I'll be speaking in Southern NJ on 1 Aug 2008

  • Jul. 24th, 2008 at 10:02 PM
"Hacking & the Law: What Are the Legal Considerations of Tinkering with Software & Hardware?"
Presentation for the Cherry Hill Linux Users Group (CHLUG)
Friday 1 Aug 2008 from 7pm to 9pm
in the Multicultural Room of The Cherry Hill Public Library.
1100 Kings Highway N., Cherry Hill, NJ. [Directions]
The meeting is open to the public.

When I offered to speak at a CHLUG meeting, I asked what information security topics they wanted covered. The answer was "Hacking & the Law". Interesting, but it is too vast a topic to cover in 45 minutes. I asked what they meant by "hacking". The CHLUG members explained they were interested in "hacking" as it pertains to tinkering with software and hardware. Since this is a Linux users group, the emphasis would be upon free & open source (F/OSS) concepts. Excellent!

Some of the things I'll cover include
  • Quick overview of concepts such as copyrights, fair use, and patents.
  • Overview of F/OSS licensing approaches such as GPL ones.
  • Can F/OSS licensing provisions be enforced by law?
  • Hardware tinkering issues such as "Tivoization", where a system incorporates F/OSS but the hardware is designed to prevent modification of the code.
  • Examination of the issues raised by things such as the DMCA anti-circumvention provisions.
  • Issues that can arise when publicising info about our tinkering.
  • Suggestions for dealing with these issues.
(NOTE: I am not a lawyer and this general presentation is not a substitute for competent legal counsel.)

J.D. Abolins


Line Testing Handsets. At the HACDC Hackerspace area.

I'm posting photos and, eventually, videos at my Flickr collection.
(You can see other Flickr images with the tags "Last HOPE" and "hacker" here.)

A Hacker Scene Anthem?
(Eine Hymne für die Hackerszene?)

At the closing of the Last HOPE conference, the funeral theme broke into joyfulness when it was announced that this 2008 conference is not the final one but the last one attended so far. Then, a fellow from Austria added to the happy moment by proposing a hacker anthem: "Surfen Multimedia" done by the Eurocats in 1998. [mp3 link]

English translation of the lyrics:

Surfing surfing through the world with multimedia
Surfing surfing, day and night
on the data highway

Come join me on the internet tonight
I'm already waiting for you
Dude, be a user, go online
You'll meet me in the email

And should you lack some megabytes
You’ll find them here with me
Be it interface or cyberspace
I'll gladly share with you

With bits and bytes
With mouse and click
We are going on a tour
In the World Wide Web
We'll follow each new hint today
Just the song to listen to while "surfen auf der Daten-Autobahn". Sorta like what ABBA might have done had they gotten interested in the Internet.

J.D. Abolins

Through Sunday afternoon (20 July 2008):
http://radio.hope.net/

Right now, I am listening to Steve Rambam, a private investigator who speaks at every HOPE conference, speak about privacy and, more so, the ways it is disappearing. Fascinating as usual.

In a few days, I'll post links to photos and videos from the Last Hope.

Cheers,
J.D. Abolins

UPDATE (23 July 2008): The streaming radio feed from Last HOPE's Radio Statler is no longer on the air.

This afternoon, Dark Reading reports:
Schneier, Team Hack 'Invisibility Cloak' for Files
Researchers break 'deniable file system' steganography feature that conceals the existence of sensitive files from hackers
JULY 16, 2008 | 5:35 PM

By Kelly Jackson Higgins
Senior Editor, Dark Reading

[...]
The researchers were able to get around DFS in versions 5.0 and below of TrueCrypt’s encryption-on-the-fly tool, and will present their findings on the hack at the Usenix HotSec ’08 summit next week in San Jose, Calif.

[...]
Schneier, who has studied the viability of the so-called “deniable” file system model in the past, says DFS is actually easier to hack than encryption, and that there may be no way to make files truly undetectable on a drive. “Deniability is a much harder security feature to enable than secrecy,” he says. [...]

The researchers were able to crack DFS without decrypting it. “Breaking the security of a DFS does not require decrypting the data; it only requires proving that (or in some cases simply providing strong evidence that) the encrypted data exists,” according to the report, which was co-authored by Schneier and University of Washington researchers Alexei Czeskis, David St. Hilaire, Karl Koscher, Steven Gribble, and Tadayoshi Kohno.

The researchers found that Windows Vista shortcuts can give away the existence of a hidden file. Vista automatically creates shortcuts to files that get used, then stores the shortcuts in the Recent Items folder. And the auto-save feature in Word, meanwhile, saved versions of the hidden files.

[...]
“Modern applications and operating systems are very complicated, and interact with each other in many different ways,” Schneier says. “Hiding the existence of something means controlling all those interactions, which turns out to be a very hard problem.”
Quite interesting. I am looking forward to the presentation whenever it becomes available on the USENIX Conference Proceedings site.

Related reference: Truecrypt's explanation of its Plausible Deniability approach.

UPDATE (17 July 2008):

Bruce Schneier & UW team's research paper "Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications" is now available at
http://www.cs.washington.edu/research/security/truecrypt.pdf
and
http://www.schneier.com/paper-truecrypt-dfs.html

Although Schneier has not yet mentioned the paper on his blog, some comments about Truecrypt and plausible deniability appear under his recent post "Using a File Erasure Tool Considered Suspicious".

I sometimes slip in "deniable plausibility"; it's hard to believe,
J.D. Abolins

Last HOPE conference NYC July 18 - 20

  • Jul. 15th, 2008 at 8:40 AM
Information about the conference at http://www.thelasthope.org
Speaker/ Talks info: http://www.thelasthope.org/talks.php
Conference schedule: http://www.thelasthope.org/matrix/
Discussion site: http://talk.hope.net

Since 1994, the Hackers on Planet Earth (HOPE) conferences have been held in New York City every other year. The HOPE conferences are organised by the folks who publish 2600 - The Hacker Quarterly.

These conferences bring together an interesting variety of people from all over the world, including technology fans, tinkerers, academics, cryptography folks, cyber-liberties activists, and, of course, hackers of all kinds as well as people interested in hacker culture.

This year is going to be difficult for time but I hope to make it out for one of the days.

One of the presentations that should be very interesting is Johnny Long's "No Tech Hacking". I've seen him give such a presentation at TechnoForensics 2007 and it's both fun and thought-provoking. The no-tech aspect is a good eye-opener for people who get so focused upon technical/cyber security issues that they forget the low/no-tech gotchas. (Hint for organisations with special security concerns that was conveyed by a couple of the slides: Don't put agency logos on laptops, laptop cases, etc. Advertising might not be your friend. <g>)

HOPEfully,
J.D. Abolins

100th anniversary of the Tunguska event

  • Jun. 30th, 2008 at 11:19 PM
On 30 June 1908, something hit the Earth's atmosphere and resulted in the biggest space impact of modern times. It occurred over Tunguska in Siberia. If the event had occurred over, say, London, it could have been a gigantic tragedy instead of a scientific curiosity. Quite a close call.

Thinking about a "blast from the past",
J.D. Abolins


Yesterday, The Guardian had an essay by Bruce Schneier on "CCTV doesn't keep us safe, yet the cameras are everywhere." (The essay is also posted on his blog along with readers' comments.)

No big surprises in the essay. It does, however, provide a good overview of some of the CCTV (closed circuit television) surveillance benefits-cost issues and offer links for further information, including UK Home Office's 2005 study "Assessing the impact of CCTV". Schneier is not against all uses of CCTVs. He does exhort people to examine where their benefits are worth costs (including non-material ones).

Is CCTV equivalent to 204TV?
J.D. Abolins

I came across two wiretapping items in the past 24 hours.

1. Happy 40th Birthday for the US Wiretap Act

The US "Wiretap Act" (18 U.S.C. 119 - Wire and Electronic Communications Interception and Interception of Oral Communications) is now 40 years old! It, along with the rest of the Omnibus Crime Control and Safe Streets Act, was enacted on 19 June 1968.

Many thanks to Orin Kerr for mentioning this in his post today on the Volokh Conspiracy.

2. DIY Wiretapping & Counter-measures

IT Security site has an article about Do-It-Yourself wiretapping and how to counter it. A good overview of some relatively inexpensive methods to tap into phones and some ways to detect certain taps. (Those methods are not likely to detect sophisticated taps.)

One thing the article mentioned that was new to me was that Toys R Us sells a telephone bug kit from Elenco Electronics. The kit's product description says:
Listen in on telephone conversations in your home with this build-it-yourself telephone bug. Its compact size (about the size of a dime) allows it to fit into most telephone handsets. Easy to install and fun to build. No batteries are required. Complete with training course. Soldering is required.
While I am in favour of kids learning about science and technology with hands on projects, the telephone bug kit and some other "spy toys" remind me a bit of a scene from George Orwell's 1984 where Mr. Parsons tells Winston Smith about the Spies, a youth group serving Big Brother:
"[...] That's a first-rate training they give them in the Spies nowadays -- better than in my day, even. What d'you think's the latest thing they've served them out with? Ear trumpets for listening through keyholes! My little girl brought one home the other night -- tried it out on our sitting-room door, and reckoned she could hear twice as much as with her ear to the hole. Of course it's only a toy, mind you. Still, gives 'em the right idea, eh?"
Hmmm....

"I hear you..."
J.D. Abolins

.ru ready for the Russian .рф domains?

  • Jun. 17th, 2008 at 11:22 PM
Last week, The Register and The Times reported that Russian president Dmitry Medvedev has been seeking to make the Internet more Russian language friendly. (By the way, The Register mentioned LiveJournal in its article.<wink>)

Reuters reported President Medvedev saying:
"We must do everything we can to make sure that we achieve in the future a Cyrillic Internet domain name -- it is a pretty serious thing."
[...]
"It is a symbol of the importance of the Russian language and Cyrillic and it is not a bad sphere of cooperation. And I think we have a rather high chance of achieving such a decision in the Internet world."
Medvedev claims that more than 300 million people worldwide use Russian media and that access to Russian language sites without having to enter Latin alphabet domain names would make it easier for them.

Currently, Russian domains generally have the .ru top level domain (TLD). With the possible future Cyrillic domain names, it is very likely the TLD will be .рф (Cyrillic for .rf, for Росси́йская Федера́ция - Russian Federation) instead of .ру (Cyrillic for .ru). A major problem with a Cyrillic .ру TLD is that it looks like Paraguay's Latin-character code .py.

So, if the proposal gets implemented, Russians looking for the Kremlin's Web site could type in the URL Кремль.рф instead of kremlin.ru.

Meanwhile, ICANN has been working on setting up "internationalized domain names" (IDNs) that would allow the use of non-Latin characters in domain names.

Overall, I welcome the ability to have non-Latin character domain names. One concern I have, however, is the possibility for mishaps or mischief via "lookalike" domain names across different character sets.

I already mentioned the confusion that could occur with a Russian .ру domain and a Paraguayan .py domain. Many Cyrillic characters look like Latin ones. On a machine level, such as hexadecimal or binary, the differences are quite evident. One security help may be a browser add-in that indicates which character set(s) appear in the URL and which country the TLD is associated with.
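As an added illustration (not part of the original post), the following Python script does what the browser add-in idea above describes: it reports the scripts and code points present in each label of a hostname, flags labels that mix Latin and Cyrillic or that consist entirely of Cyrillic letters imitating Latin ones, and shows the IDNA (punycode) form that the resolver actually sees. The lookalike table, the function names and the sample hostnames other than Кремль.рф are constructed for this example.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters in
# common fonts. Illustrative only, not a complete Unicode confusables table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}


def script_of(ch):
    """Coarse script class of one character, derived from its Unicode name."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"   # digits, '-' are Common
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script + " "):
            return script.capitalize()
    return "Other"


def analyse_label(label):
    """Return (scripts, latin_skeleton, flags) for a single DNS label."""
    label = label.lower()
    scripts = {script_of(c) for c in label} - {"Common"}
    # Replace each known Cyrillic lookalike with the Latin letter it imitates.
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    flags = []
    if len(scripts) > 1:
        flags.append("mixed-script")        # e.g. Latin word with one Cyrillic letter
    if skeleton != label and skeleton.isascii():
        flags.append("latin-lookalike")     # every non-ASCII letter imitates Latin
    return scripts, skeleton, flags


def inspect_hostname(host):
    """Analyse every label of a hostname; return (idna_form, per-label report)."""
    host = host.lower()
    report = {}
    for label in host.split("."):
        scripts, skeleton, flags = analyse_label(label)
        report[label] = {
            "scripts": sorted(scripts),
            "codepoints": [f"U+{ord(c):04X}" for c in label],
            "skeleton": skeleton,
            "flags": flags,
        }
    try:
        # The form sent in DNS queries: non-ASCII labels become xn-- punycode.
        idna_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        idna_form = None
    return idna_form, report


if __name__ == "__main__":
    # Constructed samples: the post's Kremlin example, a plain ASCII name, a
    # Latin name with one Cyrillic letter, and an all-Cyrillic label whose
    # letters all imitate Latin ones (it reads as "scope" on screen).
    samples = [
        "Кремль.рф",
        "kremlin.ru",
        "p\u0430ypal.com",
        "\u0455\u0441\u043e\u0440\u0435.net",
    ]
    for host in samples:
        idna_form, report = inspect_hostname(host)
        print(f"{host} -> {idna_form}")
        for label, info in report.items():
            print(f"  {label}: scripts={info['scripts']} flags={info['flags']}")
            print(f"    codepoints={' '.join(info['codepoints'])}")
```

The Kremlin name is reported as pure Cyrillic with no flags, while the two constructed lookalike names are flagged even though they are indistinguishable from the genuine ASCII names when rendered.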

J.D. Abolins

Hebrew & Arabic words in the "Zohan" movie

  • Jun. 15th, 2008 at 3:15 PM
Last night, I saw Adam Sandler's movie "You Don't Mess with the Zohan". The comedy was hilarious at many points but rude, crude, and literally "cheeky" at other points. (It has some scenes not for the prudish nor for children.) Not a great movie but I got enough good laughs to be satisfied.

Rather than going into a detailed review of the film, I figure I can do more good by giving a glossary for some of the Arabic (A), Hebrew (H), and Yiddish (Y) words & references I recollect from the movie.

  • Abba (H) - Father, Daddy
  • Boker tov (H) - Good morning.
  • Fattoush (A) - A Middle Eastern salad. (One of the characters turns out to have been named Fattoush. I wonder if the joke was that it sounded like "fat tush" or that it was akin to a US tough guy named "tatter salad". Maybe both.<g>)
  • Feygeleh (Y) - "Little bird", often slang reference to a male homosexual.
  • Imma / Eemma (pronounced like "ee-mah") (H) - Mother, Mum
  • ShabaH (A) - Phantom. "The Phantom" character often wore a maroonish headband with the word written in Arabic: شبح
    [Note below on movie head gear texts.]
  • Sharmuta (A) - Slang for "whore" or "skank". The expletive was uttered by one of the hair stylists as she was hanging up the phone. (The word has also been picked up by Israeli Hebrew slang.)
If you recollect any other Arabic or Hebrew words from the Zohan movie that I missed, let me know.

ADDITIONS & UPDATES (as of 26 June 2008)

Transliteration note: I use an upper case "H" to represent the "ح" in Arabic. There isn't an equivalent sound in English. It is an emphatic "h" sound that some describe as the sound you might make if you just swallowed something really hot or spicy.

  • Sheket (H) - Quiet; shut up.
  • Arabic numbers as in reciting a phone number. One of the gags involved a character giving a phone number in Arabic. The way he says them is what's funny, independent of knowing exactly what he said. (I'm not going to give away the joke itself.) Anyway, here are the numbers 0 through 9 in Arabic:
    0. Sifr (By the way, we get the word "cipher" from this word.)
    1. WaaHid
    2. Ithnaan
    3. Thalaatha
    4. 'Arba'a
    5. Khamsa
    6. Sitta
    7. Sab'aa
    8. Tamaaniya
    9. Tis'aa

"Don't Mess with the Yonatan,"
Jonathan "J.D." Abolins

PS.: The cleverest headgear text gag I ever saw was on the "Blazing Saddles" movie poster. It depicted Mel Brooks wearing a Sioux chief's war bonnet and the beadwork said "כשר לפסח" ("Kasher LePesach", "kosher for Passover" in Hebrew).

I had mentioned Security & Privacy Day @ Stony Brook University in an earlier post, and I attended the conference. The slides from most of the presentations are now online on the event's speaker schedule.


[Chart] A chart from the paper "Spot me if you can: recovering spoken phrases in encrypted VoIP conversations" linked from Prof. Monrose's home page. The chart shows the overlap of Hungarian with some other languages.
One of the more interesting (to me) sessions was "Information Leakage in Encrypted Network Traffic" by Fabian Monrose of Johns Hopkins University. The presentation showed how variable bit rate (VBR) compression in VoIP carries over some hints of the audio waveforms before compression. The packet sizes vary in some resemblance to the waveforms and, from the packet sizes, it is possible to get clues about the encoded communications. It is possible to have a good go at identifying the language spoken in the VoIP communications and, in some cases, spot certain phrases. Interestingly, spoken Hungarian (Magyar) can look like Arabic, Czech, Turkish, and several other languages in the VBR analysis. Monrose said that some linguists are looking into why.

Unfortunately, the slides from this talk are not on the Security & Privacy Day 2008 site. But you can learn about the VoIP VBR analysis from Prof. Monrose's home page. Look under the papers for Encrypted Traffic.

Speaking of professors' home pages and their papers, I was checking out the home page for Prof. Rebecca Wright of Rutgers University. She was scheduled to speak on "Incentives for honestly announcing paths in BGP" but, instead, spoke on network privacy and some ways to maintain some privacy in the course of data mining. Prof. Wright's home page has links useful for people learning about the mathematics of cryptography and the application of cryptography. (The emphasis is heavy on the maths; not the place if you are merely looking to learn day-to-day practical applications, such as how to use GnuPG.) Besides her papers, check out the syllabi for her courses if you are trying to get an idea of how to study the underlying workings of modern cryptography.

J.D. Abolins

In the networked world, data breaches involving peoples' sensitive data are a big concern. One response is enacting data breach notification laws, such as California's SB 1386, and New Jersey's "Identity Theft Protection Act". (CSO Online has a US state-by-state overview of data breach notification laws.)

Out-Law.com has an opinion essay by Dr. Chris Pounder that caught my attention because it disagreed with the need for similar notification laws in the UK. Did the writer perceive data notification to be worthless?

Not at all. He supports data notification. No need for a new law because the Data Protection Act, along with recent changes in the law, already points to notification.

Dr. Pounder focuses upon the implications of the Act's Seventh Principle requirement for data handling organisations to maintain levels of security appropriate to the potential harm if the data were lost, stolen, etc. Among other things, this may imply encrypting sensitive data. Dr. Pounder concludes:
In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.

In other words, all the features of a security breach notification law are now found in existing data protection legislation.
Helpful. Now, do the data handling organisations know this?

For what it's worth, Wikipedia has an overview of the UK Data Protection Act (DPA) and the UK Information Commissioner's Office has some data protection guidance.

J.D. Abolins


From the xkcd site:



For a serious overview of the bug, see Bruce Schneier's post on the Random Number Bug in Debian Linux and an explanation at the Metasploit site. (By the way, I like the Dilbert comic at the Metasploit link.)

Randomly predictable,
J.D. Abolins

Via the Cryptome site, I learned about the Security & Privacy Day conference at Stony Brook University on New York's Long Island on Friday 30 May 2008. The event is free but they ask people to register in advance. I just signed up.

The sessions I particularly want to hear are:

Information Leakage in Encrypted Network Traffic (14:45 - 15:15)
Invited speaker: Fabian Monrose of Johns Hopkins.
Description:
Over the past few years, Voice over IP (VoIP) has become an attractive alternative to more traditional forms of telephony. Naturally, with its increasing popularity in daily communications, practitioners are continually exploring ways to improve both the efficiency and security of this new communication technology. Unfortunately, while it is well understood that VoIP packets must be encrypted to ensure confidentiality, we show that simply encrypting packets may not be sufficient from a privacy standpoint. In this talk, we focus on information leakage in encrypted VoIP communications. In particular, we will show that when VoIP packets are first compressed with variable bit rate (VBR) encoding schemes to save bandwidth, and then encrypted with a length preserving stream cipher to ensure confidentiality, it is possible to determine the language spoken in the encrypted conversation, and more importantly, to spot arbitrary phrases of interest within the encrypted conversation. We will discuss the underlying reasons for the success of our techniques, and present a summary of our findings.
Simulating a Global Passive Adversary for Attacking Tor-like Anonymity Systems (16:30 - 17:00)
Invited speakers: Angelos Keromytis and Sambuddho Chakravarty, Columbia
Description:
We present a novel, practical, and effective mechanism for identifying the IP address of Tor clients. We approximate an almost-global passive adversary (GPA) capable of eavesdropping anywhere in the network by using LinkWidth, a novel bandwidth-estimation technique. LinkWidth allows network edge-attached entities to estimate the available bandwidth in an arbitrary Internet link without a cooperating peer host, router, or ISP. By modulating the bandwidth of an anonymous connection (e.g., when the destination server or its router is under our control), we can observe these fluctuations as they propagate through the Tor network and the Internet to the end-user's IP address. Our technique exploits one of the design criteria for Tor (trading off GPA-resistance for improved latency/bandwidth over MIXes) by allowing well-provisioned (in terms of bandwidth) adversaries to effectively become GPAs. Although timing-based attacks have been demonstrated against non-timing-preserving anonymity networks, they have depended either on a global passive adversary or on the compromise of a substantial number of Tor nodes. Our technique does not require compromise of any Tor nodes or collaboration of the end-server (for some scenarios). We demonstrate the effectiveness of our approach in tracking the IP address of Tor users in a series of experiments. Even for an under-provisioned adversary with only two network vantage points, we can accurately identify the end user (IP address) in many cases. Furthermore, we show that a well-provisioned adversary, using a topological map of the network, can trace-back the path of an anonymous user in under 20 minutes. Finally, we can trace an anonymous Location Hidden Service in approximately 120 minutes.

J.D. Abolins

Last Thursday, a federal grand jury in California indicted a Missouri woman, Lori Drew, for her alleged role in a MySpace hoax directed against a 13-year-old neighbour, Megan Meier. Meier was distressed by the hoax and committed suicide in October 2006. CNN has a story about the case and the indictment [pdf].

The charges revolve around the claim that Drew accessed protected computers without authorisation. The indictment cites 18 U.S.C. 1030 sections (a)(2)(C) and (c)(2)(B)(ii). Did Drew "hack into" a MySpace account to get information?

Not in the usual sense. The act of creating an account in the name of a non-existent person in violation of MySpace's terms of service (ToS) and using that account to communicate with the victim was deemed to be the unauthorised access. This is quite a stretch.

Orin Kerr's posting on The Volokh Conspiracy explains three hurdles for the prosecutors and why the indictment should be dismissed. Kerr also makes a reference to his NYU Law Review article, Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes.

Daniel J. Solove also has been commenting on the case & indictment. Solove has also posted on a misguided response to the case by Missouri legislators. The summary for Missouri bill SB 818 to modify laws concerning stalking & harassment says:
Currently, the crime of harassment includes communications meant to frighten or disturb another person. Under this act, communications conducted to knowingly frighten, intimidate, or cause emotional distress to another person are included. Harassment includes communications by any means.

Harassment includes knowingly using unwanted expressions that put the person in reasonable apprehension of offensive physical contact or harm or knowingly making unwanted communications with a person.

A person also commits harassment:

1) By knowingly communicating with another person who is, or who purports to be, seventeen years of age or younger and in so doing, and without good cause, recklessly frightens, intimidates, or causes emotional distress to such other person; or

2) By engaging, without good cause, in any other act with the purpose to frighten, intimidate, or cause emotional distress to another person, cause such person to be frightened, intimidated, or emotionally distressed, and such person's response to the act is one of a person of average sensibilities considering the person's age.

[...]

This act expands the crime of stalking to include any course of conduct with two or more acts over a period of time that is communicated by any means. A "credible threat" includes those made with the intent to cause the person who is the target to reasonably fear for his or her family's safety or family's pet's or livestock's safety, and not only his or her own safety.

Under this act, the definition of "harasses" is modified to include conduct directed at a specific person that serves no legitimate purpose, that would cause a reasonable person to be frightened or intimidated, as well as emotionally distressed. A person need only harass a person purposely, rather than purposely and repeatedly, to commit the crime of stalking or aggravated stalking.
Solove explains how this attempt to address a difficult problem with awkwardly crafted legislation could have a chilling effect upon speech. He gives a scenario showing also how many children could easily become criminals under this legislation:
Consider the following case: Child 1 teases Child 2 by saying that he's a "nerd." Child 2 starts to cry. Child 1 repeats the insult. Child 1 has knowingly communicated with Child 2 and without good cause, has recklessly caused that child emotional distress. Yup, let's charge Child 1 with a crime and all other children of his or her ilk. Let's have Missouri start building jails, so it can lock up all those children who insult, frighten, or cause emotional distress to each other.
Good example.

By the way, the Missouri bill states "This act shall not apply to activities of law enforcement officers conducting investigations." OK, it helps the police, but what about others whose activities might risk being interpreted as violations? For example, the modification of the verb "harasses" to include "conduct directed at a specific person that serves no legitimate purpose, that would cause a reasonable person to be frightened or intimidated, as well as emotionally distressed" leaves much uncertainty as to what might be a violation.

Much would hinge upon interpretation of what constitute legitimate purposes. Investigative reporters may cause emotional distress in some cases. Perhaps print, radio, and TV journalists would be generally safe. But what about online media journalists and content creators?

J.D. Abolins
NOTE: I am not an attorney and my ponderings upon the law should not be taken as expert advice.

I figured an end user licence agreement (EULA) was bound to appear in the malware market as the tools were moving towards financial profit goals. Years ago, I had joked that someday a malware author would be in court for two cases involving his code: one as a defendant in a computer offence case and the other as a plaintiff in a copyright case against somebody violating the code's licence agreement.

The dual court cases haven't yet happened, but the Symantec Security Response Weblog has reported a EULA found in the help files for the "Zeus" malware package.

[Screenshot] A screenshot of the Russian language EULA from the Symantec Weblog.

Symantec translates the Client agreement as saying pretty much what most EULAs state minus the "bot" references:

  1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
  2. May not disassemble / study the binary code of the bot builder.
  3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
  4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
  5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.
Interestingly, while item 4 prohibits the user from sending the product's code to anti-virus firms, the section afterwards, the one in the red box in the screenshot, states: "In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies." This is perhaps the first malware tool to use AV firms as de facto enforcers of the EULA.

By the way, this might not be the first malware EULA. Some people have pointed out that Sony's digital rights management XCP rootkit had a EULA. <wink>

The Zeus EULA matter is also being reported by various tech news sites, including OUT-LAW, Slashdot, and Ars Technica.

At non-open source software funerals, do they give a EULAgy? <groan>.
J.D. Abolins


It's spring again and, among other things, it's time for another password security survey by the organisers of the Infosecurity Europe conference. These surveys, usually conducted near London railway stations by people posing as market researchers, provide interesting glimpses into how readily people can be social engineered. The survey results are useful for security awareness anecdotes.

This year's survey of 576 office workers taken outside of the Liverpool Street station found the portion of workers revealing their passwords dropped from 64% to 21%. As in some other years, the researchers offered chocolate for taking the survey.

The researchers also asked people for their names and phone numbers so they could be entered in a drawing for a trip to Paris. About 60% of the workers gave their contact information. Such disclosures can be useful for future social engineering. The information, along with a few other personal details, can be useful for identity-linked fraud.

Some thoughts on these surveys:
  • Could the drop in people revealing passwords reflect London area office workers hearing stories about the past survey results? That's good if they are cautious with social engineering in general. Not so good if they are cautious only with market surveys conducted near railway stations.
  • What's to keep some of the office workers from social engineering the researchers for chocolate? There isn't a legally practical way in this type of survey to verify whether the user IDs and passwords are real ones.
  • The value of contact & general biographical info for identity-linked fraud appears to me to differ between the US and many other countries. In the US, the Social Security Number is highly useful for fraud because the social insurance number is used as both an identifier and as a verifier. That's not the case in many other countries. There, general biographical info can be more valuable to thieves than it is in the States. Meanwhile, as US people are being educated to be cautious with their SSNs, they may overlook the value of other personal info.
One of the most memorable anecdotes from one of the surveys was this exchange between a researcher and an office manager reported in a 2003 Register article:
One interviewee said, "I am the CEO, I will not give you my password - it could compromise my company's information".

A good start, but then the company boss blew it. He later said that his password was his daughter's name.

What is your daughter's name, the interviewer cheekily asked.

He replied without thinking: "Tasmin".
Nice!

J.D. Abolins

I was reading tonight on the informative Fraud, Phishing, and Financial Misdeeds blog that Attrition.org might be calling it quits for their Data Loss Database - Open Source (DLDOS). <FIN> Bummer!

Looking at Attrition.org's current news, perhaps the news of DLDOS's demise might be premature after all.

They have another news item, dataloss: A new beginning. saying they will be continuing DLDOS <SYN>. (By the way, I looked at the "partner" site mentioned in the last paragraph and see it's a ripping, somewhat risqué spoof.) As I am writing this post, I see that the current version of DLDOS database was updated Sunday 13 April 2008. Ctrl-Z my "Bummer" comment above.

Another good resource for data loss incidents is the Privacy Rights Clearinghouse's Chronology of Data Breaches.

J.D. Abolins

USENIX speaker: RFIDs often misunderstood

  • Apr. 14th, 2008 at 10:20 PM
News.com's "Defense in Depth" reports on a presentation at the USENIX Usability, Psychology and Security Conference (UPSEC) 2008. Andrew McDiarmid of the University of California, Berkeley spoke about the way people perceive RFIDs (radio frequency IDs) in day-to-day life.

Many of the novices surveyed by McDiarmid and Jennifer King had no idea how RFID tokens, such as access control cards and contactless credit cards, work. Some used terms such as "magic" and "witchcraft" to describe their impressions of how RFIDs work. If the tokens didn't work, they had no idea why. A common perception among the novices was that RFID readers have to give feedback, such as a beep, when the token is read. They did not realise that silent, stealthy reads are possible. The more advanced users surveyed did have a much better understanding of RFIDs, including how to shield RFIDs from readers.

The researchers' paper, Radio Silence: Security, Privacy, and User Misunderstandings of RFID, is available online in HTML and PDF.

By the way, the USENIX UPSEC conference Web site has some other interesting papers, including:
  • Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model about the OLPC XO's Bitfrost security approach.
  • iPhish: Phishing Vulnerabilities on Consumer Electronics
  • Simson Garfinkel's IRBs and Security Research: Myths, Facts and Mission Creep, examining a particular legal issue faced by security researchers studying human factors. The issue is the body of regulations covering the use of human subjects in research.

J.D. Abolins

The Universal Cyrillic Decoder site:
http://2cyr.com/decode/?lang=en

Handy if you need to do things such as convert a KOI8-R Russian text attachment into Unicode UTF-8. Recently, I was examining several Russian language spam emails and needed to do that. I found the above site via Google and it did the trick.

Looking around the site at http://2cyr.com/, I found some other good tools for working between Latin and Cyrillic alphabets. (About the only things it doesn't do are the Volapuk, Translit, or Russian Chat Alphabet encodings used to handle Cyrillic in Latin-only applications.) You may have to read the documentation and experiment a bit to figure it out, but I found it worth the effort. Apparently, the JavaScript used for some of the tools can be used on one's own site under certain conditions. Unfortunately for me, the project's site is written in Bulgarian and I have yet to get a translation.
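If you would rather not paste a suspicious attachment into a web form, the same KOI8-R to UTF-8 conversion can be done offline with Python's built-in codecs. The following is an added example of my own, not code from 2cyr.com; it goes one step beyond the conversion above by guessing which common Cyrillic encoding a byte string uses, the way a "universal decoder" does. The heuristic (prefer the candidate decoding that yields mostly lowercase Cyrillic letters and printable ASCII, and penalise box-drawing and stray symbols) and the function names `score_text`, `guess_cyrillic_encoding` and `to_utf8` are my own assumptions; the sample bytes are constructed in the block by encoding a short Russian phrase.

```python
# Added example: offline Cyrillic encoding guessing and KOI8-R -> UTF-8 conversion.
# Not the 2cyr.com code; the scoring heuristic below is an assumption of this example.

# Single-byte Cyrillic encodings commonly seen in Russian-language mail, plus UTF-8.
CANDIDATES = ("utf-8", "koi8-r", "cp1251", "cp866", "iso8859-5")


def score_text(text: str) -> float:
    """Score how much a decoded string looks like ordinary Russian text.

    Lowercase Cyrillic and printable ASCII count fully, uppercase Cyrillic
    counts half (KOI8-R read as CP1251, and vice versa, flips the case of
    every letter, so the wrong decoding comes out mostly uppercase), and
    anything else (box-drawing from CP866, control characters, stray
    symbols) is penalised.
    """
    score = 0.0
    for ch in text:
        o = ord(ch)
        if 0x0430 <= o <= 0x044F or ch == "\u0451":      # а-я, ё
            score += 1.0
        elif 0x0410 <= o <= 0x042F or ch == "\u0401":    # А-Я, Ё
            score += 0.5
        elif ch.isascii() and (ch.isprintable() or ch.isspace()):
            score += 1.0
        else:
            score -= 1.0
    return score / max(len(text), 1)


def guess_cyrillic_encoding(data: bytes) -> tuple[str, str]:
    """Try each candidate codec strictly and return (encoding, decoded text)
    for the candidate whose output scores highest. Candidates that cannot
    decode the bytes at all (e.g. UTF-8 on KOI8-R input) are skipped."""
    best = None
    for enc in CANDIDATES:
        try:
            text = data.decode(enc)        # strict: invalid sequences raise
        except UnicodeDecodeError:
            continue
        s = score_text(text)
        if best is None or s > best[0]:
            best = (s, enc, text)
    if best is None:
        raise ValueError("no candidate encoding decodes the input")
    return best[1], best[2]


def to_utf8(data: bytes, encoding: str) -> bytes:
    """Re-encode a byte string from a known source encoding to UTF-8."""
    return data.decode(encoding).encode("utf-8")


# Constructed sample input: the same phrase in two encodings an analyst
# might meet in a mail attachment.
SAMPLE_KOI8R = "Привет, мир".encode("koi8-r")
SAMPLE_CP1251 = "Привет, мир".encode("cp1251")

if __name__ == "__main__":
    for blob in (SAMPLE_KOI8R, SAMPLE_CP1251):
        enc, text = guess_cyrillic_encoding(blob)
        print(f"{enc:10s} {to_utf8(blob, enc)!r}  ->  {text}")
```

The case-flip property is what makes the heuristic work: the KOI8-R and CP1251 letter ranges overlap byte-for-byte, so a pure "is it Cyrillic?" test would tie, but only the correct decoding yields normal mixed-case text. Truncated or very short inputs may still guess wrong, so treat the result as a starting point and check it against the message's own charset header where one exists.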

Here are some other Russian-related references on Wikipedia I've come across lately:

Faking my Cyrillic,
J.D. ДВФLIИS
