November 30th, 2012

Malware was popping up in some places where you really, really don’t want to see it this week. Let’s start with Japan, where information about a top-secret new rocket, currently in development, was siphoned off a computer at the Tsukuba Space Center. This rocket was supposedly designed to launch satellites, but “solid-fuel rockets of its size can also be used militarily for intercontinental ballistic missiles.” So that’s pretty scary! The infected computers have been cleaned of all malware, but it’s not yet known who did the siphoning.
From rockets to nuclear weapons now: The International Atomic Energy Agency, a branch of the U.N., reported a security breach earlier this week, where the names of over 100 experts working for the agency were disclosed online. From Yahoo:
A group called “Parastoo” — Farsi for the swallow bird and a common Iranian girl’s name — claimed responsibility for posting the names on its website two days ago…
Chastising Israel for its “nuclear arsenal,” the hackers urged the experts whose names they published to sign a petition demanding an “open investigation” into Israel’s nuclear program.
Fortunately, the head of the agency announced yesterday that no “sensitive nuclear information” was stolen as a result of this hack. To counteract those two bursts of worrisome news, here’s something: Microsoft has teamed up with malware analysts to try and fight click fraud (“a scam where advertisers pay for worthless clicks”), which is a $32bn problem. Let’s hope they enjoy some success.
Meanwhile, a senior Federal Reserve official warned about the potential damage that cyberattacks could do to our financial infrastructure; and a 27-year-old man from Houston was arrested for breaking into hotel rooms. Well, not breaking into hotel rooms, but exploiting a security flaw in hotel room keycard locks to gain entry into rooms, and then stealing from them. The latter is a pretty interesting story and well worth a read.
November 30th, 2012
Here’s a quick update on one of the earliest cases we covered here at IT-Lex. Back in early July, the First Circuit ruled against Ocean Bank because of its “commercially unreasonable” online security. The vulnerability was discovered after hackers stole $588,000 from the account of an Ocean customer. Though some of that money was recovered, the customer was still $345,000 short, and that brought about the lawsuit. The First Circuit judge encouraged the parties to settle, and as the WSJ reports, that’s exactly what they did earlier this month. People’s United Bank, as Ocean is now known, agreed to reimburse the client with the full $345,000.
November 30th, 2012
There have been a handful of stories that caught my attention this week, which can all be linked by one theme: we in the U.S. should be incredibly thankful to have largely reliable and safe internet access. Compare and contrast with the situation in Iran, as reported by German newspaper Der Spiegel, via Techdirt:
Iran’s government is introducing a biometric ID card that will function at the same time as an access card to the Web. Without registration via “smart card” the Internet will be blocked for citizens — an insidious strategy for monitoring the opposition on the Internet.
The ID card will be required for any Iranian over the age of 14, and would contain an encrypted, digitized fingerprint. The potential for identity theft is very high, and the chilling effect this will have on internet users is even higher. We’ve seen social media help galvanize the people in Iran, as in other countries, and this measure would really serve to stifle voices of opposition.
Speaking of other countries, the Electronic Frontier Foundation posted a blog entitled “What’s Going On in Central Asia?” which highlights current concerns from Kazakhstan about dissenting voices being silenced. Some reports suggested that state prosecutors had filed lawsuits against Google, Twitter and Facebook, but these reports have been denied. Not far away, in Tajikistan, Facebook has been blocked by the national government, in response to so-called “mud and slander” against the country’s President and other officials.
Beg Zukhurov, head of the state-run communications service that is enforcing the ban – the second time Tajikistan has blocked Facebook this year – accused unnamed donors of paying users to post negative comments about “respected figures”…
“Does Facebook have an owner? I’d like to speak to him,” Zukhurov said. “Let him come here and meet me in my office.”
Meanwhile, in India, a controversial law declaring it “a crime to digitally send ‘any information that is grossly offensive or has menacing character’” led to two even more controversial arrests.
Last week, the police arrested Shaheen Dhada, 21, a medical student, after she posted an update on the social media site Facebook questioning the forced citywide shutdown after a far-right Hindu political leader died in Mumbai. A friend who clicked “Like” on the post, Renu Srinivasan, 20, was also arrested.
The arrests were widely criticized by free speech advocates, and in the subsequent fallout, the police officers who carried out the arrests have been suspended. The women have been released on bail, though the charges against them have not yet been dropped.
Finally, an interesting story out of China. Yes, we know that the internet is heavily censored out there, but here’s some information you may not have known (via Gizmodo):
…Chinese authorities are employing all kinds of techniques to prevent their population from seeing the real web.
Often that involves subtle tricks, like giving the appearance of a slow internet connection. But sometimes the country uses DNS poisoning, which employs cheeky redirection to throw up a website that wasn’t requested. In particular, a Miami pet spa, known as The Pet Club, is one of the chosen sites.
