The case of the Trojan Wookiee

The complex nature of trials involving Trojan horses and flaws in Windows not only puts juries to sleep, it also potentially opens the door to some wacky defence arguments

Aaron Caffrey walked free from Southwark Crown Court last week after being cleared of launching a DDoS attack on one of the busiest ports in the US, even though both the prosecution and defence agreed that Caffrey's machine was responsible for launching the attack. He had a list of 11,608 IP addresses of vulnerable servers on his hard drive, and there was a 'suspicious' script on his system, which was signed by someone called Aaron, but he was found not guilty by a jury.

This is not the first time a Trojan horse has been used to explain illegal activity. In two recent cases, defendants were acquitted of child pornography-related offences by arguing that images found on their computers were placed there by hackers using Trojan horse programs.

In Caffrey's case, a Trojan horse was never discovered, but the defence counsel argued that a Trojan armed with a 'wiping tool' was responsible, giving control of the computer to an attacker who launched the DDoS attack, edited the system's log files and then deleted all traces of the Trojan.

Had the jurors been technology experts, or even computer-literate, I wonder if the verdict would have been the same. I spent most of the first week of the trial in the public gallery and found it didn't take long before the jury's eyes glazed over, because the technical arguments sounded like a Russian version of Moby Dick that had been translated into English using Babelfish. By the third day, one of the jury members had to be discharged because of a severe migraine, which was indubitably brought on by the jargon.

The prosecution were confident they had enough evidence to prove their case, which in my own opinion was justified. However, it was the jury that had to be convinced, and that was impossible unless the evidence could be presented in a manner that made sense -- but however they tried, they could not.

Professor Neil Barrett, technical director at Information Risk Management, seemed like the most knowledgeable person in the room and did a great job. With the help of a diagram, he tried to explain how it was impossible for anyone to have edited Caffrey's log files -- he said that if they had, the physical blocks of data on Caffrey's hard drive relating to the log file would have shown some fracturing. But since Barrett did not examine the actual hard drive, only a "forensically sound" image of it on CD, there was probably enough doubt to dismiss his testimony.

Another witness the police conjured up was a member of their Computer Crime Squad, who was responsible for forensically examining Caffrey's PC. He told the court it was impossible to cut some text from one log file and paste it into another log file from a remote computer: "The technology does not exist," he said, with a straight face. This probably meant nothing to the jury, but caused a smirk among the tech journalists sitting with me in the public gallery.

The problem this kind of case presents is that, however improbable the scenario, it is possible that a Trojan opened a back door for a hacker and then removed any evidence of itself and the uninvited guest. It is also possible that Caffrey decided to attack someone who insulted his virtual girlfriend in a chatroom, but didn't realise the damage his script would cause.

Regardless of who did what to whom, the real problem is that there are far too many servers and desktops that are vulnerable to attack. There are also far too many people who know how to code these scripts, and even more who know how to download and use them.

So what is the solution?

In a recent interview with The New York Times, Linus Torvalds said that IT systems are being brought down by teenagers because people that know nothing about Internet security are connecting up computers that were not designed for use on the Web. "Should we blame the teenager?" asked Torvalds, "Sure, we can point the finger at him and say, 'Bad boy!' and slap him for it. Will that actually fix anything? No. The next geeky kid frustrated about not getting a date on Saturday night will come along and do the same thing without really understanding the consequences. So either we should make it a law that all geeks have dates -- I'd have supported such a law when I was a teenager -- or the blame is really on the companies who sell and install the systems that are quite that fragile."

So next time this happens, as well as putting the suspected hacker in the dock, maybe they should be joined by a certain Bill Gates. After all, Gates was responsible for supplying the operating systems used by both Caffrey and the Port of Houston.

Alternatively, if Bill Gates is not available, there is a variation on the Chewbacca defence, which, as far as I know, has only been used in the South Park animated television series by a Johnnie Cochran-like lawyer; but it is perfect.

It goes:

Ladies and gentlemen, this is Microsoft Windows. It is the most popular operating system in the world. But Windows is full of security holes, cannot be trusted, and costs lots of money. This does not make sense.

Why would a leaky and bloated operating system be used on virtually every desktop in the world? There are alternatives, such as the Mac OS or Linux, which are far more secure and hardly ever get attacked by viruses; but they are only used by a relatively small number of people, most of whom have the technical ability to adequately protect themselves, even if they chose to run Windows. Why is this? It does not make sense.

But we have to ask ourselves what this has got to do with the case. Nothing! Ladies and gentlemen of this supposed jury, it has nothing to do with this case. Look at me, I'm a lawyer, talking about a port in America that was supposedly attacked by a British teenager who wanted to get his own back on someone who insulted his American girlfriend (whom he has never met) in a South African chatroom. None of this makes any sense.

So, when you're in that jury room debating and conjugating the emancipation proclamation, you must ask yourself this question: Does it make sense?

No. It does not make sense. If people use Windows you must acquit. The defence rests.