Category Archives: Legal

President Signs SESTA/FOSTA; Web Sites Start Shutting Down Services

SESTA/FOSTA was a bill that was supposedly designed to shut down sex trafficking sites on the Internet by effectively repealing the protections provided by Section 230 of the Communications Decency Act which protects online service providers like Facebook and Google from being prosecuted for the postings of their users.

The bills, which have been around in different forms for a couple of years, was snuck into the budget bill in the dark of night.  There was no debate, no committee hearing and no markup of the bill.  Likely, knowing DC, it was a Quid Pro Quo to get someone to vote for the budget bill.

Section 230 of the Communications Decency Act protects online service providers from being held accountable for what their customers post.  While the “claim” is that this bill is designed to punish web sites that post prostitution ads, it is so poorly written that it could be used as a club against any web site that a federal prosecutor chooses to.  The main target of the bill was Backpage, which did post, in my opinion, prostitution ads, but that site was shut down and the people responsible for it arrested days before the President signed this bill, so, apparently, the feds did not need this law to shut down what was proclaimed to be the target of the bill.

Fringe dating sites, sex trade advertising sites, parts of Craigslist and other sites have already shut down.  Google has started wielding a meat axe on their site to ensure they are not charged.  All this before the law likely is implemented, some time next year (Source: Motherboard Vice).

Given this, what should you do?

First, this really only affects you if you run a website and you allow users to post content on that site.

For the moment, lets assume that you do run a website that allows users to post content such as comments or reviews.  Up until now, the rule was that if you did not impose editorial control over that content, then you were not liable for it.

Now, apparently, you are.

This means that you need to do one of two things:

1. Shut down the part of the web site that allows users to post content.  If this destroys your business model, tough.  Write a letter to Congress.  What Congress giveth, Congress can taketh away.

2.  If that is not an attractive option, then you have to create a process to review every post to make sure that it cannot be misconstrued by some over eager federal prosecutor to charge you.

Remember, you do not have to be guilty to be charged and proving yourself innocent can be very expensive.

I am not sure if cyber insurance will start covering this.  Prior to the effective repeal of Section 230, they did.  Now, it is not clear at all.

Fundamentally, you have to exercise full editorial control over the content.

Don’t be surprised if people start figuring out which sites do not monitor posts and start using those sites as a replacement for the ones that shut down.

As we get closer to 2019, there could be some clarity and, possibly although unlikely, Congress could amend the legislation.

In the meantime, stay tuned and start setting up those processes.

 

 

Facebooktwitterredditlinkedinmailby feather

Can The Ruskies REALLY Hack Our Elections?

With all the news lately about the Russians trying to change the outcome of the elections (like, I might add, the U.S. has been trying to do around the world for decades – think of the Shah in Iran, the Congo elections, Chile and many others – see here), the real question is can the election really be hacked.

The Pew Charitable Trust published a great piece on the subject which should make you think about the subject.

Here are my thoughts on the subject.  Feel free to comment.

#1 – As a concept, there is no “single point of failure” in the American election system.  That is both its strength and its weakness.  According to Pew, there are 10,000 election entities, mostly (by sheer numbers) counties and cities.  These organizations are, at best, loosely affiliated with each other.  The Clerk in Wichita, KS likely doesn’t even know the Clerk in Fort Smith, Arkansas, except maybe by chance and, for sure the systems used by the two cities are not, in any way, connected.

#2 – Your local voting machine is NOT connected to the Internet.  In fact it is not connected to much of anything.  It is likely loaded with it’s ballot by a flash drive, created at the Clerk’s office.  At the end of the election day, the results are read out on each machine and probably called into each individual election office, manually.  The machines are then locked up and driven to a warehouse, where they are stored, more or less securely until the next election.  Could you compromise that flash drive at creation time?  Likely.  Probably without a huge amount of effort.  But even if you do, that would only be used within a single election PRECINCT.  Not exactly an easy way to change the outcome of a Presidential election.

#3 – While we are on the subject of Presidential elections, the easiest way to change the outcome of that election is by way of fake news, promoted by influencers.  Not the fake news that the current office holder talks about, but rather real fake news.  The average voter assumes, for the most part,that whatever they read, if it supports what they believe, is likely true – it just reinforces their existing beliefs, without regard to whether those beliefs are correct. Or not. That is certainly what Russia did in 2016.  Those efforts can effect a change in the election results.

