Security


Ryan Blitstein asks this question in a great article at the Mercury News, here is the link.

To summarize, the difficulties include legislators who don’t understand the technology, as well as companies that fight good laws because the proposed law hurts their bottom line. Special interests, as usual, appear to have more sway than the goal of implementing good laws to fight spyware or phishing attacks.

To further understand why stronger laws are needed, he’s also written a three-part series on cybercrime. Here are links to Part I, Part II, and Part III. (Hat tip to Bruce Schneier for linking to Part III today.)

These laws are needed, and are needed soon.

Here’s an interesting article, written by Declan McCullagh and Anne Broache, entitled “Will security firms detect policy spyware?”

There are currently no rules that specifically require companies to comply with requests for government spyware to be installed on users’ machines. There similarly is no current requirement for anti-spyware vendors to write software that doesn’t detect government spyware. The article does a good job discussing some vague language in the Wiretap Act that could be used in an effort to make such a request, but of course whether such an argument would be successful is unknown.

(Hat tip to Bruce Schneier for the link)

The following is an article I wrote about the recent changes to the Federal Rules of Civil Procedure and its impact on record keeping responsibilities and issues.

---

As of December 1, 2006, the Federal Courts have adopted new Federal Rules of Civil Procedure that explicitly acknowledge the fact that information that may be relevant to a lawsuit exists only in electronic form. As such, for the first time the rules set forth procedures that lawyers need to follow in all federal cases. Electronic discovery is no longer limited to the huge cases; it will be required to be discussed in all cases.

We will not discuss the specifics of the rules here, as the details are of interest mainly to other lawyers and to people who are involved in a federal lawsuit; instead, this article focuses on the impact of these rules on record keeping responsibilities and issues.

So what kinds of electronic evidence are we discussing here? It should be stressed that the new Rules define “electronically stored information” very broadly. Instead of focusing just on documents, such as word processing documents and emails, the definition now can include information stored on voice mail, PDAs, cell phones (with or without cameras), thumb drives, laptops, and backup tapes. Even automobiles, with their onboard computers that can store information about a vehicle crash, are potentially covered by the new rules.

The new rules do not prohibit the routine deletion of electronic evidence as part of a regular record keeping policy or program. However, once a person has knowledge of a lawsuit (or even a potential claim), the preservation requirements kick in. Parties then have a duty to quickly preserve electronic evidence before it can be destroyed. There can be severe consequences for failing to preserve electronic evidence once there is notice of a lawsuit, or there is reasonable anticipation of one. As such, careful companies should prepare for this eventuality by knowing their systems, and knowing their people.

Know your systems – Companies should know what pieces are in their IT infrastructure, and how they work and interact. If an automated backup system that overwrites data is not stopped in a timely fashion, then critical data could be overwritten. If nobody except the IT support staff knows it’s running, then who knows to stop it in time? Some questions to consider are: Where are the machines located? What kinds of backups are run? Where are backups stored? How long are they kept? Is mail stored on the servers, or just on individual machines? How is voice mail stored? Is voice mail backed up? Knowing answers to these types of questions in advance can help to reduce the time needed to get up to speed once there is litigation, and helps avoid the inadvertent destruction of data.

Know your people – The duty to preserve evidence attaches not just to a company, but to all of its employees. Some questions to consider are: Who is the most knowledgeable person about this particular system? Who uses that program? Who has access to this data? Who can overwrite it? Who can delete it? These questions can help you determine who is the most knowledgeable about the systems, and help determine who needs to be told to preserve evidence.

We hope that these questions will help people to be proactive, rather than reactive. It would be a shame for a company to feel pressured to settle a case it could otherwise win rather than face the prospect of producing electronically stored information.

Here’s a funny development I’ll be watching closely.

This week, a hacker who claimed to operate a remote ‘bot network of thousands of computers was interviewed in the Washington Post. That in itself wasn’t newsworthy enough for me to blog about it, as sadly there are many users who allow this to happen to their home computers without their knowledge by following poor computing practices. This fellow was unique only in that he chose to be interviewed about his alleged violation of federal law. I say alleged only because we don’t know for sure he wasn’t bluffing about what he’d done in order to be interviewed.

Well, the hacker went so far as to have a picture appear with the article in which his face was partially obscured. Here’s a link to an eWeek article about this case. Hidden metadata in that image file was capable of identifying the small town in Oklahoma where he lives. Hopefully, federal authorities in the vicinity of Roland, Oklahoma will now be able to zero in on his location. The article offers further clues to his identity: he has long hair down to his eyebrows, he is described as tall and lanky, he lives with his religious parents, and he conveniently triangulates his house near readily identifiable businesses such as a “used-car lot, a gas station and convenience store and a strip club.” It shouldn’t be too hard to find him in a town of only 2,842. :-)
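The location leak described above comes from metadata segments that travel inside the image file itself. As an added example (not from the original post or the article it links), here is a small pure-Python routine that lists those segments in a JPEG and rebuilds the file without them; the JPEG bytes it works on are a constructed skeleton, not a real photograph.

```python
# Added example (not from the original post): list and strip the JPEG metadata
# segments (EXIF, XMP, IPTC, comments) that can tie a published image to a place.
import struct

SOS, EOI = 0xDA, 0xD9
# Segments that commonly carry identifying metadata; everything else is kept.
METADATA_MARKERS = {0xE1: "APP1 (EXIF/XMP)", 0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM"}

def segment(marker, payload):
    """Encode one marker segment: FF, marker, 2-byte length (includes itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def split_jpeg(data):
    """Return ([(marker, payload), ...], tail); tail begins at SOS (scan data) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):  # header finished; entropy-coded data is left as-is
            return segments, data[pos:]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated JPEG header")

def find_metadata(data):
    """List metadata segments present, each with the identifier its payload starts with."""
    return [(METADATA_MARKERS[m], p.split(b"\x00", 1)[0][:32].decode("ascii", "replace"))
            for m, p in split_jpeg(data)[0] if m in METADATA_MARKERS]

def strip_metadata(data):
    """Rebuild the JPEG with the metadata segments dropped; pixel data is unchanged."""
    segments, tail = split_jpeg(data)
    kept = b"".join(segment(m, p) for m, p in segments if m not in METADATA_MARKERS)
    return b"\xff\xd8" + kept + tail

# Constructed sample, not a real photograph: JFIF header, an EXIF block (TIFF header
# only), a comment naming a location, a 1x1 grayscale frame, a token scan, and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 8)
    + segment(0xFE, b"Taken in Exampletown")
    + segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9"
)
```

Running `find_metadata` on a file before publishing it shows whether anything beyond the pixels will ship; `strip_metadata` removes those segments while leaving the frame and scan data untouched, so the image still decodes.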

Let’s see how long it takes to bring this arrogant alleged violator of the Computer Fraud and Abuse Act to justice! Anybody care to place a friendly non-monetary wager on the timeframe?

The FBI’s Computer Crime Survey 2005 has been released. Thanks to BeSpacific for the link.

At the time of this writing the survey itself is not accessible, but the summary of the findings can be found from the above link. In relevant part, the important findings are as follows:

  • Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year’s time; 20% of them indicated they had experienced 20 or more attacks.
  • Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.
  • Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.
  • Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.
  • Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.
  • Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement’s response. And 81% said they’d report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.

My take is that reporting viruses and spyware as computer crime in the same survey that covers intrusion and phishing attacks is a bit disingenuous. It artificially inflates the number of people who were the victims of computer crime, while also artificially lowering the number of people who reported it to authorities. Not everyone is going to report a simple virus caused by an uninformed user blindly opening email attachments, but more serious crime is more likely to be reported.

On the plus side, the survey points out the need to be vigilant for the beginnings of intrusions, like port scans, while also reminding users of the need for internal controls. Much computer crime is the result of an inside job by a former employee (or one on the way out), sometimes to hide evidence of another crime such as embezzlement or theft of trade secrets. Your security is only as good as its weakest link; make sure you look at it from the point of view of a potential intruder and see how easily access to your vital data can be obtained.

In Wired News, Quinn Norton has an interesting article on an open source CD that contains a self-contained operating system. The purpose is to never actually use the hard drive of the machine while still allowing Internet access, thereby leaving no fingerprints that the machine was used. The CD runs OpenBSD, but it disguises the user’s profile so that others “see” that user as running XP SP1 so as not to stand out. It isn’t perfect; Norton advises that the experience is slow, but this is the first public unveiling of what is called a “live CD” based on OpenBSD that is self-contained, so you can expect the next version to run better.

Time will tell whether the author has succeeded in making a truly anonymous user; I would imagine that this release will result in a challenge for someone to try to find the flaws in the concept. Truly anonymous surfing is an ideal, one not likely to be achieved in the first attempt.

The existence of such CDs raises concerns for security experts and network administrators, who will now have to try to make sure that their users aren’t using this CD (or its eventual ilk) to circumvent the security procedures already in place. Such CDs could also be used by dissidents seeking anonymity, but the more likely scenario involves office workers hiding their web surfing.

I’m writing this now on OpenOffice 2.01 with my new Acer Travelmate C200.

Opening the box was cool; I was up and running within minutes. The only big hiccup came with the built-in power management software misinterpreting tablet mode as the standard “lid’s closed, let’s power down” mode. Luckily I was able to diagnose that without having to call tech support. I still haven’t worked out the bugs in my wireless access at home, but hope to do more with it soon when I have more time. I can see my network; it just won’t let me access it. :-( The wired access works (for now) just fine.

Over the weekend I visited family and brought the new tablet with me, hoping to set it up further after the kids went to bed. My computer detected a wireless access point that was completely wide open, allowing anyone to log on and use that person’s Internet connection. Since I wasn’t doing anything secure, just downloading and installing software, I went ahead and took advantage of the opportunity to get online. While fun for me, such open points are potentially troubling for whoever’s account I was using. Some will advocate setting up a totally free access point, rationalizing that “I’m only being charged a flat rate anyway” and that the founders of the Internet supported free access. However, this person could be liable if an anonymous user were to do something like download the latest Hollywood blockbuster using a peer-to-peer package while connected to this network. It’s that home user’s IP address that would be visible to the RIAA and MPAA. It’s that home user who would be the named defendant in the lawsuit. And it would be up to that home user to try to prove that he didn’t download the file in question.

I’m guessing the WAP I was using was from a new user since the access point name was the default straight out of the box “Linksys,” but it’s a shame these things don’t default to secure access and make the user affirmatively choose to run in the clear.

Mark Russinovich, over at Sysinternals, has declared victory over the rootkit embedded in the CDs Sony has distributed. And, as Bruce Schneier points out in his excellent analysis, Mark has reason to be happy. It’s David v. Goliath.

However, it’s not a total victory.

There are untold numbers of machines still infected with the Sony Rootkit, a lurking security flaw waiting to be exploited. A recall of the discs will not uninstall the software. At best, Sony will get back the unsold discs, plus a very small percentage of those in the wild.

Further, Sony’s own attempt to remove it leaves another security hole, an ActiveX control that can be exploited, too.

It will take years before the lawsuits play themselves out. As news of what Sony has done to consumers spreads beyond techies, I fully expect more lawsuits to be filed. In the next few days, I will look further at some of the legal theories propounded, including trespass to chattels. Not to mention, of course, Sony’s own potential liability under copyright for including the LAME MP3 encoder in the DRM software without complying with the terms of its license. What irony, Sony’s software to protect its copyrighted content may itself be in violation of the copyright of others.

Whether others will learn from Sony’s public relations nightmare has yet to be seen.

So, just what was Sony thinking? Now that the first class-action lawsuit has been filed in California, I’m sure more details on that topic will eventually emerge. Since Sony licenses the software from First 4, it may not have known all of the niceties of just how the software worked. I would not be surprised if First 4 will be required to indemnify Sony from the lawsuits over the use of its software.

So what else has happened since my last post?

  • A trojan is circulating via email that takes advantage of the poorly-written Sony DRM software to hide itself.
  • The uninstaller isn’t perfect. From Mark Russinovich, the first person to write about the software, the following flaws remain:
      • There is no way for customers to find the patch from Sony BMG’s main web page
      • The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
      • Access to the uninstaller is gated by two forms and an ActiveX control
      • The uninstaller is locked to a single computer, preventing deployment in a corporation
  • The DRM apparently “phones home” to a Sony server, allowing Sony to keep track of exactly what users are playing on their computers. Add this to the list of “features” not disclosed in Sony’s EULA.
  • For a fun look at all of the things Sony’s EULA doesn’t let the user legally do, see Cory Doctorow’s excellent skewering on Boing Boing.
  • According to this article, Microsoft is still analyzing the situation to determine whether its anti-spyware and malware software will detect and remove Sony’s installation.
  • My major problem with the Sony DRM I wrote about yesterday is the lack of consent on the part of the user. The terms of the Sony EULA are posted here. Nowhere does Sony advise that even if you uninstall the software using normal procedures there are hidden bits that remain. Further, the fact that the software is sloppily written and leaves the door open for malicious rootkit developers to take advantage of its flaws is negligent at best.

    For its part, Sony today advised that a removal tool is now available from its website provided that you tell Sony where you obtained the CD from. However, it denied wrongdoing while admitting that many of the security flaws pointed out by Russinovich will be fixed on future CD releases.