
What is the Vulnerability Equities Process?

The Vulnerability Equities Process, or VEP, was designed by the Obama administration in an effort to ensure that the government reacts appropriately if and when it discovers vulnerabilities in the products made by technology manufacturers. While the guidelines were an attempt to find an ideal compromise among contradictory values, many technology, industry and security experts have condemned the VEP as a failure.

Dave Aitel and Matt Tait, for example, said last week that “the US has confused a public relations strategy with a security strategy, to the detriment of the nation.”

The VEP has a handful of major weaknesses, the first and most important of which is perhaps the fact that it’s not actually a binding order. In fact, because the VEP is technically administration policy as opposed to a law or executive order, the next president can decide whether or not he or she even wants to continue it.

That’s just fine with Aitel and Tait. According to them, the next administration should just devise a completely new strategy, preferably one that’s actually effective.

So what is the VEP? Briefly, the Obama administration hashed out and later revised the VEP as an internal framework for ascertaining whether the US government should publicly disclose discoveries it might make regarding hardware and software vulnerabilities in tech products. These vulnerabilities could be discovered independently by government agencies or by third-party contractors. How exactly the government determines which situations merit disclosing or covering up vulnerabilities remains classified. However, intelligence and defense agencies seem to do the work where issues regarding discovery and disclosure would be most relevant.

Given the basis of US intelligence, the VEP would provide a fundamentally flawed and confusing framework for deciding whether or not to inform a company of its products’ vulnerabilities. Given intelligence equities, clearly the most advantageous situation is one in which the government develops, stockpiles, and utilizes vulnerabilities for as long as it can get away with it, disclosing vulnerabilities as little as possible.

This agenda clearly clashes with the one that follows from an operational standpoint. It takes at least two years to make full use of and integrate a discovered vulnerability; if an intelligence officer is given the task of managing an offensive security process, the VEP requires that inexpert intergovernmental oversight be maintained over these actions. That means that certain bugs are going to be doomed to eventual public exposure, regardless of strategic management by whatever experts are involved.

It is rather unlikely that the government published the VEP in an effort to ultimately make the vulnerabilities process transparent. As prominent tech blogger Michael Daniel noted about Heartbleed, “this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public.”

The argument will likely be hashed out yet again as a result of the recent NSA hack and the consequential leak of important and highly confidential hacking tools created by the US government. Now that these powerful methods will be made available to malevolent hackers through a black market auction, a case can be made that the government should inform manufacturers as opposed to documenting and exploiting vulnerabilities.

 

 

Fledgling Tech Companies Prepare for Change

In terms of young tech startups enjoying almost immediate, enormous, and global success, you can’t find a much better example than Slack. Only two years old, Slack has already secured for itself a mind-boggling $2.8 billion valuation, hundreds of thousands of users, and a break-neck growth rate that is extremely competitive by even Silicon Valley standards.

Slack recently raised $160 million as a result of its $2.8 billion valuation in April. Its founder, Stewart Butterfield, said that he did so not because the company actually needed the money, but purely because it was possible.

“This is the best time to raise money ever,” he told the New York Times. “It might be the best time for any kind of business in any industry to raise money for all of history, like since the time of the ancient Egyptians.”

This quote is not necessarily an indicator that the young startup founder expects long term prosperity in a gravy-train market. Butterfield may be expressing a “make hay while the sun shines” type philosophy that if anything, indicates an understanding that more difficult times may be ahead.

He and many other successful tech company founders are likely making an intelligent decision to raise as much money as possible now. According to many analysts, they may be riding the inflation of a tech bubble for all it’s worth and collecting as much “bubble insurance” as possible before that bubble implodes and times get a little tougher for venture capitalists and the private tech companies that they’ve invested in.

“The advice you always get from more seasoned entrepreneurs is to take the hors d’oeuvres when they’re passed,” explained Marco Zappacosta, CEO of Thumbtack. In other words, raise money when you can, because if you wait until you need it, it might not be out there waiting for you to grab it. Thumbtack is a local services platform that managed to raise $100 billion from Google Capital and other investors in August of 2014.

Whether this economic downturn is worth preparing for is becoming an increasingly irrelevant question; people are actively waiting for the bubble to burst, and mitigating the potential results before they’re a reality is one of the most effective ways to avoid total failure when disaster hits.

That said, riding out a couple years’ worth of market crash with stored money isn’t without its risks. “You’ll have to make the numbers to justify your valuation at some point, so you’re raising the hurdle on yourself.”

The paradox is that the ability of even the most successful tech moguls like Facebook to make those numbers has become increasingly in dispute, and that’s the reason people are suspicious of there being a bubble in the first place. AirBnb was valued at 50x its actual profits, and Uber was valued at 100x. Investors have backed up these valuations with the logic that, for startups that show promise, there’s no good reason to cap their potential.

