Tracking cyberstalkers: a cryptographic approach *
Mike Burmester, Peter Henry, Leo S. Kermes
Department of Computer Science
Florida State University, Tallahassee, FL 32306-4530, USA
Email: {burmester, henry, kermes}@cs.fsu.edu
Abstract
Stalking is a pattern of behavior over time in which a stalker seeks to gain access to, or control over, an unwilling victim. Such actions range from the benign to the malicious and may cause emotional distress or harm to the victim. With the widespread adoption of new technologies, new forums of Internet-mediated discourse now exist which offer stalkers unprecedented scope to locate and exert influence over victims. Cyberstalking, the convergence of stalking and cyberspace, has created new challenges for the prevention, detection, and prosecution of this new phenomenon as the traditional methods of detection by witnesses and enforcement through physical restraining orders often are inadequate.
In this paper we suggest a cryptographic approach for tracking cyberstalkers. We first define the threat model in terms of the profile of a cyberstalker, as well as legal and law enforcement constraints. We then describe a monitoring system that addresses the basic admissibility requirements of our threat model, by capturing and verifying circumstantial evidence for use in cyberstalking investigations.
Keywords. Cyberstalking, cyberharassment, digital forensics, digital evidence integrity .
1 Introduction
Make no mistake: this kind of harassment can be as frightening and as real as being followed and watched in your neighborhood or in your home.
Former Vice President Al Gore [31]
The Internet has increasingly become a forum for predator and prey crimes, wherein one party in a relationship seeks to control, exploit, or harm the other through online channels. The harassment can range from unsolicited communication (emails, chat, etc), to repeated, threatening, or malicious information. In extreme cases it may extend to luring or enticing victims contacted on the Internet into dangerous physical liaisons.
Cyberstalking generally involves the repeated and persistent attempt by one individual, the stalker, to harass another individual, the victim, using the Internet or other open network. Typically this takes place on networked Personal Computers (PCs), but it can extend to portable devices such as laptops, PDAs (Personal Data Assistants), mobile phones and more generally devices linked to the Internet. Cyberstalking is in many ways analogous to traditional forms of stalking, but by exploiting new technologies and using malicious code ( e.g. , Trojan code, viruses, time bombs, etc ), and because of the ubiquity and anonymity provided by the Internet environment, it can take on new forms with unprecedented scope.
Cyberstalking cases present unique challenges for law enforcement [4]. First, the behavior patterns associated with cyberstalking are complex, varied, unpredictable, and difficult to recognize, investigate, assess and prevent. Some studies indicate that there is no standard predator/prey profile that will universally typify parties [21]. Second, the anonymity provided by the Internet emboldens the perpetrator and complicates the determination of the identity of the stalker [29]. Third, the need to preserve the privacy of legitimate Internet users prohibits direct 'wire-tapping' of Internet channels and underscores the need for quality circumstantial evidence.
Law enforcement agents need new tools to address the technical challenges of new technologies, and these emerging types of crime, often perpetrated by resourceful and determined assailants. Ruthless, technologically advanced stalkers can easily intimidate their victims, and the social, educational, and economic status of cyberstalkers often complicates prosecution in cyberstalking cases. In fact, studies have found that stalkers are generally older than other clinical and offender populations [16,12,35]. They are typically better educated than other types of offenders [14], with 22% graduating high school and 6% having graduated college [12]. Frances Grodzinsky and Herman Tavani [10] have noted the ethical issues of cyberstalking in terms of gender, personal privacy, and both virtual and physical harm. They found that cyberstalkers are typically male and more technically adept than their victims. The online environment makes it relatively easy to maintain anonymity through chat room 'avatars', anonymous email accounts, multiple ISPs, and email relay techniques. This anonymity, coupled with the wealth of data available on potential victims and the ubiquity of the Internet, has frustrated law enforcement, while jurisdictional and statutory limitations often have tied the hands of investigators.
