Saturday, May 05, 2012

MIRLN --- 15 April – 5 May 2012 (v15.06)

MIRLN --- 15 April - 5 May 2012 (v15.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln)

FBI: Smart Meter Hacks Likely to Spread (Krebs on Security, 9 April 2012) - A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology. The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

Face Recognition Could Catch Bad Avatars (New Scientist, 11 April 2012) - A police car rolls up to a house where the doors and windows are smashed in, rooms are ransacked and numerous high-value items are missing. Calming the home-owner, an officer begins to investigate: "Did you see the person who did it?" The shaken victim replies: "Yes, he had massive purple dreadlocks, green lips and was dressed like Michael Jackson." Such an unusual perpetrator would be easy to identify in the physical realm, but this break-in took place in a virtual world, where odd-looking avatars are the norm. It may sound like an odd crime, but Japanese police have previously arrested virtual muggers, and the FBI has investigated casinos based in the virtual world of Second Life. Virtual crimes will become more common as we venture more and more into these worlds, says computer scientist Roman Yampolskiy. To prevent this, multinational defence firm Raytheon, based in Waltham, Massachusetts, has a patent pending on fusing a person's real biometrics with their 3D avatar, so you know for sure who you are speaking to in a digital world. Yampolskiy and colleagues at the Cyber-Security Lab at the University of Louisville in Kentucky are going one step further: they are developing the field of artificial biometrics, or "artimetrics". Similar to human biometrics, artimetrics would serve to authenticate and identify non-biological agents such as avatars, physical robots or even chatbots (see "Spot the bad bot"). In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there would be no way of linking an avatar username to a human user.
Yampolskiy and colleagues have developed facial recognition techniques specifically tailored to avatars, since current algorithms only work on humans. "Not all avatars are human looking, and even with those that are humanoid there is a huge diversity of colour," Yampolskiy says, so his software uses those colours to improve avatar recognition.

Law Enforcement Surveillance Reporting Gap (Chris Soghoian SSRN, 11 April 2012) - Abstract: Third party facilitated surveillance has become a routine tool for law enforcement agencies. There are likely hundreds of thousands of such requests per year. Unfortunately there are few detailed statistics documenting the use of many modern surveillance methods. As such, the true scale of law enforcement surveillance, although widespread, remains largely shielded from public view. The existing surveillance statistics might be sufficient if law enforcement agencies' surveillance activities were limited to wiretaps and pen registers. However, over the last decade, law enforcement agencies have enthusiastically embraced many new sources of investigative and surveillance data for which there are no mandatory reporting requirements. As a result, most modern surveillance now takes place entirely off the books and the true scale of such activities, which vastly outnumber traditional wiretaps and pen registers, remains unknown. In this article, I examine the existing electronic surveillance reporting requirements and the reports that have been created as a result. Some of these have been released to public, but many have only come to light as a result of Freedom of Information Act requests or leaks by government insiders. I also examine several law enforcement surveillance methods for which there are no existing legally mandated surveillance reports. Finally, I propose specific legislative reporting requirements in order to enable some reasonable degree of oversight and transparency over all forms of law enforcement electronic surveillance.

Harms of Post-9/11 Airline Security (Bruce Schneier, 14 April 2012) - I debated former TSA Administrator Kip Hawley on the "Economist" website. I didn't bother reposting my opening statement and rebuttal, because -- even though I thought I did a really good job with them -- they were largely things I've said before. In my closing statement, I talked about specific harms post-9/11 airport security has caused. This is mostly new, so here it is, British spelling and punctuation and all. In my previous two statements, I made two basic arguments about post-9/11 airport security. One, we are not doing the right things: the focus on airports at the expense of the broader threat is not making us safer. And two, the things we are doing are wrong: the specific security measures put in place since 9/11 do not work. Kip Hawley doesn't argue with the specifics of my criticisms, but instead provides anecdotes and asks us to trust that airport security -- and the Transportation Security Administration (TSA) in particular -- knows what it's doing. This loss of trust -- in both airport security and counterterrorism policies in general -- is the first harm. Trust is fundamental to society. There is an enormous amount written about this; high-trust societies are simply happier and more prosperous than low-trust societies. Trust is essential for both free markets and democracy. This is why open-government laws are so important; trust requires government transparency. The secret policies implemented by airport security harm society because of their very secrecy. The humiliation, the dehumanisation and the privacy violations are also harms. That Mr Hawley dismisses these as mere "costs in convenience" demonstrates how out-of-touch the TSA is from the people it claims to be protecting. 
Additionally, there's actual physical harm: the radiation from full-body scanners still not publicly tested for safety; and the mental harm suffered by both abuse survivors and children: the things screeners tell them as they touch their bodies are uncomfortably similar to what child molesters say. In 2004, the average extra waiting time due to TSA procedures was 19.5 minutes per person. That's a total economic loss -- in America -- of $10 billion per year, more than the TSA's entire budget. The increased automobile deaths due to people deciding to drive instead of fly is 500 per year. Both of these numbers are for America only, and by themselves demonstrate that post-9/11 airport security has done more harm than good. The current TSA measures create an even greater harm: loss of liberty. Airports are effectively rights-free zones. Security officers have enormous power over you as a passenger. You have limited rights to refuse a search. Your possessions can be confiscated. You cannot make jokes, or wear clothing, that airport security does not approve of. You cannot travel anonymously. (Remember when we would mock Soviet-style "show me your papers" societies? That we've become inured to the very practice is a harm.) And if you're on a certain secret list, you cannot fly, and you enter a Kafkaesque world where you cannot face your accuser, protest your innocence, clear your name, or even get confirmation from the government that someone, somewhere, has judged you guilty. These police powers would be illegal anywhere but in an airport, and we are all harmed -- individually and collectively -- by their existence. Increased fear is the final harm, and its effects are both emotional and physical. 
By sowing mistrust, by stripping us of our privacy -- and in many cases our dignity -- by taking away our rights, by subjecting us to arbitrary and irrational rules, and by constantly reminding us that this is the only thing between us and death by the hands of terrorists, the TSA and its ilk are sowing fear. And by doing so, they are playing directly into the terrorists' hands.

