Thursday, December 29, 2005

Sony Falls on the Rootkit Sword

In what has to be one of the fastest filing-to-settlement class action lawsuits on record (no pun intended), Sony/BMG settled the action claiming violations of the Computer Fraud and Abuse Act, trespass to chattels, and other claims. In what reads more like a confession than a settlement agreement, Sony agrees, inter alia, to (1) take remedial steps for those affected by the rootkit-laden CDs, (2) provide some compensation by way of a free CD, download or coupon, (3) issue remediating (rootkit and vulnerability removal) software for the rootkit software already in the wild, (4) not collect consumer information, and (5) have subsequent software issuances certified by a security expert as effective and as not creating any known security vulnerabilities.

The document reads more like a confession than it does a settlement. Notable is what the class action plaintiffs retained: a reservation of the right to sue for consequential damages:
"The Settlement’s release of claims does not include claims for consequential damage to a computer or a network that may or are alleged to result from interactions between XCP or MediaMax software and other software or hardware installed on those computers or networks. (¶¶ II.O., VIII.B.) The release excludes these claims out of concern that such claims for consequential damage to a computer or network may raise questions concerning the predominance and manageability requirements under Rule 23(b)(3) of the Federal Rules of Civil Procedure. (¶¶ II. O., VIII.B.) If the Settlement is approved, Settlement Class Members who wish to assert such claims may do so in small claims court or other venues."

Happy New Year to All.

Wednesday, December 21, 2005

California Demands Diebold eVote Appliance Source Code Certification

It appears that:

1) The code inside the machine that records the vote,
2) The output of the code (i.e., the vote) of the machine that records the vote, and
3) The audit log generated by the code of the machine that records the vote

are all susceptible to undetectable manipulation. This comes as no surprise. Computers are not sentient (except for those with Turing potential, and there are none yet) and do not lie, but those who program them are, and may. Knowing what the coder/manufacturer has placed inside a device, what it does, how it does it, and concrete proof (rather than assurances) that it will always do what it is purported and advertised to do, might be helpful for audit purposes.

And an honest election.

Excerpted from cNet.com:

"Diebold's woes don't end in California. Last week, elections officials in Leon County, Fla., announced plans to drop Diebold from its polling places after a Finnish security expert successfully tampered with a memory card in an optical scan machine without detection."

A wee bit'o bias (mine): a hardware-based trusted timestamping scheme could remediate this problem. The e-vote machine community would be well advised to follow the lead of the financial community, which has adopted and published an ANSI standard (X9F4 9.95) for trusted timestamp usage in the financial institution community.

Link to the Article:

http://news.com.com/California+scrutinizes+Diebold+e-voting/2100-1028_3-6004615.html?tag=nefd.top

Monday, December 19, 2005

Contemporaneously Entered (And Computerized) Time Records:


The latest decision in the case of Cobell v. Norton, from Judge Royce Lamberth of the United States District Court for the District of Columbia, addresses a subject near and dear to my heart. Admissions were made as to ministerial changes after the fact. No cogent challenge was made as to the "currency" of the entries, as most attorneys lack the understanding of the ephemeral nature of digital data necessary to proffer same.
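What a trusted timestamp actually buys you, for the Diebold audit-log point in the post above and for the "currency" of time entries in this one, is a way to prove that a record existed in a given form at a given time and has not been touched since. The following is an added example, not code from the blog or from any timestamping product: a hash-chained log in which each entry's digest is bound to a clock value by a separate timestamp authority. A real ANSI X9.95 / RFC 3161 authority signs that digest with a hardware-protected key; the HMAC under a key the log writer never holds, the entry contents and the clock values are all constructed stand-ins.

```python
import copy
import hashlib
import hmac
import json

# Added example, not part of the blog post. A hash-chained log whose entries are
# each bound to a time by a separate timestamp authority (TSA). A real TSA would
# sign the digest with a hardware-protected key; the HMAC under TSA_KEY is a
# constructed stand-in for that signature, and the key is assumed to be known
# only to the TSA, never to whoever writes the log.
TSA_KEY = b"constructed-tsa-key-for-this-example"
GENESIS = "0" * 64  # prev-hash of the first entry


def canonical(entry: dict) -> bytes:
    """Serialize deterministically so the same entry always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def tsa_issue(digest: str, now: int) -> dict:
    """TSA side: bind a digest to the time at which it was presented."""
    tag = hmac.new(TSA_KEY, f"{digest}|{now}".encode(), hashlib.sha256).hexdigest()
    return {"time": now, "tag": tag}


def tsa_check(digest: str, token: dict) -> bool:
    """Verify that a token really came from the TSA for this digest and time."""
    expected = hmac.new(TSA_KEY, f"{digest}|{token['time']}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["tag"])


def append_entry(log: list, entry: dict, now: int) -> None:
    """Writer side: chain the entry to its predecessor, then obtain a timestamp token."""
    prev = log[-1]["hash"] if log else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(entry)).hexdigest()
    log.append({"entry": entry, "prev": prev, "hash": digest, "token": tsa_issue(digest, now)})


def verify(log: list) -> tuple:
    """Auditor side: returns (ok, index_of_first_bad_record, reason)."""
    prev, last_time = GENESIS, None
    for i, rec in enumerate(log):
        if rec["prev"] != prev:
            return (False, i, "chain break")
        digest = hashlib.sha256(prev.encode() + canonical(rec["entry"])).hexdigest()
        if digest != rec["hash"]:
            return (False, i, "entry modified after hashing")
        if not tsa_check(digest, rec["token"]):
            return (False, i, "timestamp token invalid")
        if last_time is not None and rec["token"]["time"] < last_time:
            return (False, i, "time out of order")
        prev, last_time = digest, rec["token"]["time"]
    return (True, None, "ok")


def build_sample_log() -> list:
    """Three constructed time entries, recorded in order at constructed clock values."""
    log = []
    append_entry(log, {"who": "attorney-A", "date": "2005-12-01", "hours": 2.5, "task": "draft mem. in supp."}, 1133500000)
    append_entry(log, {"who": "attorney-A", "date": "2005-12-02", "hours": 1.0, "task": "tc w/ client"}, 1133580000)
    append_entry(log, {"who": "attorney-B", "date": "2005-12-02", "hours": 4.0, "task": "review prod."}, 1133590000)
    return log


def clarify_in_place(log: list) -> list:
    """The after-the-fact 'clarification' scenario: expand an abbreviation in entry 1."""
    edited = copy.deepcopy(log)
    edited[1]["entry"]["task"] = "telephone conference with client"
    return edited


def clarify_and_rechain(log: list) -> list:
    """A more careful edit: recompute hashes and prev-links so the chain is self-consistent.
    The writer cannot mint new TSA tokens, so the original tokens stay in place."""
    edited = copy.deepcopy(log)
    edited[1]["entry"]["task"] = "telephone conference with client"
    prev = edited[0]["hash"]
    for rec in edited[1:]:
        rec["prev"] = prev
        rec["hash"] = hashlib.sha256(prev.encode() + canonical(rec["entry"])).hexdigest()
        prev = rec["hash"]
    return edited


if __name__ == "__main__":
    good = build_sample_log()
    print(verify(good))                       # (True, None, 'ok')
    print(verify(clarify_in_place(good)))     # (False, 1, 'entry modified after hashing')
    print(verify(clarify_and_rechain(good)))  # (False, 1, 'timestamp token invalid')
```

Two things the run shows. A quiet edit breaks the hash; a careful edit that re-chains everything still fails, because the token for the edited entry was issued over the old digest and the writer has no way to get a fresh one dated back to the original time. That is exactly the "currency" question no one raised in Cobell. The caveat is the flip side: the scheme proves that a record has not changed since it was stamped, not that it was true when stamped. A machine that records "B" from the outset, as in the voting-machine scenario elsewhere on this page, produces a log that verifies cleanly.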

Link to the decision page:

http://www.dcd.uscourts.gov/opinions/district-court-2005.html


Here now, an excerpt from the decision, issued December 14, 2005:

II. CONTEMPORANEOUS TIME ENTRIES
Defendants urge the Court to reject the Interim Fee Petition on the grounds that plaintiffs
failed to submit “contemporaneous records of exact time spent on the case, by whom, their status and usual billing rates, as well as a breakdown of expenses such as the amounts spent copying documents, telephone bills, mail costs and other expenditures related to the case.” Opposition, at 8 (quoting Cmty. Hearing & Plumbing Co. v. Garrett, 2 F.2d 1143, 1146 (Fed. Cir. 1993)).

Defendants take issue, for example, with plaintiffs’ stated practice of transferring time entries from hard copy to computer. The record reveals that Gingold recorded his time in a diary and then input the information into his computer, Gingold Aff., at ¶¶ 1 and 2; Keith Harper, John Echohawk, and Lorna Babby maintained daily records that were subsequently entered on a weekly or monthly basis on a computer database, Harper Aff., at ¶ 2, Echohawk Aff., at ¶ 2, Babby Aff., at ¶ 2; and Stacy Gingold Bear “maintained [her] time records in an annual hard copy diary . . . . [f]rom this diary, . . . entered [her] time electronically into a Quattro Pro software application.” Gingold Bear Aff., at ¶ 2.

Defendants next accuse plaintiffs of improperly “modifying,” Opposition, at 10, “editing,” id., and “altering” id. n.4, their time records. Defendants cite to those entries where plaintiffs “added clarity where contemporaneous entries had been made in abbreviated, coded, short-hand, or summary form,” Gingold Aff., at ¶ 2 (August 16, 2004); or, “slightly modified some of the descriptions to clarify the task completed,” Babby Aff., at ¶ 3; or “edited some of the original description to fix obvious recording errors . . . . because of the need for increased clarity . . . [and] slightly modified some of the descriptions so as to clarify the task that I was completing,” Echohawk Aff., at ¶ 3; or “edited some of the original descriptions to fix obvious recording errors . . . . because of the need for increased clarity . . . slightly modified some of the descriptions so as to clarify the task that [he] was completing,” Rempel Aff., at ¶ 4; or “added clarity where contemporaneous entries had been made in abbreviated, coded, short-hand, or summary form.” Gingold Bear Aff., at ¶ 2.

The Court finds defendants’ objections to plaintiffs’ practice of transferring records from one medium to another and clarifying records to facilitate judicial review, meritless. In the first instance, defendants put forth no evidence supporting their challenge. “[A] respondent to a fee application must file affidavits in opposition [] where the respondent challenges the factual accuracy of the fee petition.” Joy Mfg. Corp. v. Pullman-Peabody Co., 742 F.Supp. 911, 915 (W.D. Pa. 1990). Defendants, having been present at all proceedings and having reviewed all filings, could easily have “submit[ted] to the District Court any evidence challenging the . . . the facts asserted in the affidavits submitted by respondents’ counsel,” Blum v. Stenson, 465 U.S. 886, 892 n.5 (1984) (citing City of Detroit v. Grinnell Corporation, 495 F.2d 448, 472-473 (2d Cir. 1974)). Instead, defendants offer only innuendo and speculation.

Beyond this, defendants’ interpretation of the “contemporaneous time records” requirement is draconian. A time record is “contemporaneous” if its descriptions are both “accurate and current,” In re Hudson & Manhattan R. R. Co., 339 F.2d 114, 115 (2d Cir. 1964), and includes “for each attorney, the date, the hours expended, and the nature of the work done.” New York Ass’n for Retarded Children v. Carey, 711 F.2d 1136, 1148 (2d Cir. 1983). While the need to “maintain contemporaneous, complete and standardized time records which accurately reflect the work done by each attorney” is “particularly apt” in EAJA petitions since “the fee requirements will be satisfied from the United States Treasury,” In re Donovan, 877 F.2d 982, 994 (D.C. Cir. 1989), this Court does not share defendants’ obsession with the medium in which plaintiffs’ time records were entered or with the fact that abbreviated notations were clarified and mistakes corrected to assist the Court’s review.

What is significant is that plaintiffs’ time entries do not constitute “casual after-the-fact estimates.” Action on Smoking and Health v. C.A.B., 724 F.2d 211, 220 (D.C. Cir. 1984). The Court has no reason to question the veracity of plaintiffs’ sworn affirmations that they clarified abbreviated notations and shorthand to allow “this Court to make an informed decision about the relevance and appropriateness of the entry,” (Gingold Bear Aff., at ¶ 2), or that they were “diligent to check the time claimed with contemporaneous records, briefs or memoranda to ensure against recording errors.” Echohawk Aff., at ¶ 3. In short, the Court finds defendants’ exceptions to plaintiffs’ entries on the grounds that they do not constitute contemporaneous records to be without foundation.

Wikipedia alternative aims to be 'PBS of the Web'

"No no," says Mr. Wiki. "Yes, yes," the upstart rejoins, "we're the *real* authority for meaning in the digital world. Don't listen to those other people behind the curtain. They're wrong. Why? We have PhDs from Phoenix University, that's why. And because we say so, and we're the *real* authority"...ad nauseam.

Well, maybe. At least for this week.

Real academics. True recursivity. How refreshing.

In the TV world, PBS is the abbreviation for "Public Broadcast System." A well respected informational source that takes pride in its devotion to vetted information.

In the virtual world, and keeping in mind that on the Internet, no one knows you're a dog, this more readily dilutes into (and Wikipedia will have the definition as soon as someone posts it anonymously) "Public Bull---- Site."

More techno-babble, is all.

News.com article here: http://news.com.com/Wikipedia+alternative+aims+to+be+PBS+of+the+Web/2100-1038_3-5999200.html?tag=nefd.lede

Bah. Humbug.

Ebeneezer Grinch

Out of the Frye-ing Pan

In the case excerpted below and just decided by the Florida Third District Court of Appeal, digital evidence in the form of a GPS reading was deemed admissible by the trial Court and affirmed on appeal. What is noteworthy here is *not* that the GPS data on the car's location (via OnStar) was admissible, but that the Court appears to have taken pains to provide a substantial amount of "in any event" justification for ascertaining a defendant's whereabouts at a time and place. It almost appears that the Court doesn't want to stick its neck out too far, and finds other ample and convincing evidence to affirm.

From Still v. State of Florida, (Fla. 3rd DCA December 14, 2005) Case No. 3DO3-2970

An interesting note. The NY citation following the phrase "generally accepted" on page 3 and the word "used" at the beginning of page 4 do *not* appear on the viewable pdf at that location. That cite does appear on the next page. So, an obvious error of some sort, but this is a published opinion, and other "errors" might not be so obvious. Or as admissible under a Frye analysis.

Steven


*******
We turn next to Still’s second point on appeal that the trial court erred in failing to conduct a Frye hearing regarding the testimony of OnStar Computer Service, the operator of an in-vehicle telecommunication system. We find that the trial court correctly found that it was not necessary to conduct a Frye hearing to determine the reliability of OnStar’s evidence. Novel scientific evidence is inadmissible unless it meets the test set out in Frye v. United States, 293 F. 1013 (D.C. Cir. 1923). Courts only use the Frye test in cases of new or novel scientific evidence. See Brim v. State, 695 So. 2d 268, 271-72 (Fla. 1997). The evidence involved in this case is nothing more than commonplace global positioning satellite (GPS) technology, a technology which has been generally accepted and
, 695 N.Y.S.2d 244 (1999). used for years. The OnStar system is not new or novel scientific evidence; it is basically a tracking system that uses GPS technology. Florida courts have allowed evidence obtained from GPS systems. See Hicks v. State, 852 So. 2d 954, 957 (Fla. 5th DCA 2003). Other jurisdictions have held such tracking technology admissible without conducting a Frye hearing. See State v. Vermillion, 51 P.3d 188 (Wash. 2002); People v. Cortorreal
Furthermore, even if the trial court erred in admitting the OnStar evidence, it was harmless error because Still was not prejudiced by not having a Frye hearing. The evidence indicated that the subject vehicle had Still’s fingerprints on it, Still told his uncle the subject vehicle belonged to him, and the subject vehicle was found at Still’s aunt’s house. Moreover, an eyewitness made a positive identification of Still and saw Still leave the subject car. No expert in this case was necessary because of the overwhelming evidence tying Still to the vehicle.
*******

Wikipedia: Mass Opinion As Fact

Wikipedia seems destined to become the non-academic's attempt to fashion the universe as s/he, rather than the spin-meisters, see it. Righto. A refreshing view, if occasionally (if not almost always) wrong. Who cares about a high error rate, it's a *collective* hind-mive, er um I mean hive-mind effort. Isn't it clear by now that facts are what a majority express them to be? With Wiki, we know what the majority thinks something is. Comforting thought.

Here now, in a link from The Register, a different, and patently unfair, critique of Wikipedia. Why? Well, when I think of a Wikipedia, my mind wanders to those halcyon days when I would make some Margaritas with whatever Tequila was available, pop in a Jimmy Buffett CD, and lounge under the Tiki hut at the beach. After about five or six margaritas, I reckon I'd have been primed to contribute to the wild world of Wiki under the Tiki.

Now, lessee if there's an entry for Sox compliance...

http://www.theregister.com/2005/12/16/wikipedia_britannica_science_comparison/

Sunday, December 18, 2005

Small-Cap SOX 404 Exemption Issues


I have done a bit of research, and it appears that nowhere in SOX is there permissive authority for the SEC, through the PCAOB, to exempt small-caps, on that basis (is 150mm "small"? is 181mm "big"?), from 404 reporting (or compliance) requirements. As it relates to audit committees, for example, SOX §2(a)(3)(A) and §2(a)(3)(B) seem to severely restrict the SEC's ability to exempt reporting requirements except in the case of ministerial persons, etc. Notably, the exemption contained in §405 relates only to investment companies subject to the Investment Company Act of 1940. The language states that, in the case of audit committees, "The Board, may, by rule, exempt persons engaged only in ministerial tasks from the definition in subparagraph (A), to the extent that the Board determines that any such exemption is consistent with the purposes of this Act, the public interest, or the protection of investors."

The recent recommendation of the staff to the Commission is that small-caps be exempt from 404 reporting requirements. Well, it seems that either the interests of investors in small-caps are not really important, or exempting small-caps is somehow consistent with the purposes of SOX, the public interest, or the protection of investors.

Hmm. I see, said the blind man to the deaf man. And how many shareholder derivative suits for breaches of fiduciary duties in these "small-cap" companies are based upon fraudulent financial misrepresentations that have as their bases defects in, or a lack of, internal controls? Are small-cap shareholders less deserving of transparency and proper internal controls than those of a large-cap? So, a mere million in capitalization keeps you opaque. How utterly rational. The dollars an investor loses to fraud in a small-cap do the same monetary damage as an equivalent dollar loss to fraud in a large-cap. Even Alan Greenspan would agree with that.

15 USCA §78m (6) also appears to impose the following limitation on the SEC's exemption power over reporting companies:

"6) The Commission may, by rule or order, exempt, in whole or in part, any person or class of persons from any or all of the reporting requirements of this subsection as it deems necessary or appropriate in the public interest or for the protection of investors."

If this is, as I believe, applicable to SOX 404 reporting requirements, and if the SEC chooses to so exempt small-caps pursuant to this "authority," I wonder whether a well-placed lawsuit seeking to enjoin the exemption as exceeding the statutory authority might be brought on behalf of those oh-so-well-protected small-cap investors.

Voting Machines - What's Old is New Again

It should really come as no surprise that electronic voting machines can be "hacked," but the interesting point here is that there are alleged hacks carried out by, you guessed it, those who are purportedly neutral and in control of those machines.

For those of you who take comfort in "auditable" paper printout electronic voting machines, be assured they are not. Here's a cautionary note: One can program a voting machine to

1. Appear to record a vote for "A" to a voter on a monitor screen
2. Actually record a vote for "B" for election purposes
3. Print out a vote for "A" for voter "comfort"
4. Revert to a vote for "A" as the vote sent to the election authority, for audit purposes.

Sounds comforting, doesn't it?

In pertinent part from the AP via the Sarasota Herald Tribune:

TALLAHASSEE -- Gov. Jeb Bush said the state should review the way it tests electronic voting machines after a local elections official said the devices could be hacked to change race outcomes. Bush's remarks Friday come after the acting secretary of state, David Mann, said he was confident in the process of certifying voting machines. Mann said he was "concerned" only that Leon County Elections Supervisor Ion Sancho might have given an outsider access to computer codes for a test of the Diebold optical-scan machines. Sancho sent state elections officials a letter Friday requesting they do "further investigation" of Diebold Election Systems' Accuvote 2000. Sancho said his internal tests showed the optical-scan machine's memory card produces false results when hacked by elections office insiders.

Friday, December 16, 2005

Florida Court Decision: Mysterious Breath-a-lyzer Source Code - Produce or Dismiss DUI

From my (relatively new) home state in Florida, a well-reasoned (disclaimer: imo) District Court of Appeal decision about...discovery production of source code from a breath-alcohol analyzer.

The Wall Street Journal reports that: "The battle is over the source code of breath analyzers made by CMI Group, a closely held maker of breath-alcohol instruments. Defense lawyers have challenged the use of the device and asked to see the original source code that serves as its computer brain, saying their clients have the right to examine the machine that brings evidence against them."

"It seems to us that one should not have privileges and freedom jeopardized by the results of a mystical machine that is immune from discovery," the state's Fifth District Court of Appeal wrote.

It seems, that in this state at least, jurists are brave enough to not heed the admonition: "Pay no attention to the man behind the curtain..."

The breathless response by the breath-a-lyzer attorney: "It's a trade secret, and like any company they don't just turn over information for the asking," says Allen Holbrooke, outside attorney for CMI.

Well pardner, they also don't deprive a person of his or her rights based on uncorroborated say so. Y'all see, we have this here procedure in the great state of Florida we call dis-cov-er-y. So, Mr. Holbrooke, we didn't merely *ask* for that information...we made a discovery demand...the "please" language is merely a formality.

Next stop: Mystical voting machines? Mystical compliance machines? Oh no. This could out bad code in almost everything fobbed off as perfect. Gadzooks.

Thursday, December 15, 2005

Seeing Is --- Not Believing

Think thee that a photographic image is admissible because you "swear" in Court that you took the digital image? Think again. Digital data is ephemeral (meaning, eminently susceptible to manipulation and alteration) so before you believe what you see in that jpeg, think 0's and 1's, not pixels.

The following link from Cnet.com contains an article about how stem cell researchers in Korea fabricated lines, images, and not surprisingly, results.

http://news.com.com/2102-11395_3-5997074.html?tag=st.util.print

Friday, December 09, 2005

Information Security Tower of Babble -- Compliance Vendors

Everybody talks.
No one understands what anyone is saying.
Everyone nods in agreement.

Whither Rootkits?

My general question is this: If a service provider requires a download and installation in order to access and use its service, what's to stop that provider from adding a little holiday cheer, by way of rootkit-like add-in activity that cloaks its own existence, as part of the consented-to downloaded app? Here's the reason for the question. The Google model pays per click and positioning. Might not that self-same service provider be compensated by malware exploiters for each "add-on" downloaded to an unsuspecting "consenter-user"? The installation of "proprietary" software that builds a pipe to spam/adware/exploit potential may well be seen by the tech community as merely an extension of the revenue model espoused by Google and Yahoo.

Ok, call me suspicious, but I'm willing to bet some fruitcake (in fact, all I have) that this has been done repeatedly, and, if there are an inordinate amount of "patches" now being circulated for other applications, we may be seeing "stealth" rootkit-type apps being removed in direct response to the Sony/BMG debacle and ensuing lawsuits.

"Gee. We can't do this anymore. Damn lawyers always get in the way with those frivolous lawsuits. So anti-business. So tech-averse. So Luddite. So anti-the future [as in *the* future, not the future -- cr. to Mark Hammill] How are we going to make money now?"

Thursday, December 08, 2005

Gramm-Leach-Bliley Not Applicable to Attorneys.

Thus spake the United States Court of Appeals for the District of Columbia Circuit.

http://pacer.cadc.uscourts.gov/docs/common/opinions/200512/04-5257a.pdf

Tuesday, December 06, 2005

New PCAOB Report on SOX 404 and Internal Controls Reporting Issues: That's the way to do it. You get yer gitar on the MTV. Company controls first, then individual controls. Oh.

From Compliance Week:

Here also, the link to the PCAOB report: http://www.pcaobus.org/Rules/Docket_014/2005-11-30_Release_2005-023.pdf

"According to a new report by the Public Company Accounting Oversight Board, audits performed in the post-Sarbanes-Oxley world "were often not as effective or efficient" as the Board intended. As a result, the PCAOB has reiterated the guidance it released back in May, stating auditors should plan internal control audits with a more top-down, risk-based approach."


Some quotes from the PCAOB report:

"The Board expects that auditors will tailor their procedures to focus on the particular risks facing audit client's systems of internal control as they gain more experience in auditing internal control."

Whoa, Jim. Does this mean that auditors are only now learning what auditing internal controls means?


"Some auditors performed inefficient, sometimes ineffective, walkthroughs of major classes of transactions because they used different transactions to test each control separately rather than walking a single transaction through the entire process."

Whew. Does this mean auditing of data throughout its life-cycle? Checking to see that something hasn't been altered or changed along the way to its being audited?


"In addition, some auditors did not ask sufficiently probing questions of the company's personnel to gain a complete understanding of the transaction process."

My, my. It's not enough to ask whether ye olde blue light blinketh, that everything is mucho authentico, and to ascertain, yea and verily, that the wizard in charge of information management and security understands the queries being asked of him/her?


"Making such inquiries assists the auditor in identifying any points at which a necessary control is missing or inadequate."

Hmmm. Lessee. If the IT person doesn't understand the policy behind compliance and transparency, how can s/he be expected to "assist" in describing the elephant to the auditor? Perhaps this is the central reason for the "top down" approach. At least those at the top of the transactional pyramid are expected to have a clue about the interdependence of policy, process and compliance.

"In the future, the Board expects auditors, in most cases, to simplify their walkthroughs by following a single transaction"

Which to me, means do not listen to cries of "pay no attention to the man behind the curtain," i.e., Mr/Ms Auditor, do not allow yourself to be sidetracked and diverted from your investigation of a single transactional process by sideshows thrown up to deflect attention. Not easy, I surmise.


The rest of the release is also quite informative.

Steven

Wednesday, November 30, 2005

Welcome to Security Kernels. Subject matter is, well, the intersection of technology, and more specifically, information security, and the law. Enjoy.


Wednesday 2005-11-30

The first partial facial transplant was announced today. The recipient was the victim of a dog bite, and the donor a brain-dead individual. Quite apart from the "organ bank" implications (look at that donor form again, folks), this raises some issues for biometric authentication based upon facial recognition. As I suspect that this may be the first *publicly* announced facial feature reorg., how can facial recognition, which is not an exact science, even for an authentication program, be relied upon? ***