So Paper (Mail-In Ballots) are not “Hackable”?

So Paper (Mail-In Ballots) are not “Hackable”?

One of the things I like to do is have a coffee and watch the Sunday news shows. Granted sometimes I run a bit behind like this week. Today was one of those occasions when I watched a segment of Face The Nation from Sunday, August 16, 2020. It was a segment in which Margaret Brennan interviewed Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, about his concerns about our election being “hacked.”

During the interview Breanan noted that Alperovitch appeared to stress … “that is the best option is to go old school, go paper.” He follow-up with the following:

Well, paper cannot be hacked, however, there is a legitimate concerns about logistics. I’m not so much concerned about foreign entities interfering in the paper process, but we do need to make sure that states are prepared to take in the huge number of mail-in ballots that will come in. They’ll be able to do the signature verification that is necessary to make sure that there is no fraud. It can be done.”

The thing that caught my attention is that “paper cannot be hacked.” I don’t like phrases that reflect such absolutes. Documents can be altered. They can be forged, duplicated, and counterfeited. The trick is to accomplish it so that it can be accepted as if it is a true original. Prime examples of where counterfeiting occurs are currency, identification documents (drivers license) and trademark labels on counterfeit goods.

As a result, governments and companies have incorporated increasing complex methods to make it easier to differentiate the fakes from the legitimate. However, even with methods it sometimes takes an “expert” to clearly identify which are fakes and which are not. This is one reason why law enforcement frequently has a company representative on hand when investigating counterfeit trademarks/goods.

Years ago in my career I worked with the U.S. Department of Labor (USDOL), which sometimes took on the role of supervising union officer elections. Union officer elections by federal law provide that members are able to cast their votes in “secret” in such elections. Many union officer elections were conducted solely by mail-in ballots. There had to be an accounting for all ballots printed and cast. A clear indication of fraud would be more ballots cast then printed.

The law required that only members could cast their vote without their actual choice being attributed specifically to them. Ballot numbering was sometimes a mistake for unions starting out with mail-in ballot elections. They would number the ballot and that number would coincide with the list names of who were sent a ballot. This they felt would insure integrity in the voting. However it violated the law as the vote was not cast in secret as the member’s votes could be specifically attributed to them via a comparison of the ballot number to the list of individuals sent particular ballot.

Members also for obvious reasons couldn’t case more than one vote. If for some reason they didn’t get a ballot they could request a second ballot. Predetermined procedures were in place to ensure if multiple ballots were returned from one member only one ballot, usually the last received was counted.

Mail-in ballots for elections face the same challenges. A citizen must be allowed to cast their vote in secret. However, steps must be taken to insure that only those legitimate voters can cast a ballot. Additionally, voters can’t cast more than one ballot successfully.

Currently there is much concern about mailing ballots to voters. There are legitimate arguments on both sides. Some argue it will lead to fraud. Those on the other side noted if we don’t allow mail-in voting we will disenfranchise the citizenry that is afraid to cast an in-person ballot due to Covid concerns. The truth is mail in ballots has worked for years for unions as well as in general elections and can be accomplished successfully provided fair and established rules are followed.

Now let’s go back to what started this discussion, specifically “paper cannot be hacked.” This implies to me that one can’t “hack” the system via paper. Having worked in law enforcement for over 30 years I know that any criminal committed to an endeavor will find a way to overcome the restrictions. Modern technology has made it possible for anyone with the criminal intent to make it possible. Granted they don’t always get away with it but they will try. Governments intent on illegal methods to gain their ends are no different, with the exception they have the resources to get away with it successfully.

I would agree that disrupting the election via “hacking” digital means is likely the cheapest method for those willing to attempt it. However, I would not discount the ability to “hack”paper, with the mail-in ballot being the most likely target of such attempts. The “voter’s signature” noted by Alperovitch as a verification method, is not something that is immune to forgery/counterfeiting, thanks to modern computers/printers. His assessment that “we do need to make sure that states are prepared to take in the huge number of mail-in ballots that will come in,” is the crux of the problem. Here is how I see it most likely happening:

  • There will be a number of “lone wolf” actors of a variety of political beliefs/motivations with home computers, scanners, printers, etc. that will attempt to cast counterfeit mail ballots. They will most likely be caught, depending upon their abilities and the sophistication of the election process where the attempts are made.
  • Countries with resources are likely looking at methods to interfere with mail-in ballot voting and have some plans in place already. They will look to not only cast mail-in ballots in specific races of their choice but more likely just to disrupt the overall election process. They have the means/resources to request and receive legitimate ballots for fraudulent purposes, either counterfeiting or casting. Additionally, they have the resources to produce and deliver those counterfeit ballots. I also wouldn’t discount criminal organizations for hire being involved in the process either via a country or organization/individual willing to pay for election interference/fraud.

These organizational attempt’s success will also be dependent upon the sophistication of the election process where the attempts are made. The issue noted by Alperovitch about the volume of mail-in ballots that officials have to deal with becomes my concern.

