Score one for the Constitution! The US 6th Circuit just announced a decision upholding the requirement that police obtain a warrant before compelling an ISP to turn over your emails.

The background is that Steven Warshak was accused and eventually convicted of attempting to defraud the customers of Berkeley Premium Nutraceuticals (the distributor of Enzyte, an herbal supplement with some really goofy but apparently amazingly successful late night ads). The government agents in this case believed that they did not need a warrant because of some ambiguous provisions of the Stored Communications Act. (SCA was written in 1986 and had the unfortunate effect of codifying technology as it existed then. SCA has not held up well to the test of time.)

A number of privacy groups including EFF weighed in on the topic, successfully arguing that email users have a Fourth Amendment-protected expectation of privacy in the email they store with their email providers just like they do with traditional forms of communication like postal mail and telephone calls.

A warrant is easy to get and it’s unfortunate that the police in this case didn’t take the few extra minutes to document their probable cause. But the requirement for a warrant is an important check and balance on prosecution powers. The 6th Circuit did the right thing in finding that the Fourth Amendment applies to email, too. (They also did the right thing by narrowly ruling that this decision only overturns part of the matter. Warshak used some pretty sleazy practices and deserved to be put out of business.)

Next steps: It’s time for Congress to update the SCA.

We first talked about ATM skimmers in 2006. They are back in the news in 2010 as a wave of skimmers are being installed by what the FBI describes as organized crime from Eastern Europe. The latest reports show that these skimmers are taking in about $350,000 per day. And unlike the prior exploits, these criminals often wait weeks or even months before using the stolen information, making it much more difficult to connect the monetary loss to the crime.

A quick refresher: An ATM skimmer is a device glued onto the front of an ATM or gas station card reader that records the magnetic-stripe data from your card as it passes through to the real reader. Some of these devices are quite thin and can look just like the original equipment. Many are also rigged with hidden cameras that record your fingers as you key in your PIN. Snopes has a good set of pictures, as does CSOonline.

Look carefully at the machine before swiping your debit card. If you see any signs of tampering, loose components, mismatched colors or anything else that makes you suspicious, go to a different machine.

And as always, leave your debit card at home whenever possible. Credit cards carry better legal protections if/when they get exploited.

Well, another Cyber-Monday has come and gone. According to initial reports, it was a good day for retailers and for customers with lots of deals available. I hope that you were successful with your holiday shopping and more importantly, that you were safe with your online shopping.

For those of you who are still shopping, a few quick security reminders.

  • Be very suspicious of any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
  • Look for the prefix https in the address line.
  • If the deal sounds too good to be true, it probably is. If you’re suspicious, take your business somewhere else.
  • Make sure your own computer protections (anti-virus, firewall, patches) are up-to-date.
  • Always use a credit card, never a debit card. And check your statement carefully for charges you don’t recognize.

The more interesting question, though, may be whether your online shopping was “legal”. It’s called Cyber-Monday because so many people wait until they’re back at work and can use their company’s high-speed connections for their shopping. Are you allowed to do that under your company’s Acceptable Use policy? If you are in charge of setting the policy, should it be allowed?

Dan Lohrmann (of GovSpace fame) wrote an article for CSOonline titled Cyber Monday & Redefining Acceptable Use – Again in which he recaps the history – and confusion – of acceptable use policies. In these days of social networking (Facebook, Twitter, LinkedIn, wikis, etc), it seems so much more complicated. Should we allow it? Should we block it? Is it all-or-nothing or should we try to decide by categories? If we treat all employees the same, how do we accommodate the departments (say, Marketing) with special needs? What are we paying employees for anyway?

Lohrmann rightly says that this is a management problem that goes “back to the basic boss/employee accountability questions” and offers some hope that once Management decides on the right policies, the latest generation of tools can help to enforce them.

I’ll go further and say that despite all the hype, this is not a new problem. Because it’s not a new problem, using tools to cover it over is a placebo. The problem is employee (and supervisor) behavior. You need to know whether your people are getting the work done that you expect and pay them to do. And if not, you need to know that your supervisors are finding it and taking corrective action. If the work is getting done even on Cyber-Monday, why do you care if they spend their spare time at Amazon?

Note: I categorically reject the definitions of “expected work” that are based on hours. In my experience, employees have an intuitive levelset for how much work they should be doing given the pay, perks and culture (and offset by the animosity created by bad managers). Attempts to increase productivity by ‘taking away distractions’ just cause employees to find other distractions. They always have and they always will. The joke about the two-hour rule long pre-dates the Internet.

More than that, I believe that they understand and levelset productivity in terms of business results. No matter how you pay me, if I’m only making one widget an hour, I’m not meeting expectations. On the other hand, if I’m cranking out 150, you have no right to care that I can do it while spending half my day at the water cooler because if you try to push me for 300 I’m going to slack back to the 20 or so that my co-workers average.

To be blunt, if you lock down the computer, you are not going to get that productivity back.

The next question then is why your supervisors aren’t fixing the poor performers. It could be that they don’t understand the expectations. Specifically, you haven’t made them ready to be good supervisors. Or maybe they’re just lazy or, worse, too conflict-averse. Anyone can be a supervisor but not everyone can be a good supervisor. The point, though (and my apologies for the long-winded way around to it), is that technology is not a replacement for good supervision. You need to know what your people are doing. You need to know that work is getting done and done properly. Acceptable use policies intended to affect “productivity” are the lazy way out and using them will get you the lazy-man’s result.

