“Cloud” computing has been a popular buzzword in the news for a few years now but it’s rarely defined. So in the interest of debunking some of the hype and identifying some of the unique risks, here goes…

Cloud computing means having someone else do your computing for you – taking data and calculations that you would have crunched on your own mainframe or workstation and, instead, crunching them on some computer on the internet. (The name comes from the IT diagramming convention of showing the internet as an amorphous cloud.) In theory, this gets you access to more and bigger computers than you would be able to afford yourself. It also gets you access to your data from any internet browser, not just your own dedicated computer. If you are a webmail user (Yahoo, Gmail, Hotmail, etc.), you are already using cloud computing.

There are two general business models for cloud computing providers. The first is companies that already have lots and lots of computers but only need all of that computing power for surges. Amazon, Google and eBay might be examples. They have to build their data centers to handle Cyber Monday. Renting computer time to you is a way to get back some of their investment when they’re not busy with their own crunch.

The second is companies that start out with the model of renting – the United Rentals of the computer world. IBM is moving aggressively in this space. A variation on this is Software-as-a-Service (or SaaS), where a particular vendor lets you move his application and the associated data out of your data center and onto his machines for a fee. Moving your financials to Peachtree’s online application might be an example.

In either business model, there are some serious security and legal issues to think through before you decide to outsource your computing. For example:

  1. Security – Are they able to keep your data separate from the data of all their other customers? Who else now has access to your confidential data?
  2. eDiscovery – If you get sued and have to turn over your computer records, can they segregate them? Can they produce your records fast enough to keep the courts happy? And how much are they going to charge you for the privilege?
  3. Privacy – What if the vendor gets a subpoena or request for your data? Will they fight it? Will they even tell you about it?
  4. Records Retention – Hopefully, you have a carefully thought-out policy that makes sure all information is kept as long as it is needed (either by the business or by law) but no longer. Keeping information longer than you need it is, by definition, risk without reward. How will you ensure that the vendor lives up to your policy?
  5. Privacy laws – Some of these vendors send data overseas. All of them send it outside your local jurisdiction. Is this contract going to get you in trouble with any processing, retention or transfer restrictions, such as those in the European Data Protection Directive? Worse, are you going to inherit those privacy obligations because your data is commingled with others’?

Cloud computing can be a boon to small businesses that are growing rapidly and can’t yet afford a dedicated data center. But the cloud can also be a dangerous place. Don’t rush into the relationship without a lot of thought and consideration for the risks and for your mitigation strategy.

A while back, CBS News ran an “exposé” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is being run around the internet again, though, so let’s take a few minutes to formally debunk it.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

  • Digital copiers contain hard-drives – True.
  • The hard-drive keeps a copy of the documents being copied – True.
  • The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes, there are images on the hard-drive, but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
  • The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even halfway on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

  1. If your company does not keep copiers on their IT asset list, they should. (Though the main reason to do so is the risk of an unpatched OS.)
  2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.
Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to its highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab, but it will frustrate the 13-year-old who pulls the drive out of the trash.

Today’s post has nothing to do directly with information security but the article so caught my eye that I had to share it. Feel free to skip today’s post if it doesn’t interest you.

The U.S. Chamber Institute for Legal Reform recently released a report on the disproportionate share of U.S. litigation cost borne by small businesses. The full report is about 25 pages and well worth reading. The short version is:

  • Small businesses generate 64 percent of all new jobs and over half of non-farm GDP
  • Small businesses bore 81 percent of business litigation cost, yet represented only 22 percent of US business revenue
  • Small businesses pay more of their tort costs out-of-pocket rather than through insurance
  • More than one-third of surveyed small businesses had been sued – To put that number in perspective, think of any three local small businesses that you use, maybe your barber, hardware store and local laundry. Do you really think that one of every three is so evil that the only way to resolve the complaint was to go to court?
  • 62% reported making business decisions in order to avoid lawsuits and that these decisions made their products and services more expensive. 45% pulled a product or service off the market just out of fear of lawsuits and 11% have had to lay off employees as a result of lawsuits
  • For medical businesses, it’s even worse. Tort liability is 94 percent of all medical malpractice litigation for small medical practices and small medical labs. This is driving the medical profession away from small practices and toward large hospital-based and health system-based groups. In just three years, from 2005-2008, small groups dropped from two-thirds of all practices to less than half.
  • 66% of the general public agreed with this statement: “The fear of being sued is changing American society for the worse because it’s often having the effect of discouraging people from doing the right things.”

Statistically, some few of those small businesses are bad apples who should be sued, maybe even into bankruptcy. Sometimes, that is your only recourse. But I do not believe that all businesses are inherently evil and am deeply suspicious of the way the legal profession has morphed into a legal industry over the past few decades. The more I read, the more convinced I become that tort reform is desperately needed. Some form of “loser pays” like they have in Europe would be a good first step.

Who owns your contact list? Is your rolodex yours or is it intellectual property of your employer? And how does that rule change when your rolodex is really your LinkedIn account?

Two recent court cases out of the UK concluded that your contact list may well belong to your employer. The first involves the UK arm of a US publishing group, PennWell Publishing (UK). In this case, a departing employee burned 18 files containing contact details for industry members and conference attendees onto a CD. While at the company, the employee had stored both personal and work contacts in his email account address book. As the database contained his own “journalistic contacts”, he believed he was entitled to a copy when he left to set up a competing business. Despite a strong argument by the former employee about “the highly personal nature of the files”, the judge found that an address list in the email system and backed up by the employer is exclusively the employer’s. He went further and said that not only is the employee not entitled to exclusive use of his former address book, he is not even entitled to shared use and was permanently enjoined from using the address list. This was true even though the list was started from a list that the employee brought from his previous employment and updated himself and despite the fact that it contained a proportion of purely personal contacts.