Officials will be tasked with how they handle these mail-in ballots, specifically differentiating counterfeit votes from legitimate votes. If organizations are successful in flooding particular jurisdictions with counterfeit votes, they may over tax those election officials, possibly dragging the vote tally out for weeks if not months. These counterfeit ballots don’t have to actually be counted if the goal is merely to task the system.

Granted this would call for significant resources to be expended. But is not likely going to involve the entire nation. To be more successful, it will target key battleground locations, i.e, those of importance for the electoral college. Remember the 2000 election of Bush vs. Gore and the confusion over the counting of chads and the aftermath of discord generated. Now imagine such confusion in this particular political environment and how much discord will be generated if it were to occur again. You get the picture.

Combining an attack of the mail-in ballots with digital hacking efforts would further maximize the negative effects. I seriously doubt a committed actor is only going to deploy one method to accomplish their objective, ie. chaos. These kind of acts are made possible due to technology. In the end if you don’t care about the results but want to generate discord you have met your goals.

As for me, I am not sure whether I will vote by mail or in person. If I vote in person I am reasonably certain it will be counted as cast. I know the mail-in ballot issues but may decide to mail it, weighing the pros/cons against my own personal Covid concerns. I know I will vote one way or the other.

Regardless, of the outcome, I sincerely hope that anyone, countries included, who are found to have mucked around in our election are held accountable to the fullest extent of the law. On that note, I left a cigar smoking somewhere. Take care and get out and vote!


Todd and I will be presenting at the Mob Museum in Las Vegas, NV on May 4, 2019 at 2:00 p.m. (PST) in the Organized Crime Today Exhibit Space. The announcement reflects:

In an era when the Internet has become central to our lives, it is imperative to be educated on cybercrime – and how to avoid becoming a victim. Join us for a videoconference presentation and hear from two of the foremost experts, Art Bowker and Todd Shipley, who are co-authors of an invaluable guide that provides step-by-step instructions for investigating internet crimes and all aspects surrounding it.




About two weeks ago we had another school shooting tragedy. Like so many in the past the suspect appears to have telegraphed online his evil madness prior to its eruption. The FBI was apparently notified of at least one of those posts prior to the act and acknowledged there was a breakdown of their response protocols. Unfortunately, one of the troubling aspects of these events is the occurrence of “copycats,” who either create similar evil posts or videos as “jokes” (NOT FUNNY) or worse as harbingers of their sinister destructive plans.

We were alerted by a concerned citizen to one of those copycat’s online rants almost immediately via our book’s Facebook page. They forwarded the troubling link seeking our assistance. (Important Note:  Neither our Facebook page or this blog suggestions we investigate online crimes or take such reports). We strive to empower individuals through knowledge. We will give suggestions on how citizens might obtain the authorities’ assistance on cyber-malfeasance. We gave the citizen such suggestions and we have decided to share this advice to others who maybe find troubling posts online and want to make sure the proper officials are notified.

First thing we suggest is follow the advice of the Department of Homeland Security (DHS). Specifically,

contact your local law enforcement agency. Describe specifically what you observed, including:

Who or what you saw; 

When you saw it; 

Where it occurred; and 

Why it’s suspicious

Who or What You Saw

IMPORTANT:  The below advice includes taking screen shots or copying the material. This is not applicable to every situation. When dealing with online child abuse images don’t commit your own crime by copying the images or screen shooting the image. You can copy the URL but do not print, copy, etc. the images or videos. Make handwritten notes about where it was found, when (date, time, time zone) and who the posters identity.  For more details on dealing with these kinds of material click on law enforcement.  Additionally, Internet Service Providers will also take such reports. Google for instance has as such a system for reporting offensive images appearing on its site. They will forward it on to law enforcement as well.  

What Did You See

Okay this is pretty self explanatory but as they say a picture is worth a 1,000 words. We suggest taking a screen shot of the troubling information (with the exception noted above).  (For instructions on taking screen shots see Windows, MacSmartphone or do a Google search for “your specific device + Screenshot”). The below example uses our Facebook Group The Cyber Safety Guys to give you important focus areas.  You likely will have to take several screen shots to make sure you get it all the information.  Be aware where the screen shots are being saved as you are going to need that information later. If you can’t take screen shots, consider printing the material out. You also might take digital pictures of the material.


When You Saw it

Okay, so you have taken screen shots, printed it out, or taking digital pictures. Maybe it includes the date and time but maybe not. You need to document it when you saw it, i.e., date, time, and your time zone.  If you have go “old school” do so and write it down.

Where It Occurred

Okay, DHS is talking about a place in the brick and mortar world.  Sometimes a post will include information that reflects where the author is located or maybe their intended target. If you can ascertain that from the post, document it.

When we are in cyberspace we also need to provide an “address” of where it was seen. In our above image it is clear from the screen shot that it viewed on Facebook, particular as it includes the URL.  However, don’t be happy with just saying Facebook. Get the entire address not just the domain name. Sometimes it is not so clear from the screen shot. Maybe it occurred in a chatroom or instant message.  You might have to actually write it down if you can’t get the location documented in the screen shot.  Again, be complete in your documentation. For instance, it was seen at date/time/time zone at this particularly cyber-location (specific complete URL, specific chat, specific instant message, etc.)

