Archive for the ‘Governance’ Category

Well, another Cyber-Monday has come and gone. According to initial reports, it was a good day for retailers and for customers with lots of deals available. I hope that you were successful with your holiday shopping and more importantly, that you were safe with your online shopping.

For those of you who are still shopping, a few quick security reminders.

  • Be very suspicious of any “convenient” link in an email or instant message. The text you see and the address the link actually opens can be two different things, and phishing messages are built to look like legitimate advertising. Type the retailer’s address yourself rather than clicking.
  • Look for the https prefix in the address line. That tells you the connection is encrypted, not that the site is honest; a phishing site can use https too, so check the domain name as well.
  • If the deal sounds too good to be true, it probably is. If you’re suspicious, take your business somewhere else.
  • Make sure your own computer protections (anti-virus, firewall, patches) are up-to-date.
  • Always use a credit card, never a debit card. A fraudulent credit charge is a dispute with the card issuer; a fraudulent debit charge is money already gone from your bank account. And check your statement carefully for charges you don’t recognize.
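
The first two reminders above come down to one mechanical check: does the link go where its visible text says it goes, and is it https? The following is an added example, not code from the original post, that runs that check over a constructed promotional email (only the reserved example.com and example.net names are used, so none of the links are real). The `registrable()` helper is a deliberately naive stand-in for a Public Suffix List lookup and is labelled as such.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a promotional email. Only RFC 2606 reserved names
# (example.com / example.net) are used; none of these links are real.
SAMPLE_EMAIL = """
<p>Cyber Monday deals end tonight!</p>
<a href="https://www.example.com/deals">https://www.example.com/deals</a>
<a href="http://www.example.com.example.net/login">www.example.com</a>
<a href="https://www.example.com@example.net/">https://www.example.com</a>
<a href="http://example.com/deals">Click here</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(url):
    """urlsplit() that also accepts scheme-less text such as 'www.example.com'."""
    return urlsplit(url if "://" in url else "http://" + url)


def registrable(host):
    """Last two labels of a host name, e.g. 'www.example.com' -> 'example.com'.
    ASSUMPTION: a toy heuristic; production code should consult the Public
    Suffix List so that names like 'co.uk' are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text):
    """Return a list of reasons this link deserves suspicion (empty if none)."""
    findings = []
    target = split_url(href)
    real_host = (target.hostname or "").lower()

    if target.scheme != "https":
        findings.append("not https")

    # If the visible text looks like an address, the reader will trust it;
    # make sure it points where it says it does.
    looks_like_address = "." in text and " " not in text
    if looks_like_address:
        shown_host = (split_url(text).hostname or "").lower()
        if shown_host and registrable(shown_host) != registrable(real_host):
            findings.append(
                f"text shows {shown_host} but link goes to {real_host}")

    # 'https://www.example.com@example.net/' really goes to example.net;
    # everything before '@' is user info that browsers ignore or warn about.
    if target.username:
        findings.append("userinfo before host")

    return findings


def audit(html):
    """Audit every link in an HTML fragment; returns [(href, text, findings)]."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in audit(SAMPLE_EMAIL):
        status = "OK" if not findings else "SUSPICIOUS: " + "; ".join(findings)
        print(f"{text!r:40} -> {href:50} {status}")
```

Of the four links, only the first passes. The second hides the real domain behind a lookalike subdomain, the third uses the user-info trick so the part before the @ is ignored by the browser, and the fourth is plain http with text that tells you nothing about the destination. Mail clients do not make these differences obvious, which is why hovering, or simply typing the address yourself, is the safer habit.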

The more interesting question, though, may be whether your online shopping was “legal”. It’s called Cyber-Monday because so many people wait until they’re back at work and can use their company’s high-speed connections for their shopping. Are you allowed to do that under your company’s Acceptable Use policy? If you are in charge of setting the policy, should it be allowed?

Dan Lohrmann (of GovSpace fame) wrote an article for CSOonline titled Cyber Monday & Redefining Acceptable Use – Again in which he recaps the history – and confusion – of acceptable use policies. In these days of social networking (Facebook, Twitter, LinkedIn, wikis, etc), it seems so much more complicated. Should we allow it? Should we block it? Is it all-or-nothing or should we try to decide by categories? If we treat all employees the same, how do we accommodate the departments (say, Marketing) with special needs? What are we paying employees for anyway?

Lohrmann rightly says that this is a management problem that goes “back to the basic boss/employee accountability questions” and offers some hope that once Management decides on the right policies, the latest generation of tools can help to enforce them.

I’ll go further and say that despite all the hype, this is not a new problem. Because it’s not a new problem, using tools to cover it over is a placebo. The problem is employee (and supervisor) behavior. You need to know whether your people are getting the work done that you expect and pay them to do. And if not, you need to know that your supervisors are finding it and taking corrective action. If the work is getting done even on Cyber-Monday, why do you care if they spend their spare time at Amazon?

Note: I categorically reject the definitions of “expected work” that are based on hours. In my experience, employees have an intuitive levelset for how much work they should be doing given the pay, perks and culture (and offset by the animosity created by bad managers). Attempts to increase productivity by ‘taking away distractions’ just cause employees to find other distractions. They always have and they always will. The joke about the two-hour rule long pre-dates the Internet.

More than that, I believe that they understand and levelset productivity in terms of business results. No matter how you pay me, if I’m only making one widget an hour, I’m not meeting expectations. On the other hand, if I’m cranking out 150, you have no right to care that I can do it while spending half my day at the water cooler because if you try to push me for 300 I’m going to slack back to the 20 or so that my co-workers average.

To be blunt, if you lock down the computer, you are not going to get that productivity back.

The next question then is why your supervisors aren’t fixing the poor performers. It could be that they don’t understand the expectations. Specifically, you haven’t made them ready to be good supervisors. Or maybe they’re just lazy or, worse, too conflict-averse. Anyone can be a supervisor but not everyone can be a good supervisor. The point, though (and my apologies for the long-winded way around to it), is that technology is not a replacement for good supervision. You need to know what your people are doing. You need to know that work is getting done and done properly. Acceptable use policies intended to affect “productivity” are the lazy way out and using them will get you the lazy-man’s result.

That’s not to say that Acceptable Use policies don’t have a place. Acceptable Use policies should put clear boundaries around how the employee’s behavior can affect the company’s reputation (which is why restrictions on gambling and hate sites are defensible) or how they can affect other employees (the hostile workplace implications of sexually explicit sites) or even how they affect corporate resources like bandwidth (which is why we blocked internet video for the longest time – not because Howard Stern needed censoring but because we’re at the end of the pipe and streaming media usage led to a measurable degradation of business traffic). But Acceptable Use policies must be based on a direct adverse impact to the company. And it must be a clear enough connection that good employees self-censor rather than try to get around the blocks.

Acceptable Use, especially the “productivity” aspect of Acceptable Use, is more than just a management tactics question – it’s a management philosophy question. It’s a question about trust. The answer affects the whole tone and culture of your company.

Pennsylvania just enacted the Consumer Protection Against Computer Spyware Act. I appreciate that legislators are finally starting to take computer security seriously though this law may be more bark than bite.

Briefly, the law makes it a state crime for any “unauthorized user” to deceptively add software to your computer without your consent, prevent you from removing that software, change your computer settings or hide their own software. It’s a pretty good list of all the bad things that people were doing to our computers in 2008.

Unfortunately, the hackers have moved on and are using different tactics now. But I guess it never hurts to outlaw the old bad stuff. You might at least catch the stupid criminals who haven’t stayed with the times. The real problem, though, is that cybercrime is rarely investigated, much less prosecuted. If this law gets legitimately used a dozen times in the next five years, I’ll be surprised.

Which brings me to my real cause for concern – what are the ways this law could be twisted beyond its intended scope?

This law makes it illegal to change settings, modify bookmarks, impose a homepage, disable software, prevent your own software from being disabled and use techniques like keylogging. All those are bad things when done by an outsider but potentially legitimate tactics for law enforcement, your own company’s IT Security investigations or for your responsibilities as a parent.

On the plus side, PA did include wording that the person adding the software and making the modifications must be an unauthorized person. That’s a good thing. Other states have left that qualification out, making it ambiguous whether the company’s IT department could impose software restrictions on a company-owned computer. PA’s law provides a safe-harbor for the IT Security department as long as they are also authorized users on the user’s computer.

Here’s the rub, though. Several courts have passed down decisions (such as Stengart v. Loving Care, US v. Ziegler, US v. Simons) that make it confusing when the computer is the user’s and when it is the company’s. Similar decisions have made it ambiguous whether a computer is owned by the parent or the child. (And it gets really complicated when you have two spouses going at it as in White v. White.)

If the ownership and privacy right is at the company (or family) level, I don’t see a problem here. The IT department (or parent) is an authorized user by definition. One authorized user can still change settings or programs on the computer without the consent of the other authorized user(s). Whether it’s ethical or effective is another question but it would pretty clearly be legal under this law. On the other hand, if the employee (or child) has a “reasonable expectation of privacy” to the computer, then the IT department (or parent) might not be considered authorized under this law.

The fix is easy. PA did a pretty good job with this law – we don’t need to tamper with the law. You just need to make it crystal clear to every other user of the computer that you are the primary owner of the computer and that no other user can have any expectation of privacy that excludes you and your right to monitor. At the company level, you should have that in your written policy manual and probably on the login splash screen. At the family level, you need to insist on having a copy of all your children’s passwords (my one exception to the never-share-your-password rule) and use parental controls. Exert your rights regularly, both to reinforce everyone’s understanding of the rules and so that you can show that your actions were part of your routine security practice and not, for example, retaliation.

That sounds pretty simple but I predict at least one lawsuit testing the expectation of privacy and complaining about actions that in the non-computer world would be considered nothing more than good parenting. Make sure that everyone knows that you are an authorized user, then you can monitor whenever you find it necessary and you can impose changes on your corporate computers whether or not the individual user likes them.

Disclaimer: I am not a lawyer. I don’t even play one on TV. This is a layman’s interpretation of the law. I like to think it’s an informed opinion but only that – an opinion. If you need specific legal advice, contact a qualified lawyer in your area.

Senator Patrick Leahy just introduced the ‘Combating Online Infringement and Counterfeits Act’ (COICA). As the Electronic Frontier Foundation notes in their press release, this is an egregious power grab by the government. This bill would allow state Attorneys General to arbitrarily designate entire internet domains as “infringing” and require domain registrars/registries, ISPs, DNS providers, and others to block Internet users from reaching those domains. Worse, the bill allows the US Justice Department to create its own blacklist with even more intrusive restrictions and fear-inducing penalties, all without any judicial review, much less an actual conviction that something illegal really happened.

The thinly veiled excuse of “copyright protection” ignores the massive potential for abuse on the part of overzealous prosecutors and bureaucrats. It tramples on the First Amendment rights of other potential users of the domain, requiring not merely that the specific infringing content be taken down but that everything else on the site, all the blogs, images and any legitimate content be made inaccessible as well.

The US is supposed to be the leader in freedom. This bill sends a message to the rest of the world that we don’t really believe what we say – that censorship is acceptable. This is a very dangerous and patently unconstitutional bill.

Please take a minute to read EFF’s article. But more important, WRITE YOUR SENATOR opposing this bill.

This week’s post isn’t strictly a computer security topic but it’s a core privacy issue and I think that’s close enough.

Time magazine ran an article recently asking Should Videotaping the Police Really Be a Crime? The article tells the story of Anthony Graber, a Maryland Air National Guard staff sergeant, who faces up to 16 years in prison for posting a videotape of a traffic stop on YouTube.

Apparently, Graber keeps a video camera on top of his motorcycle helmet to record his journeys. He got a little too enthusiastic this time, popping a wheelie and going 80 in a 65 mph zone. The camera was rolling when an unmarked gray sedan cut him off as he stopped behind several other cars at an exit from the interstate. A man in a gray pullover and jeans got out of the car wielding a gun and repeatedly yelled at Graber, ordering him to get off his bike. Only then did Maryland State Trooper Joseph D. Uhler identify himself as “state police” and holster his weapon. Graber got a speeding ticket which he says he deserved.

Anyway, even if you deserve the speeding ticket, I can understand being upset about the traffic stop. Uhler should have known better and was certainly trained better – plainclothes police must identify themselves before they can have any expectation of obedience. If someone jumps out of a car screaming and waving a gun at me, I only hope I can react as calmly as Graber. Rather than file a formal complaint, though, Graber did what many do these days when dissatisfied with the service whether it’s of a company, a restaurant or the government – he posted his experience online.

Fast forward one month to April 8, when Graber is woken up by six officers raiding his parents’ home in Abingdon, Md., where he lived with his wife and two young children. They arrested him and confiscated four computers, the camera, external hard drives and thumb drives. He learned later that prosecutors had obtained a grand jury indictment alleging he violated state wiretap laws by recording the trooper without consent. Maryland is one of 12 states which require all parties to consent before a recording may be made of a conversation that takes place where there is a “reasonable expectation of privacy.”

My apologies for the long introduction but we’re finally at the privacy issue: Does a traffic stop conducted in full view of the public and on a public roadway ever constitute a situation where there is a reasonable expectation of privacy? For that matter, is any official action by a law enforcement officer a private act deserving of that kind of protection from scrutiny? How do you square this criminal charge by the prosecutors with the COPS mentality where homes are invaded and suspects arrested on TV? (The perpetrator must sign a waiver or have his/her face blurred but no such waivers are requested of family members and other bystanders.)

I am extremely uncomfortable with the position taken by these prosecutors. In my opinion, an arrest or even a stop for questioning is an inherently public act. The State might have an obligation to protect the privacy of the suspect (since he/she still retains the presumption of innocence) but no such protection applies to the officer of the State. Nor should any such protection be needed – if an officer is behaving appropriately, why should he/she be worried about being filmed? That’s the argument trotted out by prosecutors in favor of the traffic cameras and other forms of public monitoring, after all. And it applies even more so since the officer is acting in his/her official capacity rather than a citizen’s private act of driving.

Third-party filming presents a more complicated question but in this case I think the suspect’s act of videotaping can be taken as implied consent.

Unfortunately, the Graber prosecution is not a rogue act. Prosecutions for videotaping of police encounters appear to be on the upswing. And even if they don’t win the legal case, the very threat by the police is intimidating and chills our society. Few people have the will to risk jail to defend their rights. Graber’s case may still be thrown out (his hearing is scheduled for October) but his lawyer says that “the message of intimidation has already been sent.” Graber says that he is afraid of police now and so nervous driving that he has put his motorcycle up for sale.

I’ve done a little digging into the debates around the time that Maryland and others were writing those wiretapping laws. From everything I can tell, they were written to protect us from state-sponsored intrusions into our privacy unless and until the state gets a warrant explicitly authorizing the intrusion. Can anyone find a differing opinion in the record?

So back to privacy at your company. If I believe the police should be transparent in their dealings with the public, I should hold myself to the same standard. Can an employee videotape an encounter with another? What about recording a meeting with a manager? Do they need to disclose it? What will you do when they don’t? With the advent of cellphone-based cameras, I don’t know if you could stop the recording even if you try. Disgruntled employees keep notes on their coworkers – they always have. This is different only in degree.

Ideally, we should all behave in such a way that we’d never be embarrassed if something showed up online. That’s a very high standard of professionalism. We teach people over and over to make that assumption when writing emails. Now we have to think about it all the time. Are your people up to it? Are you?

Another article that I wish I’d written first. Ochman’s post is right on. Read the full article here. The short version of Ochman’s Five reasons companies should allow social networking is:

  1. Resistance is futile – They already have access to social networking sites no matter what you do. Even the Department of Defense has given up on trying to close every avenue.
  2. They’ll find other ways to waste time regardless – It’s human nature. Always has been, always will be.
  3. Social networks actually can make workers more productive – This one is a little more controversial but there is some compelling research about reading, writing and other cognitive skills.
  4. You’ll miss great ideas – Concentration and increased connectivity have always led to greater creativity and sharing of new ideas. It’s why cities have always been the hotbeds of innovation – not because rural people are stupid, but because they’re not exposed to the same pace of new ideas to steal from and build on. Social networking does the same but without the need for shared geography.
  5. Employees are more trustworthy than companies think – Not everyone believes in this philosophy but it’s true in my experience. A few bad apples are not reason to impose draconian restrictions on the rest. If you do have employees abusing the system, you’ve either hired the wrong people or failed to properly train the ones you have. Neither of those problems is solved by attempting to block social networking websites.

It’s not easy but the right answer is to be a leader. Set goals, clearly define your expectations, then stand back and let them do the job. And, yes, I know that’s harder than it sounds. That’s why it’s your job as the supervisor. Good luck.