MIRLN—- 8-28 July 2018 (v21.10)

MIRLN—- 8-28 July 2018 (v21.10)—- by Vince Polley and KnowConnect PLLC




ABA attendees at the Chicago annual meeting next week may want to attend a showcase program (August 4 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. ” Cybersecurity Wake-up Call: The Business You Save May Be Your Own.” Info here . See you there!


In world first, Danish court rules stream-ripping site illegal (Torrent Freak, 10 July 2018) - While millions of users still obtain pirate music from peer-to-peer platforms such as BitTorrent, in recent years a new challenge has appeared on the horizon. Sites like YouTube, which offer millions of copies of almost every song imaginable, are now an unwitting player in the piracy ecosystem. Every day, countless people use special tools to extract music from video tracks before storing them on their local machines. This so-called ‘stream-ripping’ phenomenon is now cited as being one of the greatest piracy threats to the record labels but thus far, no single action has been able to stem the tide. Over in Denmark, however, there has been a breakthrough of sorts following action by local anti-piracy outfit RightsAlliance taken on behalf of IFPI, collecting society KODA , the Danish Artist Union , and the Danish Musicians Association . The action targeted Convert2MP3 , a site that allows users to download audio and video from platforms including YouTube. The recording industry groups wanted the stream-ripping platform blocked by Internet service providers in Denmark but first, they needed it to be declared illegal in the country. That decision came last week from a court in Frederiksberg. * * * top

US government drops prohibition on files for 3D printed arms (Volokh Conspiracy, 10 July 2018) - Last week the U.S. Department of Defense and U.S. Department of State settled a lawsuit and agreed to end their prior restraint of distribution of computer files for the production of 3D printed firearms. The “International Traffic in Arms Regulations (ITAR)” are a collection of regulations covering the export of military weapons from the United States. The regulations are based on the 1976 Arms Export Control Act. The ITAR export controls apply to all arms on the U.S. Munitions List [“USML”], which is created by the State Department. An ITAR export permit costs at least $2,250 annually. Starting in 2012, the Department of Defense issued regulations asserting that many U.S. gunsmiths are required to obtain ITAR export permits even if they never export anything. Details are available on the website of Prince Law Offices, P.C., which specializes in firearms commerce regulation. Under the Obama administration, the U.S. Munitions List grew to include many ordinary firearms, as well as the computer files for 3D printing of ordinary firearms. In 2015, a lawsuit against the ban on distributing 3D printing files within the U.S. was brought by the Second Amendment Foundation (a civil rights litigation organization) and by Defense Distributed (a producer of 3D printing files). Plaintiffs’ attorneys included Alan Gura (winner of the Heller and McDonald cases) and Josh Blackman (law professor at South Texas College of Law). There were many arguments in the case, but the principle one was that ban constituted a prior restraint of speech, contrary to the First Amendment. The plaintiffs sought a preliminary injunction against the restraint on speech. The U.S. government prevailed in the District Court, and before a Fifth Circuit panel. A petition for rehearing en banc was rejected by a 9-5 vote. Fifth Circuit Judges voting to grant the petition were Jones, Smith, Clement, Owen, and Elrod. Voting against the petition were Stewart, Jolly, Dennis, Prado, Southwick, Haynes, Graves, Higginson, and Costa. In January 2018, the U.S. Supreme Court denied the petition for certiorari. The preliminary injunction having been utterly defeated, the next stage for the case was factual development in district court. In the view of attorney Alan Gura, the main reason for the loss on the preliminary injunction was reluctance to upset the status quo, rather than an expectation that the government could prevail on the merits of the First Amendment issue. Documents in the case are available here . In May 2018, the Trump administration proposed revising revise the ITAR regulations. The move for regulatory reform actually began under the Obama administration, but the proposed reforms were never published. Now they have been. Export controls for many ordinary firearms and accessories will be removed from the ITAR list. Exports of such items will instead by controlled by the Department of Commerce. Among the items remaining under the ITAR system are automatic firearms, firearms of greater than .50 caliber, magazines with more than 50 rounds, and sound moderators (a/k/a “silencers”). Non-automatic firearms of.50 caliber or less will no longer be covered under ITAR; among the firearms no longer under ITAR is the semiautomatic AR-15 rifle, the most common rifle in American history. Its typical calibers are .223 and .308—well under the new .50+ caliber rule. Accordingly, the government defendants revisited the Defense Distributed case. If a particular arm (e.g., the AR-15) is no longer part of ITAR, then it would be illogical for ITAR to be applied to instructions for making the arm. Under today’s settlement agreement, plaintiffs and others may freely publish 3D printing instructions for firearms that are not covered under ITAR. Restrictions on distribution of 3D printing information for items that are still under ITAR, such as machine guns or rifles over .50 caliber, remain in place. [ Polley : I.e., this is NOT a 1st Amendment case.] top

