Jaani.net
 

August 19, 2006

Chilean Dictator Stripped of Immunity

Chile's Supreme Court has stripped former dictator Augusto Pinochet of his immunity in order to bring him to trial on charges of embezzling public funds. The prosecution case alleges that secret overseas bank accounts were established for his family members.

Posted by Jaani at 9:15 PM | Comments (0)

May 13, 2006

3rd Circuit: Computer Fraud and Abuse Act Provides for Civil Remedies

In its first interpretation of remedies available under the federal Computer Fraud and Abuse Act, the 3rd Circuit ruled that civil claims are allowed. In the case, an employer alleged that former employees used information wrongfully obtained from the employer's computer system. The 3rd Circuit's decision is particularly significant to employers, who may now obtain federal court jurisdiction and assert a claim without meeting all of the requirements under traditional common law and trade secret claims.

Posted by Jaani at 2:24 PM | Comments (0)

Email Bomber Faces Retrial

An anonymous reader writes "A UK teenager who was cleared last year of launching a denial-of-service attack now faces a retrial. Judges have ruled that crashing a server with five million emails probably isn't permitted under the law. With NASA hacker Gary McKinnon vowing to fight on after losing his extradition fight yesterday, it's been a busy few days for the UK courts."

Posted by Jaani at 2:22 PM | Comments (0)

Hacker Faces Criminal Liability for Identifying Security Flaw

After pointing out a hole in the security of a USC database, a computer expert finds himself on the short end of the legal stick.

McCarty allegedly dug into the USC database and retrieved seven personal files, which he then anonymously passed along to SecurityFocus.com. That site contacted the university, which shut down the server for a few days until the problem could be addressed. SecurityFocus.com wrote an article on the matter, and the case was closed until USC personnel went through the server logs. The intruder hadn't really made an effort to cover up his activities, so it wasn't long before the school contacted the FBI, which questioned McCarty, then arrested him.

Posted by Jaani at 1:53 PM | Comments (0)

Cyber Criminal's Jail Term 'Too Light'

A 21-year-old man in California has received one of the harshest sentences for cyber crime, but Internet polls say it should have been longer.

Posted by Jaani at 1:42 PM | Comments (0)

"Paraplegic Activist Leaps from Wheelchair, Runs from Police"

From Overlawyered: 'Laura Lee Medley was making a regular career of filing claims against various Southern California entities complaining of violations of her rights as a wheelchair user under the Americans with Disabilities Act. Placed under arrest after police sniffed fraud, Medley leaped from her chair and led authorities on a brief chase which ended with her capture:

Medley's claims in California against San Bernardino County, South Pasadena and Long Beach included one allegation that a bus dropped her off near what she called a non-ADA compliant roadway, causing her wheelchair to topple over.

Pasadena settled Medley's claim for almost $7 000.

Posted by Jaani at 1:36 PM | Comments (0)

May 7, 2006

Anti-Piracy Law Gets First Tryout

In the first trial of its kind in the United States, a federal jury in Los Angeles recently convicted a retired painter of illegally bringing a camcorder into a movie theater to record "The Legend of Zorro." The jury's decision against Manuel Sandoval was the first brought under the U.S. Family and Entertainment Copyright Act. The year-old law makes it a crime to upload a copyrighted work onto the Internet, and makes it a felony, not just a misdemeanor, to copy a movie in a theater using a camcorder.

Posted by Jaani at 10:56 AM | Comments (0)

The RFID-Hacking Underground

They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm. And you won't feel a thing. By Annalee Newitz from Wired magazine. Plus: Retail-Safe RFID Unveiled.

Posted by Jaani at 10:54 AM | Comments (0)

"Spam king" gets fined US$4 million in spyware lawsuit

The Federal Trade Commission has concluded its first major spyware-related lawsuit, slamming down a US$4 million hammer against Sanford Wallace and his company, Smartbot.net. Will this have any effect in the War On Malware?

Posted by Jaani at 10:44 AM | Comments (0)

March 19, 2006

London Millionaire Accused of Involvement in Hacking Ring, Say Investigators

According to this CNET Article, ‘a high-profile London society millionaire is among a group of defendants accused of being part of a phone-tapping and computer hacking scheme that gathered confidential information on wealthy people and businesses. He has been charged with conspiracy to cause unauthorized modification of computer material.’

Update: the CNET Article has now disappeared. I’m not entirely sure what’s going on here — perhaps the lawyers of a certain London millionaire obtained a suppression order. In any case, best to treat this one with a grain of salt.

Posted by Jaani at 7:10 PM | Comments (0)

Canadian Man Jailed for Cyberstalking; Australia Proposes New Cyberstalking Offences

A man in Alberta who used the internet to turn his ex-girlfriend’s life upside down was convicted on Thursday of criminal harassment and sentenced to a year in jail. The man used internet keyloggers and fake e-mail addresses to harass the ex-girlfriend.

Meanwhile, the Australian federal government will ramp up its efforts to catch sexual predators who use the Internet. New offences relating to the luring and grooming of children for sexual purposes over the Internet were among the recommendations of the Parliamentary Joint Committee inquiry on Cybercrime agreed to by the government.

Posted by Jaani at 5:21 PM | Comments (0)

March 14, 2006

Security Danger for Voice over Internet Protocol Users, Says Study

‘An Australian survey of 200 medium to large businesses and government organisations revealed that 97 per cent of respondents lacked sufficient security on their VoIP [Voice over Internet Protocol] systems. The survey, conducted in late 2005, found that nearly 60 per cent of organisations reported frequent breaches to the security of their data networks, more than two each year’:

A quarter of potential adopters of IP telephony rate security as their biggest concern.

The research finds that nearly 60 per cent of organisations report frequent breaches to the security of their data networks - more than two each year.

More than 15 per cent indicate that these breaches caused significant or extensive damage to business operations.

Nearly all of the companies interviewed for the survey said they had installed antivirus systems.

However, 48 per cent said they were still affected by virus attacks.

Posted by Jaani at 10:19 PM | Comments (0)

March 3, 2006

Distributed Computing Project Cracks Enigma Cypher, Decodes WWII Message

An interesting distributed computing project has reportedly cracked one of the Enigma cyphers used by the Germans during World War II. The M4 Message Breaking Project, founded in January by an amateur German cryptographer, harnesses the processing power of a wide network of computers in order to do in one month what the likes of Alan Turing and his Bletchley Park colleagues failed to do at all.

The decoded messages were enciphered using the Enigma machine, a device used by German U-boats to send text messages from the North Atlantic to German navy headquarters. The cyphertext was produced by setting a series of rotors and applying a ‘plugboard’.

The original, encyphered message was as follows:

NCZWV USXPN YMINH ZXMQX SFWXW LKJAH SHNMC
OCCAK UQPMK CSMHK SEINJ USBLK IOSXC KUBHM
LLXCS JUSRR DVKOH ULXWC CBGVL IYXEO AHXRH
KKFVD REWEZ LXOBA FGYUJ QUKGR TVUKA MEURB
VEKSU HHVOY HABCJ WMAKL FKLMY FVNRI ZRVVR
TKOFD ANJMO LBGFF LEOPR GTFLV RHOWO PBEKV
WMUQF MPWPA RMFHA GKXII BG

Decoded, and translated to English, this reads:

F T 1132/19 contents:
Forced to submerge during attack.
Depth charges. Last enemy position 0830h
AJ 9863, [course] 220 degrees, [speed] 8 knots.
[I am] following [the enemy].
[barometer] falls 14 mb, [wind] nor-nor-east,
[force] 4, visibility 10 [nautical miles].
Looks

It turns out that Hartwig Looks was the captain of U-264 and among the 52 survivors of a depth charge attack by two British sloops, the HMS Woodpecker and HMS Starling, on 19 February 1944. Very interesting indeed.

Posted by Jaani at 6:44 PM | Comments (0)

December 13, 2005

Police Seize German Warez Servers

'German police have confiscated five warez servers with 6 terabytes of illegal copies of movies and games in the German town of Coburg on the fringes of northern Bavaria. The servers, with names such as Temptation and Paradise Island, were accessible to over 1 200 people for € 30 to 120 per month. Police arrested at least one 26 year old. ...'

Posted by Jaani at 2:33 PM | Comments (0)

October 27, 2005

Barnes on Spyware

Wayne Barnes (Texas Wesleyan University - School of Law) has posted Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance (UC Davis Law Review, Vol. 39, 2006) on SSRN. Here is the abstract: The spyware epidemic has reached new heights on the Internet. Computer users are increasingly burdened with programs they did not knowingly or consciously install, which place strains on their computers' performance, and which also trigger annoying "pop-up" advertisements of ...

Posted by Jaani at 9:42 PM | Comments (0)

October 15, 2005

Two Ex-Employees of Computer Maker Dell Charged With Forgery

Two Malaysian former employees of US computer maker Dell Inc were charged with forging documents, causing millions of dollars in losses to the company, a court official and news reports said Friday. Ng Chiun Khoon, previously manager at Dell's plant in Malaysia's northern Penang state, and former technician Tan Boon Hoe were arrested September 22 in China's southern province of Guizhou, the newspaper reported.

Posted by Jaani at 6:42 PM | Comments (0)

October 8, 2005

User of Lynx Web Browser Found Guilty for Intrusion

Man attempts to make donation to tsunami relief fund, gets prosecuted for cybercrime violation. This is quite astonishing:

Last January, I got an email from a trusted source swearing that a good pal of his had been arrested while making a donation to an online tsunami relief fund because he’d been using a non-standard text-based browser that triggered the donor’s intrusion detection system.

… He says that he wasn’t just using a nonstandard browser, but that he’d also probed the system when his attempt to make a donation had failed and he got a suspicion that he’d been suckered by a phishing scam.

According to the ZDNet coverage, the trial judge accepted this version of events, holding that it was not the accused’s intention to cause harm to the system. However, the offence was one of strict liability, meaning that no mens rea was required:

Cuthbert’s defence team had argued that he had merely ‘knocked on the door’ of the site, pointing out that he had the skills to break into it if he wanted.

Section 1 of the Computer Misuse Act 1990 (UK) says that it is an offence to make ‘unauthorised access to computer material’. There is no burden on the prosecution to prove that the accused had intended to cause any damage.

Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.

According to Stephen:

The details of this case are important to understand exactly how absurd the verdict was. What Daniel actually did to ‘knock on the door’ was to insert a ../../../ character sequence into the web address and a single quote into the credit card field - THROUGH HIS BROWSER. He did not use any attack ‘tools’ or ‘probes’ other than Internet Explorer. Furthermore, typing these sequences into a browser does not an attack make — it only proves that a website may be vulnerable. … I am a security consultant and not the only one to be outraged by the way this case was handled and by the outcome of the final verdict. The incompetence and ignorance of the Computer Crime Unit can be understood — but that the judge chose to interpret the vague Computer Misuse Act in this way simply beggars belief and sets a worrying precedent in UK law.

Posted by Jaani at 1:09 PM | Comments (0)

October 6, 2005

Eight charged over Star Wars leak

Dark Side of the net

Eight US residents suspected of involvement in leaking the final Star Wars film onto the net prior to its official release have been charged with copyright infringement offences.…

Posted by Jaani at 9:54 PM | Comments (0)

eBay fraudster to repay £70k

A convicted eBay fraudster has been ordered to cough up £70 000 or face an extra two years behind bars.…

Posted by Jaani at 9:51 PM | Comments (0)

Pirated DVD Seller Faces US Criminal Charges

A man convicted in China of selling pirated DVDs now faces multiple charges of copyright infringement in the United States.

Posted by Jaani at 9:27 PM | Comments (0)

September 13, 2005

Unraveled Web Fraud Reveals Inner Workings of Net Theft

The unraveling of an Internet "phishing" scam reveals the complications of busting thieves across international borders. "There's sort of a hole in enforcement," says an investigator for the Royal Canadian Mounted Police. Investigators have found suspects' inboxes emptied and evidence deleted as embarrassed victims explain how seemingly legitimate e-mails request personal information, such as credit card numbers and mother's maiden name. "Stupid me, I just went ahead and gave up everything," says one man.

Posted by Jaani at 8:48 PM | Comments (0)

September 10, 2005

Scammers, Identity Thieves Converge upon Katrina Aftermath

Jennifer Kerr of the Associated Press writes, ‘Social Security cards, driver’s licenses, credit cards and other personal documents are literally floating around New Orleans, raising the prospect some hurricane survivors could be victimized again — this time by identity thieves.

“This is probably not the most immediate concern that people have, but at a certain point they need to stop and take stock of their financial health”, Broder said Tuesday.

The FBI also warned people wanting to donate money for Katrina survivors to beware of scammers who solicit online donations to lure victims into giving up credit card numbers and other sensitive information.

“There are people out there who are willing to stoop so low as to scam people who are willing to open their hearts and wallets to people in need,” said FBI spokesman Paul Bresson.

He said the bureau has identified about 2 000 Web sites related to the Katrina relief effort. Most are legitimate, Bresson said, but the FBI is investigating about a dozen for possible fraud.’

Posted by Jaani at 10:34 AM | Comments (0)

September 3, 2005

Accused Pleads Guilty to Theft of Microsoft Source Code

'A Connecticut man pleaded guilty in federal court to selling proprietary Microsoft source code in a case that has the potential to take the issue of software piracy to a higher level.'

Posted by Jaani at 8:39 PM | Comments (0)

September 2, 2005

Alternative Browsers Impede Investigations

'Allegations in an article over at CNET propose that alternate browsers such as Firefox and Opera impede law enforcement and investigation efforts because they "use different structures, files and naming conventions for the data that investigators are after", which can "cause trouble for examiners".'

Posted by Jaani at 11:36 AM | Comments (0)

Writer of Zotob Worm Was Paid to Create it

'Now that authorities have apprehended the alleged writer of Zotob, an interesting facet of the story has emerged: Diabl0, the author, may have been paid to write the virus. A story from Elizabeth Montalbano of the IDG News Service identifies the suspects as Atilla Ekici, 21, of Turkey and Farid Essebar, 18, of Morocco. Montalbano reports: Ekici went under the code name of "Coder" and Essebar used the code name "Diabl0," said Louis M. Reigel III, assistant director of the FBI Cyber Division, in a conference call Friday. Ekici apparently paid Essebar a sum of money to write the worms...'

Posted by Jaani at 11:28 AM | Comments (0)

August 29, 2005

Spyware Manufacturer Charged with Criminal Offences

'The San Diego Union-Tribune is reporting that Carlos Enrique Perez Melara, the author of an investigative tool called 'Lover Spy,' has been indicted on 35 counts of federal hacking violations. This begs the question: if you develop and sell a software product, are you responsible for what your users choose to do with it?'

'Perez, a native of El Salvador, probably is in the Los Angeles area, said Stewart Roberts, the second highest-ranking agent at the San Diego FBI office. Crime Stoppers has offered a $1 000 reward. Perez is charged with 35 crimes, each of which carries a potential five-year prison sentence if he is convicted.'

Posted by Jaani at 11:14 PM | Comments (0)

August 27, 2005

Attorneys Say Charges May Be Dropped Against Students Accused of Computer-Tinkering

'Most of the 13 students accused of tinkering with their school-issued laptop computers to download programs and spy on administrators are being offered deals in which the felony charges would be dropped, lawyers and a family member say. In return, the students would perform 15 hours of community service, write an apology, take a class on personal responsibility and serve a few months' probation, the attorneys said.'

Posted by Jaani at 8:59 PM | Comments (0)

Two Arrested Over Computer Worm

'Turkey and Morocco on the arrests there of two men suspected of disrupting computer networks across the US last week.'

Posted by Jaani at 8:54 PM | Comments (0)

August 24, 2005

'Spammer Made Millions', Say US Federal Investigators

Christopher Smith's neighbors in an affluent Minnesota suburb didn't know exactly what he did for a living, but the feds did. In May, they shut down Smith's flagship company, Xpress Pharmacy Direct, suspected of being part of a massive unsolicited e-mail marketing campaign. Seen as one of the world's leading spammers, Smith remains free on bail as he awaits a hearing Thursday on contempt-of-court charges for which prosecutors are seeking six months in jail. He also faces a grand jury investigation.

Posted by Jaani at 2:47 PM | Comments (0)

Proposed Bill Would Confer Email Monitoring Powers on Canadian Police

'The Canadian federal cabinet will review new legislation this fall that would give police and security agencies vast powers to begin surveillance of the Internet without court authority. The new measures would allow law-enforcement agents to intercept personal e-mails, text messages and possibly even password-secure websites used for purchasing and financial transactions.'

Posted by Jaani at 12:49 PM | Comments (0)

Criminal Libel on the Internet

According to CNET News:

Oklahoma prosecutors will soon weigh whether to take up criminal charges against a former mayoral candidate accused of libeling a longtime state politician on his Web forum.

In a police report filed 16 August, former state senator and convicted felon Gene Stipe charged that Harold King had published false information about Stipe and his family on his Web forum, the McAlester Watercooler, said Captain Darrell Miller of the McAlester, Oklahoma, police force. The nature of the information was not disclosed.

Eugene Volokh comments on the constitutionality of criminal libel laws.

Posted by Jaani at 12:11 PM | Comments (0)

August 20, 2005

Ramsay on the Steve Vizard Case

'The public and media frenzy which accompanied the recent downfall of Steve Vizard overshadowed some important issues of insider trading and directors' duties. Professor Ian Ramsay reports on the case and asks what lessons can be learned.'

ASIC made two errors. First, its media release of 4 July 2005 was deficient in relation to the information that it did not disclose. First, there was no mention of the important role of the DPP. The DPP made an independent evaluation of the results of ASIC’s investigation of Vizard’s share trades and formed the view that there was insufficient evidence to bring a criminal prosecution for insider trading. This important information was missing from the media release.

Second, the media release contained no information about the legal options that were available to ASIC and the DPP for bringing enforcement action against Vizard. What this meant was that for more than a week, there was incorrect information in media discussion about the legal options that were available. This led to even more confusion and criticism of ASIC. ASIC should have outlined what its legal options were in its media release.

Posted by Jaani at 1:44 PM | Comments (0)

August 19, 2005

Internet Accounts and Probable Cause

Orin Kerr offers this analysis of the circumstances in which the existence of an internet account will satisfy the 'probable cause' requirement to search a home for evidence:

In [such] cases, the police know that an Internet account was used in a particular way potentially related to criminal activity. The police then use that knowledge to get a warrant authorizing them to search a physical place for evidence of the crime.

Posted by Jaani at 4:21 PM | Comments (0)

Online Scammers Pose as Executives for 'Spear-Phishing'

Online criminals trying to pry passwords and other sensitive information out of companies have started using fake e-mails to pose as powerful executives of the targeted organisations.

Posted by Jaani at 4:15 PM | Comments (0)

August 18, 2005

E-Mail Thief Jailed

A former AOL engineer who admitted stealing 92 million screen names and e-mail addresses and selling them to spammers is sentenced to 15 months in prison.

Posted by Jaani at 9:47 PM | Comments (0)

August 17, 2005

Nuclear Reactor Cybersecurity Targeted by New US Legislation

Under new United States legislation, operators of the US electricity grid will be subject to greater regulation of their cybersecurity practices:

A visit from the Slammer worm ... may have been in part to blame for failures at a nuclear power plant in 2003, the report said. And in March, electric industry security consultants reported numerous intrusions into control systems. No serious damage was done, they said, but the activity 'heightened concerns' about future foul play.

Of course, the sensible solution would be simply to isolate all mission-critical systems from remote networks. Connecting a nuclear reactor's monitoring computer to the internet is sheer folly.

Posted by Jaani at 12:06 PM | Comments (0)

August 13, 2005

WorldCom Fraud's 'Architect' Receives 5-Year Prison Term

Scott Sullivan, the former chief financial officer of WorldCom who was described by a federal judge as the 'architect' of the largest accounting fraud in US history, was sentenced Thursday to five years in prison. Judge Barbara Jones gave Sullivan credit for his cooperation in unraveling the WorldCom fraud and also took into account his 'extraordinary family circumstances'.

Posted by Jaani at 5:25 PM | Comments (0)

Man Convicted in Enormous Acxiom Data Theft

A man who owned an e-mail marketing company was convicted Friday of stealing information from data broker Acxiom Corp. in what prosecutors said was the largest federal computer theft case ever. The jury convicted Scott Levine, the owner of defunct e-mail marketing contractor Snipermail.com, on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice.

Posted by Jaani at 4:25 PM | Comments (0)

August 12, 2005

'Video Game Defence' Rejected By Jury

‘FAYETTE, Alabama (AP) — A 20-year-old whose lawyers claimed the video game Grand Theft Auto and childhood abuse caused him to kill three small-town police officers was convicted Tuesday of capital murder.

Defense lawyers had partly blamed Moore’s actions on the hours he spent playing video games from the Grand Theft Auto series, in which players shoot police officers and steal cars.

While the judge barred jurors from hearing testimony linking the 2003 shootings to the game, defense lawyer Jim Standridge reminded them that Moore, after his arrest, told police “Life is a video game; everybody has to die sometime.”

The victims’ families have filed a civil suit against the video game manufacturer and two stores, claiming Moore killed the three after repeatedly playing Grand Theft Auto III and Grand Theft Auto: Vice City. No trial date has been set in the civil lawsuit.’

Source: Associated Press.

Posted by Jaani at 9:25 AM | Comments (0)

August 6, 2005

Games Made Me Do It Defense Didn't Work

BuddingMonkey wrote to mention a heartening ruling from a judge who saw beyond the anti-gaming hype. CNN is reporting that Devin Moore has been found guilty of murder, in a well-publicized case where the defendant stated that video games caused his behavior. From the article: "Prosecutor Lyn Durham said Tuesday that Moore knew what he was doing when he grabbed a patrolman's gun and killed two officers and a radio dispatcher. 'And he knew it was wrong,' she said."

Posted by Jaani at 12:25 PM | Comments (0)

August 1, 2005

Jury Deliberates in Arkansas Computer Hacker Trial

Jury deliberations began Wednesday in the trial of an accused computer data thief in one of the largest federal computer theft cases to date. Scott Levine, the former CEO of bulk e-mail firm Snipermail.com, faces 144 counts from a July 2004 indictment. He is accused of stealing 8.2 gigabytes of information from Acxiom Corp. The 1.6 billion records included names, home addresses, phone numbers, e-mail addresses, bank and credit card numbers involving millions of individuals.

Posted by Jaani at 12:27 PM | Comments (0)

July 14, 2005

Aussie Speed Cameras in Doubt Because of MD5

An anonymous reader writes "A speeding case has been thrown out in Australia after the Roads and Traffic Authority admitted that it could not prove the integrity of speed-camera photos. 'The case revolved around the integrity of a mathematical MD5 algorithm published on each picture and used as a security measure to prove pictures have not been doctored after they have been taken.'" I wonder if Australian police are as (radar gun) trigger happy as they are in certain parts of the U.S.

Posted by Jaani at 12:25 PM | Comments (0)

February 27, 2005

Attention Widows: When in Florida, Never Parachute on Sunday

Two American students are intent on making criminal history by spending their summer breaking as many US laws as possible. Starting in the liberal state of California, they hope to evade the attention of local police officers when they ride a bike in a swimming pool and curse on a crazy-golf course.

In the far more conservative — and landlocked — state of Utah, they will risk the penitentiary when they hire a boat and attempt to go whale-hunting. If they manage to outwit state troopers in Utah, and perhaps federal agents on their trail, they will be able to take a deserved, but nevertheless illegal, rest when they have a nap in a cheese factory in South Dakota.

“There are thousands of stupid laws in the United States, but we are limiting ourselves to breaking about 45 of them,” said Richard Smith, from Portreath, Cornwall.

The journey, which appropriately enough begins in Alcatraz, will cover around 18 000 miles and take eight weeks — provided, of course, that Mr Smith and his accomplice, Luke Bateman, are not apprehended along the way.

Source: Gerard Seenan, Guardian Unlimited

Posted by Jaani at 3:34 PM | Comments (0)

February 23, 2005

Teenager Arrested for Sending 'Spim'

A US teenager has become the first person to be arrested on suspicion of sending unsolicited instant messages, or ‘spim’. Anthony Greco, 18, was lured from New York to Los Angeles under the pretence of a business meeting. He was arrested upon arrival at Los Angeles International Airport last Wednesday.

Greco allegedly sent 1.5 million messages advertising pornography and mortgages. According to reports, the recipients of the messages were all members of the MySpace.com online networking service.

Greco had allegedly threatened to share his methods for spimming members of the group if MySpace didn’t sign an exclusive marketing deal that would have legitimised the messages he was sending via the service. Greco believed he was flying to Los Angeles to cement that agreement with MySpace President Tom Anderson.

Source: Will Sturgeon, CNET News

Posted by Jaani at 9:40 AM | Comments (0)

February 21, 2005

Not Guilty, Pleads Lynx User Accused of Hacking

A man has denied attempting to hack into a website designed to raise funds for victims of the December tsunami, pleading not guilty to a charge of ‘causing a computer to perform a function which intended to secure unauthorised access to a program or data held in a computer’:

Daniel Cuthbert, 28, made a tsunami-relief donation using lynx — a text-based browser used by the blind, Unix-users and others — on Sun’s Solaris operating system. The site-operator decided that this ‘unusual’ event in the system log indicated a hack-attempt, and the police broke down the donor’s door and arrested him.

‘No good deed goes unpunished’, indeed!

Source: BBC News. See further: Boing Boing.

Posted by Jaani at 8:49 PM | Comments (0)

February 7, 2005

Accused 'DDoS Mafia' Go Free

Federal authorities in Los Angeles have dismissed a criminal complaint (PDF) filed last August against four men accused of performing distributed denial-of-service (DDoS) attacks for hire.

The defendants were originally accused of carrying out attacks on behalf of Jay Echouafni, a Massachusetts businessman who sold satellite TV gear via his website. At an August 26, 2004 press conference, Attorney General John Ashcroft said the attacks cost the victims, who were competitors of Echouafni, over $2 million in lost revenue and mitigation efforts.

Media reports last summer referred to Echouafni and his henchmen as the “DDoS mafia.” … His attorney, Richard Cline, declined to comment on the case. Kirch said he recently spoke with Ashley, and he believes Ashley is remorseful and hopes to arrange a plea agreement with prosecutors.

Source: Brian McWilliams, O’Reilly Network

Posted by Jaani at 11:05 AM | Comments (0)

January 28, 2005

Internet Worm Creator Sentenced to 18 Months

A 19-year-old Minnesota resident was sentenced in a US District Court today to 18 months in prison and an additional 10 months of community service for releasing a variant of the Blaster worm in 2003. Jeffrey Lee Parson had originally pleaded innocent to the charges, but last summer had a change of heart and pleaded guilty to one count of intentionally causing or attempting to cause damage to a protected computer.

He could have gotten 10 years behind bars, but the judge took pity on him, saying his neglectful parents were to blame for the psychological troubles that led to his actions… The Internet ‘has created a dark hole, a dungeon if you will, for people who have mental illnesses or people who are lonely,’ US District Judge Marsha Pechman said. ‘I didn’t see any parent standing there saying, “It’s not a healthy thing to lock yourself in a room and create your own reality.”’

This and other convictions have done little to diminish the creation and spread of new worms and viruses.

Source: Eric Bangeman, Ars Technica

Posted by Jaani at 7:53 PM | Comments (0)

May 10, 2004

US to Prosecute for Cyberstalking

Recent amendments to the United States Code are about to be tested by prosecutors in the District of Columbia, who have charged one Robert Murphy with 26 counts of using a telecommunications device 'to annoy, abuse, threaten and harass'.

The facts of the case reflect an increasingly common experience for ex-partners and employees: the accused and the victim became involved in a relationship when she was 15, which was terminated when she was 22, 13 years ago. Over a period of 5 years, it is alleged that Murphy sent 'obscene and sexually explicit messages and pictures' to his ex-girlfriend and her colleagues via e-mail. Investigators say they have evidence that suggests Murphy used information publicly available on the Internet to follow his ex-girlfriend as she moved between states, houses, and jobs.

The victim said she ignored this conduct for the first four years, Murphy not having made any attempts to contact her in the analogue world. She deleted the messages and their attachments for a period of four years, but then - after prohibitions on stalking were amended in 1997 to include electronic harassment - she approached police, saving the messages for evidence.

Murphy is the first person to face charges since the amendment of 47 USC 223, which provides that:

Whoever - by means of a telecommunications device knowingly - makes, creates, or solicits, and initiates the transmission of, any comment, request, suggestion, proposal, image, or other communication which is obscene, lewd, lascivious, filthy, or indecent, with intent to annoy, abuse, threaten, or harass another person; shall be fined under title 18 or imprisoned not more than two years, or both.

If Murphy's communications are proved to be as the victim claims, it seems likely that the conduct will fall under the ambit of s 223 (a)(1).

The required intent is that to 'annoy, abuse, threaten, or harass'. It will be interesting to see what evidence is adduced by the prosecution from which an inference of intent may be drawn; for though 'the assaults [the victim] suffered are no less real' than their physical counterparts, the mere sending of e-mail messages would not appear to be capable of giving rise to an inference of an intent to harass in the same way that, for example, repetitious acts of sending flowers or following her home might.

If this were the case, then the sending of bulk commercial e-mails (provided for under s 233(2) of the Code) - particularly those of a sexually explicit nature - might also be considered harassment. Such violations would incur a $50 000 penalty per violation (of which there is a limit of one per day; s 233 (4)).

Upon closer examination, two problems with the legislation's wording become evident, though neither is applicable to the facts of the present case. Firstly, an accused is only required to 'initiate the transmission of' an offending communication. The requirement of mere initiation (rather than receipt) makes it possible for messages sent, but not received - as, for example, a result of 'filter[ing], screen[ing], or disallow[ing] content' - to still attract liability.

Such a definition is unwanted because it reconceptualises the crime of stalking as one based on acts and not consequences. This does not draw adequate attention to the effect of the accused's conduct upon the victim, which should, I would submit, be the locus of the crime. Thus, whether sending a particular electronic message is capable of constituting an assault should be predicated upon the victim's actual apprehension of harm or feeling of harassment, and not any objective assessment of whether the content or nature of the message is 'obscene, lewd, lascivious', or the like.

The second problem is one of knowledge. In an electronic context, it is possible for messages to be delivered automatically, or without the sender's consent (as, for example, is the case with forged address headers used to mask the real sender of mail). The ease with which electronic communications can be forged or redirected poses real problems, possibly leading to false accusations.

The legislation does provide for 'knowingly' allowing a communications service under the accused's control to be used as a vehicle for stalking (s (d)(2)) - but this requirement could go too far. Courts have, in the past, treated electronic evidence in respect of a requirement of knowledge very leniently, allowing an accused to easily disavow knowledge of their wrongful conduct (the so-called 'luddite defence'). A better solution might be to simply emphasise the requirement of voluntariness. If an accused doesn't send a message voluntarily, they cannot be held liable for its effect upon the recipient.

The anonymity of electronic communications could also pose a difficulty. Though a victim may know the identity of his or her aggressor, how are prosecutors to prove a connection between the sender and the accused? Such a problem is, however, less concerned with the legislation itself, and more a problem of cyber criminal law generally.

Regardless of the issues facing the new legislation, it would appear it is a step in the right direction. As the Internet continues to broaden the possibilities for electronic communication - with online dating, instant messaging, community forums in increasing use - the possibilities for harassment and assault widen. Legislation that addresses the specific problems associated with electronically-committed assaults, but which retains unity with conventional common law approaches, is essential if legislators are to arrive at a workable framework for the prosecution of electronic offenders.

Posted by Jaani at 11:47 AM | Comments (0)

January 9, 2004

Counterfeit Circumvention Angers Photoshop Users

This thread in Adobe's Photoshop Users forum details a rather unusual feature that debuted with the release of the latest incarnation of popular image-editing software Photoshop. The latest version uses an image-analysis algorithm to detect the presence of an image of United States or European Union currency, and disables access to the file. The motivation is obviously to curb growing computer-enhanced counterfeit currency, but the implementation is causing a furor with consumers who don't appreciate such intrusive prior restraint.

The algorithm operates by examining the blue alpha channel of an image, attempting to scale and transform reference eigenvectors into corresponding patterns in the image being analysed. The reference pattern which produces the most accurate results has been found to be a series of small circles on the currency, similar to the EuroStar pattern in EU currency. Their distance and distribution across the note is also factored into the analysis.

Technical operation aside, two arguments are commonly raised against the inclusion of this 'feature': 1) legitimate artistry will be prevented due to either a) a false-positive match; or b) the introduced limitation upon subject matter; and 2) being government works, the images aren't protected by copyright, are important symbolic items, and are legally able to be maintained in digital form, so what right does a software manufacturer have to restrict this use?

To test the first claim, I downloaded several images of US currency: firstly, a high-resolution picture of a $1 note; secondly, a lower-resolution compressed image of a $5 note; thirdly, a zoomed-in portion of a note; fourthly, the government seal and serial number; fifthly, a picture of a pile of money; sixthly, an unfurled group of notes such as might appear in a person's hand in the background of a photograph. Loading each of them into the latest build of Photoshop CS, not a single image was blocked.

The first false-positive!

However, the above image - which depicts an abstract green blob completely unlike a bank note - was detected as fraudulent. One user on the Photoshop forums has devised a workaround to avoid detection: simply open the file in an older version of Photoshop (or ImageReady), add a layer of black above the money/false-positive layer, then save and reopen in Photoshop CS. You should now be able to open the file, unhide the top layer, and proceed to perform your evil deeds normally. Ahem.

With regard to the second argument, while it is true that - though fraudulent intent alone is sufficient to constitute a felony under Title 18, Section 472 of the United States Code - it is only an offense to produce a printed reproduction of a (Title 18, Section 474), studies have shown that more than 40 percent of currency forgery now begins with a digitally edited image. Adobe has every right to include or restrict access to any aspect of their product. I'm surprised that there has not been more fervent advocacy for a similarly-premised child pornography filter -- though if current pornography detection algorithms are as inaccurate as this article indicates, there would be some interesting results.

Given the inability of the algorithm to detect low or even medium resolution images of banknotes in typical environments, the algorithm poses little threat to creativity. In fact, (though I've yet to actually see a note positively identified) all the check really seems good for is preventing access to images that would really only be used for non-philatelic, artistic, or academic purposes. To this end, the software is consistent with the governing legislation:

s 472 - Uttering counterfeit obligations or securities

Whoever, with intent to defraud, passes, utters, publishes, or sells, or attempts to pass, utter, publish, or sell, or with like intent brings into the United States or keeps in possession or conceals any falsely made, forged, counterfeited, or altered obligation or other security of the United States, shall be fined under this title or imprisoned not more than 20 years, or both.

[...] There must be sufficient resemblance to the genuine article to deceive a person using ordinary caution. [emphasis added]

Clearly, any low-resolution image will not satisfy the requirement of sufficient resemblance, so the check does not intrude upon non-infringing activities.

Whilst I'd stop short of congratulating Adobe for their inclusion of a government regulatory function in privately owned software, the check will - based on my initial tests - hinder very few (if any) legitimate ends. Of course, the efficacy of the measure at preventing real counterfeiting taking place remains dubious; firstly, the would-be counterfeiter would need to be using the latest, inordinately expensive, retail version of Adobe's software (and not, as would be far more likely, an older, pirated version). Secondly, there are numerous alternatives (such as The GIMP) without the check. Thirdly, the main problem in counterfeiting notes is not obtaining or producing the correct image (high resolution scanners are very cheap these days, and incorporate no such protection), but obtaining the correct paper and printing it.

This is not the first time prior restraint has been exercised by a software manufacturer over end users. Jasc Software's Paint Shop Pro incorporates similar anti-fraud protection measures in its more recent versions. DVD players have Macrovision compulsorily built in to prevent unauthorised copying or stream capture, despite potentially non-infringing uses. What, then, is so remarkable about Adobe's (flawed) implementation?

Posted by Jaani at 12:56 PM | Comments (3)

October 20, 2003

Trojan Horse Defence Valid

A jury in the Southwark Crown Court, London, has acquitted a teenager of various cyber crimes after his counsel successfully used the 'Trojan Horse' defense. Aaron Caffrey, aged 19, was charged with launching a denial of service (DoS) attack from his personal computer against a mainframe computer owned by the Port of Houston in Texas, United States, but claimed that the attack was not his doing - but that of a rogue hacker who infiltrated his computer and used it as a base for the attack.

Caffrey was able to dodge criminal provisions in the Computer Misuse Act 1990, like the defendant in Schofield v R. In this case, a man accused of possessing 14 images of an illicit, pornographic nature was acquitted by claiming that the images were not downloaded onto his computer by him, but rather, an unknown malicious agent.

Outside court Mr Caffrey's barrister, Iain Ross, said his client was "delighted" he had been cleared but he had been left "very nervous and a little bit shaky". He went on: "He wishes to say that this ordeal has been a dark cloud hanging over him for the last two years. He had always insisted he was not guilty and that he was a victim of a criminal act rather than being a criminal himself."

Many have criticised the defense as allowing cyber criminals to evade conviction, but I don't think this argument applies to Caffrey's case. Prosecutors failed to establish motive and intent to commit a crime (vaguely citing 'revenge' against an online chat user who insulted his American girlfriend), and evidence raised by the defense seems to justify the jury's finding that it was not 'beyond reasonable doubt' that the attacks were knowingly committed by the defendant. The jury obviously found it compelling, deliberating for only 3 hours before returning with a not guilty verdict.

Of course, it seems somewhat suspicious that Aaron himself was the founder of a British hacker league called Allied Hax0r 31337, and that there was (miraculously) no evidence at all that his computer had been compromised, but evidently this was sufficient to satisfy reasonable doubt. There were no log files (granted, though, it was a Windows machine with many logging options disabled, and many Trojans do clean up after themselves), and Caffrey himself admitted no evidence of suspicious activity until he was arrested in January after authorities traced the attack to his home in Shaftesbury, Dorset.

The defense does seem to hold up to scrutiny, but needs to be tempered with common sense. Computer users do need to take some responsibility for how their property is used by others, but this shouldn't unfairly disadvantage those without the knowledge to protect themselves. Several times a week I get calls from clients or friends wondering why their computer is suddenly displaying popup advertisements everywhere or trying to dial a foreign phone number. When coupled with the realisation that a good black hat (cracker) can very easily manufacture activity logs utterly indistinguishable from the real thing, falsify configuration files, plant hacking scripts and files on a user's computer without their (direct) consent, and launch attacks remotely with a frightening amount of ease, there is a clear need for the Trojan Horse defense. These people simply don't have the knowledge to protect themselves against an increasingly hostile internet filled with spyware and viruses. A side note:

Latin already had a word viri, but it was the nominative plural not of virus (slime, poison, or venom), but of vir (man), which as it turns out is also a 2nd declension noun. I do not believe that writers of English who write viri are intentionally speaking of men. And although there actually is a viri form for virus, it's the genitive singular, not the nominative plural.

[...] Those confused souls who write *virii are tacitly positing the existence of the non-word *virius, and declining it as though it were like filius... *Virii is still completely silly, so don't do that; otherwise, everyone will know you're just a blathering script kiddie.

But I digress.

To draw an analogy, if my car were to be stolen, I could not be held responsible for criminal or tortious acts committed by the thieves (consider, for example, the owner of the car used by the plaintiffs in Gala v Preston). Note, however, that this is not the situation in Caffrey's case. The defendant admitted to being a member of a cracker group and was clearly aware of the risks associated with computer security, so a more appropriate analogy may be that of leaving an automatic weapon unsecured. (Further, the defendant in this case was using Microsoft Windows, so it's more like the weapon was left unattended, loaded, and in a school playground.)

At any rate - as a matter of policy - it is no excuse for the owner of an object possessing actual knowledge of its inherent capability to cause serious harm to third parties, who has the required knowledge and skill to take measures to prevent this harm being caused, and where the measures of prevention are cheap and effective, to not take any steps to prevent unauthorised use. Of course, this is hardly a wrong for which criminal action is justified - if, indeed, Caffrey is telling the truth. The Port of Houston may, however, wish to bring a civil action in negligence against the defendant for failing to take reasonable care to prevent a foreseeable risk of harm. A civil suit seems the best way to deal with Caffrey's contumelious disregard for the safety of his fellow netizens without causing undue criminal ramifications.

Legal commentators are predicting "immense implications" for the use of this defense in future cybercriminal prosecutions, prompting some to call for a system of court-appointed expert witnesses to evaluate the plausibility of the defense by performing a detailed technical examination of the facts of the case at bar. Computer forensics will indeed be a growing area (and - ironically - an interesting career path for hackers-turned-security-experts), but courts need not baulk at the technical nature of the defense. In a vast majority of cases, careful analysis of the evidence by each party is sufficient to determine its applicability.

Posted by Jaani at 12:01 PM

September 5, 2003

'Brazen Theft' at Sydney Airport

According to The Age, two men "of Middle Eastern appearance" were successful in a cunning theft of several million dollars worth of high-tech mainframe computers from the cargo and intelligence centre of Sydney International Airport.

Authorities are more concerned about the use to which data contained on the servers will be put than the loss of the equipment (they have backups, right?), noting that terrorists have the most to gain (though the Australian Customs Office was quick to deny the loss of any sensitive information).

The theft went something along the lines of The Thomas Crown Affair:


They presented themselves to the security desk as technicians sent by Electronic Data Systems, the outsourced customs computer services provider that regularly sends people to work on computers after office hours.

[...]They spent two hours disconnecting two computers. They put them on trolleys and wheeled them past the security desk, into the lift and out of the building.

The theft took place on 27 August, but I'm not surprised it hasn't come to light until now. The security staff must be rather embarrassed, especially since they didn't even bat an eyelid as several servers were wheeled right past them! I suspect that the airport management have been in silent denial about the incident for the past week. More information as it comes to hand.

Posted by Jaani at 11:05 AM | Comments (0)

August 19, 2003

Trojan Horse a Valid Defense

A British Court has acquitted Julian Green, an individual accused of possessing child pornography when police seized his computer in October 2002.

This month, Mr. Green was acquitted in Exeter Crown Court after arguing that the material had been gathered without his knowledge by a rogue program created by hackers -- a so-called Trojan horse -- that had infected his PC, probably during innocent Internet surfing. Mr. Green, 45, is one of the first people to use this defense successfully.

This case may pave the way for the legitimation of the defense for computer crimes generally, and has extensive implications upon the evidential requirements for successful cyber-criminal prosecutions. Part of the dubiety of this defense is that it is a difficult, highly technical process to prove whether or not the alleged actions (or, in this case, accesses of illicit materials) were performed knowingly and with mens rea.

Many backdoor (Trojan) programs are capable of depositing files onto an unsuspecting user's hard drive, deleting or modifying files and preferences, and potentially fabricating a trail of misleading evidence. Careful analysis of system logs and temporary files is essential, but a competent cracker (or accused, for that matter) could easily cover their tracks sufficiently to mislead investigators. The practical effect is to render proof beyond reasonable doubt very difficult to attain, meaning that future possessors of illicit materials may be incorrectly acquitted.

The highly specialised nature of computer evidence and the often meagre technical knowledge of legal professionals, juries, and judges are troubling. A careful prosecuting attorney may be able to misleadingly construe evidence against an innocent accused, or we may enter a new era of expert witness battles. One approach adopted by the Fourth Circuit Court of Appeals was to accept evidence obtained by a vigilante hacker who spied on the accused and reported illicit material to law enforcement authorities. His defence counsel claimed that the means by which evidence was obtained was unlawful and in violation of his Fourth Amendment rights, but the appeals panel - reversing the decision of the Virginia District Court - held that there was no violation because the hacker was not a member of or working in collaboration with government law enforcement at the time of obtaining the evidence.

While this approach has its merits, it does appear to condone the illegal use of computers by individuals and vigilante law enforcement thereby (even if for the sake of society's current spectre). Vigilante hackers get off scot-free, while others face jail terms longer than purveyors of the illicit materials in question! A fair (but practicable, lawful) way to examine digital crimes must be implemented if we are to prevent injustice, but exactly how this might be done remains largely uncertain.

Posted by Jaani at 2:58 PM

August 12, 2003

Blaster Seizes Control, Politburo Disbanded

Okay, so that last part was a joke. In stark contrast comes the rapid spread of a new internet worm, which seems to have taken many by surprise and is continuing to infect users with unprecedented rapidity.

It goes by several names - MSBlast, W32.Blaster, Lovsan - and has a relatively mild (but annoying) payload: it uses a DCOM RPC exploit to shut down a critical system service and cause the infected computer to reboot at random intervals. It will also attempt to send itself on to another computer by generating a random IP address and sending a TCP request to port 4444 of the target host.

More information and removal instructions can be found here. Note that many anti-virus programs will not detect or remove this virus; if you have received it, follow the removal instructions above, then visit the WindowsUpdate site and apply the necessary security patches to bring your computer up to date. Even if you haven't received the virus, apply said patches anyway, since you don't actually need to open any e-mail attachments to be infected. Your computer just has to run Windows XP or 2000 and have ports 4444, 135, and 136 open (which is likely to be most of you).
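The spreading behaviour described above leaves a recognisable trace in connection logs: one source opening TCP connections to many different hosts on the same port within a short time. The following is an added example, not part of the original post, that flags this pattern; the log format, addresses, window and threshold are constructed assumptions, and the watched ports are simply the ones the post names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports taken from the post's text; adjust for the environment being monitored.
WATCHED_PORTS = {135, 136, 4444}

# Constructed sample in a simplified, made-up format:
# date time action proto src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#constructed sample: date time action proto src dst sport dport
2003-08-12 20:00:01 OPEN TCP 10.0.0.23 198.51.100.7 1034 4444
2003-08-12 20:00:03 OPEN TCP 10.0.0.23 198.51.100.8 1035 4444
2003-08-12 20:00:04 OPEN TCP 10.0.0.40 10.0.0.2 2201 135
2003-08-12 20:00:05 OPEN TCP 10.0.0.23 198.51.100.9 1036 4444
2003-08-12 20:00:06 OPEN TCP 10.0.0.51 203.0.113.1 3000 4444
2003-08-12 20:00:07 OPEN TCP 10.0.0.23 198.51.100.10 1037 4444
2003-08-12 20:00:09 OPEN TCP 10.0.0.40 10.0.0.2 2202 135
2003-08-12 20:00:11 OPEN TCP 10.0.0.23 198.51.100.11 1038 4444
truncated line
2003-08-12 20:00:13 OPEN TCP 10.0.0.23 198.51.100.12 1039 4444
2003-08-12 20:03:06 OPEN TCP 10.0.0.51 203.0.113.2 3001 4444
2003-08-12 20:06:06 OPEN TCP 10.0.0.51 203.0.113.3 3002 4444
2003-08-12 20:09:06 OPEN TCP 10.0.0.51 203.0.113.4 3003 4444
2003-08-12 20:12:06 OPEN TCP 10.0.0.51 203.0.113.5 3004 4444
2003-08-12 20:12:07 DROP TCP 10.0.0.60 10.0.0.2 4000 4444
"""


def parse_line(line):
    """Return (timestamp, src, dst, dst_port) for an opened TCP connection, else None."""
    parts = line.split()
    if len(parts) != 8:
        return None  # comment, truncated or otherwise malformed line
    date, clock, action, proto, src, dst, _sport, dport = parts
    if action != "OPEN" or proto != "TCP":
        return None
    try:
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        return ts, src, dst, int(dport)
    except ValueError:
        return None


def find_scanners(log_text, window_seconds=60, min_targets=5):
    """Map (src, port) -> peak number of distinct hosts contacted inside the window.

    Only sources reaching min_targets are returned. Lines are assumed to be
    in chronological order, as they would be in an append-only log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (src, port) -> deque of (timestamp, dst)
    flagged = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, src, dst, port = record
        if port not in WATCHED_PORTS:
            continue
        queue = recent[(src, port)]
        queue.append((ts, dst))
        # Drop connections that have fallen out of the sliding window.
        while ts - queue[0][0] > window:
            queue.popleft()
        targets = {d for _, d in queue}
        if len(targets) >= min_targets:
            flagged[(src, port)] = max(flagged.get((src, port), 0), len(targets))
    return flagged


if __name__ == "__main__":
    for (src, port), count in find_scanners(SAMPLE_LOG).items():
        print(f"{src} contacted {count} distinct hosts on TCP {port} within 60s")
```

Counting distinct destinations rather than raw connections keeps a workstation that repeatedly talks to one server on port 135 from being flagged.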

Fortunately, removal is relatively simple. At best, it necessitates running a simple patch. TrendMicro also have a patch available. At worst, it involves editing the registry and deleting the errant executable file.

The security flaw that the virus exploits was discovered over a month ago, and a security advisory and subsequent patch were immediately released by Microsoft and CERT. The worm (note the distinction) only affects users who have not applied the patch.

Of course, the real victims in all this are not computer users, corporations, or even the many hapless government departments which found themselves shut down (literally) - no, the real victims are the squadrons of exasperated IT support desk operators, each of whom must be inundated with calls from ignorant users who have no idea why their computers continue to reboot.

It's sad, really. Helpdesk operators become irate at the average user's inability to be prompt about installing security patches and the like, while the average user calls up their computer manufacturer or ISP, wondering what on earth is happening to their 'productivity tool'. While it's by no means ideal to have to install barrages of hotfixes, service packs, virus-scanners, hardware firewalls, NAT configurators, port-blockers, and software patches, it's also naive for consumers to expect that their whizz-bang piece of hardware is going to exempt them from software problems that plague other users.

Not since Code Red has an internet worm infected so many so quickly. And users have until 16 August before any infected computers simultaneously activate a worldwide denial of service attack upon the root WindowsUpdate server. Funnily enough, though, many users are reporting that they will allow the worm to remain on their computer until after the 16th of the month, so they may participate in what promises to be one of the largest DoS attacks in recent years. I pity the WindowsUpdate server administrator...

Posted by Jaani at 8:13 PM | Comments (0)