Archive for the ‘privacy’ Category

A while back, CBS News ran an “exposé” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is being run around the internet again, though, so let’s take a few minutes to formally debunk it.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

  • Digital copiers contain hard-drives – True.
  • The hard-drive keeps a copy of the documents being copied – True.
  • The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes there are images on the hard-drive but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
  • The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even half-way on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

  1. If your company does not keep copiers on their IT asset list, they should. (Though they should primarily because of the risk of an unpatched OS.)
  2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.


Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to its highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab but it will frustrate the 13-year-old who pulls the drive out of the trash.
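To show why lesson 2 and this note work (and why high-resolution color pages fill the drive fastest), here is an added simulation that is not part of the original post. It models the copier’s image store as a fixed-capacity drive that overwrites the oldest scan first, which is an assumption about the firmware; page sizes are uncompressed Letter-size estimates, and the 1 GiB capacity and page labels are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    label: str
    sensitive: bool  # True for a document you would not want recovered


class CopierDrive:
    """Fixed-capacity image store; evicts the oldest scan first (assumed FIFO)."""

    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes
        self.images = deque()  # (page, size_bytes), oldest on the left
        self.used = 0

    def scan(self, page: Page, size_bytes: int) -> None:
        if size_bytes > self.capacity:
            raise ValueError("a single scan cannot exceed drive capacity")
        # Make room by overwriting the oldest images until the new scan fits.
        while self.used + size_bytes > self.capacity:
            _, old_size = self.images.popleft()
            self.used -= old_size
        self.images.append((page, size_bytes))
        self.used += size_bytes

    def sensitive_remaining(self) -> list:
        return [p.label for p, _ in self.images if p.sensitive]


def page_bytes(dpi: int, color: bool, width_in: float = 8.5, height_in: float = 11.0) -> int:
    """Uncompressed scan size: pixel count times bytes per pixel (3 RGB, 1 grayscale)."""
    return int(width_in * dpi) * int(height_in * dpi) * (3 if color else 1)


def pages_to_flush(capacity_bytes: int, dpi: int, color: bool) -> int:
    """How many junk pages at this setting it takes to cycle the whole drive once."""
    return -(-capacity_bytes // page_bytes(dpi, color))  # ceiling division


def poor_mans_wipe(drive: CopierDrive, dpi: int, color: bool) -> int:
    """Feed junk pages until no sensitive image is resident; return pages used."""
    count = 0
    while drive.sensitive_remaining():
        drive.scan(Page(f"junk-{count}", False), page_bytes(dpi, color))
        count += 1
    return count
```

On a 1 GiB drive the model needs about 11 pages at 600 dpi color versus roughly 288 at 200 dpi grayscale, which is the point of the note above; a real filesystem may only unlink old images rather than overwrite them, which is why a forensics lab can still win.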

Who owns your contact list? Is your rolodex yours or is it intellectual property of your employer? And how does that rule change when your rolodex is really your LinkedIn account?

Two recent court cases out of the UK concluded that your contact list may well belong to your employer. The first involves the UK arm of a US publishing group, PennWell Publishing (UK). In this case, a departing employee burned 18 files containing contact details for industry members and conference attendees onto a CD. While at the company, the employee had stored both personal and work contacts in his email account address book. As the database contained his own “journalistic contacts”, he believed he was entitled to a copy when he left to set up a competing business. Despite a strong argument by the former employee about “the highly personal nature of the files”, the judge found that an address list in the email system and backed up by the employer is exclusively the employer’s. He went further and said that not only is the employee not entitled to exclusive use of his former address book, he is not even entitled to shared use and was permanently enjoined from using the address list. This was true even though the list was started from a list that the employee brought from his previous employment and updated himself and despite the fact that it contained a proportion of purely personal contacts.

In the second case, a former Hays Specialist Recruitment employee was forced to disclose business contacts added to his LinkedIn account before leaving the company. Again, the company’s motivation was the employee’s use of the contacts to set up a competing business.

Some forms of intellectual property are clear. Stealing the recipe for Coca-Cola, employee lists showing SSNs, the company’s strategic plans or patented machine designs is bad. Whether a customer roster belongs on that list depends a lot on the company’s business model. And whether your own address book counts as a customer roster may depend on your position within the company – there’s a stronger argument if you’re in Sales than if your rolodex consists mostly of IT vendors.

The line between personal and business life is increasingly blurry – and that blurriness helps companies more often than not in my opinion. Often, you want the personal connection of a human name in the contact list. I am not in favor of a blanket rule that you can never mix personal and business contacts. We need to be careful about putting too many barriers in the way of our employees.

In some cases, you can get around the problem by setting up role-based accounts for the company. For example, when I was working the company’s domain registrations, I set up an account called “dom-admin”. All the contacts, registration credentials, alert messages, etc. were made in that dummy account’s name. For convenience, the account forwarded to my internal email but everything stayed with the dummy account. When I moved out of that role, we simply switched the forwarding to the new person. It really helped our continuity. That doesn’t work for every situation, though.

Whatever the policy is, your company needs to make the policy clear, especially in this age of expanding social media and networking. If your rolodex is yours, fine. If it’s the company’s, make sure your employees know the rule ahead of time. The company’s Social Media policy is a good place to make clear who owns your contact list. If the policy isn’t clear, push the issue. Ambiguity is good for nobody but the lawyers.

A federal judge in Los Angeles ruled recently that a computer server’s RAM (random-access memory) is a tangible document that can be stored and must be turned over in a lawsuit. The judge is an idiot.

Background

The case is about copyright infringement. The Motion Picture Association of America (MPAA) is trying to force TorrentSpy, a file-sharing site, to turn over data about visitors to their website. TorrentSpy replied that they don’t keep logs on their users – they are merely an intermediary, allowing data to pass through their website unscreened. They essentially said that they have no data to turn over. Unhappy with that answer, Judge Jacqueline Chooljian ordered TorrentSpy to begin logging user information and to turn that data over to the MPAA.

Unfortunately, the only way that the judge can make that order is to make some real leaps of logic. Companies are required to cooperate with fact-finding requests for documents. That’s what the whole “discovery” thing is about. Our judicial system is based on the assumption that if we can get all the facts on the table, we can quickly figure out who’s right, who’s wrong and how to make the victim whole. (Remember that this is a very different standard from the criminal “innocent until proven guilty” rule.) If you have a document that might be relevant to the case, you are required to produce it to the other side and to the court.

There are a few limits to that broad discovery, however. You can hold back documents (or parts of documents) that are attorney-client privileged or that contain confidential information like SSNs, medical details, etc. as long as those details are not relevant to the case. You also cannot be compelled to produce documents you don’t have. Courts are not supposed to be able to force you to create new records or documents just to respond to a discovery request.

TorrentSpy does not log user transactions during their normal operations. They do so to protect users’ privacy and because they have no operational need for the data in their normal course of business. MPAA argues that it also makes it easier for people who download pirated material to work in the shadows. They may be right. Regardless, TorrentSpy argued that requiring them to turn on logging is the same as requiring them to begin creating new documents just for this case. From a legal point of view, they’re right.

The judge got around this by arguing that the data already exists in the computer’s RAM. Therefore, she is not asking them to create new documents, merely to produce existing data in a more usable form. You can read the original order here. She does cite some other Ninth Circuit decisions involving RAM but, in my opinion, she is either misreading or misapplying the underlying facts.

RAM is not and cannot be considered a “document” for the purposes of eDiscovery. RAM is the ephemeral memory that the computer uses to make calculations and to quickly access the data in other places. Think of RAM as the “one” that you carry in your head when adding a column of digits. (The data on your hard-drive may hold the result of your calculation in a spreadsheet but that’s a completely different kind of memory. The hard-drive data generally is reasonably accessible.) There is no possible way to record the billions of transactions per second that flash through the RAM of even a small computer. Attempting it would consume more permanent memory than exists in the world. And, by the way, writing all that content also requires transactional decisions and data that pass through RAM. The act of recording it spoliates it.

Okay. The judge is not really an idiot. She is seeking a justification to force cooperation from a company that’s not really playing fair. She wants them to turn on logging. Logging is cheap and easy – at least compared to most other electronic discovery activities. From a social policy point of view, I’m torn. TorrentSpy probably should be cooperating and not being stupid about the “costs of logging” and the applicability of Dutch privacy law. On the other hand, TorrentSpy is not being accused of any direct misdeeds. They are being pulled in as a third-party in MPAA’s attempt to sue their own customers. MPAA’s heavy-handed approach is not winning them any friends. Whichever side you agree with, though, the judge’s contortions about the technological facts of RAM to make her rationalization will get used as precedent outside this narrow circumstance. As the saying goes, “Bad facts make bad law.”

The judge’s decision is already being appealed and has been stayed pending that decision. Her decision has been upheld once but appeals continue. On both technological and legal grounds, I sincerely hope that her decision is overturned. Congress needs to address the problem of compelling cooperation from companies like TorrentSpy but they need to do it cleanly – a new law, not judicial twisting and rationalization.

Here is the article I wish I’d written about Facebook. It’s a bit long but it’s very good and has some funny bits.
10 Security Reasons to Quit Facebook (And One Reason to Stay On) by Joan Goodchild of CSOonline.

The short version boils down to:

  • Facebook makes it way too easy for young adults to post things that become forever part of their online history – they sabotage their own privacy without realizing it.
  • Facebook does not have your interests at heart. They’re a business and they don’t really buy into the whole privacy concept. That’s why, for example, they don’t really care or even notice when their frequent redesigns disrupt your privacy settings.
  • Spam, ads and other targeted malicious stuff.
  • And finally, the quote from George Strait’s “All My Ex’s Live in Texas” and the implications it has in an internet world were just beautiful.

On the flip side, here’s another article with a possible solution. Even though Facebook doesn’t get it, some developers do and they are posting free Facebook apps to manage the privacy settings for you. It won’t solve all the problems of Facebook but it can mitigate some. If you are a Facebook user, strongly consider using one of these new privacy management apps.

… is an oxymoron. Read this WSJ article for more. Not much else to say except the obvious. When you sign up for a free service, you generally get what you paid for, especially in the area of privacy. Never post anything online that you’d be embarrassed to see on tomorrow’s front page.