Twitter's Revolutionary Agreement Lets Original Inventors Stop Patent Trolls (TechDirt, 17 April 2012) - We've talked repeatedly in the past about how even if a company got patents for solely defensive reasons, down the road, those patents can end up in the hands of trolls, who abuse them to hinder real innovation. If you talk to engineers -- especially software engineers -- in Silicon Valley, this is one of the many things they absolutely hate about patents. But, because companies often feel the need to stockpile patents as a defensive means of warding off patent lawsuits, many engineers and companies do so out of a sense of obligation. However, it appears that Twitter is thinking differently about this, and has announced that it will be using its new Innovator's Patent Agreement to guarantee that any patents obtained by employees at Twitter (past or present) grant lifetime control to the actual inventors, to prevent the patents from being used offensively against others. The basic idea makes a lot of sense. Twitter has also posted the full agreement to Github and put it under a Creative Commons license. The method by which this works is pretty creative. Basically, if the actual patent holder tries to use the patent offensively without first obtaining the permission of the inventor, the agreement allows the inventor to issue a license to the entity being sued * * *

Only 1 Out of 4 Companies Buying Cyberinsurance (Insurance Journal, 17 April 2012) - Nearly three in four corporate risk managers are not buying insurance policies to cover data breaches and damage to customers' privacy despite the rising threat of hacking, according to a survey released on Monday. Not only are most North American companies shunning coverage entirely, many of those who are taking out "cyberinsurance" are buying policies with only limited protection in case of an attack, consultants Towers Watson said in their annual review of corporate risk. In the wake of high-profile attacks on companies like Sony and Citigroup, insurance brokers reported last summer that interest was soaring in policies to protect against civil suits and regulatory fines from data breaches. That, in turn, led a number of insurers to start offering policies, which had an immediate downward effect on rates. Insurance brokers Marsh recently said that pressure has continued, as capacity exceeds demand. Of those not taking coverage, two-thirds said it was because their internal controls were adequate or because they did not have a significant data exposure. Fewer than half said they conducted regular "penetration tests" to assess the adequacy of their network.

If Lawyers Sell Legal Expertise to Clients, Who Owns the Resulting Product? (Susan Hackett, 17 April 2012) - I'm still mulling over the implications of an article by Mark Hamblett in the New York Law Journal about some lawyers who have filed suit against Lexis-Nexis and West Publishing for what these lawyers say is the "unabashed wholesale copying of thousands of copyright-protected works created by, and owned by, the attorney and law firms." While the article's story is about whether authoring lawyers or their firms are copyright holders of documents filed in courts and stored as public records - especially if folks retrieving them want to resell access to and discussion of them as Lexis and West do - I'm more interested in the corporate clients who hired the lawyers in the first place and how firms and clients are (or are not) leveraging that knowledge for reuse. To that end, I don't propose to offer my predictions for the outcome of this suit, but rather to share a bit of the resulting think-train that this case spurred in my mind. And I'm sharing it here in the New Normal column since I think the meaning of knowledge ownership and knowledge sharing in the legal profession has profound impacts on the kinds of collaborative, data-driven, process oriented, "stop-reinventing-the-wheel" discussions currently under way between many in-house counsel and their law firms. More and more clients are engaging in the creation and sharing of knowledge platforms that incorporate all kinds of material - documents, filings, memos, research, templated "answers" used by the department to answer internal client questions, etc.
Of course, their efforts range from a simple repository on the client's intranet of past memos and briefs to much more sophisticated systems, databases, and extranets that share data and documents, sift and apply model past contract terms to new agreements, allow counsel to answer company manager questions online in a self-service fashion, and create the basis for new ways of focusing lawyers on routinizing those elements of work that aren't really unique from matter to matter. (See, e.g., a few of the more intense knowledge-based in-house practices we've been documenting on my company's website as we've conversed with law department leaders who have made knowledge-sharing and experience "captures" a primary mission.) It stands to reason that pretty much any client knowledge/experience-based system - no matter how sophisticated or developed - will include documents, materials, practices, and processes that were generated to some degree by the client's outside counsel. Some might include a lot of them. I'm not the copyright expert that others reading this article may be - so chime in! What I understand in general is that when retaining someone to perform services that include the provision of copyrightable material, the presumption is usually that the IP rights stay with the author who's been retained for the service, unless those rights are specially contracted to pass to the company retaining the author - the company may have some right of use for internal purposes consistent with the reason for the retention, but not an automatic right to "share." And I know that the practical attitude of most clients is that they paid - and often dearly! - for the work that the firm provided, so they feel that they have the right to use the material provided by their outside counsel again and again, and pretty much as they wish. I also know that most retention agreements are silent on this point - the parties' relative positions as I've described them are presumed.
So maybe firms won't be likely to protest when clients continue to use and reuse material the firm provided in past matters for internal purposes - even those beyond the instant matter. But what about when a bunch of clients decide that they'd like to share with each other those kinds of materials that do not constitute "confidential" advice that they're willing to swap for the access to other clients' similar treasures?

