Thursday, January 19, 2012

Anonymous Struck USDOJ.gov HARD

Hey- Remember how I said that Anonymous was taking us to school? Well, it looks like they're taking the feds to school, too. As I write this, the United States Department of Justice website is down. Down. That is unacceptable, folks. It was bad enough that NATO and the CIA sites were hacked, but they didn't learn from that? How could the DOJ allow their site to be compromised? That is a failure of our government in a big way. How will we recover our confidence in Internet security if the GOVERNMENT isn't secure?

(Note- The picture above is a screenshot of the usdoj.gov website taken at about 9 pm eastern time on 1/19/2012)

Tuesday, January 17, 2012

Zappos and Other Hacks



Zappos was one of several online vendors hacked this week. The company claims that only personal information, like the names and addresses of its 24 million customers, was accessed, but not credit card data. Right.

6pm, another online retailer that happens to have my account information, was also hacked and claims that ‘only’ personally identifying information, like the names, addresses, last four digits of the credit cards and passwords of its customers, was accessed. The company assured us that our credit card information had not been accessed.

Well woop-de-do. . . Individuals don’t seem to care much about their data or where it’s stored or whether it is compromised. After all, they’re on all sorts of mailing lists and they get spammed from all directions, they’re called constantly- barraged by an endless stream of advertising. We rightly assume that the law protects us from credit card fraud and individual data breaches. The fact that our credit card information hasn’t been compromised really isn’t a big issue, is it? After all, our liability as individual consumers amounts to $50, and that’s usually waived by the credit card company in these situations. The real issue is much, much more serious.

While vendors are going around touting cloud computing, every day we hear of large scale hacks of e-commerce providers, government, cloud computing vendors and academia. What could Zappos or 6pm have done differently? How is it possible that the CIA and NATO and Stratfor have been hacked?

The crux is that security is mostly a reactive endeavor. There’s only so much that can be done prophylactically. The grand plans that many security vendors market may sound sexy, but they will always be a step behind the conspiracies of the bad guys looking to breach your system and steal your data. That’s just the way law enforcement and security work. The best you can hope for is to have a good structure in place for responding to threats when they happen and a team that can assemble to both quash the security breach and anticipate future threats.

Monday, January 16, 2012

Anonymous Coverage on CNN and the History Behind the Mask



If you missed the piece Saturday on Anonymous, CNN posted it online at:


You can order a Guy Fawkes mask from Amazon for as little as $4.00 (before shipping) here:

Guy Fawkes lived in the 1500's in England. He's famous for leading a group of rebels who tried to blow up the House of Lords. His plot was discovered when a coconspirator revealed it to a member of the House of Lords by allegedly sending a note saying to stay away on November 5. The country celebrates a holiday called 'Bonfire Night,' during which they set off fireworks and light bonfires. The holiday is officially intended to celebrate the safety of the monarch. People make dummies to symbolize Guy Fawkes, and throw them on the fires.



The mask that has come to be associated with Guy Fawkes is the one adopted by Anonymous as the symbol of its group. The association between the Guy Fawkes mask and Anonymous is that Fawkes struck at government- he attempted to blow up the House of Lords. And, he maintained his anonymity. Of course, he did so unsuccessfully, but go with it. . . It's cool and it's symbolic and so far they're on a roll.



Monday, January 9, 2012

Consumer Electronics Show and Anonymous on TV this Week- YAY!

The CES is going to be covered starting Tuesday afternoon on Spike.

And, although the CNN website sucks and the information is not posted there, it’s reported on the network that on Sunday Jan 14 at 8 p.m. there’s going to be a program on Anonymous.

They’re the hacking group that claims responsibility for the biggest exploits of 2011. Sure, I’ll admit that buying into media coverage of a hacking group like Anonymous is the same thing as sopping up the claptrap fed to us by terrorists. But, ignoring Anonymous is something we do at our peril, apparently. They’ve hacked the CIA and NATO and Stratfor. Anonymous is really scary and important because they are, no kidding, smarter than we are in lots of ways. And, we’re doing a crappy job of protecting ourselves against the threats they pose.