Why it’s Suspicious

We are dealing with posts, which might be a written, a picture, and/or video.  Be prepared to describe why you believe it warrants action beyond just providing the screen shots. For instance, you saw the video and the person talks about shooting up something and is standing with a weapon. Don’t just rely on the screen shots you took.  Provide an explanation of why you believe it is suspicious.

Reporting it

Okay, you have taken screen shots of everything. You have made notes of what you saw.  Now it is time to report.  Clearly if this is in your area and is an emergency, call 9–1–1.  Explain what you saw, saved and why you think it warrants attention. Be prepared to provide copies of you screen shots, printouts, pictures and documentation to law enforcement, either electronically via e-mail or via a storage device.

Now lets suppose it is not in your area. It is out of state. Can you determine the area it is at? If so, contact the local law enforcement in that area (Do a Google search).  Now don’t rely on communicating this kind of information via that local law enforcement’s social media site. Those sites aren’t always monitored. Don’t also rely on their e-mail or websites. Again, they might not be monitored 24-7. Call them.

Okay, you can’t determine where the post is from. What now? Contact the FBI.  Okay, again, call them.  They allow cybercrime to be reported online, but we are dealing with someone posting information about threats, harms, etc. This warrants a call. The FBI link above provided above will give you the telephone numbers to local FBI offices, which is the one you should call.  They will forward up the chain to where it might go. Explain the situation and that you have screen shots, etc. to provide them.

Okay, you have attempted to notify law enforcement. Maybe you left a message or the line was busy or something.  (The beauty of calling them is you know if your message got through. Posting via a website or email doesn’t mean a real person has got the information).  What now?  Look for information about the location where you saw the troubling information.  For instance, in the above example it was Facebook. They have a security division and will take action on the post.   Just because it is on their site doesn’t mean they are aware of it. Tell them about it.  Be prepared to provide them copies of the screen shots and your information. They will document information on their side (which by the way is a lot more than what you are seeing. If they believe it apparent that there is a danger they also will directly contact the appropriate law enforcement  agency foe their action. They also will likely remove the troubling post.

Cyberspace has made the world much smaller, making us all netizens with one another. Being good netizens requires us to take notice of smoking amiss, particularly if it means the potential of harm in the real world. So, if you see it report it! Take care and be safe out there.


How NOT to Investigate Questionable Online Behavior

pexels-photo-534204We are being inundated with news of high profile misconduct incidents, notably sexual assault and/or harassment. Many of the reports pertain to dated allegations and most if not, all were never officially reported to the authorities. However, there is one recent case involving 9th Circuit federal Judge Alex Kozinski that did have an “official” inquiry and highlights how NOT to investigate an online case.


Washington Post journalist Matt Zapotosky reported on December 8, 2017,  that Judge Kozinski had allegedly sexually harass court employees. Specifically, he would show porn to staff and ask for their input, including whether it excited them. He also allegedly made sexual suggestive comments, like publicly telling a female court employee she you should workout naked. These incidents were never reported for fear that there would be reprisals from the powerful judge.

However, as noted by Zapotosky the judge was investigated in 2008 for misconduct of a sexual nature.  I would argue that had this investigation been conducted differently it could very well have lead to his undoing and may have detected or prevented conduct that has since been discovered.

The 2008 misconduct came to light after the LA Times ran a story  that Judge Kozinski was running a public website that maintained pornography. By they way this was not just any pornography but involved images which included;

a photo of naked women on all fours painted to look like cows and a video of a half-dressed man cavorting with a sexually aroused farm animal.”

At the time Judge Kozinski was presiding over an obscenity case. After the LA Time story appeared Judge Kozinski declared a mistrial and recuse himself. He also reported his conduct for investigation by the 9th Circuit Judicial Conference.

The matter ended up being investigated by a committee in the 3rd Circuit and not the 9th Circuit, which is kind of interesting. Why that circuit? Why not another? I will get back to that later. Judge Anthony J. Scirica was chair of the committee charged with doing the investigation and noted they completed the following investigative steps:

… by making written and telephonic inquiries; reviewing relevant documents and the image, audio, and video files provided by the Judge; engaging a consultant to advise the Special Committee on certain computer technology issues; and examining the Judge in person, under oath, and on the record.’

pexels-photo-207580The thing that stands out in all this is no one apparently actually examined Judge Kozinski’s server. Let me repeat that for a moment. The case involved a website and no digital evidence was apparently independently collected or forensically examined.  They took the judge’s word for what was on it and received images he provided. There was no forensic examination of this server, which might shed light on the following:

  • What exactly was on the sever, was it legal or illegal pornography?
  • Who accessed the sever and when? (Such as during normal court business hours)
  • More specifically were pornographic images on the server accessed during court hours and by someone working in the judiciary?

Equally troubling is the investigating committee never bothered to ask the 9th Circuit Court for information on whether court systems were used to access Judge Kozinski’s server. We know he admitted that he used the server for sharing files with other judges etc. but we have only his word on what was shared and accessed.

