At 12:18 PM 5/2/2001 -0500, Harmon Seaver wrote:
>Eric Murray wrote:
>
> > If you testified that you couldn't swear that the log file was correct,
> > the prosecutors next question would be "to the best of your knowledge,
> > did you or someone else modify the log file entries in question?". Unless
> > you knew that you had, or that the machine had been hacked and the logs
> > edited, you'd have to answer "no", making it acceptable as evidence[1].
> >
>
> Not ITYFll -- I'd answer that I'd found log files that had clearly been
>altered so many times that I would never assume they hadn't been. And that
>my log files in particular were constantly in danger of being altered on a
>daily basis, since the tool I use to view them is vi and it's more than easy
>to absentmindedly delete or alter lines with a keystroke.
This is why, if you end up with log files which might be of interest to law
enforcement, there's a good chance that the machine itself will be seized
immediately, or you'll be served with an order to preserve the evidence ..
and then absentminded use of vi can get you some time in jail, and it's not
one of those nice chroot() ones.
> The law requires "proof beyond a reasonable doubt" --- when you are dealing
>with digital bits and bytes, who's to say they weren't altered? That provides
>reasonable doubt easily enough -- maybe the legal world needs educating on
>these points.
The legal world has already been there and done that several hundred years
ago - starting with oral testimony about things held in human memory, which
is even more susceptible to change and misrepresentation than electronic
evidence.
While criminal cases do use a "beyond a reasonable doubt" standard, that's
not the standard which is applied to decide whether or not evidence is
admissible - or to decide whether or not admitted evidence is credible, or
dispositive.
The legal world doesn't need a lot of education about proof - apparently
you need a reminder to use common sense. Juries are made of boring normal
people, who make decisions about who to trust and what to believe in the
same way that they make those decisions in their normal lives. Let's
imagine Juror X, who comes home after a day in court to find their cookie
jar empty, crumbs on the counter, and a kid who's not hungry at dinner
time. Juror X asks the kid what happened - the kid says he doesn't know,
that apparently a burglar got in and took the cookies, and he's
coincidentally not hungry for dinner because he had a big lunch. Does Juror
X conclude "I don't really know what happened - I guess I'll never know.
Houses do get broken into sometimes - burglaries are pretty common. I don't
see signs of forced entry, but some people can pick locks. I guess I can't
punish my kid for eating the cookies, because I can't rule out alternative
explanations for their disappearance."
No. Juror X punishes the kid - probably twice for lying.
Juror X will use the same kind of common sense and information about human
nature and the probability of exceptional events when evaluating testimony
in court.
The other aspect of this that you seem to be missing - both from a
practical and from a theoretical standpoint - is that individual items of
evidence rarely stand alone .. or if they do, they're not as credible. If
the only evidence against a defendant were entries in a logfile which had
been sitting on an insecure computer for months, it's unlikely that there
would be a prosecution in the first place. In the real world, there are
likely to be a number of logfiles and other items in evidence which agree
with each other. If the prosecution can show that an e-mail appears in the
"Out" folder on the defendant's computer, and that the same email was the
one which the victim received - and especially if the intermediate
mailservers also show receipt and retransmission of that message, with
dates & times which are at least a rough match - then the "tampering"
argument goes nowhere fast.
No individual item of evidence needs to show guilt beyond a reasonable
doubt - it's the combination of many pieces of evidence - some oral, some
physical, some documentary - which needs to add up to "beyond a reasonable
doubt". Because it's the combination that matters - and because the
combination is made in jurors' minds - evidence doesn't need to be perfect,
or individually dispositive - before it's admitted, or before it gets some
credibility.
The proof process turns into a big Bayesian problem - the sum of evidence
received is likely to point at a lot of different possible explanations,
but frequently one (or a cluster) of explanations seems likely enough to
meet the plaintiff/prosecution's burden of proof. Jurors don't even need to
agree about which items of evidence they personally found credible or
convincing - they just have to agree on a verdict.
--
Greg Broiles
"Organized crime is the price we pay for organization." -- Raymond Chandler