#4 – it doesn’t require flipping very many votes to change the outcome of a single election.  In this week’s PA-18 House election, the difference between winning and losing was around 627 votes.  Out of 250,000 or so votes.  So, if, via fake news, you can flip the minds of less than a thousand voters, you have just changed the outcome of an election.  That is probably a  lot easier and a lot cheaper than trying to hack voting machines.

“That keeps me awake at night,” said Nancy Blankenship, the clerk for Deschutes County, Oregon.

That quote gives me some hope regarding fending off the bad guys.

On the other hand, this quote worries me.  This clerk either is so clueless about technology that she should not have the job or is sticking her head in the sand.  In either case, it is a problem.

Sara May-Silfee, the director of elections for Monroe County, a community of 170,000 in eastern Pennsylvania, said she knows her county is secure, even if her state was one of 21 states targeted by Russian hackers in 2016.

“I can’t even begin to tell you how they’d hack us,” she said. “Nothing is hooked up to anything. How could anybody hack us? I’m not worried about anything. Sometimes it seems like a lot of hullabaloo.”

I wonder how she KNOWS her county is secure?  Perhaps the same way Target knew?  Or Home Depot knew?  Part of the problem is that County clerks are political animals.  Usually elected.  Highly unlikely from a technical background.

I saw an article earlier today that the Air Force was lamenting that they could not find good cyber security folks.  After all, they pay $37,000 a year plus allowances and benefits.  Someone who is competent could likely make 50% to 100% more in the private sector and not have to worry about having to listen to the whims of politicians who have no idea about tech, even though they feel the need to flap their gums about the subject.

#5 – in many locations, the vast majority (if not all) of the ballots are done via mail.  ON PAPER.  The old fashioned way.  Could you steal the ballots out of the mail?  Maybe?  But if you do, are you helping the candidate you favor?  Or hurting that candidate?  Could you hack that voting process?  Unlikely.

#6 -Could you compromise the central ballot counting process in any given city or county?  Maybe, but likely not easily.

#7 – Hackers could break into central state voter databases and add names, delete names or make changes.  This is one of the things that the Russians were reported to have been trying to do during the 2016 elections.  Is this possible?  Apparently, at least to a degree.  What backups, cross checks and security  measures any given voter database has, is, of course, unknown.  Reports have it that the Russians were successful at doing this, at least to some extent, in several states.

#8 – Many electronic voting machines still do not have a paper confirmation printout.  What this means is that there is NO way for the voter to know what the voting machine actually registered and no way for voting officials to verify the vote count.  THIS IS A BIG PROBLEM.  Without some independent means to verify the vote count, it is all a big guess.

At the hacking conference Defcon, there has been a contest for the last few years for hacking voting machines.  Every year, every single machine gets hacked.  Sometimes in just a few minutes.  In fact, it has been so embarrassing to voting machine manufacturers that they have resorted to threatening people who sell voting machines on the used market.  If the organizers of Defcon can’t get machines, they can’t embarrass the voting machine manufacturers.  If I was a manufacturer, I wouldn’t count Defcon’s organizers out yet.

Suffice it to say, this system is far from perfect.  However, hacking the tech is not only hard but will also have limited effect.  There is no central place to attack; no website to compromise.  Still, that doesn’t mean you can’t do anything.  Think back to PA-18 this week.  Only 600+ votes separated the winner from the loser.

Information for this post came from The Pew Charitable Trust.

Facebooktwitterredditlinkedinmailby feather

What If Security Products Offered Warranties?

Most of the time software license agreements say “we are not responsible for anything that might happen”.  In fact, most license agreements say that it is up to the user to figure out if the software is even appropriate for whatever the user plans to use it for.

So what would happen if a software vendor offered, say, a ONE MILLION DOLLAR warranty?

Well, you no longer have to wonder.

SentinelOne (https://www.sentinelone.com/ ), maker of endpoint protection software (the next generation of anti virus software), has started offering a million dollar warranty if their customer’s computers are infected by ransomware while their software is active.

They are that confident of their product.  They use AI and machine learning to stop attacks.

SentinelOne decided that they needed a differentiator.  Providing a warranty would be an impressive difference in a very crowded software segment with 60 competitors.