The 9th Circuit system could have provided independent information about what was shared/accessed and when. Imagine how this information might shed a bright light on the allegations being made today. For instance, the 9th Circuit court might have shown that their systems were used to access the judge’s server on a specific time and location (directory). Which would have raised questions about what was accessed and by whom and why.  Remember we now have allegations that the Judge Kozinski was accessing pornography and showing it to court employees.

By examining the 9th Circuit systems in 2008, there might have been evidence of sexual harassment. For instance, logs might have reflected that the court’s systems were used to access the judge’s server at 10:00 a.m. on a workday and the access was to a specific directory and/or file. What was in that directory and what was the file? Was it the judge and who was he with at the time? But those inquires were not made because they never apparently thought computer logs were important in an investigation concerning a website.

At a minimum, one would have thought the investigation would have asked the 9th Circuit for an examination of Judge Kozinski’s work computer to see when and how it interacted with his server. Again, this might have shown access to directories and files that might lead to inquiries of a more troubling nature for the judge.

The investigative report reflects actual digital evidence was not as important as Judge Kozinski’s “unbiased” statements on what occurred. This case had all the earmarks of something requiring computer forensics but that was not done. Imagine any obscenity or child pornography investigation only being conducted by asking the target what they did.

Now one might argue that Judge Scirica committee was trying to be narrow the investigation’s scope and only asking questions pertaining to certain issues. They didn’t want to pry into his personal or private life. Equally compelling is that Judge Sciricia did not want to push the issue about accessing the judge’s work computer and the 9th Circuit system as Judge Kozinski was at the forefront of forcibly objecting to Internet monitoring of judges as reflected by the LA Times in 2001.

Gee, we can only speculate now why he was objecting to monitoring. Maybe, that was why he had the personal server in the first place. He could access porn without fear of an alert because his sever did not have “porn” titles in files and directories that would triggered a notification by a monitoring program.  He noted in his sworn testify that he did not maintain images with suggestive titles making it a tough task to remove porn from various directories. Maybe that was to avoid getting caught looking at porn during working hours.

The accommodation given to Judge Kozinski is the exact opposite of how a Sixth Circuit misconduct committee operated in Judge John Adam’s case. His case centered not on sexual misconduct or financial/ethical concerns but that he was considered recalcitrant by a small minority of his judicial colleagues. Judge Scirica was also involved in a review of that investigation. His committee agreed that is was entirely appropriate for the Sixth Circuit tribunal to demand Judge Adams’ medical records as well as order him to submit to a mental health evaluation as they had broad investigative authority.

So, under Judge Sciria’s thinking it is okay to expand an investigation into one judge’s medical records and compel a mental health evaluation, but it is not appropriate or justified to look at another judge’s work computer and/or personal server concerning inappropriate online conduct. Am I the only one puzzled by that reasoning?

As a side, why agree that Judge Adams should be subject to a mental health evaluation for conduct that basically centers around him being independent minded with his colleagues but not suggesting or ordering a mental health evaluation for a judge who apparently was maintaining images that had an obscene if not bestiality theme? It is any wonder that Judge Adams, with the support of Judicial Watch, has filed suit to have the law allowing such disparate and unjustified actions by the judicial branch declared unconstitutional.

Now recall I mentioned that Judge Scirica is in the 3rd Circuit and Judge Kozinski is in the 9th Circuit. Well Judge Adams is in the 6th Circuit. Considering the apparent differences in how Judge Scirica operates in two different cases one must wonder if his investigative actives are “picked” not based upon his record of thoroughness but on his track record of steering the investigation to the desired conclusion. Based upon the allegations now being made against Judge Kozinski, one can only speculate that these newly disclosed victims could have been spared had a proper and through inquiry been completed in 2008 by Judge Scirica and his committee.

It is troubling that the 2008 “investigation” was completed by a federal judiciary body that should have known better. Investigations involving computer activity must involve the independent forensic collection of all available digital evidence and the examination of that evidence in a forensic manner. To do otherwise is call into question the legitimacy of the activity and the motives of the parties involved. Judge Scirica’s involvement in these two cases support that the judiciary cannot police itself. An independent Inspector General’s Office, with investigative procedures and protocols, needs enacted to ensure that the public is objectively protected against individuals who are appointed for life. On that note I left a cigar lit somewhere. Take care.

A Case of Cyberstalking or Cyber-Annoyance?

A story recently caught my eye from woman noting how she has been a cyberstalking victim for “15 years.”  My first impression was how could this be and her victimization must be stopped.  However, upon critical examination the catchy headline is really not supported by the story’s content.  In some ways, the woman is quick to criticize the law enforcement response to her plight, which I believe is somewhat misdirected. Based upon the information she provided it is clear she is a victim but the duration and the illegality of the situation is being overstated.

