MIRLN --- 6-26 Nov 2016 (v19.16)

MIRLN --- 6-26 Nov 2016 (v19.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Understanding footnote 14: NSA lawyering, oversight, and compliance (Lawfare, 7 Oct 2016) - In 2009, the government notified the Foreign Intelligence Surveillance Court (FISC) of a serious issue in the design and description of the National Security Agency’s (NSA) Business Records metadata program. In short, the NSA had implemented a part of that program using an erroneous interpretation of the term “archived data” that appeared in the court’s order. An inadvertent mistake in later reports to the FISC concealed the fact of the misinterpretation, which was incorporated into multiple reports over time. Readers are likely aware of the incident, which has become a persistent reference point for NSA’s most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that “NSA lawyers routinely lie, even to the secret rubber stamp FISA court”; another cited it in claiming DOJ’s attorneys made “misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets” and that “NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.” These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight. As people who served in the NSA during and after the time of this particular incident, we seek to offer a fuller account of this episode. [ Polley : On 14 Nov Bruce Schneier wrote about this story: “Former NSA attorneys John DeLong and Susan Hennessay have written a fascinating article describing a particular incident of oversight failure inside the NSA. Technically, the story hinges on a definitional difference between the NSA and the FISA court meaning of the word “archived.” (For the record, I would have defaulted to the NSA’s interpretation, which feels more accurate technically.) But while the story is worth reading, what’s especially interesting are the broader issues about how a nontechnical judiciary can provide oversight over a very technical data collection-and-analysis organization—especially if the oversight must largely be conducted in secret. In many places I have separated different kinds of oversight: are we doing things right versus are we doing the right things? This is very much about the first: is the NSA complying with the rules the courts impose on them? I believe that the NSA tries very hard to follow the rules it’s given, while at the same time being very aggressive about how it interprets any kind of ambiguities and using its nonadversarial relationship with its overseers to its advantage. The only possible solution I can see to all of this is more public scrutiny. Secrecy is toxic here."]

top

Adobe Voco ‘Photoshop-for-voice’ causes concern (BBC, 7 Nov 2016) - Adobe unveiled Project Voco last week. The software makes it possible to take an audio recording and rapidly alter it to include words and phrases the original speaker never uttered, in what sounds like their voice. One expert warned that the tech could further undermine trust in journalism. Another said it could pose a security threat. However, the US software firm says it is taking action to address such risks. At a live demo in San Diego on Thursday, Adobe took a digitised recording of a man saying “and I kissed my dogs and my wife” and changed it to say “and I kissed Jordan three times”. The edit took seconds and simply involved the operator overtyping a transcript of the speech and then pressing a button to create the synthesised voice track. “We have already revolutionised photo editing. Now it’s time for us to do the audio stuff,” said Adobe’s Zeyu Jin, to the applause of his audience. He added that to make the process possible, the software needed to be provided with about 20 minutes-worth of a person’s speech.

top

Lawyers may not use ‘web bugs’ to track email sent to opposing counsel, ethics opinion says (ABA Journal, 8 Nov 2016) - Lawyers should not plant “web bugs” to track the location and use of emails sent to opposing counsel, according to an Alaska ethics opinion. The Alaska Bar Association Ethics Committee is the second bar panel to address the issue, according to the ABA BNA Lawyers’ Manual on Professional Conduct . An ethics opinion by the New York State Bar Association also found web bugs are not ethically permissible. The Oct. 26 opinion by the Alaska ethics committee said web bugs in emails can track a variety of information. They can be used to learn when and how often an email was opened, how long it was reviewed, how long an attachment was reviewed, whether the email or attachment was forwarded, and the rough geographical location of the recipient. Web bugs can reveal information that interferes with the lawyer-client relationship and the preservation of client confidences, the ethics opinion said. Seeking to invade the lawyer-client relationship through web bugs, even if the web bug is disclosed, violates ethics rules barring lawyers from engaging in misrepresentation and deceit, according to the opinion. The ethics opinion provides two examples of how web bugs can intrude on the attorney-client relationship.

