Law – The InfoSec Blog

Purpose unclear. Why are the FBI really trying to subvert encryption?

Tim cook says Apple will fight a federal order to help the FBI hack an iPhone.

An earlier version of this page has a paragraph which seems to have been deleted later;

It was not immediately clear what investigators believed they might find on Farook’s work phone or why the information would not be available from third-party service providers, such as Google or Facebook, though investigators think the device may hold clues about whom the couple communicated with and where they might have travelled.

Is that “Whom” grammatically correct?

This does raise a ‘why’ in my mind.
Cant the other service providers (who would it be, AT&T, Verizon?) supply the ‘traffic analysis of who they communicated with? Isn’t this the sort of “metadata” that the government spies are supposed to be collecting?

Opening the phone won’t give the content of the messages past, they are gone like the snows of yesteryear[1]. Dead as the author of that famous quote.

So what are the FBI looking for? The address book? I’m not sure how helpful that will be and its likely to cast suspicion on innocent parties. Continue reading Purpose unclear. Why are the FBI *really* trying to subvert encryption?

Canada’s counter terrorism strategy

https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/trrrst-thrt-cnd/index-eng.aspx

Here in Kanukistaniland, Vic Toews (remember him? Check back to February of last year to see an example of him being idiotic in his role as Minister of Pubic Safety) has published a “2013 Public Report on the Terrorist Threat to Canada”

You can read it at the above URL.
I ask you, would you buy a used Huawei router from someone who looks like that?

The map/infographic has, you will note, a large number of grey areas. There is no legend referring to that colour. Are we to take it that grey means ‘zero’? In which case having Indonesia grey is very interesting. Of course China is grey, the authorities will not permit any terrorist activity since that would mean people are acting out grievances against the state. As opposed to, say, foreign cartels that are employing under-age workers, which is against Chinese law.

Do note that in Canada terrorist activity or affiliation is an offence under the CRIMINAL code. Unlike many InfoSec-bad-things.

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime

This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no “Royal Mail” (or whatever the equivalent in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place again fraud perpetrated by mail or telegraph and telegraph
includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk “something must be done NOW” attitude.

Here in Canada we have a criminal code. It covers fraud. We don’t need new laws to deal with cybercrime because the ways our laws are written they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) its the other way round. That’s why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don’t think this is a good way of working since it piles laws upon laws.

In science we was that in astronomy before Newton. The classical “Ptolemaic” system piled epicycles upon epicycles as corrections because the underlying model based on a geocentric approach and the idea of ‘perfect spheres’ was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general
situation is no less flawed in approach.

Fraud is fraud is fraud. It doesn’t matter if its perpetrated by a hustler in person as in the scenes in “Paper Moon“, by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don’t need new laws; we just need a better understanding of how criminals use technology. We perhaps we security droids don’t, perhaps the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that’s not what detailed, reductionist legislation is going to achieve, is it?

Guarding your business against cybercrime (premierlinedirect.co.uk)
Interpol Promises New Center to Fight the E-Mob (spectrum.ieee.org)
Russian Cybercrime pays! (toinformistoinfluence.com)
Cybercrime ‘cannot be stopped entirely’ (premierlinedirect.co.uk)
Former National Cyber Czar Creates Cybercrime TV (prweb.com)
There’s no business like Cybercrime business! (blog.bt.com)
Impact of cybercrime underestimated as most crimes go unreported|Network security (c24.co.uk)
European Commission wants a cybercrime centre (h-online.com)
Everything you thought you knew about cybercrims is WRONG (go.theregister.com)
FBI finds scammers impersonating the FBI now one of worst online threats (theneteconomy.wordpress.com)
Educate Customers on Mass Marketing Fraud (ibaeducationblog.com)
Cybercriminals offer bogus fraud insurance services (zdnet.com)

Economic Impact: Patent trolls chase app developers out of the U.S

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments. Continue reading Economic Impact: Patent trolls chase app developers out of the U.S

Sony backs U.S. ineffective cybersecurity legislation

Image via Wikipedia

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.

To people like us, IT Audit and InfoSec types, ‘control‘ come in 3 forms

preventative
detective
compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Sony backs U.S. cybersecurity legislation (canada.com)
DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
Obama to Introduce Cybersecurity Proposal (circleid.com)
White House to unveil cybersecurity proposal (theglobeandmail.com)
What do we need to do to reach “cybersecurity awareness”? (nakedsecurity.sophos.com)
White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)

On the one hand …

On the one hand there this:

http://www.theregister.co.uk/2008/06/10/new_york_isp_crackdown/

and on the other, when it comes down to practice, there’s this

http://www.theregister.co.uk/2008/02/20/australian_adult_content_filter_failure/

Now please don’t think I support p0rn.
But surely …

One of the principles of good home economics is to pay down your most expensive (usually credit card) debts first. Surely there’s an analogue here about applying censorial leverage where its most effective.