However, last year there were four vendors offering a warranty;  this year there are 18, so that difference is losing a little bit of its punch.  SentinelOne is likely responsible for that.

If this trend continues, this could be a great event for users.

Getting SentinelOne’s management to agree to offering a warranty was a bit of a challenge, but Jeremiah Grossman , the guy who did the convincing, had things figured out.

First you have to model your losses, understanding what the likelihood is of the product failing.

Then you have buy reinsurance against catastrophic losses.  The reinsurance, he said, cost them less than $25,000 a year.  A pretty cheap marketing cost.

SentinelOne said they had no losses in the last year.  That, by itself, is pretty impressive.

While $1 million is a lot of money, the average cost to recover from a midsize breach is between $3 million and $7 million, so that $1 million, while it should be a good sales tool, is not the end game.

Enter warranty V2.  Details still being worked out.

Still, if this is a trend, maybe there is an end to the insanity of software licenses – caveat emptor, buyer beware.

That, if it happens, would be a wonderful change.  I have my fingers, and toes, crossed.

Information for this post came from SearchSecurity at TechTarget.

 

Facebooktwitterredditlinkedinmailby feather

Yahoo Breach Victims Can Sue

Here’s a thought.  If the lawsuit against Yahoo succeeds and the award is $10 per victim, that would be a $30 billion judgement.

The breach, you may remember, was publicly disclosed after Verizon agreed to buy Yahoo but before the deal closed.  As a result of the announcement the price was lowered by $350 million, but there were also some changes to the terms.

The changes were not all announced publicly, but likely some of the changes were related to who gets to pay for fines and penalties.

*IF* the plaintiffs win and the award is $30 billion –  two VERY BIG ifs – and even if the two companies split the $30 billion, then that $350 million discount won’t seem like much of a deal.  All of this is a big if.

For years judges dismissed these lawsuits out of hand saying that the plaintiffs didn’t suffer imminent harm or didn’t have standing at all.

In this case, the judge is someone who is familiar with both high tech and very public trials – she presided over the Apple-Samsung trial, among others.

The judge, Lucy Koh, said that it is reasonable that the plaintiffs might have chosen a different email provider if they had known that Yahoo’s email system had weaknesses.

She also said that the plaintiffs were going to be allowed to try and prove that the liability limits in Yahoo’s terms of service were unconscionable given the allegations that Yahoo knew it’s security was horrible and didn’t do much about it.

It is going to be years before anything is likely settled, but we are seeing more and more that judges are no longer siding with companies blindly saying there is nothing that companies can do to prevent breaches.

Obviously no one knows what the outcome of this trial and appeals will be, but if the plaintiffs win and if there is a big award, it would set an interesting precedent.  This case is being tried in the 9th Circuit, which is in the  heart of Silicon Valley.  If the plaintiffs win, it will definitely get the attention of every tech company in the valley.

I have heard that Yahoo did not have any cyber risk insurance.  If true, they could be digging deep in the couch cushions to pay for the trial, appeal and possible verdict.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

Warrantless Searches of Your Car

For the most part, police need a search warrant to search your possessions.  Want to search your house, get a warrant.  Search your phone, yup, need a warrant.

But when it comes to your car, the rules are different.

The rules for searching your car don’t run back to the Constitution.  After all, there were no cars in 1776 and searching your horse was likely a different matter.

To search your car all the police need is probable cause and the definition of what is probable cause is somewhat variable.  This goes back to the days when a cop stopped someone for running a stop sign and saw a gun on the front seat or some drugs.  They used that as probable cause to search your car for more.

But where, exactly, does that stop?  Can they plug a cable into your maintenance port and suck out all your call data or text messages from your smart entertainment system without a warrant?  Currently, yes.  So if you won’t give them your phone when they stop you, they could, maybe, get the same data from your car.

It seems to me that there is a difference between looking under a blanket in the back seat for a gun or  drugs or even an illegal immigrant and searching your car’s entertainment system to dump all your email.

The police are welcome to search my car’s entertainment system for my email because it is not there.  I have a dumb entertainment system.  If I want to listen to music stored on my phone, I have to plug in a cable into the headphone jack.  That connection is not going to leak much data.  But, for many people, they like the feature of being able to have their car radio read email to them or read the President’s latest Tweet storm as they drive.  Or be able to say “car, phone ET at home”.

