Some recent links I found particularly interesting on Twitter include:

Net Neutrality Case Heads to D.C. Circuit

A challenge to the FCC’s new Network Neutrality rules will be heard by the D.C. Circuit, which in the past has been tough on the FCC.

Computer Virus Hits U.S. Drone Fleet

It’s a pretty sad state of affairs when higher up military leaders learn that their drones have been infected with a computer virus from reading this article in WIRED.

Tracking the Trackers: When Everyone Knows Your Username

Jonathan Mayer’s article describing his research into web usage tracking is an excellent read.

Hacked!

If you’ve ever had your email hacked, you can sympathize with this great article from the Atlantic.

News and @cyberlaw Links is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

HP Touchpad’s Fate

Jonathan Ezor’s review of the HP Touchpad I linked to last week became more timely after HP’s announcement that it was discontinuing the platform. It looks like WebOS may live on in some form, but the TouchPad itself is being phased out. Sad, really, as among Jonathan’s conclusions was the following nugget:

“With its ease of setup and support, true multitasking, Bluetooth keyboard compatibility, Flash-enabled browser, and Synergy, the HP TouchPad represents a solid choice for law firms and legal departments that want to add tablets to their technology portfolios.”

Too bad. I used Palms before they were even called Palms (I had a Pilot 1000 back in the day), and was quietly rooting for HP to do well after it acquired Palm.

Fake Apple Stores in China

On Ron Coleman’s Likelihood of Confusion blog, guest author Paul Jones offered his insight into the fake Apple Stores that were recently spotted in China. His insight isn’t that China is finding it hard to crack down on infringers, but rather the remote nature of the province and its inability to have a real store:

Kunming is the capital of Yunnan Province, in the far south of China. The province borders on Vietnam, Laos and Myanmar. It is thus far inland and is not one of the richer coastal provinces where foreign retailers first open their stores. But Kunming Prefecture has about 6 ½ million people. In other words there is demand there but no supply.

The entire article is well worth a read.

The Challenge of Producing Secure Devices

This article in Security Week was interesting for its insight into the world of developers. The pressure on developers to ship devices is so strong that they may have to ship devices with security flaws in order to meet deadlines. Chris Eng of Veracode is quoted as saying:

“I don’t think that every tiny bug, every tiny security bug, has to be fixed before it goes out the door,” he said. “Ideally you fix as many as you can but there’s always going to be some date where you have to ship stuff and you have to prioritize…but you also shouldn’t forget about them.”

This is relevant as many security issues today come from these vulnerabilities which may never be completely patched. There will always be someone who hasn’t applied the recommended security patches, etc., and thus perpetuate the problem caused by the hardware being released this way.

Copyright Termination

I liked this article by Larry Rohter on the upcoming battle over recording artists who can now file termination notices for their master recordings dating from 1978. The recording studios say no deal, however, claiming that the master recordings are works made for hire and thus not eligible for termination. As the article notes,

“Independent copyright experts, however, find that argument unconvincing. Not only have recording artists traditionally paid for the making of their records themselves, with advances from the record companies that are then charged against royalties, they are also exempted from both the obligations and benefits an employee typically expects.”

Artists already filing notices include Bob Dylan, Tom Petty, Bryan Adams, Loretta Lynn, Kris Kristofferson, Tom Waits and Charlie Daniels.

This Week’s @cyberlaw Links is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

Most wireless routers come out of the box with the default setting of being wide open, i.e. with no security, so anyone can use the connection who is within range of it. Many security experts recommend that manufacturers change these defaults, but that is the situation currently.

Many security experts recommend WPA2 level encryption if your device supports it. The older type, WEP, can be cracked in less than a minute with commonly available tools, so it is not recommended. It still would be better than no encryption if that is all your device supports.