Elite Universities' Online Play (InsideHigherEd, 18 April 2012) - Princeton University, the University of Pennsylvania and the University of Michigan at Ann Arbor have teamed up with a for-profit company to offer free versions of their coveted courses this year to online audiences. By doing so, they join a growing group of top-tier universities that are embracing massively open online courses, or MOOCs, as the logical extension of elite higher education in an increasingly online, global landscape. Princeton, Penn and Michigan will join Stanford University and the University of California at Berkeley as partners of Coursera, a company founded earlier this year by the Stanford engineering professors Daphne Koller and Andrew Ng. Using Coursera's platform, the universities will produce free, online versions of their courses that anyone can take. [Editor: I took part of the Stanford crypto course on Coursera earlier this year - good tool. (My math was too rusty to get past week-3 of the course.) NYT story here. For those of you who are educators, this is an interesting blog posting on MOOC communities/sharing.]

Texas Ruling Shows Why We Need a Federal Anti-SLAPP Law (Eric Goldman, 18 April 2012) - This may be the first application of Texas' new anti-SLAPP law to Internet postings. It's a fine example why Texas enacted the law in the first place. And it's a good preview of the benefits we could get from federal anti-SLAPP protection. American Heritage Capital is an online lender. Apparently, AHC didn't fund a loan requested by Mrs. Gonzalez, and Mr. Gonzalez posted critical remarks about AHC at multiple websites (including Zillow, CreditKarma and Ripoff Report). Allegedly, AHC's president then sent Mrs. Gonzalez an email threatening her if she didn't remove the posts, including the following passage: "You started this. You can end it. Otherwise I will end it for you, and it won't be pretty." AHC then sued the Gonzalezs in October 2011. In January, AHC voluntarily dropped the lawsuit against Mrs. Gonzalez. (I asked AHC's lawyer why it did so, but the lawyer declined comment; the fact that Mr. Gonzalez admitted he made the posts may have had something to do with it). In March, the court dismissed the lawsuit with prejudice and made Mr. Gonzalez eligible for anti-SLAPP fee-shifting. Last week, the court granted the fee-shift, awarding Mr. Gonzalez:
* over $15k in attorneys' fees
* another $15k in sanctions
* additional financial concessions if AHC challenges this ruling on appeal and loses.

Sadly, this situation is all too common. The Gonzalezs griped online about their experiences as consumers, AHC allegedly tried to bully the posts off the Internet, then AHC tried to use the court system to bully the posts offline. In states without anti-SLAPP laws (or with inadequate ones), AHC almost certainly gets its desired outcome (the content removed) to the detriment of other prospective consumers. Instead, thanks to Texas' new anti-SLAPP law, the Gonzalezs win quickly and the plaintiff writes a non-trivial check for their troubles (2x the attorneys fees). These are the kinds of outcomes I wish we'd see across the country, not just in Texas and California and a few other states with reasonably strong anti-SLAPP laws.

Who Has the Dirtiest Clouds? Apple, Amazon, but not Google (Peter Vogel, 18 April 2012) - Greenpeace reported that cloud computing may be popular, but generally it's not very clean and gave Apple Ds and Amazon Fs, while Google got the best grades. The Greenpeace report entitled "How Clean is Your Cloud?" made these observations about electrical consumption:
* The electricity consumption of data centers may be as much as 70% higher than previously predicted;
* If the cloud were a country, it would have the fifth largest electricity demand in the world.

Copyright and Control of Museum Art Images (MLPB, 18 April 2012) - Kenneth D. Crews, Columbia University, and Melissa A. Brown, Columbia University, have published Control of Museum Art Images: The Reach and Limits of Copyright and Licensing in The Structure of Intellectual Property Law 269-284 (Annette Kur and Vytautas Mizaras, eds., Edward Elgar, 2011). Here is the abstract: "Many museums and art libraries have digitized their collections of artworks. Digital imaging capabilities represent a significant development in the academic study of art, and they enhance the availability of art images to the public at large. The possible uses of these images are likewise broad. Many conditions of use, however, are defined by copyright law or by license agreements imposed by museums and libraries that attempt to circumscribe allowable uses. Often, these terms and conditions will mean that an online image is not truly available for many purposes, including publication in the context of research or simple aesthetic enjoyment. Not only do these terms and conditions restrict uses, they also have dubious legal standing after the Bridgeman case. This chapter examines the legal premises behind claiming copyright in art images and the ability of museums to impose license restrictions on their use.