For one thing, they’re making pretty easy work of showing up our top flight security and intelligence resources- like NATO and Stratfor and the CIA. You’d think those sources would be locked down pretty tight- you know, there’d be solid access controls, encryption, if the sites were compromised they wouldn’t be back up unless they were hack-proof. NOT. Although I definitely do not subscribe to feeding the beast, I do admit we’re being taken to school. I, for one, am going to be watching.

Sunday, January 8, 2012

Research in Motion Pursues the "London" - Maybe Microsoft System will be the Winner?

Blackberry- Ummmm. Toooo little. . . . Toooo late.

The screen is still too small and I haven't lost so many brain cells that I can't figure out that the keyboard is the same, lame keyboard in the same place it's always been. Thinner? Maybe. Is that enough? No.


On another note, there's an article in today's New York Times heralding the dawn of an awesome new Windows Phone operating system for smartphones to be unveiled at the International Consumer Electronics Show in Las Vegas tomorrow (which looks totally overstimulating, but probably something to check out at least online or in review).


Nokia is making the hardware. We should see what that will look like soon.

The Times describes the operating system as being tiled and alerting the user when contacts post to areas of interest. The article was silent on security and how the OS hooks up to existing infrastructure. Like I've said in prior posts, probably a good idea to take a 'wait and see' approach- I'm holding off on my next smartphone commitment until I am a bit more certain about the security and viability of the phone operating systems moving forward.


Thursday, January 5, 2012

I’m Free! Wait- No, I’m Not. . . My Resolution to Unsubscribe from Spam

New Year’s Day 2012, I spent an hour or more responding to the spam emails in my inbox by unsubscribing from the lists. It’s something I’ve wanted to do for a long time, but put off because I figured it was easier to just delete the email than it was to negotiate my way through the unsubscribe process. And, in the past, I’ve found it frustrating that I make valiant efforts to unsubscribe from email but I’m not actually unsubscribed. In following through on my resolution, I’ve found that not only do unsubscribe orders not work many times, but even worse- and this should make lawyers’ jaws drop in HORROR- many reputable companies that send out commercial email don’t provide the functionality on the email to unsubscribe. Or even the information necessary to unsubscribe. Not good, my friends. . . not good.

Yes, of course I’m documenting this nonsense. And yes, of course, I’m going to write nasty-grams to the companies and threaten CAN-SPAM lawsuits. Just a word to those companies who send out advertisements by mail and the lawyers who advise them- you have to provide information and an ability to unsubscribe from future emails. Consider it a heads-up before you get one of my nasty-grams.

The CAN-SPAM Act of 2003 is a federal law that provides for $15,000 penalties against businesses that send out commercial emails that do not meet its mandates. OUCH! That’s just the fines from the government (provided, of course, the government does anything about it). However, there are means of civil redress of grievances as well. Here’s some of what the Federal Trade Commission website has to say:

"Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.

Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible."

It’s January 5, 2012 and I have now invested at least five hours of my valuable time unsubscribing from email lists. Hundreds of different sources, from eBay to L.L.Bean, webinar providers to law book sellers. I was receiving email from Major League Baseball under two different accounts. Victoria’s Secret. K-Mart. Walmart. Neiman Marcus. Zappos. Every conceivable e-commerce site that I’ve ever purchased so much as a stick of gum from sends me regular emails. Countless information security sites and news services pared down to only the very few legal and real news sources that I actually read. I’ve unsubscribed from them all (except for Kate Spade, which is absolutely essential).

Yet, after five days of dutifully deleting my name from lists, each time I check my email, there are more. Admittedly, I get a lot of email. But it wasn’t until I embarked on the unsubscribe venture that I became aware of just how much is crap. When I say hundreds of unsubscribes, I mean hundreds. Every time I go into my email there are at least five more email lists to unsubscribe from- and that is whittled down substantially.

The good news is that when I open my email in the morning, there aren’t a hundred and fifty emails. There are like forty or fifty, and that’s not bad. I actually read those. I’ll let you know when I’m done unsubscribing. I’m figuring it will be sometime in March or April, but not counting on it. However, five hours in, it’s worth the effort to open my inbox and see that it’s pretty clean.

