
A Word About Our Blog Entries

The Julie Group shares a professional interest in the area of digital and emerging technology and law. As professionals there is a rich and deep appreciation for the differences of opinion that can appear in this space. You must never assume that opinion, where it is introduced, is universally shared and endorsed by all our volunteers. Nor are they necessarily the very best snapshot of a given issue.

Readers are expected to think about the issues, question everything worth discussing, and add value to the conversation by correcting what's here or broadening the understanding of the subject. This is part of the educational process between us all. Our hope is that this exercise results in better law, law enforcement, and citizen participation in forging sophisticated social understandings of the technological forces changing our lives.

Tuesday, May 18, 2010

OnStar Redux

Back on October 12, 2007, we posted a piece Should OnStar Shut Your Car Down? on this blog. Well, lo and behold, the New York Times just reported this past Friday that,

"Automobiles, which will be increasingly connected to the Internet in the near future, could be vulnerable to hackers just as computers are now, two teams of computer scientists are warning in a paper to be presented next week." (See Cars’ Computer Systems Called at Risk to Hackers by John Markoff, May 14, 2010, web version May 13, 2010.)

The two groups found that, "they were able to remotely control braking and other functions," and "the car industry was running the risk of repeating the security mistakes of the PC industry" (before PCs became widely networked and there were relatively few security incidents).

The stuff they could do was really scary,

"We demonstrate(ed) the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”

Can you imagine what it would be like to be in a car traveling at high speed while being subjected to such an attack?

And what would happen when you had to answer to the cops if you somehow survived? Well, the researchers

"also demonstrated what they described as 'composite attacks' that showed their ability to insert malicious software and then erase any evidence of tampering after a crash"

Oh boy! Things look bad. But how could a malicious hacker get access to your car's electronics when your car is not connected to the internet? Well, the Times article pointed out that, "Wireless connections are increasingly becoming available in a wide range of automobiles," and it singled out "services like the OnStar system from General Motors (which) now report(s) vehicle position and diagnostic information to the manufacturer."

In our original OnStar post, we asked for legitimate security researchers "to try to hack into OnStar (and other systems) just to find out how easy or hard it is to do."

The good news is that security researchers have started to do just that. The bad news is that it turns out to be easy to do. Toyota and GM and other automobile manufacturers, TAKE NOTICE.

The researchers' report is Experimental Security Analysis of a Modern Automobile, and will be presented at a computer security conference this week in Oakland, California.

The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.

--Chip Neville

Thursday, January 14, 2010

Haiti Earthquake Donation Scams

Tom Kelchner, Sunbelt blogger, is reporting on malware that's targeting Haiti Relief efforts.

Schools and community organizations who are collecting relief funds or encouraging donations should caution everyone to be sure of the legitimacy of the web sites claiming to offer aid.

The Sunbelt blog link is here:

As an ethical disclaimer, Alex Eckelberry, one of the founding members of The Julie Group, is an executive at Sunbelt Software. Nonetheless, the warnings on that blog are worth noting.

- krasicki

Sunday, September 27, 2009

Poorly Written Law, Chemical Neurowarfare, and Hacking

The intersection of recent technological advances and law is troubling.

YouTube documentation of the treatment of college students in Pittsburgh during the G20 summit raises serious questions about legislation that allows unconstrained, maliciously cruel, and disproportionate crowd control tactics to be used against unarmed civilian populations.

If we have learned in recent months that corporate behavior that goes unregulated can lead to disastrous social and economic consequences then just as surely we are witnessing warning signs that government empowered by ambiguous law and selective prosecution can strangle, intimidate, and muzzle constitutionally protected free speech.

The Stanford Law and Biosciences blog entry called, Militarized Neurotechnology: Incapacitating Chemical Agents by Kelly Lowenburg is a siren call.

Two recent pieces in Nature, an opinion and an editorial, discuss how non-lethal neuroactive chemical agents have been used by military forces (e.g. fentanyl-induced unconsciousness) and speculate about the potential development of more non-lethal weaponized chemicals (drug-induced lack of aggression, oxytocin-induced trust). Although using these chemical agents is prohibited by the Chemical Weapons Convention, an exception allows their use by law enforcement, for example, in domestic riot control (which may or may not include intrastate military actions).

And Kelly goes on to ask:
The divergent views on policy regarding incapacitating neuroactive chemicals leads me to ask, what about these chemicals makes them more alarming than other weapons? An understanding about why incapacitating chemical agents are uniquely worrisome should inform how they will be regulated.

Is it that they are difficult to defend against and therefore more effective? Is this a problem even though these weapons create non-lethal alternatives in otherwise deadly situations? Or is our real concern that, by incapacitating, they facilitate brutality toward a defenseless prisoner? If so, then the conversation should be about illegal soldier/police abuse, not the chemical agents themselves. Or is there something inherently unacceptable about militarized neuroactive chemical agents? Is acceptability determined by the intended effect (temporary unconsciousness)? By the mechanism (manipulating the brain)? By the amount of pain (fentanyl was developed as an anesthetic, so likely none)? By the size of its therapeutic index and how safe it is (when used to end a siege in a Moscow theater, fentanyl-derived gas killed 124 of the over 750 hostages)?