Rapid advances in technology have exacerbated the technical and legal problems facing investigators. The President's Working Group on Unlawful Conduct on the Internet has documented the difficulties of fighting this new form of stalking [30], as law enforcement often lacks the resources to place agents on the scene with the victims, despite efforts to educate victims in best practices for stalking situations [22]. James Moor has pointed to the 'policy vacuums' that have arisen because of the new possibilities and 'conceptual muddles' caused by the use of networked computers to perpetrate crimes that did not exist in pre-Internet times [17]. Stalking on the Internet leaves an entirely different trail of evidence for investigators that threatens to confound efforts to protect victims. The highly volatile and easily corrupted digital evidence that is often essential for the prosecution, presents new challenges to law makers and forensics experts.
In the past, agents often advised victims simply to stop using the internet, but law enforcement has increasingly adapted newer techniques for surveillance, investigation, and evidence gathering to networked computer environment [31]. Agents currently try tofollow the electronic trails left behind by cyberstalkers to discover the patterns of stalking behavior, while preserving the privacy of legitimate users of the network.
In this paper we discuss cyberstalking issues in the general context of a threat model based on a Cryptographic/Steganographic approach and consider possible solutions. We first define (Section 2) our threat model and consider two problems that are closely related to cyberstalking: the Prisoner's Dilemma and the Man-in-the-Middle attack. Then (Section 3) we propose a 'blackbox' monitoring system that will track the actions of cyberstalkers as a general forensics tool that will address the security issues of our cyberstalker threat model. We conclude (Section 4) with a discussion of implementation issues.
2 A cyberstalking threat model: the Cyberstalker's profile, Law Enforcement constraints and the Cyberstalker's problem
Our threat model has three basic components: a Cyberstalker profile, Law Enforcement constraints and the Cyberstalker's problem.
2.1 The Cyberstalker's profile
Cyberstalking, and more generally cyberharassment, are characterized by the stalker's relentless pursuit of the victim online and are likely to include or evolve into some form of offline attack. Cyberstalkers can be known or unknown to their victim and are often driven by revenge, hate, anger, jealousy, obsession and mental illness, while cyberharassers are often driven by the desire to frighten or embarrass the victim. The harassment may take several forms, including:
" Posting comments intended to cause distress to the victim and/or make them subject of harassment by others.
" Sending a stream of unsolicited messages (possibly hateful or provocative) to the victim or to associates of the victim.
" Sending or posting offensive or hateful comments or lies in their own identity or impersonating the victim.
" Hacking or taking over the victim's computer or email accounts.
" Changing the victim's password and blocking their account.
" Signing the victim up for spam, porn sites or questionable offers.
" Following the victim into online chat rooms or discussion boards.
" Creating sexually explicit images of the victim and/or posting them on websites, or commercial porn sites.
" Luring, or enticing, the victim into an offline meeting [33].
The last form of harassment is perhaps the most dangerous because of the potential to lead to direct physical harm. The wide variety of stalking and harassing enabled by the increasing power and reach of networked computers and evolving technologies has made it possible to deliver content anonymously and remotely. This is exacerbated by the technical proficiency of stalkers, which often exceeds the capability of the victims and the law enforcement agents. We propose a monitor system that is able to captures data only from the PC of the victim, without resorting to prohibited Title III wiretap techniques. 1 Although it cannot directly combat all the categories of cyber-harassment listed above, it can effectively document and verify: ( i ) messages sent directly to the victim, ( ii ) attempts to hijack the victim's computer, (iii) cyberstalking in chat rooms and discussion boards, and ( iv ) sexually explicit messages sent to the victim directly.
2.2 Law enforcement constraints ' consent, digital evidence integrity, chain-of-custody
The Monitor system that we propose is intrusive to the victim because it requires the insertion of both hardware and software into the victim's computer environment that are capable of capturing private communication between the victim (and other users, if the computer is a multi-user platform) and legitimate parties. Additionally, there may be confidential files on the computer that the victims do not want the investigator to see. These concerns must be addressed on a case-by-case basis. Strategies include giving the victim a dedicated computer to use during the investigation, quarantining existing files, making Monitor sessions specific only to the victim, and demanding consent from the victim at the beginning of each session through an authorization dialog.