This paper is one outcome of a study of museum licensing practices funded by The Samuel H. Kress Foundation. It is principally an introduction to the relevant law in the United States and a survey of examples of museum licenses. The project is in its early stages, with the expectation that later studies will expand on this introduction and provide greater analysis of the legal complications of copyright, the public domain, and the reach of license agreements as a means for controlling the use of artwork and potentially any other works, whether or not they fall within the scope of copyright protection."

New Bankruptcy Website Stores Downloaded PACER Documents for Free Reading (ABA Journal, 19 April 2012) - A new website called Inforuptcy is touted as a cheaper alternative to PACER for users searching for bankruptcy documents. The site charges users the regular PACER fee for documents that are not yet in its database. After a document is accessed, however, it remains in the website database for future users, according to the Wall Street Journal blog Bankruptcy Beat. Searching and reading a downloaded document in HTML are free, but downloading a PDF in Inforuptcy's database costs half of the PACER fee of 10 cents a page. Bankruptcy Beat's search for bankruptcy documents led to PACER download charges. That will change as more people use Inforuptcy, according to co-founder Michael Mikikian. "The more people who bypass PACER.gov and use our site instead, the more we will be able to share that information with the public," he told Bankruptcy Beat. The idea is similar to a service called RECAP that provides downloaded PACER documents, the story says.

Insurance Industry Responds to Cyber Attack Increase (Insurance Networking, 20 April 2012) - Last year was an extremely active year for data breaches, according to a new study. "The First Annual 2012 Data Privacy and Information Security Predictions" from Cyber Data-Risk Managers reported that there were 841 incidences of cyber data breaches in 2011, a 37.4-percent increase over 2010. Annual gross written premiums in the cyber risk market were in the $800 million range in 2011, up from $600 million in 2010, according to the Betterly Risk Consultants report, "Cyber/Privacy/Media Liability Market Survey." Meanwhile, in the U.K. a Cyber Insurance Working Group has been established with leading technology insurers, such as Liberty International Underwriters, Zurich Insurance and CNA Europe. The Working Group, launched by independent information assurance firm NCC Group, will meet regularly to drive the development of a framework of recommended information security practices and policies, including adequate business continuity plans and corporate information security policies. "The U.K. is ahead of here in United States as far as cyber insurance because privacy is more highly regarded in Europe than it is here," Marciano told Insurance Networking News. The cyber insurance market is currently worth an estimated £250 million per year across the EU, with high-profile cyber attacks increasingly hitting the headlines. "In the United States there are more than 30 cyber insurance carriers with different policies because there's no standard yet," says Marciano. "We could benefit from a cyber insurance work group here because we need some kind of minimum standard for security to control the losses that we anticipate will be coming in."

Internet Intermediary Law Slides from Stanford Guest Lecture (Eric Goldman, 24 April 2012) - I recently guest-lectured at an Internet Law course at Stanford, run by Jennifer Granick and Richard Salgado. My slides. Jennifer asked me to cover 47 USC 230 and 17 USC 512 in a single session. I know other Internet Law professors combine the topics, but I normally don't in my Internet Law course. When I cover online copyright liability, I discuss Section 512 as a defense to secondary copyright infringement. Later, I talk about publication torts, including defamation, and then talk about Section 230 as an Internet exceptionalist approach to publication torts based on third party content. I do have a wrap-up slide at the end of my Section 230 (included in the slides linked up) that contrasts Sections 512 and 230, but I have never taught them together. I thought it worked out nicely, and it gave me a chance to show different ways plaintiffs are attacking UGC websites. Check it out.

Hack The Law (Shareable, 24 April 2012) - On Sunday, April 15, Brooklyn Law School's Incubator and Policy Clinic (BLIP) hosted its first "Legal Hackathon." Describing lawyers as "traditionally conservative wallflowers and naysayers," Jonathan Askin, the founder of the BLIP Clinic, urged the crowd of lawyers, law students, coders, and entrepreneurs to join a "common mission to apply the law to pave the way for technological, civic, social, and cultural progress." The Legal Hackathon was conceived as a way to get lawyers and law students to work collaboratively with coders, policymakers, and entrepreneurs to develop creative ways for lawyers to use new technology and for coders to interact with the law. At the BLIP Clinic and elsewhere (even, tellingly, that Saturday at New York School of Law), law students and newly minted lawyers are engaging with technology, and with hacker culture, in exciting ways. The second keynote came from Tim Wu, senior advisor for consumer protection at the Federal Trade Commission and professor at Columbia Law School. Wu's keynote struck a very different chord than Rasiej's, emphasizing the historic tension between technological innovation and the law. Most of the inventions that made the information environment what it is today, Wu said, "have two things in common: they're all hacks, and most of them involved breaking the law somehow." Wu's talk emphasized the ethos of hacking, an approach to work that values play, creative problem-solving, and collaborative processes. When asked how the law can keep up with technology, Wu questioned the premise: "Is it actually our aspiration for law to keep pace with technology?" We do not want the law to react quickly, Wu argued, because it represents the slow codification of what we have to say about the authorized use of force. Ultimately, the law should protect a space for innovation, a space that would otherwise shrink and be hampered by private power, Wu said.
[Editor: Sounds fascinating - wish I'd been there. Anybody have podcasts/slides?]

