Monthly Archives: August 2009

Justice happens

Posted on by

For meting out true justice the coveted Security for All Simon Award goes to JAMES C. FRANCIS IV, United States Magistrate Judge for his ruling on Green v. McClendon, 2009 WL 2496275 (S.D.N.Y. Aug. 13, 2009). The Simon Award takes it’s name and inspiration from the classic 1980 Alan Arkin film Simon wherein Prof. Simon Mendelssohn (played by Arkin) who was abandoned at birth is convinced by a shadowy group of rogue scientists that he is of extraterrestrial origin. He then escapes and attempts to reform American culture by overriding TV signals with a high power TV transmitter, becoming a national celebrity in the process. Along the way he convinces congress to pass a law requiring that lawyers who lose cases receive the same punishment as their clients.

DIGRESSION: There is a scene in which Simon is regressed to the state of an amoeba using sensory deprivation as part of the brainwashing and then re-evolves back into a human [to "Also sprach Zarathustra" of course], including “religious repression and accompanying guilt”, that is truly classic.

The Electronic Discovery Law Blog describes the case that compels us to present the prestigious Simon Award to Judge Francis as follows.

Upon one of the defendant’s revelation that she had lost all original versions of electronic files when she transferred those files to CD and then reinstalled her operating system, plaintiff filed a motion for sanctions.  Finding that the defendant and counsel violated their duty to preserve evidence, the court authorized additional discovery and awarded plaintiff his costs, including attorney’s fees, to be paid by the defendant and her counsel.

Addressing culpability, the court found that the defendant and her counsel had been “at least negligent” in failing to implement a litigation hold, properly search for documents, and supplement discovery responses.

Finding some sanctions were warranted, the court authorized further discovery, including further deposition of the defendant, and awarded the plaintiff costs and attorney’s fees, in an amount to be determined, to be allocated between the defendant and her counsel.  Interestingly, the court offered the defendant and counsel the opportunity to work out the allocation between them, and to involve the court only if necessary.

Hurrah for justice! I’m not into lawyer bashing (much) but I have to admit that when a lawyer gives bad counsel or, as is most likely in this case, goes along with their client’s hare-brained scheme to bamboozle the court it’s refreshing to see them get spanked. I just wonder how that “opportunity to work out the allocation between them” part is working out.

Safe web browsing

Posted on by

It’s no secret that, by far, the number one threat vector for personal computers is the internet. Inadvertently (or intentionally) visiting a malicious web site can wreak havoc on your PC. I’ve written before, here and here, about browsing safely and you should definitely check out those fine articles. Rich Mogul, cohost of the Network Security Podcast and fellow member of the Security Bloggers Network has this excellent piece in Macworld about Super-safe Web browsing wherein he details these ideas that are critical to safe web browsing.

  1. Understand the risks
  2. Dedicated browsers
  3. Multiple operating systems

While you should definitely read Rich’s article in it’s entirety, I’ll touch on some of the high points here.

First if you don’t understand the risks at all then how can you possibly avoid them? I’m not suggesting that your mom needs to understand exactly how Cross-site Request Forgery works, but it would be a really good idea if she knew it exists. And it’s bad. We are talking about your mom here.

The second point is the easiest to implement. Simply put, use different web browsers for different tasks. In other words use one browser for online banking and a different one  to check Facebook. I’ll quote Rich here.

Although Firefox and Safari are good for general browsing, when I need more protection, I use either a dedicated browser or a site-specific browser (SSB).

By “dedicated browser,” I mean a regular Web browser that I use only for one site. In my case, I use OmniWeb to manage my company Web site and blog.

An SSB is essentially a stripped-down Web browser that you can create yourself in a few clicks. I created one with the Prism add-on for Firefox. (Go to Tools -> Add-ons -> Get Add-ons, search for Prism, and then install it.) With Prism installed, browse to that site and select Tools -> Convert Web Site To Application.

Rich is suggesting using an application that brings up one and only one web site in a browser window. If you think that’s too complicated, you can achieve the same thing by simply designating one browser for use in only specific situations. For example, use Internet Explorer for doing your online banking and use Firefox for checking Facebook. The important point is that you stick to this religiously, i.e. never, ever use your online banking browser for anything else. Period.

