January 11th, 2005 by dm (Copyright, Vulnerabilities)

An interesting story of viruses, research, copyright, and jail. News.com reports on the trial of a French researcher, Guillaume Tena, who in 2001 found a number of vulnerabilities in the antivirus software made by a French company named Tegam. Monsieur Tena published his research online in 2002 and is now facing some serious litigation in his home country. The research showed how the program worked, demonstrated a few security flaws, and carried out some tests with real viruses.

However, Tena’s actions were not viewed kindly by Tegam, which initiated legal action against the researcher. That action resulted in a case being brought to trial in Paris. The trial kicked off on Jan. 4. The prosecution claims that Tena violated article 335.2 of the intellectual property code and is asking for a four-month jail term and a fine of about $7,900 (6,000 euros). Additionally, Tegam is proceeding with a civil case against Tena and asking for about $1.2 million in damages.

Tena, who is now with Harvard, was labeled a "terrorist" by Tegam and was sued in French court where the judge found that because the published exploits included some re-engineered source code from the software, they violated French copyright laws.

How would this complaint fare if filed in the United States? Although the facts are not entirely clear, it seems that unless there was some measure protecting access and Mr. Tena circumvented it, the plaintiff would not have much of a case. Even if there is an access-control measure, the Digital Millennium Copyright Act has a provision, Section 1201(j), which allows circumvention of access-control measures for security testing and research, for which Mr. Tena could qualify. And certainly US copyright violations, in most cases and especially in this one, do not carry the stiff jail penalties that the French laws carry.

January 11th, 2005 by dm (Spam)

In a rare and quite well publicized action, the Federal Trade Commission is after a number of individuals and companies for spamming sexually explicit advertisements.

The FTC alleges that the defendants sent thousands of emails advertising pornographic websites without the "sexually explicit" warning that the CAN-SPAM Act requires in the subject line. In addition, the emails did not have proper opt-out information, and contained false or misleading information saying that the websites were free when in fact they required payment for access.

The challenge was filed in a Federal District Court in Nevada, the home state of one of the defendants. Among the other named defendants are companies from England and Latvia (does the FTC think they will appear in court anyway?) and several individuals. The federal judge in Nevada also granted the FTC’s request for a temporary restraining order (TRO), thus legally preventing the spammers from continuing their practice and freezing their assets until they appear and defend in court.

The complaint is here and FTC’s press release is here.

While I think the FTC’s efforts are commendable, I am somewhat concerned about the rarity of similar efforts. Since CAN-SPAM went into effect one year ago, there have been very few instances where the federal government, which has standing to sue under CAN-SPAM, has stepped up and protected consumers. It seems that ISPs and individual users are more interested in bringing lawsuits against spammers under their states’ anti-spam statutes, similar to Eric Menhart’s spam challenge under Maryland law.

January 10th, 2005 by dm (Copyright, Law & Policy)

The US government is openly proclaiming its desire for increased use of the criminal system to punish and deter intellectual property theft, which is now mostly enforced via the civil system.

China has "got to start putting people in jail" to show it is serious about cracking down on widespread counterfeiting and piracy that costs U.S. companies billions of dollars in lost sales every year, a top Bush administration official said. [Reuters]

Although such words are pretty harsh and are not heard so loudly in the US, there are proposals floating in Washington, mainly offered by the MPAA/RIAA/friends, to criminalize an increasing part of intellectual property enforcement. This would allow the government to go after fileswappers, instead of the industries having to spend their own money and resources. Nice trick, but isn’t it overkill? Also, aren’t federal law enforcement resources better spent on catching corrupt politicians, CEOs, and murderers, rather than on putting 18-year-old fileswapping kids behind bars?

January 10th, 2005 by dm (Spam)

Cybersecurity firm Sophos has released rankings of the countries from which spam originates. The top spots are:

  1. US - 42%
  2. South Korea - 13%
  3. China - 8%
  4. Canada - 6%
  5. Brazil - 3%
  6. Japan - 2%
  7. France - 1%
  8. Spain - 1%
  9. Germany - 1%
  10. Britain - 1%

Considering the attempt of US legislation to curb spam by passing the CAN-SPAM Act one year ago, the US’s position as the world’s spam leader is not commendable. Another factor that helps a country obtain a higher spam ranking is broadband penetration. Korea is the world’s leader in broadband availability, and this may explain why so much spam comes from there: more and more viruses exploit vulnerabilities to turn computers into zombies that send spam.

January 10th, 2005 by dm (Copyright)

A Maryland man has been sentenced to 18 months in jail for criminal violation of copyright statutes by distributing pirated software over the Internet. As the Register reports, the man was running a pay-per-access website which offered software by Microsoft and Adobe with the copyright protections removed (or "cracked"). The value of the software allegedly distributed over a 6-month period was between $70,000 and $120,000.

The defendant pleaded guilty to illegally reproducing and distributing copyrighted software. The applicable US statutes are 17 USC 506 and 17 USC 2319. Under these provisions, it is a criminal infringement for someone to willfully reproduce or distribute one or more copies with a value of over $1,000, or to do so for personal commercial gain. 17 USC 506(a).

January 7th, 2005 by dm (Spyware)

Microsoft’s recent announcement and decision to provide free anti-spyware and antivirus tools to its users is commendable. [News.com] Microsoft recently announced its acquisition of Giant Software, a company providing anti-spyware tools; the tools are now integrated and available for free download from Microsoft.

Antitrust lawsuits against Microsoft have recently claimed that the software giant uses its market power in the operating systems market to influence other markets, in this case the spyware detection and removal market. Many spyware and security software manufacturers are naturally scared by Microsoft’s entry into this market, but cyber security experts should have a reason to celebrate. Microsoft’s move is a great step towards limiting spyware, spam, and zombie networks.

As we wrote before, it takes between four and fifteen minutes to infect and "zombify" an unpatched Windows XP machine connected to the network. Although Microsoft’s new tool would not likely change this scary number, it will give a tool to the thousands (or millions?) of users who are infected with viruses or spyware, or who are running a zombie PC at home or at work. Microsoft’s step towards providing the free software should be followed by a strong marketing and education campaign to make users understand the threats, download the software (or a competing version), and clean their PCs.

It will be very interesting to see whether the availability and publicity of such a tool decreases the number of botnet attacks or their intensity, or otherwise puts a dent in the number of cyber crime attempts.

January 5th, 2005 by dm (Law & Policy)

I think South Koreans may be on to something: a bill was passed that goes into effect in 2006 and states that banks or other financial institutions will be liable if their customers incur damages caused by hacking or similar activities by third parties.

According to the bill, if consumers incur damages or loss while engaging in e-banking because of an incident caused by a third factor, such as a case of hacking or computer system meltdowns, financial institutions or e-banking service providers will be liable. [Chosun]

Essentially, South Korea makes the banks responsible for what happens through their systems unless the customer is at fault, for example by writing your username and password in chalk on the sidewalk. I think this is a great way to combat cyber crime: push the right buttons and provide the incentives to the parties most capable of protecting the systems. The financial institutions are almost always involved in the chain of cyber fraud or cyber crimes involving money. So with this legislation the South Korean government gives the incentive to secure their networks to the parties that are most likely to benefit from secured networks and that at the same time have the ability and resources to do so.

January 3rd, 2005 by dm (Authentication)

The Washington Post (free registration required) has an interesting article about a new approach to password security. The article focuses on the efforts of a local DC company to create authentication procedures based on users clicking on a series of photos of human faces in order to gain access to a protected online resource.

The Problem

One of the weakest links in an online security system is the user, and his or her ability to remember the assigned password without writing it on a sticky note and putting it next to the monitor, or without picking the same password for their bank as they use for their email, or even for registering with various legitimate and not-so-legitimate web sites. By using the same password in different contexts, all accounts become vulnerable to a breach of the password in any one of the accounts. For example, if you use the same password for your online banking, your email, and the various sites requiring registration, then if a breach occurs at any of these sites (let’s say an insecure bulletin board website), the attackers would have access to your email, your online banking, and every other website that can send your ‘forgotten password’ to your email address. Enough said: passwords are a problem.

Faces as Passwords

The idea of having users click through a series of photos, recognizing a particular photo at each step, is interesting. Instead of having to remember a text password, users would have to remember a number of faces in sequence, the number depending on the level of security desired. The authentication system then presents a set of faces and the user clicks on one of them. The next level presents another set of photos, and so on, until the user has clicked on the correct photo at every level.

The idea behind this new method of authentication is that users have problems remembering long passwords, while the human brain is much more likely to successfully remember a face or a series of faces. Because the brain has a natural ability to recognize a face, the system only requires the user to recognize a face, not to identify it, thus relying on the natural ability of the brain.

The system solves many of the problems of current password-based authentication: passwords are forgettable, and users are likely to share them, write them down, or reuse them. Many users are even tricked by phishing sites into entering their password. All of this is eliminated by the new face recognition authentication system. However, it comes with its own problems too.

First, one of the major problems with the new system is that it would require organizations to spend substantial amounts of money to retrofit their authentication systems and to educate their users. In a large organization or a website with thousands of customers, this would be a problem.

Second, although the brain is much more likely to remember a face, there will still be people who "forgot" their "face-password" and this is likely to increase the maintenance costs - to reset the photo sequence, etc. The familiar feature "email forgotten password" is not likely to work well.

Third, privacy and secrecy may be compromised by "shoulder surfers" who will now be able to follow the screen prompts to "remember" somebody else’s face recognition. Although there could be technological solutions to this problem, such as enabling users to key-in their selection, instead of clicking on the screen, this is still likely to be a problem and needs to be addressed.
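To make the multi-level face selection concrete, here is a toy server-side model of a PassFaces-style login. It is an added example written for this post, not code from the Washington Post article or from the company it describes. It assumes a 3x3 grid (nine faces) per round and five rounds; the face identifiers and the decoy pool are constructed placeholders standing in for photo assets. It shows enrollment of a secret face sequence, a per-round challenge with a freshly shuffled layout, verification against the face shown rather than the position clicked, and the size of the guess space, which is what the "level of security desired" amounts to.

```python
"""Toy model of a PassFaces-style graphical login (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

GRID_SIZE = 9   # faces shown per round (a 3x3 grid); assumed value
ROUNDS = 5      # rounds per login; assumed value

# Constructed placeholder identifiers standing in for the photo assets.
FACE_POOL = [f"face-{i:03d}" for i in range(120)]


def guess_space(grid_size=GRID_SIZE, rounds=ROUNDS):
    """Number of distinct click sequences: what 'level of security' means here."""
    return grid_size ** rounds


def enroll(rounds=ROUNDS):
    """Assign a new user a random secret sequence of distinct faces."""
    return secrets.SystemRandom().sample(FACE_POOL, rounds)


@dataclass
class LoginSession:
    user: str
    layouts: list                        # per round: the GRID_SIZE face ids shown
    expected: list = field(repr=False)   # per round: the correct face id (server only)


class PassFaceServer:
    def __init__(self):
        self._secrets = {}   # user -> secret face sequence

    def register(self, user, secret_seq=None):
        self._secrets[user] = list(secret_seq) if secret_seq else enroll()

    def start_login(self, user):
        """Build a fresh challenge. Each round shows that round's secret face among
        decoys drawn from outside the user's secret set, shuffled into a new random
        layout so the positions clicked last time are useless next time."""
        secret_seq = self._secrets[user]
        rng = secrets.SystemRandom()
        decoy_pool = [f for f in FACE_POOL if f not in secret_seq]
        layouts, expected = [], []
        for face in secret_seq:
            grid = [face] + rng.sample(decoy_pool, GRID_SIZE - 1)
            rng.shuffle(grid)
            layouts.append(grid)
            expected.append(face)
        return LoginSession(user, layouts, expected)

    def verify(self, session, selections):
        """selections: one grid position (0..GRID_SIZE-1) per round. Every round is
        checked before answering, so a wrong early round gives no early-exit hint."""
        if len(selections) != len(session.layouts):
            return False
        ok = True
        for grid, pos, want in zip(session.layouts, selections, session.expected):
            if not (isinstance(pos, int) and 0 <= pos < GRID_SIZE):
                ok = False
                continue
            # Compare the face shown at that position with the expected face,
            # in constant time, rather than comparing positions.
            if not hmac.compare_digest(grid[pos].encode(), want.encode()):
                ok = False
        return ok


def honest_selections(session, secret_seq):
    """What the legitimate user clicks: where their face sits in each round's grid."""
    return [grid.index(face) for grid, face in zip(session.layouts, secret_seq)]


if __name__ == "__main__":
    server = PassFaceServer()
    alice_faces = enroll()
    server.register("alice", alice_faces)
    first = server.start_login("alice")
    second = server.start_login("alice")
    clicks = honest_selections(first, alice_faces)
    print("guess space:", guess_space())
    print("honest login:", server.verify(first, clicks))
    # Replaying the positions observed in the first login against a fresh layout
    # only succeeds if the shuffle happens to land every face in the same spot.
    print("replayed positions on new layout:", server.verify(second, clicks))
```

Two design points follow from the problems listed above. Reshuffling the grid every login means a recorded sequence of click positions does not replay, but it does nothing against a shoulder surfer who saw which faces were chosen, which is the third problem; that is why the model compares face identifiers rather than positions and why a key-in or other screen-hiding input method is only a partial fix. Nine faces over five rounds gives 59,049 sequences, comparable to a five-digit PIN, so the scheme also needs the usual attempt limiting that any PIN would get.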

Bottom Line

Excellent idea. "PassFace" or its functional equivalent will inevitably reduce the number of Post-it notes hanging on monitors listing important passwords. This system will make computer security in general more reliable, but there are still issues that need to be addressed before this can go mainstream. Also, user education and system transformation costs are likely to be prohibitively high for some organizations.

January 2nd, 2005 by dm (Law & Policy, Spyware)

California Leads the Way

California has again led the way in protecting the privacy rights and the security of its residents’ computers. On January 1st a new law went into effect in California that outlaws the installation of computer software that has the ability to collect information on a computer user’s web surfing. In addition, the Act bans the installation of software that takes control of another computer. Full text of the Consumer Protection Against Spyware Act.

Although US Congress has debated several anti-spyware bills recently, California is the first state to take active measures against spyware by allowing consumers to seek $1,000 in damages if they are victims of intrusive software.

Consumer Protection Against Spyware Act

In addition to banning software that monitors keystrokes and visited websites, the Act also bans the unauthorized installation of keyloggers, spam sending/relaying software, viruses/malware that turn a PC into a zombie, or software that disables your anti-virus or anti-spyware software. The Act is drafted broadly, with the preamble specifically stating that it is the intent of California’s legislature to prevent "malware that is deceptively or surreptitiously installed on [California consumers'] computers."

Loophole

However, there is a loophole, which may seem quite big.

Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider [emphasis added], or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of fraudulent or other illegal activities in connection with a network, service, or computer software [emphasis added], including scanning for and removing software proscribed under this chapter. 22947.4(b)

One can argue that "software provider" above can be construed to refer to the spyware software company itself - which will put the spyware maker into the exempted category of parties.

Also, the "detection or prevention of the unauthorized use of fraudulent or other illegal activities" exemption: this language seems nicely tailored to allow for spyware designed by the MPAA/RIAA/BSA or any other organization interested in monitoring copyright violations of its content. It is quite clear that no file-sharing user would agree to have the MPAA/RIAA install a piece of software to monitor what content is being shared, so the MPAA/RIAA most likely used their lobbying muscle to put this exemption in the law.

Bottom Line

While this is a great step in the right direction of eliminating spyware and malware, the law seems to be drafted in an "interesting way." The prohibition seems to cover exactly what most consumers are suffering from: software that installs without notice, monitors activity, is hard to uninstall, and collects personal information. However, the exemptions in the Act seem quite big and drafted under the influence of special interests. It is too early to judge the new California law on its 2nd day of existence, so a court test would go a long way towards showing the real value of the Act.

And it should not be long before we see claims against spyware manufacturers: it is enough to connect a Windows box to the Internet, download some popular shareware, run a spyware detection tool, preserve the evidence, and go to your lawyer or to small claims court.