A good way to find out how to secure your own wireless network is to search Google with the terms “how to secure wireless network” along with the manufacturer’s name or model number of the device. Some general advice can be found in this WikiHow article, although I do disagree with its recommendation for MAC address filtering. I’d also recommend listening to the Security Now podcasts relating to encryption, including Episode 13, at http://www.grc.com/securitynow.htm. The transcript can be found here – http://www.grc.com/sn/sn-013.htm. It’s an oldie (the show now has over 300 episodes), but that old episode is still worth listening to.

Of course, there are arguments for open wireless networks, but that should be a choice, not a default, in my humble opinion.

Securing Your Wireless Network is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

The complaint is interesting reading, it can be found here in PDF.

The ACLU’s press release had this interesting paragraph, explaining the rationale for the suit:

“We are not saying that the government can never search or seize electronic devices at the border, but only that border agents should have some suspicion that the search will turn up evidence of wrongdoing before looking through all the private information that people have stored in their devices. Americans travel internationally more than in the past, and usually with private information and intimate details of our lives condensed in small, electronic devices. We hope that the court will recognize that Americans don’t give up their right to privacy at the border, and strike down the DHS’s policy as unconstitutional.”

This should be an interesting case to track.

ACLU challenges Suspicionless Laptop Border Searches is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

The article is worth reading as it discusses the recent cases involving searches of electronic items at the border (based upon a “reasonable suspicion” test), and contrasts that to searches the police can do when you are stopped for another reason. The latter doctrine is called “search incident to arrest” and is meant to allow the police to search the person’s immediate possessions, or “containers,” to search for items that are dangerous, like a gun, or from concealing or destroying evidence. The question is whether the same doctrine will allow the police to search your cell phone, iPod, or laptop.

It’s an untested area of the law, and one which can be debated. Certainly, it is easy to imagine a scenario where a person is able to quickly wipe the memory on the laptop, etc. before a regular warrant could be obtained. The flip side would be that the officer could detain the item for a short period of time until a warrant could be obtained.

Any thoughts? Let me know in the comments.

What does “search incident to arrest” mean today? is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

To summarize, the difficulties include legislators who don’t understand the technology, as well as companies that fight good laws because the proposed law hurts their bottom line. Special interests, as usual, appear to have more sway than implementing good laws to fight spyware or phishing attacks.

To further understand why stronger laws are needed, he’s also written a three-part series on cybercrime. Here are links to Part I, Part II, and Part III. (Hat tip to Bruce Schneier for linking to Part III today.)

These laws are needed, and are needed soon.

So why is it difficult to properly legislate for Cyberspace? is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

There are currently no rules that specifically require companies to comply with requests for government spyware to be installed on users’ machines. There similarly is no current requirement for anti-spyware vendors to write software that doesn’t detect government spyware. The article does a good job discussing some vague language in the Wiretap Act that could be used in an effort to make such a request, but of course whether such an argument would be successful is unknown.

(Hat tip to Bruce Schneier for the link)

Detecting government spyware is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

—-

As of December 1, 2006, the Federal Courts have adopted new Federal Rules of Civil Procedure that explicitly acknowledge the fact that information that may be relevant to a lawsuit exists only in electronic form. As such, for the first time the rules set forth procedures that lawyers need to follow in all federal cases. Electronic discovery is no longer limited to the huge cases, it will be required to be discussed in all cases.

While we will not discuss the specifics of the rules here, as the details are of interest mainly to other lawyers and people who are involved in a federal lawsuit, this article focuses on the impact of these rules on record keeping responsibilities and issues.

So what kinds of electronic evidence are we discussing here? It should be stressed that the new Rules define “electronically stored information” very broadly. Instead of focusing just on documents, such as word processing documents and emails, the definition now can include information stored on voice mail, PDA’s, cell phones (with or without cameras), thumb drives, laptops, and backup tapes. Even automobiles, with their onboard computers that can store information about a vehicle crash, are potentially covered by the new rules.