top

- and -

Beware of sites importing your contacts, and watch your social media comments, ethics opinions say (ABA Journal, 21 Nov 2016) - The ethics committee of the District of Columbia Bar is advising lawyers about some social media dangers in two ethics opinions released this month. Many issues addressed in the opinions have been widely explored in ethics opinions in other jurisdictions, but a couple of topics haven’t gotten much treatment in prior opinions, according to the ABA BNA Lawyers’ Manual on Professional Conduct . The D.C. opinions are here and here . One “apparently novel warning” is about lawyers who take positions on legal issues when blogging or tweeting, according to the ABA BNA Lawyer’s Manual. The ethics opinion says a lawyer’s positions on social media could be adverse to the interest of a client, inadvertently creating a conflict. Those online positions could violate a D.C. ethics rule that prevents lawyers from representing clients if their professional judgment will be, or reasonably may be, adversely affected by a lawyer’s own financial, property or personal interest, the ethics opinion says. Another new topic addressed is about the danger of allowing social media websites such as LinkedIn to access email contacts. Such access can allow a social media site to suggest potential connections with people the lawyer may know who are already members of the website, or to invite nonmembers to join and connect with the lawyer, explains D.C. Bar Ethics Opinion 370 . “However, in many instances, the people contained in a lawyer’s address book or contact list are a blend of personal and professional contacts,” according to the opinion. “Contact lists frequently include clients, opposing counsel, judges and others whom it may be impermissible, inappropriate or potentially embarrassing to have as a connection on a social networking site. … For attorneys, these connection services could potentially identify clients or divulge other information that a lawyer might not want an adversary or a member of the judiciary to see or information that the lawyer is obligated to protect from disclosure.”

top

How Facebook, Twitter helped lead Trump to victory (AdAge, 9 Nov 2016) - America just endured its first presidential election in which the majority of the electorate got its news from social media. And the outcome is already prompting soul searching by the companies that shaped it. Facebook will have to contend with mounting dissatisfaction over its role as the most widely used news filter in history. Forty-four percent of American adults get their media through the site, many consuming news from partisan sources with which they agree. The proliferation of fake news on Facebook has also been a problem: false stories about the Clinton family committing murder and Huma Abedin being a terrorist flew fast and furious despite refutations from responsible news organizations. Those stories shaped public opinion, said Ed Wasserman, the dean of the University of California, Berkeley Graduate School of Journalism. “This is a landmark,” he said. “Trump was able to get his message out in a way that was vastly influential without undergoing the usual kinds of quality checks that we associate with reaching mass public. You had a whole set of media having influence without really having authority. And the media that spoke with authority, the authority that comes after careful fact checking, didn’t really have the influence.”

top

- and -

This analysis shows how fake election news stories outperformed real news on Facebook (Buzzfeed, 16 Nov 2016) - In the final three months of the US presidential campaign, the top-performing fake election news stories on Facebook generated more engagement than the top stories from major news outlets such as the New York Times, Washington Post, Huffington Post, NBC News, and others, a BuzzFeed News analysis has found. During these critical months of the campaign, 20 top-performing false election stories from hoax sites and hyperpartisan blogs generated 8,711,000 shares, reactions, and comments on Facebook. Within the same time period, the 20 best-performing election stories from 19 major news websites generated a total of 7,367,000 shares, reactions, and comments on Facebook. (This analysis focused on the top performing link posts for both groups of publishers, and not on total site engagement on Facebook. For details on how we identified and analyzed the content, see the bottom of this post. View our data here .) Up until those last three months of the campaign, the top election content from major outlets had easily outpaced that of fake election news on Facebook. Then, as the election drew closer, engagement for fake content on Facebook skyrocketed and surpassed that of the content from major news outlets. [ Polley : see also Call it a ‘crazy idea,’ Facebook, but you need an executive editor (Margaret Sullivan in WaPo, 20 Nov 2016)]

