Thursday, March 11, 2010

Archive for the ‘Legal Shiz’ Category

Restaurateurs, SIs, and PCI

Dan Kaplan has a piece in SC Magazine on the lawsuit being filed against SI/resellers Radiant Systems and Computer World by some restaurants in Louisiana and Mississippi.

Dan interviewed me for the piece:

Diana Kelley, founder of consultancy Security Curve, said she understands where the restaurants have a case, considering Visa alerted the two defendants in April 2007 that their systems were non-compliant. The eateries claimed they never learned of the warning, but Kelley said they still are required to perform a PCI assessment, which should have caught the vulnerabilities.

“We’re going to have a judge put some case law on where the accountability does lie,” she said. “It really could change the landscape.”

Really CIS?

OK, so I saw in the industry press that CIS had put out configuration guidance for the iPhone. This seemed interesting to me, since I’m now an Android user (love it, by the way) – I think the Google phone is the best thing since sliced bread. Not that the iPhone and Android are the same thing – just because I feel a kinship with the iPhone users for some reason.

Anyway, I surfed over to the benchmark to check it out. Not surprisingly, there’s about as much complexity associated with hardening an iPhone as you’d probably expect. For example, they outline that “Airplane Mode” is pretty good from a security perspective, that it’s probably a good idea to turn the password protection feature on, and that you really ought to upgrade the firmware occasionally.

But believe it or not, I didn’t bring it up to make fun of the specific recommendations in the benchmark. It is what it is… No matter how obvious the recommendations might seem to us as security folks, explicitly pointing stuff out in a no-nonsense way can never be bad.

No, actually the reason I’m bringing this up comes about because of the “wall of text” in the legalese of the Benchmark’s Terms of Use. Check this out and see if anything about this strikes you as unusual:

CIS makes no representations… as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware…

Wait… wut? OK, so I’m not a lawyer. And maybe lawyers have a different meaning for the word “representation” (if so, I couldn’t find it). But doesn’t this (from the CIS Benchmark FAQ) sound like a representation “as to the positive effect” on security:

CIS Benchmarks enumerate security configuration settings and actions that “harden” your systems. They are unique, not because the settings and actions are unknown to any security specialist, but because consensus among hundreds of security professionals worldwide has defined these particular configurations.

What bothers me about this is that CIS clearly asserts that using the benchmarks will help secure your systems. What else could “harden your systems” mean? What would be the point of pointing out that “hundreds of experts agree” if the end state was not to make the security profile better?

It’s clearly the case. In fact, it’s sort of the whole point.

CIS leading with this seems to me kind of like Honda pasting a big yellow sticker on the Civic’s steering wheel that says “Automobile not intended for transportation.” … What the frick else would it be intended for? Outdoor paperweight? Portable cell-phone charger?

Is it really the case that we’re so far down the word-weasel road that the only way not to get sued is to entirely disavow what our products actually do? Can it really be that bad? Or is CIS just over the fence?

A higher standard for security pros?

So, today I came across a small reference (via HackInTheBox) about how one of the UK’s premier forensics experts committed perjury by claiming to have a degree that he didn’t, in point of fact, have.

It barely made a blip in the press – after all, it wasn’t a huge sentence (he got a suspended sentence and a small fine), his colleagues say that there was no doubt as to his expertise, and that he didn’t put any convictions in jeopardy.

Now, I’m not going to be the first in line to pile all over him and say that he was wrong or “a monster” or evil or whatever… Human nature is what it is, and people lie from time to time. So he didn’t have a degree? So what… On the punishment side, the court did a pretty good job with the sentencing. A small sentence, but one that makes it very unlikely that he’ll be an expert witness again, thereby preventing recurrence. So it goes.

But what interests me about this is the long-term effect that misdeeds on the part of security folks have. Take, for example, the recent Pay By Touch debacle (you know, where the CEO was playing fast and loose by running biometric payments into the ground). I liked Pay By Touch – sort of. I thought it was a good idea, but I figured it was going to flop – although I figured it was doomed because of the sales numbers they had on their site (which were clearly bogus) as opposed to the whole fraud/drug use/sex parties thing.

Anyway, the point is this – after Pay By Touch, how likely is it that supermarkets – or the populace as a whole for that matter – will trust biometrics nowadays? Sure, maybe they’ll trust the biometric technology – but there could be some lingering suspicion for the companies. Will that bad will extend to other security companies and products? Maybe so. Will practicing forensics in the UK be harder now that it turns out the “founder” of the discipline in that region was lying to the court? I would tend to think so…

So, I guess I’ll stop ranting now… I just find it irritating when the actions of an individual make everyone else feel the pain. Maybe at some point we’ll all wake up and start enforcing competency (and ethics) for the discipline the same way they do with medical practitioners. Or maybe not…

Massachusetts – 6 Million People Can’t be Wrong

Hey, so have you been keeping up with all the awesomeness going on in Mass? In case you haven’t noticed, there’s a bunch of new stuff out there. There’s 201 CMR 17.00 which requires encryption of personal data of a commonwealth resident no matter where it is. That’s pretty awesome, and it’s going to blow a hole in traditional IT. After all, how do you know who’s a resident of Mass or not? Couldn’t someone list their secondary address in your database, but really be a resident of Mass? Sure. Would they be covered by the law? Probably. Nifty, huh? It’s the same dilemma that businesses were in relative to SB-1386. And we all know how that shook out.

But what’s even cooler than that (or maybe just as cool) is Executive Order 504 that requires specific information security controls, management, and governance from state agencies, and requires certification of contractors to a defined security standard. Again, this ought to shake things up a bit.

