Thursday, December 20, 2007

Another Myspace hoax leads to tragedy, this time in New York State

CNN today, in a story by Susan Chun, reports on jury deliberations of a manslaughter trial against Riverhead, LI NY man who shot a teenager, a friend of his son, outside his home in August 2006. The man thought that there was a threat. The teenager was there trying to protect a girl from a threat that had been sent as a "joke" by someone who had logged on to the Myspace page of the son of the man on trail and sent the threat as a hoax.

The case raises some of the same issues as the tragic case in Missouri already reported on this blog, generating some angry comments.

Generally, sending a "threat," even as a hoax, is against the law, however; people have been prosecuted for doing this for a number of years, given school incidents that go back into the 1990s (well before 9/11). The same laws that would have applied to physical media and US Mail can generally be applied to the Internet.

Prosecutors maintain that the defendant should have called police before acting. The defendant is African-American, and there are reports that his reaction to the situation is based on KKK experience in the South.

The CNN story is at this link.

Thursday, December 06, 2007

PC World reports on Storm Worm botnets

PC World, December 2007, has an important story by Erik Larkin on p 67, "Security Alert: The Internet's Public Enemy Number One" about the Storm Worm and the number of computers it can command. Apparently it can defend itself heuristically by "DDos"-ing your machine, in unusual and deceptive ways. But the best defense seems to be good use of anti-virus software from the major vendors (McAfee, Norton, etc).

Robert McMillan, of IDG News Service, as an article in the PC World online, "Storm Worm Sent 15 Million Pump-And-Dump E-Mails Last Month: The Storm Worm botnet network may be shrinking in size, but it managed to send out 15 million annoying audio spam messages in October", here.

The best way to find information about the virus on McAfee seems to be to look for Nuwar, which brings up many entries, such as this . "Storm Worm" itself does not come up on McAfee.

Sunday, December 02, 2007

Disturbing case in MO: adult impersonates a teen, resulting in tragedy

Recently, many media outlets have reported a very disturbing incident in a suburb (Dardenne Prairie) of St. Louis, MO where a teenage girl (Megan Meier) befriended a “virtual boy” on the Internet (through a Myspace profile) and then committed suicide when he suddenly rejected her online. Later the parents of the girl found out that the poster was the mother of a neighboring teen who wanted to “spy” on the girl, so an adult was impersonating a teen (sound familiar?). One of the major accounts is dated Nov. 22, 2007 on ABC News by Barbara Pinto, here. Another is by Mike Celizic on MSNBC here. A later story by By Deborah Roberts, Andrew Paparella, and Ruth Chenetz, appeared Dec 6 on ABC, "'Sickened, Devastated': Parents on MySpace Suicide; Should Those Who Posed as 'Cute Boy' Online Be Held Responsible for 13-Year-Old's Death?", here.

I had previously started a discussion of this story on my TV blog, here.

Local and state authorities indicated that no actual law had been broken. The town passed a law outlawing cyberbullying as “behavior” (based on intent. regardless of the “objective content,” so this is an example of “implicit content”). Later NBC interviewed a legal expert who said that there is a federal law that applies to harassment by impersonating someone else. She did not identify the law. I was not able to find any specific reference to such a law, although perhaps there is a statute related to the coercion and enticement statutes (2422 etc). 2422 (on Cornell site) could apply if the adult was trying to set up an illicit encounter with a minor, which does not sound like the case here (it was in the case of David Kaye on one of NBC’s “Dateline” stings with Peej.)

School systems vary in their enforcement of bullying codes, especially with GLBT people. Even the situation in Jena LA shows that there is a problem with racial issues. Generally school districts say that they have zero tolerance of bullying, but that is not always true in practice, and they have much less control over what kids do at home, much less their parents (although there have been some cases about this).

The interviewer on NBC encouraged parents to watch their kids’ online activity, insist that they be allowed to access their kids’ social networking pages, and to “google” their kids’ names, although this will not work with common names. The major media sites have been claiming that it’s possible to get search engines to notify a parent by email when a child’s name gets indexed online. That sounds misleading. I think what they mean is that Google Index Notification, or similar products from other engines, can be set up to notify the parent when a child's profile on a social networking site (or a child's site or blog) gets indexed, but the parent will need to work with the social networking company to get the details. This isn't a problem when a child sets up a site with the parent or school for a constructive purpose (science or other class research project), but it is a problem when the parent doesn't know what sites the child has or uses.

An important site that deals with cyber bullying is Isafe, with this pdf paper "Beware the Cyber Bully".

An interesting related story is from the FTC about a settlement against Xanaga for violating COPPA (Children’s Online Privacy Protection Act) online children’s privacy protection rule (from 2006)

Update: Dec. 3

I am told that the applicable federal law may be the The Telecommunications Policy Act of 1996. This was previously called "the Communications Decency Act" (CDA) and portions of it having to do with Internet censorship were struck down in 1997 by the Supreme Court, but other portions (including Section 230 which EFF often talks about as protecting webhosts from the effects of postings made by others) are in effect. The best link that I could find is this (on Newshare).

The link for the comment (q.v.) blog is this. It bears reading as there is quite a bit of detail. I also think it is possible that 2242 could apply.

Update: Dec. 3, 2007

Anderson Cooper went into this issue on his CNN 360 Program tonight in his "Digging Deeper" series. He interviewed Jeffrey Toobin, who discussed federal anti-stalking laws but indicated that it seemed unlikely that they are specific enough to apply here. (Some other laws mentioned in the debate might have a chance.) The possibility of a civil suit for intentional infliction of emotional distress, a tort but a vague one that can be abused, was mentioned.

