What do you get when you allegedly mix Wireshark, a gumshoe child molester, and a court PC? A judge facing hacking charges A judge in the US state of Georgia is facing hacking charges after she allegedly hired private investigators to look into what she believed was a spyware infection on her office computer. Lawyers for Judge Kathryn Schrader are challenging a September indictment of three counts of computer trespass against herself and three …
Regarding the network intrusion claim, I'd think it would depend on how Wireshark was used. If it was putting the network adapters into promiscuous mode, then yes, there is meat to the charge. If not, then WIreshark would only be seeing the packets that are going to and from that particular machine. It would be hard to argue that's actually intruding into the network at large.
I tend to disagree. Even in promiscuous mode, packets that reached her machine was likely to be read by her machine, being destined to her address or broadcasted.
Unless there is a major flaw on the network, times are gone when a machine could see packets that were not for itself.
Maybe, maybe not. Depends on what the "private investigator" did. If he changed her PC's MAC address to the DA's PC's MAC address and received traffic destined for the judge's computer then it would be very much illegal. Yes, it can be prevented if the switch is set up to be secure and only allow certain MAC addresses on certain ports, but that's doubtful here.
Regardless, the PC isn't her property, she's not free to install packet sniffing software on it, let alone allow a third party access to her work PC. She deserves to be in trouble, regardless of the details.
> the PC isn't her property, she's not free to install packet sniffing software on it,
Well, to install packet sniffing software you need at least local admin privileges, so unless her contract and IT use policy explicitly prohibits the installation of packet sniffing software...
But yes, as it seems to be a work PC and thus property of the court, she does deserve to be in trouble for letting unvetted/unapproved people have access to her PC.
She is "the court". Everything belongs to her... That's what a judge is. Until she's replaced and then someone else is the court... She's not the employee. (Close to an executive type--still subject to some rules, but not many.... Which is why the PC keeps getting described as hers)
Even if the network is hub-based and the NICs were in promiscuous mode, I'd consider this a case of overhearing rather than spying. If the court's IT department can't secure their network properly, that's their fault, not the judge's or the investigators'.
Circa 2002, I moved house and got cable Internet service. I was investigating a problem with my work VPN and had done some tcpdump tracing on a machine connected directly to the cable modem. I was talking with a network engineer about some of the traffic I was seeing, and he got all bent out of shape: "You can't look at packets on my network!".
Well, as it happens, I can. If you don't want me to, don't send them to my device, buddy.
Fortunately that cable company went bankrupt and was bought by one that employed adults.
"If the court's IT department can't secure their network properly, that's their fault, not the judge's or the investigators'." If you leave your door unlocked and someone walks in an steals your belongings then your insurance company may not pay up but the perp will still be arrested for burglary. Carelessness is not a permit to do what you want.
On the other hand, it isn't her PC or her network, it is a PC provided by the court/county/state and she probably has no right to do such an investigation on her own.
Certainly here, it would come under the equivalent of the UK Computer Misuse Act, if an employee started using Wireshark or any unathorized hardware or software in our company network or on company devices.
Surely her first stop should have been the court's IT department. They should be capable of scanning the device for spyware. If not, they would be able to authorize an external specialist.
It seems naive of her to have got her own investigator in, without informing those responsible for the PC and the network. Certainly here, she'd have been out on her tail, if she had tried something like that.
Or if one or more IT staff members were colluding with Porter. Some of the commentators here seem to have a peculiar belief in the trustworthiness, not to mention competence, of the IT staff at the Gwinnett County Superior Court.
Personally, I suspect asking the Gwinnett County IT to look for spyware on a machine is likely an exercise in futility. Just a guess based on my experience with IT departments of other public institutions.
Schrader's real error, in my opinion, was in hiring Ward, who apparently wasn't diligent or wise enough to avoid hiring Kramer. Kramer is the real source of the defendants' troubles here.
promiscuous mode on the computer (not the routers) doesn't mean SQUAT.
Unless, of course, they're 30 years behind in net tech and are using HUBS instead of SWITCHES for their ethernet...
Unless you place a switch into permanent 'learning' mode or program it to be promiscuous, it will filter out any packets on the network that are NOT yours. Upstream routers will do the same thing.
It is EXTREMELY unlikely that Wireshark could capture ANY network traffic on this network of any consequence, other than the occasional "Who has this IP address" ARP packet (and other similar housekeeping traffic that's broadcast or multicast).
A properly designed network wouldn't have problems with this.