Limbaugh Copies Michael Savage's Bogus Copyright Theory, Sends DMCA Takedown to Silence Critics (EFF, 24 April 2012) - We've seen some ridiculous DMCA takedowns over the years, but we might have a new champion. On Monday, radio host Rush Limbaugh -- who over a three-day period beginning in late February attacked Georgetown law student Sandra Fluke on air for the apparently unforgivable sin of testifying before Congress to advocate for legislation she supported (a bill mandating health insurance coverage for contraception) -- turned to copyright law to go after one of his most vocal critics, the left-leaning political site Daily Kos. The site's offense? Publishing a damning montage of Limbaugh's controversial comments about Ms. Fluke. While initiating frivolous legal processes to intimidate and silence critics is hardly new, Limbaugh actually seems to be taking a specific page out of the playbook of Michael Savage, his on-again/off-again compatriot and fellow conservative talk radio fixture. In 2007, Savage turned to copyright law in an ultimately futile attempt to silence the Council on American-Islamic Relations (CAIR), who did precisely what the Daily Kos has done here: post online a minutes-long montage of outrageous statements made by a radio host in order to criticize the host's behavior and expose it for a public audience. In Savage's case, he unsuccessfully sued CAIR for copyright infringement. (And, bizarrely, for racketeering, because posting his xenophobic anti-Muslim rant was clearly part of a vast global terrorist conspiracy targeting Michael Savage.) Limbaugh has (for now) chosen the more expeditious DMCA takedown route. Just as Savage's ridiculous attempt to keep his own words from being used against him failed, though, so will Limbaugh's.

Art Is Long; Copyrights Can Even Be Longer (NYT, 25 April 2012) - It is there in the new 3-D version of "Titanic," as it was in James Cameron's original film: a modified version of Picasso's painting "Les Demoiselles d'Avignon" aboard the ship as it sinks. Of course that 1907 masterpiece was never lost to the North Atlantic. It has been at the Museum of Modern Art for decades - which is precisely the reason the Picasso estate, which owns the copyright to the image, refused Mr. Cameron's original request to include it in his 1997 movie. But Mr. Cameron used it anyway. After Artists Rights Society, a company that guards intellectual property rights for more than 50,000 visual artists or their estates, including Picasso's, complained, however, Mr. Cameron agreed to pay a fee for the right to use the image. With the rerelease of "Titanic," the society wants Mr. Cameron to pay again, asserting that the 3-D version is a new work, not covered under the previous agreement. Filmmakers are not the only ones who sometimes run afoul of artists' copyright law. In recent weeks Google Art Project, which just expanded its online collection of images to more than 30,000 works from 151 museums, agreed, because of copyright challenges, to remove 21 images it had posted. Artists' copyright is frequently misunderstood. Even if a painting (or drawing or photograph) has been sold to a collector or a museum, in general, the artist or his heirs retain control of the original image for 70 years after the artist's death. If someone wants to reproduce the painting - on a Web site, a calendar, a T-shirt, or in a film - it is the estate that must give its permission, not the museum. That is why, despite the expansion, Google Art Project still does not contain a single Picasso. Indeed, few 20th-century artists are included in the project's digital collection because copyright owners have not yet given permission. 
"We don't want to prevent Google from showing the work, but they won't enter into negotiations with us," Mr. Feder said.

Equipment Maker Caught Installing Backdoor Account in Control System Code (Wired, 25 April 2012) - A Canadian company that makes equipment and software for critical industrial control systems planted a backdoor login account in its flagship operating system, according to a security researcher, potentially allowing attackers to access the devices online. The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device. Attackers can uncover the password for a device simply by inserting the MAC address, if known, into a simple Perl script that Clarke wrote. MAC addresses for some devices can be learned by doing a search with SHODAN, a search tool that allows users to find internet-connected devices, such as industrial control systems and their components, using simple search terms. RuggedCom switches and servers are used in "mission-critical" communication networks that operate power grids and railway and traffic control systems as well as manufacturing facilities. [Editor: see follow-on story of 2 May, lauding Clarke for the disclosure.]

top

The Case Against Virtual Annual Shareholders Meetings (Broc Romanek on CorporateCounsel.net, 26 April 2012) - Over the years, I have wavered - yes, even flip-flopped - over whether allowing companies to hold virtual annual shareholder meetings (i.e. without any physical audience) is a good idea. More recently, I had gotten comfortable with the notion that it might be okay for companies that know that their meeting will be held without any controversy. The problem is how do companies really know this when so much of their vote comes in typically within the last 48 hours or so? So now we have the news that Martha Stewart Living Omnimedia intends to hold its meeting as a virtual one - as noted in its proxy statement - complete with an online shareholders forum, as noted in these additional soliciting materials . And even though the company is a controlled one - by Martha Stewart herself and family - I can't help but think this is a problem given Mark Borges' blog that the company is the target of a shareholder class action lawsuit alleging that the company's disclosure for a proposal to increase the share reserve of its omnibus stock plan was inadequate (plaintiff is seeking an injunction to prevent the company from bringing the proposal to a vote at its annual meeting in late May). A company with a controversy should have its management team and board available to face interested shareholders once a year.