Apparently, the mother hired an 18 year old to help her develop the phony profile. Another family member have been involved, but if so was apparently motivated or encouraged by the mother. The mother, however, denies that she actually knew about the last taunts sent to the girl. It's not clear who sent the various messages at different times.

The AP (also carried on AOL) has a 12/3/2007 detailed story by Betsy Taylor (explaining the lack of prosecution by local and state authorities) here.

Update: Dec 4, 2007

CNN has a video this morning on cyber-vigilantism spurred by this incident, here.
The Washington Times, in an editorial Nov. 24, called the woman a "knave" in its Saturday "Nobles and Knaves" piece.

Update: Jan 8, 2008

The Dr. Phil show covered the Megan case today (unfortunately it got pre-empted in Washington DC by Coach Joe Gibbs 's resignation from the Washington Redskins). The link for the show is here. The Dr. Phil website publishes a Drew Family Statement. There are some other cases on the show. Colorado Councilwoman Sandy Tucker was asked to resign after posting a joke online with some racy language. An XBox video gamer complains about getting racist taunts while playing games online. The Dr. Phil show took a poll. 67% of replies supported free speech online, but 93% supported laws against cyber-bullying.

Furthermore, NBC Today reports that a federal grand jury in Los Angeles is investigating the possibility of prosecution for essentially wire fraud charges, "defrauding Myspace." But if this was done, what about the millions of other "fake" profiles on social networking sites. Many people set up pseudonyms to protect privacy and many people blog or even publish in print under pseudonyms. The ACLU has defended anonymous free speech vigorously. Is Myspace the "victim"? The MSNBC / Ap story is here. The story from the Los Angeles Times is "Report: Grand jury probes girl's Internet suicide: L.A. Times says issued a subpoena over case in Missouri."

I continued this discussion today on a new entry for Jan. 11, 2007 (look at that date in the blog).

Thursday, November 15, 2007

Microsoft promotes campaign to promote parental controls, safe use of XBox 360

Today Microsoft ran print ads in newspapers about its partnerships in promoting parental controls and responsible use of its products, especially its XBox 360 games and the new features in Vista. The relevant article is “Safety Is No Game. Is Your Family Set?” Campaign Kicks Off Second Year" here, with a Q&A by Robbie Bach. A related posting is this.

Of particular concern is limiting "screen time" since children need outdoor physical activity and because fast moving images are now considered harmful to children under the age of 2.

Voluntary parental controls are considered essential to ward off attempts at government censorship (such as COPA, discussed on a separate blog), and they go far beyond simplistic ideas like adult-id schemes proposed by COPA.

Thursday, November 01, 2007

Microsoft security download site -- is there an imitator out there?

These comments are relative to Windows XP Home and Pro. I don’t have Vista yet.

Often, the shield for Microsoft automatic updates times out at 0% when downloading. I then will go to the site. The site navigates to security (panel on right side) and then home (box in middle) and then Protect Your Computer. The site requires Internet Explorer 5.0 or higher and will not work with Mozilla.

Today, I tried a shortcut and got a different looking site that, when I placed the cursor on links, appeared to lead to other places. So I did not proceed. If someone is imitating Microsoft with a misspelling (it didn’t look like I misspelled), I am surprised that the McCafee site advisor didn’t catch it.

So I went back to the Microsoft home page, navigated (in IE 7.0) from one panel to the next, ran the computer scan and download and install and restarted the machine without any problems. Sometimes the automatic download has run, and the installs are done before logging off (before Windows will sign the machine off) – not a good thing if you have to go right to work.

I don’t know if someone is imitating Microsoft for fake downloads, but if someone knows, they may comment. (Please stay on topic; comments are moderated.)

If, as a visitor, you are Microsoft or McCafee, Cert, or another security company, you may want to look into this quickly, if there is a new threat

Friday, October 05, 2007

Non-profit has major security lapse: where was the Firewall?; health care info security

On Friday, October 5, 2007. Joe Stephens has an article in The Washington Post, business, p. D4, “Nature Conservancy Says Spyware Compromised Employee Data.” An employer in Human Resources in Arlington, VA reportedly visited a sports website on a work computer, which got infected with spyware, and soon the organization discovered that the personal information of over 14,000 persons was being exported.

What seems unclear is that the sports website itself was compromised (that wouldn’t normally happen), and why the organization’s security procedures and software (Firewall and virus scan) did not prevent the compromise. McAfee, for example, also offers a Site Advisor that might have caught this problem. Many other organizations have lost data because of poor physical security (missing laptops or disks); it needs to be explained in cases like this one why security software suites did not work properly. But companies and employers can be as vulnerable as individuals.

A much more positive story appears on p D1 of the same paper. Catherine Rampell has a story, “Your Health Data Plugged In to the Web: Microsoft Promises Privacy on New Portal.”

Microsoft (as well as Google and AOL) are working on projects (HealthVault from Microsoft; “Revolution Health” from Google down the road) to automate health care information, and allow patients and health care providers to maintain patient care information on secure websites. The main area where systems development and growth are needed seems to be secure automation of medical records feeds (as with XML). There a specific legal requirements from HIPAA (Health Insurance Portability and Accountability Act) that would have to be met. But the innovation could be important in controlling health care costs, and such a system could be as safe as the clumsier manual paper system.

Thursday, October 04, 2007

RIAA wins copyright lawsuit against Minnesota woman for P2P file-sharing

The Minneapolis Star Tribune reports tonight (Thurs. Oct 4, 2007) that a civil trial jury in Duluth found for the plaintiffs in a suit brought by the RIAA against a woman for illegally downloading and copying 24 songs. She was ordered to pay the six companies $9250 per song.