They are just being ANAL RETENTIVE ASSHATS. It's like going after security researchers for "cracking" an encryption algorithm when they're actually just verifying that it's a good one.
I agree; but in a fight between a judge and a DA, you have to expect that legal weapons, however inappropriate, will be deployed.
It may be worth noting that according to various sources Schrader was suspended specifically for (indirectly) giving a felon access to the court IT system - not for letting someone run Wireshark. As I wrote in another post, I believe her real mistake was in employing Ward, who clearly wasn't sufficiently careful in choosing his subcontractors.
as a tiny step towards preventing malware I always install Wireshark on all friends and family 'puters.
Also throw in a few virtualisation tools, such that any self-respecting spyware will notice its environment and possobly self-delete, just in case it is being tested in a VM.
I still haven't worked out why those "Russian Hackers" from Glos. managed to grow/gift me a 3.1GB single cookie file from a .co.uk website, so don't actually listen to me for security stuff....
How many here work for firms (or government agencies) that consider the computer you were issued and which is maintained and updated by the I.T. department, to be _your_ computer?
Most folks have to content themselves with being "reasonably comfortable" with some corp/office nerd harvesting contacts and passwords or turning on the web-cam and microphone for giggles.
I agree with the first sentence, not with the second.
Surely there was an IT department, and they would be responsible, in the first instance, for searching the PC for spyware? And they would have to be informed, before she or her gumshoe, put any unauthorized hardware or software on the network.
Certainly she would have been dismissed and prosecuted, had she tried that at my employer.
Surely there was an IT department, and they would be responsible, in the first instance, for searching the PC for spyware? And they would have to be informed, before she or her gumshoe, put any unauthorized hardware or software on the network.
Unless she suspected (someone in) the IT department had gone to the rogue, in which case her actions are completely understandable.
Without help from (someone in) the IT department???
Certainly conceivable. It's not difficult. Parents put spyware on their kids' machines all the time. Abusers do it to spouses and other victims. It's trivial for someone to purchase spyware and get instructions on how to install it. There are plenty of vectors for non-privileged attackers to do so, such as social engineering and hardware keystroke loggers.
Or, if Schrader's suspicions are correct, Porter could have co-opted someone in the IT department. Or someone with the requisite skills to gain unauthorized access in the Gwinnett County Superior Court network, which I bet is not tremendously secure.
But conversely there's plenty of reason to be suspicious of the IT department in this situation, even if you have some reason to believe that they'd be at all useful in finding spyware in the first place.
"Parents put spyware on their kids' machines all the time"
Yes, but parents have physical access to their children's computers. If this is a personal computer (laptop) of the judge or one that lives in the judge's office, it would be very unusual for the DA to have access. For the DA to be in the judge's chambers without the judge present could cast doubt on the proceedings underway in the same way that a defendent's attorney in the judges chamber alone would be problematic.
I didn't get any take on why the judge felt as if it were the DA that had installed the spyware or caused the spyware to be installed. I do see it as entirely possible that a member of the IT staff could have done it with or without their knowledge. Both the DA and the Judge are likely served by the same IT department.
If you are doing something illegal, like installing spyware on somebody's PC, the last thing you want to do is rope somebody else in on the crime, unless you absolutely have to - and then you probably wouldn't want to use the internal IT staff, they'd probably report them.
How many here work for firms (or government agencies) that consider the computer you were issued and which is maintained and updated by the I.T. department, to be _your_ computer?
Semantics, it is a lot shorter (and thus clearer) than saying something like "the computer my/our employer assigned to me to use for work". I'd say you are also referring to "your desk" at your place of employment.
"Sounds to me like it was a bring your own device deal. " Very possibly. That is the case where I work.
"So if so she has every right to have her machine checked." If she had it checked outside of work, yes.
"Sounds like its a bullshit charge in an attempt to maybe get her off certain "Cases" shes refused to take brown envelopes for, maybe." Pure speculation.
I would really hope that a judge or someone else in such a position would put some effort into making sure that their computer really is secure and not being monitored for nefarious reasons. She should be commended for looking after sensitive data. There has to be more going on behind the scenes that isn't being reported, a judge on judge conflict with the other side just having more strings to pull?
You say that like there was a 'correct' way to do it? So say she goes to the local court IT people and says she suspects spyware. They go to her office to grab the PC and it's gone, with the D.A. smirking out in the hallway. She announces she had imaged the hard disk to capture the evidence. He arrests her for ... hacking.