SEC probes why Facebook didn’t warn sooner on privacy lapse (WSJ, 12 July 2018) - Securities regulators are investigating whether Facebook Inc. adequately warned investors that developers and other third parties may have obtained users’ data without their permission or in violation of Facebook policies, people familiar with the matter said. The Securities and Exchange Commission’s probe of the social-media company, first reported in early July , follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump’s 2016 campaign, got access to information on millions of Facebook users. The SEC has requested information from Facebook as it seeks to understand how much the company knew about Cambridge Analytica’s use of the data, these people said. The agency also wants to know how Facebook analyzed the risk it faced if developers were to share data with others in violation of its policies, they added. The SEC, one of several government agencies investigating Facebook and its handling of user data, enforces securities laws governing what must be disclosed to shareholders so they can make informed investment decisions. It could close its investigation, which is in its early stages, without taking enforcement action against Facebook. top

Top voting machine vendor admits it installed remote-access software on systems sold to states (Motherboard, 17 July 2018) - The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said. ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company’s machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems. It’s not clear why ES&S would have only installed the software on the systems of “a small number of customers” and not all customers, unless other customers objected or had state laws preventing this. top

Businesses cannot contractually ban “abusive” consumer reviews (Eric Goldman, 17 July 2018) - An article recently posted to SSRN argues that the Consumer Review Fairness Act (CRFA) purportedly lets businesses contractually ban “abusive” reviews. If this is correct, it could affect millions of businesses and hundreds of millions of consumers. However, the article’s argument is clearly wrong, and this error exposes millions of businesses to potentially severe liability. This post explains why and how. Note: unavoidably, this blog post counterproductively draws greater attention to a bad argument. Because of the stakes, I concluded a public correction was, on balance, necessary. However, to reinforce my view that the article doesn’t merit your independent review, I’ve deliberately not identified the article’s author or title or linked to it (is there a blogging equivalent of subtweeting?). I recommend reading the article as “enthusiastically” as I “recommend” watching The Emoji Movie . TL;DR top

Ponemon Institute: Average cost of a data breach exceeds $3.8 million (Ride the Lightning, 19 July 2018) - The 2018 Cost of a Data Breach Study is available for download from IBM here . The study was done by the Ponemon Institute and IBM. This year’s study reports that the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% over the previous year to $148. IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation. As reported by VentureBeat, the study found that hidden costs in data breaches - such as lost business, negative impact on reputation and employee time spent on recovery - are difficult and expensive to manage. For example, the study found that a third of the cost of “mega breaches” (over 1 million lost records) were derived from lost business. And that is course why the C-Suite has nightmares about data breaches. The reputational damages can be extraordinary. In the past five years, the amount of mega breaches (breaches of more than 1 million records) has increased from nine mega breaches in 2013 to 16 mega breaches in 2017. Due to the small amount of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records. The vast majority of the mega-breaches (10 out of 11) were caused by malicious attacks rather than technical failures or human error. The average time to detect and contain a mega breach was 365 days - almost 100 days longer than a smaller scale breach (266 days). top

Cyber security advice issued to law firms in first legal threat report (GCHQ, 19 July 2018) - The NCSC’s first legal threat report has been issued to law firms. Law firms have been urged to follow expert cyber security guidance after a report published today (19 July) showed the scale of the threat they face. The National Cyber Security Centre (NCSC) has published its first report into the cyber threat to the UK legal sector, which reveals that more than £11 million of client money was stolen by cyber criminals between 2016-17. In the last year, 60% of law firms reported an information security incident - an increase of almost 20% from the previous 12 months. The report outlines clear and actionable guidance that firms can follow, such as how to defend your practice against phishing, reduce the risk of malware infection and take effective control of your supply chain. top

US energy regulator wants more disclosure of cyber attacks (Reuters, 19 July 2018) - The Federal Energy Regulatory Commission (FERC), an energy industry regulator, called for the power industry’s regulating body, the North American Electric Reliability Corp, to expand rules that require reporting of cyber security incidents to include attempts that might facilitate future efforts to disrupt the grid. FERC requested the increased disclosure after the administration of President Donald Trump blamed the Russian government in March for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid. That marked the first time the United States had publicly accused Moscow of hacking into American energy infrastructure. Current NERC rules only mandate reporting of cyber attacks if they compromise or disrupt a “core activity” toward maintaining the reliability of the electric grid, according to a 67-page report issued by FERC. That threshold “may understate the true scope of cyber-related threats” facing the industry, the report said. top

