[AusNOG] Metadata retention... it's now (almost) a thing

Matt Palmer mpalmer at hezmatt.org
Mon Nov 3 10:13:49 EST 2014


On Mon, Nov 03, 2014 at 08:28:58AM +1100, Ross Wheeler wrote:
> >only reason I could see them needing the raw logs is if it is
> >required for evidence in prosecution (have had AFP agents fly in
> >to pick up some form of evidence before from a colleague in a
> >previous job).
> 
> I still don't see how they (think) they can guarantee any logs
> extracted from a system haven't been "fiddled with" before they get
> there. It would be a trivial task and I should think it would be
> either undetectable or impossible to prove it was either valid OR
> tainted.

Right there with you.  In my experience (having testified as an expert
witness in a trial on this exact subject), the court effectively puts the
evidence itself on trial, trying to get to "beyond a reasonable doubt" as to
whether or not there was motive, means, and opportunity for the logs to have
been altered by someone.  Like the crime itself, you can rarely get to
"absolutely, 100% sure" one way or the other, everything is about making a
judgment call.

If there's one thing my time doing that taught me, it's that we're
*extremely* lucky in our business to have such a black-and-white view of the
world.  In the legal game, *everything* is truly shades-of-grey (and far
more than fifty).

Incidentally, and completely off-topic, if you want to see the legal
shades-of-grey in all its glory, listen to serialpodcast.org and try and
decide if you think the guy at the centre of it all is guilty or not.

- Matt

-- 
A byte walks into a bar and orders a pint. Bartender asks him "What's
wrong?" The byte says "Parity error." Bartender nods and says "Yeah, I
thought you looked a bit off."