That’s right: Chinese internet users trying to access a site like torproject.org (a tool designed to improve online anonymity) get redirected to a pet spa in South Florida, with a decidedly old-fashioned website.
So even though our ISPs might want to throttle our speeds or block certain sites, and our email privacy is questionable at best, let’s be thankful for the rights and freedoms we do enjoy here.
November 29th, 2012
Remember the Six-Strikes program that was meant to launch this week? You remember the one: if your ISP catches you illegally downloading or uploading copyrighted material, it would give you half-a-dozen warnings, and maybe throttle your internet speed or block access to certain popular websites? Well, that’s been put on hold temporarily, supposedly due to last month’s devastating hurricane. From TorrentFreak:
“Due to unexpected factors largely stemming from Hurricane Sandy which have seriously affected our final testing schedules, CCI anticipates that the participating ISPs will begin sending alerts under the Copyright Alert System in the early part of 2013, rather than by the end of the year,” CCI’s Executive Director Jill Lesser explains.
“We need to be sure that all of our ‘I’s are dotted and ‘T’s crossed before any company begins sending alerts, and we know that those who are following our progress will agree,” Lesser adds.
That TorrentFreak article goes on to suggest that another, non-Sandy, hurdle that the initiative is facing involves getting all the ISPs on the same page. As it stands, it sounds like each company will handle offenders in different ways.
Three of the five U.S. ISPs participating in the copyright alerts plan have revealed what mitigation measures they will take after the fourth warning.
AT&T will block users’ access to some of the most frequently visited websites on the Internet, until they complete a copyright course. Verizon will slow down the connection speeds of repeated pirates, and Time Warner Cable will temporarily interrupt people’s ability to browse the Internet.
The remaining two ISPs, Cablevision and Comcast, have not announced their plans yet. As Cory Doctorow points out on Boing Boing, the idea of cutting off certain sites seems like it could be problematic: “I wonder if Facebook will sue [AT&T] for tortious interference.”
November 29th, 2012
We’ve talked about how newspapers in Brazil and across Europe are battling with Google over revenues. In a nutshell, they claim to be suffering because web users read their headlines and opening sentences through Google and don’t click through to their own websites. Page views equal advertising money, so the newspapers want to get paid for their summaries. As ZDNet reports, Germany is trying to address this situation via new legislation:
The Leistungsschutzrecht für Presseverleger, or ‘ancillary copyright for press publishers’, would provide an extension of copyright in Germany to cover snippets of articles, such as those that show up in search results so the user can tell what each result is about. It is being proposed by Angela Merkel’s coalition, and follows intense lobbying by publishing giant Axel Springer and others.
Not surprisingly, Google is strongly opposing the proposed legislation. The company just launched an online petition on its campaign website, which also contains a video explaining the problem the law would cause. It’s not just that they would be forced to spend a lot more money for content, they argue, but that they would have to eliminate a lot of the content they provide, and that would be bad for the German people. (As the website points out, four million German jobs depend on the Internet.) The site also points out that, if newspapers don’t want their stories to appear in the Google aggregators, there’s a way to opt out (as 90% of newspapers in Brazil did). Therefore, they say, this kind of legislative response is unnecessary. The ZDNet article contains this interesting tidbit, too, about how far-reaching the original draft of this law was:
The version of the bill that is set for debate is not the first iteration. An earlier version would have forced not only search engines to pay up, but also any business that lets employees search the web at work.
That proposal elicited such a furious response from German industry bodies that the government scaled back its plans.
TheNextWeb offers this statistic: “Google’s search and News service already directs four billion hits to publishers globally, equating to roughly 100,000 clicks per minute.” This isn’t the only battle Google currently faces in Germany, but this one could have some very powerful implications. Something is expected to happen with the bill in the coming days, so we’ll keep our eyes on this story.
November 28th, 2012
By IT-Lex Member Jason Pill (Bio)
A recent district court decision may hold appeal for anyone who has wanted to fulfill their inner-most “Office Space” fantasy. No, not the fantasy of owning your very own Red Swingline stapler (although such an item can be purchased here, and makes for a great stocking stuffer this time of year). I am referring to the infamous scene where the main characters, Peter, Samir, and Michael Bolton, demolish a temperamental fax machine/copier/printer (all-in-one!) against the idyllic backdrop of a summer meadow. Inspired by the movie, the plaintiff in Taylor v. Mitre Corp., 2012 WL 5473573 (E.D. Va. Nov. 8, 2012), went “Office Space” on his work desktop by taking a “sledgehammer to it” and disposing of it in a local landfill after filing a charge against his employer for FMLA discrimination and failure to accommodate his disabilities—but it does not end there.