Some colleges cautiously embrace Wikipedia (Chronicle of Higher Ed, 19 July 2018) - Anna Davis remembers when people didn’t want to talk to her at academic conferences: “I had this woman one time who held her folder up over her head and was like, ‘Don’t let my department chair see me talking to you guys, but I’m so glad you’re here.’” Davis works for Wikipedia, the online encyclopedia that was once considered anathema to the academic mission. She’s director of programs for its higher-education-focused nonprofit arm, Wiki Education. Academics have traditionally distrusted Wikipedia, citing the inaccuracies that arise from its communally edited design and lamenting students’ tendency to sometimes plagiarize assignments from it. Now, Davis said, higher education and Wikipedia don’t seem like such strange bedfellows. At conferences these days, “everyone’s like, ‘Oh, Wikipedia, of course you guys are here.’” One initiative Davis oversees at Wiki Education aims to forge stronger bonds between Wikipedia and higher education. The Scholars program, which began in 2015, pairs academics at colleges with experienced Wikipedia editors. Institutions provide the editors with access to academic journals, research databases, and digital collections, which the editors use to write and expand Wikipedia articles on topics of mutual interest. A dozen institutions, including Rutgers University, Brown University, and the University of Pittsburgh, are participating. * * * Scholars’ skepticism about Wikipedia also stems from its community-authorship model, said Amanda Rust, a digital-humanities librarian at Northeastern University. Not all academics felt that way about Wikipedia in its fledgling days, but a critical mass perceived the online encyclopedia as a threat, Rust said. As Wikipedia has matured, however, that consensus began to shift. And students’ widespread use of Wikipedia has forced some cynics to acknowledge its role in higher education. “Whether or not you think a crowdsourced encyclopedia can work, that ship has sailed, and students are using it all the time,” Rust said. top

- and -

Flabbergasted Twitter trashes Forbes story that suggests replacing libraries with Amazon (Mashable, 23 July 2018) - There are bad takes, and then there’s the take by Forbes contributor Panos Mourdoukoutas (who also serves as Chair of the Department of Economics at Long Island University) that local libraries should be replaced by Amazon book stores . Among the reasons Mourdoukoutas offers are: libraries don’t have as many public events as they used to because of school auditoriums; people go to places like Starbucks to hang out and work and read now instead of their library; and because technology makes physical books obsolete. * * * [ Polley : wild idea, wild story, great Tweets/comments (some NSFW).] top

- and -

Growing role of Amazon in library acquisitions (InsideHigherEd, 23 July 2018) - Research on where academic libraries buy their books has revealed the increasingly important role of nontraditional vendors such as Amazon. A preliminary study , published last week by Ithaka S+R, found that Amazon was the second most popular venue through which academic libraries purchased books in 2017. GOBI Library Solutions, a popular acquisition-management platform, took the No. 1 spot. It controls nearly half of the market share. The research included data from 54 libraries at a range of institutions—from small private liberal arts colleges to public research universities. During 2017, these 54 libraries purchased 178,120 academic books. The clear majority of these were in print format (96 percent) rather than ebooks (4 percent). Ebooks were found to be significantly more expensive than print titles. In a blog post , Katherine Daniel, an analyst at Ithaka S+R, explained that the study was prompted by questions of whether libraries are really buying fewer books, or simply purchasing them in ways that are not currently captured in acquisition analyses. Further research will include data from large research institutions and will be published in a final report this fall. top