That being said, my car (actually a truck) probably has 50 or more computers in it that tell it everything from my speed to how far I drove today.  Not in my case, since I don’t have a GPS in my car, but for others, it will also tell the police every place my car has been and how it got from place to place and even when.  They can, today, get all that data, likely without a warrant.  Remember of course that they can get that same GPS data from your cell phone carrier, but the guys (and ladies) in black robes in DC have been making the barrier to getting that data higher over time.

Some police are even carrying systems in their police cars that can suck the data out of your phone in seconds.  Even if the phone is locked with a screen lock.  I am pretty confident but not positive, (a) *IF* your phone is encrypted and (b) you power it off – not lock it – before the police make it to your car, then the odds of that software working are as close to zero as possible.  But how many people would even think to do that.

Worse yet, some insurance companies are offering electronic insurance cards.  So, you unlock your phone, bring up the insurance app with the insurance card, hand your unlocked phone to the police officer who takes it back to his or her police car.  What could possible go wrong.   Besides, of course, in the minute or two while the police person is running your license and vehicle for wants and warrants, he or she could also be sucking all the data out of your phone.  Probably legally.

Legal?  Maybe?  But they have the data at that point and there is no law that requires them to delete it, so they add it to some mega database for what purpose?  And keep it for how long?

Seems to me that Congress needs to change the law, but that is just me.

After all, your definition of probable cause and mine could be different and the determination of probable cause could change after the fact.

Just something to ponder.

Information for this post came from Tech Crunch.

 

 

Facebooktwitterredditlinkedinmailby feather

The Feds (and Others) Can Probably Unlock Any iPhone Ever Made

Here’s something you don’t hear every day.

Cellebrite, a cell phone hacking vendor based in Petah Tikvah, Israel, claims that they can unlock any iPhone ever made, including the iPhone X running iOS 11.2.6 .

Cellebrite, who offers their services to the highest bidder – mostly law enforcement and governments, both ones that have a better track record with privacy and those that have a horrible privacy record such as Russia – has  made a business out of offering forensics services pretty much to anyone who’s check will clear.  That is probably being a bit unfair, but they were hacked themselves last year and from the data that was released, the statement above does not appear to be too far off.

In any case, typically the newer phones are harder to hack.  You may remember that the FBI paid someone over a million dollars to hack into the iPhone of the San Bernadino shooter after the FBI did not reach out to Apple in a timely manner and get directions on how to unlock it.  In the case of iPhones, usually waiting is your enemy because after a phone is locked for too long, extra security features kick in making it harder to unlock.

Apple adds new security features with every release, so it is especially embarrassing to Apple that their newest flagship phone – one that costs over a thousand dollars at retail – running its newest operating system can, apparently,  be popped open like a can of Coke or Pepsi.

This hacking process is typically a cat and mouse game – the hackers figure out how to break in and Apple fixes it after they find out and the process starts over.

In this case,  in order to maintain their revenue stream for as long as possible, Cellebrite has added a twist to the unlock process.

Normally the unlock features are added to their software which police departments and repressive governments license for an annual fee.  This time the agency has to send the phone to Cellebrite which will charge them a fee of around $1,500 per phone to unlock and they will return the phone unlocked.

Lets say that governments and others send them just 1,000 phones – the NY DA alone said that he had 400 phones that he would like unlocked, so that number is stupid low – then that would generate an extra million and a half dollars to their revenue for the year.

The other thing that it does is protect the bug that they found from being identified and fixed by Apple.  There are likely businesses who are friendly to Apple and who have licensed Cellebrite’s software.  If unlock feature was added to the software then Apple would connect a test phone with extra debug features to the Cellebrite software and likely figure out exactly what Cellebrite is exploiting so that they can plug the hole.

So this method – forcing the cops to write a check and send them the phone both provides a major revenue boost and preserves the bug for a longer time.

All that not withstanding, I am sure that Apple is scratching their collective heads trying to figure out what Cellebrite is doing.

And, just to be clear, this is not a theoretical issue.  Homeland Security has already written a check to get at least one iPhone X unlocked.

If you are a terrorist or someone who would prefer that the feds or other repressive governments can’t see what is on your phone, do not count on Apple to be able to provide that to you, at least for now.

Information for this post came from Forbes.

 

Facebooktwitterredditlinkedinmailby feather