In 2009, Plaintiff secured counsel in anticipation of bringing a lawsuit against his employer. Counsel advised Plaintiff of his obligation to preserve and maintain all relevant documents or files in his possession. In November 2010, Plaintiff filed his EEOC charge. Sometime in 2011, Plaintiff’s work computer allegedly “died” and he attempted, with partial success, to back up its files (including work-related emails) to his laptop. After transferring the limited information he could, Plaintiff “wiped his work desktop” and then—ignoring counsel’s advice—“took a sledgehammer to it,” before ultimately disposing of it in a landfill. (For the curious type, the Court did, in fact, ruminate on the size and magnitude of Plaintiff’s weapon of choice. The Court noted that Plaintiff’s accounts of the size and type of the hammer varied, but Plaintiff did not deny that he smashed the computer with “some nature of mallet.”)
Despite these efforts, Plaintiff was not quite done. After filing suit in November 2011, Plaintiff was ordered to submit his laptop for inspection. The forensic expert examining Plaintiff’s laptop concluded that Plaintiff had purchased and run a program called Evidence Eliminator, a program whose express purpose was removing “sensitive material” from an individual’s hard drive, and had extensively researched evidence-removing software online before ultimately purchasing Evidence Eliminator. And, because these things occur in threes, the forensic expert further determined that Plaintiff had run another program, called CCleaner, at least twice in the week between the Magistrate Judge’s order and the date upon which Plaintiff submitted his laptop for inspection. By the nature of these programs, the Magistrate Judge was unable to conclude how many files were deleted from Plaintiff’s laptop. Nevertheless, the Magistrate Judge recommended dismissing Plaintiff’s claims outright, based on the severity and magnitude of Plaintiff’s destruction.
The District Court, in adopting the Magistrate’s recommendation, noted that any one of Plaintiff’s actions would have likely been sufficient to warrant sanctions, and had no reservation in dismissing Plaintiff’s claims entirely. Based on the egregious and intentional nature of Plaintiff’s actions, and given his knowledge and experience as a computer expert, the Court adopted the Magistrate’s ruling granting Defendant’s Motion for Sanctions, dismissing Plaintiff’s claims against Defendant with prejudice and awarding Defendant fees and costs associated with its Motion for Sanctions. The full order can be read here [.doc].
November 28th, 2012
As you read in Jason’s post a couple of weeks back, a Magistrate Judge in Colorado recently ordered the plaintiff in an employment case to turn over her cell phone, plus access to all email and social media accounts, to a special master for review. Well, the order was subsequently amended, and the special master was taken out of the equation; now, an employee of the Equal Employment Opportunity Commission (which happens to be acting on behalf of the plaintiff) has been tasked with sifting through all that digital information. Additionally, the EEOC just filed an objection [PDF] to the Magistrate’s order, on privacy and procedural grounds. From the objection:
An opportunity to object on the ground of privacy is essential, since, while the Order briefly acknowledges the “privacy concerns” raised by the EEOC’s Opposition, the Order does not substantively address these concerns. While the Order permits the EEOC to designate documents confidential under the protective order entered in this case, designation under the protective order does not address the EEOC’s chief privacy concerns, which is that disclosure of certain materials to any third party, and particularly to Defendant or its counsel, is itself an undue invasion of privacy, one that will cause the victims undue embarrassment and have a chilling effect on this and other sexual harassment lawsuits in the future. This is clearly the type of invasion of victims’ innermost private lives that courts have repeatedly precluded from discovery.
(Emphasis added)
Additionally, the EEOC cited Rule 412 of the Federal Rules of Evidence, which is particularly appropriate given the facts of this case:
[The Rule] explicitly precludes use of the type of private material sought by Defendant to prove sexual behavior or predisposition… The Rule is particularly applicable here in that it “aims to safeguard the alleged victim against the invasion of privacy, potential embarrassment and sexual stereotyping that is associated with public disclosure of intimate sexual details and the infusion of sexual innuendo into the factfinding process…” … The same invasion of privacy, embarrassment, and chilling effect will occur if Defendant is allowed unbridled discovery of sensitive information here, and the injury is not obviated by the inclusion of a third-party or court review.
The initial Order garnered a lot of attention earlier this month, so it’s not really much of a surprise that the EEOC has filed this Objection. As always, it’ll be interesting to see what happens next.