That’s not to say that Acceptable Use policies don’t have a place. Acceptable Use policies should put clear boundaries around how the employee’s behavior can affect the company’s reputation (which is why restrictions on gambling and hate sites are defensible) or how they can affect other employees (the hostile workplace implications of sexually explicit sites) or even how they affect corporate resources like bandwidth (which is why we blocked internet video for the longest time – not because Howard Stern needed censoring but because we’re at the end of the pipe and streaming media usage led to a measurable degradation of business traffic). But Acceptable Use policies must be based on a direct adverse impact to the company. And it must be a clear enough connection that good employees self-censor rather than try to get around the blocks.

Acceptable Use, especially the “productivity” aspect of Acceptable Use, is more than just a management tactics question – it’s a management philosophy question. It’s a question about trust. The answer affects the whole tone and culture of your company.

Go to your Facebook page and take a screen-shot. Paste that into a Word document or Paint program. Now cover up the names and pictures and project the result up on the wall. What does it say about you? Would your friends recognize you? Your parents? Yourself?

Howard Rheingold, a social-media professor at Stanford University, runs this experiment with his class. It’s surprising – and a bit frightening – what you see about yourself in this way. As one of his students put it, Facebook tacitly encourages you to describe yourself in headlines. Snippets, soundbites and stereotypes. You list a specific interest but since readers only see the subset of things you list, they make assumptions based on that first impression. Many people who take a neutral look at their profile discover that it presents a very shallow image.

Worse, they find that it rarely presents an image of responsibility and trustworthiness. When so many employers include Facebook in their background checks, it’s an image that can really limit your options later on.

Facebook does have some privacy settings that can minimize the damage, but only if you take the time to set them correctly, and even then only if you’re lucky enough to choose now the settings you’ll still need in 5 or 10 years. The better answer is to control what you post and what you allow others to post about you. If there’s something embarrassing, take it down.

The other thing to remember is that Facebook will probably not be the last word in social media. New programs will come out and hopefully they’ll take a stronger approach to privacy and foresight. In the meantime, be cautious about what you post in any social media. Be a little paranoid. Watch out for yourself.

Pennsylvania just enacted the Consumer Protection Against Computer Spyware Act. I appreciate that legislators are finally starting to take computer security seriously though this law may be more bark than bite.

Briefly, the law makes it a state crime for any “unauthorized user” to deceptively add software to your computer without your consent, prevent you from removing their software, change your computer settings or hide their own software. It’s a pretty good list of all the bad things that people were doing to our computers in 2008.

Unfortunately, the hackers have moved on and are using different tactics now. But I guess it never hurts to outlaw the old bad stuff. You might at least catch the stupid criminals who haven’t stayed with the times. The real problem, though, is that cybercrime is rarely investigated, much less prosecuted. If this law gets legitimately used a dozen times in the next five years, I’ll be surprised.

Which brings me to my real cause for concern – what are the ways this law could be twisted beyond its intended scope?

This law makes it illegal to change settings, modify bookmarks, impose a homepage, disable software, prevent your own software from being disabled and use techniques like keylogging. All those are bad things when done by an outsider but potentially legitimate tactics for law enforcement, your own company’s IT Security investigations or for your responsibilities as a parent.

On the plus side, PA did include wording that the person adding the software and making the modifications must be an unauthorized person. That’s a good thing. Other states have left that qualification out, making it ambiguous whether the company’s IT department could impose software restrictions on a company-owned computer. PA’s law provides a safe-harbor for the IT Security department as long as they are also authorized users on the user’s computer.

Here’s the rub, though. Several courts have handed down decisions (such as Stengart v. Loving Care, US v. Ziegler, US v. Simons) that make it confusing when the computer is the user’s and when it is the company’s. Similar decisions have made it ambiguous whether a computer is owned by the parent or the child. (And it gets really complicated when you have two spouses going at it, as in White v. White.)

If the ownership and privacy right is at the company (or family) level, I don’t see a problem here. The IT department (or parent) is an authorized user by definition. One authorized user can still change settings or programs on the computer without the consent of the other authorized user(s). Whether it’s ethical or effective is another question but it would pretty clearly be legal under this law. On the other hand, if the employee (or child) has a “reasonable expectation of privacy” to the computer, then the IT department (or parent) might not be considered authorized under this law.

The fix is easy. PA did a pretty good job with this law – we don’t need to tamper with the law. You just need to make it crystal clear to every other user of the computer that you are the primary owner of the computer and that no other user can have any expectation of privacy that excludes you and your right to monitor. At the company level, you should have that in your written policy manual and probably on the login splash screen. At the family level, you need to insist on having a copy of all your children’s passwords (my one exception to the never-share-your-password rule) and use parental controls. Exert your rights regularly, both to reinforce everyone’s understanding of the rules and so that you can show that your actions were part of your routine security practice and not, for example, retaliation.

That sounds pretty simple, but I predict at least one lawsuit testing the expectation of privacy and complaining about actions that in the non-computer world would be considered nothing more than good parenting. Make sure that everyone knows that you are an authorized user; then you can monitor whenever you find it necessary and you can impose changes on your corporate computers whether or not the individual user likes them.

Disclaimer: I am not a lawyer. I don’t even play one on TV. This is a layman’s interpretation of the law. I like to think it’s an informed opinion but only that – an opinion. If you need specific legal advice, contact a qualified lawyer in your area.