Category Archives: Security

Clowns to the Left of Me, Jokers to the Right…and Girls Around Me


Well I don't know why I came here tonight,
I got the feeling that something ain't right…

Stealers Wheel

At many of my presentations, I say, "Finally, I'm able to exploit my cynicism and paranoia as an excellent career choice!"  I did one such presentation at LACBA Tax Night a couple of weeks back with my LPMT colleague, Gideon Grunfeld.  We have some fun with the subject matter by playing the attorney version of good cop/bad cop.  I terrify the attendees just a bit, then Gideon illustrates why they shouldn't go overboard with worry.

He's right, of course.  There's just one problem.  So am I.  I'm proud of my paranoia; it's what my clients expect of me.  Heck; someone has to play Chicken Little and accurately assess the risk.  After all, sometimes, the sky really is falling!  What's the most important determining factor?  Context.  A product or service can be of benefit and detriment at the same time.

Gideon used the example of accidentally locking his keys in his car.  He didn't have access to one of those call-us-and-we-unlock-the-door-remotely services, so he had to have someone respond in person.  When he was ready to provide the location, he was told, "That's ok, you left your cell phone on in the vehicle and we know exactly where your car is."  File that under benefit.

Take a look at this article on the short-lived app, Girls Around Me.  I bet several of you who thought I was over the top when I advised major caution in revealing your constant whereabouts on Twitter, Foursquare and/or Facebook might think differently now.  File that under detriment.

As to what to worry about – and how much – that's up to you; as individuals, technologists, and especially, attorneys.

60 Minutes: #Stuxnet Worm (Why You Should Care)


(Embedded video feeds aren't resolving properly on some systems. If you don't see the video interface above, here's a direct link to launch it, manually)

Last night, 60 Minutes broadcast an excellent, in-depth analysis of the Stuxnet Worm and how it was used to infiltrate and damage the Iranian nuclear program.  Let's put politics aside for a moment (as I always try to do on this blog).  Anyone who wants (or needs) to understand how malicious code may be used to wreak havoc upon a thought-to-be-secure system should watch this video.

Particularly, pay close attention to how the worm was introduced into the facility's computers.  I guarantee, it'll be the best 15 minutes you can invest before you sit down and formulate your security plan.

Tips & Tricks: #HTTPS Everywhere

I just checked…I haven’t done one of these since late October, last year.  A general hat tip goes out to many of my colleagues who, through social media, reminded me about EFF’s HTTPS Everywhere, which is an extension for Firefox and, as of this posting date, currently in beta for Chrome.  Here’s their own description of the product:

“HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure.”

So, why didn’t I simply Tweet that?  Well, actually, I did.  However, there are a couple of things you might want to consider before installing it.  As with all products, that’s usually the easy part.  Will you read the installation notes or the FAQs?  Probably not.  At least keep these two things in mind:

  1. Some users experience degraded performance.  I'm using Firefox and I'm seeing markedly degraded performance.  However, the benefits outweigh the detriments, so that's not a showstopper for me.
  2. Occasionally, the product will add an 's' to 'http' addresses on the command line.  To most, this is meaningless; until they start sharing/embedding those links, that is.  Sometimes, this will cause errors at the other end, unless that user's system also has the extension or 'understands' what's happened, as my IE9 browser did.  Luckily, this is rare.

Three Things Matter in #Cyberspace: Location, Location, Location!

(The video feed that accompanies this post isn't resolving properly on some systems. Here's a direct link if you'd like to launch it, manually)

This seemed like an appropriate subject to cover today, in light of Google's new privacy policies kicking-in in a few hours…

First off, I've never really understood the obsession some people have with disclosing trivial details about themselves. Of course, that opens a can of worms, doesn't it? One person's trivia is another person's 'absolutely-positively-need-to-know-this-very-minute!' piece of information, after all. Who am I to judge? Disclose what you want on Facebook. Leave GPS enabled 24-hours a day. Knock yourself out!

But…have you thought about who else is watching…and why? Twitter has inked a deal to sell two-years' history of your tweets; location included. What's so important about location, anyway?

Even I can see some value in disclosing your location, under certain circumstances. For example:

LIST A

  1. A minor who goes missing,
  2. The family pet runs away,
  3. A vehicle veers off the road and crashes into a tree in an isolated area, and the driver's unconscious or is trapped and can't reach their phone,
  4. A bunch of friends plan to get together and, rather than having to contact each other, they simply home in on the organizer's location.

I could go on, of course. And obviously, some of these items are critical, while others are simply convenient. The problem is, all kinds of other people have an interest in knowing your patterns:

LIST B

  1. Advertisers, so they can tailor-make their ads to bring you goods and services in your vicinity,
  2. Insurance providers,
  3. Law enforcement,
  4. The burglar who's waiting to break into your home,
  5. Your boss,
  6. That pesky process-server,
  7. Your significant other(s),
  8. Your stalker.

Lately, in my market, Flo from Progressive Insurance has been touting their Snapshot Discount (by the way, am I the only one who is – in California vernacular – totally freaked out by Flo?) It's a device you plug into your vehicle, and it monitors your driving habits, such as how hard you brake.

Of course, it also monitored how hard the driver from List A was braking just before s/he crashed into that tree. And now we have several people from List B who are interested; the insurance carrier (noted), law enforcement (obviously), the boss (if it's a company car), a significant other (because you were supposed to be on your way to the corner store, but you were 15 miles from home) and of course, that pesky process-server (when the tree sues a few months later).

This is an over-the-top example to make a point. I'm not picking on Progressive. I could just as easily cite Onstar, et al. Besides, many newer vehicles already monitor the driver's habits through their own black boxes.

You think you're giving out information for one purpose; but others are taking it for a completely different purpose. You can either act accordingly, or go with the Flo…

Why #Smartphones & #Tablets Don’t Come with Seat Belts & Airbags

This weekend, I was mulling over the question of how responsible we are – individually – for our online privacy.  That's not an easy question to answer on a global basis.  Coincidentally, I came across a couple of recent articles on the subject.  What makes them interesting – and perhaps a bit distinctive – is that each addresses how much fault should be apportioned to the end-user.

Information Week comes right out and says so in their article, "Google's Privacy Invasion: It's Your Fault".  The New York Times Bits Blog is more subtle in their take, "Disruptions: And the Privacy Gaps Just Keep On Coming."  At least they spread the blame around, somewhat.

I waded into the issue myself about three weeks ago with my, "Beware the Ides of Google" post, when I pointed out that these companies give us all this free stuff for a reason.

However, they don't exactly fall all over themselves to clearly explain to the general public why they give us all this free stuff, either.  I bet if I asked the average person, "How does Google (or Yahoo, or Facebook, or…) make money?", they wouldn't be able to articulate it very well (save for possibly being able to say that they make their money through 'advertising', whatever that means to them).  The better question to ponder is how these companies use your information to make money.

Everyone's screaming for 'the government' to regulate these matters; and 'the government' has responded with clunky, well-meaning and/or self-serving attempts like SOPA.  No doubt, to a certain extent, the end-user is responsible for their own security, but I really like the way the NYT article attempts to equate the issue to how government, safety advocates (Ralph Nader, anyone?) and the general public drove (pun intended) the automobile industry toward seat belts, air bags and center tail lights.

I don't agree with it, but I really like it.

In my opinion, the reason this type of equivalency doesn't work is that the general public understood seat belts, air bags and tail lights.  They could easily envision a head-on collision (in fact, they didn't have to envision it, since car crashes are reported in gory detail nightly on the evening news).  On the other hand, they don't have a clue how their information is lifted from their devices and deposited in the hands of others, nor how, in a technical sense, to stop it.

In other words, the general public wants security protection, but they don't really know how to ask for it.  Even if they install software or hardware that tells them they're more secure, they have no idea how to confirm that it's true (and many times, it's not, either because the stuff just doesn't work, or, through lack of understanding, they either fail to complete the set-up process or complete it incorrectly).  Ask me how many times I see unsecured wireless routers in range that are still named Linksys or Belkin.  The purchaser plugged the thing in and went on their merry way, oblivious to the fact that it must be configured.  But they sleep better at night because they think they're secure.

At one extreme, the opinion is that the responsibility falls squarely on the end-user.  At the other, the opinion is that Google, Facebook, et al. are techno-heroin.  They hook the public, then when everyone's an addict, they siphon off private information.  When the public inevitably complains, they retort, "You don't like it?  Stop taking heroin!"

Maybe the solution is A.A. for the Internet…

What, Exactly, is an e-Discovery Lawyer?

Earlier this week, my interest was piqued when I read an article by a colleague, Dennis Kiker, titled, "I want an E-Discovery Lawyer for my E-Discovery Project".  He explains his concept of what a law firm e-discovery lawyer is.

In the corporate world, I'm seeing something quite different: a clear evolution in what many companies seem to want in an e-Discovery Lawyer these days, namely a combination of e-Discovery and Security in a single function.  Think about it.  It actually makes sense.  In theory, both jobs involve protection, but I bifurcate them between protection by technology and protection by individuals (notice, I didn't say 'of technology' and 'of individuals').

That's how I broke out the subject for the State Bar's upcoming book.  It's one thing for individuals to develop strategies to protect corporate assets via software, firewalls and other security protocols.  It's quite another for individuals to be aware of the security risks that surround them 24 hours a day.

Unfortunately, all that stealth goes out the window if those same individuals don't adhere to stringent personal privacy protocols.  Otherwise, the next thing you know, your company iPhone is sitting on a bar counter somewhere, next to your empty margarita tumbler – and you're already on your way home.

e-Discovery Attorney as Project Manager?  Definitely.  e-Discovery Attorney as CyberSecurity Guru?  Well, let's just say, I'm glad I have 20+ years of world-wide LAN/WAN experience under my belt…

Who knew?

#Security Questions that AREN’T SECURE, DAMMIT!!!


/Rant ON

Note to the people who create security questions for our online accounts: the whole point of providing this service is to let us select questions whose answers nobody else knows or may easily discover!!!  With this in mind, please refrain from creating questions that require as answers:

My mother’s/father’s middle names
My mother’s maiden name
Any of my grandparents’ names
The names of any of my pets
My siblings’ first names
My siblings’ middle names
The cities in which any of my family members were born
The schools I attended
My favorite sports team(s)
My favorite sports team(s) as a child
My best friend, growing up
My favorite…anything!

You're a bank, for Pete's sake, and you can't figure out that most of this information may be gleaned from a simple Google search; a Twitter, Facebook, LinkedIn or other social media posting (for those of you who over-share); friends & family members; and/or public records!?!?!?

Right, then. Please handle by c.o.b., Friday. Thanks for your anticipated cooperation.

/Rant OFF

#Analog Solutions to #Digital Problems

Don't overthink things.  The issues we face – as attorneys and techies – are complicated enough; no need to make them more difficult when it's not necessary.  Earlier today I re-tweeted a post by Peter Shankman about a guy reviewing a confidential document on an airplane without giving any regard to his immediate surroundings.

Sloppy…sloppy…sloppy.  Or, is it ego?  You know what I mean.  The people who speak just a little too loudly at the bar, to make sure you know how important they are?  The people who display their confidential documents – electronic or otherwise – out in (if you'll pardon the pun) plain view, because they think you'll be impressed (they just don't think you'll read them).

More than ever, attention invites one thing: trouble.  All you do is make yourself a target for…something…and it's usually bad.

But I digress.  Assume the person in the article was simply oblivious.  Did he need complex software or some company edict to protect himself and his data?

Nope.  All he needed was one of these (no endorsement intended).  $30 versus a potential multi-million-dollar data breach.

Penny wise, pound foolish.