What is disturbing is that the woman, while admitting that she was a user on Kazaa and had used a particular screenname for P2P sharing, claimed that a hacker was impersonating by spoofing her during the downloads in question. So far, media reports don’t seem to support the technical likelihood that this really could have happened, but the idea that it could happen is frightening. In December a woman in Arizona was convicted of crimes apparently done by her kids on her home computer without her knowledge (this blog).

The Star Tribune story is by Larry Oakes and it is titled: Brainerd woman guilty in Internet music sharing: Duluth jury ordered Brainerd defendant to pay $222,000 for violating song copyrights. The link is here.
Wired News has a particularly detailed blog about this case here:

This appears to be one of the first major RIAA cases to go to trial rather than settlement upon complaint and demand.

Message board comments (on AOL) from musicians indicate that it is illegal to share tabs or transcriptions of copyrighted songs for specific instruments.

Monday, October 01, 2007

Washington Times offers insert on teen cyber safety

Today, Monday October 1, 2007, The Washington Times included a special insert on cybersecurity. The green cover reads “Celebrate Crime Prevention Month,” from NCPC, the National Crime Prevention Council. The cover also has the banner, “Delete Cyberbullying” which is viewed as a significant problem among middle and particularly high school students. “Don’t write it! Don’t forward it.” Words can really hurt.

The magazine insert goes over the usual advice on Internet safety for teens. One of the most common recommendations is that families keep home computers in a “public” area of the home. That certain sounds right until kids are mature enough. But once a high school kid is able to be trusted to work alone on his computer, he or she can certainly advance on academic work. Search engines can be a perfectly legitimate help in doing homework, especially when looking for more objective information in math and science. Public schools often duplicate a lot of lesson information in printed handouts in order to reduce the need for computer use for basic lessons.

The other big area is what kids post online. Students feel that the world is competitive, and social networking sites can add to the perception of social competition. Students may also want the limelight, when what they want to post may have no real public value. This is not to disparage the fact that some teens really have created legitimate, even revolutionary businesses on the web. Even so, innocuous information (such as home address, land telephone number, even school identification, names of parents and siblings, personal whereabouts) could jeopardize personal security or even that of family members or classmates. It seems that the “rule of thumb” is, if you want to be famous, you have to earn the right to be famous in a legitimate way. But that itself is pretty loaded.

It does seem to me that social networking companies, because they emphasize using the web for social and business interaction and contact (as a "Web 2.0" experience) rather just as a "publishing" too (as I conceived the Web in the late 1990s with the COPA litigation), have helped create an atmosphere where other people (and employers) take what is said on the Web in a conversational, rather than literary, context. That makes what teens post on the Web a more sensitive matter as to how it could affect their futures -- jobs, college or graduate school admissions.

Earlier (April 2007), I did a review of a book by Susan Lipkins on teen and school hazing here.

Monday, September 03, 2007

Monster incident raises questions about userid and password logon paradigm

The recent media reports about the information leak from (Monster’s own account of this is here:) again reminds us that large corporations have not been particularly successful in safeguarding client information. At many other companies, compromises have happened the old fashioned way, however, with loss of laptops or diskettes or CDs.

In this case, there is a lot of criticism that the conventional idea of user name and password is not and adequate paradigm for security client information. Nevertheless, the information leak appears to have resulted from passwords and such leaking from recruiters or other third parties, not by direct attacks on Monster. Some companies will start checking for logons from overseas, which can be an indication of password compromise. Others may become stricter with password changes and password cracker tests.

In theory, the same risk could exist any time a resume is sent to a headhunter, or any time an applicant uses a “headhunter’s” website to apply for consideration for a job. Headhunters now routinely advise jobseekers to leave social security numbers off of resumes. If the job hunter has a land address box from UPS or a similar company, he or she may want to use that as the contact address.

Of course, a practical question is how effective using job boards really is. In 2002, I started using them and basically got nowhere. What I found is that promising employment opportunities nearly always depend on a specific match to a specific requirement at a specific employer or situation that the job hunter finds our about through his or her own activities. The low-tech approach often works better. And, as we know especially now through all the media attention to employer’s gumshoeing on the Internet, it is not always prudent for a current employer to find out that one is “looking,”

There is a good story about this at MSNBC by Brian Bergstein, here.

Wednesday, August 08, 2007

Consumer Reports Sept 2007 has a major issue on Internet safety

The September 2007 issue of Consumer Reports is an excellent issue discussing Internet safety. It’s subtitle is “19 Ways to Protect Yourself Online.”

A couple of the major tips are to consider using Mac’s as they are less of a target, or consider upgrading to Vista, offered in January by Microsoft. I have an iMac bought in 2002 and it was not more stable than my Windows machines. I have yet to try Vista, since it is pretty new, but C.R. considers it considerably more immune to many security problems.

It also recommends using disposable email addresses when ordering online, and using at least two anti spyware programs. On AOL, I get some spam, but most of it is very easy to identify at sight (AOL traps about 80% of it, and does give some false positives, so I have to glance at the spam folder once in a while). Banks and financial institutions never ask customers to update information online. Another good piece of advice – when about to click on a hyperlink in an email (or an unfamiliar website) run the cursor over the hyperlink and make sure it matches. (Some sites now have “previews” in cursor mode, and I wonder if this creates an exposure.) It recommends several anti-virus suites.

It also notes that Microsoft MSN now uses Sender-ID to screen out email with spoofed sender-id’s, an idea I discussed on my main blog in January. That would include false Mailer Daemon bouncebacks. I wish AOL would do the same.