Let me first say that this woman notes in the article that her stalker, “Danny,” had made no “threats of violence.” His conduct has been of a harassing nature. This is important. Under the federal cyberstalking statute, “cyberstalking” includes any course of conduct or series of acts taken by the perpetrator on the Internet that place the victim in reasonable fear of death or serious bodily injury, or causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress to the victim or the victim’s immediate family (See 18 U.S.C. § 2261A and Blanch and Hsu).  Based upon the women’s story we are limited to conduct that would reasonably expected to cause … “substantial emotional distress.”

The second issue is the victim has known Danny for 15 years. Not all of those years of interaction could be termed “harassment” in a legal sense, let alone stalking. She indicated that she started interaction with Danny when she was 12 and he was 14.  At first the interaction appears to have been mutual but he became too obsessive, so she blocked him. I am not sure if she told him to buzz off or just blocked him. If she just blocked him without telling him to stop then he might not have realized she had enough. We know from her article that she blocked him sometime in high school.

In about 2006, Danny sees her on Facebook and sends her a “friend” request, which she accepts.  If she felt the previous interactions were that disturbing why in heavens name did she accept?  We clearly are running into difficulty equating her response as indicative of someone who suffered “substantial emotional distress.”

Danny shows up unexpected and she agrees to have coffee with him, accepts his gift, and interacts with him. Does she block him from Facebook afterwards? No, she continues to allow him to send messages to her and have him as a Facebook friend until 2012. So for six years she keeps him as a Facebook friend. Again, is that indicative of someone suffering “substantial emotional distress?”

Finally, for the first time in 2012, she tells him to mediate his behavior noting in part… “sent him a message asking him to please stop messaging me so much or I’d block him.” He continues to send messages and she FINALLY blocks him.   Note, that she was willing to continue him being a friend, provided he quit sending so many messages.

From then on, the situation has gotten to what is clearly negative and indicative of harassment. In short, this is a case were possible criminal conduct has been going on for really about four or five years, not fifteen years, as she portrays.

Finally, she decides to make an official police report and goes to some lengths to point out law enforcement’s apparent ineptitude.  She goes so far as citing New York penal code, on cyberstalking, noting Danny’s conduct was “…is likely to cause such person to reasonably fear that his or her employment, business or career is threatened, where such conduct consists of appearing, telephoning or initiating communication or contact at such person’s place of employment or business.” I believe based upon her version of events that his conduct likely does fit this particular statutory element. Ironically, the women also included in her story an additional statutory element … “the actor was previously clearly informed to cease that conduct.”  She then glosses over the second element concluding that law enforcement was wrong in telling her no crime was committed.  The problem is for a crime to be successfully prosecuted ALL elements must be proven.

However, her own facts fail to support that her harasser was “clearly informed” to cease his conduct. Sure, she blocks Danny on AOL, only to later accept his friend request on Facebook.  We have one incident where she tells him to stop sending so many messages or she will block in on Facebook. She later blocks him after he sends more messages.  After that she appears to accept his conduct and there is no indication in her story that she told Danny in clear terms to stop communication with her in any manner.  She knows him after all and could send him a letter, instant message, or email to stop communicating and to cease all interaction. The article does not mention her sending him a “cease” notice.  Under federal cyberstalking the “cease” notice could also be evidence to establish that Danny was causing her “substantial emotional distress.”

The writer goes on to discuss her interactions with several legal scholars who conclude that law enforcement doesn’t know how to deal with cyberstalking/harassing cases.  Law enforcement does have to work on its cybercrime responses. In this case, I think the victim should have been directed to tell “Danny” in clear terms stop contacting and harassing the victim.  Law enforcement has been known to also reach out to the harassing person, if identified, to cease and decease their behavior or they will take action. Obviously, any such notification should be documented.   Additionally, it should have been reinforced that she should stop communication with him after that notice was provided. No more accepting his friend requests, etc.

I think in fairness to law enforcement, they are focused on acts which are threatening of person or property. If she had evidence of threats of harm or Danny’s acts were clearly causing her emotional distress, such as occurs with revenge porn or forwarding obscene material, they would have been more aggressive in their response.  Another indication that would have shown the communication was causing emotional distress was it if was from an unknown person. However, the victim knew it was Danny and from her tone she just found him to be a growing annoyance. I don’t think our only response as citizens to non-threatening annoyances from individuals we know is to call the police.

Documentation of the communication and interactions is just one prong to helping law enforcement.  But like law enforcement, victims also have to learn how to deal with cyber misbehavior in a manner that either ends the troubling conduct or results in situations where law enforcement and prosecutors can go after the cybercriminal.  Nipping an annoyance with clear notification to a person that their communication is unwanted and to cease, may stop the activity before it escalates to something much more serious. Who@ (Working to Halt Online Abuse) provides the following advice on such notices:

Generally speaking, it is unwise to communicate with a harasser. However, as soon as you determine that you are truly being harassed by someone, you must very clearly tell that person to stop. Simply say something like “Do not contact me in any way in the future” and leave it there. You do not need to explain why, just state that you do not want the person to contact you.

This simple notice to stop provides evidence any reasonable person can interpret that a victim finds the interaction distressing. I have included links to additional resources for individuals being victimized below. On that note, I left a cigar lit somewhere.


