When I was at the public defender's I had a few cases involving CSAM and none of them even gave counsel access to the actual material. It was all matched by hash - which is problematic on its own because at that point, they used MD5. It was 2014. There's no reason to base a case on a single MD5 hash hit passed down from a federal case passed down a level. I couldn't ask anyone in the office for help, since the lack of budget really stretched the investigators extremely thin, and also, I appeared to be the only person who knew anything about cryptography. There are others I went to school with who certainly knew, but they did the rational thing and went into IP or in-house work that paid actual money. Some even had parking spots. I worked at a place where it was normal to excuse oneself every 4 hours to fill up the parking meter, even if it was mid-trial. So I guess on some level I shouldn't have been surprised, but without anyone having seen the material, really if I didn't suppress the evidence there wasn't much of a defense. Juries tend to take evidence at face value and prosecutors can easily find some expert that I can then try to impeach, but it would create a circus and be unlikely to convince the jury since as soon as "child" comes out, I mean, I didn't really have a shot.
Except it was also impossible to explain to the judge to exclude the evidence, because the best way to demonstrate would be to create a collision, and I couldn't bring in my computer, it had to be on paper. Since I'm entirely self-taught when it comes to technology it's impossible to discern what is jargon and what isn't. None of it sounded like jargon to me. All of it sounded impenetrable to everyone else. Client pled guilty after the motion was denied. God knows how sound the actual case was, but I think the whole point is to not test that part at all. It was strict liability so intent didn't matter, it was binary, and strict liability crimes are next to impossible to win in trial without nullification, but if I said the word I'd be hauled off myself. It was frustrating as hell.
But the worst part was that most such cases were handled by the juvenile unit. Everyone had too many cases so unless it was a murder or on that level in terms of potential time, everyone is on their own. Most cases were actually the result of the age of consent in the state being 16, but federally it is 18. I was never good at dealing with kids and it wouldn't make any sense to put me in juvenile court just in case, but I didn't do anything with the CFAA until I briefly took CJA work on the federal level before moving cross country. Mostly the problem was that the actual alleged crime is very ordinary in most senses but a small piece of it required someone to call out the expertise of the prosecutor's witness during cross. I don't know where they find their witnesses, but if a 25-year-old with nothing remotely relevant on a resume can impeach your credibility, well, shit.
I hope things have improved, although I'd be happy if all of the attorneys can read their emails without printing them out. It's always the best trial attorneys who did that and it was wild. In 2014 we had cryptocurrencies, people were providing evidence by sending videos from their phone to mine (with a ROM that debloated my phone I got a staggering amount of storage - close to 100GB in my pocket). I even made a rudimentary but perfectly workable internal app that aggregated the sentencing guidelines so at least for the year, nobody needed to waste time flipping through the tome published yearly and then add up points; my very ugly app can read the data from a MySQL db on a surplus machine from the county that I had to get a hard drive for but ran like a champ. Sadly, since the data needed to be refreshed yearly, pretty much as soon as I left, the office reverted.
But somehow, MD5 hash matching meant that there's someone who has 4 more years of sex offender registration left, today, over a decade after the case was closed. Nerdy injustice is still injustice.
By far the top comment in our history, Jim. We should have a visit sometime.
Haha, thanks. I'm in Vegas about 51 weeks out of the year, although god knows why anyone actually chooses to come here. My family happened to mostly work in casinos and I didn't have much of a choice if I wanted to be close to family when I was burned out, although all of the folks who run conventions when it's 125F out every day are, in my opinion, utterly nuts, whether it's LibertyCon or Black Hat or whatever it might be. I don't know how people are still able to practice law when the government really doesn't consistently care about so much that actually matters. My grandfather quit his post as a judge in 1980 over pretty much the same reason, except he was in China, and the courts literally don't decide anything. At some point I'll probably write some explainers that will be a very cynical and entirely real version of how a substance that doesn't have any substantive research associated with it gets scheduled so that there can't be any research on it. Or how substantively every judge except one has entirely failed to grasp how crypto works in this country. There's an ongoing trial right now over something that clearly isn't illegal, and prosecutors are basing their allegations heavily on the fact that the defendants thought it was illegal, which, of course, doesn't make it so. You can't manifest a crime into reality, but they're doing their best. Although the fact that it got to trial means that nobody involved knows fully what's going on and that's horrifying and sad at the same time. Corpus delicti is no small matter, it kind of determines whether a crime even happened. On the state level I was told that it should always be the first sanity check. But the presumption of competence on the federal level really is neither deserved nor warranted even though it's just routinely assumed to exist, considering that the interim(?) US Attorney in E.D. Va's entire background is in what, mortgages and real estate?
I moved here without knowing what an HOA is, and that at least is only consequential on a small level. The opposite of that is insane. It makes allowing a 25-year-old to take death penalty cases with 3 days of CLEs look sane.
But yeah, feel free to hit me up if you end up in these parts. If I'm slow to respond, there probably was a breach somewhere and my inbox is flooded with Coinbase phishing emails. I'm actually banned from Coinbase, and the usual suspects like PayPal and Venmo too. Doesn't matter how convincing, I pretty much only get phishing emails from places I don't associate with, but the volume is hilarious (also I get other people's tax returns since 4 letter Outlook email addresses are a magnet for those). Not that some 15-year-old skid with an email list would know that, so I'll eventually run a cleanup and get back to you. But my messages are also open and I read a lot more than I write, either way, feel free, but don't feel obligated. Definitely enjoy your posts, while the platform's interface I'm generally ambivalent about. The only thing that prevents full API usage is the DeviceCheck/Play Integrity token generation and I'm sure there's code for that. Either way, it'll be on GitHub with a very permissive license if I actually get around to it. Peace.