Monday, 8 June 2009

Holes in the AFLD-zone...


This is a “thinking out loud” post, continuing a focus on the French Anti–doping Galaxy's apparent obsession with Floyd Landis. From a weekend of reflection, several salient points rebounded time and again. These are:


1 how (not to forget one big -IF-) did Baker first contact Kargus?

How easily could a Doctor in San Diego 'infiltrate' the French corporate–espionage culture, to find a well–situated 'partner in crime' such as Kargus consultants? Admittedly such could be done with a 'couple of phone calls', but it seems incredible that Baker would do this after Floyd's A Sample results were announced. What if Floyd (and thus Baker) didn't know the number (995474) before Kargus had infiltrated (with instructions from 'client' to seek documentation under the number?) we know that Judge Cassuto requested the 'date from which Landis had access to his Sample(s) 'control number'?


2 does Baker know the identity (–ies) of the 'whistle blowers'?

If Baker did receive the documents from 'whistle blowers', did he have enough information to afford this qualifier? Meaning: if he didn't do it, and didn't know or hire who did it, and yet received these documents, it was either totally anonymous (plain envelope?), or 'Deep Throat'–anonymous (in the Watergate sense), or identifiable.


3 on what date (and via what 'channel of evidence') did French Government investigative Police agencies OCLCTIC or DCPJ identify Kargus as the 'hackers'?

As touched upon in 1, above, a 'defendant'
(Kargus) was identified by the 'diligent' OCLCTIC or DCPJ. Is the evidence based on their expert 'computer systems hacking' analyses? It must be. The dates are crucial: yet the 'channel of evidence' is primordial.


4 did (hypothetically) someone other than Kargus actually 'hack into' AFLD, but Kargus was willing to 'play the game' in return for a lesser sentence vis–à–vis EDF/Greenpeace?

These border on unspeakable alternative(s), and are herein proposed hypothetically, but one could conclude that Kargus had attained this 'defendant' status as a 'quid pro quo' situation vis–à–vis its status as
Defendant in the Greenpeace-EDF case, as the contracted 'hacker company', or...(??)


5 why did USADA/Young never raise the 'hacking' issue, which would have qualified Landis' 'crimes' as more aggravated?

Richard Young had, between his first acceptance (not that anyone twisted his arm to do so) of the USADA case against Landis and its resolution, many many months of chronological overlap, during which he was also drafting the new WADA CODE revisions, which were accepted in Madrid in November 2007. As that work included drafting the new CODE Article 10.6 on 'Aggravating Circumstances' (without adding a 'Definition' (see Question Three)), it would seem logical to this legally–trained mind, that proving 'aggravated circumstances' in the Landis case would be a bonus as the CODE negotiations moved forward.


If a 'defendant/cyclist' actually 'hacked' into the lab that held his results, wouldn't that constitute 'egregiously aggravated circumstances'. So why didn't Young use that 'evidence'? There seems an implication that it took a long time for OCLCTIC or DCPJ to actually discoverthe 'hackers' were identified.


As well, remembering how Richard Young's
brief and case against Landis in the CAS appeal had an unusually glaring amateurish mistake (in a 'trial de novo' you do NOT ask the appellate court to 'confirm the decision below': Young did ONLY that in his CAS appellate brief), and interesting incidents which fell outside normal CAS procedures, (see Landis' Federal case brief, in which his attorneys raise damning evidence and arguments that were never heard due to the case having been withdrawn) he could have easily included the hacking evidence as an 'unargued argument', if it had been resolved in France prior to the CAS hearings in New York. So... that seems to indicate it took the 'French Justice system' nearly a year and a half to find Kargus as the 'defendant'(??)


6 Lastly, was Landis/Baker 'the client', or a silent 'third–party beneficiary'?

As touched upon in item #2, the alleged 'Anglo–saxon client' could have been someone that was willing to do anything that might help Floyd, without having a direct tie to Team Landis. As you may be a 'beneficiary' of your parents' life insurance policy, a contract can benefit an unnamed 'third party'. Anyone so inclined as to provide Landis with 'help' from outlaw–shenanigans, and set up the means to do so, ought to be smart enough to receive Kargus' discovered E–files and send them on a CD to Baker, so as to eliminate any network–traces. The only link between Baker and the hacked files is known through his having sent these outward after receiving them.


Thus it would have to be, as Pierre Bordry and AFLD would have the system of French Justice believing, that Dr Baker (or "Anglo-saxon(s) X"):
  • found someone (French!) who would risk infiltrating a French Government office computer system, and risk criminal charges in France, for a ridiculously low price (Euro 2,000);

  • provided them with the 'rider number' (995474) so as to have a target to accomplish the hacking;

  • receive the files (as 'Anglo–saxon clients'? we are led to believe) and then send them forward from their own computer to the recipients.

Those seem to be our outstanding issues, regarding LNDD hacking and any ties to the Landis entourage. Moving onward, since those answers are for another day, we come to the WADA ISL article that was mentioned in our prior WADAwatch post: ISL 5.4.4.4.1.1.

Here it is (from sub–Article 5.4.4.4.1 Data and Computer Security):

5.4.4.4.1.1

Access to computer terminals, computers, or other operating equipment shall be controlled by physical access and by multiple levels of access controlled by passwords or other means of employee recognition and identification. These include, but are not limited to account privileges, user identification codes, disk access, and file access control.