top

- and -

Tens of thousands join ‘Lawyers of the Left’ Facebook group, sign Bannon protest letter (ABA Journal, 22 Nov 2016) - A law professor and a legal marketer apparently struck a chord when they appealed to lawyers disappointed in the election results and with a key appointment by Donald Trump. Nearly 120,000 people had joined an invitation-only Facebook group called Lawyers of the Left as of Monday morning, Robert Ambrogi reports for Above the Law . More than 10,000 lawyers signed a letter within 48 hours that objected to the appointment of Breitbart News chief Stephen Bannon as chief White House strategist. Above the Law reports on Traci Feit Love, the Harvard law graduate and legal marketer who created the Facebook group, while Bloomberg Big Law Business spoke with a law professor who wrote the protest letter. Legal marketer Traci Feit Love says her initial goal was to find 150 lawyers to join her Facebook group. Her idea, she wrote, was hatched after she saw Facebook posts from lawyers who proposed positive action after the election. “I thought to myself: Why not create a small Facebook group where those action-minded lawyers could really start making a difference?” Love wrote. One of the Facebook group’s initial plans is to coordinate among members attending the Women’s March on Washington on the day after the inauguration. University of Denver law professor Nancy Leong wrote the protest letter with colleagues Lindsey Webb and Robin Walker Sterling. Her goal was to get a couple hundred lawyers to view and repost the letter. More than 10,000 lawyers had signed the letter in less than 48 hours. The letter calls on Congress to ask Trump to rescind Bannon’s appointment.

top

- and -

Call to Action lets you phone your Congressperson with just a tap (TechCrunch, 22 Nov 2016) - The U.S. election has inspired more people to become politically involved, and one of the most practical and direct ways to have an impact is to directly call your Congressperson to have your voice heard. However scouring .gov websites can be a little frustrating, and today’s current crop of online resources for reaching Congress are often poorly designed or hard to locate. A new online application , Call To Action , wants to help. With a simple user interface that’s accessible via the desktop or mobile web, Call To Action has a singular purpose: it makes it easy to find your representatives and place a phone call to their office. It even provides simple scripts to help you get started. However, Call To Action doesn’t currently take a political position, nor is it associated with any political action groups. As evidenced by its purple color scheme, its main goal is to simply make reaching out to your House reps more accessible. When you launch the Call To Action website, you’re prompted to enter in your home address, and the app will then locate your Congressional representative. As the website explains, because Congressional representatives serve fewer constituents than a Senator, calls to reps are more likely to be answered and hold more relative weight. Remarkably, Call To Action was a weekend project build by a team of ten, some friends and some strangers. Zack Shapiro, an iOS developer previously from Splash, had originally tweeted out the idea, and expressed his interest in building such a utility.

top

Yahoo admits some employees knew of massive hack in 2014 (CNET, 9 Nov 2016) - As any investigator can tell you, it’s not just what you knew, but when you knew it. On Wednesday, Yahoo admitted that not long after a hack in 2014 some of its employees were aware a state-sponsored hacker had breached its network. The revelation is sure to cast a larger shadow over Verizon’s $4.8 billion deal to acquire the company. Yahoo said in September that an investigation in August had uncovered the theft of personal information associated with at least a half billion Yahoo accounts, the biggest data breach in history. The company said at the time that it discovered the massive intrusion after a hacker claimed in August to have snatched 200 million Yahoo usernames and passwords in an earlier hack. But a Yahoo filing with the US Securities and Exchange Commission on Wednesday revealed that at least some people within the company were aware of the intrusion in 2014. “An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access,” Yahoo said in its filing. It wasn’t until the August probe, however, that the company got confirmation of the extent of the breach , a source with knowledge of the investigation said.

top

FTC issues data breach response guidance (Steptoe, 10 Nov 2016) - On October 25, the Federal Trade Commission (FTC) released a guide on data breach response, along with a video and business blog. The main guidance, entitled Data Breach Response, A Guide for Business, lays out some important steps for a swift and appropriate response when a data breach is suspected. Since the FTC is the primary judge in the United States of whether a company’s preparation for, and response to, a breach was “reasonable,” it would make sense for companies to incorporate the FTC’s guidance in their incident response plans.