top

Social Media Guidelines: My Top [University] Picks (InsideHigherEd, 26 April 2012) - When I search for "social media guidelines," sans quotes on Google, there are 41,200,000 results. Corporate sites, blog posts, higher education institutions, and more provide a rich amount of social media guideline examples. When I'm out on the road working with schools or conference attendees, I am often asked to provide social media guideline resources. In the spirit of sharing, here are my top picks for social media guidelines that are easily applicable for folks in Student Affairs * * *

top

Cloud Computing: Legal Standards Up in the Air (Christian Science Monitor, 26 April 2012) - With the advent of Google Drive , we talk about cloud computing as if the bits and bytes of our lives are stored somewhere up in the air, but, really, the "clouds" are very terrestrial. What's more up in the air are the laws that govern who can access your stuff and how. "The problem that cloud computing has, more generally, is that (the real world) assumes that rights are based geographically," Mark Radcliffe, senior partner at law firm DLA Piper, said in an interview with the newspaper. "That assumption is not realistic in the cloud." One concern some have expressed online and out loud is how law enforcement could gain access to your digital life stored in a cloud. With a computer in your home, you'd have to be served a warrant for legal access to your hard drive. But with remote storage, you may not know whether a subpoena or warrant has been served on the cloud service provider. "Law enforcement can subpoena the service, but it depends on their contractual obligation," Radcliffe said. In other words, what they spell out in their terms of service. Always remember, that's a contract that you agree to by using the service. Most terms of service include a clause stating the provider would give up your information if required by law, with no mention of whether it would inform you. Interestingly enough, Dropbox's Terms of Service says something a little different.

top

Amazon Outage One Year Later: Are We Safer? (Network World, 27 April 2012) - Amazon Web Services last April suffered what many consider to be the worst cloud service outage to date - an event that knocked big name customers such as Reddit, Foursquare, HootSuite, Quora and others offline, some for as many as four days. So, a year after AWS's major outage, has the leading Infrastructure-as-a-Service and cloud provider made changes necessary to prevent another meltdown? And if there is a huge repeat, are enterprises prepared to cope? The answers are not cut and dried, experts say. In part, it's difficult to answer these questions because AWS is notoriously close-lipped about the inner workings of its massive cloud operations , which not only had an outage last April, but suffered a shorter-lived disruption in August . What's more, it's hard to get a read on individual cloud customers' private plans, although industry watchers such as IDC analyst Stephen Hendrick say many enterprises have a long way to go to be fully isolated from provider shortfalls.

top

The Hard Drives Most Likely to Expose Your Data Aren't Your Own (ArsTechnica, 27 April 2012) - Hard drives that provide prime material for identity theft are more likely to come from a company for which you are an employee or client than from your own computer, according to a study released by the Information Commissioner's Office in the UK on Thursday. ICO had a computer forensics company read 200 used hard drives using freely available tools, and found that files containing personal data like bank account info and tax forms were more likely to have come from an organization than an individual. The 200 hard drives were sourced from computer trade fairs and online auction sites by the forensics company NCC Group. The drives were first searched without any particular software, and then searched again using "forensic tools freely available on the internet." Fifty-two percent of the drives had been wiped, but 48 percent still had readable information, with 34,000 recoverable files. Of the 200 drives, only two had enough data to allow a new owner to steal the former owner's identity. Four more drives, however, contained information on employees and clients of four organizations, including health and financial details.

top

Patent Office Weighs Patent Secrecy for "Economic Security" (FAS.org Secrecy News, 27 April 2012) - In response to congressional direction, the U.S. Patent and Trademark Office is considering whether to expand the scope of patent secrecy orders - which prohibit the publication of affected patent applications - in order to enhance "economic security" and to protect newly developed inventions against exploitation by foreign competitors. Currently, patent secrecy orders are applied only to patent applications whose disclosure could be "detrimental to national security" as prescribed by the Invention Secrecy Act of 1951. At the end of Fiscal Year 2011, there were 5,241 such national security secrecy orders in effect . But now the Patent Office is weighing the possibility of expanding national security patent secrecy into the "economic security" domain. "The U.S. Patent and Trademark Office is seeking comments as to whether the United States should identify and bar from publication and issuance certain patent applications as detrimental to the nation's economic security," according to a notice that was published in the Federal Register on April 20.