Update: Aug 11, 2007

Arise, a company that employs agents who work from home, recommends the following website to check your computer for spyware: Unwantedlinks.
If you go to this site (Windows XP and higher at least) environment, you will see a red "Spyware & Adware Test Scan" 2/3 the way down the page, to check your own computer for these.

Wednesday, August 01, 2007

"Legal" website images stir public anger in WA and CA

The news media, within the past week, has erupted with a number of stories about someone who is trying to test the legal limits of web speech and daring the authorities as well as vigilante justice to do anything about it.

A man has set up websites in which he shows pictures of children, clothed, and suggests where others can to see and scope them (in public areas) in order to enjoy mental fantasies about intimacy with minors. Apparently he does disclose some of his "fantasies" on the sites, and maintains that he has never carried out the desires. Is this an implied "threat" or "enticement" in the eyes of the law? It seems so in the eyes of the public. Why else would someone want to post such a thing? He seems to be daring law enforcement and parents to "do something" "because I can" -- a line I've heard in the movies.

The man was driven out of Seattle, by threats that may have included his family, and is reported to be living in a car or in various temporary places in LA. The website was shut down by his ISP but reportedly he found an offshore provider.

This does sound like a mind game. In a way, “information” about where to “see” minors is pretty meaningless. Any shopping mall, and park, and anything visited by the public, especially in warmer weather. However, when someone has images of specific children (without the consent of the parents of the children, which no sane parent would give) and posts them, admittedly specific children are being targeted. This sounds like crossing the line into violating enticement statutes in many states, maybe even federally.

Generally, one cannot use the image of another person for personal gain without permission. The best known application of this idea is the right of publicity, that applies to celebrities, but it would seem to “instantiate itself” if an ordinary person is made a public target for other crime.

Even so, law enforcement in Califonia insists there is little that can be done, although a specific parent whose child appears on a site could file a complaint. UCLA law professor Eugene Volokh calls the case "interesting" and Volokh has in the past written articles on the ambiguities of law applied to the Internet.

The main story was by Jennifer Steinhauer in The New York Times, link here (will require registration). The individual is Jack McClellan, 45, and one must caution search engine users that this is a common name and a search could pull up the wrong person.

ABC also carried the story on “Good Morning America” here Some of the ABC UGC message boards complained about the fact that some people like the subject have never been parents, another tried to make fun of the matter by writing a caricature of the site.

The tone of this CBS story from LA June 14, 2007 is certainly that of angry emotional panic, like in the film “Little Children.”

There is a lot of other angry reaction out there, of varied credibility. Here is a commentary from a blogger in Ohio. Here is another "goddess blog". One company Go Ronnie announces a child safety club.

One individual boasts that he registers domains in the names of self-proclaimed pedophiles in order to attack them. All of this vigilante action in the name of individuals who have not been convicted, let alone prosecuted or arrested, sounds legally risky; if anything is factually untrue, libel suits can result. Furthermore it would sound like bad faith according to ICANN rules to register a domain in someone else’s name in order to disparage the person. Perhaps a company or a person (not me!) would set up a "s.o. suspect" registry based on ownership of sites like this and try to sell it. If so, such a registry would have to be awfully careful about "the truth" (or could it hide behind "the Opinion Rule"?) We could wind up with a "privatized" vigilante witch-hunt mentality that makes the military's "don't ask don't tell" for gays seem tame in comparison.

It's important that many people see the legal and constitutionally mandated legal due process requirements an impediment to the safety of children. At least one state, Ohio, allows the state attorney general to force certain persons to register as sex offenders without prosecution in limited circumstances. It's possible that civil registration (without conviction) could eventually become a factor in keeping certain persons from using social networking sites or Internet accounts at all.

California and other states could consider passing narrowly tailored laws posting identifiable pictures of minors (even when fully clothed) without parental permission in conjunction with sexually explicit text content. All of this gets back to the murky area of "implicit content" that has a long way to evolve in Internet-related law.

It’s possible that the speaker, McClellan, thinks that he has a legitimate First Amendment motive here. Of course, he is free to advocate lowering of the legal age of consent in all states. But that doesn’t require the use of images. A deeper political message might have to do with some resentment of the “male role” as protector of women and children. That sounds closer to the mark, as he has managed to incite every possible form of mobspeak, even on the Internet. But it could explain his motives. He may well actually have no expectation or "intention" of carrying his fantasies out. What remains, thought, is the idea of "rebuttable presumption" known from the military gay ban and "don't ask don't tell" legal paradigm; sometimes speech, at least if gratuitous, indicates a propensity for future action, and you have to expect the parents to be very concerned.

There have been remarks that there is a federal law prohibiting posting certain weapons-related information on the Internet. I can't find such a specific statute (a "Hit Man law") myself although Electronic Frontier Foundation has notes about a lot of legislation proposed by CA Senator Feinstein in the 1990s. Here is a "Legal Theory Blog" with a reference to "crime-facilitating speech." Another relevant concept could be federal coercion and enticement laws regarding minors (USC 2422). Visitors may be able to comment on this question.

Update: Aug. 4, 2007

A story by Carla Hill of the Los Angeles Times, Aug. 4, 2007, link here,
(registration required), reports that a Superior Court Judge in Los Angeles, Melvin Sandvig, issued a temporary restraining order Aug. 3 prohibiting McClellan to be present within 30 feet of any person under 18 anywhere in California, effectively placing him under "civil house arrest." Some legal authorities questioned whether this is constitutional and disregards due process, but others call it a civil harassment restraining order. McClellan was given the papers by a process server at the LA Airport as he was preparing to leave.

The restraining order was sought by attorneys Anthony Zinnati and Richard Patterson.