top

- and -

NIST issues small business information security: the fundamentals (Ride the Lightning, 14 Nov 2016) - The title pretty much says it all. The November 2016 release of the NIST (National Institute of Standards and Technology) Small Business Information Security: The Fundamentals is welcome indeed. The document clocks in at 32 pages with several helpful appendices (including worksheets and sample policy and procedure statements) extending the length to 54 pages. Reading this document constitutes a good crash course for any small business. If you know you need to come up to speed with a very current document, here’s your opportunity.

top

Secret back door in some US phones sent data to China, analysts say (NYT, 15 Nov 2016) - For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence. International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature. Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’t have known about it,” he said.

top

‘Augmented Intelligence’ for higher ed (InsideHigherEd, 16 Nov 2016) - This company behind the Jeopardy!-winning computer, Watson, is now establishing itself in the adaptive and personalized learning markets. What is IBM? The company is partnering with a small number of hardware and software providers to bring the same technology that won a special edition of the game show back in 2011 to K-12 institutions, colleges and continuing education providers. The partnerships and the products that might emerge from them are still in the planning stage, but the company is investing in the idea that cognitive computing—natural language processing, informational retrieval and other functions similar to the ones performed by the human brain—can help students succeed in and outside the classroom. Chalapathy Neti, vice president of education innovation at IBM Watson, said education is undergoing the same “digital transformation” seen in the finance and health care sectors, in which more and more content is being delivered digitally. * * * IBM has been out of the personal computer market for more than a decade, and just as you no longer see any laptops branded with the “Big Blue” logo, the company won’t be releasing its own adaptive learning platform or learning management system. Instead, IBM is working with major companies to bring its technology to market. In higher education, IBM is at the moment working with Blackboard and Pearson on student retention and tutoring, respectively. Both education companies are this fall beginning to test a handful of early prototypes, exploring potential use cases and working with clients to learn what sort of software they are interested in. Pearson is testing what Angie McAllister, senior vice president of personalized learning and analytics, described as an “intelligent tutoring system.” As one of the major course material publishers in the market, Pearson controls a wealth of content, and it is testing IBM’s technology as a way to offer one-on-one tutoring using artificial intelligence.

top

French law on digital versions of out-of-print books flouts EU directive (ArsTechnica, 16 Nov 2016) - A French law that allows royalty collectors to authorise the publication of digital versions of out-of-print books is not compatible with the EU copyright directive, Europe’s top court has ruled. The Court of Justice of the European Union (CJEU) has ruled that authors must be informed about any plans to release their out-of-print books in this way so that they can object if they wish, and that the French law does not require this. The CJEU explained that currently “an approved collecting society, the SOFIA, is responsible for authorising the reproduction and communication, in digital form, of out-of-print books, it being understood that the authors of those books or their successors in title may oppose.” But the EU copyright directive says that “authors have the exclusive right to authorise or prohibit the reproduction and communication to the public of their works,” not collecting societies. Prior consent of authors to the use of their works can, under certain conditions, be expressed implicitly, the EU’s top court said. One requirement is that “every author must be informed of the future use of his work by a third party and of the means at his disposal to prevent it if he so wishes.” The problem with the French legislation, the CJEU ruled, was that it is possible that some of the authors affected are not made aware of the envisaged use of their works and, so are not able to adopt a position on it. “In those circumstances,” the court said, “a mere lack of opposition on their part cannot be regarded as the expression of their implicit consent to the use of their works.”