As we have seen, victims of cyberstalking are often isolated, intimidated, and technologically unable to effectively respond to the threat. In addition, the collection of quality evidence in cybercrime is problematic. Even when law enforcement agents are directly involved in investigating cybercrime, great care must be taken in the capture, recording, indexing, and verification of digital evidence. Evidence in a criminal court is authenticated through standardized evidence handling procedures and chain-of-custody records that have traditionally relied on physical security measures. Digital evidence offers new challenges for authentication because it is so easily copied, deleted, and modified. Erik Berg [2] has argued that digital images may require that special care be given to document the collection and analysis procedures and the chain-of-custody to ensure admissibility. Thomas Duerr et al [7] agree that digital evidence is potentially more susceptible to post-collection alteration than analog evidence, but argue that there are information assurance methods developed for Internet applications and electronic commerce that can enhance current evidence handling and chain-of-custody documentation procedures for their integrity. The Information Assurance Technical Framework [20] delineates five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and non-repudiation. Confidentiality and availability are not directly concerned with the authentication of digital evidence, but integrity is essential. Duerr et al [7] argue that 'it is desirable to ensure the integrity of the data as close to the source format and as near to the time and place of collection as feasible,' and that 'identification of the user who collects the evidence and generates the integrity data should be integral to the solution.' It is imperative that the integrity process must not be allowed to modify the original data in any way. Non-repudiation and access control services are also necessary to bolster chain-of-custody record keeping and to maintain an audit trail of successful and unsuccessful access attempts (it is essential to prove who handled a piece of evidence and when ). Because methods of digital evidence integrity verification are often new and have not yet been used in criminal courts, they may be subject to a Daubert challenge [5] that requires the judge to assess the validity and applicability to the case of the technique or methodology invoked by expert testimony. The Daubert ruling provides aids for the judge in making that assessment. These are based on the reliability and general acceptance in the scientific community of the techniques or methodologies used. In particular, authentication systems must strictly adhere to existing government and industry standards and accepted practices set forward by the National Institute for Standards and Technology (NIST) for government and commercial cryptographic algorithms and equipment.
2.3 The Cyberstalker's problem, the Man-in-the-middle attack and the Prisoner's dilemma
The Cyberstalker's problem is a three party communication game involving a Victim (Alice), the Stalker (Bob) and a Monitor (See Figure 1). Bob and Alice are linked by a communication channel which can be accessed by the Monitor. The goal of Bob is to harass Alice while the goal of the Monitor is to record any such activity. In the traditional cryptographic terminology, Bob wants to establish a (virtual) harassment channel, while the Monitor wants to capture its content.
Figure 1 . The Cyberstalker's problem: the Monitor's goal is to capture harassment data exchanged by Alice and Bob.
This problem is related to the classical Prisoner's dilemma in Steganography (Information Hiding) which also involves three parties [24]. In the Prisoner's dilemma case, Bob is incarcerated, Alice is free and the Monitor (Wendy) is a Warden ' see Figure 2. Alice has hatched out an escape plan and visits Bob with the intention of passing on details of her plan. Any exchange of information must take place in the presence of Wendy. To succeed, Alice must hide her escape plan in what appears to be innocuous information. If Wendy detects that secret information is hidden in their communication then the Bob's escape will be thwarted. The channel that Alice and Bob want to establish is called a subliminal (or covert ) channel.
Figure 2. The Prisoner's dilemma: Wendy has to prevent Alice from sending Bob a covert message.
The man-in-the-middle attack is a similar problem that has been extensively studied in Cryptography [1, 25, 8]. In this case the Monitor is the adversary (Eve) ' see Figure 3. Eve may be passive and simply eavesdrop on the communication between Alice and Bob, and/or active . An active adversary can corrupt messages sent to Bob (or Alice) by Alice (Bob) or impersonate one party to the other .
