Monday, August 31, 2009

Judge Officially Reverses Drew Conviction

In case you weren't following the Lori Drew case, she had been convicted of a misdemeanor for violating the Computer Fraud and Abuse Act (CFAA) by violating the terms of service of MySpace when she created her account.

The judge has just recently overturned the conviction. Analysis and coverage are available from several places.
Congratulations to one of her lawyers, Orin Kerr, whose analysis of the Ninth Circuit's opinion I posted about last week.

Friday, August 28, 2009

Important Legal Decision Regarding the Fourth Amendment and the Plain View Exception

Some interesting discussion this week of a case recently decided in the Ninth Circuit. The case is "United States v Comprehensive Drug Testing". The decision is here.

Essentially, the Ninth Circuit is trying to proactively eliminate the plain view exception to the warrant requirements of the Fourth Amendment when applied to computer searches.

I can't do the decision justice or put it in context. I recommend reading the following posts if you're interested in learning more. There are some excellent discussion topics on the first blog post below.

The closest analogy I can draw is to the collection minimization requirements for wiretaps. The Ninth Circuit is essentially imposing collection/search minimization rules on computer searches. Whether they have the authority to do so is an interesting constitutional question.

Personally, I think this is a pretty good idea; we'll just have to see whether it passes muster constitutionally.

Monday, August 03, 2009

Extortion or Responsible Disclosure?

I was just reading an article in Wired - "Electronic High-Security Locks Easily Defeated at DefCon".

A quote from the article:
The lock makers say they can’t respond to the issues Tobias is raising until he tells them exactly how his attacks work. But before he’s willing to give them the details, Tobias has insisted the makers agree to fix the vulnerable locks retroactively with no cost to customers who have already purchased them. Something they refuse.

It got me thinking: I've never heard of anyone doing this in the software world. For those who just have a website, I suppose this kind of threat isn't too big a deal. Most reasonable software vendors provide patching on an ongoing basis, but for those who don't, is anyone aware of any cases like this? A researcher requiring the vendor to promise to fix the product before they disclose the defect?

Software Assumptions Lead to Preventable Errors

Here is a paper I co-wrote with Gunnar Peterson for IEEE Security & Privacy magazine. The title is pretty much the subject of the piece: how assumptions made in the development process, and the associated lack of documentation and explicit statement of those assumptions, lead to preventable errors. We cover some techniques for documenting assumptions across a number of areas of the product lifecycle. Hopefully there are a few ideas here about formally documenting assumptions that you'll find useful.

Note: This article is Copyright IEEE and was originally published in IEEE Security & Privacy magazine, vol. 7, no. 4, 2009, pp. 84-87.