In the second case, a former Hays Specialist Recruitment employee was forced to disclose business contacts added to his LinkedIn account before leaving the company. Again, the company’s motivation was the employee’s use of the contacts to set up a competing business.

Some forms of intellectual property are clear. Stealing the recipe for Coca-Cola, employee lists showing SSNs, the company’s strategic plans or patented machine designs is bad. Whether a customer roster belongs on that list depends a lot on the company’s business model. And whether your own address book counts as a customer roster may depend on your position within the company – there’s a stronger argument if you’re in Sales than if your rolodex consists mostly of IT vendors.

The line between personal and business life is increasingly blurry – and that blurriness helps companies more often than not in my opinion. Often, you want the personal connection of a human name in the contact list. I am not in favor of a blanket rule that you can never mix personal and business contacts. We need to be careful about putting too many barriers in the way of our employees.

In some cases, you can get around the problem by setting up role-based accounts for the company. For example, when I was working the company’s domain registrations, I set up an account called “dom-admin”. All the contacts, registration credentials, alert messages, etc were made in that dummy account’s name. For convenience, the account forwarded to my internal email but everything stayed with the dummy account. When I moved out of that role, we simply switched the forwarding to the new person. It really helped our continuity. That doesn’t work for every situation, though.

Whatever the policy is, your company needs to make the policy clear, especially in this age of expanding social media and networking. If your rolodex is yours, fine. If it’s the company’s, make sure your employees know the rule ahead of time. The company’s Social Media policy is a good place to make clear who owns your contact list. If the policy isn’t clear, push the issue. Ambiguity is good for nobody but the lawyers.

A federal judge in Los Angeles ruled recently that a computer server’s RAM (random-access memory) is a tangible document that can be stored and must be turned over in a lawsuit. The judge is an idiot.

Background

The case is about copyright infringement. The Motion Picture Association of America (MPAA) is trying to force TorrentSpy, a file-sharing site, to turn over data about visitors to their website. TorrentSpy replied that they don’t keep logs on their users – they are merely an intermediary, allowing data to pass through their website unscreened. They essentially said that they have no data to turn over. Unhappy with that answer, Judge Jacqueline Chooljian ordered TorrentSpy to begin logging user information and to turn that data over to the MPAA.

Unfortunately, the only way that the judge can make that order is to make some real leaps of logic. Companies are required to cooperate with fact-finding requests for documents. That’s what the whole “discovery” thing is about. Our judicial system is based on the assumption that if we can get all the facts on the table, we can quickly figure out who’s right, who’s wrong and how to make the victim whole. (Remember that this is a very different standard from the criminal “innocent until proven guilty” rule.) If you have a document that might be relevant to the case, you are required to produce it to the other side and to the court.

There are a few limits to that broad discovery, however. You can hold back documents (or parts of documents) that are attorney-client privileged or that contain confidential information like SSNs, medical details, etc., as long as those details are not relevant to the case. You also cannot be compelled to produce documents you don’t have. Courts are not supposed to be able to force you to create new records or documents just to respond to a discovery request.

TorrentSpy does not log user transactions during their normal operations. They do so to protect users’ privacy and because they have no operational need for the data in their normal course of business. MPAA argues that it also makes it easier for people who download pirated material to work in the shadows. They may be right. Regardless, TorrentSpy argued that requiring them to turn on logging is the same as requiring them to begin creating new documents just for this case. From a legal point of view, they’re right.

The judge got around this by arguing that the data already exists in the computer’s RAM. Therefore, she is not asking them to create new documents, merely to produce existing data in a more usable form. You can read the original order here. She does cite some other Ninth Circuit decisions involving RAM but, in my opinion, she is either misreading or misapplying the underlying facts.

RAM is not and cannot be considered a “document” for the purposes of eDiscovery. RAM is the ephemeral memory that the computer uses to make calculations and to quickly access the data held in other places. Think of RAM as the scratch memory you carry in your head when adding a column of digits. (The data on your hard-drive may hold the result of your calculation in a spreadsheet, but that’s a completely different kind of memory. The hard-drive data generally is reasonably accessible.) There is no possible way to record the billions of transactions per second that flash through the RAM of even a small computer. Attempting it would consume more permanent memory than exists in the world. And, by the way, writing all that content also requires transactional decisions and data that pass through RAM. The act of recording it spoliates it.

Okay. The judge is not really an idiot. She is seeking a justification to force cooperation from a company that’s not really playing fair. She wants them to turn on logging. Logging is cheap and easy – at least compared to most other electronic discovery activities. From a social policy point of view, I’m torn. TorrentSpy probably should be cooperating and not being stupid about the “costs of logging” and the applicability of Dutch privacy law. On the other hand, TorrentSpy is not being accused of any direct misdeeds. They are being pulled in as a third-party in MPAA’s attempt to sue their own customers. MPAA’s heavy-handed approach is not winning them any friends. Whichever side you agree with, though, the judge’s contortions about the technological facts of RAM to make her rationalization will get used as precedent outside this narrow circumstance. As the saying goes, “Bad facts make bad law.”

The judge’s decision is already being appealed and has been stayed pending that decision. Her decision has been upheld once but appeals continue. On both technological and legal grounds, I sincerely hope that her decision is overturned. Congress needs to address the problem of compelling cooperation from companies like TorrentSpy but they need to do it cleanly – a new law, not judicial twisting and rationalization.