In October 2002, Julian Green was arrested in Devon, England, after police searched his home PC and found child pornography on it. ISP logs identified Green as the person responsible for the downloads, and the presence of the images on his PC seemed to be all the corroboration the constable would have needed to obtain a conviction. However, a defense forensic expert also found evidence of Trojans on Green's computer that were designed to piggyback on his browser and log into porn sites. The Trojans were probably downloaded as e-mail attachments, made all the more likely by the fact that Green had a teenage son. Unable to prove definitively that Green knowingly and intentionally downloaded the files, the prosecution dropped the charges. . . .
According to Greek mythology, the seer Laocoon, a priest of Apollo, warned the residents of Troy against accepting into their city the giant wooden horse devised by Odysseus and built by the architect Epeius. His famous warning, "Trojans, trust not the horse. Whatever it be, I fear the Greeks, even when bringing gifts," applies as well today to importing unknown files as it did to the Trojans some three thousand years ago.

We think we know all about the dangers of Trojan horses, but there is a new and more dangerous legal wrinkle to consider. In the past few months, a couple of people in England were acquitted based upon the so-called "Trojan defense" -- what we criminal lawyers used to call the "SODDI" defense: Some Other Dude Did It.

The Trojan defense presents two equally frightening problems: the possibilities of acquitting the guilty, or convicting the innocent.

In the first case, given the nature of electronic evidence, virtually all computer crime prosecutions rely on circumstantial evidence. To prove that John Doe, for example, hacked into ABC Company, you collect IP address logs and other corroborating data, perhaps engage in an IRC chat with John Doe, get a warrant or subpoena for his ISP records, show a pattern of activity consistent with the hacking, and then (if you are a law enforcement agent) get a warrant to kick in Mr. Doe's door and seize his computer. If the forensic examination of the computer turns up hacking tools, visits to hacking sites, relevant e-mail, and even copies of the malicious code, it's a slam-dunk case for conviction. Right?

But what if, in addition to all of this "evidence," you also find a Trojan horse server on the machine -- say, a copy of Optix Pro or another remote access program? Does the mere existence of such a program provide a Get Out of Jail Free card? Probably not; the question for the examiner becomes whether the program was installed and active when the alleged activity took place, not merely whether it sits on the disk. However, given the ephemeral nature of electronic evidence and the fact that it can always be altered, how confident would you be that Doe was in fact guilty beyond a reasonable doubt?

The higher the hacker's profile, the more attractive a target he or she may make for other hackers. And after all, if you were a hacker, would you want to store your contraband files on your own machine, or, like the cuckoo, would you keep your eggs in another bird's nest? Such "file parking" strategies have been used by hackers for years.

The link for this article located at SecurityFocus is no longer available.