Tuesday, March 05, 2013

Interesting that there is not a “Best Practices” website to guide you through this process. Think there would be a market for such a beast?
What to Do After You’ve Been Hacked
Evernote became the latest member of the “we’ve been hacked” club. And the thing is, what was once a pretty exclusive club now lets just about everyone in these days. I’m a member too. And as I discovered when I was hacked last year, my experience was distressingly commonplace. And yet while being hacked may be increasingly familiar, it isn’t getting any less stressful or confusing. It’s hard to know what to do, or where to begin, immediately afterward.
Whether you were hacked, phished, had malware installed or just don’t know what the heck happened but there’s somebody all up in your e-mail, here are a few good first steps to take following an incident. This is by no means comprehensive, but it’s a good start.


Yesterday, a court said the exact opposite (of course, lawyers would claim that it wasn't “exact” and for $450 per hour they would be happy to spend a few days telling you why that should be obvious.)
Two opinions issued by courts today:
In United States v. Wahchumwah, the Ninth Circuit Court of Appeals affirmed a lower court ruling that an undercover agent’s warrantless use of a concealed audio-video device in a home into which he has been invited by a suspect does not violate the Fourth Amendment. EFF had filed an amicus brief in that case that did not persuade the panel:
Finally, we reject amicus Electronic Frontier Foundation’s contention that the audio-video recording here was similar to the prolonged visual surveillance in United States v. Jones, 132 S. Ct. 945 (2012). The Jones Court rested its holding on the government’s physical trespass on Jones’s property, rather than the government’s prolonged surveillance.2 Id. at 949. Moreover, the GPS device in Jones enabled constant surveillance of a vehicle over a period of twenty-eight days, id. at 948, whereas the recording by Agent Romero lasted for only a few hours and for no longer than Romero remained an invited guest in Wahchumwah’s home.
In a footnote, they add:
Although amicus Electronic Frontier Foundation argues that Wahchumwah can show a Fourth Amendment violation under the trespass theory articulated in Jones, Wahchumwah did not raise this argument in the briefs he filed with our court. Generally, arguments not raised in a
party’s opening brief are deemed waived, Smith v. Marsh, 194 F.3d 1045, 1052 (9th Cir. 1999), and the court will not consider arguments raised only in amicus briefs. See Chaker v. Crogan, 428 F.3d 1215, 1220 (9th Cir. 2005). Because Wahchumwah has not argued that a Fourth Amendment violation under the trespass theory articulated in Jones occurred in this case, that issue is not properly before us, and we express no opinion concerning it.
Meanwhile, over in the 10th Circuit, in United States v. Barajas, the court affirmed a lower court ruling admitting evidence from GPS pinging obtained under a warrant, even though the affidavit supporting the probable cause warrant neither asked for, nor directly addressed any request for GPS pinging. It appears to be another one of those cases where the good-faith exception enables the court to avoid deciding whether evidence should be suppressed.
I’m not sure I really follow all of their reasoning, but I found this part of the opinion interesting:
Mr. Barajas suggests the agents knew or should have known the order was invalid because they knew (1) that GPS data is not typically intercepted pursuant to a wiretap order; and (2) that the affidavit did not request GPS data. Aplt. Br. 30; Aplt. R. Br. 30. We disagree.
First, we have no reason to believe the government cannot obtain GPS data through a wiretap order. Assuming pinging is a search, the burden to obtain GPS data would be no greater than a wiretap—probable cause. But even if Mr. Barajas is correct, he cannot show the agents were on notice of this fact because the law on electronic surveillance is very much unsettled. See In re Application of U.S. for an Order Directing a Provider of Electronic Commc’n Serv. to Disclose Records to the Gov’t, 620 F.3d 304, 310 n.6, 311 (3d Cir. 2010) (noting the debate among courts on the procedure for electronic surveillance and taking “no position whether a request for GPS data is appropriate under a § 2703(d) order”); see also Henderson, 595 F.3d at 1202 (officers acted in good-faith when relying on an affidavit based on a standardized form the court later determined did not establish probable cause); United States v. Rowland, 145 F.3d 1194, 1207 (10th Cir. 1998) (applying the good-faith exception to an anticipatory warrant when the law was unsettled). The agents’ knowledge of the gap between the affidavit and the order gives us more pause, but we cannot say this gap was intentional.
Yet another reason for Congress to resolve some of these controversial questions.


How to “Big Brother” a Guide for those who speak Gobbledygook...
Department of Homeland Security, Privacy Office
2012 Data Mining Report to Congress February 2013
You can access the report here (pdf).
If it were on Amazon, I can just imagine the review: “Chock-full of government-speak, this report is a must-read for acronym lovers everywhere!”
And not for nothing, but yesterday, during the Location Tracking and Biometrics conference, Judge Kozinski asked what prevents the government from purchasing commercial databases that companies like Experian sell access to. The answer is “nothing.” Read the DHS report section on Analytical Framework for Intelligence (AFI), which begins on p. 17 of the report.