PS: The victim noted that Danny’s lawyer called her and indicated that he would stop all communication. She noted that Danny’s lawyer would not tell her if he had harassed other victims, citing attorney client privilege. Danny’s lawyer contacting her may well have been the result of her formal law enforcement compliant, which was found during a probation officer’s investigation if Danny caught a criminal cyberstalking or harassment case.  If true, law enforcement may have indirectly helped the victim by documenting her concerns. The victim could do a search of Danny’s true name through online court records to determine if he had a criminal case. If Danny has such a criminal case she could reach out to the Court and/or probation office to insure they were aware of her plight as a further preventive step.  If he is on supervision he can be ordered to cease contact or face a sanction (location monitoring, jail time, etc.)

Some Resources

Stalking Resource Center

Who@ (Working to Halt Online Abuse)


The Dark Net Archive

A recent article in the Economist magazine “Shedding light on the dark web” brought to light the work of Gwern Branwen (reportedly a pseudonym). Branwen as a researcher decided to collect information on the dark net. According to the article, roughly once a week from December 2013 through July 205 he crawled 90 different Dark net market places (including Agora, Evolution and Silk Road 2) and archived a snapshot of each page.  The Economist reports that the data collection is 1.5 terabytes of data. Included in the various 360,000 sites is information on the items sold, the Bitcoin price of the item, the date of the sale, shipping information, customer ratings and the vendor’s pseudonym.  On his website Gwern says “I scraped/mirrored on a weekly or daily basis all existing English-language DNMs as part of my research into their usage, lifetimes/characteristics, & legal riskiness”.

Dark Archives

Wow, that is a heck of a data set to crawl through.  Anyone investigating crimes on the dark net finally has some historical data with which to do research.  This can provide investigators with some valuable information as to targets and suspects. The article admits that the collection was not everything on those sites and excluded certain data..  Still this is a treasure trove of information not previously available to researchers and law enforcement. Gwern also states on his website that the data set contains various vendor PGP keys, username (even clearnet names), and email addresses.

You can find the complete archive at Or by going to the ever popular where they have a Torrent link to download the data


“The Government Did Not Need a Warrant….” — In support of NIT’s

WOW, that is all I have to say up front. A federal Judge responding to motions filed in one of the Tor hidden service cases against users of the “Playpen” child pornography site found that the FBI did not need a warrant to use a Network Intrusion Tool (NIT). If you have not read Judge Henry Coke Morgan, Jr’s finding in the Playpen child pornography case you need to, find it here Judge Morgans Ruling.

After you read it come back and let’s chat….

Okay, now that you have done your light reading, let us review a few things.  First, I am a huge proponent of law enforcement use of “Policeware” (for full disclosure my company received a grant from the USDOJ Bureau of Justice Assistance to build a NIT for local law enforcement’s use).  Judge Morgan hpolicewareas done a fine job of recognizing and validating the use of these tools by law enforcement. He commented in his decision, “As noted in Levin, “NITs, while raising serious concerns, are legitimate law enforcement tools.” 2016 WL2596010, at *8.”.  Judge Morgan presents, in his 58-page opinion, several serious points of interest to law enforcement investigators. After reviewing numerous motions before the Court, he concluded “The Court finds that no Fourth Amendment violation occurred here because the Government did not need a warrant to capture Defendant’s IP address,”. This decision alone is significant in that the Court felt that no warrant was needed for the FBI to deploy their Network Intrusion Tool (NIT), even though they had originally obtained one for its use in this case. Partly it was because of the nature of the tools limited identification of information from the target computer. The Defense had said that the original warrant was not specific enough, but the Judge pointed out the FBI was only seeking 7 pieces of information and specified exactly what that information was that they sought.

Judge Morgan supported his opinions with well thought out reasoning. However, this does not mean that everyone agrees. The Judge’s decision has met with much consternation by those viewing this as an overreach by government and an invasion of privacy. Mark Rumold of the Electronic Freedom Foundation complained in a recent blog posting that the decision was “…a dangerously flawed decision …”. Rumold further commented “The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” Well, that is a little bit of an overreach of what the Judge said. In fact, I think the Judge succinctly put that based on the architecture of the Internet and how browsers work the targets of the investigation traveled to Virginia over the Internet. This then gave the Magistrate Judge the authority to issue a warrant because the target had traveled to Virginia to access the Tor Hidden Service.

As anyone knows on the law enforcement side, law enforcement is never free to search anything and this decision did not extend the reach of law enforcement. What it did do, was to help define what technology can be used in a cyber-investigation. It also helped to legitimize law enforcement’s deployment of NIT’s and make them Legitimate law enforcement tools… This is fantastic, it is about time that law enforcement can use the technology available to them in a meaningful way to fight crime online.  Although, the larger media and its audience will not recognize it, this decision is to cyber-crime investigators what the North Hollywood shootout was to patrol officers. Instead of crazies with machine guns and bulletproof vests being fought off by police officers with revolvers, this case has the chance to change cyber investigators still using Window XP into cyber-crime SWAT guys. Special Weapons and Tactics will take on a completely new meaning within the cyber-crime arena. The deployment of NIT’s will change how we collectively seek out those committing crimes on the Internet.