Figure 3. The man-in-the-middle attack: Eve intercepts the communication between Alice and Bob: she may simply eavesdrop or corrupt communicated data. Alice and Bob want to establish a private and/or authenticated communication channel.
The last two problems are fundamental to Steganography and Cryptography, and define their respective threat models. Dealing with them has been the focus of research in these disciplines (see e.g. , [24, 3, 34, 1, 25, and 8]). Common to all three problems is their adversarial nature. In the Cyberstalker's problem the Stalker is the adversary and the other two collaborate to detect and record any harassment. In the Prisoner's dilemma, Alice and Bob conspire to establish a subliminal channel. For this problem, they are the adversary. The Warden's goal is to make sure that their communication channel is subliminal-free . In the man-in-the-middle attack, Eve is the adversary. Eve's task is to undermine the privacy and/or authenticity of the communication between Alice and Bob. Alice and Bob want to establish a private and/or authentication channel to secure their communication.
The Cyberstalker's problem focuses on capturing harassment data rather than direct prevention of harassment, while the other two problems focus on prevention. This makes it easier in some respects to deal with cyberstalking ' at least from a cryptographic point of view. The main difficulties are: ( i ) the forensics aspects of the verification of the captured data, and ( ii ) the integrity of the capturing process.
2.4 A model for the cyberstalking problem
It is convenient to model the cyberstalking problem as a three party game involving Alice, Bob and a Monitor, with two oracles, a harassment profile oracle O harass and a law enforcement oracle O law . Alice and Bob are linked by a communication channel and the Monitor has a wiretap on this channel. The oracle O harass rules whether captured data is in the harassment profile (and if so outputs bit 1, otherwise bit 0), while O law rules whether the capturing process satisfies the law enforcement constraints regarding the victim's consent, the digital evidence integrity, and chain-of-custody (and if so outputs bit 1, otherwise bit 0).
The goal of the Monitor is to capture data that the oracles will accept. The Monitor wins the Cyberstalking game if it succeeds. A winning strategy for the Monitor is called a solution of the cyberstalker's problem.
Definition . A strategy of monitor M = M Alice,Bob is an actionable solution of the Cyberstalker's problem if, for all data Alice,Bob that Bob and Alice exchange,
O harass ( data Alice,Bob ) = 1 implies O law ( M Alice,Bob ( data Alice,Bob )) = 1.
Thus, according to our definition, an actionable solution captures all harassment data in a lawful way.
3. A Cyberstalker Monitor system
Having defined our threat model, we now consider actionable solutions. These will be based on a monitoring system that captures harassment data in such a way that both the capturing process and the data will be admissible evidence in a court of law.
Our proposed Monitor is a tool meant to complement traditional forensics tools. It may not directly identify the stalker, but will allow investigators to uncover patterns of behavior, trails to computers that the stalker may have used, and other potentially relevant forensic data that will bolster the circumstantial case against the perpetrator.
3.1 A first approach: a low-tech analog solution
An obvious, but costly, low-tech solution is to have a law enforcement agent alongside the victim to monitor cyberstalking sessions, as in physical stalking cases. A more practical solution is to replace the agent with a closed-circuit television camera and recorder to monitor the sessions (See Figure 4).
Figure 4. A low-tech solution: harassment data is captured on a closed-circuit television camera.
Both of these solutions will provide evidence of stalking, but offer only a weak binding of the stalker to the session. Evidence from the actual TCP/IP packet headers received could help strengthen the bond.
Another solution is to use software to collect and store harassment data on the victim's computer. However any data collected this way is susceptible to manipulation and may not be admissible in a court of law. Yet another solution to transmit captured video and other data to a remote agent [36]. This solution may not be practical in low bandwidth environments.
3.2 A basic Cyberstalker Monitor system
In this system a blackbox Monitor is used to capture the local host data and the relevant network data (See Figure 5).
Figure 5. The Cyberstalker Monitor System captures and stores local host data and network data.