The order could set a dangerous precedent regarding other speech on the web, where people give hint publicly to their "tastes." Indirectly this was dealt with in the COPA trial. However, McClellan was also taking pictures of minors in public places (and posting them on the Internet) without their parents' consent, and this sounds like a much narrower form of conduct to object to.

Newsweek has a major story by Andrew Murr on Aug. 3, 2007, with a detailed discussion of the First Amendment and law enforcement perspectives, with a disturbing public opinion poll, here.

Update: Aug. 14, 2007

He was arrested near a day care center at UCLA for violating the restraining order by campus police; AP-CNN story

Update: Aug 15, 2007

A site proposing a new law to makes sites like his illegal is April's Law. It has a petition. There would be constitutional issues if it inhibited normal political arguments for lowering age of consent.

Here's another discussion at "Scared Monkeys" (rather like "Twelve Monkeys" the movie): link.

CNN has a story and video about his not-guilty plea. He appears in the video. Link.

On Thursday Aug 22 the AP and AOL (Greg Risling is the writer) reported that McClellan had been set free and that prosecutors determined that the judge had to give him a hearing to give him proper notice and follow due process of law. This sounds like a due process case here.

On Aug. 27, The New York Times, on page A13 print, ran an AP story to the effect that the individual would move to an unspecified state and that he had done the postings for self "therapy", not to announce any real intentions.

Related blog posting here.

Monday, July 16, 2007

NBC Today Show says kids on Internet responsible for wrongdoing of others with their profiles

On the NBC Today Show (Monday July 16 2007), Internet safety expert Ruth Peters discussed the dangers to high school and college students and their families from personal profiles (especially photos) even for whitelisted sites that are supposed to be restricted in who can view them. (That’s automatically true with Facebook). As in the Miss New Jersey case, persons sometimes acquire material and post it anyway in other profiles, or even make up fake profiles.

Ms Peters suggested that parents supervise their kids’ sites and insist on knowing passwords. (She assumes that the parent pays for Internet access, but that may not always be true.) One point that she stressed is that other family members and home security could be compromised this way, and that the teenager will be held responsible for what is on his site even if other post harmful materials on it or hack into it. This gets into the anti-libertarian idea of being held responsible for the actions of others that is a bit of a rub. (When am I to be my brother's keeper? Always, say the Gospels!) But it also comes out of the “amateur” nature of user-generated content on the Internet.

Internet companies start offering visitors website safety and search engine screening

On earlier postings (especially a recent book review [on my book review blog as on my Profile] at the end of June) I’ve talked a bit about more recent concerns over “amateurism” on the Internet with user-generated content and personal blogs and personally owned sites. Recently the “free market” of Internet companies has started offering website evaluation for visitors.

McAfee, for example, offers SiteAdvisor, (and a Plus version that one can pay extra for), which grades search engine results and also sites when they are brought up, as green, yellow or red, like a traffic light. Depending on one’s settings, yellow and red sites are blocked until overridden. The criteria include email signups and reports of excessive automated emails, downloads (presumably of applications), online affiliations (links to other sites), annoyances, and user comments. Many sites have not been tested and remain “gray”. Some sites, especially blogger sites, have testing start and remain unfinished for a long time (that is true of this blog) and that does not seem to mean that anything is wrong. Possibly McAfee is determining how to report online affiliations entered by users in comments, an issue that would raise questions about fair scoring.

At least one major corporate site, television station WLJA (7), affiliated with ABC, in Washington DC (actually Arlington VA) got a yellow for sending more than 15 emails a week. This is easy to override but it seems a bit overreaching. I do not receive excessive emails from WJLA even though I signed up, and I look at the site all the time with absolutely no problems. So there could be factual issues.

It appears that McAfee ratings apply to whole domains, not to individual files.

More recently, after watching David Boaz and Nick Gillespie discuss libertarianism on NBC’s McLaughlin Group, I tried Google for the show and got, for, in the search engines results, “This site may harm your computer.” This warning would appear to apply to the whole site, not just one file. I looked at the links and found a connection with, although Google says it uses its own criteria, too. Both sites give procedures for webmasters to contest the appearance of this message. I did not override the result and visit McLaughlin Group’s own site (it has another site on CNBC that does not get the message), but I believe it is quite likely that this warning for them could be a “false positive” (due to some harmless but misinterpreted script somewhere, maybe on one insignificant file) and is likely to disappear soon when the McLaughlin Group contests it.

Note: I do see that this McLaughlin problem could be from an involuntary redirection to Wikipedia.

Stopbadware gives this link defining badware.

The site also says, “StopBadware does not independently test or review the sites provided by trusted third parties unless there is a request for review; rather, StopBadware merely hosts the lists of badware websites provided by third parties.” Link: Here is their FAQ page:

The “Manifesto” blog here is interesting and talks about the Anti-Spyware Coalition.

The organization also claims that innocent website owners sometimes get hacked because of inadequate security at some ISPs. The page with security tips is this: One danger is a so-called “injection attack” with “invisible iframes” and “obfuscated code.” Even so, most larger corporate ISPs can probably provide better security (to subscriber webmasters, even individuals) through shared hosting and dedicated hosting services than can novice users running their own servers, but very skilled professionals (those well versed in scripting languages and security) may want to do this on their own. This, again, is a disturbing reminder of the “amateur” question.

Two files on one of my sites was hacked in 2002, one of them an essay on WMD’s. It was determined (by a fellow "libertarian" expert) that a Unix Site command had probably left open at the ISP. The correct files were easily recovered and the incident did not recur. (The corrupted files were sent to law enforcement but I never heard anything, of course.)

Update: July 19

WJLA now tests green with McAfee Site Advisor. However, the cache still blocks it until I unblock; this seems to be an issue with how McAfee talks to Mozilla.

