Friday, January 27, 2012

Judge Orders Defendant to Decrypt Laptop | Threat Level |

Judge Orders Defendant to Decrypt Laptop | Threat Level |

This decision has left me wondering, why would someone volunteer to decrypt their laptop? Isn't it the equivalent of telling the police where you hid the murder weapon? You can order someone to do it all you want, but the fact is I can't think of a reason the person would be motivated to give it up. In the end, I guess its the same as a murder weapon; you hope that the more cooperative you are with authorities the less of a sentence you receive as a result of the crime.

This portion of the case was really just a test to see if revealing a password *could* be protected under the 5th amendment, which it is not. I doubt this precedent is going to change much either in police work or in court cases.

Wednesday, January 25, 2012

Gov't and IP, takedown of

It is an interesting coincidence that in the same week time frame that SOPA/PIPA are to be voted on here in the US, is taken offline and its owner being brought up on charges. The US Gov't has conveniently listed them on the home page of for us to reference. I think there a couple of interesting points to be made out of these recent events.
  • SOPA/PIPA are both the wrong tool for the right job. Certainly we expect the government to take steps to protect people's intellectual property (IP) and their copyrights. What we're challenged with, however, is the history of "personal use" when duplicating quality was a problem, and both the originators of the content and the people making personal copies were satisfied with the quality of the copy. Laws and content owners were satisfied (or at least told to be satisfied) with people making copies of media for their own use. Those who are old enough to remember... We copied each other's vinyl albums onto cassette tapes.  We made mix tapes from songs recorded from albums or the radio. We bought VCRs specifically to record our favorite TV programs from network, broadcast TV. And all was good, and the law was on our side. Only when technology improved to create near, or even exact, copies of the content were the content providers not satisfied with the laws of "personal use" and sought to change the laws. I would argue that they instead should keep focusing on managing the technology of content delivery. Yes, its a hard problem and one that is going to take a long period of time to resolve. Where content providers are challenged with delivering a product that can be easily copied and distributed, they should not be creating an onerous legal environment which has significant ramifications to more than just their content distribution.
  • Did do something illegal? They should likely be prosecuted for their role in promoting privacy. I say likely, because I'm not privy to the evidence the government has. In matters of prosecution for information security related things, they've been pretty good. The fact that Kim Dotcom barricaded himself in his mansion on the distant island (at least from the US authorities) of New Zealand probably says something about how he feels about his own business dealings as well. Not that its evidence of wrongdoing but...
  • Shuttering a site that is not used exclusively by evildoers is not a good solution. There should be a better method for dealing with shutting down sites which hold legitimate consumer data. While I believe MegaUpload intentionally catered to the people who wanted to share illegally copied content, I have to imagine that some of that 50 million user base statistic are legitimate users of a functional service. I believe, that similar to how failing banks are transitioned to new banks, sites and data should be transitioned to similar services. How that exactly happens, I'm not sure, and I'm sure it would be challenging, but the point is that consumers are left without their data because the government shut down a site that was providing services to law abiding citizens, unknowingly supporting a (likely) criminal enterprise. People's ownership and stewardship of their data is going to become more and more of an issue as our lives are increasingly data driven.
Comments? I'd love to hear them.


Wednesday, January 4, 2012

uCertify's Computer Hacking Forensic Investigator PrepKit initial impressions

I received an offer from uCertify to review their "PrepKit" for the EC Council's Computer Hacking Forensic Investigator certification. Given I'm a security geek and hold several certifications, I thought I'd see what it's like. They call this the 312-49 PrepKit.

Initially, the UI looks good and the process of taking the first assessment test was good. Lets face it, the requirements of a test UI isn't rocket science, however it is hard to do well. I think uCertify has done a good job at this component. I was a little challenged in the initial assessment questions around specific tool names, so I'm eager to understand the rest of the test questions to see if this is a quality test prep for that exam.

As soon as I am done with the full review I will post it for you all.