Saturday, December 30, 2006

Last Chance for Hotel in Little Rock!

Don't forget that the hotel block is officially out of reach after January 1 2007, so if you are reading this prior to that date, get on over to here!

(Note that I say "officially" -- Our members have a long history of sweet-talking hotels into extending the official time windows. However, your mileage may vary, no warranties express or implied, use at your own risk, and we'll leave the lights on (in case you get stuck at the Motel 6).)

(NOTE FROM THE OTHER SIDE OF TIME: It's now January 3. Anybody who gets a favorable response from the hotel regarding 'late' reservations, could you please file a comment below for all of us to see? Thanks!)

If you have not yet registered for the meeting, be sure to head now to the meeting's home page.

Access to Source Code Denied

In a recent case in Tallahassee, Florida, a local judge ruled that a candidate who lost by only 369 votes can't get access to the source code for the voting machines to test out her theory that flaws in the software resulted in underreporting of votes for her. According to the news report, the court held that the candidate's conjecture regarding the supposed flaws was not sufficient to trump the trade secret rights of the company that provided the voting machines.

If I find a copy of the judge's actual opinion, I'll post it as a follow up.

Consider whether this type of thinking will prevail in a contract dispute where one party seeks access to "black box" components of a system that underlie a disputed online transaction.

Friday, December 22, 2006

Even Criminals Should be Careful about Authentication

Here in Cyberspace-law-land, we've long been noting that lack of a true purely electronic method of authentication is the big thing that prevents e-commerce from making the leap into the big time. (Yes, you can buy plenty of books online, but nobody has been willing to sell you a house on a transaction that is totally end-to-end online -- You still need to see somebody offline.) There is still some risk that the person you are dealing with is not who they claim to be. If one is vending low-cost items like books, maybe the risk is sufferable. If one has backup from another independent system like a credit card system, maybe the risk is mitigated. But, if one is doing high-value transactions with a purely electronic communication, from start to finish, authentication is still a serious issue.

Well, it seems you can't even solicit somebody to do a crime without running into potential authentication problems. On an e-mail exchange posted on the site http://attrition.org/, a couple of guys apparently answered a widely disseminated request from somebody who was allegedly soliciting for someone to engage in potentially criminal enterprises (i.e., entering without authority into the systems of the solicitor's alma mater to change his Grade Point Average). The guys who took up the call were spoofing the solicitor -- let's just say that hilarity ensued. (It almost reminded me of the elaborate e-mail chains the infamous Nigerian spammers would start once they might have started to reel in a victim...)

To put it mildly, when you get to the part where the spoofers ask the solicitor for pictures of the pigeons on his college campus to prove that he's not an FBI agent, you will probably be spitting your lunch all over the table. (Aim away from the computer screen when you do that. Trust me on that one.)

Notes --
  1. All people are innocent before the law until found guilty -- Even on this blog.
  2. There is a background story on this that involves U.S. politics -- Many of you might have already gotten wind of this story because of that aspect. This blog has no dog in that hunt... We're all about the cyberspace part.
  3. If you do go to the actual e-mail exchange posted at http://www.attrition.org/postal/z/033/0871.html, it contains a few choice words that most of us would not want to say out loud in front of our grandmothers. Press the link at your own risk. There's a less naughty-word laden report on the story here if you wish. And, props to Talking Points Memo for originally pointing out the story to me.

ANYWAY -- I hope each of you has a happy holiday season, and we look forward to seeing many of our readers at upcoming Cyberspace Law Committee events during 2007!

Thursday, December 14, 2006

Ken Adams on Web Searching for Contracts

Ken Adams, proprietor of the always interesting AdamsDrafting blog and author of the best-selling ABA book A Manual of Style for Contract Drafting, had a post this morning on his blog regarding the use of EDGAR as a research tool to look at old contracts that had been filed as part of SEC filings. The Cyberspace hook for us today is the commentary on how there is a proprietary Web-based service out there that will help one to index the old contracts and find ones that might be of interest. Ken's sense is that there are many other ways to use the Web to access the same information (for example, the use of Lexis and/or Westlaw to search EDGAR filings that are under Exhibit 10). Ken also notes his skepticism on the quality of the work one might find in SEC filings -- I'll let you go read the particular choice phrase he applied to the contracts on EDGAR (this is a family blog after all...).

My only other thing to add is that in my particular practice, involving a great deal of day-to-day contracting for technology licensing and purchasing, the number of times I've been able to find useful work on EDGAR is almost too small to count. The EDGAR system is potentially useful if one is interested in contracts that publicly-held companies might do that rise to a certain level of materiality--Software licenses rarely fall into that bucket for either the licensor or the licensee. I've no doubt that there are exceptions to that, but combined with the fact that I think any of us who read this blog are more than capable of running rings around what we might find on EDGAR, my suggestion is to stick to our own form libraries and use our own inherent skills rather than relying on some other person's randomly-selected work.

ASIDE: The other Cyberspace angle -- Ken Adams will be joining a panel of lawyers from this Committee at the ABA Business Section's Spring Meeting this March in Washington DC. The pre-meeting CLE programs put on for the Section's Young Lawyer Forum are fantastic, and that's not just because I will be speaking for one of them! We hope to see you there.

