Tag Archives: Mondaq

And people wonder why we have so many breaches

I just signed up for a cyber security newsletter with Mondaq, the big British publisher, and I got a confirmation email back after the signup.  I get those all the time, so I didn’t really look at the email until later.

Two things stand out in the email —

First this:

To choose your personal News Alert topics and region click here:

http://www.mondaq.com/go.asp?u=mitch@tanmann.com&p=***************&n=1

For those of you who are not geeks, the u= parameter is my userid and the p= parameter is my password.  I put the stars in there instead of sharing my password with everyone. 🙂

Of course, this came in unencrypted email.

The second is, later in the same email:

Your user details are below:
Username: mitch@tanmann.com
Email Address: mitch@tanmann.com
Password: ***************

Please ensure that you keep this information for future reference.

Besides the obvious security breach of sending my password in clear text in an unencrypted email, it also means that they know what my password is.  Most web sites either encrypt or hash your password in a way that no one, even them, can decrypt.  Then when you send your password the next time to log in, they encrypt or hash the password you typed and compare the encrypted or hashed values.  That way, they never have to know what your password is.  Apparently, the folks at Mondaq have never heard of that concept.
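As an added example (my own illustration, not Mondaq's code), here is the hash-and-compare scheme described above in Python: a site stores a per-user salt and a PBKDF2 hash, checks a login by re-deriving and comparing, and at no point holds anything it could mail back to you. The iteration count and salt size are assumed values for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work-factor parameters for this example (not taken from any site above).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a site should store instead of the password itself.

    The record holds a random per-user salt plus the PBKDF2-HMAC-SHA256
    output; the password cannot be recovered from it, so a site that keeps
    only this has nothing to put in a "Password: ..." email.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": derived.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from what the user typed and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(derived.hex(), record["hash"])


def stored_record_reveals_password(record: dict, password: str) -> bool:
    """True if the plaintext password shows up anywhere in the stored record."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = hash_password("correct horse")
    print("stored record:", record)
    print("login with right password:", verify_password(record, "correct horse"))
    print("login with wrong password:", verify_password(record, "Correct horse"))
    print("record contains password:", stored_record_reveals_password(record, "correct horse"))
```

Two users who pick the same password get different records because each gets a fresh salt, so a leaked table does not even reveal who shares a password.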

I assume these guys are smart.  They are just trying to make things easy for their users and have given no thought to the security impact of doing this.

ARGH!!!!!

Mitch

Counterpoint to Guilty Till Proven Innocent

Last month I wrote a piece talking about the Business Software Alliance’s point of view of software piracy, which is guilty till proven innocent.

As with any good story, there is often an opposing view and I came across one on Mondaq, the legal (among many other things) information publisher.

The article, written by Steven Hellend of the law firm of Fredrikson and Byron, has a different point of view, and I think his point is well taken.  Understand, of course, that if you take his strategy you are likely in for a large legal bill, but the situation is messy either way and you need to decide what is the best strategy for your company.

Steven’s point of view is summed up this way, by him:

Imagine that you are accused of shoplifting a pair of Levi’s® jeans by an unnamed tipster. The agent for the clothing store demands that you inventory not only your Levi’s® jeans, but every article of clothing in your closet. Next the agent demands that you provide a dated receipt for each article of clothing. No matter how old. And if you can’t find a receipt for a favorite old sweater, the agent is uninterested that your mom will provide an affidavit that she bought it for you as a gift. Absent a dated receipt, all items are deemed shoplifted or stolen. And the agent will demand a settlement payment or threaten to sue you for $150,000 per item.
The inference of shoplifting/theft above is absurd on its face.
The inference of copyright infringement for software under like circumstances is equally absurd.

I think that Steven is not particularly arguing with the guilty till proven innocent comment, but he thinks that there are many possible defenses, contrary to what the BSA might tell you.  Remember, the BSA is a private organization, not a judge, jury or regulatory body.

So, in short summary, here is his take:

  • The BSA says you have to have dated receipts.  Steven says that you may be able to convince a court that other evidence is sufficient.
  • The BSA says if you cannot provide dated receipts you are de facto guilty.  Steven says there are many factors and in court (assuming you go that far), things may not be so simple and the burden MAY shift to the BSA. Note I said MAY.
  • The BSA says you can be fined up to $150,000 per infringement. Steven says that the BSA forgets to mention that the statute says ordinary or typical damages are between $750 and $30,000 as the court considers just.  The $150,000 is the maximum for certain willful infringement. It also says that the court may reduce the fine to no less than $200.

So, I think what Steven is saying is that you should not cave; consider your options and come up with a plan.  The result may be much less dire than the BSA suggests.

That being said, as part of your cyber risk management plan, you do need to manage software licenses, manage documentation, enforce the rules, punish violators, etc.  Doing this will likely (not guaranteed, but likely) eliminate any chance of willful infringement charges being successful.  In that case, your exposure will certainly be a whole lot less than the BSA suggests.  However, if you just let it slide or wink while employees copy software, the picture will not look anywhere near as pretty.

Here is an article on software audits that Steven has written on his company’s web site.  More information.  In this case, information is definitely good for you.

Mitch