Hooking Your Computer Up To Government Owned Networks and Fourth Amendment Protection:
This week, the Ninth and Tenth Circuits have each decided interesting cases on how the Fourth Amendment applies when a person hooks up their personal computer to a government-owned computer network, leading to a search of the personal computer by a government official. I'd like to blog about both opinions at length, because there is a lot here -- some of it right, some of it a bit off. But in the meantime I'll just note the opinions: United States v. Heckencamp (college student connects to college network; retains REP in his computer, but remote search by university system administrator okay under "special needs" exception) (hat tip: Tom Cross); United States v. Barrows (town government employee who brought computer to work and connected it to town's internal network on permanent basis lost reasonable expectation of privacy in machine's contents). Very interesting cases.
Garbage. Inexcusable. If they wanted the computer off the network, they could have easily traced the switch port it was connected to and walked into the closet to unplug it. Absolute worst case, it was an unmanaged hub/switch and they had to unplug a couple of dozen students. And with a little extra effort, they could have, by process of elimination, identified where exactly the connection was coming from. Done properly, they could have quickly and easily gotten everything they needed to get a warrant without breaking any laws in the process. When I worked for the U of MN, we had strict rules about these sorts of things. Breaking into a student's computer would have been grounds for termination and a referral to law enforcement.
But this isn't what happened. They already determined Heckencamp was the likely source of the intrusion. The further investigation on the part of the administrator was to determine if he had switched to another IP address in the same IP block. The network would have been better protected by simply blocking any administrative access to the mail server from the block of IPs assigned to the dorms. It was noted earlier in the ruling that:
This would have prevented the unauthorized access the university was concerned with and it wouldn't require searching any computers or inconveniencing students, who shouldn't have administrative access to the mail server anyway.
There are also non-intrusive ways to reasonably determine if a computer, having switched IP addresses, is indeed the same computer. Every network interface card is assigned a unique MAC address by the manufacturer. This address is visible to the network and does not change with the IP address. There are, of course, ways to change the MAC address, but it would have been a reasonable first step for the admin to take before breaking into the student's computer. There is no indication that the admin tried any non-intrusive methods before breaking into the computer.
Since the admin's actions were not protective, but rather investigative and unnecessarily intrusive, I don't think this would be covered under the special needs requirement. My expertise is more on the computer side of this, however, so my legal opinion may be off.
As NWD said, they could have disconnected the computer at the switch, which is under the university's control, rather than enter his room. The admin would have to be remarkably incompetent to think this was the best way to go about protecting the network.
This was evidenced by its public location, always-on status, lack of password protection, use for work activities, as well as its connection to the network. By the judge's reasoning, the first four facts would be sufficient to prove "his failure to take affirmative measures."
As an aside, on the balancing analysis: since when does the government's interest have to be compelling?
Based on what I can gather from the opinion, they have either IP addresses associated with each room. Savoy blocked (probably from the Mail2 server) the device using .117.
Then Savoy "checked the networking hardware", probably via looking at the ARP cache of a routing switch, and noted that the computer that was using the .117 address was now using the .120 address.
What I don't understand is what caused the light-bulb to go off for Savoy as is noted on 3884: that the Mail2 server "security could be compromised at any time", particularly because "the intruder at this point knows that he's being investigated". If that is a reasonable conclusion and knowing Heckencamp's previous history, why did Savoy go home? Geeesh.
On 3884, Savoy determined that the machine needed to "get off line immediately or as soon as possible". Again, Savoy should have come to that conclusion much earlier in the process, given what they knew.
Given the proper software, of which we don't know that University of Wisconsin has, if the IP address or MAC address of a suspect device is known, it would take all of 2 minutes to find the switch port the device was connected to, and disable the switch port. I say switch port because I am doubting that a residential network would still be using hubs.
So, speaking from a technical and response standpoint, I believe Savoy acted slowly and should have acted more proactively than he did, considering what he knew of Heckencamp, and there was in all likelihood an easier way to disconnect the device from the network. I am not condoning what Heckencamp did – but Savoy needs to bone up on how he responds to network incidents.

Also, if you log on to a Federal Government network the first thing you see is "this is a government network, you have no expectation of privacy" and pretty much the same thing on most university networks today. End of story.
You may not have an expectation of privacy for traffic that goes across the government network, but the computer itself remains private.
In the case of the student, once the administrator knew the MAC address his search was done -- he should have been ready to call the cops. Most installations that I know require you to register your MAC address before DHCP will give you an IP address. In any case even if the evidence uncovered is admissible, the school employee should be charged with computer trespass etc. I believe there are laws against it.
The city employee's case has nothing to do with networking as such. Rather, if you leave your computer on at work day and night without password protection and it seems to be the cause of a network problem then it is quite reasonable for someone to root around the computer trying to fix the problem. They are probably trying to do you a service. If you are doing something secretive with the computer then turn it off. If the city was monitoring network traffic it would have been a different case.
After all, when I am in a dorm, the College is both my landlord and my ISP. Worse, I have no other choice for ISP. By this logic, can my ISP at home rifle through my transmitted and received data so long as they put me on notice that they might do so?
All right! I can legally hack into my neighbor's computer through his unencrypted WiFi connection!
That said, my second-guessing would be rather different than that of several of the other commenters. I would be a lot less quick to jump to the conclusion that Savoy was incompetent -- though I also would have liked the court to be less quick to accept his statements at face value. Perhaps Heckencamp's lawyers were not very aggressive in this regard? If so, the court can hardly be blamed for not going into the matter.
Some of the commenters seem to have lost sight of the fact that the events in question took place in 1999, not 2007. Network management was a lot more primitive then. Heck, we still have unmanaged hubs and switches in a lot of our dorms even in 2007, just because it is too expensive to replace a whole campus worth of more-or-less-functional equipment -- we upgrade as opportunities present themselves. Aside from the year, one clear sign that they were not working with today's state of the art equipment was the very fact that Heckencamp was able to change his IP address; nowadays the switch would lock the MAC address down to the assigned IP address. Speaking of the assignment of the IP address -- one of the commenters said something about DHCP. This is totally irrelevant. DHCP is a way to ask what IP address you should be using. Heckencamp could still choose to use a different IP address than what DHCP told him, or for that matter not ask the question in the first place. What is needed is the switch refusing to carry packets with the wrong IP address, which is a separate matter than the DHCP service. And while Savoy could probably have cut off a whole floor of the dorm, or something like that, I will remind you that doing that at finals time is not a popular choice -- even leaving aside the issue that I bring up in the next paragraph.
Finally, and perhaps most importantly, some commenters seem to make too easy a distinction between protective and investigative purposes. In particular, I would like to emphasize that activities that are in themselves investigative can be (and often are) carried out with an ultimate goal of protection, rather than of law enforcement. Real world analogy: consider protecting yourself using a bullet-proof vest vs. protecting yourself by using a flashlight to see your assailant vs. trying to gain evidence for criminal prosecution by using a flashlight. The court, as I understand it, isn't inquiring into whether Savoy used the moral equivalent of a flashlight or not. They are inquiring into whether he was gathering information to protect the systems or gathering evidence for prosecution.
The reason why this is very important is because the adversary Savoy was trying to keep out of the university's sensitive computers wasn't Heckencamp's computer (whether with IP address 117 or 120), but rather Heckencamp himself. The prior commenters seem to think the university server could be protected just by blocking a sufficiently large IP address range. But Heckencamp can take his special knowledge with him and go to a different computer, perhaps one with a quite different IP address, such as in the computer science department. We don't know what that special knowledge was. Root password? Backdoor that he had previously installed? Some exploitable vulnerability in the server software? The commenter who said root access shouldn't have been allowed from dorms seemed to assume that Heckencamp was just logging in as root through the normal front-door way. But maybe that isn't what was going on. Most importantly, I suspect that Savoy at this early point in the investigation didn't know what was going on either. Even if he knew what particular method Heckencamp was using to gain access to this particular server (which he observed), he didn't know what other servers Heckencamp had unauthorized means of accessing, nor what those means were. There was every reason to suppose that such other servers did exist and were at risk. (Remember, Heckencamp had a past record and was known to be breaking into Qualcomm.) In this context, disconnecting one computer by whatever means -- in the closet in the room, by software -- and sending Heckencamp and his knowledge out into the night to find another computer somewhere else -- would have been a very risky thing for Savoy to do. In order to protect against that risk, Savoy needed to neutralize Heckencamp's special knowledge.
Now, one way to do that in principle would be to lock Heckencamp away where he couldn't do any harm. But we fortunately live in a world where lots of due process stands in the way of this approach. (I wouldn't want it to be easy for me to be locked up.) So I gather that the approach Savoy chose.
Instead, he took a very standard computer security approach, which is to try to learn as much as you can about your adversary. If you know which vulnerabilities he is aware of in which of your systems, then you can close up all those vulnerabilities. That way it doesn't matter where he goes and which computer he uses. This explains why Savoy wanted a disk image. That is part of what the other commenters are missing. The protective action didn't just consist of unplugging the network cord. If that were all that Savoy did, then he really would have deserved all the scorn heaped on him by other commenters. (How hard can it be to get another cord and plug the computer back in?) But that was just one quick initial step in a much more intensive investigation, which investigation was motivated (or so the court tells us) by protective considerations rather than law enforcement ones.
Sprint, Verizon, Cingular, etc. would all be happy to provide you with wireless internet connectivity.
If Heckencamp was able to carry out his attack from any computer, not just his own, this initial trespass wouldn't reveal any information about that either way. The trespass was limited to determining if it was the same computer.
As for the subsequent steps taken, including "running commands" on his computer and copying his hard drive, these were done with the consent of Heckencamp and so are not at issue.
Certainly there are suggestions in the rather muddy court record that Savoy did not behave perfectly. Perhaps if he had it to do over again, after careful reflection, he might do it differently himself. I am reluctant to Monday-morning quarterback him in part because it is perfectly normal for judgment to slip somewhat during a crisis situation, and there is a big gap between less-than-perfect and utterly incompetent. However, I am also unwilling in large part because I doubt I really understand what Savoy actually did. He certainly didn't explain his actions to the court the way he would to a professional peer, and the court certainly has its limitations as a means of conveying what he said to us. Before I jump to a conclusion that would reflect poorly on him, I'd like to be able to ask him to explain just what commands he ran, and why. What is it that he was after that the network log didn't already tell him? The very fact that this is perplexing from the court's version of the story makes me assume there must be something lost in translation, rather than assuming that he was so incompetent as to log into a computer to obtain information he already had from a log.
By the way, speaking of less than perfect performance under pressure, I apologize for how evident my hurried typing is.
Anyhow, back to the fact that the court didn't really delve into Savoy's story in any meaningful way, but rather took it at face value. I turned up an earlier news story that suggests Heckencamp's attorneys may have been rather hamstrung in their ability to give him effective representation. It makes interesting, if sad, reading.
I will call into question Savoy leaving work, going home and then checking on Heckencamp. If someone wants to learn more about their adversary, I would suggest staying on-campus where access to a fuller suite of network monitoring tools probably existed. The actions of Savoy going home do not indicate (to me) that he was very concerned about this matter, especially given Savoy's knowledge of Heckencamp's prior activities.
If the University of Wisconsin did not have switch ports to the dorm room in question in 1999, then disabling a switch port was not an option. But "back in the day", so to speak, there were several other options to restrict the traffic of Heckencamp. MAC based filters implemented at the network core could have been effective. Savoy was able to determine that Heckencamp's PC had switched from using the .117 address to the .120 address, so there was some capability to track what IP address a specific MAC address was bound to.
I'm not condoning the actions of Heckencamp, but do believe that the response by Savoy was confusing. It was finals week and if the situation was as grave as was being indicated, then trying to learn more about the adversary was I believe secondary to ensuring that services remain available for students. Going to Heckencamp's room could have been accomplished earlier in the process, and also saved Savoy a trip home and back.
Of course, much of the response by Savoy could have been stipulated in whatever policies the University had in place at the time concerning network security. Speaking for the college I work at, resource availability has always been the priority. If additional information on an unusual event is needed, it is obtained while keeping in mind that priority if at all possible.
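Several commenters above (the one who suggests comparing MAC addresses as a non-intrusive first step, the one who reads Savoy's "checked the networking hardware" as a look at a routing switch's ARP cache, and the one who notes that the university evidently could track which IP a given MAC was bound to) are describing the same defensive check: correlate IP-to-MAC bindings across two snapshots of the network hardware's ARP cache and see where the MAC that held the blocked address turned up. The following is an added example of that check, not code from the post or from any commenter. The `arp -a`-style line format, the host names, the 192.0.2.0/24 addresses and the MAC addresses are all constructed for illustration, and the function names (`parse_arp`, `moved_hosts`, `same_machine`) are this example's own. As the first commenter also notes, a MAC address can be changed by the host, so a match is a strong hint about the same machine, not proof of it.

```python
"""Correlate IP-to-MAC bindings across ARP-cache snapshots to tell whether a
host that changed its IP address is the same machine.

Added example, not from the post or its comments. All snapshot text,
host names, IP and MAC addresses below are constructed for illustration.
"""
import re

# One line of `arp -a`-style output as many routers and switches print it:
#   host (192.0.2.117) at 00:1a:2b:3c:4d:5e on vlan117
# Only the IP and MAC are needed; everything else on the line is ignored.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed snapshots: first while the .117 host was active, second after
# the .117 address was blocked. The second prints the MAC in upper case to
# show that comparison is case-insensitive.
SNAPSHOT_BEFORE = """\
dorm-a-117 (192.0.2.117) at 00:1a:2b:3c:4d:5e on vlan117
dorm-a-118 (192.0.2.118) at 00:1a:2b:3c:4d:60 on vlan117
"""
SNAPSHOT_AFTER = """\
dorm-a-120 (192.0.2.120) at 00:1A:2B:3C:4D:5E on vlan117
dorm-a-118 (192.0.2.118) at 00:1a:2b:3c:4d:60 on vlan117
"""


def parse_arp(text):
    """Return {ip: mac} for every parseable line; MACs normalised to lowercase."""
    bindings = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            bindings[m.group("ip")] = m.group("mac").lower()
    return bindings


def moved_hosts(before, after):
    """Return {mac: (old_ip, new_ip)} for every MAC whose IP changed."""
    ip_by_mac_before = {mac: ip for ip, mac in before.items()}
    moved = {}
    for ip, mac in after.items():
        old_ip = ip_by_mac_before.get(mac)
        if old_ip is not None and old_ip != ip:
            moved[mac] = (old_ip, ip)
    return moved


def same_machine(before, after, blocked_ip):
    """Where did the MAC that held blocked_ip in `before` reappear in `after`?

    Returns the new IP, or None when blocked_ip was not in the first snapshot
    or its MAC is absent from (or unchanged in) the second one.
    """
    mac = before.get(blocked_ip)
    if mac is None:
        return None
    for ip, m in after.items():
        if m == mac and ip != blocked_ip:
            return ip
    return None


if __name__ == "__main__":
    before = parse_arp(SNAPSHOT_BEFORE)
    after = parse_arp(SNAPSHOT_AFTER)
    for mac, (old_ip, new_ip) in moved_hosts(before, after).items():
        print(f"{mac} moved from {old_ip} to {new_ip}")
    print("blocked .117 host now at:", same_machine(before, after, "192.0.2.117"))
```

Everything here comes from data the switch already holds, so the check never touches the student's machine; the result is what a later step (a MAC-based filter at the core, or a walk to the wiring closet) would act on. The second snapshot is the same kind of data the commenter at 3884 reads Savoy as having pulled from the networking hardware.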