“All of the growth in venture capital has been in the seed market,” explained Scott Kupor, a managing partner at Andreessen Horowitz. Cloud computing and other innovations have made starting up a tech company cheaper than ever, which means more seed companies hit the market every year. That said, cheaper to start doesn’t mean cheaper to bring to fruition, and at some point, that truth will be written in red dollar signs.

 

When the Internet Acts as Judge and Jury

The Trump campaign made headlines today as usual, though this time around the case was slightly more unique and potentially much more appalling than the standard coverage. Let me save you the effort of Googling it:

It was reported today that Corey Lewandowski, Trump’s campaign manager, has been charged with misdemeanor battery after allegedly grabbing former Breitbart reporter Michelle Fields following a Trump event in Jupiter, Florida early this month.

The incident has been a highly Twitter-ized he-said-she-said battle ever since the incident allegedly occurred. Fields isn’t the only witness to the potential violence; Washington Post reporter Ben Teriss claims he witnessed Lewandowski’s violent act against Fields.

Jupiter police have stated that their arrest report did not hinge on the two’s testimonies alone but also on surveillance footage that eventually surfaced and has also been posted on the internet. The footage seems to support Fields’ story of Lewandowski grabbing “Fields’ left arm with his right hand, causing her to turn and step back.” This sealed the deal with the police, who then moved forward to press charges.

Of course, the Trump campaign and its supporters have yet to be convinced. That’s not too shocking for anyone who has kept an eye on Trump’s campaign, as no amount of fact-checking or evidence-finding seems to throw his supporters off track. Their camp has even set in motion a new hashtag train, “#IStandWithCorey.”

The Trump campaign recently released a statement reading, “Mr. Lewandowski is absolutely innocent of this charge. He will enter a plea of not guilty and looks forward to his day in court.”

Of course, Trump isn’t the only candidate under Twitter fire for dirty campaign tricks. Remember right around the South Carolina Democratic primary when the hashtag #WhichHillary started trending, eliciting more than 88,000 tweets by 1pm ET? The hashtag had surfaced multiple times on social media as a way of raising awareness of when Hillary Clinton had “flip-flopped” on issues that are currently acting as her selling points in the primaries.

#WhichHillary was all over the internet after Clinton became involved in an altercation with Black Lives Matter activist Ashley Williams at a private fundraiser in South Carolina the Wednesday before the primary. Clinton did not address the activist’s sign, which sported a quote from Hillary Clinton during her husband’s presidential time in which she describes gang members as “super-predators” and said something along the lines of that they need to be “brought to heel.”

The hashtag is now used to bring to light many of Hillary Clinton’s political inconsistencies, from her stance on gay marriage to mass incarceration. It goes to show how much more power internet users have to incriminate people than the standard politically active person had, say, twenty years ago. Physical protests remain powerful, but online protests and trending hashtags are now worthy of campaigners’ attention and anxiety. Just how much power they hold remains to be determined, but I’m sure in a few years we’ll have data to tell us exactly that.

In this particular case, and despite the hashtag, Clinton led Sanders in South Carolina by a fairly large margin.

4 Ways to Hack a Facebook Account

It’s not nearly as hard as it should be… you definitely don’t have to be a professional hacker to pull it off. Here are 4 ways you can hack into someone else’s Facebook account without doing anything too strenuous or unimaginable.

The easiest way to “hack” into someone’s Facebook is more a social engineering feat than one of computer genius. Just figure out someone’s Facebook email login, then go to the Facebook login page and click “Forgotten your password?”. Type in the victim’s email and if their account comes up, click “This is my account.”

Facebook will ask if you’d like to reset the password using the victim’s emails, which obviously won’t help you, so just click “No longer have access to these?” It will ask “How can we reach you?” and you can type in an email that you have that also isn’t linked to any other Facebook account. Then it will ask you a security question. If you’re close friends with the person, you likely know the answer. If you’re not, make an educated guess and in 24 hours you can login to their account. If you can’t figure out the question, click “Recover your account with help from friends” and click three friends that are in cahoots and can give you the password or make three fake Facebook accounts and get the person to add you before any of this stuff happens. Then you’re in.

Another option? Use a keylogger, or a program that can record each stroke on the keyboard that a user makes without their knowledge. The software has to be downloaded manually on the victim’s computer and will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can then be programmed to send you a summary of all the keystrokes via email. CNET provides Free Keylogger.

If you’re afraid you might be susceptible to a keylogger, use a firewall, install a password manager, update your software and change your passwords every so often.

Then there’s the option of phishing. It’s not for beginners because you have to design a fake Facebook login page, and if the victim logs in, the information will be sent to you instead of Facebook’s server. You’d also need a web hosting account. There are guides on how to clone a website that you can use, and detailed instructions you can follow, if you really want to do it.