top

GSA Tool Lets People Verify Genuine Federal Social Media Accounts (FCW, 27 April 2012) - Federal agencies need help tracking their social media accounts, and citizens need help verifying which government accounts are authentic. Now the General Services Administration has stepped in to address both of those concerns with a new online solution. The GSA this week launched the new online Federal Social Media Registry and verification tool intended to allow users to register and verify official federal social media accounts. The registry is meant to serve as a central database to list all official, verified federal social media accounts on Twitter, Facebook, Google+ and YouTube and other services, totaling 22 networks. Debuting on Howto.gov on April 26, the registry allows users to enter an account name to determine if it is an official account sponsored by a federal agency. It also allows federal managers to submit accounts for registration and verification. While the registry is up and running, it was apparently incomplete as of April 27. A quick check of about a dozen official federal Twitter accounts indicated that about half had not been registered yet. In addition, the registry does not include official accounts at Pinterest.com, which is currently one of the fastest-growing social networks.

top

Even Harvard Can't Afford Subscriptions To Academic Journals; Pushes For Open Access (TechDirt, 30 April 2012) - Techdirt has published several posts recently about the growing anger among scholars over the way their work is exploited by academic publishers. But there's another angle to the story, that of the academic institutions who have to pay for the journals needed by their professors and students. Via a number of people, we learn that the scholars' revolt has spread there, too: " We write to communicate an untenable situation facing the Harvard Library. Many large journal publishers have made the scholarly communication environment fiscally unsustainable and academically restrictive. This situation is exacerbated by efforts of certain publishers (called "providers") to acquire, bundle, and increase the pricing on journals. Harvard's annual cost for journals from these providers now approaches $3.75M. In 2010, the comparable amount accounted for more than 20% of all periodical subscription costs and just under 10% of all collection costs for everything the Library acquires. Some journals cost as much as $40,000 per year, others in the tens of thousands. Prices for online content from two providers have increased by about 145% over the past six years, which far exceeds not only the consumer price index, but also the higher education and the library price indices."

top

Here's Why Google and Facebook Might Completely Disappear in the Next 5 Years (Forbes, 30 April 2012) - We think of Google and Facebook as Web gorillas. They'll be around forever. Yet, with the rate that the tech world is moving these days, there are good reasons to think both might be gone completely in 5 - 8 years. Not bankrupt gone, but MySpace gone. And there's some academic theory to back up that view, along with casual observations from recent history. More and more in the Internet space, it seems that your long-term viability as a company is dependent on when you were born. Think of the differences between generations and when we talk about how the Baby Boomers behave differently from Gen X'ers and additional differences with the Millennials. Each generation is perceived to see the world in a very unique way that translates into their buying decisions and countless other habits. With each succeeding generation in the Internet, it seems the prior generation can't quite wrap its head around the subtle changes that the next generation brings. Web 1.0 companies did a great job of aggregating data and presenting it in an easy to digest portal fashion. Google did a good job organizing the chaos of the Web better than AltaVista, Excite, Lycos and all the other search engines that preceded it. Amazon did a great job of centralizing the chaos of e-commerce shopping and putting all you needed in one place. When Web 2.0 companies began to emerge, they seemed to gravitate to the importance of social connections. MySpace built a network of people with a passion for music initially. Facebook got college students. LinkedIn got the white collar professionals. Digg, Reddit, and StumbleUpon showed how users could generate content themselves and make the overall community more valuable. * * * [Editor: There's more. This is a useful, cautionary perspective that resonates with me. I think Facebook already is done, but expect Google to persist and evolve.]

top

Electronic-Records Goals Aren't Met by 80% of U.S. Hospitals (Bloomberg, 1 May 2012) - More than 80 percent of hospitals have yet to achieve the requirements for the first stage of a $14.6 billion U.S. program to encourage doctors to adopt electronic medical records, the industry's largest trade group said. The program is too ambitious and goals may not be met, Rick Pollack, executive vice president of the American Hospital Association, said yesterday in a 68-page letter to the Health and Human Services Department. He cited "the high bar set and market factors, such as accelerating costs and limited vendor capacity." The records program, enacted as part of the economic stimulus law in 2009, makes hospitals eligible for payments of as much as $11.5 million if they can demonstrate "meaningful use" of computer systems, according to the Washington-based group. Hospitals and doctors who don't adopt electronic records by 2015 will be penalized with lower Medicare payments. Hospitals are "particularly concerned," he said, about a requirement in the new rules that they let patients view and download their medical records from websites. The requirement "is not feasible as proposed, raises significant security issues and goes well beyond current technical capacity," Pollack wrote. Patients' inability to easily download records from doctors and hospitals has hampered development of personal medical records systems such as a Google Inc. (GOOG) program that was shut down last year after it failed to gain enough users, said Farzad Mostashari, who leads the electronic records program at the Department of Health and Human Services.