So what does this mean going forward? It means law enforcement can actually catch more bad guys committing crimes on the Internet. It means cyber-crime investigators can come Snip from orderout of the dark and become aggressive members of the law enforcement establishment.   According to Judge Morgan “The Government’s efforts to contain child pornographers, terrorists and the like cannot remain frozen in time; the Government must be allowed to utilize its own advanced technology to keep pace with our world’s ever-advancing technology and novel criminal methods.”

Thank you Judge Morgan for understanding the technology, and making sense of the Internet policing front line. Sadly, at this time this is only a single Judges ruling. We can only hope that our well-reasoned and intelligent Judiciary will understand the technology and come up with similar findings in other cases.

Hey Lets be “Friends”: Why Police Need to be Careful with Personal Cell Phones

Well it happened again. You know what we are talking about. A police officer either issues a ticket or arrests someone, and the suspect concludes it is a good idea to go to Facebook and make a threat against the officer.  This time it happened in Jackson County, MI, when Joey Jason Holliman allegedly posted a threatening message on Officer Michael Strickland’s timeline shortly after being ticketed Wednesday.

We don’t know how Holliman located Officer Strickland’s profile.  It may be that Officer Strickland didn’t set his privacy settings properly. For instance, he may have allowed search engines to index his profile, a feature that can be turned off rather easily.

But then again it might not have anything to do with the settings. Let us explain. About two weeks ago, I started seeing individuals appear in my suggested friends page that should not be there. For instance, offenders that I supervised and had sent to prison. Todd and I discussed how this might happen. We ruled out that I had searched for them with my profile or I had their telephone number in my personal address book.  I theorized that they may have searched for me. Even though they couldn’t find me as my privacy setting was locked down, Facebook, thought I might want to connect with them, so it suggested them as possible “friends.” How helpful! (We haven’t ruled that theory out yet.)

However, it appears there is another possibility that is even more troubling. If two Facebook users connect to Facebook from the same IP subnet or they are using Facebook on their cell phone from near-overlapping geocodes, the social networking site assumes the users are “friends” or potential “friends.” Yep, you guessed. It then populates the suggested “friends” to both users.  How nice!

In the ticket incident above, if both Holliman and Officer Stickland had cell phones on, with Facebook connecting to the Internet, they would have likely been using an overlapping geocode.  Even if Holliman’s didn’t remember Stickland’s name, Facebook would likely have suggested him as a potential “friend.”

Many of us carry our personal cell phones on our person in the field.  We also have them in our office.   But by allowing Facebook to connect to the Internet from our cell phones, we are exposing ourselves to “friend” suggestions from those we would prefer not know we even have a Facebook profile.  How many times do those of us in law enforcement go into high crime areas with criminals nearby with cell phones on their person? How many times do suspects have cell phones on their person in police waiting areas or outside courtrooms? Do we really want our Facebook profile offered up as a “friend” suggestion to EVERYONE?  Unfortunately, Facebook does not offer restrictions on appearing in “friend” suggestion lists.

It would seem the solution is to turn off one’s geolocation  (Suggestions can be found here). But, this would seem only to limit Facebook from sharing it with other users. This suggestion does not prevent Facebook from gathering your geolocation and using it for its own purposes, such as in suggesting “friends” in the same area.  The really only secure why to stop this is not have Facebook installed on your phone OR at a minimum limiting your cell phone/Internet usage. For instance, turning it on when needed and turning if off when not in use.  This way it is not consistently connected to the Internet, looking for “friends.”  Additionally, limit or eliminate your cell phone/Internet usage in “high “risk” areas, such as where you might run into someone you are going to arrest, are arresting, and/or did arrest. Finally, individuals involved in law enforcement must be continually vigilant to how their personal devices may be inadvertently “leaking” information to other devices in a way that poses a risk to them and their loved ones. Of course, that is really sound advice for all of us, regardless of our occupations. On that note I left a cigar lit somewhere.

Riddle Me this Batman: Doing Google Search Warrants

One of the unique aspects of my “job” is I get to see investigative reports on various cases and how they develop. Recently, I was looking at the investigative efforts of an agency on a child porn case. It was a simple case really. The suspect used a gmail account to send illegal images to a covert account, which also happened to be a gmail account. But I have my questions.

The investigative agency got a search warrant and served it on Google. However, for some reason the matter was not sealed. If one searches the gmail account name you can actually still find the case which references the search warrant, i.e., USA v. actual name of the gmail account.

Yeah, big problem Batman. And guess what? The suspect went missing for a year. First question, why was the search application not sealed in this day in age, particularly on a case seeking a search warrant an email account? I am just guessing but maybe this suspect did a Google search on his email or even had an alert set up to notify him when his email showed up on the web. Hence, the reason he was missing for a year.