<quote>You say that like there was a 'correct' way to do it?</quote>
Actually, there is. Especially, in her case, after all, she is a judge. And, that way is to contact the FBI, and let the Feds handle it. IF the DA is spying on her without the backing of a court order, then (s)he (the DA) is in a lot of hot water, and could face Federal charges.
The problem is that the person she hired subcontracted to a felon who had just allegedly violated the terms of his release. That's what got the police involved in the first place, and that's why the Judicial Qualifications Commission suspended her.
Of course, picking a fight with a DA - even if you're a judge - is problematic. Prosecutors in the US generally have way too much power and too little oversight. Though the same can generally be said of judges (many of whom don't even have legal training).
Not necessarily. Sadly, the USA elects judges. This one was elected in 2012, and re-elected in 2016. There is no indication how much training a newly elected judge gets on the arcane intricacies of I.T.
Admittedly, she is/was a lawyer, and did serve as a municipal judge prior, so maybe there is. I find the whole idea judges chosen by popularity rather than competence to be... very odd. And worrisome.
We already have to dance around wondering if simple things like port scans are legal or not and WiFi packet capture. Now we have to worry about packet analysis?
Pentesting is going to become a joke if every one of the methods used for reconnaissance becomes a grey area and requires specific permission and disclosure to execute.
Pentester: *sneaks into office building, spends a while navigating the building and observing, finally reached target PC*
Pentester: Hello Sue in accounts. I am here to perform a penetration test to gauge the level of security on your company network. Please sign this form to give me permission to attempt to access your PC. I will also be plugging in a USB keylogger and ethernet wiretap that you should find suspicious, they look like this. I will be assessing to see whether you notice them and report them in accordance with the IT security policy.
I may also send you phishing emails and attempt to social engineer you into handing over credentials without due care. The telephone number I will call from is 555-123455 the email address the phishing attack will arrive from is 1337_phishing@gmail.com.
Please sign here if you agree to be tested, and sign here to confirm that you will at least try and work normally now that you know you're under attack and specifically how I am going to attack you.
Thanks.
Cop: FREEZE! GET DOWN IN THE FLOOR AND PUT YOUR HANDS ON YOUR HEAD.
Pentester: Dude, I've been hired to test this company.
Cop: All your methods are illegal!!!!
An authorized pentester has a contract that stipulates exactly what is and isn't in scope. Exactly what thex can and can't do. They have a letter of authorization and they have a list of contacts who can verify they are working legally - unless you are in Dallas County, Iowa, it seems.
In this case, she did not get authorization, she did it off her own hat, bypassed the IT department and didn't inform her superiors that she was performing an illegitimate analysis of the PC and the court network. That would be a sacking offence here.
What would be a sacking offence in your company is completely irrelevant, yet you keep saying it as if it matters. In some cases, going through the "correct channels" is the incorrect thing to do, and justice demands that the rules are inadequate. However, there is seemingly more to this story than we have access to at the moment, so I'll wait for developments.
So it's perfectly legitimate for a firm to secretly hire someone to test the firm's security and practices to protect the firm, but it's not cool for an employee to hire someone to test whether their confidentiality is being breached by their employer / colleagues etc?
Oh...ok then.
An employee usually has to sign some sort of IT Policy framework that outlines what they can and can't do on company equipment and outlines how the company will monitor equipment, maintain the policy and so on.
A company can hire someone to test the IT Policy and check to make sure everyone is in line with the policy (as outlined in the policy)...all good.
But if an employee suspects that the policy is being breached, they're not allowed to perform their own independent checks on the employer to ensure they're holding up their side of the policy.
Sounds fair.
How is an employee supposed to detect and report malicious behaviour of an employer if they can't use their own independent means of investigation?
Usually not, because it isn't their equipment or network and doing an investigation would break company policy.
If the employee thinks the company is illegally spying on them, they should contact their union rep, if there is one, the police, an employment lawyer or the data protection authorities etc. there are a lot of legitimate avenues open to them.
"So it's perfectly legitimate for a firm to secretly hire someone to test the firm's security and practices to protect the firm, but it's not cool for an employee to hire someone to test whether their confidentiality is being breached by their employer / colleagues etc?" Yes, because they own the equipment!
Your logic is bizarre.
IF the network connected device is your own then yes, you can take it home and analyze it. What you don't have a right to do is connect it to the network owned by your employer and monitor that network in any way!
She hired a security company, wouldn't have been a legal issue if their IT team was part of the investigation to at least know what is going on with their systems. I doubt most "support only" IT depts. can even use Wireshark effectively. There is clearly much more going on here though I don't doubt her concerns are real, but this was all her opponents needed to get rid of her.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
