Computers: Not Guilty
18 U.S.C. § 1030(a)(2)(B) - Obtaining Information by Computer from Government Computer: Guilty as charged

Ok, so this was running roughshod over the legal process but most trials don’t have to clear the room so that Caesar’s catering staff can clean up all the beer bottles and plates left on the floor. As we wearily parted ways at the bottom of the escalator, Paul Ohm asked “So, ready to start work on next year’s?”