Wednesday, January 4, 2012

A New Blackberry Bold in 2012? I think not. . .


Who watched New Year’s Rocking Eve and saw the ‘new’ Blackberry Bold for 2012 unveiled? Yawn. Same size screen. No new apps. Woo hoo- you can tweet. Yippee- you can facebook. Wait! It’s got a touch screen! Hey, my Palm Pre had a touch screen. Palm. . . Blackberry. . . same thing very soon. . .

Just as I was thinking I had been too hard on Research in Motion, they proved me right. There is nothing going on over there except for passing the hat for the next person jumping ship before they shut the lights off. The only thing left for them is who takes over their corporate services and who will take over the hardware. In the meantime, nobody in their right mind is buying BB for themselves. The problem is. . . what to go with now?

Security-conscious folks- those in business who have intellectual property and trade secrets to protect, lawyers, doctors and other professionals who are required to protect privileged and confidential data, and all of the support staff we rely on who communicate with us- are stymied: where should we look for our next smartphone?

As Sharon Nelson reported on her blog, Ride the Lightning, recently, the Department of Defense has nixed the iPhone because Apple won’t give on security issues. The DoD chose to go with Android, but their choice is a bit perplexing and certainly leaves the question of where to turn for our next phone unresolved. The DoD only approved the Android 2.2 operating system, and at that, a stripped down version. The only phone it approved as ‘secure’ is the Dell Venue. Not the sexiest communication device on the market. Of course, phones are currently shipping with the 2.3 operating system. The security differences between the two are not completely known, but according to most sources, Android is the most hacked system out there.

Aside from security issues associated with the Android OS, there are ongoing challenges by Apple claiming that Google infringed upon its intellectual property, at least one of which has been successful. Others are pending. There is no doubt that the challenges will continue. The implications for actual users remain a wild card, but it is unlikely that either the iOS or the Android OS will become unavailable or unworkable in the near future.

Until then, what's a lawyer to do?

1) Well, in my experience, hacking phones isn't a big issue. The biggest problem with mobile devices is losing them. So, secure whatever device you have with a password. Other problems with smartphones have come from dropping it in coffee, my son taking it outside to play without my permission and leaving it in the rain, dropping it in the toilet- an ugly, ugly event- and, unfortunately, but you guessed it. . . forgetting the password and wiping the phone. Which brings me to #2. . .

2) Back up your phone information. You don't have to do it every day, but do it regularly. There are few things more painful than losing all your contact information and all the emails you received on your phone but didn't sync up to your PC.

3) Do not. . . I repeat. . . DO NOT. . . sell or give away any device, most especially your smartphone, that at any time contained privileged or confidential data. Engage the services of a professional to wipe and dispose of the device. I've told this story before, but it bears repeating because it's horrifying and true.

Once upon a time, a lawyer who dropped her cell phone in the toilet turned to eBay to buy a new Blackberry Bold. This tack was partly taken for research purposes and partly because eBay offers the best deals on used, unlocked phones (by unlocked, I mean you can use the phone again). With purchase in hand and savings in the bank, the sly lawyer went about activating the phone. To her surprise (and admitted merriment), the former owner of the phone had not de-activated his email. Although he followed all the instructions provided by the communications carrier and Research in Motion for deleting his information and 'wiping' the phone, quite a bit of data remained, and continued to be transmitted to the phone.

This wouldn't have been much of an issue, I suppose, if the prior owner was a teenager looking to fund the next smartphone upgrade. This particular prior BB owner was, in fact, employed in the finance department of a major oil company. Major. And the new owner of the smartphone received all sorts of data about acquiring new companies, pricing and cost information and, oh, you get the idea. The phone even came with a couple of pictures of the prior owner's kids. Had the phone not fallen into the hands of a responsible lawyer, who knows what might have happened? However, this phenomenon didn't occur once in isolation. It occurred again after another unfortunate incident involving some moisture and a smartphone and the self-same lawyer. This time, the prior owner was not nearly as interesting. However, personal identifying information is personal identifying information, and who needs for it to fall into the wrong hands?

4) Treat your media tablets and your laptops as you would your smartphone- password protect them.