Aaron Caffrey walked free from Southwark Crown Court last week after being cleared of launching a DDoS attack on one of the busiest ports in the US, even though both the prosecution and defence agreed that Caffrey's machine was responsible for launching the attack. He had a list of 11,608 IP addresses of vulnerable servers on his hard drive, and there was a 'suspicious' script on his system, which was signed by someone called Aaron, but he was found not guilty by a jury.
This is not the first time a Trojan horse has been used to explain illegal activity. In two recent cases, defendants were acquitted of child pornography-related offences by arguing that images found on their computers were placed there by hackers using Trojan horse programs.
In Caffrey's case, a Trojan horse was never discovered, but the defence counsel argued that a Trojan armed with a 'wiping tool' was responsible, giving control of the computer to an attacker who launched the DDoS attack, edited the system's log files and then deleted all traces of the Trojan.
Had the jurors been technology experts, or even computer-literate, I wonder if the ruling would have been the same. I spent most of the first week of the trial in the public gallery and found it didn't take long before the jury's eyes glazed over because the technical arguments sounded like a Russian version of Moby Dick that had been translated into English using Babelfish. By the third day, one of the jury members had to be discharged because of a severe migraine, which was indubitably brought on by the jargon.
The prosecution were confident they had enough evidence to prove their case, which in my own opinion was justified. However, it was the jury that had to be convinced and it was impossible to do so unless they could present the evidence in a manner that made sense -- but however they tried, they could not.
Professor Neil Barrett, technical director at Information Risk Management, seemed like the most knowledgeable person in the room and did a great job. With the help of a diagram, he tried to explain how it was impossible for anyone to have edited Caffrey's log files -- he said that if they had, the physical blocks of data on Caffrey's hard drive relating to the log file would have shown some fracturing. But seeing as Barrett did not examine the actual hard drive, only a "forensically sound" image of it on CD, there was probably enough doubt to dismiss his testimony.