I’m really pleased with what’s going on just down south of us. Although I’m a little nervous. Here’s why:

1) we’re heading into a recession
2) recession means less tax money to the government
3) recession means higher unemployment and higher rate of state-funded programs like unemployment
4) states have to maintain a balanced budget
5) more technical controls means more IT spending at the expense of services-spending

I’m not sure that this is the perfect time for what Mass is up to – but I’m really interested to see how it’ll shake out.

Time to sue Bruce?

Remember the other day when I was talking about why assigning liability for buggy code was a bad idea? Bruce had argued that we should sue companies for buggy software – which I argued was not a good idea because smaller companies that made freeware tools (e.g. Counterpane) wouldn’t release such a tool given the risk. Well, as if to prove my point, the folks over at Elcomsoft (remember them?) pointed out what is arguably a security flaw in PasswordSafe. I say “arguably” because it’s a “how to make a dictionary attack viable” kind of flaw; Microsoft argued this wasn’t a flaw per se when the same thing happened to them (with L0phtcrack), so maybe it’s not a flaw here either.

If we all followed the “company liability” model, now would be the time to start getting our class action together against Counterpane; if we followed the “developer liability” model, I suppose we would need to sue Bruce himself. In my opinion, both are obviously foolish – nobody cares more about security than Bruce Schneier… Why sue him for someone else’s creativity?

Crank Yankers, Bill Clinton, and Digital Privacy

Everybody’s heard about the now-infamous Paris Hilton Sidekick incident. It’s been the subject of numerous Internet parodies, television hijinkery, and entertainment gossip. Apparently, in a similar incident, Jimmy Buffett’s phone was stolen by a restaurant busboy and used to “crank yank” former president Bill Clinton.

So where am I going with this? Who cares, right? Everybody nowadays has a cell phone, PDA, sidekick, nomad, iPod, or some other easily-misplaced digital information appliance. We use them to store everything: pictures, phone numbers, music, plans to the death star, etc. One often-overlooked fact in all this is that these devices of today are more and more frequently starting to obviate the privacy measures of yesterday. In other words, Bill Clinton thought his number was unlisted and inaccessible to the casual prank caller; it was, and it would have stayed that way if it weren’t for a lost cell phone half a hemisphere away.

There are three trends at work: 1) these unsecured devices are starting to carry more data and more types of data; 2) these devices are becoming more ubiquitous; 3) any data on these devices can be (as was the case with Paris’ data) instantaneously shared amongst interested parties across the globe. I think, looking down the road, that privacy erosion is less about government “big brother” (as argued by Orwell) or the numerous corporate “little brothers” (although this is slightly more prevalent). After all, pro-privacy folks at least have a chance to fight back on those fronts. What scares me much more is the large array of personal “micro brothers” – the “Amway”-ization of privacy loss. By the time anybody notices, there will be no such thing as an “unlisted number”, “private IM account”, or anonymous email address; how can there be when all this data is stored in so many different places and can be instantly shared? Call me cynical, but I think it’s only a matter of time; for the truth of this, just ask all the famous people who had to change their number as a result of Paris’ hacked Sidekick account – or ask Bill Clinton for that matter. You can still find their phone numbers on Google.

Passwords not enough?

Typically, I come down on the side of “sufficient protection” when debating what type of authentication mechanism to employ in a given security scenario. Up until now, that meant that I felt that passwords were a fairly robust vehicle for protecting data. However, a recent ruling determined that passwords alone were insufficient protection to preserve trade secret information. In other words, data placed in a directory secured by passwords was found not to be sufficient protection to preserve trade-secret status. In this instance, the judge questioned why other measures weren’t taken – e.g. data labeling, confidentiality notices, etc.

In context, I agree with the ruling. While what the judge said is true (e.g. that the employees of the firm needed to be advised of data confidentiality), I’m concerned about the precedent and how the industry will react. The judge said in his ruling, “[r]estricting access to sensitive information by assigning employees passwords on a need-to-know basis is a step in the right direction”. So it’s “a step in the right direction” but not “sufficient.” What is sufficient? A confidentiality label at the bottom of the screen? I don’t think that will cut the mustard if passwords don’t…

This is just the kind of thing that an unscrupulous company could spin into a FUD-fest to try to sell two-factor products.

“chaotic” and “a litigation bonanza”

Quotes from FCC Chairman Michael Powell on the FCC’s rules released on local telephone and broadband: “FCC Releases Rules on Local Phone, Broadband Competition.”

Makes you wonder when the Chairman has such an uncomplimentary view of the rules. A lot of the rules pertain to discounts and sharing requirements of existing networks. If you’re interested in the full report, the FCC has all 576 pages available for download here: www.fcc.gov, along with comments from Powell, and Commissioners: Abernathy, Copps, Martin and Adelstein.

Industry Poised to Forestall Net Regulation

“Sounding a united alarm against intrusive federal regulation, industry officials cautioned that over-involvement on the part of the government could impede speedy disaster recovery operations by private companies. First and foremost, they agreed, Congress should keep its hands off when it comes to monitoring or controlling privately held networks.”

California senate passes antispam bill

ComputerWorld reports “the California State Senate passed a bill Thursday that would transform spam from a misdemeanor to a felony offense and cost spammers an estimated $500 per unsolicited e-mail sent.”

The bill is called SB12 and works on an opt-in model. Just think about the repercussions: lawyers can chase ‘spammers’ instead of ambulances now. More seriously, though, if this can be acted on and enforced, the $500 per email fee could be a strong deterrent that may make many spammers think twice before hitting the send button.
