March 29, 2024

Washington Post: Break-Ins to Military Computers

Interesting article today in the Washington Post about some freelance consultants who apparently rummaged through a bunch of Department of Defense computers without authorization. What they found was pretty appalling. But what they did seems pretty appalling too – although the article takes pains not to mention this. Here is the beginning of the article:

Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

[…]

ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers’ online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.

Former employees of a private investigation firm – and relative newcomers to the security field – the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access.

What is amazing to me is that the writer seems to be working hard to avoid pointing out that what these guys did looks to have been unethical and probably illegal. The rule is pretty simple – honest discussion of security vulnerabilities: good; actually breaking into other people’s computers: bad.

True, careful readers of the article might still connect the dots between the description of what the ForensicTec guys did, and the mention fifteen paragraphs later of laws against unauthorized intrusion. But isn’t it the writer’s job to point out such basic connections?

It’s hard to believe the writer and his editor would have missed this obvious point. Yet I can’t understand why they would have chosen to ignore it. Any suggestions?

UPDATE: Within hours of the appearance of the above-mentioned Washington Post article, the FBI raided the offices of ForensicTec.

Keystone SpamKops (cont.)

A reader, Florian Weimer, points out that there has already been at least one apparently successful lawsuit against spam blacklisters.

Keystone SpamKops

Earlier this week, my ISP shut off this site, because the site had appeared on a list of “spammers” published by an outfit called SpamCop.

Apparently, this happened because one person, whose identity I was not allowed to learn, had sent SpamCop an accusation saying that he had received an unwanted email message, which I was not allowed to see, that did not come from me but that did mention my web site. On that “evidence” SpamCop declared me guilty of spamming and decreed that my site should be shut down. Never mind that I had never sent a single email message from the site. Never mind that the site was not selling anything.

Naturally, I was not allowed to see the accusation, or to learn who had submitted it, or to rebut it, or even to communicate with an actual human being at SpamCop. You see, they’re not interested in listening to complaints from spammers.

With help from my ISP, I eventually learned that the offending message was sent on a legitimate mailing list, and that the person who had complained was indeed subscribed to that list, and had erroneously reported the message as unsolicited. Ironically, the offending message was sent by someone who liked my site and wanted to recommend it to others. Everybody involved (me, my ISP, the person who filed the complaint, and the author of the message) agreed that the report was an error, and we all told this to SpamCop. Naturally, SpamCop failed to respond and continued to block the site.

Why did my ISP shut me down? According to the ISP, SpamCop’s policy is to put all of the ISP’s accounts on the block list if the ISP does not shut down the accused party’s site.

Note the similarities to the worst type of Stalinist “justice” system: conviction is based on a single anonymous complaint; conviction is based not on anything the accused did but is instead based on favorable comments about him by the “wrong” people; the evidence is withheld from the accused; there is no procedure for challenging erroneous or malicious accusations; and others are punished based on mere proximity to the accused (leading to shunning of the accused, even if he is clearly innocent).

Note also that the “evidence” against me consisted only of a single unsigned email message which would have been trivial for anyone to forge. Thus SpamCop provides an easy denial of service attack against a web site.

The only bright spot in this picture is that our real justice system allows lawsuits to be filed against guys like SpamCop for libel and/or defamation. My guess is that eventually somebody will do that and put SpamCop out of business.

We're Back

Well, we’re back on the air after a three-day interruption of service. The interruption was due to bogosity at SpamCop, which I’ll explain more fully in the next post.

Fuzzy Language, Fuzzy Thinking

One of the things I’ve learned in working with lawyers is that the language you use to describe something can powerfully shape your listeners’ ideas about it. Unless you’re very careful, you can fool yourself in the same way.

Many have remarked upon the rhetorical trick of using the word “piracy,” which denotes a type of violent crime long hated and feared – and still too common – to describe a lesser infraction. Calling infringement “piracy” makes it sound worse than it is.

But the use of “piracy” hides yet another rhetorical trick. The meaning of “piracy” is vague and expansive, while the more accurate term “infringement” has a precise and limited meaning. “Piracy” is often used even when no infringement is taking place; in these cases “piracy” really just means “any activity that makes a copyright owner unhappy.”

All right then; you may admit that “piracy” is an inaccurate term. But it is a colorful term, and like it or not, it is in common use. So, you might ask, what’s the problem with using it?

The problem is that fuzzy language leads to fuzzy thinking, and you may be fooling yourself by using fuzzy language. Fortunately, there is an easy way to tell if you’re falling into this trap. Try expressing your ideas using the precise term rather than the fuzzy one (e.g. using “infringement” rather than “piracy”). If your ideas still make sense, then you’re in good shape; but if your ideas sound weak when expressed in this way, then the fuzzy term has clouded your thinking.

This method works, but it’s a hassle to keep applying it to yourself. There is an easier way – use precise language. Don’t say “piracy,” say “infringement.”

[More posts on inaccurate terminology to come.]