November 27th, 2012
Yes, I am aware that this isn’t the first time I’ve made the “Frozen by ICE” joke in a headline, but it really does work so, so well. Yesterday, while shoppers celebrated Cyber Monday by buying reduced kitchenware and DVDs (not from the same site), the people of Immigration and Customs Enforcement – and their counterparts in Belgium, Denmark, France, Romania and the United Kingdom – were busy taking down 132 websites suspected of selling illegal goods. From the ICE press release:
The 132 domain names seized are part of Project Cyber Monday 3 and Project Transatlantic. These websites were set up to dupe consumers into unknowingly buying counterfeit goods as part of the holiday shopping season…
This is the third year that the [Intellectual Property Rights Coordination Center] has targeted websites selling counterfeit products online in conjunction with Cyber Monday… Cyber Monday 3 seized 101 websites and yielded one arrest [in the United States]. Additionally, recognizing the global nature of Internet crime, this year the IPR Center partnered with Europol, who, through its member countries, executed coordinated seizures of foreign-based top-level domains such as .eu, .be, .dk, .fr, .ro and .uk. This effort is titled Project Transatlantic and resulted in 31 domain name seizures.
CNN describes the characteristics of some of the sites in question:
The seized websites claimed to be selling familiar name-brand products, including Ergobaby Carriers, New Era hats, Nike sneakers, Tiffany jewelry, Oakley sunglasses, NFL jerseys and Adobe software.
Although some products may have fooled customers, many were inferior products and some should have been obvious frauds. One website sold a DVD entitled “100 Years of Disney,” but the Walt Disney Company — founded in 1923 — is less than 100 years old, [ICE Director John] Morton said.
What’s more, investigators were able to find PayPal accounts linked with the allegedly offending sites, and are pushing to seize proceeds obtained through those accounts, which they estimate to be around $175,000.
November 27th, 2012
There’s a fascinating privacy-storm a-brewin’ down in Texas that somehow manages to sound both futuristic and old-fashioned. San Antonio’s Northside Independent School District started issuing students with ID cards imprinted with Radio-Frequency Identification (RFID) chips earlier this semester. The RFID chip is able to monitor the student’s location while they’re on campus. Why does the school district want to know where the students are throughout the day? Well, for one thing, it’s due to funding:
Like most state-financed schools, the district’s budget is tied to average daily attendance. If a student is not in his seat during morning roll call, the district doesn’t receive daily funding for that pupil because the school has no way of knowing for sure if the student is there.
But with the RFID tracking, students not at their desk but tracked on campus are counted as being in school that day, and the district receives its daily allotment for that student.
(From Wired)
What’s more, according to TechCrunch:
The school argues that in addition to location monitoring, the ID card is also necessary for essential services, such as the cafeteria, the library, and getting tickets to extracurricular activities.
So that’s the motivation behind the measure. How are students reacting to it? Well, one particular student – sophomore Andrea Hernandez – refused to wear the RFID card around her neck as required, because she thought it resembled the Biblical “mark of the beast”. She wouldn’t wear the tracking chip, so the school decided to suspend her. The suspension was blocked temporarily by a judge last week, but proceedings in this matter are set to continue in the coming days. WND Education has more details, and an interview with Andrea’s father, who suggests that the school district offered to drop the whole matter if he’d promise to stop criticizing them in the press. He refused this offer.
November 26th, 2012
The Wall Street Journal wrote about a very interesting story last week that involves a man who logged on to his across-the-street neighbor’s unsecured wireless network, and used the connection to share images of child pornography over peer-to-peer networks. The opinion, from U.S. District Judge Joy Flowers Conti, features an extensive but fascinating description of how IP numbers work and how anybody using a wireless network can be uniquely identified. I’ve heard of people who go to Starbucks or McDonald’s specifically for the purpose of downloading music or movies, and they might want to read this opinion. As with anything online, it’s not as anonymous as you think!
Anyway, the defendant here – the guy who was stealing internet from his neighbor – was traced using some free software and subsequently indicted for child pornography possession. He then tried to suppress the evidence discovered on Fourth Amendment grounds. More precisely, the issue was:
“…whether [defendant] had a legitimate expectation of privacy in the wireless signal he caused to emanate from the computer in his home to [neighbor]’s wireless router and the wireless signal he received back from [neighbor]‘s wireless router in order to connect to the internet.”
Specifically, defendant argued that the use of the free software that found him (the program is called Moocherhunter, by the way) constituted an unreasonable search. Judge Conti disagreed, finding that it wasn’t a search at all.
“Moocherhunter monitored the strength of a signal that [defendant] voluntarily caused to send from his computer to [neighbor]’s wireless router and to receive a signal back from the wireless router in order to gain unauthorized access to [neighbor]’s internet connection… the party seeking suppression of evidence assumed the risk that information disclosed to a third party may be turned over to the police. Notably, Moocherhunter… did not reveal the contents of the communications; it only revealed that communications were taking place”
The ultimate lesson here is that a paying internet subscriber has no reasonable expectation of privacy when it comes to their IP number, “and likewise, a person connecting to another person’s wireless router does not have an expectation of privacy in that connection[.]” Additionally, as we’ve seen before, there are no sanctions for the owner of the unsecured network, though I’d imagine he’s put a password on it now.