The NY Times brings us the story of Rodney Bradford. He’s the 19-year-old Brooklyn man whose lawyer, Robert Reuland, invoked one of the first known “Facebook alibis” while defending him against a second set of robbery charges. Since the Facebook defense is now on the record, I’m going to lay out my plans for knocking over a liquor store without consequences.
At 11:49am on October 17th an update was made to Bradford’s Facebook profile: “WHERE MY IHOP?”, a message to his pregnant girlfriend. This update was one minute before two men were robbed at gunpoint in the Farragut Houses in Brooklyn, where Bradford lives. At the time of this robbery, the robbery he faced charges for, Bradford claims he was sitting at the computer at his father’s apartment in Harlem making this Facebook update, despite his being identified by a witness at the Farragut Houses.
“If it wasn’t for Facebook I’d still be on Rikers Island.”
So like any good defense attorney would, Reuland pointed out to Brooklyn District Attorney Lindsay Gerdes that his client could not possibly be in two places at the same time, and look, here is the evidence on Facebook that he was sitting at the computer at his father’s place. The DA subpoenaed Facebook to verify the location where the status update was made from, Facebook verified it, and the charges were dropped.
Mr. Reuland does acknowledge that anyone who knew Bradford’s user name and password could make the updates. But he responds: “This implies a level of criminal genius that you would not expect from a young boy like this; he is not Dr. Evil,” and notes the Facebook alibi was just “the icing on the cake.” But the effort made to subpoena Facebook, and comments by Jonah Bruno, a spokesman for the Brooklyn Assistant DA’s office, acknowledging that the Facebook component was a key reason for dropping the charges, indicate that the Facebook status update time played a predominant role in the decision by the district attorney’s office to drop the charges. Also remember that with the existing elements of the alibi, Bradford remained in jail on Rikers Island; it was when the Facebook piece came in that he was released.
The district attorney subpoenaed Facebook to verify that the status update had actually been typed from a computer located at 71 West 118th Street in Harlem.
Source: NY Times
“Facebook saved my son.” Ernestine Bradford
The above is interesting. It is interesting because there is no way Facebook could tell with certainty that an update was made from the computer at 71 West 118th Street. In fact they could only reasonably make such an educated guess through forensic evaluation of the computer in Harlem itself. They didn’t do that; they looked at their own information (likely some combination of site cookies read and web server logs) and decided that the update came from there. While IP (internet protocol) addresses used from the home are not technically static, the same assignment can remain in place for days with an ISP providing cable, FIOS, or similar. So Facebook can say that the IP address of the party making the request to its web servers is the same as in previous accesses and can approximate the geo-location of the IP. That assumes no use of a proxy or anonymizer.
Technologists Lurking in the NYT Comments
The comments from NY Times blog readers are telling. While some are ridiculous (he probably just used his phone to make the update; the phone browsers can usually be fingerprinted in the web server logs, and the IP would show a phone network), some are legitimate. Why couldn’t a friend have updated Facebook for him? Maybe he used RDP to log in (it’s built into Windows XP, it just needs to be enabled), maybe VNC, maybe an SSH tunnel, and so on are all listed possibilities.
“This was just a very strong alibi…It reflects the pervasiveness that Web sites and social networking has on our lives.”
Bradford’s lawyer, Robert Reuland
The problem (for a non-technical user) with VNC or RDP is that they need to be installed on most phones, and the SSH tunnel, while not complicated, would not be a readily available option to a non-computer-literate person. RDP is on Windows XP, but it would have to be enabled, and his lawyer is telling us that his client is not a computer guy. The friend updating Facebook? That’s low tech and easy, but for my money I don’t want to involve any extra parties; collusion makes crime harder.
The Perfect Crime
So now that I know I can invoke the Facebook defense, how do I want to approach it? Let’s say I decide I want to knock over a liquor store. I have my mask and so forth, but I also want to establish my alibi, that I was 30 miles away at my computer doing some social networking on Facebook. I could get in remotely from my mobile device (VNC, RDP, etc.) but I don’t want to be worrying about that while I’m emptying the register. As I mentioned before, my buddies can’t keep a secret, so I’m not letting them update Facebook either.
So I started with the following PHP script using curl (JD McCloud, python guru, is groaning at the desk next to me over the use of PHP). I fired up WebScarab, the great intercepting proxy from OWASP, the Open Web Application Security Project, and captured the full HTTP header that is part of a Facebook status update request. Snagging the request URL, Facebook cookies, and POST options sent with the request, I set up the PHP script below to essentially replay a Facebook status update request.
Note that I’ve removed the content specific to my profile. I don’t have the script logging in to Facebook. If I needed to I would have, but fortunately Facebook has a “Keep me logged in” radial button on its homepage, so I didn’t bother.
<?php
// Replays a captured status-update request; profile-specific values were removed.
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
// Same User-Agent string the browser sent in the captured request
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)");
// Session cookies from the captured request (values removed)
curl_setopt($ch, CURLOPT_COOKIE, 'datr=; s_vsn_facebookpoc_1=; __utma=; __utmz=.utmccn= (referral)|utmcsr=|utmcct=|utmcmd=; s_vsn_facebookpocads_1=; locale=en_US; __qca=; x-referer=; cur_max_lag=; lsd=; h_user=; __utmc=; c_user=; lxe=; lxr=; sid=; xs=; presence=');
// POST body from the captured request (IDs and tokens removed)
curl_setopt($ch, CURLOPT_POSTFIELDS,'action=PROFILE_UPDATE&profile_id=&status=I said where are my pancakes!&target_id=&app_id=&&composer_id=&display_context=profile&post_form_id=&fb_dtsg=& _log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest&__a=1');
curl_setopt($ch, CURLOPT_URL, 'http://www.facebook.com:80/ajax/updatestatus.php');
curl_exec($ch);
curl_close($ch);
?>
Now I just add a Scheduled Task (Programs > Accessories > System Tools > Scheduled Tasks) or use At to run the program at the time I’m scheduled to do the stick up, and I’m all set. Facebook will note dutifully that a status update request came to them using the Firefox browser from an IP roughly around where I claimed to be. As long as no one actually checks my PC…
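Seen from the examiner's side, a single logged POST is thin evidence, and one check worth running is whether it sits inside a browsing session at all. The following is an added example, not part of the original post: the log lines are constructed, Apache combined log format is assumed, and every path other than /ajax/updatestatus.php is hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real Facebook logs).
# Only /ajax/updatestatus.php comes from the post; the other paths are hypothetical.
UPDATE_PATH = "/ajax/updatestatus.php"
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2010:11:40:02 -0500] "GET /profile.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/3.5.5"
203.0.113.7 - - [01/Jan/2010:11:40:03 -0500] "GET /static/app.js HTTP/1.1" 200 9000 "http://www.facebook.com/profile.php" "Mozilla/5.0 Firefox/3.5.5"
203.0.113.7 - - [01/Jan/2010:11:41:10 -0500] "POST /ajax/updatestatus.php HTTP/1.1" 200 310 "http://www.facebook.com/profile.php" "Mozilla/5.0 Firefox/3.5.5"
198.51.100.9 - - [01/Jan/2010:11:49:00 -0500] "POST /ajax/updatestatus.php HTTP/1.1" 200 310 "-" "Mozilla/5.0 Firefox/3.5.5"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append(e)
    return events

def assess_updates(events, window=timedelta(minutes=10)):
    """For each status-update POST, report what surrounding context the log holds."""
    findings = []
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith(UPDATE_PATH):
            continue
        prior = [p for p in events
                 if p["ip"] == e["ip"] and p["ua"] == e["ua"] and p["method"] == "GET"
                 and timedelta(0) <= e["time"] - p["time"] <= window]
        has_referer = e["referer"] not in ("", "-")
        findings.append({
            "ip": e["ip"], "time": e["time"].isoformat(),
            "page_loads_before": len(prior), "has_referer": has_referer,
            # A lone POST with no page loads and no Referer is consistent with a
            # scripted replay. Context being present shows only that a browser
            # session existed, not that the account holder was at the keyboard.
            "verdict": "session-context" if prior and has_referer else "isolated-request",
        })
    return findings
```

Calling `assess_updates(parse(SAMPLE_LOG))` returns one finding per status-update POST; either verdict describes the request only, which is why the machine itself still has to be examined.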
Oh C’mon Now
Yes I know what you’re thinking. I said that accessing the PC remotely was probably too complex (in reality I have no idea) for Mr. Bradford, and now I’m pitching writing scripts. I agree, if you are not a computer person, this would be out of reach. So how about another approach?
CoScripter, now owned by IBM, is pretty non-technical. Download a Firefox plugin, record your activities as you log in to Facebook and update your status, and save the script that is generated. And if a person can’t follow those instructions, they can always watch the video tutorial. Here is the script that is automatically generated as I go through a login and status update on Facebook:
* go to “http://www.facebook.com/index.php”
* pause 3600 seconds
* enter your “e-mail address” into the “Email” textbox
* enter your password into the “Keep me logged in Forgot your password?” textbox
* click the “Login” button
* click the “Profile” link
* enter "I said where the hell are my pancakes" in the “What’s on your mind?” textbox
* click the first “Share” button
It’s fairly easy to see what we’re doing above. I’ve set up variable names for my e-mail and password, but even that is very straightforward, and it’s only needed if you want to protect your credentials. Since you have recorded everything that generates the script, you only have to make one manual change, the line “pause 3600 seconds”. Remember, my robbery is 30 miles away, so I’m running my script, but giving myself an hour to get myself over to the liquor store. At exactly one hour from the time I kicked this off in Firefox I’m grabbing twenties from the tray and Facebook is seeing an update from Firefox in their logs for user “me” with the status update above. Facebook dutifully reports that I couldn’t have committed the robbery; I was still wondering where my pancakes were.
Facebook et al. and the Law
As social networking has taken hold as a cultural phenomenon, so too will its use in the proceedings of the legal system. There have been other uses of Facebook and other social networking sites in legal proceedings that have a great deal more legitimacy. There is the jackass in Pennsylvania who checked his Facebook status during a robbery on the victim’s computer and left the page open. There’s the Indiana murder case where a MySpace description was used as character evidence. The things people write online can be used against them in employment or divorce cases.
But with all that said, nativity with social networking tools like Facebook must not be misinterpreted as an actual understanding of the way web applications and computers work. I hope Facebook with their technical understanding of the boundaries of their network responded to that subpoena with a voluminous explanation that what they were providing was in fact proof of very little, proof only that their web servers had received a request looking like this at a certain time. I hope that Robert Reuland is the only defense attorney who is able to pull a fast one (exactly what he is paid to do) presenting Facebook status updates as forensically sound and acceptable evidence of a person’s location. Finally, I hope Mr. Bradford gets his pancakes.
What’s your approach?
There are plenty of other ways to approach this, and thus go on a consequence-free international crime spree thanks to Facebook. How are you going to approach it?
Bradford hired a civil attorney, Herbert L. Schmell, who says that they’re “99.9 percent sure” that they will sue the city for a false arrest/imprisonment.