The local host data includes data on the PC of the victim: the contents of the screen buffer, audio buffer, keystrokes and mouse movement data. The relevant network data includes all the incoming/outgoing network packets, excluding machine generated overhead. Data is captured and stored locally in the Monitor (on a local hard drive).
The Monitor contains a transparent network bridge with connections to the network (Internet) and the localhost (the Victim's computer) and a storage device (See Figure 6).
Figure 6. The Monitor has a transparent network bridge, a Recorder and a Validator.
The storage device has two modules: a Recorder and a Validator. The Recorder captures local host data and network data, while the Validator is a physically secure device that stores evidence integrity data, metadata, and a cryptographic key (K).
The Monitor operates on the concept of a session. A session is initiated upon the victim's connection to the network and lasts until disconnection, or, optionally, under the direct manipulation of the victim. During the session, the local host data is stored on the Recorder and authenticated using a keyed hash function HMAK [13] with hash function such as SHA-1 [19]. This produces a digest which is the evidence integrity data. A symmetric key is used that is stored in a secured (tamper-resistant) region of the Validator (and cannot be extracted). A duplicate key is kept in the forensics lab of the law enforcement agency. To validate captured data for use as evidence in court, the data and its integrity validator are extracted and the duplicate key is used to validate the data. The cryptographic details of the process of validation of the integrity of the evidence data are as follows. Let
data session ( sn ) = ( cn, sn,T lh ,T mon , { data lh ,data mon }, T lh * ,T mon * )
be the data with case number cn , session number sn , start timestamps T lh ,T mon , end timestamps T lh * ,T mon * , for the local host and Monitor respectively, and session stream data { data lh ,data mon }, formatted in such a way that it can be hashed as a stream, 2 and let
HMAC Kcn SHA ( data session ( sn ) )
be its HMAC digest with hash function SHA-1 and key K cn . 3 The data integrity validator is,
integrity_validator session ( sn ) = ( cn, sn, HMAC Kcn SHA ( data session ( sn ) ) ).
To validate extracted data, the duplicate key is used to compute its keyed digest and the result compared with the integrity validator for that session. If the values agree, then the data has not been corrupted.
Observe that it might be tempting to send the integrity validation data (the digest) through the existing network directly to the forensics lab for secure storage, but this should be avoided because it violates the transparency of the bridge, making it possible for the stalker to detect the presence of the Monitor. The separation of the functions of the Monitor and of the local host is a crucial security requirement [6].
3.3 Securing the Cyberstalking Monitor
We can replace the symmetric key used in the Cyberstalker Monitor with an asymmetric key, e.g. , a DSS key [19]. In this case a private key SK cn is stored in the Validator module and the corresponding public key PK cn is stored in the forensics lab (See Figure 7).
Figure 7. The Monitor with an asymmetric key.
This strengthens the evidentiary value of the captured data and extends the chain-of-custody (secrecy is not needed for the public key PK cn ), but does not offer any other significant advantage.
A significant security advantage is achieved by separating the duties of the Recorder and Validator. 4 For this purpose, we may use an independent communication channel (one that is not associated with the Victim in any way) to send the evidence integrity validation (the digest) to the forensics lab, where it is securely logged. For practical purposes we may use wireless communication technology to broadcast securely the validation data to a network controlled by the law enforcement agency. Figure 8 illustrates an application which uses wireless technologies.
Figure 8. The Monitor with a wireless device.
The independent communication channel could also enable additional functionality to make the system more flexible. First, with a high bandwidth channel, Virtual Network Computing (VNC) could be used to allow the investigator to remotely monitor and control the Victim's desktop. Second, session 'reports' containing important system information (remaining disk space, amount of data recorded, etc.) could be sent to the investigator via email, secure chat, or secure FTP. Third, reports could include snapshots (screen images) of significant events tagged by the victim. Finally this channel can be used to synchronize the clock of the Monitor to the clock of the forensics lab. All of these enhancements help the investigator monitor the case more closely and respond in person if required.
