Police blotter: Trojan horse leads to porn convictions

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Alabama man tries again to throw out his conviction instigated by a hacker who broke into his computer and found child pornography.

When: U.S. District Judge W. Harold Albritton rules on Aug. 2.

Outcome: Albritton denies a request for a new trial.

What happened, according to court documents:
In early 2000, a computer hacker who used the now-defunct e-mail address unknownuser1069@hotmail.com seeded a Usenet newsgroup called alt.binaries.pictures.erotica.pre-teen with a clever bit of malicious Windows software.

The Trojan horse program, called SubSeven or Sub7, can look innocuous. But once installed, it installs a backdoor in the victim's computer and can allow files to be extracted and a keystroke logger to be installed.

SubSeven did its job. On July 16, 2000, "1069" sent e-mail to the Montgomery, Ala., Police Department saying, "I found a child molester on the Net." The e-mail included an attached photograph of what looked like a girl no older than 6 being sexually abused.

At the urging of Montgomery Police Capt. Kevin Murphy, "1069" eventually turned over more and more information that led back to a computer owned by Bradley Joseph Steiger, who had worked as an emergency room physician in Alabama. The hacker's finds included information from Steiger's AT&T WorldNet account, records from his checking account, and a list of directories on his computer's hard drive where sexually explicit photographs were stored.

"1069" refused to be identified, saying he was living in Istanbul, Turkey, and did not want to be involved in any court proceedings. During Steiger's trial, the prosecutor said "we have not seen anything to indicate that this person is other than a citizen of Turkey." That turned out not to be entirely true: The FBI actually had made contact with "1069" through a U.S. phone number.

A year later, "1069" fingered another man, William Adderson Jarrett, who lived in the Richmond, Va., area. He again contacted Murphy, who started an investigation that led to Jarrett's arrest.

That's when an odd thing happened. Instead of informing "1069" that he was committing federal felonies and should cease immediately, Murphy and the FBI encouraged the hacker to continue. The FBI wrote "1069" in January 2002: "The FACT still stands that you are not a citizen of the United States and are not bound by our laws. Our federal attorneys have expressed NO desire to charge you with any CRIMINAL offense. You have not hacked into any computer at the request of the FBI or other law (enforcement) agency. You have not acted as an agent for the FBI or other law enforcement agency. Therefore, the information you have collected can be used in our criminal trials."

Steiger was convicted of sexual exploitation of children, possession of a computer containing child pornography, and receipt of child pornography. He was sentenced to more than 17 years in prison. In January 2003, the 11th Circuit Court of Appeals upheld his conviction, saying that Congress had left a loophole open in federal privacy law that lets hackers like "1069" get away with turning information over to the government and having it used in court. (The 11th Circuit called it a "legislative hiatus in the current laws purporting to protect privacy in electronic communications.")

Jarrett, the Richmond-area man, also went to Club Fed. In May 2004, a federal judge accepted his guilty plea and sentenced him to more than 19 years in prison. That was after the 4th Circuit Court of Appeals rejected his argument that "1069" was effectively acting illegally with the government's blessing. (The judges said that "1069" apparently had that kind of "relationship" with the government "going forward," but not at the time the illegal intrusions took place.)

Since his conviction, Steiger has been trying to overturn it, first with the help of a federal public defender and then by filing legal briefs that he wrote himself. His latest one was filed last month, alleging that FBI agents who testified may have withheld evidence relating to the identity of "1069" and that a new trial is necessary.

Albritton, the U.S. District judge, rejected the request on Aug. 2. Albritton ruled: "There is simply no basis from which to conclude that Unknown User 1069 was acting as an informant of the FBI so as to allow for discovery as to whether the FBI concealed information."

Excerpt from the court's opinion in the Jarrett case:
At some point after sending the e-mail message, Agent Duffy, working with Agent Faulkner, composed a list of questions to ask Unknownuser in the event that Agent Duffy was able to talk with Unknownuser.

A few days after sending the e-mail, Duffy received a phone call in response to the message. The caller had a Turkish accent and identified himself as "Unknownuser." Agent Duffy spoke with Unknownuser and asked him the list of questions he had prepared with Agent Faulkner. Unknownuser responded that he would get back to Agent Duffy with the answers. They also discussed the method by which Unknownuser searched Steiger's computer, with Unknownuser explaining that he used a Subseven Trojan Horse virus and describing his activity as "hacking" into the computer.

Also during the telephone conversation, Agent Duffy thanked Unknownuser for what he had done, stated that he appreciated what Unknownuser had done, and told Unknownuser that he had possibly saved two young girls. Agent Duffy asked Unknownuser to reach out to him because Agent Duffy (wanted) to speak with and meet with Unknownuser. Agent Duffy claims that he did not provide directions to Unknownuser or encourage him to do additional searches. The written evidence in Agent Duffy's e-mails as described herein indicates otherwise, however, and the Court does not give great weight to this assertion by Agent Duffy.