Next few questions in this case revolve around the search warrant affidavit and what they were seeking. In this case they only asked for “the email account”, which apparently is all they got. They got email to and from the suspect and their attachments. This was the meat of the issue and showed he sent and received illegal images. However, why didn’t they seek and obtain other aspects of the Google account in their application?

Specifically, they interacted with this suspect via email from another gmail account. Why not have also interacted with him using Google chat function too? It is after all highly likely that this suspect also used Google’s chat service to trade child porn, if not worse. Additionally, what about asking for everything on the Google drive too? I mean, individuals don’t just store data on hard drives now. Why not also explain that law enforcement also needed data from this subject’s Google drive in the search application?

Additionally, individuals often times will search via Google while they are signed into their account. Guess what? Google will frequently have that history saved. Won’t it be good to also have that evidence that subject was searching for these images too?
These last two questions, concerning the Google drive and the search history, become particularly important when we consider that when they found this suspect his computer was long gone. Sure they have the emails messages and attachments sent back and forth. But is it possible that he still has images saved in his Google drive?

Additionally, this suspect initially claimed his account was “hacked.” One way to overcome the “hacked” defense is the person was doing other activity at the time they were looking for porn. For instance, one minute he is looking for an address for a job and the next he is surfing for porn followed by searching for a car part etc. Also, having the IP address from where the account was accessed during the email and browsing sessions would also have been helpful to defeat the hacker defense, particular as they didn’t have the suspect’s computer. Thankfully, he later admitted he was using the account to trade child porn and dropped the hacker defense.

Final question is they apparently never went back and got search warrants for the original Google account and additional email accounts after his admission over a year later. Do we really believe that he only traded child porn for a two month period? With his admission and the evidence already gathered it appears that there would be plenty of probable cause, which wasn’t stale, to get additional search warrants for these accounts. I get that they had plenty of evidence but shouldn’t they make sure they checked these accounts again. We don’t stop searching a building because we found drugs in one room. What if there were more than just additional images in those accounts, such as evidence that he was involved in molesting a child?

Granted I am playing arm chair detective here and they have the guy. My point to all this is we need to start looking at Google as more than just an email service. It is cloud storage provider and in many ways contains as much and maybe more pieces of electronic evidence than a traditional computer. So Batman, what you think? On that note, I left a cigar lit somewhere.

Use of Policeware on the Rise


The challenge for law enforcement and intelligence agencies investigating Internet crimes are those users who hide themselves using various “anonymization” techniques. Internet anonymization techniques allow targets of criminal and terrorist investigations to hide themselves from other Internet users. In normal circumstances, this can be a privacy concept employed to prevent others from identifying a user in legitimate situations. The issue for law enforcement investigators and the intelligence community becomes when criminals and terrorists use this same technology to prevent their victims or government from identifying who they are and hiding their location.

The misuse of Internet anonymization poses unique investigative challenges. However, criminals and terrorist can be identified given certain circumstances and the appropriate application of social engineering skills and investigative tools and techniques. The challenge is; 1) knowing that there are methods to employ; and, 2) obtaining training regarding employing those methods.

In recent years, a new category of computer coding for government agencies has developed and are referred to as “policeware” or “govware”.  The recent exposure of one of the companies involved in this industry “HackingTeam”, from Italy, has shed light on these tools’ use by law enforcement and the intelligence community. HackingTeam’s company servers were broken into by as yet unknown hackers and their company and client information exposed to the world.  Retaliatory strikes by the hacking community, purportedly as supporters of freedom and protecting the innocent, is nothing new. Just a few years ago Gamma Group from Germany, another large company in the Policeware industry, also was hacked and had internal material and code exposed.

What both of these incidents revealed to the world the extent to which the law enforcement community (mainly at an involved county’s  National level) and the intelligence community’s efforts are to identify investigative targets. It also shows that there are a series of tools available that can further investigations into anonymous users.  Generally, most investigators are unaware that there are several categories of tools to assist in the investigation of anonymous users. These can include: Server side scripting, Target side scripting, and Total device compromise (complete takeover of a machine). Other traditional methods of evidence collection against targets can include general Network surveillance (sniffing your network for clues), Physical access compromise and Lawful interception techniques like a traditional wiretap but of a computer).  These varied investigative techniques require additional training and education for the law enforcement community. This training and education not only includes the technical aspects of the tool deployment but also the legal implications of employing these techniques against a criminal target. Unfortunately, this information is currently not generally available. Law enforcement should look to a broader acceptance of these more offensive techniques to continue their efforts in protecting their communities. Certainly, the U.S. federal law enforcement agencies are using these techniques. In his recent comments to the House Intelligence Committee hearing on cybersecurity, FBI Director James Comey said about criminals using the Darknet that if they “use the onion router to hide their communications.. They think that if they go to the dark web… that they can hide from us.” But, he says: “They’re kidding themselves, because of the effort that’s been put in by all of us in the government over the last five years or so, that they are out of our view.” The methods and techniques to reveal criminals online is diverse.  Law enforcement investigators are beginning to employ a variety of methods that will further their investigations and catch criminals who thought they were untouchable.