Public domain advocate gets appellate win in bid to publish copyrighted standards referenced in laws (ABA Journal, 19 July 2018) - A federal appeals court on Tuesday told a federal judge to reconsider whether the fair use doctrine allows a nonprofit to post technical standards created by private industry groups that are later referenced in government regulations. The U.S. Court of Appeals for the D.C. Circuit vacated injunctions that had prevented Public.Resource.org, known as PRO, from publishing copyrighted best-practice standards developed by six organizations. PRO had purchased copies of the technical standards that had been incorporated into laws, scanned them into digital files, and posted them online. Its founder, public domain advocate Carl Malamud, tweeted this about the appellate decision: “I bought the law, and the law won.” The appeals court ruled in a combined appeal of two lawsuits. A federal judge had ruled the standards organizations held valid and enforceable copyrights, and PRO failed to create a triable issue of fact on whether its publication of the materials constituted fair use. On appeal, PRO argued incorporation of the standards by reference make the works a part of the law, and the law can never be copyrighted. PRO asserted that allowing private ownership of the law is inconsistent with the First Amendment principle that citizens should be able to freely discuss the law and a due process notion that citizens must have free access to the law. PRO also argued that, even if the standards remain copyrighted, its copying qualifies as a fair use because it facilitates public discussion about the law. The appeals court said PRO “raises a serious constitutional concern,” but it is better to first address the fair use issue. The district court had concluded PRO distributed the standards to undermine the organizations’ ability to raise revenue. According to the appeals court, the record does not support that blanket conclusion. “Rather, by all accounts, PRO distributed these standards for the purpose of educating the public about the specifics of governing law,” the court said in an opinion by Judge David Tatel. In addition, Tatel said, the district court failed to account for the variation among the standards at issue and consider the legal status of each incorporated work. In a concurrence, Judge Gregory Katsas strongly supported PRO. “As a matter of common-sense, this cannot be right: access to the law cannot be conditioned on the consent of a private party, just as it cannot be conditioned on the ability to read fine print posted on high walls,” he wrote, referencing a book about the Roman emperor Caligula. PRO was represented by the Electronic Frontier Foundation, the law firm of Fenwick & West, and attorney David Halperin. An EFF press release is here . [ Polley : congrats, Carl.] top

The blockchain begins finding its way in the enterprise (TechCrunch, 23 July 2018) - the blockchain is in the middle of a major hype cycle at the moment, and that makes it hard for many people to take it seriously, but if you look at the core digital ledger technology, there is tremendous potential to change the way we think about trust in business. Yet these are still extremely early days and there are a number of missing pieces that need to be in place for the blockchain to really take off in the enterprise. Suffice it to say that it has caught the fancy of major enterprise vendors with the likes of SAP, IBM, Oracle, Microsoft and Amazon all looking at providing some level of Blockchain as a service for customers. While the level of interest in blockchain remains fluid, a July 2017 survey of 400 large companies by UK firm Juniper Research found 6 in 10 respondents were “either actively considering, or are in the process of, deploying blockchain technology.” In spite of the growing interest we have seen over the last 12-18 months, blockchain lacks some basic underlying system plumbing, the kind any platform needs to thrive in an enterprise setting. Granted, some companies and the open source community are recognizing this as an opportunity and trying to build it, but many challenges remain. * * * [ Polley : see Resources ” below.] top

1Password’s travel mode (Bruce Schneier, 23 July 2018) - The 1Password password manager has just introduced “travel mode,” which allows you to delete your stored passwords when you’re in other countries or crossing borders: Your vaults aren’t just hidden; they’re completely removed from your devices as long as Travel Mode is on . That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled. In 1Password Teams, Travel Mode is even cooler. If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times. The way this works is important. If the scary border police demand that you unlock your 1Password vault, those passwords/keys are not there for the border police to find. The only flaw—and this is minor—is that the system requires you to lie. When the scary border police ask you “do you have any other passwords?” or “have you enabled travel mode,” you can’t tell them the truth. In the US, lying to a federal office is a felony. I previously described a system that doesn’t require you to lie. It’s more complicated to implement, though. This is a great feature, and I’m happy to see it implemented. top

Canadian court affirms citizens still have an expectation of privacy in devices being repaired by third parties (TechDirt, 23 July 2018) - A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant’s computer. This info was handed over to the police who obtained a “general warrant” to image the hard drive to scour it for incriminating evidence. Yes, “general warrants” are still a thing in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days, but there’s still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) “General warrants” are something the government uses when the law doesn’t specifically grant permission for what it would like to do. * * * The appellant’s challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes , handing a computer over to a technician doesn’t deprive the device’s owner of an expectation of privacy. * * * So, while this didn’t end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government’s concession that this privacy expectation exists. Hopefully, this will help deter violations—erroneous or not—in the future. top

How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections (ABA Journal, 25 July 2018) - In a profession defined by zealous representation of clients, it’s no surprise that clients are starting to push their outside counsels to beef up cybersecurity. “The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers,” says Sterling Miller, general counsel of Marketo Inc., an online marketing technology company. “Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large.” These aren’t just idle words. In fact, they underline how serious clients have become when it comes to cybersecurity. * * * The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011. As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the ABA TechReport 2017 , only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans. * * * top