On November 28, 2000, Unknownuser called Agent Duffy's office a second time, but Agent Duffy missed the call.

Agent Duffy sent another email on Nov. 29, 2000. In this message, titled "Good news," Agent Duffy confirms that the United States authorities do not desire to prosecute Unknownuser and that they would like to interview Unknownuser. Agent Duffy suggests a date to meet at the United States Consulate and asks Unknownuser to "please answer this request." Agent Duffy further states, again, that "(you) will not be arrested--that is a promise. You have helped to save at least two lives in the U.S. and (you) should be proud of that fact."

107 comments (Page 1 of 4)
SubSeven can be used to install software remotely and copy files
by unknown unknown August 25, 2006 6:31 AM PDT
it therefore stands to reason that this individual could very easily have planted the content. The fact the FBI etc was willing to take the word of an unknown individual who was spreading a trojan and illegally gained access to these computers is somewhat frightening. Does this mean that hackers can now ruin people's lives more than they already do, and even cost them their freedom and reputation?
This is no different
by jaspercomp August 25, 2006 8:44 AM PDT
In MO than a member of a drug dealer team, mob or similar informants. They get the information by being on the inside, and then rat their buddies out, usually to save their own azzes, but in this case it sounds like he just wanted to do the right thing. These guys are stupid enough to go into an obviously child porn group, without firewalls, without antivirus (which would quickly hit on the sub-seven), etc...then they deserve what they got.
And though I have all faith,
by Pluqueric August 25, 2006 9:03 AM PDT
so that I could remove mountains, but have not love, I am nothing (1 Cor. 13:2) By no means do I condone child pornography nor do I have any sympathy for those who are responsible for such unforgivable misuse of childhood innocence. But I am an American, and I believe in the principles for which this nation stands. One of those principles is the right to confront one's accusers. The Congress and the courts have so grotesquely subverted the meaning and the intent of our Constitution that it sickens me almost as much as kiddy porn, itself. And there is no reason to believe that we "need" the suspension of our freedoms and our rights to ensure that the guilty are punished. In the cases being discussed here, none of the accused was permitted to confront their accusers. The courts have distorted the meanings of certain words and have established that the accuser is not (as in this case unknown user 1069) but rather the agency prosecuting the offense - i.e.: the FBI or the Justice Dept. or whomever. The District Attorney takes on the mantle of the accuser, and the real accusers are deemed only to be instruments of documentation as to the nature and legitimacy of the evidence relied upon. As one reader points out: 1069 was capable of installing executable programs on someone else's P.C. - who is to say that he did not also install the incriminating photos relied on as evidence by the so-called accusers? Moreover, how can a conscientious judge, sworn to uphold our constitutional rights for us, be so cavalier as to dismiss out of hand any assertion that the defendant was denied his right to confront his accusers? If the defendant is truly guilty (and not just being ramrodded or railroaded by law enforcement agencies), there should be no difficulty in proving as much and the man should be strung up by his - well, you know what I mean.
But no matter what - until he has been PROVEN guilty in a court of law, he is entitled to every protection and every benefit of the doubt provided for by the Founding Fathers. As a nation, as a people who believes in the rule of law, we cannot sit idly by and allow our government to set itself above the law in order to fight crime or terrorists. If one person is stripped of his rights and the courts permit this, every man, woman, and child is subject to the same abrogation of freedom and is just as vulnerable to the abuses of power as the most heinous criminal. Law enforcement is constantly asking for more funding, more manpower, and more power to circumvent the laws of the land - all in the name of the necessity to do their job. Horse manure! What they need is to get off their fat elbows and work at their job with the tools and weapons already at their disposal. Once 1069 has done his dirty work, the way has been paved to legally obtain search warrants - there is no reason to bypass the Constitutionally mandated necessity of petitioning the courts to issue warrants upon an allegation of probable cause. There is no reason to deny the defendant the right to confront those who accuse him. If 1069 insists on remaining unreachable and totally anonymous, then the prosecution does not have a legitimate case and they should abandon any future dealings with 1069. Then they should go after him with the same energy and dedication as they showed in bringing the kiddy porn perps to justice, or with the same conviction to bring him to justice as they once claimed they held to bring Bin Laden to justice. The 1069's of this world are not champions on white horses; they are disgusting scum who invade the sovereignty of your home through your Personal Computer. They plant malware on your PC that can plague you for months and become unbearable irritations with their constant pop-ups and the way they take over your personal settings. I have no sympathy whatsoever for the 1069s in this world.