The physical tamper-resistance of the Monitor can be supported by case-intrusion detection mechanisms and real-time notification of tampering or system failure through a 'heartbeat' protocol. 5 For fine granularity, a heartbeat signal from the internal clock of the Monitor is recorded on the Validator disk (on a cyclic log). For course granularity, at regular intervals ( e.g. , once a day), the heartbeat is broadcast to the forensics lab.
3.4 Policies concerning the Cyberstalking Monitor
Because of the intrusiveness of the Monitor, policies must be established for the deployment, retraction, key management, extraction, and storage of data to follow all applicable laws in the preservation of the integrity and chain-of-custody of the evidence. Detailed discussion of policy considerations is dependent on jurisdictional considerations as well as privacy considerations for the innocent, and goes beyond the scope of this paper.
3.5 Proof that the solution is actionable
In Section 2.4 we proposed a model for the cyberstalking problem and defined actionable solutions. We shall use this model to prove that our Monitor generates an actionable solution. Suppose that O harass ( data ) = 1 for some captured data, that is, data is in the harassment list. We have to show that O law ( M ( data )) = 1 , that is, that M has captured this data in a lawful way. This is based on the following assumptions:
the Monitor is physically tamper-resistant,
the processes running on the Monitor are transparent,
there is a distinct separation of duties,
the data is validated using admissible cryptographic practices, and
applicable laws and policies regarding chain-of-custody are followed.
4 Implementation 4.1 Hardware
Implementation of the Monitor has been be achieved by S. Aggarwal et al [37] through the use of commodity hardware. The following considerations have been made in selecting such hardware:
As far as possible, industry standard security components for environments that involve trust, security, and reliability should be used.
The power consumption is low.
The hardware is able to perform the required tasks reliably.
The footprint of the device is minimal, and annoyances such as heat and noise are avoided (these may affect the victim's willingness to use the device in his or her environment).
4.2 Software
The Monitor uses one of the many hardened Linux Distributions of the NSA's SE Linux project for security, hardware compatibility, and developer community oversight. These operating systems have robust journaling file systems as well as secure role-based access control mechanisms.
Several pieces of software have been developed for our system. Depending on the OS of the Victim's local host, either a system service (Microsoft Windows) or a daemon process (Linux) is used to gather the local host data in real time and send it to the Monitor. On the Monitor, we include a daemon for each of its modules and an interface to configure the Monitor. Also, a suite of applications has been developed for the extraction, verification and analysis of the data collected by the Monitor. NIST standards are followed in the implementation of our system and the best software engineering practices adopted, so that the implementation can benefit from the scrutiny of public review.
4.3 User interaction
From a software engineer's point of view, the Monitor system has three users: the Victim, a Law Enforcement Officer, and a Forensics Lab Technician.
For the Victim, the Monitor is transparent and has no effect on the normal use of the local host with the exception of a splash screen and system tray icon that notifies the victim that the Monitor is active.
For the Law Enforcement Officer, the Monitor is an appliance: simple connections (USB and Network Bridge) are made when the Monitor is first installed.
For the Forensics Lab Technician, the Monitor is a Linux system. To set up the Monitor for deployment, the Technician attaches a display, keyboard and mouse and logs into the local console of the Monitor to configure the system and load the case number and encryption key. On return from deployment, the Technician unlocks the Monitor, ejects the disk and loads it on another system with a suite of forensic analysis tools for the extraction, verification, and analysis of the data. The disc is stored securely as digital evidence and investigators work off of verified copies.
Acknowledgements
The authors wish to thank all those who have contributed to this work, including Judie Mulholland, Sudhir Aggarwal, Breno de Madeiros, Alec Yasinsac, Tri Van Le and Melissa Kryder.
References
" S. Bengio, G. Brassard, Y.G. Desmedt, C. Goutier, J.J.Quisquater. Secure implementations of identification systems . J. Cryptology 4(3) (1991) 171'183.
