UPDATE: Can You Ever Trust A Hacker? UBS Trial Puts It To A Test

The defense cast doubt on the role that a one-time famous hacker played in the investigation.

In February 1999, members of the L0pht reported finding a vulnerability in Windows NT. The flaw would allow any NT user to take administrator-level control of the computer. The group alerted the public and Microsoft, which released a security advisory and a fix. But while they were issuing alerts for software flaws and painting themselves as white hats, they also issued L0phtCrack, a password-cracking tool for Windows NT.

At the time, L0phtCrack was believed to be one of the most widely distributed hacking tools. However, it also could be used to benefit a company's IT department. In fact, Microsoft advised customers in a 1998 security bulletin to consider evaluating a tool such as L0phtCrack to check the quality of users' passwords.

Does any of this make Kasper, or any of the other members of the L0pht, part of the "murky underworld of cybercrime," as the defense called them repeatedly throughout the trial?

When a reporter put the question to him, Kasper laughed at the suggestion. "I don't see them calling me to the stand," he said. "I'd say the Senate and the White House wouldn't have invited us in if we were that shady."

Plagiarism Raised As Another Issue

Someone else in the forensics community who wasn't called to the stand was Michael Michalowicz, a partner at Protiviti, the company the Duronio defense team hired to do its forensics investigation. Kevin Faulkner, a senior consultant with Protiviti, did the investigation and acted as a defense witness in court. Michalowicz is his supervisor, reviewing Faulkner's forensics analysis and signing off on his ultimate report.

Michalowicz was on the defense's potential witness roster, but he was never called to the stand. Faulkner did take the stand, as the first of only two witnesses the defense called. Once the government had a chance to cross-examine Faulkner, the prosecutor quickly began questioning the forensics investigator about his boss. After asking Faulkner about Michalowicz's level of participation in the case, Assistant U.S. Attorney Mauro Wolfe directly asked him if he knew his boss had plagiarized an article.

The judge wouldn't allow the evidence into the case but the prosecution was pointing to the fact that Michalowicz had an article, entitled Data Forensics--In Search of the Smoking Gun, published by the Boston College Law School: Intellectual Property and Technology Forum in March 2005. A longer version of the same article, similarly entitled Data Forensics--The Smoking Gun May be a Click Away, was published in the New Jersey Law Journal on Sept. 13, 2004 with the byline Paul G. Lewis.

While Michalowicz's article was longer than Lewis', they were highly similar. The first sentence in the Lewis article reads: "The term 'data forensics' suggests a high-tech process reserved only for cases centered around proprietary technology." The first sentence in the Michalowicz article reads: "The term 'data forensics' sounds like a high tech process reserved only for those select cases encompassing proprietary technology." The second sentences are identical. The similarities--or outright duplicate phrases--continue throughout the pieces.

When questioned about it, a spokesperson for Protiviti said the article is the property of the company so any of Protiviti's partners can put their name on it. She said the article was the "intellectual property of the firm."

But that begs the question of whose ideas they are and why Michalowicz would have an article published under his own name when it had been published under someone else's name a full year earlier. In a court case where the reliability and trustworthiness of the security companies involved came into such dramatic play, such a move might make the waters even murkier.

Name That Hacker

In the current trial, defense attorney Adams repeatedly pointed out that Kasper used the Tan pseudonym when dealing with U.S. Secret Service agents investigating the attack on UBS. He even signed official forensic documents, such as chain-of-custody documents for evidence, as John Tan.

Greg O'Neil, the lead Secret Service agent on the case, testified during the first weeks of the trial that he hadn't been aware until late 2004 or early 2005 that John Tan was not his real name. "He lied to you about the most basic information," Adams asserted during O'Neil's cross-examination.

Kasper says he was up front with the Secret Service about the fact that he uses two names and would be going by John Tan during the UBS investigation. He says he made a point of bringing it up during his first meeting with Secret Service agents. O'Neil testified he was out of the office the day of that meeting and was brought in for subsequent meetings.

Brand Name

"When we get involved [in investigations], we use the pseudonyms," Kasper says, "but we're open and more than willing to share our real identities." Kasper, who says he even has credit cards under his Tan name, began using the pseudonym when he was in the L0pht, which tested various products and offered critical reviews. It was a way to protect his employer at the time (a financial institution that he declined to name) from vengeful tactics by IT vendors in the event they were angered by unfavorable reviews.

Now, the name has market value. "The public works that I put out in the security field were under my pen name, and my Senate testimony was under my pen name," he points out. "There definitely was a brand name in it. When we were building @Stake, part of the idea was to retain the brand name we built up in the L0pht. There was absolutely no recognition for the real names, so we stuck with the brand."

Kasper also rebutted the defense's suggestions that evidence he handled can't be trusted. He says he kept the evidence safe, using government-rated classified document containers to lock it away. @Stake also maintained chain-of-custody documents and used video surveillance to monitor the main entry to the company's office, labs, and document containers.

The jury's decisions should shed some light on what tech industry outsiders think of people like Kasper. Is prodding software for security flaws while operating under an assumed name grounds for lifelong suspicion--or front-line training that's perfect for investigating real criminals?