top

Electronic Filing at Federal Circuit (PatentlyO, 3 May 2012) - If you are filing a Federal Circuit appeal, beware that the court will soon require Electronic Case Filing. The initial filing (i.e., case initiating documents) will still be done on paper, but after May 17, 2012 any subsequent filings (such as responsive briefs and petitions) must be done electronically (with some exceptions). Except as otherwise prescribed by Circuit rule or court order, all briefs, appendices, motions, petitions for rehearing, and other documents filed in cases assigned to the CM/ECF system, must be filed electronically using the CM/ECF system by a filer registered in accordance with ECF-2. Comments on the new procedures are due by May 8, 2012. [ New Procedures ]

top

Judge Rules IP Addresses Are Insufficient Evidence To Identify Pirates (GeekoSystem, 3 May 2012) - Mass lawsuits have been one of the most effective weapons rightsholders have had against torrenters. By using IP addresses to identify infringers, rightsholders have not only been able to find a large supply of alleged infringers to take action against, but have also been able to attach names - and wallets - to instances of infringement. The problem is that these cases tend to operate with the pinpoint accuracy of a flamethrower, which is why New York Judge Gary Brown has ruled IP addresses are insufficient evidence to identify pirates, and has provided a lengthy and thoughtful explanation as to why that is. [A] person who has the misfortune of having their name attached to the IP address in question isn't necessarily the one who was doing the pirating. In fact, they often aren't. That's not to say they never are, but it's a bit of a mess at best. Judge Gary Brown, in his order, attempted to straighten things up a bit with a very detailed explanation of why, legally, IP addresses are not sufficient evidence to prosecute pirates. Essentially, it boils down to one major point: using an IP address used to be a pretty reasonable method to single out an individual, but it isn't anymore. In the past, file-sharing could be tracked down to a single, wired access point that was registered to a single person and could only be used by one person at any given time.

top

NOTED PODCASTS

All Your Devices Can Be Hacked (TEDx talk by Avi Rubin, 1 Dec 2011; 17min) - Avi Rubin is Professor of Computer Science at Johns Hopkins University and Technical Director of the JHU Information Security Institute. Avi's primary research area is Computer Security, and his latest research focuses on security for electronic medical records. Avi is credited for bringing to light vulnerabilities in electronic voting machines. In 2006 he published a book on his experiences since this event. [Editor: hacking implanted medical devices, automobiles' speedometer and brakes and microphones, etc.]

top

RESOURCES

Do You Have an FBI File? -- This web site helps you generate the letters you need to send to the FBI to get a copy of your own FBI file. We can help you get your files from other "three-letter agencies" (CIA, NSA, DIA, ...) too. It's quick, it's easy, and best of all, it's free! Just click on the green arrow to get started! (If you're looking for FBI files on someone else, our sister web site, Get Grandpa's FBI File , can help you obtain FBI files for deceased individuals. If you have other questions about this site, please see our frequently asked questions page. )

top

BOOKS

The CERT Guide To Insider Threats (review by on SlashDot, 18 April 2012) - While Julius Caesar likely never said 'Et tu, Brute?' the saying associated with his final minutes has come to symbolize the ultimate insider betrayal. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes , authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats. There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them. The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade. The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic. The threat center has investigated nearly 1,000 incidents and their data sets on the topic are unrivaled. With that, the book truly needs to be on the desktop of everyone tasked with data security and intellectual property protection. The book provides a unique perspective on insider threats as the CERT Insider Threat Center pioneered the study of the topic, and has exceptional and empirical data to back up their findings. While there are many books on important security topics such as firewalls, encryption, identity management and more, The CERT Guide to Insider Threats is one of the first to formally and effectively tackle the extraordinarily devastating problem of trusted insiders who misappropriate data. In 9 detailed chapters and 6 appendices, the book provides a comprehensive and exhaustive analysis of the problem and menace of insider threats. After completing the book, one is well-prepared to initiate an insider threat program. 
The book provides examples of insider crimes from nearly every industry segment and ample data to share with management to convince them that the threats, both to their intellectual property and corporate profits, are very real.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NATIONAL ZOO CITES PRIVACY CONCERNS IN ITS REFUSAL TO RELEASE ANIMAL'S MEDICAL RECORDS (WashingtonPost.com, 6 May 2002) -- Thousands of people have peered in on the National Zoo's PandaCam to see Tian Tian and Mei Xiang cavorting. They have surfed to the zoo Web site's ElephantCam to watch the most intimate moments between Shanti and the pachyderm's newborn calf. And they have tuned into the Naked Mole-Rat Cam to follow the subterranean rodent's tubular meanderings. But don't ask to see their medical records. You won't get them. The Smithsonian Institution's National Zoo has taken the position that viewing animal medical records would violate the animal's right to privacy and be an intrusion into the zookeeper-animal relationship. The notion that animals have a right to privacy is, from a legal standpoint, odd, because courts have long held that they don't. http://www.washingtonpost.com/wp-dyn/articles/A37589-2002May5.html

top

IRS ADJUSTING SITE PAGES TO CURB FRAUD (CNET, 23 May 2002) -- The Internal Revenue Service is tweaking the technology in its Web pages so that people surfing the Web to research ways of avoiding taxes will turn up the agency's fraud pages instead. The IRS publishes information on the Internet about suspect tax schemes and online scams. The agency is trying to make those pages more prominent in search results by using key words or metatags, code that is not visible to Web surfers, but helps search engines find relevant sites. Sample metatags the IRS is looking at include the terms "pay no tax" and "form 1040." For instance, typing the words "pay no tax" into MSN and Google search engines on Thursday turned up links to sites with text such as "beat the IRS" and "offshore banking." http://news.com.com/2100-1017-921263.html?tag=fd_top

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

top