Carpenter and the end of bulk surveillance of Americans (Sharon Bradford Franklin on Lawfare, 25 July 2018) - Writing for the majority in Carpenter v. United States , Chief Justice John Roberts called the court’s momentous Fourth Amendment decision “a narrow one.” The specific holding-that a warrant is required for law enforcement to access historical cell site location information (CSLI)-may indeed be narrow, and the decision rightfully cautions that “the Court must tread carefully” when considering new technologies. Yet, despite its limited scope, the opinion provides a framework for recognizing that the digital trails Americans create through their daily lives are protected by the Fourth Amendment. The decades-old “third-party doctrine,” under which Fourth Amendment rights are extinguished whenever individuals share their information with third parties such as banks and telephone companies, has appropriately been confined to the pre-digital age scenarios in which it arose. As others have already argued , the Carpenter decision does not provide a clear legal standard for when the Fourth Amendment applies to data shared with a third party, and it raises many questions about the future of Fourth Amendment doctrine. But the decision does offer a resounding declaration that Fourth Amendment analysis must take account of the “seismic shifts in digital technology” and the power of modern surveillance tools. In particular, the Carpenter decision should foreclose, once and for all, any claim that bulk surveillance of Americans-or bulk collection of their digital records-would be constitutional. Through the USA Freedom Act of 2015, Congress ended the government’s bulk telephone records program, known as the Section 215 program, and provided new authority for collection of call detail records using a “specific selection term.” With reauthorization of this act to be considered next year, Carpenter’s analysis should preclude any attempt to retreat from the narrowing of surveillance authorities achieved under the 2015 law. From the fall of 2013 through January 2017, I served as executive director of the Privacy and Civil Liberties Oversight Board (PCLOB). I was part of a skeletal staff of attorneys who supported the board in its examination of the Section 215 program. The PCLOB’s January 2014 report on the Section 215 program found that the program was illegal; this report was highly influential in the debates in Congress that led to the ultimate demise of the program. Still, the report stopped short of finding that the program was unconstitutional. The board noted that “[t]o date ... the Supreme Court has not modified the third-party doctrine or overruled its conclusion that the Fourth Amendment does not protect telephone dialing records.” Its recommendation for ending the Section 215 program was based on statutory and policy analyses. When the Second Circuit considered the Section 215 program in ACLU v. Clapper in May 2015, it too found that the program was illegal under the terms of the statute and declined to reach the constitutional questions. * * * top


Reclaim Your Data (NPR podcast, 23 July 2018; 47 minutes) - Michael Chertoff, former Homeland Security Secretary and co-author of the Patriot Act, says data collection has gotten out of control. [ Polley : Spotted by MIRLN reader Corinne Cooper - @ucc2] top


Blockchain for law students (website by Walter Effross at American U) - Offers: (1) a list of recommended resources (for self-directed study and research, as well as for constructing or supplementing syllabi); (2) summaries of and/or excerpts from the emerging body of caselaw concerning blockchain and cryptocurrency; (3) a collection of legal issues and responsive law review articles (and other sources), ordered by field of law; (4) a categorization of major types of participants in the blockchain economy; (5) suggestions on selecting law school courses relevant to blockchain practice; and (6) various questions, opinions, and observations about blockchain-related legal issues. If any reader would like to contribute a guest post on how law students (or practitioners new to this area) can best prepare (e.g., recommended reading, potential paper topics, organizations to become active in, suggestions for programming courses or tutorials), please e-mail .(JavaScript must be enabled to view this email address). top


(note: link-rot has affected about 50% of these original URLs)

Larger prey are targets of phishing (New York Times, 16 April 2008) - An e-mail scam aimed squarely at the nation’s top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack. The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users - in this case the big fish - into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing. Security researchers at several firms indicated they believed there had been at least several thousand victims of the attack whose computers had been compromised. “I think that it was well done in terms of something people would feel compelled to respond to,” said Steve Kirsch, the chief executive of Abaca, an antispam company based in San Jose, Calif. Mr. Kirsch himself received a copy of the message and forwarded it to the company lawyer. “It had my name, phone number, company and correct e-mail address on it and looked pretty legitimate,” Mr. Kirsch said. “Even the U.R.L. to find out more looked legitimate at first glance.” The software used in the latest attack tries to communicate with a computer in Singapore. That system was still functioning on Tuesday evening, but security researchers said many Internet service providers had blocked access to it. top

Avatars, virtual reality technology, and the US military: Emerging policy issues (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user- generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.] top