Should the Chemical Weapons Convention be amended to prohibit the use of incapacitating chemical agents by law enforcement? Or to permit their use by the military? Does permitting them in either context place us at the tip of a too steep slope of biological weapons with more prolonged and devastating effects (attacking fertility or the immune system)? Or does it save lives?

The questions are both urgent and critical in light of a recent 'hacking' conviction in Ohio.

Kim Zetter authored a Wired article called, Court Upholds Hacking Conviction of Man for Uploading Porn Pics from Work Computer.

She describes the case:
An Ohio appellate court has upheld the felony hacking conviction of a man who was found guilty of unauthorized access for misusing his computer at work.

Richard Wolf acknowledged that his behavior was inappropriate when he used his work computer to upload nude photos of himself to an adult web site and view other photos on porn sites, but he didn’t think he should be convicted of hacking for doing so.

A jury disagreed and felt he exceeded his authorization on the computer, which the appellate court recently upheld (.pdf).

Mark Rasch, a former federal prosecutor of computer crimes, called the conviction a misuse of the computer hacking law.

“This goes to the whole concept . . . that violation of an internal policy on the use of a computer can be piggybacked to make a crime,” said Rasch, who now works as a consultant for Secure IT Experts. “His uploading of nude pictures is certainly inappropriate and something he could be terminated for, but it was perfectly legal. When you use the heavy hand of the criminal law to prosecute inappropriate behavior, it’s just an abuse of the criminal statutes.”

Wolf was also convicted of soliciting a dominatrix online for sexual services, a misdemeanor. Rasch says using the computer evidence for proof of this crime is appropriate, but charging him separately for felony hacking goes too far.

Rasch said the problem stems from an amendment that was made to the federal Computer Fraud and Abuse Act — the federal anti-hacking law — that states have added to their own statutes.

“The early statute only talked about unauthorized access — which is breaking into computer,” he said. “But then they amended it to say ‘or exceeding the scope of authorization to access a computer’.”

Richard Wolf may be guilty of many things but the inappropriate application of a computer hacking law targeting malicious hacking of machines is judicial malfeasance. So much so, that the courts need to declare such laws unconstitutional and reject them not only for their blanket indifference to criminal behavior but for their dysfunctional effect on regulating such behaviors.

The vigilance of courts in ensuring the veracity of the claims of criminality against individuals must increasingly become a function of such prosecutions. Poorly written technology law must not be tolerated. In an age of mind-numbing technological change, the judicial branch of government must defer to and insist on clear and unambiguous language and appropriate application of law.

The concept of hacking is rapidly evolving from the quaint confines of computers and entering the realm of genetics and human self-determinism. The laws governing illegal activity concerning malicious modification to processes, machines, and human activity need to be re-examined and refined not by the politics of pornography, unbridled military industrial enthusiasms, or provincial social engineering tyrants.

Criminal behavior needs to be distinctly defined rather than broadly implied. And the governments of this world, whose resources are unlimited in relative comparison to their citizenry, must be constrained from loosing technology in its most punishing and draconian abuse against the inalienable rights of men and women.

Saturday, November 22, 2008

Julie Amero: Unjust Justice

The felony charges against Julie Amero have been dropped. Instead of facing prison, she was allowed to surrender her teaching license, pay a $100 fine, and plead to a misdemeanor charge of disorderly conduct.

I am thrilled that Julie Amero has no more charges hanging over her head. And she is thrilled, too. But you should know that no justice was done here. None whatsoever.

Justice would have been full exoneration with a deep, heartfelt apology from the prosecutor for not fully investigating the possibility that malware had infected the computer in the classroom where she was substituting.

Justice would have been a public statement from the prosecutor and Mark Lounsbury, the so-called police forensic "expert" who gave false testimony in her trial.

Justice would have been a proper investigation at the outset before she lost her baby, her reputation, her job, and ultimately, her good health.

Justice would have been placing the responsibility for the whole debacle at the feet of the school network administrator who did not have a full version of anti-virus or anti-spyware software installed, had almost no security policies in place, and hadn't updated the virus definitions on what was on the computer for over three months.

Justice would be seeing the jerks who create malware thrown in jail with the key thrown out, forced to watch the same pornographic images they fed to unwitting PC owners over, and over, and over again, while handcuffed behind their back.

Julie Amero was hospitalized last week for symptoms relating to stress and a possible heart condition. Just four short years ago she was looking forward to the birth of her child and a life with her husband in a community she loved. She enjoyed substitute teaching, loves kids, was well-liked by the students in the school where she taught, and had prospects for a nice, quiet, drama-free life.

One day substituting in a classroom with a badly-infected computer changed her life, her future, and her career.

I went ballistic when I read this a few minutes ago:

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."