Sadly, the media, and hence the government and also the “do something about it now” pressure groups, are very good at making use of broad, overly inclusive labelling. It saves having to deal with fine issues, use discernment and judgement and making people actually stop and think about things rather than have an emotional reaction.

So where does pornography begin and end? Continue reading On the one hand …

The FBI risk equation

It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:

risk = threat x vulnerability x consequence

rather than solely focusing on threat vectors and actors.

To be honest, I sometimes wonder why people obsess about threat vectors in the first place. There seems to be a beleive that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.

Look at it this way: what do you have control over?

Why do you think that people like auditors refer to the protective and detective mechanisms as “controls”?

Yes, if you’re a 600,000 lb gorilla like Microsoft you can take down one – insignificant – botnet, but the rest of us don’t have control over the threat vectors and threat actors.

What do we have control over?

Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the the “vulnerability surface” such as partitioning our networks, restricting access, not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net, why isn’t it behind the web server, which in turn is behind a firewall).

Asset to a large extent. Document them. Identify who should be using them and implement IAM.

And very import: we have control over RESPONSE.

Did the FBI equation mention response? I suppose you could say that ‘awareness’ is a part of a response package. Personally I think that response is a very, very important part of this equation, and its the one you have MOST control over.

And response is – or should be – totally independent of the threats
since it focuses on preserving and recovering the assets.

I think they have it very, very confused and this isn’t the most productive, most effective way of going about it. But then the FBI’s view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.

But lest face it, most corporations and are not in the business of policing. neither are home users.

Which is why I focus on the issue of “what you have control over”.

School Spy Program Used on Students Contains Hacker-Friendly Security Hole (wired.com)
The Top 10 Reports For Managing Vulnerabilities (lockergnome.com)
FBI searching for ‘Flavor Flav Bandit’ (seattlepi.com)
Why Security Vendors are loosing (tech.bl0x.info)
Editorial: Flawed F.B.I. Background Checks (nytimes.com)
FBI details surge in death threats against lawmakers (americablog.com)

The wedge gets thicker

http://news.cnet.com/8301-1009_3-10405824-83.html
http://news.zdnet.co.uk/communications/0,1000000085,39909136,00.htm
http://community.zdnet.co.uk/blog/0,1000000567,10014530o-2000331761b,00.htm

The thin edge of the wedge was when pubs were fined or letting patrons get drunk, drunk enough that they shouldn’t drive.

Now that wedge is being driven further.
Continue reading The wedge gets thicker

Speil Chequers

Yesterday, my friend and collegue, Rob Slade, noted that …

Idly leafing through yet another IT executive rag (preparatory to recycling it),
and noticed an article on privacy by the head of a data destruction company. He
was talking about the problem of “data reminisce.”

Well, it may not have been the author at fault.
We’ve criticized journalists for lacking knowledge of various technical professions and so mangling and misinterpreting reports, but what about typesetters? And editors?
Continue reading Speil Chequers

Judges Punish Wall Street as Regulators Just Talk About Reform

http://www.bloomberg.com/apps/news?pid=20601109&sid=a5wZ95KdSuJQ

This is something we should *ALL* be aware off, not least those that think legal and world economic stuff is off topic.

We all have to face standards; or the most part those are dictated by industry groups and we can, if we choose, partake of those.
I’ve been involved in technical standards groups in the past[1].

We have also, recently, had to face a lot of ‘regulations’, that is requirements with legal backing. Its easy to say that those are all very regional, which is why they don’t (any longer) appear in the CBK.

Personally I think this is a weak argument. SOX may only have been ‘legal’ in the USA, but many companies in other countries trade in or have offices in the USA and need to be aware of US laws and regulations.
In addition, SOX has been the model for regulations in other countries (and some of those have corrected deficiencies[2]).

Never the less the legal principle that is addressed in this article hold for many countries: while the politicians dither the people who have to deal with the details and actualities of making the legal system happen are getting on with it.

Free from the pressures of lobbyists, judges typically refrain from showing emotion or expressing opinions during court proceedings to appear impartial. During sentencings in criminal cases, they sometimes let their hair down about their feelings about the damage Wall Street firms or their executives did.

However, I don’t know it its the journalist or the judges that are being facetious:

In sentencing imprisoned con man Bernard Madoff June 29 to the maximum penalty of 150 years in prison, U.S. District Judge Denny Chin described Madoff’s crimes as “extraordinarily evil.”