" M. Burmester, Y. Desmedt, T. Itoh, H. Shizuya, M. Yung. A progress report on subliminal-free channels . Information Hiding, First International Workshop, Cambridge, Lecture Notes in Computer Science No. 1174, Springer, Berlin, 1996, pp. 151'168.
" N. Ferguson & B. Schneier. Practical Cryptography . Wiley Publishing Inc., Indianapolis, 2003.
" T. Gregorie. Cyberstalking: Dangers on the Information Superhighway , 2002. Available from: http://www.ncvc.org/src/help/cyberstalking.html.
" F. Grodzinsky and H. Tavani. Cyberstalking, Moral Responsibility, and Legal Liability Issues for Internet Service Providers . In Josep Herkert, ed, Proceedings of ISTAS 2002: The International Symposium on Technology and Society , Los Almito, CA, IEEE Computer Society Press. 331-339, 2002.
" R.B. Harmon, R. Rosner and H. Owens. Obsessional harassment and erotomania in a criminal court population. Journal of Forensic Sciences, 40, 2, 188 - 196, 1995.
" H. Krawczyk, M. Bellare and R.Canetti. HMAC: Keyed-Hashing for Message Authentication. RCF 2104 (RFC 2104), Internet RCF/STD/FYI/BCP Archives, 1997. Available from: http://www.faqs.org/rfcs/rfc2104.htm
" R. Lloyd-Goldstein. DéClerembault On-Line: A Survey of Eratomania and Stalking from the Old World to the World Wide Web . In J.R. Meloy, The Psychology of Stalking: Clinical and Forensic Perspectives , San Diego, Academic Press, 1998.
" J.R. Meloy. Stalking (obsessional following): A review of Some Preliminary Studies . Aggression and Violent Behaviour, 1 (2), 147 - 162, 1996.
" J.R. Meloy. Unrequited Love and the Wish to kill: Diagnosis and Treatment of Borderline Eratomania . The Bulletin of the Meninger Clinic, , pp. 477'492, 1989.
" J. Moor. Reason, Relativity, and Responsibility in Computer Ethics . Computers and Society, Vol. 28, No. 1, pp. 14-21, 1998.
" The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet , a Report prepared for the President's Working Group on Unlawful Conduct on the Internet. Available from: http://www.usdoj.gov/criminal/cybercrime/unlawful.htm
" US Department of Justice. Stalking and Domestic Violence: Report to Congress . Report from the Attorney General to the Vice President, 2001. Available from: http://www.ncjrs.org/pdffiles1/ojp/186157.pdf
" US Department of Justice. The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet . Report prepared for the President's Working Group on Unlawful Conduct on the Internet, 2000. Available from: http://www.usdoj.gov/criminal/cybercrime/unlawful.htm .
" US Department of Justice. Cyberstalking: A New Challenge for Law Enforcement and Industry. A Report from the Attorney General to the Vice President , August 1999. Available from: http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm
" G. Wattendorf. Stalking Investigation Strategies . FBI Law Enforcement Bulletin, pp. 10-14, March 2000.
" S. Aggarwal, M. Burmester, P. Henry, L. Kermes and J. Mulholand. Anti-Cybertstalking: The Predator and Prey Alert (PAPA) System. To appear in the Proceedings of SADFE 2005, Tapei, Tawan.
* This material is based on work supported by the NIJ under grant number 2004-RD-CX-K145.
1 The US Federal Wiretap Statute, 18 USC §2516 (Title III).
2 Bits from data lh are interleaved with bits from data mon .
3 HMAC Kcn SHA ( data session ( sn ) ) = SHA ( K cn XOR opad , SHA ( K cn XOR ipad,data )), where opad and ipad are appropriate outer and inner paddings. A different key K cn is used for each case cn .
4 Separation of duties is a fundamental requirement for Trusted System security [6].
5 A heartbeat is a signal that is emitted at regular intervals by software to demonstrate that it is still alive.
Sometimes hardware is designed to react if it stops hearing a heartbeat.