However today (July 25) I found another site that McAfee rates as red (for sending viral emails) on searches and access, but gives green if one requests a report.

Monday, July 09, 2007

Miss New Jersey a victim of a dangerous Internet prank

John Springer has a story on the NBC Today show and MSNBC regarding the private photos of Miss New Jersey, Amy Polumbo. She posted some pictures on a “whitelisted” site that only people with passwords could access. She did not post them on a public site accessible to search engines or the public. Apparently, someone obtained the photos by hacking and then tried to use them for blackmail. The photos apparently do not contain anything illegal or violating her contract, but she fears that someone could doctor the photos. State and national pageant winners are held to very strict publicity and moral turpitude clauses (including appearing in the nude), that can be easily undermined by others.

The correct link is here. (There is a bad hyperlink on the Today site today; one of the links takes the visitor to the incorrect story, about Atlantic City.)

Generally, schools and universities have encouraged students to consider posting pictures and personal information only on private servers, not open to the general public, as a way of protecting personal and familial privacy and personal information. Some of these concerns have been also motivated by recent trends among employers to troll social networking sites for undesirable information about job applicants.

(Later information is that her title will not be taken away.)

Apparently the current Miss America (Lauren Nelson) assisted NBC Dateline with a well-publicized sting in New York (on Long Island) attracting internet predators.

Update: July 25, 2007

On July 24, 2007 Miss America (Lauren)told Congress that education in legal and safety issues in Internet use (provided by public schools) should be mandatory before minors can go online.

Update: Aug 26, 2007; Teacher apparently defamed by video on Net

In a somewhat similar situation, ABC News posted a story "Teacher's Nightmare: Ogling Video on You Tube: Internet Videos such as 'Hot for Teacher' Clip Raise Privacy Concerns," here.
The inappropriate video of a female teacher was shown at a fifth grade graduation ceremony in Charlotte, NC. It got posted on YouTube, which removed it for copyright infringement upon notice from the teacher. The story indicates that the law on this is still hazy. However, in December, Dr. Phil had reported about a teacher about whom some kids made a fake profile on Myspace (see my "issues" blog Dec 6).

Friday, July 06, 2007

False identities off Internet used to procure equipment in Britain

Today, Friday, July 6, 2007, Brian Krebs has an important story in The Washington Post, the top of page D01, on how accomplices in the recent string of incidents in Britain bought illegal supplies with stolen identities. The story is here.

The article discusses a woman in New Jersey was fooled by a phishing email asking her to update her EBay information. That information was used to purchase supplies under her identity. (Note: I don’t repeat the names of targeted people here, since spiders would pick them up; although the names are still going to picked up from the media sites by search engines.) This could have happened with any financial site, or a social networking site. I note humorously that the plot of the recent hit film “Transformers” is driven by the fact that the EBay page of a teenage boy captures the attention of the bad guys out in outer space (I guess the speed of light is no limit to the reach if the Internet now). The article goes on to discuss (in graphic detail) the way the bad guys use “free speech” to post jihadist propaganda and instructions on the Internet.

One concern, expressed by earlier postings on this blog, is whether anyone has liability if he or she fails to practice proper computer security and as a result others are harmed. There have been prosecutions based on stolen identities, but these prosecutions have not been legally justifiable once the facts are shown – still the experience is horrifying and can cost thousands in defense fees. With some offenses becoming “strict liability” offenses, I wonder what would happen if someone’s computer were hijacked if they didn’t practice proper security.

There are similar stories on page A1 of the July 6, 2007 Washington Times, by Ben McConville (AP) and Audrey Hudson (WT staff). The stories point out that British law on incitement through the Internet may be tougher than US federal and state laws,

Brian Krebs does have a “Security Fix” blog at The Washington Post at this URL:

Remember, newspaper stories often require registration and sometimes require credit card purchase.

Visit my relate blog on consumer identity protection.

Tuesday, July 03, 2007

CERT has a good forensics page

Home and small business users may want to take the time to explore the Forensics link at the CERT website of Carnegie Melon University in Pittsburgh. The link is

One of the major forensic tools is called “Live View” which uses visualization technology to look a disk images on physical drives. Live View has a Limited Edition version available only to law enforcement agencies. There is much discussion of the “Virtual Machine” which is a concept that IBM uses in the mainframe world to describe a facility to switch among different operating systems (but in the 1980s it was used as kind of operating system itself, making a 4300 style mainframe behave like a DOS PC from the point of view of the user).

There are two large PDF files on basic and advanced forensics, and these have a lot of discussion of the technical details of file systems on hard drives in various operating systems. These PDF files are set up in such a manner that they cannot be saved as such on the user’s computer, only as text files.

Forensics is an important topic, because it is critical in preventing individuals from being framed for crimes committed by hackers, certainly a John Grisham novel like concern that could become more common in real life. Some more detailed technical knowledge can help the user become more prudent in his or her own best practices.

Hardware forensics would become important in a situation where a person's computer had actually been used (tracked by IP address) in order to prove that the computer had previously been "hacked."

Monday, June 18, 2007

BBC story on FBI "recall" of infected home computers

BBC News (from the British Broadcasting Company) is planning to contact up to one million home or small business personal computer owners whose computers have been hijacked and turned into “zombies” for sending spam, or possibly for participating in denial of service attacks against visible controversial targets, or as conduits for steganography. The exercise is called “Operation Bot Roast.”

One high profile spammer, Robert Alan Soloway, has been arrested during this investigation and could face 65 years in prison.

Among the labs that can scan the Internet to look for infected “botnet” machines are F Secure, Trend Micro, and Kaspersky Labs.