The third point may have you thinking, “Oh sure, you computer geeks can run different operating systems, but what about real people”. I won’t dispute that I’m a geek weenie, but I also know quite a few real people. In fact I’m married to one. My wife just got a new iMac when her PC bit the dust. I figured that the easiest way to transfer her data from the old PC to her new mac, especially since the laptop was toast, was to convert a current disk image from her PC (yeah she actually had current backups) into a virtual machine. She got VMWare Fusion for her iMac and was able to run the VM version of her old PC right on her iMac. Well duh! It’s the exact same thing she had before. Only now it actually works. During this process she discovered that some of the sites she uses, particularly government sites, just don’t work correctly under Safari, but they work just peachy under Internet Explorer. So that’s what she uses. Under Vista. In a VM. On a Mac. Sure there was some fairly complicated steps involved in setting up VMware and converting her physical PC to a virtual machine, but now that it’s done she uses it all the time. Simple enough that even a real person can do it. And it works with Windows and Linux systems as well. I do much of my browsing in a Linux VM on a Windows machine. Twisted I know, but it works great. My son often browses in a Windows VM on a Linux machine. Bright Boy. It’s easy once everything is set up.

So do us all a big favor – yeah all of us potential recipients of that spam sent from your pwned PC – and follow this advice. We’ll all be glad you did.

Upgrading for better security?

Posted on by

We’ve heard an awful lot about how Windows 7 is way more secure than Windows XP and it’s earlier brethren. Actually we heard that about Windows Vista too. Only very few people bothered to upgrade. The operative word here being “bothered”. But that’s another post. The fact is that Windows 7 is much better in any number of ways than Windows XP (and Vista – but again another post). If you were thinking that an upgrade might be in order to improve the security posture on your Windows boxes, that’s not a bad idea. The deal is, though, that upgrading alone isn’t the answer. Kevin Beaver, a fellow CISSP has written this piece for TechTarget about how you need to secure Windows XP before upgrading to Windows 7.

It’s not too early to be thinking about how you’re going to manage your existing Windows XP base and begin focusing on Windows 7 without creating unnecessary security gaps.

It often happens that legacy operating systems do not get the attention they deserve during upgrades and migrations. Inevitably, security suffers. When these holes are found in legacy Windows systems, the response is almost always that the box will soon be taken offline. Unfortunately, soon doesn’t cut it when it comes to someone maliciously exploiting the unplugged holes in these undermanaged systems. Even if you and your business are moving forward, your Windows XP systems are still going to be targets for attack — especially once Microsoft stops supporting it in 2014.

Windows XP may be going away in spirit, but its physical remains will linger on for some time. Don’t let Windows XP security management, or a lack thereof, rule your time now or in the future. Get a handle on these possible issues early and it will make a difference for your business.

In addition to the problem of laggards (sorry there is no “No PC Left Behind” program) even the boxes that do get upgraded won’t be any more secure than they are right now if you have unnecessary – or necessary but insecure – ports open. Or if the users of these Windows XP boxes have long lived, weak passwords because you aren’t enforcing your password policy – or you don’t even have a policy. The point is that Windows 7 is more secure than Windows XP only if you take steps to make it so. You can still do plenty of stupid things, or not do plenty of smart things, that can defeat all that swell new stuff in Windows 7, just like you can defeat the old stuff in Windows XP. So if your goal is to improve the security posture of your Windows endpoints, then start doing exactly that with the stuff you have right now. Before you upgrade. Who knows, maybe you won’t even need to upgrade.

How to text your way to failure

Posted on by

Have I mentioned that I’m a big fan of e-discovery and forensics? Yeah I thought so. Recently I came across this story from the {ride the lightning} blog that was just so priceless that I had to pass it on. If you’ve ever been involved in litigation and wondered “what could I do to really outrage the judge and guarantee failure?” then this is for you!

After earlier declaring a mistrial, [the judge] dismissed with prejudice a civil fraud lawsuit involving the sale of a condo tower. What made this decision interesting is his reason: a boss sent text messages to his employee, who was then testifying on the witness stand. This was done surreptitiously as the judge and lawyers conferred in a sidebar conference.

Sheesh! And I thought texting while driving was bad. And it gets better.

The judge ordered a mistrial when a spectator alerted him to the misconduct. Clearly incensed, the judge questioned [the wily texter and textee], who admitted to the texting. The judge then ordered the messages to be read aloud and into the record.

Just like passing notes in grade school. And if you went to a Catholic grade school like I did you might expect the judge to order the bailiff to beat the fool senseless, just like Sister Mary Catherine used to. But this just keeps getting better.

The texting “was underhanded and calculated to undermine the integrity of this court and the legal process,” the judge wrote in his dismissal order. “Regretfully, plaintiff through its unacceptable conduct has reached into the court’s quiver of sanctions, drawn the bowstring taut and aimed the arrow at the heart of its own case. This court has justifiably released the string.

Now you’ve just got to love the Robin Hood/William Tell, theme of the dismissal order. I think the judge should have stuck to this archery theme and ordered a court officer to shoot the idiot’s cell phone off his head. Or in his pocket. But I digress. And this gets even better.

