Common sense advice for parents of networked kids
Just lately I’ve discovered Common Sense Media and am quite impressed with their tools and advice for parents that are soundly based on, well, common sense. Anyone who has read earlier posts on this blog like this one or this one knows that I’m really big on the idea that security begins with don’t be an idiot. So I was quite pleased when Common Sense had this featured article by Liz Perle in the Common Sense Newsletter entitled Rules of the Road for Parents in a Digital Age. She had me at the first line: “Even if you’re clueless, you’re still your kid’s teacher”.
Common Sense Rules of the Road for Parents
- Model good behavior. If we’re on our Blackberries or iPhones at dinner, why will our kids listen to us when we tell them to turn theirs off?
- Pay attention. We have to know where our kids are going online – and what they’re doing there.
- Impart our values. Cheating, lying, being cruel – they’re all non-starters. Right and wrong extends to online and mobile life.
- Establish limits. Phone time, video download time, destinations. There’s really a right time and place for everything.
- Encourage balance. Get kids involved in offline activities – especially where there’s no cell service.
- Make kids accountable. If they have a privilege, make sure they earn it.
- Explain what’s at stake. Let kids know that what they do today can be abused by someone tomorrow.
- Find ways to say “yes.” That means we have to do some homework and know the sites they visit, the songs they download, etc. – and find ways to use technology that lets us say “yes” more often than we say “no.”
- It’s not rocket science. Learn to text, send a mobile photo, set up a Facebook page, upload a video. Or have your kids show you how. It’s impossible to guide what you don’t understand. Not only that, but think of all the anxiety you can avoid by knowing how things work.
- Lighten up, embrace their world, and enjoy the possibilities together. None of us want digital divides in our relationships with our kids. It’s up to us to join the fun and help them seize the potential.
Some great stuff here. I think the main point (well at least the point I’d like to make) is that for a parent being clueless is normal, but staying clueless is not an option. And I’d also like to draw particular attention to #5 (Encourage balance). This is where kids – and parents – discover the actual purpose and utility of the online world. Yeah, that’s right – it’s way too easy to get caught up in the fiction of “socializing” online with people we’ve never met when in fact most of those people are not at all who they pretend to be. And some aren’t even people. The point? Social media is a powerful tool to collaborate and stay connected to real people you actually know, but to just be a poser interacting with other posers never accomplishing anything tangible in the real world is not only pointless, but boring. How do I know this? My son Nicholas is an avid gamer and web designer. So he has spent a good deal of time online since he was fairly young. Several years ago we (Nicholas and I) started volunteering for the FIRST Robotics challenge. In the real world. He now helps mentor and judge the web sites for the teams as well as doing crowd control and other jobs at the actual event. This requires collaboration and communication with other volunteers, the teams and challenge coordinators. Nicholas – and I – now have practical experience collaborating via social media with other folks who are involved in doing something that is very real, very tangible and wicked cool. Needless to say neither of us is interested in wasting time gossiping with posers when we can connect with interesting folks doing amazing stuff. Real stuff.
So if you are a parent, think about these 10 rules. It really all comes down to this: If your kids see you not being an idiot and doing cool stuff that’s what they will pay attention to. And everybody will get a clue in the process.
Once I was a caregiver and didn’t even know it.

Apparently there are some folks out there in the great state of Colorado confusing the roles of caregiver and dope dealer. Or would like to. Or would like us to. Attempts to clarify the issue by the Colorado State Board of Health and Environment have succeeded only in making the distinction even more hazy. According to this article by Tom McGhee in the Denver Post there is a whole lotta confusion going on.
Last summer, the Board of Health defined a list of duties that could be considered “significant responsibility for managing the well-being of a patient,” for someone to qualify as a caregiver entitled to provide marijuana. But the language made it possible to qualify even if the only thing they did was provide marijuana to a patient.
The board removed the entire definition, intending to take up the issue on Dec. 16 at a public meeting.
Colorado Department of Public Health Executive Director Jim Martin said a Colorado Court of Appeals opinion released last week forced the board to take quick action.
“I don’t believe this leaves the board any leeway,” he said of the ruling made Thursday in the case of Stacy Clendenin.
In 2006, Clendenin was charged with cultivation of marijuana in her Longmont home, which is a felony.
Clendenin argued that the marijuana she grew was distributed to authorized medical-marijuana patients through dispensaries. The court found that Clendenin needed to know the patients.
By changing the rule, the state Board of Health has given itself time to consider whether to repeal the language permanently.
But it could force dispensaries and growers to offer other care as well, said attorney Warren Edson, who represents dispensaries and growers.
While many dispensaries offer other services to those buying their marijuana, it would be impossible for growers who supply the dispensaries to offer anything but the drug, said Edson.
The rule change exposes [marijuana] growing operations to criminal prosecution, he said.
“They told us in July, you don’t have to do anything but (provide) pot,” Edson said. “We have a whole industry that has grown up that is screwed.”
It isn’t the intention of the board to throw a kink in business plans of those selling medical marijuana, said health department spokesman Mark Salley. “I think it is the Court of Appeals decision that might have changed the game. All this board did was make sure it was not in contradiction with the court.”
Yep a whole new industry that popped up like weed [snicker] going up in smoke [guffaw]. Sorry, but this subject just begs the tokin’ puns. And far be it from me to take the high road.
Still you have to wonder about those unfortunate caregivers of the past, when the government was all about Reefer Madness and disinclined to tolerate them. Even to the point of incarcerating them. Will they finally be recognized as societal assets rather than parasites? Guess we’ll just have to wait for the smoke to clear. Or not.
Party on, dudes!
The pirate you know…
Steve Ragan over at The Tech Herald reports a most curious situation in this post wherein the attempted closure of The Pirate Bay [don't worry the link is to Wikipedia, not TPB] is having some unintended side effects.
The number of new file-sharing sites hosting pirated copyrighted content skyrocketed over the last three months, according to McAfee’s Q3 Threats Report. The attempted closure of the infamous Pirate Bay site spawned clones and scams as criminals used the hype to spread Malware.
“The attempted shut down of The Pirate Bay led to an explosion of similar sites, many of which are malicious,” said Dave Marcus, director of security research and communications for McAfee Labs. “The sharing of illegal content online has not been quelled by the prosecution of The Pirate Bay founders, whose site was back online within 24 hours.”
Way to go, copyright crusaders. Not only did the attempts to shut down The Pirate Bay fail miserably, but now there are even more sites providing even more dubious services. That would be way more pirated content and way more nasty malware. And these newcomers don’t even have the amusing legal messages and responses pages [again not to worry, the link is to Hip Forums] of the original. Right about now I’m thinking that maybe you would have been better off to just stick with the pirate you know.
The entire McAfee Q3 Threats report may be found here.
Does encryption imply expectation of privacy?
Recently Chris Webster, a law student at the University of Maryland Baltimore School of Law, started this email thread which I will present here with minimal editing in hopes that some experts or interested parties among you, dear readers, can chime in. Just so everyone is clear, a disclaimer: I’m fascinated by e-discovery and legal issues surrounding security and privacy and blog about these subjects fairly often. I’m not, however, an expert in this area. And I’m certainly not a lawyer. Having said that, let’s begin.
This article from the Wall Street Journal Law Blog Newsletter about an opinion Re United States, – F.Supp.2d -, 2009 WL 3416240 (D.Or. 2009) handed down by District Judge Mosman earlier this year is what started the exchange.
Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you? According to [District Judge Mosman] the answer is yes.
The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. . . . This is strong privacy protection for homes and the items within them in the physical world.
When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.
It is clear that notice is an essential part of the reasonableness calculus in judging searches and seizures under the Fourth Amendment. The Federal Public Defender has argued that this constitutional notice requirement supports [the view] that the copy of the warrant and receipt . . . must be provided to the subscriber to the e-mail account, rather than just to the ISP. The notice must be provided to the subscriber because the ISP “has a far lesser privacy interest in the content of its subscriber’s e-mails than the subscribers themselves.”
This argument fails to take into account the third party context in this case. If a suspect leaves private documents at his mother’s house and the police obtain a warrant to search his mother’s house, they need only provide a copy of the warrant and a receipt to the mother, even though she is not the “owner” of the documents. (citations omitted). In such a case, it is irrelevant that the suspect had a greater privacy interest in the content of the documents than did his mother. When he left the documents in her possession he no longer has a reasonable expectation of privacy in their contents.
Chris:
I think I found a judge who reads your blog…
Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.
I am concerned about the legal effect of this misunderstanding – are we entering a world in which all data storage is online, and so not protected by the constitution? For example, we just bought a scanner to upload our contracts and family records (bills, medical records, insurance and such). I thought I was being a “good” lawyer when I decided to upload these to an online account. This way a disaster striking my home would not leave me without my vital records and contracts – my primary evidence in a contractual dispute. Now I am rethinking this. I never had the intention of opening those documents up to search and seizure without notification. Now my records live on a DVD in the bank vault – where the constitution still applies. DVDs in a bank vault, it’s a 19th century solution to a 21st century problem.
Very dicey topic. Thought you might want to weigh in.
Joe:
This judge is saying that on the internet you essentially have no reasonable expectation of privacy. While I agree wholeheartedly with his assessment, I would submit that the act of encrypting data that is sent into the cloud does, in fact, give you a reasonable expectation of privacy – that being the sole purpose of encrypting the data. Therefore, while I’m not sure what the legal standing is on this, it would seem like encrypted data that requires a privately held key, explicitly excluding routine data transmission encryption (e.g. HTTPS and SSL), is no different than a safe deposit box at the bank where you hold the key. In other words, while you may be compelled to provide the key subject to a court order, that court order would require probable cause.
I can certainly offer some advice with respect to the offsite archive of your personal data.
I have a Verisign OpenID (which you can get for free here). In the process you set up a “Personal Identity Portal” which includes an encrypted “File Vault” that holds 2 GB. That’s a lot of documents. I’m exceedingly paranoid so I encrypt everything prior to putting it in my file vault using SecureZip (which you can get for free here) so there is minimal chance of exposure.
Chris:
If the Government seizes documents which are encrypted can they then seize the key from you? The request for the key would be effective notice of sorts, but would you have to provide it? I know this is a purely legal question, but I thought you might know the answer.
Joe:
Legally the answer is “yes” the government can compel you to reveal your password. Practically there are so many ways around it that the answer is “fat chance”. A really simple workaround would be for you to have an encrypted data store where only your wife has the key. A private key escrow. As you know your spouse can’t be compelled to testify (i.e. provide the key) against you.
The other point is that any encrypted data store whether online or not is not amenable to search. In other words you can’t even see what’s there so there is no way to know what’s in it. From the point of view of Google, a Verisign file vault doesn’t exist.
If you are really paranoid, Bruce Schneier has this article all about plausible deniability. The article is about securing laptops but the principles apply anywhere.
The bottom line is, sure the government can try to compel you to reveal encrypted data, but only if they know it exists. TrueCrypt has this guidance on plausible deniability. So to be completely safe and secure you could create a “hidden encrypted volume” inside an encrypted volume and upload the encrypted container to a Verisign file vault. With a little creative key management, you would be untouchable in any practical sense.
Now you may end up doing time for contempt of court or some bogus DHS charge but your data will be safe.
Chris:
Ok, this is heading into some really interesting legal waters. Building on your last comment, I am not an expert on the criminal side, but I can tell you that on the civil side a judge can compel discovery. If you do not comply the Judge can order the jury to draw the negative inference (meaning that they will be instructed that the encrypted document is what the plaintiff says it is, and that it says what they say it says). There is however a safe harbor for electronic documents destroyed in the course of regular maintenance – I would be interested to see if this would include encryption keys which are time sensitive, or single use.
Switching to the criminal example we are working with – if my wife had a physical copy of the key (on a hard drive or otherwise) a judge could compel production of this in the same way he could make her give over a murder weapon. If it was memorized, I suppose she could refuse.
My concern wasn’t really with the compulsion to turn it over, it was the fact that you get no notice. This allows for secret searches (fishing expeditions) to take place. Also, presumably they have probable cause, or the warrant in this case would not have been issued.
I do find the distinction between encrypted data and non-encrypted data, and the differing expectations of privacy intriguing. However, would your expectation of privacy survive the fact that the data is housed on another person’s machine? In the example the case offers, a letter on your mother’s table can be taken into evidence without your notice if your mother’s house is searched under a valid warrant. In that case the only one who gets notice is dear old mum. It is hard to argue the ruling would be different if you had the papers in a safe at mom’s place – the result would be the same, notice to mom, none to you. Would the same be true for packets of encrypted information on internet servers? Maybe you have an expectation of privacy with encrypted data (like with the safe) but the reality is governed by the physical location of the “evidence”. Once they have the encrypted data can they subpoena you, or your mom, or others, to compel the production of a key? I acknowledge this would give you notice. This is more proof that the internet is absolutely non-private, even when encryption leads to an expectation of privacy.
The problem is, the conclusion that the internet is a group of guest houses through which your packets pass, and at any given time are subject to ownership by the individual who runs the house, is a troubling roadblock for the development of the net. In order to streamline our society, the internet must at some point be viewed as an instant “post-office” type service. While people sometimes use the mail to do bad things, or even steal it, the Feds and suing parties can’t. In fact messing with people’s mail, even by carriers and third parties, is a crime. Shouldn’t the same model be imposed on the internet, even if it is a legal fiction? Wouldn’t such a model be better for the ISPs and users?
Joe:
The salient feature of encrypted data is that it is useless (i.e. random noise) without the decryption key. If you hold that key then clearly you must be notified in order to compel you to provide the key, otherwise there is no evidence.
For example, let’s say that the letter you left on mom’s table was encoded using a one-time-pad. The letter is seized under a valid court order. What have they got? Diddley. Just some weird random text on a page that is meaningless until the key – which only you have – is applied to it.
Now they can try to decode it, but the chances of success are exceedingly unlikely. They may attempt to compel you to provide the key, at which point if you refuse, you may get slapped with contempt or adverse inference but either way you get notified.
So unless they can make the case that some random collection of bits is anything more than just that, it will be impossible to use it for a fishing expedition. The point being, who cares if they seize it, it’s useless.
The original court opinion was with respect to GMail type services where your data is stored in cleartext for anyone who has the legal authority or technical prowess to see. But even the U.S. government would have a hard time deciphering AES 256 encrypted data without the key in your lifetime.
As for the instant “post-office” model legal fiction you suggest, that’s called “Net Neutrality” and the main groups opposed to it are the entertainment industry who wants to control their copyrighted content (same clowns, different circus) and some large ISPs that would like to give precedence to their own content over competitors (everybody thinks they can be Microsoft). Of course that’s not what they’re saying, but it essentially boils down to that. For the record, I agree that net neutrality would be much better for ISPs and net users alike. Whether they recognize it or not.
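The one-time-pad point made in the thread above, as an added example that is not part of the original e-mails: without the pad, a seized ciphertext fits every message of the same length equally well, and that property holds only while the pad is random, as long as the message, and used once. The sample messages are constructed and the function names are illustrative.

```python
# Added illustration of the one-time pad discussed in the thread.
# All messages are constructed samples; function names are hypothetical.
import secrets


def new_pad(length: int) -> bytes:
    """Generate a random pad from the operating system's CSPRNG."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of identical length (same call encrypts and decrypts)."""
    if len(pad) != len(data):
        # A shorter, repeated pad is no longer a one-time pad.
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_for_reading(ciphertext: bytes, reading: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `reading`.

    Such a pad exists for every reading of the same length, so the
    ciphertext alone carries no information about which one was written.
    """
    return otp_xor(ciphertext, reading)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR two ciphertexts made with the SAME pad.

    The pad cancels out and what remains is plaintext1 XOR plaintext2,
    which is why a pad must never be used twice.
    """
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


if __name__ == "__main__":
    letter = b"MEET AT NOON"        # constructed sample, 12 bytes
    alternative = b"BUY MILK NOW"   # a different 12-byte message
    pad = new_pad(len(letter))
    ciphertext = otp_xor(letter, pad)

    print("ciphertext:", ciphertext.hex())
    print("with the real pad:", otp_xor(ciphertext, pad))

    # A different pad turns the same ciphertext into a different message.
    other_pad = pad_for_reading(ciphertext, alternative)
    print("with another pad: ", otp_xor(ciphertext, other_pad))

    # Failure mode: the same pad used for a second letter.
    second = otp_xor(alternative, pad)
    print("pad reuse leaks p1 XOR p2:", reuse_leak(ciphertext, second).hex())
```

The thread's AES-256 case differs: a short key protects a long file, so the protection there is computational (guessing the key is infeasible) rather than the every-reading-fits property shown here.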
OLPC experience advice for your project

Regular readers of this blog know that I’m a huge fan of the One Laptop Per Child (OLPC) project and the XO laptop. A previous OLPC related post may be found here. As a result I follow the OLPC News blog which recently had this great article by 16-year-old Derek Chan on his experience with a small scale OLPC implementation in Kenya.
My name is Derek Chan, I’m 16 years old, and I was part of Mark Battley’s team of high school students from Upper Canada College that initiated a small scale OLPC implementation at the Ntugi Day Secondary School.
Part of our goal was to provide Ntugi with power for their initial complement of 8 XOs and 2 Cradlepoint PHS300s at a school that had no access to the country’s power grid.
In addition to this being a very well written piece about an extremely fascinating project, Derek enumerates some lessons learned that are directly applicable to any Infrastructure and Integration project. Especially security infrastructure projects like say a Network Access Control (NAC) or Enterprise Single Sign On (SSO) project. Just replace the word “school” with “enterprise” or “business”.
Ultimately, we were successful, but not without missteps and failures along the way. We did lots of things right, but we made a few newbie errors. Here’s what we learned!
- Learn as much as you can about your destination school’s physical resources.
- Don’t assume that tests in the lab will duplicate conditions in the field.
- Read all the relevant blogs, forums and bulletin boards before implementing.
- Don’t underestimate the sophistication of local technology and expertise at your destination.
Let’s think about each of these in turn, much as Derek did in his post.
Learn as much as you can about your destination physical resources.
Who hasn’t heard the horror stories from the installation team that just tried to add “one more appliance” to the customer’s data center, only to find out that the power or cooling or rack space just wasn’t there. Always verify ahead of implementation that the destination has all of the physical resources required by your hardware, all of the compute resources required by your software, and all of the network resources, including IP address space, required to connect it all together. An actual visit to the site by your Systems Engineers is a really great idea. Never assume that the destination is a “typical” configuration or that the customer knows the difference.
Don’t assume that tests in the lab will duplicate conditions in the field.
Boy Howdy! This assumption ranks right up there with “no customer would ever do that” as a surefire path to failure. The point is that the lab, by definition, is an artificial environment. Sure our QA engineers do the best job they can to simulate a real world environment, but the key word here is simulate. It’s pretty hard to simulate things like network latencies or ATM noise in the lab. Remember your lab techs are good, not god. What a difference that “o” makes.
Read all the relevant blogs, forums and bulletin boards before implementing.
Not that this has ever happened to me, mind you, but I’ve heard of engineers that actually believe the promo literature and design the system around that, assuming that all the details are handled. I mean how much difference can there be between Server 2K3 and Server 2K3 R2? Yeah. Just do the homework. That’s called “due diligence” in business speak.
Don’t underestimate the sophistication of local technology and expertise at your destination.
As engineers we always like to think we’re way smarter than the mere mortals we tolerate in our presence. But never fool yourself into believing that you can understand the ins and outs of a customer’s infrastructure as well as they do. You may think they are yokels, but they are yokels with way more relevant experience than you. And they are the ones who control your payday. Just suck it up and let them make it easier (or possible) for the project to succeed.
So there you have it. Excellent advice from a 16-year-old who has already learned some important lessons. Well done Derek.
Colorado Weirdness

Strange days have found us
Strange days have tracked us down
From “Strange Days” by the Doors
I spend most of my time in the Peoples Republic of Boulder, so I’m pretty blase about strange stuff. I mean this is a place where a candidate for city council can file a campaign finance report with $14.37 to “Only Natural Pet Store” for dinner for his campaign manager, a cat named Sita. And nobody thinks twice about it. Needless to say, my Bizarro-meter is calibrated way higher than most. Nevertheless, events of this last week have pretty much pegged it.
First there was the whole Balloon Boy saga. As if a runaway helium filled mylar flying saucer thought to have a six-year-old stowaway aboard wasn’t bizarre enough, it turns out to be an elaborate hoax for purposes of snagging a reality TV show. Move over John and Kate plus Octomom. This totally raises (or lowers) the weird-stuff-fools-do-to-get-on-TV bar. Here is a timeline of this odd affair.
Oct 20:
FAA investigating Colo. balloon flight
Griego: A better image of parenthood
Hollywood acquaintances say balloon boy’s dad always wanted fame
Oct 19:
Balloon boy saga “absolutely … a hoax,” Larimer sheriff says
Sheriff admits misleading the media to win trust of balloon boy’s family
Oct 18:
Fort Collins parents face felony charges in “balloon boy” case
Balloon escapade a hoax police say
“Balloon boy” responders dealt with roller coaster of emotions
Experts say TV cameras alter family dynamics, like in “balloon boy” case
Sheriff expects charges to be filed against Colorado family in “balloon boy” case
Oct 17:
Charges pending in “balloon boy” saga
Balloon family has pushed for television spotlight
Sheriff has questions, says he believes family
Oct 16:
‘Balloon boy’ found safe at home
Oct 15:
Feared lost in balloon, boy found at home
Yep. It just keeps getting weirder and weirder. Culminating in what will no doubt be the most popular Halloween costume of 2009 and this YouTube spoof Real Men of Genius: Heene. Just think, all this took place in the normal part of Colorado.
And then there was this pair of stories about insurance company craziness. In the first, an infant was denied coverage due to pre-existing condition: “obesity”. In the second a two-year-old was denied coverage due to another pre-existing condition: “underweight”. Yeah, that’s what I thought too. I gotta tell ya, this doesn’t do a lot for the credibility of insurance companies in my mind. Although I have no problem believing that insurance prices will go up if the health care legislation currently being debated in congress is passed. Or not. Whatever happens I’m pretty sure that they’ll find a way to take more of our money and deliver less coverage.
And in the “Best Job Ever” category Westword, a Denver alternative newspaper posted an ad for a reviewer of the state’s marijuana dispensaries and their products. Hey, they don’t call it the Mile High city for nothing!
All this during the week that the Denver Broncos went 6-0 in a season where most of us thought they would be lucky to win 6 at all. If this isn’t concrete evidence of the existence of a God who watches over His Broncos I don’t know what is.
Oh, I almost forgot. Microsoft released their long-awaited new OS – Windows 7 which was Amazon UK’s biggest pre-ordered product of all time. Unseating the previous title holder Harry Potter and the Deathly Hallows. Now if businesses will just follow the consumer herd, Microsoft will be golden. And I will totally need to re-calibrate my Bizarro-meter even higher.
No privilege for you!
Everybody knows about the idea of attorney-client privilege. At least in the USA. It’s what keeps lawyers in business and their clients out of jail. In general, any communication between attorney and client is privileged. It’s a secret that no court can compel either party to divulge. Kind of like the privilege between confessor and confessee [priest and sinner in confession]. Only God usually isn’t involved. If the conversation is via telephone? Covered. Postal mail? Ditto. E-mail? Absolutely. Except when it’s not.
You see, privilege hinges on the idea that the conversation is private. Since it’s not possible to “un-hear” a public conversation you don’t get no stinking privilege. Well duh! you might be thinking about now. Of course not. But when a client sends an email directly to an attorney then it’s private. Not so fast there, buckaroo! In this post on the Electronic Discovery Law blog an incident is described wherein that privileged email turns out not to be.
At issue before the court was an email sent from defendant’s counsel to plaintiff’s Vice President and In-House General Counsel regarding a prior conference call attended by [the] defendant, [both counsels] and another lawyer for plaintiff. At the time of the call, [the] defendant was CEO and Vice-Chairman of the plaintiff corporation.
Evidence was presented that during [the defendant's] employment with plaintiff, [the In-House General Counsel] served as [the defendant's] personal advisor. Accordingly, [the defendant] claimed the email was a privileged communication between his counsel and his “personal advisor and agent”. Issues of whether the relationship between [them] was sufficient to establish privilege aside, the court ruled that the email in question “[was] not protected by the attorney-client privilege because [the defendant] had no reasonable expectation of privacy…”
That’s right. Do not pass Go, do not collect $200. This is a point I’ve been trying to drive home since I started blogging lo those many months ago (14 to be exact): when you send and receive email at work you have no reasonable expectation of privacy. Just so there’s no confusion, here are the four factors the court set forth for consideration in determining whether an employee has a reasonable expectation of privacy in computer files or email:
- does the corporation maintain a policy banning personal or other objectionable use,
- does the company monitor the use of the employee’s computer or email,
- do third parties have a right of access to the computer or e-mails, and
- did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
That’s right, you better check the old employee manual to see what your employer’s policy is. Or better yet just pay attention to that disclaimer message that comes up every time you log in to your PC or workstation. You know, that one you always ignore? I’m willing to bet that it doesn’t say “Use this computer for anything you like. We don’t care and won’t pay any attention to you.”
Bottom line is that you have no reasonable expectation of privacy when you email at work. And therefore no privilege. Not with your lawyer. Not with your priest. Even though God might forgive you in the latter case, a judge certainly will not in the former. You’ve been warned. Now go in peace and sin no more.
If we only knew now what Caspar knew then
Superman where are you now?
When everythings gone wrong somehow
The men of steel, the men of power
Are losing control by the hour.
“Land of Confusion” – Genesis
Why, oh why didn’t we listen to Caspar Weinberger? Or more correctly, why didn’t the U.S. government follow the directives and doctrine that “Cap the Knife” proposed and instituted over 30 years ago? And why does it matter now? Glad you asked.
In a recent entry Voltage Superconductor blogger Luther Martin ponders this same question with respect (or lack thereof) to privacy.
The need to protect the sensitive personal information that’s used to commit identity theft has been well known for many years. As far back as 1973 this was known to be a problem. That’s when the report Records, Computers and the Rights of Citizens was written for Caspar Weinberger, who was then Secretary of Health, Education, and Welfare.
This report discussed the problems of privacy and recommended that the following five principles be used to create a “federal code of fair information practice” that would be enforced by one or more federal laws:
- There must be no personal data record keeping systems whose very existence is secret.
- There must be a way for an individual to find out what information about him is in a record and how it is used.
- There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
- There must be a way for an individual to correct or amend a record of identifiable information about him.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.
Yeah, that Caspar Weinberger. The same guy who, during his tenure as Secretary of Defense for President Reagan, proposed the Weinberger Doctrine of six criteria for determining whether – and how – the U.S. should commit U.S. military forces abroad to avoid the “Vietnam syndrome”.
- The United States should not commit forces to combat unless the vital national interests of the United States or its allies are involved.
- U.S. troops should only be committed wholeheartedly and with the clear intention of winning. Otherwise, troops should not be committed.
- U.S. combat troops should be committed only with clearly defined political and military objectives and with the capacity to accomplish those objectives.
- The relationship between the objectives and the size and composition of the forces committed should be continually reassessed and adjusted if necessary.
- U.S. troops should not be committed to battle without a “reasonable assurance” of the support of U.S. public opinion and Congress.
- The commitment of U.S. troops should be considered only as a last resort.
Come on now, folks! It’s not like the Nixon or Reagan administrations were exactly bleeding heart liberal pacifists. Maybe Secretary Weinberger was simply a politician who could (gasp!) foresee the problem with no official protection of personal privacy and (gasp! choke!) learn from historical mistakes. I know it certainly doesn’t sound like any of the pols we’ve come to know and love [loathe]. In any event, it’s pretty obvious that his policies and doctrine have been roundly ignored for far too long.
So here’s an idea: How about the Obama administration try “reaching across the aisle” with a proposal for a “federal code of fair information practice” that originates with a prominent, hardcore, Republican? A guy who was once the chairman of the California Republican Party and served at the cabinet level in two of the most conservative Republican administrations ever. A guy who was publisher of Forbes magazine. It would be a little hard for the “loyal opposition” to question his pedigree. And hey – they could even take credit for the idea [Dude, we thought of that first!]. Whatever. Just pass the legislation already! And it’s a little late now to apply the Weinberger Doctrine.
I first mentioned “Operation Numbers Game” last August in
Everybody knows that social networking sites are notorious for their ill-advised exhibitionism. Folks who are reasonably demure and respectable in person get their freak on when it comes to FaceBook or MySpace. Yep, insert an internet connection between them and the world and the gloves come off. Or rather only the gloves stay on. I’ve 