If you don’t want to be susceptible to this trick, be sure not to click on links provided through weird emails. Also check the URL before you click on it using CheckShortUrl or unshort.me. Antivirus and web security software is also helpful here.

The final method? Steal the cookies that allow a website to store information on a user’s hard drive and retrieve it later. You can access your victim’s account by cloning those cookies and tricking Facebook into thinking the hacker’s browser is already authenticated. Firesheep collects cookies and stores them in a tab on the side of the browser so you can get in.

Brendan Eich Takes on Ads

Brendan Eich is famous for his part in rewriting the Web; his creation of JavaScript, the world’s most used programming language, ended Internet Explorer’s web browser monopoly and opened the door for other browsers to proliferate and change the way people experienced the internet.

His first browser was Mozilla Firefox, but he stepped down from his position as the CEO of Mozilla in 2014 amid loud criticisms of his donations to same-sex marriage ban initiatives in California. Now he’s working on his next browser project: Brave.

Brave is a startup dedicated to developing a browser that changes how internet ads are published and paid for. The browser would block advertisements and attempts to track user data, but replace those advertisements with ads that are less intrusive and use less of a device’s computing resources to run. Advertising revenue will go to site owners and users themselves; publishers would be getting 55 percent of the revenue generated by the ad, which trumps the percentage they get from more established advertising networks. The company advertising would then pay its own advertising network partners 15 percent and keep 15 percent for itself. The final 15 percent would flow back into the browser users’ pockets, though I don’t really get how. Users could opt out of ads altogether by donating to their favorite websites.

The idea behind Brave is to give more power to web users, who are just beginning to be able to make real decisions about their surfing experience based on the browser they choose. If Brave is a success, it will be the first browser to show so much respect for an internet user’s privacy. For now, every time you load a page you’re opting into whatever policies an ad network has in place. “…so we invert this power structure and have the browser be an important part of the system instead of this passive window,” explained Eich.

That said, Eich isn’t out to eliminate internet advertising by any means. He understands that the internet cannot function without its main source of funding, and that ad-blocking software could create major funding issues for a lot of websites.

“Most people aren’t ready to pay for their content,” Eich claimed. “Some aren’t well off enough to pay for subscriptions, some don’t know how or don’t want to trust their credit card to a paywall…They like free-riding, or even starting a war.”

“You may never click on an ad, but even forming an impression from a viewable ad has some small value. With enough people blocking ads, the Web’s main funding model is in jeopardy.”

Brave hopes to allow those who prefer to not see ads still support sites through donations, allowing for those websites losing out on advertising funding to be funded directly by their users. Everyone else can support sites by viewing ads that Eich hopes will be “more relevant, less intrusive, and not so creepy” as the status quo.

Brave claims that if it shares data it finds, it will always be anonymized and that it cannot be shared without the user opting in.

Apple CEO Stands Strong Against FEDs on Encryption

Last Sunday, Apple CEO Tim Cook took part in an interview on the CBS news program 60 Minutes in which he asserted the rights of tech companies to provide encryption services to their clients.

“There’s all kinds of sensitive information on smartphones today,” claimed Cook. “You should have the ability to protect it. The only way we know how to do that is to encrypt it.”

Cook noted that Apple was still willing to comply with search warrants served on it by law enforcement officials.

FBI Director James B. Comey disagrees, believing encryption only remains a legal service because of a lag between legislators and inventors: “Unfortunately, the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem… We call it ‘Going Dark’ and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism, even with lawful authority.”

“We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so,” added Comey.

Plenty of security and tech advocates take issue with Comey’s initiative to ban encryption services.

“A proposal to protect our security by weakening our security is going in the wrong direction,” asserted executive director of the Electronic Frontier Foundation Cindy Cohn.

“If the government were to suggest that no one put locks on their doors because if we were a terrorist it would be harder to get into our house, we would think that was a bad idea… This is pretty much the digital equivalent of that.”

Cohn makes an excellent point; as large scale hacks become commonplace, government agencies are finding that sometimes not even they can keep their sensitive data under wraps. If they have access to everyone’s data, or make that data more accessible to everyone, terrorists won’t be the only users made more vulnerable.

Berin Szoka, the president of TechFreedom, claims that this issue presents a historic crossroads in American history and the history of the internet:

“This is really a binary issue. Are you going to allow end-to-end encryption by the operating system makers or not? Once you say no, you start down this road without stopping the really smart bad guys from continuing to use encryption on their devices.”

CEO of Accellion Yorgen Edholm believes the government can achieve its goals by walking a separate path: “If the government law enforcement agencies are looking for an encryption compromise, maybe they should look outside the tech sector for it… Encryption can always be broken by people who have supercomputers- the government has more supercomputers than anyone else. So the government has the resources to decrypt anything. It’s just that those resources have to be made available to local law enforcement… That compromise wouldn’t make it easier for the bad guys to get into my privacy just because the government wants to have the computer equivalent of a wiretap.”