What?
“Evil” compared to what? Continue reading Judges Punish Wall Street as Regulators Just Talk About Reform

Online Cyberlaw programs

People occasionally ask about InfoSec courses that cover law and cyberlaw and about schools that offer cyberlaw programs.

I’m curious about this whole thing for a slightly tangential reason.

On the one hand there’s the idea of Cyberlaw as part of a general law school curriculum.

On the other, there’s cyberlaw for InfoSec people and managers and executives.

The former will already have covered issues like criminal law, contract law, rules of evidence an so forth. Would all that be necessary for the latter group?

An in general, we do have a domain of the CISSP CBK that covers ‘law an ethics’, but I get the impression that in the effort to “internationalize” it has been gutted; the rationale being that many laws are so regional that the exam can’t address them without being very biased.

Well, I disagree. For a number of reasons.

First, there is a lot of law that is about principles.
I think its important to cover basics like CONTRACTS and LIABILITY, which I have seen one in a way that covers the variety of the western European legal codes.

Second, there is a fair bit of international or internationally recognised law. How else could trade and commerce go on? In addition there are many laws that are being applied or recognized cross-border in
one way or another, especially in the areas of cyber-related crimes such as fraud and extortion. Some of these may only be the basis for extradition, but they are examples of what happens in practice.

Finally the study of law in other jurisdictions is valuable as is the study of history; it gives us examples of the goo and the bad, how they were applied and what their successes, pitfalls and limits were.

This is more relevant that it seems at first. The impact of Sarbines-Oxley (SOX) applies to many of us outside the USA because we deal with companies in our own nation that have offices registered and trading inside the USA. On top of that, SOX has been the basis for – often better thought out – similar legislation in other countries. The same reasoning applies to things like the DMCA, CAN-SPAM and the like.

I ought to mention things like PCI as well, even though they are not “laws” in the same sense. PCI *IS* international, just as other banking standards that those of us who deal with finance InfoSec have to deal
with – BASEL, FFIEC and others.

Purely as a side issue, I think all of us need to know about matters like employment law, many of us are ‘consultants’ and need to know about contract law. Many of us are in situations where InfoSec deals with HR and that justifies knowing about employment law. We my also need to know about matters such as copyright and non-disclosure, and what contracts can and cannot bin one to.

Speaking as a “consultant”, I’d add that I’m very glad of my grounding as part of the management electives of my undergraduate degree in engineering that covered contract law. Many of the contracts I have been offered by small firms where they were drawn up by the owner (often an ‘entrepreneur’ with no business or legal background and often without guidance of a lawyer or even a CMA/accountant) were inequitable, unreasonable and full of ‘traps’ because of poor wording.

I think an understanding of the basics of criminal law, contract law and law pertaining to international trade are essential to members of our profession, regardless of their role. The CBK and exam may avoid them but as individuals we should each recognise the relevance of these and other legal and quasi-legal ‘standards’ and make them part of our ongoing education.

‘Fakeproof’ e-passport

The fingerprint created by that friction ridge...

My collegue Sami O. Koskinen said “I always felt like the new biometric passport is just a show” and I have to agree with him. He also has reservations about the idea of building a national fingerprint database covering all citizen, and I would think visitors to a country. He points out that the justification for this in his home country of Finland is that fingerprints are already taken for ID and passports.

The normal justification for such a policy, which seems to exceed those of even the most represive times at Stalinist Russia, is that it would ease solving crimes and help in crime prevention.

Well, for a start, I see from discussions in other forums that many people in IT and security don’t understand the difference between preventive and detective controls, or even that detective controls are part of an effective security profile, so why should tech-ignorant (and proud of it) politicians see that point.

Fingerprinting is a baseline detective method in law enforcement, at least with serious crimes of violence. But then again, this has been well publicized and is only really of use in impulsive crimes where the perpetrator has not had the time or foresight to wear gloves.

A few years ago I went through a stage of reading a lot of detective novels. Lets face it, these are ‘entertainment’, not true crime’. As such, twisted plots are common. Never the less, there are no shortage of plots whereby fingerprint and DNA evidence is spoofed and subverted. There are no laws or controls that prevent criminals or potential criminals from reading these books, and nothing what so ever to stop them from coming up with even more creative and ingenious methods.

We’ve had references here to Schneier‘s “security as a state of mind” and how we security professionals have “twisted minds”. That “twisted minds” designation has historically been applied to ingenious and inventive criminals.
According to my database of quotes, John Tandervold said:

“Each new law makes only a single guarantee. It will create new
criminals.”

A similar thing can be said about security controls in general. Each will have have people who will find ways to bypass or subvert it.

August 2018
M	T	W	T	F	S	S
« Nov
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Related articles

Related articles

What do we have control over?

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta