Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Find a bug. Report it. Have the U.S. Attorney claim in court that you are liable for the costs associated with fixing the bug. Go to Jail. Dave Aitel has it right... Retarded...

Breach case could curtail Web flaw finders

Reports filtering back to the Tokyo headquarters of the Japanese electronics giant NEC in mid-2004 alerted managers that pirated keyboards and recordable CD and DVD discs bearing the company's brand were on sale in retail outlets in Beijing and Hong Kong.

After two years and thousands of hours of investigation in conjunction with law enforcement agencies in China, Taiwan and Japan, the company said it had uncovered something far more ambitious than clandestine workshops turning out inferior copies of NEC products. The pirates were faking the entire company.

In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products - everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds.

"On the surface, it looked like a series of intellectual property infringements, but in reality a highly organized group has attempted to hijack the entire brand," he said. "It is not a simple case of a factory knocking off a branded product. Many of them have been given bogus paperwork that they say gives them the right to do it."

Next step in pirating: Faking a company

Revellers in a British town are to have their fingerprints scanned when they enter pubs and clubs in a scheme aimed at weeding out drunken troublemakers.

The "In Touch" project is the first of its kind in Britain.

Biometric finger-scanning machines have been installed at six venues in Yeovil, southwest England. Clubbers will be asked to have their right index finger scanned and show picture identification to register on the system.

"If somebody is causing trouble in one pub and is removed from the premises, from the time it takes for that person to walk to another venue, the system will have been updated and the door staff at other venues will be aware."

"It will also mean that they do not have to carry ID on them which can often be the source of inconvenience."

Once registered on the system, clubbers are identified by finger scan only.

The scheme is voluntary and the information stored will be subject to data protection laws.

I think it's safe to make this broad statement now. Britain is the canary in the coal mine when it comes to determining how much monitoring and surveillance a citizenry will accept.

British town's pubs scan fingerprints to spot louts

MemeStreamer Elonka has been all over the media lately, as she has become a leading expert on all things related to code breaking. Radio and TV talk shows, news articles, et cetera. Needless to say, we are all very proud of her, and really enjoying watching her get all this attention.

I suggest checking out her page here on MemeStreams for links to and information about all her recent appearances.

Also, many of us have come to the conclusion that it is necessary to get Elonka on the Oprah Winfrey Show. It just fits. It must happen. Elonka would fit perfectly on that show. You can help this out by suggesting they have her as a guest using their web page.

The FBI secretly sought information last year on 3,501 U.S. citizens and legal residents from their banks and credit card, telephone and Internet companies without a court's approval, the Justice Department said Friday.

That's one out of every 85,000 people in the US (roughly). Now it wouldn't surprise me if there are 3500 people who should be checked out, but that's the whole point of FISA and the fact that they can RETROACTIVELY approve searches. National Security Letters have already been discussed here but as also discussed here they get used in areas that have nothing to do with National Security.

AOL News - FBI Investigated 3,501 People Without Warrants

Last week, Attorney General Alberto Gonzales, a Republican, gave a speech saying that data retention by Internet service providers is an "issue that must be addressed." Child pornography investigations have been "hampered" because data may be routinely deleted, Gonzales warned.

It's not clear whether that requirement would be limited only to e-mail providers and Internet providers such as DSL (digital subscriber line) or cable modem services. An expansive reading of DeGette's measure would require every Web site to retain those records. (Details would be left to the Federal Communications Commission.)

The Bush administration's current position is an abrupt reversal of its previous long-held belief that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed "serious reservations about broad mandatory data retention regimes."

DeGette said in a statement that her amendment was necessary because: "America is the No. 1 global consumer of child pornography, the No. 2 producer. This is a plague we had nearly wiped out in the seventies, and sadly the Internet, an entity that we practically worship for all the great things it has brought to us, is being used to commit a crime against humanity."

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

Is there actually a problem with ISPs not cooperating with child porn investigations? Or is this just being used as a excuse to make ISPs preserve more information that is subject to NSLs and other types of monitoring? I think the latter.

Congress may consider mandatory ISP snooping | CNET News.com

dc0de has posted a what-if scenario which may pose a very serious problem with this bill. Are there any lawyers paying attention who can comment on this?

Here's a what if scenario if the GA HR 1259 get's passed...

1. I am asked to go to a friends house to look at something odd on his VPN connnection.

2. I discover that he is witnessing someone steal Intellectual property from the company HE works for.

3. He turns the thief into the his company, and explains that I identified the network traffic that brought this to their attention.

4. They take the thief to court, and I am called as a witness.

5. I am asked what I did to identify the traffic, and at this point, I'm in a Catch22.

Do I explain what I did and risk being charged with a FELONY as having performing forensics without a P.I. license?

-Or-

Do I plead the 5th Ammendment, and allow the thief to go free?

Also, what if I am "compelled" to give my testimony? What if the company makes a sworn statement that I was the one that helped identify the thief? Wouldn't I still be liable for performing forensics without a license?

Wow...I can't even HELP people anymore?

Now that's messed up.

Forensic felonies - continued

A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony.

Coverage at Security Focus.

Forensic felonies

New technology is "encouraging large-scale criminal enterprises to get involved in intellectual-property theft," Gonzales said, adding that proceeds from the illicit businesses are used, "quite frankly, to fund terrorism activities."

Willful attempts at piracy, even if they fail, could be punished by up to 10 years in prison.

But one of the more controversial sections may be the changes to the DMCA. Under current law, Section 1201 of the law generally prohibits distributing or trafficking in any software or hardware that can be used to bypass copy-protection devices. (That section already has been used against a Princeton computer science professor, Russian programmer Dmitry Sklyarov and a toner cartridge remanufacturer.)

Smith's measure would expand those civil and criminal restrictions. Instead of merely targeting distribution, the new language says nobody may "make, import, export, obtain control of, or possess" such anticircumvention tools if they may be redistributed to someone else.

When the Attorney General raises the specter of terrorism in the context of laws which primarily related to p2p file trading networks, its time to stop taking the Attorney General seriously. He is obviously not a serious person.

As for Lamar Smith, he is responsible for 2004's round of rock stupid DNS WHOIS legislation.

Congress readies DMCA ][

New York's Westchester County has enacted a law designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information.

The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.

As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic.

CNN.com - N.Y. county mandates wireless security - Apr 21, 2006