McAfee has recently offered its subscribers a Site Advisor service, where it scams sites for known problems that could compromise a home computer’s security or lead to unwanted emails.

Some problems that sites have, however, come from legitimate software bugs and not malware. For example, for a while Microsoft Word (the 2002 version) would sometimes insert or propagate extraneous and erroneous links into webpages that it converted to HTML, because of a bug in the way its XSL translator applied the span keyword. The resulting page would appear to misdirect users when clicking on links (that could appear hidden under text not intended to be linked), which normally a sign of a malware website. Microsoft now only supports later versions of Word.

An infected machine, when traced, will show that an inappropriate modem really was sent from the IP address associated with the machine, which is not the case when the sender-id in an email is spoofed.

As far as I know, so far owners of infected machines have not been prosecuted for violations of law that occur when their infections result from hackers, malware, visiting infected sites, or viruses. But it would seem logical that the possibility would exist, or that in the future prosecutors might want to treat certain things as strict liability offenses.

Parents have been prosecuted for illegal activity of their kids, and when a family computer can be used by unknown visitors to a house, there is a risk of additional security problems and conceivably erroneous arrests and prosecutions, since IP addresses can be traced. Similar concerns occur in the workplace. See the previous story on the apparently wrongful conviction of a substitute teacher.

The BBC story is here.
AOL featured the story today on its home page as a warning to home users that a knock on the door could come from the fibbies.

Thursday, June 07, 2007

Malware leads to conviction of substitute teacher

USA Today on June 7, 2007 reported that middle school teacher Julie Amero will get a new trial in Norwich, CT on a case where she had been convicted in January 2007 on endangering the welfare of students when, in October 2004, the computer in her classroom served up pornographic popups after several kids surfed to a site about hair styles. Journalists have discovered that the school system did not have effective firewalls or popup controls on their computers and were not blocking ineffective sites. Apparently the site in question was associated with spam and (from a school system point of view) socially objectionable products. "Security Fix: Brian Krebs on Computer Security" has a major blog analysis in The Washington Post, “Substitute Teacher Faces Jail Time over Spyware,” Jan. 25, 2007, here.

It is amazing to me that a teacher (regular or substitute) would be held responsible for web content delivered by malware because of lack of proper system security, that is relatively easy to install now (such as McAfee Site Advisor, discussed here). Furthermore, she was a substitute. I’m not sure of the situation in Connecticut, but in many states substitutes do not have to be licensed, and often take one-day short term assignments where they do not know the classroom well. This case points out a flaw in the way substitutes are hired and managed. The classroom management skills expected of substitutes have been a matter of controversy in many states. According to the story, other teachers did not come to the aid of the substitute, and short-term substitutes may not be perceived by kids as morally legitimate authority figures, and may not obey (like discontinue inappropriate surfing) when told. In practice, it is often very difficult to prevent kids from surfing to inappropriate sites, and school districts are well advised to block sites with strict filters (Fairfax County, VA, for instances, blocs MySpace, and many other sites considered to have content objectionable for a public school environment).

Even if acquitted on retrial (that sounds likely given more modern awareness of spyware and popups), the substitute may have enormous personal financial losses from this work experience. This is not good for substitute programs.

Monday, May 21, 2007

Advisory for travelers; MySpace under fire again

Multiple media reports have recently warned that travelers should be wary of logging on to personal financial, banking, or especially securities trading websites from hotel computers or computers in public places, which may have sometimes been bugged by thieves. Administrators of 401K and similar plans for federal employees and military servicemember have warned that money lost to thieves from web activity may not be recovered, as security for an account is the "strict liability" responsibility for the site owner.

People should make a habit of checking financial sites frequently, and, when on the road and not in a secure location, calling 800 numbers rather than using websites to check balances. This might be an issue for people whose jobs require them to travel frequently. Likewise, frequent travelers should consider subscribing to secure wireless services rather than using free unsecured wireless often available in motels.

In other developments, is cooperating with authorities to close down profiles of persons convicted of certain offense, although they are not yet able to identify sites registered with pseudonyms. In the future, it might even be possible that sites of suspects (as well as convicted offenders) or persons in certain civil situations could have sites pulled (as with a recent law in Ohio). The Associated Press story May 21 2007 by Margaret Lillard is here.

For a particularly troubling incident involving a misidentification by Myspace over a name similarity, see this story on ABC News May 24 by David Schoetz.

Update: May 22

There is a related story about McAfee SiteAvisor (and Plus) on my content labeling blog, here.

Sunday, April 08, 2007

Intellectual Property Law for the Kids -- time to teach it in public schools

The World Wide Web, in conjunction with search engines, all of this together with Peer-to-Peer computing, and especially newer incarnations like Web 2.0 or 3.0, are kind of a geekolator’s realization of the mystic idea of astral projection. One ‘s thoughts or images (maybe holographic, at least animated or video) may be transmitted almost anywhere on the planet (even Saudi Arabia and China, surprisingly often) at the speed of light. Maybe in a couple decades years, it will be fifteen minutes to Mars, or about an hour or so to a base on Europa or Titan.

That presents an unprecedented situation, the free entry situation, which, as we know from stories about social networking sites especially, is starting to worry employers and all other kinds of interests, including the notorious RIAA. Even when a blog or profile is “whitelisted”, the viral “friends” process pretty much can give something provocative a worldwide distribution.

People are publishing themselves with absolutely no training or education in the legal risks. I saw the Miramax film “The Hoax” last night, about the false autobiography of Howard Hughes by Clifford Irving, and saw what the tortuous, bean-counting and bureaucratic process of getting published was three decades ago, and how a “writer” was a real professional, unfortunately all too often a hack to transmit someone else’s message. The film did project a certain irony.