New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.

"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.

"For some reason this case caught the media's attention,'' Regan said.

So that we're clear, it didn't catch the media's attention "for some reason". It caught the media's attention and the attention of forensic experts across the country because they all KNEW that typical behavior of a PC infected with malware is exactly what happened to Julie Amero in that classroom on that day. They were utterly appalled when she was convicted on those four counts of endangering the morals of a minor.

They saw unjust justice.

They saw Mark Lounsbury flat-out give testimony to falsehood. I am not saying that Lounsbury testified that way out of malice. I do, however, think he was untrained, had very little knowledge of viruses and spyware, and a full-blown ego that didn't allow for the possibility he was wrong.

They saw an investigation with very little process or integrity.

They saw Julie. And they knew this was not a woman who would walk into a classroom, boot up a computer, and start surfing porn sites in the middle of class.

They saw the truth. And when they saw it, they knew they couldn't sit idly by and watch an innocent person go to jail when the truth had not been told.

Experts, lawyers, and loudmouthed bloggers like me said "Not this time." They stepped up, they gave their time and expertise for free, and the loudmouthed bloggers started doing what we do best -- blogging it. Telling the truth. Telling those who want the real story to come over here and read about what really happened.

It is unfortunate that politics, or ego, or self-righteous certitude prevents Mr. Regan from understanding what everyone who has ever had a PC without the proper virus protection knows: Without proper anti-virus and spyware protection, your computer and maybe even your life is at risk.

Regan's pronouncement of his certainty of her guilt speaks to his ignorance and unwillingness to learn the facts of this case, and the facts of what PC viruses can do to a computer and in some cases, a life.

Julie Amero should have her teaching certificate back. She should have her hundred dollars back. She should be compensated for malicious prosecution. She should have her child in her arms.

She should. But she doesn't. Because a prosecutor thinks he knows it all, and has listened to a cop with enough information to be dangerous but no facts with which to be right.

Julie deserves better. But she accepts gratefully what she got. I only wish I could do the same.

More information and posts about Julie's case can be found here.

Saturday, October 4, 2008

Star Simpson Update

An interview with Star Simpson from Boing Boing TV. Simpson has left MIT.

Tuesday, August 26, 2008

Justice for Julie Petition Tops 1,000

THE JUSTICE FOR JULIE PETITION REACHED 1,000 SIGNATURES a few days ago, and is now closed. We presume it will be sent on to Chief State's Attorney Kevin Kane, Thomas Griffin, and the various State's Attorneys in Connecticut. Thanks to all who signed.


The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.

--Chip Neville

Tuesday, August 19, 2008

Julie Amero: 432 Days, No Resolution. Still

We're just going to re-post today's blog piece by Karoli Kuns:

Julie Amero: 432 Days, No Resolution. Still

Or, as Rick Green said so well today, Julie Amero is held hostage for 432 days.

I’m waiting for the state to admit that this poor substitute teacher should never have been arrested, tried and convicted. I’m waiting for prosecutors in Norwich to do something: come up with some real evidence and try her — or drop the charges. Amero’s supporters, who include Internet security experts from around the country, have a petition urging Chief State’s Attorney Kevin Kane to drop all charges.

Perhaps the citizens of Norwich should tie yellow ribbons around their trees. It might even be more effective for them to ask their law enforcement officials to focus on real criminals and let the innocent be.

Please sign the petition. It’s time for Julie Amero to be freed from the chains she’s worn for 432 days.

And thank you, Rick Green, for being a responsible voice for justice.

--Chip Neville (quoting Karoli Kuns' blog piece from today in its entirety)

The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.

Sunday, July 20, 2008

And She Still Waits

Julie Amero is still waiting for word that she will be retried or her case dismissed. Meanwhile, there is a moving piece by Wes on the Julie Amero blog here. And please don't forget to sign the petition here.

The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.

--Chip Neville

Julie Amero Petition

A plea to Connecticut's State's Attorneys. Please sign.

Link here.

The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.

--Chip Neville

Thursday, July 10, 2008

Julie Amero Still Waits

Noted security expert Alex Eckelberry and Hartford Courant Columnist Rick Green report that Julie Amero's case is still on the trial docket in Connecticut. Details are here and here. It is disappointing that 13 months after it was conclusively proved that Julie was the victim of adware and spyware, and 13 months after she was granted a new trial on this basis, the case still drags on. But the best and most optimistic scenario is that her legal team is negotiating with the State as you read this. (We don't actually know, in fact we are as much in the dark as you.) But if this scenario is correct, things may be in a delicate state right now. So we would ask bloggers to be extremely restrained in their comments. In other words, if you must blog, please follow the sage advice, "Don't PO the prosecutor, don't PO the judge."

The opinions expressed in this post are those of the author and should not be interpreted as an official position of The Julie Group.

--Chip Neville

Notes added:

The Hartford Courant has a new editorial here. California journalist and blogger Karoli Kuns has a new piece here.