2007-11-22 ES&S Voting Machine Fracas: Exactly the Same (but with minor differences)

Calif. claims that "certification" sticker were repeatedly placed on appliances that had not been certified in violation of California law.

In keeping with the nature of this dispute, someone might also be comfortable in stating the two positions stated below are identical, and with only minor differences.

ES&S: The updated machines contain the "exact same hardware configuration and firmware version
Calif: The A200 uses version 1.1.2258 of the system firmware, while the earlier machine uses version 1.0.

I find the "exactly the same, but with minor differences" argument intriguing.

The link to the Register.com article:

http://www.theregister.co.uk/2007/11/21/e_voting_vendor_sued/print.html

2007-11-21 New Discovery Venue: Apple Reported to Track iPhone Online Usage

Two things to keep in mind, depending upon circumstances. First, this capability, if true, could provide a rich discovery source, but although one might "request" the information generated by an iPhone, one might be well advised to incorporate specific language directed toward this captured information. Second, be aware of the type of information divulged-by-agreement when you, or your client sign up for the pretty bauble.

The link:

http://www.pocket-lint.co.uk/news/news.phtml/11368/12392/apple-tracking-iphone-usage-reports.phtml

2007-11-14 Data in Transit --- Just Not in the Enterprise Document Policy; Defecting Employees Steal Reported 1.8 Billion Worth of Data from Company.

Darkreading.com (link below) reports that two top officials (including an incumbent president and an executive director) of a "major Korean electric power business" stole, er, liberated, more than 1.8 billion in trade secrets when they teamed up with a rival earlier in the year.

The escaped data made its way out of the enterprise, apparently through a USB port and into some storage device connected thereto.


http://www.darkreading.com/document.asp?doc_id=139010&print=true

2007-11-08 eDiscovery: Hand me the Keys: The Downside to Hosted Encryption Services

Wired.com reports today that Hushmail, which, ahem, "dominate[s] a unique market niche fo highly secure webmail with its innovative, client side encryption engine" bows to court order to provide client's email encryption keys. Link below.

How, you might inquire, do they obtain access to a *client* private key? In an effort to make the email process seamless, Hushmail offers a thin client, and runs the encryption engine on their side. As succinctly put in the Wired Article: "...this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages."

Let's do this in a step-by-step analysis.

1. Hushmail has control over its environmental variables.

2. Hushmail has control over its servers providing encryption services.

3. Hushmail encryption processes occur at Hushmail servers, not at the client.

4. Information (including key information) is transmitted between Hushmail server and client by SSL connection.

5. Key information is provided to Hushmail encryption engine in cleartext at Hushmail server.

6. Hushmail has access to the private key for some period of time.

7. Hushmail's keys can be compelled to be disclosed in court.

Client email not so Hush.

Third party custody of your encryption key, while a nifty idea for redundancy and data loss (meaning risk of non-decryption) might place that third party in a rather difficult position. Perhaps creating and enforcing a policy where private keys used for certain information are never sent in cleartext to a third party might be a good idea. Ya think?

In any event, creation of and adherence of a document retention policy to apply to 3rd party key custodian activities (and the keys held by them) in an auditable fashion, may be worth a thought.

The link from Wired:


http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html