Monday, April 28, 2008

Could clicking a link—just clicking it—be a federal-level offense?

Scary opinion piece by Mark Gibbs in ComputerWorld.
Just imagine if one day in the near future the FBI comes to your enterprise with warrants that allow them to seize and remove any computer-related equipment, utility bills, telephone bills, any addressed correspondence sent through the U.S. mail, video gear, camera equipment, checkbooks, bank statements and credit card statements. The first question you'd ask is, "Who has done what?"

You're going to be presume your CEO has been involved in some outrageous stock manipulation, or maybe your CFO has been cooking the books. But no, the agent in charge says: "Someone here clicked on a Web link, and we're going to find out who did it."

A link?! Clicking on a link can now be a federal offense?! Was it a link to the truth about JFK's assassination (which we all know the CIA was responsible for ... or was it the Moonies?). Was the link going to launch an ICBM at the Kremlin? Nope, it was a link to a nonexistent cache of kiddie porn that was created specifically by the FBI to attract pedophiles.

As is often said at moments like these, I am not making this up; this is exactly what happened to a doctoral student at Temple University who was also a history professor at La Salle University named Roderick Vosburgh...

According to federal law, attempts to download child porn, whether successful or not, can result in prison sentences of up to 10 years, and a court found Vosburgh guilty of just that, "attempting" to follow a link, a link set up specially by the FBI to trap pedophiles...

The fact that the action might not have been done by you personally is, apparently, not an issue...

The second issue concerns browser add-ons that attempt to pre-cache the content of links on a page. These add-ons are to improve perceived performance, but imagine that you run a Web search and wind up on a page that links to one of these FBI honeypots: Your browser will access the link and, unless you are masking what you do through something like the Tor network, the Feds will get your IP address. Before you know what's going on, there will be a knock on your door, you'll be hurled to the ground, cuffed, Mirandized, and all of your computer gear, financial records and leftover Chinese food will be en route to the local FBI office.

But what if an employee's browser pre-caches the contents of one of these FBI links, or the employee actually clicks on it? Can you imagine the chaos and insanity that would result from the FBI paying your company a visit? Work would grind to a halt, PCs and other gear would be impounded, records taken and your business would be dead in the water.

Labels: , ,


Wednesday, April 23, 2008

They don't add up!

Ed Felten has a new post on the discrepancies observed in vote totals from some of New Jersey's electronic voting machines in the 2008 presidental primary. See also this post.

Every time Ed (with the assistance of troubled voting officials) documents a new inconsistency in the machine reports, the vendor (Sequoia) and the New Jersey Secretary of State come up with a new explanation of how a harmless error could have crept in. Then he comes up with another clear error, and the explanation has to be made more elaborate to cover it, too.

It's not obvious how long this charade will have to continue until someone in authority insists on an independent investigation. Of course, it's "just votes," it's not like money was involved...

My past posts on evoting.

Labels: , , , ,


Tuesday, April 22, 2008

Your relatives' DNA may implicate you.

The privacy community has been concerned for some time about the ethical, legal, and practical issues surrounding DNA testing and the fact that you share a lot of your DNA with relatives. Much of the concern had been for things like insurance: Should the fact that I carry a gene predisposing me to blood clots affect my sister's insurance rates, even though she has not been tested for that gene?

The Washington Post has a very interesting story by Ellen Nakashima that details an actual criminal case where a man was arrested for murder based on DNA testing of a 5 year old Pap smear specimen from his daughter. While it appears that justice was done in this case, the Fourth Amendment implications of this type of search are not so clear. The article discusses a number of them in depth.

Labels: ,


Wednesday, April 16, 2008

Spear phishing for CEOs

No matter how often people are reminded that they shouldn't click on links in unexpected emails, and that they shouldn't download software from an unknown source, there are still victims. Even highly-placed, affluent victims. The kind phishers really like.

A ComputerWorld story by Robert McMillan details a recent example.
Panos Anastassiadis didn't click on the fake subpoena that popped into his in-box on Monday morning, but he runs a computer security company. Others were not so lucky.

In fact, security researchers said that thousands have fallen victim to an e-mail scam in which senior managers such as Anastassiadis are told that they have been sued in federal court and must click on a Web link to download court documents. Victims of the crime are taken to a phony Web site where they are told they need to install browser plug-in software to view the documents. That software gives the criminals access to the victim's computer.

This type of targeted e-mail attack, called "spear phishing," is a variation on the more common "phishing" attack. Both attacks use fake e-mail messages to try to lure victims to malicious Web sites, but with spear phishing, the attackers try to make their messages more believable by including information tailored to the victim.
The troubling thing is that so many reputable sites legitimize phishers by asking people to do the same things: Click on this link to log in to your account. Download this plugin to view your bill.

If you're used to getting such messages from your bank, the phone company, and your health insurer (not to mention your professional society), you will likely not be so wary when you get a message that is only pretending to be from one of them, or that is pretending to be from some important organization that you deal with less frequently, like the Federal courts or the IRS. I must get a dozen such messages a week.

Shame on ACM! Shame on Verizon Wireless! Shame on Blue Shield of California! And the list goes on... But kudos to Wells Fargo!

Labels: ,


Thursday, April 10, 2008

Phorm is even more pernicious than I had thought

Harlan Yu has a good post on Freedom to Tinker, explaining why Phorm is worse than I had realized.
New technical details about its Webwise system have since emerged, and it’s not just privacy that now seems to be at risk. The report exposes a system that actively degrades user experience and alters the interaction with content providers. Even more importantly, the Webwise system is a clear violation of the sacred end-to-end principle that guides the core architectural design of the Internet.
This is a deal-breaker. If Comcast starts providing this "service," I will be moving to a new ISP (and a new video provider).

Labels: , ,


Wednesday, April 09, 2008

HSBC's turn to lose customer data

Michael Krigsman has a very good post on ZDnet about how the UK's largest bank sent unencrypted data on 370,000 customers through the mail, and lost it. It's amazing who shows up prominently on the list of those who don't have a clue about data security... They should have read this.

Labels: , , ,


Sensible risk analysis

ComputerWorld has a nice article by Charlie Martin on "Assessing the risks and cost of encryption." It not only gives a reasoned justification for encryption of personal data on a laptop's disk, it explains a general method for doing a back of the envelope calculation (BOTEC) for any similar security/risk question.

This technique of risk analysis can be applied to almost any decision about any security measure: It's worthwhile only if it costs less than the reduction in your expected loss per year. For example, there are a number of special disks available now that have specialized on-disk encryption hardware. How much of a premium is it worth to buy one of these disks, compared to using encryption software? Simply extend the reasoning: If the special hardware makes it 100 times harder to get data off the disk, the expected loss per year is around $1. If the special hardware costs significantly more than $199, it doesn't actually
pay off.

So the next time the CEO asks you one of these questions, you can make a back-of-the-envelope estimate in just a few seconds' thought. Won't that make you look good?

Labels: , ,


Friday, April 04, 2008

2010 Census turns victim of another government IT fiasco

Ho, hum! The US wastes another $3Billion in a failed automation project.

Reports in The New York Times, ZDnet, Digital Trends.

My previous post.

Labels: , ,


Wednesday, April 02, 2008

A bumper crop

There seem to have been an unusual number of April Fool pranks this year--or perhaps word about them just spreads more efficiently these days?