One talks about 'elements' of a law or rule, when one has to break it down into components to be proven in any 'court case'. In our examination of LNDD laboratory security, this would require listing those 'elements' for analysis of the elements of 5.4.4.4.1.1, which are:


First sentence:

“Access...”
(a presumption of legitimate access implied)

“... to computer terminals, computers or other operating equipment...”
(non–exclusive listing of the info–tech and scientific equipment one finds within a WADA accredited laboratory)

“... shall be controlled...”
(mandatory stipulation without exception, the violation of which should be grounds for audit/investigation/discipline)

“... by physical access...”
(imprecise wording: 'control of access... by physical access'(?) this is really problematic drafting, as the sentence should at least contain 'by qualified staff or authorized third parties (eg: systems providers' repair/maintenance personnel) receiving authority to enter into the premises (and systems)...' to define the principle of 'physical access')

“... and by multiple levels of access controlled by passwords or other means of employee recognition and identification.”
(sadly drafted (again); where at least 'physical' was the adjective above, this lacks an 'IT' reference, to coherently define as to 'what' control by passwords, etc., is required to have in place in a WADA lab)


Second sentence:
“These include, but are not limited ...”
(as above, establishing a non–exclusive list)

“...account privileges, ...”
(those computer system or software controls, which allow Directors more access than supervisors, who hold more access than data–entry level staff)

“...user identification codes, ...”
(incontrovertible passwords or other controls, which establish that 'Operator 43' (hypothetical choice) IS he or she whose data–entries create 'the record';)

“... disk access, ...”
(seems to imply 'physical access' to hard–drives, perhaps servers, who in a lab of international renown probably reside in controlled–access 'cool rooms')

“... and file access control. ” (seemingly a redundancy, as 'account privileges' and 'file access control' overlap to a great degree; where applicable to insure perhaps that 'Operator 43' cannot (hypothetically) mistake the file into which 'her' work goes, thus avoiding confusion with files belonging to 'Operator 39'?)


Now even the Pentagon (maybe not the best example: how about... IBM?) suffers from constant attempts at 'hacking' from the outside, not the least of which come from abroad, from 'strategic partners' (Asian powers?) or other (so–called) 'opponents' of 'the American Way'. Point being, that 'hacking' must be acknowledged, to the point of being taken seriously, and government systems themselves should be as well–secured as can be provided by experts in the IT industry.

If AFLD is accusing anyone associated with Floyd Landis, of being complicit in the
alleged LNDD 'hacking', for which Kargus consultants appears to be the 'defendant' of record, then an examination of their (LNDD) data system(s) security structure(s) will enter the record of the case.

Did AFLD 'control' their data systems to a degree of professional security reasonable for their industry as demands the WADA ISL, and which is recognized as sufficient within its professional community?
(if it's facing a hacking case, to prove it was not 'negligent' or 'insufficiently protected', AFLD /LNDD must offer evidence of its (their) control systems in place, and prove that the 'Hacking' from Kargus (who was paid only Euro 2,000) was of "an unexpectedly–sophisticated capability" to win)

If "file access control... disk access... [and] user ID codes" are WADA's preferred means to create 'access trails' to the important, confidential data stored by AFLD/LNDD, the wording of ISL 5.4.4.4.1.1 shows that AFLD/LNDD is not constrained to limit its security measures by these items listed in the ISL: they could have even greater security than the minimum imposed by WADA. (did AFLD exceed WADA's expectations as to data systems security?)


What an interesting dilemma for Pierre Bordry and AFLD. Even with its previous 'wins' against Landis, through USADA/AAA/CAS, its own (we believe illegitimate) AFLD 'second procedure', and indirectly through Landis' US Federal Court case having been withdrawn, there's no rest at AFLD to ensure dotting the *i* in *Landis*.


Now, Bordry must convince a French court judge that Landis' entourage is responsible for financing a 'hack attack' on AFLD/LNDD's most secure and sensitive electronic files, that the successful attack released 'damning evidence', at the same time that it must convince WADA (not that WADA has announced any investigation for suspension of the AFLD 'département des analyses') that its systems are secure, its data is safe, and attacks such as that performed by Kargus (the true defendant, we are informed) in November of 2006, are not a breach of WADA ISL 5.4.4.4.1.1.



We mentioned in our prior post that if Bordry's claim that the documents are authentic is true, then that seems to damn them (AFLD) for this 5.4.4.4.1.1 violation. Whether or not Baker or Landis are involved, if Kargus is found guilty of 'hacking' AFLD, the judge should determine if the claimed method of attack went to the high degree of sophistication that (might) exonerates AFLD from WADA's wrath.



Yet... WADA has never expressed wrath towards anyone in France: not Jacques de Ceaurriz, nor his staff, nor Pierre Bordry, nor his staff, nor the Ministry, nor l'Equipe, nor ASO and its owners.


Consider this: without LNDD, AFLD, l'Equipe, Lance Armstrong and Floyd Landis, the reputation(s) of Dick Pound and WADA would not be what they are today...


And you can take that any way you choose, and bank on it.

..........@............WADAwatch

copyright 2009 Ww



No comments:

Add to Technorati Favorites