(Related) Unfortunately, DHS has to counter clear, unambiguous language...
March 04, 2013
EPIC Prevails in Social Media Monitoring FOIA Suit
"EPIC has obtained a court order and an opinion in a Freedom of Information Act lawsuit against the Department of Homeland Security, requiring the agency to turn over more documents about the monitoring of social media and Internet media organizations. EPIC had previously obtained several hundred pages of documents, revealing that the agency monitors the internet for reports that “reflect adversely” on the agency or the federal government. EPIC also obtained a list of very broad search terms used by the agency to monitor social media. As a result of EPIC’s findings, Congress held a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." For more information see: EPIC: EPIC v. Department of Homeland Security: Media Monitoring."


The Italian courts appear a bit more functional than the government...
Peter Fleischer, understandably basking in a post-acquittal glow, writes:
Just before Christmas, an Italian Appeals Court over-turned the convictions of three Googlers, including myself, for allegedly violating Italian privacy law. Now, after roughly 2 months, the Court has issued its written opinion to explain its decision. The Court’s opinion is a lucid and ringing endorsement of the principles Google and I have been defending since the beginning of this prosecution 6 years ago:
  • Intermediary Liability: The Court held that Internet platforms, like Google Video or YouTube, are not responsible for user-uploaded content, absent notice of inappropriate content. These platforms also cannot—and should not—be required to pre-screen content that is uploaded to them. Any efforts to pre-screen content would raise serious risks to users’ freedom of expression. In the Court’s own words: “Imposing a duty on or granting the power to, an internet provider to carry out prior screening seems to be a step that is to be afforded particularly careful consideration, given that it is not entirely free of risk due to the possibility of a conflict arising with the principles of freedom of expression of thought”.
  • Privacy: The Court held that people who film and upload videos are responsible for compliance with data privacy laws. Internet platforms cannot possibly obtain the consent of people appearing in user-uploaded videos. In the words of the Court: ”it is patently clear that any assessment of the purpose of an image contained in a video, capable of ascertaining whether or not a piece of data is sensitive, implies a semantic, variable judgement which can certainly not be delegated to an IT process“. [Would a summary of laws that impact uploaded video or images be a worthy Law School student paper? Bob]
  • Criminal Responsibility: The Court recognized the basic legal principle that employees like me could not have the required criminal intent to violate data privacy laws when they had nothing to do with, and weren’t even aware of, the alleged criminal data privacy violation.
Read more on his blog.
Mark Eckenwiler points us to the opinion (in Italian): ttp://www.leggioggi.it/wp-content/uploads/2013/02/sentenza-google.pdf


For my Ethical Hackers and Computer Security students.
March 04, 2013
EFF Surveillance Self Defense - Secure Deletion
"Secure deletion involves the use of special software to ensure that when you delete a file, there really is no way to get it back again. When you "delete" a file — for instance, by putting the file in your computer's trash folder and emptying the trash — you may think you've deleted that file. But you really haven't. Instead, the computer has just made the file invisible to the user, and marked the part of the disk drive that it is stored on as "empty," meaning that it can be overwritten with new data. But it may be weeks, months, or even years before that data is overwritten, and the computer forensics experts can often even retrieve data that has been overwritten by newer files. Indeed, computers normally don't "delete" data; they just allow it to be overwritten over time, and overwritten again. The best way to keep those "deleted" files hidden, then, is to make sure they get overwritten immediately. Your operating system probably already includes software that can do this for you, and overwrite all of the "empty" space on your disk with gibberish (optionally multiple times), and thereby protect the confidentiality of deleted data. Examples include GNU Shred (Linux), Secure Delete (Mac OS X), and cipher.exe (Windows XP Pro and later)."


Tools & Tips for researchers?
March 03, 2013
Article - Twitter as a reporting tool for breaking news
"This study focuses on journalists Paul Lewis (The Guardian) and Ravi Somaiya (The New York Times), the most frequently mentioned national and international journalists on Twitter during the 2011 UK summer riots. Both actively tweeted throughout the four-day riot period and this article highlights how they used Twitter as a reporting tool. It discusses a series of Twitter conventions in detail, including the use of links, the taking and sharing of images, the sharing of mainstream media content and the use of hashtags. The article offers an in-depth overview of methods for studying Twitter, reflecting critically on commonly used data collection strategies, offering possible alternatives as well as highlighting the possibilities for combining different methodological approaches. Finally, the article makes a series of suggestions for further research into the use of Twitter by professional journalists."


For my students
March 04, 2013
OATs: Open Access Textbooks
OATs: Open Access Textbooks: "The OATs Libguide provides access to descriptions and links to known initiatives and organizations that support the development and promotion of Open Access textbooks, and to OA and low-cost e-books and textbook catalogs and databases." [Gerry McKiernan]


I wonder if my Vets would be interested?
Armchair Generals Wanted: Army Outsources Criticism of New Defense Strategy
Ever felt like you could fix U.S. national security strategy, if only the military would listen to you? The Army is ready to listen. Especially if your arguments mean a bigger role for the Army.
This is a tough time for the Army. Its reward for fighting in Iraq and Afghanistan for 12 years is to have its soldiers downsized and its budget slashed. Worse, from the ground forces’ perspective, its future relevance is in question: The defense strategy that the Obama administration unveiled in 2012 is big on robots, commandos, and air and sea power in places like Asia. Ponderous ground warfare is out.
What’s a ground warfare organization to do? If you’re the Army, commission a study on why the strategy is a looming disaster.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)