The new rules do not prohibit the routine deletion of electronic evidence as part of a regular record keeping policy or program. However, once a person has knowledge of a lawsuit (or even a potential claim), the preservation requirements kick in. Parties then have a duty to quickly preserve electronic evidence before it can be destroyed. There can be severe consequences for failing to preserve electronic evidence once there is notice of a lawsuit, or there is reasonable anticipation of one. As such, careful companies should prepare for this eventuality by knowing their systems, and knowing their people.

Know your systems – Companies should know what pieces are in their IT infrastructure, and how they work and interact. If an automated backup system that overwrites data is not stopped in a timely fashion, then critical data could be overwritten. If nobody except the IT support staff knows it’s running, then who knows to stop it in time? Some questions to consider are: Where are the machines located? What kinds of backups are run? Where are backups stored? How long are they kept? Is mail stored on the servers, or just on individual machines? How is voice mail stored? Is voice mail backed up? Knowing answers to these types of questions in advance can help to reduce the time needed to get up to speed once there is litigation, and helps avoid the inadvertent destruction of data.

Know your people – The duty to preserve evidence attaches not just to a company, but to all of its employees. Some questions to consider are: Who is the most knowledgeable person about this particular system? Who uses that program? Who has access to this data? Who can overwrite it? Who can delete it? These questions can help you determine who is the most knowledgeable about the systems, and help determine who needs to be told to preserve evidence.

We hope that these questions will help to allow people to be proactive, rather than reactive. It would be a shame for a company to feel pressured to settle a case it could otherwise win rather than face the prospect of producing electronically stored information.

Be Proactive: Know Your Systems and People Before Facing a Lawsuit is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

This week, a hacker who claimed to operate a remote ‘bot network of thousands of computers was interviewed in the Washington Post. That in itself wasn’t newsworthy enough for me to blog about it, as sadly there are many users who allow this to happen to their home computers without their knowledge by following poor computing practices. This fellow was unique only in that he chose to be interviewed about his alleged violation of federal law. I say alleged only because we don’t know for sure he wasn’t bluffing about what he’d done in order to be interviewed.

Well, the hacker went so far as to have a picture appear with the article in which his face was partially obscured. Here’s a link to an eWeek article about this case. Hidden metadata in that image file was capable of identifying the small town in Oklahoma where he lives. Hopefully, federal authorities in the vicinity of Roland, Oklahoma will now be able to zero in on his location. With further clues in the article about his identity, such as his long hair down to his eyebrows, he’s described as tall and lanky, he lives with his religious parents, and he conveniently triangulates his house near readily identifiable businesses such as a “used-car lot, a gas station and convenience store and a strip club.” It shouldn’t be too hard to find him in a town of only 2,842.

Let’s see how long it takes to bring this arrogant alleged violator of the Computer Fraud and Abuse Act to justice! Anybody care to place a friendly non-monetary wager on the timeframe?

Arrogant hacker tracked down through Metadata is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend

At the time of this writing the survey itself is not accessible, but the summary of the findings can be found from the above link. In relevant part, the important findings are as follows:

Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year’s time; 20% of them indicated they had experienced 20 or more attacks.
Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.
Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.
Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.
Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.
Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement’s response. And 81% said they’d report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.

My take is that reporting viruses and spyware as computer crime in the same survey that covers intrusion and phishing attacks is a bit disingenuous. It artifically inflates the number of people that were the victims of computer crime, while also artificially lowering the number of people that reported it to authorities. Not everyone is going to report a simple virus caused by an uninformed user blindly opening email attachments, but more serious crime is more likely to be reported.

On the plus side, the survey points out the need to be vigilant for the beginning of intrusions like port scans, while also reminding users of the need for internal controls. Much computer crime is the result of an inside job from a former employee (or one on the way out), sometimes to hide evidence of another crime such as embezzlement or theft of trade secrets. Your security is only as good as the weakest link, make sure you look at it from the point of view of a potential intruder and see how easy access to your vital data can be obtained.

Reviewing the FBI Computer Crime Survey 2005 is a post from: Cyberlaw Central

©2012 Cyberlaw Central.

Share on Facebook |  Twitter |  Stumbleupon |  Digg |  Reddit |  Email to friend