Tuesday, December 05, 2006

Remotely Eavesdropping on Cell Phone Microphones

A cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone.


FOLLOWUP THOUGHTS (Jan 4, 2007):

I can’t get paranoid about this one. It seems to me that if the bug is obtained through the auspices of a proper (4th Amendment compliant, probable cause, yadda yadda yadda) court order, it’s not all that different than any other form of bug. We can be paranoid about the cops and courts as a general rule (and should be…), but the means they use to exercise their court orders is not all that much more scary.

I couldn’t tell (and CNET obviously can’t from what I read) if the bug is one that directly transmits a signal to a receiver operated by the police, or if it transmits something via the cell network. Legally it should not be all that much different if there's been a proper court order, although you’d have to rope in the cell provider if the latter.

Technically it is interesting in that the only radio that should be in your typical cell phone is the radio that transmits to the cell network. (Bluetooth, found in an increasing number of handsets, is, of course, a wild card in all of this – Let’s set that one aside for the moment though.) If we’ve got the bug set up as a purely software bug that infects the phone and has it transmitting what’s passing through the microphone over some sort of ‘radio’ then it must be going over the cell-transmission radio – And, that seems difficult to conceive other than something that would require the cooperation of the cell phone provider, since operating that radio without interacting with the cell network would be something I cannot believe would be an ‘off-the-shelf’ capability of the phone handset. If that’s the case then I’m less concerned again about non-legal hackers because it seems hard to believe that the cell networks would volunteer to allow a hacker to use the network! (It also suggests that this technique shouldn’t work against somebody sitting on an airplane, unless the FBI is suggesting that the FAA’s prohibition on cell phone use is not really a safety concern for all on the plane...)

If, as the BBC article mentioned in the CNET article linked above suggests, the cell network radio is hacked, via some kind of Malware that is sent electronically to the victim’s phone, to stay in transmit mode even where the phone seems to be turned off (or the radio has been turned off, as I can supposedly do with my BlackBerry), and even if ‘intelligence agencies’ can find ways of intercepting that signal and decode it, that would still require the spy to have physical proximity to the victim at all times (presuming the cell network isn't being used), and I find that all rather implausible as a useful source of data unless the spy is investing a LOT of money in this victim (and, if they have that much money to invest, they’d find some other way than this exploit to get what they want). We’re not going to see hackers using this tactic for random crap they might want to listen to while you’re talking to your best friend at the local coffee shop. (And, the cell providers would quickly come up with anti-spyware tactics for their phones if the exploit got out beyond this nefarious ‘intelligence community,’ so any win by a hacker would be short-lived at best.)

Apart from the radio that is used for purposes of the cell network, the only other ‘radio’ in a typical cell phone (off the shelf) is the Bluetooth. That might be an interesting hack (and the subject of multiple discussions already). Still, it seems hard to believe that there would be a hack that might alter the phone to NOT turn off the Bluetooth (and/or the phone itself) when I thought I’d turned it off – There would be a hell of a lot of software necessary to do that, and it would be so handset specific that, again, the investment for any one particular victim would prevent the odd private citizen hacker from taking advantage of it – We don’t have the single-source problem for cell phone operating software that we have for PCs. (I do work for that industry, and actually work on licenses for cell phone operating system software, so I speak from knowledge in that regard.) Also, since the off-the-shelf Bluetooth system in my phone does not use the microphone on the phone handset itself, but rather the microphone in my earset, it would require an even more incredible hack to get the handset to use the Bluetooth transmitter for such a non-standard function as to transmit the sounds on the microphone to a surreptitious Bluetooth listener, and to do so while also allowing the spy to circumvent whatever encryption is on the Bluetooth transmitter, and probably to do so as well while still allowing the Bluetooth transmitter to be used simultaneously for its intended purposes since otherwise one would tip off the victim of the bug. Finally, Bluetooth is even more susceptible to the need to be proximate to the victim -- That radio will reliably transmit only a few hundred feet through clean space.

Again, it might be plausible for the 'intelligence community' to invest in human resources to follow somebody around who is a high-value target, but that target would be gotten one way or the other if somebody was really interested, that target would probably know well enough to take out the battery of his phone, and the rest of us are perfectly safe from the pimple-faced script kiddie.

Finally, if all that’s involved in the above is a physical bug snuck into the cell phone itself, then those paranoid executives who remove their batteries are missing the boat. And, pimple-faced kids sitting in coffee shops are still at a loss when it comes to physical invasions of people’s personal property (or I’m not all that worried about the few who would try such a thing). Regardless, the addition of using a cell phone (as opposed to slipping a bug into the back of my jacket collar) to the mix doesn’t change anything where you’ve got somebody who’s willing to commit a criminal breach of my personal effects in order to plant his bug.

In other words – I’m kind of skeptical about all of this.


But, it all leads to finding stuff on the BBC article cited by CNET, such as this actual living example of a Cone of Silence. Where’s Maxwell Smart when you need him? (If you read the BBC article, it really seems poorly thought out – For example, they find ‘experts’ who claim that a physical bug wouldn’t work since the battery would wear out, but who’s to say the bug wouldn’t be set up to use the cell phone’s own battery (duh…). And, I did check the dateline of the article – It’s not April 1, but maybe it should have been.)