top

66% of organizations won’t recover after cyberattack, Ponemon study says (Tech Republic, 17 Nov 2016) - A recent study performed by IBM’s Resilient and the Ponemon Institute found that 66% of organizations would be unable to recover from a cyberattack. The results of the 2016 Cyber Resilient Organization study were released Wednesday, and show a decline in organizational resilience against cyberattacks. Of the respondents, 32% of IT and security professionals ranked their resilience as high. That same number was 35% in 2015, marking a drop over the past 12 months. A press release announcing the study defined resilience as “an organization’s ability to maintain its core purpose and integrity in the face of cyberattacks.” One of the biggest hindrances to effective security listed by respondents was the lack of a proper cyber security incident response plan (CSIRP). However, it should be noted that Resilient provides incident reporting services.

top

IRS demands identities of all US Coinbase traders over three year period (Motherboard, 18 Nov 2016) - In bitcoin-related investigations, authorities will often follow the digital trail of an illegal transaction or suspicious user back to a specific account at a bitcoin trading company. From here, investigators will likely subpoena the company for records about that particular user, so they can then properly identify the person suspected of a crime. The Internal Revenue Service, however, has taken a different approach. Instead of asking for data relating to specific individuals suspected of a crime, it has demanded bitcoin trading site Coinbase to provide the identities of all of the firm’s US customers who made transactions over a three year period, because there is a chance they are avoiding paying taxes on their bitcoin reserves. Coinbase has a total of millions of customers. According to court filings , which were first flagged by financial blogger Zerohedge on Twitter , the IRS has launched an investigation to determine the correct amount of tax that those who use virtual currencies such as bitcoin are obligated to pay. But according to the documents, the IRS is asking for the identities of any US Coinbase customer who transferred crypto-currency with the service between 2013 and 2015. (Although the site does allow the trade of alternative virtual currency Ethereum, it was not introduced until 2016 , so it is outside the scope of this IRS request.)

top

UK Parliament approves unprecedented new hacking and surveillance powers (The Intercept, 22 Nov 2016) - A few years ago, it would have been unthinkable for the British government to admit that it was hacking into people’s computers and collecting private data on a massive scale. But now, these controversial tactics are about to be explicitly sanctioned in an unprecedented new surveillance law. Last week, the U.K.’s Parliament approved the Investigatory Powers Bill, dubbed the “Snoopers’ Charter” by critics. The law, which is expected to come into force before the end of the year, was introduced in November 2015 after the fallout from revelations by National Security Agency whistleblower Edward Snowden about extensive British mass surveillance. The Investigatory Powers Bill essentially retroactively legalizes the electronic spying programs exposed in the Snowden documents - and also expands some of the government’s surveillance powers. Perhaps the most controversial aspect of the new law is that it will give the British government the authority to serve internet service providers with a “data retention notice,” forcing them to record and store for up to 12 months logs showing websites visited by all of their customers. Law enforcement agencies will then be able to obtain access to this data without any court order or warrant. In addition, the new powers will hand police and tax investigators the ability to, with the approval of a government minister, hack into targeted phones and computers. The law will also permit intelligence agencies to sift through “bulk personal datasets” that contain millions of records about people’s phone calls, travel habits, internet activity, and financial transactions; and it will make it legal for British spies to carry out “ foreign-focused ” large-scale hacks of computers or phones in order to identify potential “targets of interest.”

top

- and -

The FBI hacked over 8,000 computers in 120 countries based on one warrant (Motherboard, 22 Nov 2016) - In January, Motherboard reported on the FBI’s “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger. In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case. The figures illustrate the largest ever known law enforcement hacking campaign to date, and starkly demonstrate what the future of policing crime on the dark web may look like. This news comes as the US is preparing to usher in changes that would allow magistrate judges to authorize the mass hacking of computers, wherever in the world they may be located. “We have never, in our nation’s history as far as I can tell, seen a warrant so utterly sweeping,” federal public defender Colin Fieman said in a hearing at the end of October, according to the transcript. Fieman is representing several defendants in affected cases. Those cases revolve around the FBI’s investigation into dark web child pornography site Playpen. In February 2015, the FBI seized the site, but instead of shutting it down, the agency ran Playpen from a government server for 13 days. However, even though they had administrative control of the site, investigators were unable to see the real IP address of Playpen’s visitors, because users typically connected to it through the Tor network. In order to circumvent that anonymity, the FBI deployed what it calls a network investigative technique (NIT), or a piece of malware. That malware, which included a Tor Browser exploit, broke into the computer of anyone who visited certain child pornography threads on Playpen. It then sent the suspect’s real IP address back to the FBI. According to court filings , the FBI obtained over 1,000 IP addresses of alleged US-based users. Over the past year, Motherboard has also found that the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey, and Norway too . But, those are only a tiny handful of countries in which the FBI was hacking computers. According to the newly published transcript, the FBI hacked computers in at least 120 countries. “The fact that a single magistrate judge could authorize the FBI to hack 8000 people in 120 countries is truly terrifying,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU) told Motherboard in a phone call. (Soghoian has testified for the defense in Playpen cases).

