Westchester County responds [they were the folks who wanted to criminalize unsecured wireless Internet]:
The legislation does not seek to ban or outlaw the use of Wi-Fi.
Rather, it is designed to get "commercial businesses" that collect
personal information or who offer their customers Internet service to
install minimum security safeguards. The legislation does not
criminalize the use of Wi-Fi, does not require businesses to pay permit
or licensing fees, and does not cover the use of private wireless
service at home.
The legislation is aimed at raising public awareness to get commercial
businesses to better protect the personal information of their
customers and to advise people who use the Internet in public access
areas of the risks involved with Wi-Fi. We anticipate that members of
the business community, many of whom are entirely unaware of this
problem, will do the right thing and take the necessary precautions to
protect their databases.
The intent of this law is largely to educate the public that though
wireless networking is a great convenience, like all technology, it
requires intelligent use. Although many businesses have already taken
simple and inexpensive steps to protect their data, a significant
fraction has not.
We recognize that the law’s current definition of minimum security as a
"firewall" has been ambiguously drafted. The definition will be
modified to address the concerns raised.
- Andy Spano, Westchester County executive for the state of New York.
Education via criminalization? Maybe it would work, but shouldn’t we let the market solve such problems? A business incapable of securing elementary infrastructure will not last long.
[Via CNET News.com, United States -]
Is it a race to the top or a race to the bottom? Recently we reported on a device that would decrypt all SSL traffic at the network gateway level to "sniff" for malware. Now security researchers report that bots will start including encryption to hide their presence from sniffing tools.
"We will see encrypted sessions, and as things become
encrypted, we’ll have a more difficult time investigating
botnets," said Adam Meyers, an information assurance
engineer at SRA International.
The goal for bot creators is to evade intrusion detection systems (IDSes) and to obfuscate whatever they are doing, making it impossible, or at least harder, to figure out what a given piece of network traffic contains. In a world of fast-spreading vulnerabilities (and an increasing number of zero-day vulnerabilities), any time advantage bot writers can gain is likely to translate into an increase in affected systems.
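As an added example (not from the original post), here is a minimal defender-side heuristic of the kind sensor operators fall back on once bot payloads are encrypted and signature matching fails: a Shannon-entropy check that flags ciphertext-like payloads on ports where plaintext is expected. The port set, the 7.2-bit threshold and the sample flows are assumptions constructed for this example.

```python
import math
import random
from collections import Counter

# Destination ports where a plaintext protocol is normally expected.
# This set is an assumption for the example, not from the original post.
PLAINTEXT_PORTS = {21, 25, 80, 110, 143}
# Shannon entropy (bits per byte) above which a payload is treated as
# encrypted or compressed. 7.2 is a heuristic threshold, not a standard.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Label one flow. A signature IDS can still read 'plaintext' flows; an
    'expected-encrypted' flow is ciphertext where TLS belongs; a
    'suspect-encrypted' flow is a high-entropy payload on a port where
    plaintext is expected, which is how obfuscated bot traffic looks to a
    sensor that can no longer match on content."""
    if shannon_entropy(payload) < HIGH_ENTROPY:
        return "plaintext"
    return "suspect-encrypted" if dst_port in PLAINTEXT_PORTS else "expected-encrypted"


def suspect_flows(flows):
    """Return the indices of flows labelled 'suspect-encrypted'."""
    return [i for i, (p, d) in enumerate(flows)
            if classify_flow(p, d) == "suspect-encrypted"]


# Constructed sample flows (not captured traffic). The "encrypted" payloads
# are seeded pseudo-random bytes standing in for ciphertext.
_rng = random.Random(1)


def _cipher_like(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n" * 8),
    (443, _cipher_like(4096)),   # TLS where it belongs
    (80, _cipher_like(4096)),    # ciphertext on a plaintext port: flag it
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, round(shannon_entropy(payload), 2), classify_flow(port, payload))
```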
US Attorney General Roberto Gonzales has proposed legislation with much harsher punishment for copyright violations, including jail time. The Intellectual Property Protection Act doesn’t appear to change the fundamentals of US copyright law, but it does allow more leeway for the police when investigating suspected crimes, and harsher punishments for those convicted. Among the major changes are criminalizing "attempted" copyright violation, as opposed to "actual" violation, and removing the requirement of copyright registration before criminal prosecution can be sought.
Although Gonzales’ proposal is far from being implemented as a law, it shows a distinct effort by the US Department of Justice to prosecute copyright violations. I am somewhat troubled by criminalizing "attempt" to commit copyright violation. I am troubled because it is not clear what would constitute an "attempt" to commit a copyright infringement. For example, putting a small part of my music collection on an FTP server which is accessible only by me so that I can listen to the music from my office (legal under copyright) may make me a candidate for DOJ prosecution - should it?
Another argument against the proposal posed by the Public Knowledge foundation criticizes the removal of the requirement to have a copyright registered before b
“The bill would eliminate the requirement that a copyrighted work be registered before the government could pursue a criminal copyright infringement claim. Current copyright law requires a copyrighted work to be registered with the U.S. Copyright Office before an infringement suit can be filed–regardless of whether it is a civil or criminal suit. While this change might increase the Department’s ability to apprehend copyright infringers, it would have an overall negative effect by discouraging copyright registration.
It will be interesting to see how Congress takes this. Undoubtedly, the bill will be greeted with much enthusiasm by Hollywood.
Microsoft had to take a side in this dispute, after all other security firms such as Symantec and McAfee had already announced plans to treat Sony’s software as malicious (which it is, isn’t it?) and protect against it. Sony doesn’t have much to complain about, however; Microsoft’s Vista operating system will have DRM protection built into the kernel of the OS, so that the Sonys of tomorrow will not have to make their own weak attempts to write DRM protection mechanisms - Microsoft will give it to them "for free."
This CNET article bothered me somewhat. A company has announced a proxy network service which will "inspect" encrypted traffic for malicious content. The rationale is that because encrypted content (SSL traffic) usually passes uninspected through firewalls and other stateful inspection devices, it poses a great risk for an enterprise no matter how good the gateway firewall is. The company wants to plug this hole by creating a proxy which can decrypt the SSL traffic so that it can scan the traffic for malicious code and other threats.
Is this a good idea? Network admins would surely say ‘Yes, anything we can do to plug holes on our system is good!’ but I am somehow bothered that an organization can easily decrypt secured traffic and monitor it in real-time. Many of us rely on the little icon in the browser indicating that there is a secure connection to send private information over the web. Knowing that my traffic is being decrypted, inspected, and potentially stored (in unencrypted form) somewhere bothers me. Or, to take this a step further - what if attackers gain control over the proxy and are able to read SSL traffic as if it were plain text while the users believe that their traffic is encrypted and out of reach?
While I understand the reasons for this type of device, I think that there are many unanswered and bothersome questions.
According to a new proposal being considered by a suburb of New York City, any business or home office with an open wireless connection but no separate server to fend off Internet attacks would be violating the law.
Politicians in Westchester County are urging adoption of the law–which
appears to be the first such legislation in the U.S.–because without
it, "somebody parked in the street or sitting in a neighboring building
could hack into the network and steal your most confidential data,"
County Executive Andy Spano said in a statement.
Under the proposed law, "public Internet access" may not be provided without a network gateway server equipped with a firewall. Second, any business or home office that stores personal information also must install such a firewall-outfitted server even if its wireless connection is encrypted and not open to the public. And the kicker - all such businesses must register with the county within 90 days.
Is this a pre-election legislative "buzz" only or a county legislator gone mad? Mandatory registration of home office network even if it is secured and not available to the public? Fines of $250 to $500? Is this a solution to the problem, or a solution looking for a problem?
While it is true that there are many unsecured wireless access points run by small offices or home users, this is nonetheless a weak excuse to create a draconian regulation such as this one. Two interests may play a role here. First, identity theft, while possible, does not often happen via unsecured wireless access points. Even though the traffic may be unprotected, many e-commerce sites where the user submits credit cards, etc. are SSL-encrypted and thus very hard to obtain. Second, commercial broadband service providers may see the emergence of "neighborhood" wireless networks as a threat to their business. If a household can share the broadband bill with its neighbors by putting up a simple wireless access point, that is one less customer for the cable/DSL company.
Comment from the county:
"It was just introduced; it’s a draft. We’re hoping it’s enacted early next year, but this can change."
Happy 1st Birthday, Cyber Crime Law!
Special thanks to our readers and contributors for making our first year a success!
Five ISPs have been recruited by the government to hunt down virus-infected computers used to send spam or launch distributed denial-of-service (DDoS) attacks from Australia. Basically the five Australian ISPs will share data on suspected zombie computers on their networks and each ISP will then take on responsibility to notify, educate, help clean, and, if necessary, take down the zombie PCs.
According to a statement from the Australian Communications and Media Authority, if the owner of a computer
contacted by an ISP is unwilling or unable to disinfect that machine,
the ISP could remove its connection to the Internet: "if the computer
remains a threat to other Internet users, the ISPs may take steps under
their acceptable use policy to disconnect the computer until the
problem is resolved".
Although we hear of similar patch-up-or-shut-down initiatives every once in a while, results so far haven’t been very positive. Hopefully this time it will work well.
Did anyone not anticipate this? Sony is in the crosshairs of several big legal guns. The Electronic Frontier Foundation (EFF) is currently investigating whether Sony’s anti-piracy tactics justify the filing of a class-action suit. In addition, the Electronic Frontiers Italy on Friday filed papers with authorities claiming Sony BMG was responsible for "illicit actions" in Italy and seeks "penal denunciation" against the company for secretly inserting software into consumer computers.
This is exactly what happens with spyware that gets installed on people’s computers; they have these 27-page license agreements in which you totally agree to let them infest your computer with all kinds of stuff you really don’t want. But it’s all kind of buried in the fine print, and I think to allow companies like Sony BMG to do the same thing is heading down a bad path.
- Jason Schultz, EFF
Can anyone help me understand the legal significance of "penal denunciation" under Italian law?
[Via InternetNews.com -]
Phishing is not specifically directed at financial account information, but phishers certainly love to get their hands on some juicy brokerage account information. The SEC is aware of this and is taking steps to prevent it.
The SEC published an investor guide Thursday, warning users of keystroke-logging software, phishing scams and traditional snoops as ways fraudsters could obtain access to online brokerage accounts and steal money. The agency suggests beefing up security to protect against such thieves.
The Securities and Exchange Commission seems to aim at two targets with this guide. Although individual investors need to be reminded to be vigilant with their account information, the Commission should concentrate its efforts on beefing up the security and practices of the financial institutions. Banks and brokerages are best equipped to prevent theft of personal account information - 1) they have the resources; 2) the know-how; and 3) the business interest to protect their customers from being phished out of their passwords.
[The SEC Investor Guide]