November 27, 2024

Senate File Pilfering Report Released

The report of a preliminary investigation into the Senate file pilfering has been released (in two parts) by Senate Sergeant-at-Arms Bill Pickle.

The report mostly confirms what was reported previously: many files on the shared server were unprotected, so that anybody who knew how could get them; a clerk working for the Republican staff, under the direction of a senior Republican staffer, accessed more than 4,000 of the Democrats’ files; and some of the juiciest files were leaked to the press, probably by the aforementioned Republican staffer.

The report also contradicts some claims made previously. It is clear from the report that the availability of the files was not widely known. The report also shows that the people making the accesses worked to cover their tracks, both during and after the time when the accesses occurred. It also appears that the Republican staff member who oversaw the accesses made false statements to the investigators.

I wrote before that it wasn’t clear whether the accesses violated the Computer Fraud and Abuse Act (CFAA). The key question in applying the CFAA to these facts was whether the staffers were “entitled to” access the particular files they downloaded; and the answer to that question depends on the rules and practices of the Senate.

The issue still isn’t clear-cut, but the facts recounted in the report tend to tip the balance toward violation of the CFAA. The accessors’ efforts to cover their tracks, both during and after the accesses, are revealing. And the report tells how the clerk, on initially discovering the files were accessible, took a pile of printed-out opposition files to one of his supervisors, who shredded the files and “admonished [the clerk] not to use the … documents”. These facts, plus the apparent false statements made to the investigators, tend to support the argument that the clerk and the staffer knew that the accesses were improper.

The report makes no recommendation for or against a referral of the CFAA matter to the Justice Department. That decision is in the hands of the Senators.

Implementing EFF

Recently, the EFF issued a white paper suggesting an approach to the problems of music distribution. The proposal would let people buy a blanket license allowing unlimited access to music from any source, in exchange for a payment of about $5 per month into a fund that would be distributed among copyright owners in proportion to the usage of each copyrighted work. The plan is voluntary, with neither consumers nor copyright owners compelled to participate. Commentary on the plan has been generally positive, though the RIAA said it wasn’t interested.

Ernest Miller pointed out a problem that would need to be resolved. Consumers who bought a license would be free to use P2P networks to download music; but it wouldn’t do to let them upload freely, as those uploads would be an unstoppable source of unpurchased music for non-participants. Peter Eckersley suggests that this problem could be solved by publishing an (unforgeable because digitally signed) list of the IP addresses of licence participants, and allowing anybody to transfer files to the people at those IP addresses.

It seems to me that if the EFF plan is going to happen, it will start with a deal between the RIAA and a university, in which the university creates a fund to pay out to copyright holders, in exchange for (a) free rein to do anything at all with copyrighted music within the campus (but not to distribute it outside the campus), and (b) permission for anyone, either on the campus or off, to transmit music to people on campus.

The university could help ensure compliance by blocking P2P traffic that would otherwise lead to outgoing transfers of music. (As always, the blocking would be easily circumvented by those who wanted to do so. Its only purpose would be to let well-intentioned people share music within the campus without accidentally making it available to outsiders.)

This is a much better deal for universities than a Penn State-style transaction, in which a university buys its students subscriptions to a limited music service. An EFF-style license allows unlimited use of music in courses, and it allows students and faculty to experiment with new uses of music. It also allows cross-university sharing and collaboration on music projects, if multiple universities join.

This might be a good deal for some university, if the price is right.

Dueling Viruses

There seems to be an active rivalry between the authors of competing computer viruses, with back-and-forth insults included in the textual comments within each virus, according to a Mike Musgrove story in today’s Washington Post.

Witty repartee it’s not: “Bagle – you are a looser!!!” But one does worry about what will come next, if the loosers decide to escalate from a war of words to an e-war. If that happens, the next step will be new virus versions that try to inoculate victims’ machines against rival viruses. And don’t expect the kind of clean, surgical inoculation you get from a good antivirus product, but a crude rewiring of the victims’ software configuration, causing all sorts of trouble.

In the worst (but unlikely) case, this could escalate into a full-on game of distributed core wars, with rampaging malware armies clashing in the computers of people foolish enough to click on the wrong attachments.

Let’s hope this doesn’t happen. And let’s all remember to update our antivirus software and be very suspicious of email attachments.

Avi Rubin's Election Judge Experience

Avi Rubin, the John Hopkins computer science professor and leading critic of e-voting, has posted a fascinating account of his day as an election judge in Baltimore, Maryland, using the new Diebold machines.

UPDATE (11:00 AM): It must be noted that the polling place where Avi worked was not typical. Everybody seemed to know in advance who he was. One of the other poll workers just happened to be an experienced Diebold trainer. Very senior Diebold executives just happened to show up before the polls opened to make sure everything was okay.

Super Tuesday

Today is a major primary election in several U.S. states. In Maryland, it will be the first use of the controversial new Diebold e-voting machines that were the subject of several negative security evaluations.

Unless there are very large, obvious problems today, expect stories later in the week in which e-voting advocates say there were no problems with the new machines. What they will really mean, of course, is that they didn’t notice any problems, which isn’t too surprising since the machines are essentially black boxes.

Avi Rubin, a prominent computer security expert and e-voting critic, is working as a volunteer election judge in Maryland. I’m eager to hear what he has to say after spending a day in the trenches.