top

Now’s the time for courts to accept digital signatures (LegalTech News, 23 Nov 2016) - Digital processes are quickly replacing manual ones across the country. However, the judicial system sometimes throws a wrench in those digital gears, and it could have ramifications for a society that increasingly desires to embrace technology for just about everything. A California lawyer was recently sanctioned by a bankruptcy court judge for using electronic signatures on a bankruptcy petition instead of handwritten, wet-ink signatures. The Electronic Signatures in Global and National Commerce (ESIGN) Act, which went into effect in 2000, permitted e-signatures to be legally accepted in commercial affairs-but it didn’t specifically include usage in the courts. As such, the judge stated that, although electronic signatures are accepted in commercial dealings, they may not substitute wet signatures on documents filed with the court. Moreover, the judge stated there was not sufficient means to prove the legitimacy of a document’s electronic signature, so the signature didn’t “protect the integrity of the documents filed in bankruptcy cases .” The attorney’s client signed a declaration stating the signature on the bankruptcy petition was indeed his intended signature. But the judge found that if the electronic signature contained sufficient evidence and complied with the court’s rule, the declaration wouldn’t be necessary. [ Polley : Spotted by MIRLN reader Mike McGuire ]

top

RESOURCES

Final papers posted from the George Washington Law Review’s CFAA symposium (Orin Kerr, 21 Nov 2017) - Last year, the George Washington Law Review hosted a symposium on the controversial Computer Fraud and Abuse Act . I was honored to be the faculty adviser to the symposium. I’m happy to say that the final papers have been posted on the Law Review’s website. Here are the papers in order they appear in the issue:

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Computer crime costs $67 billion, FBI says (CNET, 19 Jan 2006)—Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI. The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. “This would be 2.8 million U.S. organizations experiencing at least one computer security incident,” according to the 2005 FBI Computer Crime Survey. “With each of these 2.8 million organizations incurring a $24,000 average loss, this would total $67.2 billion per year.” By comparison, telecommunication fraud losses are about only $1 billion a year, according to the U.S. Secret Service. Also, the overall cost to Americans of identity fraud reached $52.6 billion in 2004, according to Javelin Strategy & Research. Other surveys have attempted to put a dollar amount on cybersecurity damages in the past, but the FBI believes its estimate is the most accurate because of the large number of respondents, said Bruce Verduyn, the special agent who managed the survey project. “The data set is three or four times larger than in past surveys,” he said. “It is obviously a staggering number, but that is the reality of what we see.”

top

Vulnerability auctions killing responsible disclosure (ZDnet, 19 July 2006)—More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them “responsibly” to the vendor whose products are affected. At a breakfast briefing organised by e-mail security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting. “I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under “responsible disclosure” or pay off my mortgage, which one do I choose? Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder. “The economy on the market place is facilitating the sale of everything you want from custom Trojans to rootkit and moving through to things like vulnerabilities, which are a marketable commodity,” said Ingram. Last week, security firm Finjan published evidence, which was compiled by the company’s Malicious Code Research Centre, that showed examples of vulnerabilities being sold online. Finjan’s chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand—and therefore the price—goes up.

top