Curiously enough, [the texting boss] appears to be a guy who just doesn’t learn. Two months before the trial, he improperly texted a witness during a deposition and was reprimanded by the magistrate. [The judge] said he took the previous conduct into account. No doubt.

There is one born every minute. But ones like this moron only come along once every year or so. Thank goodness, but there’s still far too many of them out there on highways. And in courts.

ID Theft, Privacy, Fear and Loathing in Colorado

Posted on by

Like Jerry said, “What a long strange trip it’s been“. But like Yogi said “It ain’t over til it’s over“. Which it isn’t. Yet.

In this case the long strange trip is an identity theft investigation known as “Operation Numbers Game” that is being prosecuted by Weld County [Colorado] District Attorney Ken Buck. As you may have guessed this isn’t your typical ID theft case. It involves quite a few undocumented workers (read illegal aliens) and a DA known for his staunch stand against illegal immigration. The basics of the story are laid out pretty well  in this article by AP writer Ivan Moreno, printed in the Denver Post.

Weld County launched Operation Numbers Game after a Texas man reported his identity was being used. The suspect in that case told authorities he had filed his taxes through a business widely used by immigrants in Greeley.

In October, authorities obtained a search warrant and seized the firm’s computers and thousands of tax documents.

Buck filed identity theft and criminal impersonation charges against more than 70 people. He said as many as 1,300 undocumented immigrants in the area were using false or stolen Social Security numbers.

The ACLU’s lawsuit argued authorities had violated privacy rights. Hiatt ruled for the ACLU, saying the county lacked probable cause for the raid, that it was too broad, and that tax records are confidential. Other Weld County judges with cases from Operation Numbers Game agreed.

Prosecutors dismissed many of the cases without prejudice, giving them the option to file charges again. But some defendants had pleaded guilty and face deportation.

Those charged allegedly used others’ Social Security numbers to work, and Individual Taxpayer Identification Numbers to pay taxes.

Weld County argued in its appeal it was impossible to identify individual suspects in the search warrant because the case centered on identity theft.

Buck, a Republican who is expected to run against Democrat Michael Bennet for his U.S. Senate seat, is known for his staunch stand against illegal immigration. But he has maintained Operation Numbers Game was about identity theft, not immigration.

In an unrelated case, the U.S. Supreme Court ruled in May that undocumented workers can be considered identity thieves only if authorities prove they knew they were using someone else’s Social Security number.

Aside from the basic facts – here is a map (OK more of a trail of breadcrumbs) of this long strange trip so far:

“So what does this have to do with security and privacy?” you may be asking about now. Maybe nothing. Maybe this is truly, as DA Buck asserts, “about identity theft, not immigration”. Yeah you bet. First off, the “identities” that were allegedly stolen here are, in fact, Social Security Numbers. Don’t even get me started on the fundamental idiocy of using SSNs as forms of identity. Second, I tend to agree with the Supreme Court in that “unrelated” case. In fact the case was Flores-Figueroa v. U.S, 129 S.Ct. 1886 (2009) [updated with correct citation - thanks to Chris Webster] and an exhaustive analysis with my keen legal sense (would you believe I read some articles like this one over a beer?) fails to find the “unrelated” part.

Ignacio Carlos Flores-Figueroa, a Mexican immigrant employed at a steel plant in East Moline, Ill., traveled to Chicago and bought numbers from someone who trades in counterfeit IDs.

Unlike earlier fictitious numbers Flores-Figueroa used, these numbers belonged to real people.

Flores-Figueroa had worked at the plant under a false name for six years. His decision to use his real name and exchange one set of phony numbers for another aroused his employer’s suspicions.

He was arrested in 2006 and convicted on false document and identity theft charges.

He appealed his conviction as an identity thief, but the 8th U.S. Circuit Court of Appeals in St. Louis upheld the conviction. With appeals courts divided on the issue, the Supreme Court stepped into the case.

Oh yeah, this case is nothing like that. Now don’t get me wrong, I’m not trying to minimize the severity of identity theft. This just isn’t it. These were just folks trying to make a living, albeit illegally. But the illegal part was not identity theft. What really bothers me is the creative interpretation of one law to enforce something completely different. Think of these swell examples from our recent past and present:

Terrorist - A person who demonstrates at the Republican National Convention

Hacker - Someone who writes code to watch DVD’s on Linux

Suspected child pornographer – Anyone crossing the border into the US with a laptop computer.

Should the weasels that sold the known good Social Security Numbers to the undocumented workers be prosecuted? Hell yes! Those are actual identity thieves. And Ill bet they are liberals [terrorists] and probably have computers [suspected child pornographers]. DA Buck could surely win with at least one of those angles. A long strange trip indeed.