They should be brought to justice just as swiftly as the regurgitated vomit that violate the beauty and innocence of childhood to satisfy their distorted and perverted lusts. Frankly, law enforcement does a fairly good job of patrolling the web for predators and sickos. What very little is contributed by the 1069s is negligible. Do not be too quick to rush to judgment. Our Savior tells us to love one another and not to judge others lest we be judged ourselves. We are admonished by Him to cast no stone unless we, ourselves, are guiltless. We have an obligation to do all we can to protect our children, but let us not forfeit their future rights while doing so. Thus, when an allegation exists, when it is discovered, or reason surfaces to believe, that someone is engaging in the molestation of innocence, let us proceed with diligence, but with respect for the rights of all men.
Wow - we're all in danger!
by missingamerica August 25, 2006 9:08 AM PDT
As noted, if you have a back door into a system (or a front door), file time stamps don't mean anything and the presence or absence of a file doesn't mean anything. Heck, I made the unfortunate mistake of annoying my old company's human resources department when I told them that I could not testify in court that an individual's archived email records indeed were received by or even originated from that user. How could I, when the VMS servers in question had 20-30 people with "god" privileges able to access them, the majority of those people were located off-site, they did not practice either good password control or even basic "don't loan your account out to others" security practices, and themselves left emails scattered around saying things like "I'll do whatever it takes to grow our business within [blank] corporation" (most of them were contractors)? The forensics of I.T. just aren't good enough if you can't prove single, restricted access to a computer (in my opinion, that would include biometrics, but most definitely NOT fingerprint scanning ("MythBusters" on Discovery Channel successfully demonstrated three [yup, three] methods to defeat them the other day)). If the law applied this precedent across the board, all I'd have to do if I wanted to get away with murder is kill somebody, drag the body into the neighbor's house, and call the cops and say "hey, I saw a body through the window in the neighbor's house". Then, while the neighbor was in jail, I could obviously apply the same legal precedent to my other neighbors...although that would probably play hell with my house's resale value.
In loco parentis revisited
by bdennis410 August 25, 2006 9:18 AM PDT
"In loco Parentis" is a Latin phrase meaning, substantially, "in place of the parents." Courts have determined that in certain circumstances, schools, day care centers, even public officials can act in a child's interests if parents are unwilling or unable to do so, or, when "constructive custody" is given over to say, the school system. Whistle blowers are encouraged to discover and report illegal acts perpetrated by government or state and local officials and employees to "serve the public interest" in protecting citizens. So, in spite of the illegal act of "hacking" A well developed legal construct, developed from common law, is called a "citizen's arrest," a circumstance when a citizen can effect an arrest "on behalf of the government" when law enforcement personnel are not around and there are "exigent circumstances" which might allow a crime to be committed or a lawbreaker to get away without the intervention of a citizen acting on the government's behalf. I find it telling that we can use this evidence because the hacker was not a US citizen, therefore his hacking could not automatically be excluded from evidence. So, in spite of the illegal act of "hacking" perhaps we can find ways to avoid the definition of "fruits of the poisonous tree," the legal phrase used to prevent evidence obtained illegally from being used to prosecute a lawbreaker. If it weren't so disgusting, I could find irony in the attempts of the convicted lawbreakers to appeal their convictions on the basis of a crime being committed against them. Oh well, Kafka would be pleased. Perhaps we could do a lot more prevention and eradication by taking the approach of engaging "citizens" (that's you and me, folks) in the fight against crime by educating them on the "citizen's arrest" concept. Diogenes
Some Lawyers
by drpixel2 August 25, 2006 10:37 AM PDT
While it is true that subseven can allow for extractions of files, with a touch of tweaking, it can also allow for the uploading of files to a user's hacked comp. If the pedophiles would have been a little smarter, they could have claimed that the files were maliciously installed by the hacker and pertinent info of other identifications could have been altered. First off, they were hacked by an unidentifiable hacker who refused to testify and claims he is from Turkey. Just those circumstances should have denied a search warrant. Don't get me wrong, I can't stand pedophiles as much as the next guy but the government's ways & means are illegal most of the time.
This sets precedent admissible evidence obtained illegally
by rxbudian August 25, 2006 10:44 AM PDT
Soon you'll have the Department of Homeland Security hack into your computer or pay someone to do it under the pretext of National Security. One, if the police can't use illegally obtained evidence in court, none should either. Two, this will embolden DHS to illegally hack anyone that someone else in the Department marks as a threat.
Justice Ginsberg: Lower Age of Consent to 12 ...
by Too Old For IT August 25, 2006 11:12 AM PDT
(... well, at least in 1974 she felt that was the good thing to do. Maybe children have become stupider since.) Then put the police back to work on real crime rather than making a name for themselves with high profile, interstate chest thumping.
That third thing
by VaMinion August 25, 2006 1:26 PM PDT
Forgot the third. 3) Another possibility, btw: if the perv used Windows to burn the pictures onto a CD, it's likely that the ISO that was created was still on the machine.