Interesting that there is not a “Best
Practices” website to guide you through this process. Think there
would be a market for such a beast?
What
to Do After You’ve Been Hacked
Evernote became
the latest member of the “we’ve been hacked” club. And the
thing is, what was once a pretty exclusive club now lets just about
everyone in these days. I’m
a member too. And as I discovered when I was hacked last year,
my experience was distressingly commonplace. And yet while being
hacked may be increasingly familiar, it isn’t getting any less
stressful or confusing. It’s hard to know what to do, or where to
begin, immediately afterward.
Whether you were hacked, phished, had
malware installed or just don’t know what the heck happened but
there’s somebody all up in your e-mail, here are a few good first
steps to take following an incident. This is by no
means comprehensive, but it’s a good start.
Yesterday, a court said the exact
opposite (of course, lawyers would claim that it wasn't “exact”
and for $450 per hour they would be happy to spend a few days telling
you why that should be obvious.)
Two opinions issued by courts today:
In United States v. Wahchumwah,
the Ninth Circuit Court of Appeals affirmed
a lower court ruling that an undercover agent’s warrantless use of
a concealed audio-video device in a home into which he has been
invited by a suspect does not violate the Fourth Amendment. EFF had
filed an amicus brief in that case that did not persuade the panel:
Finally, we reject
amicus Electronic Frontier Foundation’s contention that the
audio-video recording here was similar to the prolonged visual
surveillance in United States v. Jones, 132 S. Ct. 945
(2012). The Jones Court rested its holding on the government’s
physical trespass on Jones’s property, rather than the government’s
prolonged surveillance. Id. at 949. Moreover, the GPS
device in Jones enabled constant surveillance of a vehicle
over a period of twenty-eight days, id. at 948, whereas the recording
by Agent Romero lasted for only a few hours and for no longer than
Romero remained an invited guest in Wahchumwah’s home.
In a footnote, they add:
Although amicus
Electronic Frontier Foundation argues that Wahchumwah can show a
Fourth Amendment violation under the trespass theory articulated in
Jones, Wahchumwah did not raise this argument in the briefs he filed
with our court. Generally, arguments not raised in a
party’s opening brief are deemed waived, Smith v. Marsh, 194 F.3d 1045, 1052 (9th Cir. 1999), and the court will not consider arguments raised only in amicus briefs. See Chaker v. Crogan, 428 F.3d 1215, 1220 (9th Cir. 2005). Because Wahchumwah has not argued that a Fourth Amendment violation under the trespass theory articulated in Jones occurred in this case, that issue is not properly before us, and we express no opinion concerning it.
Meanwhile, over in the 10th Circuit, in
United States v. Barajas, the court affirmed
a lower court ruling admitting evidence from GPS pinging obtained
under a warrant, even though the affidavit supporting the probable
cause warrant neither asked for, nor directly addressed any request
for GPS pinging. It appears to be another one of those cases where
the good-faith exception enables the court to avoid deciding whether
evidence should be suppressed.
I’m not sure I really follow all of
their reasoning, but I found this part of the opinion interesting:
Mr. Barajas
suggests the agents knew or should have known the order was invalid
because they knew (1) that GPS data is not typically intercepted
pursuant to a wiretap order; and (2) that the affidavit did not
request GPS data. Aplt. Br. 30; Aplt. R. Br. 30. We disagree.
First, we
have no reason to believe the government cannot obtain GPS data
through a wiretap order. Assuming pinging is a search,
the burden to obtain GPS data would be no greater than a
wiretap—probable cause. But even if Mr. Barajas is correct, he
cannot show the agents were on notice of this fact because the law on
electronic surveillance is very much unsettled. See In re
Application of U.S. for an Order Directing a Provider of Electronic
Commc’n Serv. to Disclose Records to the Gov’t, 620 F.3d
304, 310 n.6, 311 (3d Cir. 2010) (noting the debate among courts on
the procedure for electronic surveillance and taking “no position
whether a request for GPS data is appropriate under a § 2703(d)
order”); see also Henderson, 595 F.3d at 1202 (officers
acted in good-faith when relying on an affidavit based on a
standardized form the court later determined did not establish
probable cause); United States v. Rowland, 145 F.3d 1194,
1207 (10th Cir. 1998) (applying the good-faith exception to an
anticipatory warrant when the law was unsettled). The agents’
knowledge of the gap between the affidavit and the order gives us
more pause, but we cannot say this gap was intentional.
Yet another reason for
Congress to resolve some of these controversial questions.
How to “Big Brother” a Guide for
those who speak Gobbledygook...
Department of Homeland Security,
Privacy Office
2012 Data Mining Report to Congress
February 2013
You can access the report here
(pdf).
If it were on Amazon, I can just
imagine the review: “Chock-full of government-speak, this report is
a must-read for acronym lovers everywhere!”
And not for nothing, but yesterday,
during the Location Tracking and Biometrics conference, Judge
Kozinski asked what prevents the government from purchasing
commercial databases that companies like Experian sell access to. The
answer is “nothing.” Read the DHS report section on Analytical
Framework for Intelligence (AFI), which begins on p. 17 of the
report.
(Related) Unfortunately, DHS has to
counter clear, unambiguous language...
March 04, 2013
EPIC
Prevails in Social Media Monitoring FOIA Suit
"EPIC has obtained a court order
and an opinion
in a Freedom of Information Act lawsuit
against the Department of Homeland Security, requiring the agency to
turn over more documents about the monitoring of social media and
Internet media organizations. EPIC had previously obtained several
hundred pages of documents, revealing that the agency monitors
the internet for reports that “reflect adversely” on the agency
or the federal government. EPIC also obtained a list of very broad
search terms used by the agency to monitor social media. As a result
of EPIC’s findings, Congress held a hearing on "DHS
Monitoring of Social Networking and Media: Enhancing Intelligence
Gathering and Ensuring Privacy." For more information see:
EPIC:
EPIC v. Department of Homeland Security: Media Monitoring."
The Italian courts appear a bit more
functional than the government...
Peter Fleischer, understandably basking
in a post-acquittal glow, writes:
Just before Christmas, an Italian
Appeals Court over-turned
the convictions of three Googlers, including myself, for
allegedly violating Italian privacy law. Now, after roughly 2
months, the Court has issued its written opinion to explain its
decision. The Court’s opinion is a lucid and ringing endorsement
of the principles
Google and I have been defending since the beginning of this
prosecution 6 years ago:
- Intermediary Liability: The Court held that Internet platforms, like Google Video or YouTube, are not responsible for user-uploaded content, absent notice of inappropriate content. These platforms also cannot—and should not—be required to pre-screen content that is uploaded to them. Any efforts to pre-screen content would raise serious risks to users’ freedom of expression. In the Court’s own words: “Imposing a duty on or granting the power to, an internet provider to carry out prior screening seems to be a step that is to be afforded particularly careful consideration, given that it is not entirely free of risk due to the possibility of a conflict arising with the principles of freedom of expression of thought”.
- Privacy: The Court held that people who film and upload videos are responsible for compliance with data privacy laws. Internet platforms cannot possibly obtain the consent of people appearing in user-uploaded videos. In the words of the Court: “it is patently clear that any assessment of the purpose of an image contained in a video, capable of ascertaining whether or not a piece of data is sensitive, implies a semantic, variable judgement which can certainly not be delegated to an IT process”. [Would a summary of laws that impact uploaded video or images be a worthy Law School student paper? Bob]
- Criminal Responsibility: The Court recognized the basic legal principle that employees like me could not have the required criminal intent to violate data privacy laws when they had nothing to do with, and weren’t even aware of, the alleged criminal data privacy violation.
Read more on his blog.
Mark Eckenwiler points us to the
opinion (in Italian):
http://www.leggioggi.it/wp-content/uploads/2013/02/sentenza-google.pdf
For my Ethical Hackers and Computer
Security students.
March 04, 2013
EFF
Surveillance Self Defense - Secure Deletion
"Secure deletion involves the use
of special software to ensure that when you delete a file, there
really is no way to get it back again. When you "delete" a
file — for instance, by putting the file in your computer's trash
folder and emptying the trash — you may think you've deleted that
file. But you really haven't. Instead, the computer has just made
the file invisible to the user, and marked the part of the disk drive
that it is stored on as "empty," meaning that it can be
overwritten with new data. But it may be weeks, months, or even
years before that data is overwritten, and the computer forensics
experts can often even retrieve data that has been overwritten by
newer files. Indeed, computers normally don't "delete"
data; they just allow it to be overwritten over time, and overwritten
again. The best way to keep those "deleted"
files hidden, then, is to make sure they get overwritten immediately.
Your operating system probably already includes software that can do
this for you, and overwrite all of the "empty" space on
your disk with gibberish (optionally multiple times), and thereby
protect the confidentiality of deleted data. Examples include GNU
Shred (Linux), Secure Delete (Mac OS X), and cipher.exe (Windows XP
Pro and later)."
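An added example for the students, not part of the EFF guide quoted above: a shred-style routine in Python that shows what the tools EFF names actually do at the file level. GNU shred's default is three passes of random data, with a final zero pass and the rename-before-unlink step available as options; cipher.exe /w, by contrast, wipes a volume's free space rather than a named file. The function names (`wipe_contents`, `secure_delete`, `demo`) and the sample file are my own constructions. The caveat that matters in practice, and that the shred manual itself states: overwriting in place only works on filesystems that write blocks in place. On SSDs (wear levelling), copy-on-write filesystems (btrfs, ZFS, APFS), journaled or snapshotted volumes and cloud-synced folders, the old blocks can survive, and full-disk encryption with key destruction is the reliable control.

```python
"""
Added example (not the EFF text's own code): overwrite a file in place
before unlinking it, in the style of GNU shred.

Assumption: the filesystem rewrites blocks in place. On SSDs and
copy-on-write or snapshotted filesystems this gives no guarantee.
"""
import os
import secrets
import tempfile
from typing import Optional

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files never load into memory


def _write_all(fd: int, buf: bytes) -> None:
    """os.write may write fewer bytes than asked; loop until done."""
    while buf:
        written = os.write(fd, buf)
        buf = buf[written:]


def _overwrite_pass(fd: int, size: int, pattern: Optional[bytes]) -> None:
    """One full overwrite of the file's current extent.

    pattern=None writes fresh random bytes per chunk (shred's default);
    otherwise the given single byte is repeated. fsync pushes the pass
    to the device before the next one starts.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        _write_all(fd, secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    os.fsync(fd)


def wipe_contents(path: str, passes: int = 3, zero: bool = True) -> int:
    """Overwrite `path` in place `passes` times with random data, then
    optionally once with zeros. Returns the number of bytes wiped."""
    if os.path.islink(path):
        # Never follow symlinks: shredding the target of a link that
        # someone else controls is a classic footgun.
        raise ValueError("refusing to shred symlink: %s" % path)
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: keep the existing blocks
    try:
        for _ in range(passes):
            _overwrite_pass(fd, size, None)
        if zero:
            _overwrite_pass(fd, size, b"\x00")
    finally:
        os.close(fd)
    return size


def secure_delete(path: str, passes: int = 3, zero: bool = True) -> dict:
    """Wipe the contents, then scrub the directory entry: rename to a
    random name of the same length (like shred --remove=wipe) and unlink."""
    size = wipe_contents(path, passes, zero)
    directory = os.path.dirname(path) or "."
    name_len = max(1, len(os.path.basename(path)))
    scrubbed = os.path.join(directory, secrets.token_hex(name_len)[:name_len])
    os.rename(path, scrubbed)
    os.unlink(scrubbed)
    return {"bytes": size, "passes": passes + (1 if zero else 0), "final_name": scrubbed}


def demo() -> dict:
    """Constructed sample: write a file carrying a known marker, wipe it,
    check the marker is gone, then delete it. Returns the observations."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.txt")
    marker = b"SECRET-DATA-"
    with open(path, "wb") as f:
        f.write(marker * 1000)
    wiped = wipe_contents(path, passes=2, zero=True)
    with open(path, "rb") as f:
        after = f.read()
    record = secure_delete(path, passes=1, zero=False)
    gone = not (os.path.exists(path) or os.path.exists(record["final_name"]))
    os.rmdir(tmpdir)
    return {
        "bytes_wiped": wiped,
        "marker_survived": marker in after,
        "all_zero": after == b"\x00" * wiped,
        "gone": gone,
        "passes_on_delete": record["passes"],
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a scratch file only; the routine destroys whatever it is pointed at. The symlink refusal is there because a wipe tool running with elevated rights is exactly the kind of thing an attacker redirects at a file you did not mean to destroy.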
Tools & Tips for researchers?
March 03, 2013
Article
- Twitter as a reporting tool for breaking news
"This study
focuses on journalists Paul Lewis (The Guardian) and Ravi Somaiya
(The New York Times), the most frequently mentioned national and
international journalists on Twitter during the 2011 UK summer riots.
Both actively tweeted throughout the four-day riot period and this
article highlights how they used Twitter as a reporting tool. It
discusses a series of Twitter conventions in detail, including the
use of links, the taking and sharing of images, the sharing of
mainstream media content and the use of hashtags. The article offers
an in-depth overview of methods for studying Twitter,
reflecting critically on commonly used data collection strategies,
offering possible alternatives as well as highlighting the
possibilities for combining different methodological approaches.
Finally, the article makes a series of suggestions for further
research into the use of Twitter by professional journalists."
For my students
March 04, 2013
OATs:
Open Access Textbooks
OATs:
Open Access Textbooks: "The OATs Libguide provides access to
descriptions and links to known initiatives and organizations
that support the development and promotion of Open
Access textbooks, and to OA and low-cost e-books and
textbook catalogs and databases." [Gerry McKiernan]
I wonder if my Vets would be
interested?
Armchair
Generals Wanted: Army Outsources Criticism of New Defense Strategy
Ever felt like you could fix U.S.
national security strategy, if only the military would listen to you?
The Army is ready to listen. Especially if your arguments mean a
bigger role for the Army.
This is a tough time for the Army. Its
reward for fighting in Iraq and Afghanistan for 12 years is to have
its soldiers
downsized and its budget
slashed. Worse, from the ground forces’ perspective, its
future relevance is in question: The defense strategy that the Obama
administration unveiled
in 2012 is big on robots, commandos, and air
and sea power in places like Asia. Ponderous ground warfare is
out.
What’s a ground warfare organization
to do? If you’re the Army, commission a study on why the strategy
is a looming disaster.