It has gotten to the point that public school systems really should provide education on the legal concepts, which especially include copyright and defamation, as well as security concerns. Schools already, by necessity, have a handle on plagiarism and academic integrity (and even proper attribution of sources has to be taught). But we’ve all heard the horror stories of suits by record companies against kids and their parents, and the concerns of employers about job applicants defaming themselves “for fun” or even for political protest (“dreamcatching”) on their blogs and profiles. We’re even hearing about people not getting jobs because of searchable defamation posted by others.

How would the curriculum be developed and when would it be taught? The most obvious place is probably English, starting no later than the tenth grade (ninth grade for honors, maybe even earlier). Social studies is the other place. Most schools teach world history in ninth or tenth grade, American history in eleventh, and government or civics in twelfth. Government class sounds like a logical place for more advanced instruction about copyright, defamation, privacy invasion, right of publicity, and even trade secrets, conflict of interest, and "implicit content". The other place is, of course, technology education (often taught at career centers or academies) but not all students take this. Some of these concepts are commonly taught in high school journalism (in conjunction with yearbook and the school paper), but not that many students take it.

American business – the software vendors and the media and music companies – should be proactive in helping to develop the curricula. It will be difficult for conventional textbooks to keep this kind of material current. Teachers themselves will need to be trained in the topics, which are sometimes quite tricky.

Sunday, March 18, 2007

Dateline NBC has Internet safety tips

Chris Hansen, anchor of the NBC Dateline Series "To Catch a Predator" concludes his book on the series (my blog entry here, date March 17) with a chapter giving reasonable online safety tips for parents.

The msnbc dateline link for the tips (or "Internet Safety Kit") is here. For the famed and controversial television series the link is here.

One of the more interesting tips is that he recommends that parents limit a given kid's activities on the computer to two hours a day. This should be enough time for socializing, looking up legitimate entertainment, and most of all for homework. He also recommends that the computer be located in a central area of the home and not in a kid's home. And he suggests a frank talk with kids about not giving out family information (address, land phone number, and even school attended) on social networking site profiles. There have also been recent concerns that, although facebook and more recently other social networking profiles (especially Myspace) can be whitelisted to a list of "friends" (and shut out of the search engines), these "friends" tend to reproduce private information so even whitelisted postings don't stay private.

The Internet, at least for a minor or someone not established into an adult career, should not be viewed as a "free entry" ticket to "fame" (like the name of the 1980 movie and song).

Of course, the Internet can be a tremendous asset in legitimate schoolwork, and teachers have a quandary in assigning work where it is needed. One solution is for teachers to use carefully structured lessons with the Internet in classrooms (rather than handouts) and try to set a good example for how to learn from the Internet at home.

Sunday, February 25, 2007

Be wary of the possibility of strict liability offenses

The last post (about the Arizona family and the teenager accused of criminal possession) reminds me that sometimes this situation might be viewed as a "strict liability offense", where the lack of evidence of intention or negligence might not be a sufficent legal defense. Sometimes certain acts or events incur "zero tolerance" strict liability because society considers the underlying risk so dangerous that it wants to compel people to play "brother's keeper."

Here, I wonder what the criminal liability could be when an unsolicited email is received, opened, and contains embedded HTML, images, or MIME that loads detectable illegal content onto the user's hard drive, detectable on warrant searches by police even if the user tries to delete the file (short of wiping out and rebuilding the hard drive). It is certainly a good idea to eyeball the subject lines of incoming emails and move suspicious emails to the spam folder (from the ISP) without opening them at all. It's a good idea to spam-classify emails with "no subject" (and I wish AOL and other ISP's wouldn't even permit accidental sending of emails with no subject).

One can even speculate about another theory, that a controversial user has "attracted" or "enticed" the sending of illegal content. Other than the Arizona case (previous post) I haven't heard of real prosecutions or civil suits based on this theory yet, but the possibility is chilling.

Credit card customers should also check their statements for charges that they do not recognize, and investigate and challenge unauthorized charges. People have been prosecuted for illegal possession based on credit card records, and presumably an imposter could make an illegal purchase on a stolen credit card number. Marketing companies have somehow been able to push "membership charges" onto many credit card bills by a process that escapes me, at least.

Update: 04/09/2007

Be sure to visit the sidebar by Adam Liptak, "Locking Up the Crucial Evidence and Crippling the Defense: A law meant to protect children rewrites the rules for the accused." The law is the Adam Walsh Child Protection and Safety Act. The Govtrack page (109th Congress, HR 4472) is here.

Saturday, February 03, 2007

Illegal downloads by kids can threaten families

ABC 20/20 has a particularly disturbing story from Jan 12, 2007, "Prison time for viewing porn: A teenage boy faces decades in prison for visiting sexually explicit websites, but was it really someone else." The story is at this link, and the facts are a bit ambiguous. The visitor is encouraged to read the ABC News story in detail, although the fact pattern is still a bit confusing. At 6 AM one morning in December 2006, police raided an Arizona family's home and confiscated the computer for illegal downloads that had been detected by Yahoo! and reported to law enforcement.

Now ISPs do have a legal obligation to report certain illegal activities, but we wonder why, if they can detect it, they don't block it. That's one question, and there may be a Catch 22 in the law.

The teenage boy was thought to have downloaded the material and faced 90 years in prison with consecutive counts. Eventually it was plea-bargained to a misdeamor with the intervention of a judge who showed some common sense.

There is still some concern on the part of the family that a hacker might have downloaded the material, using their account, and put it on their computer.

There is a disturbing legal uncertainty about all of this. Theoretically, a home computer owner is responsible for any illegal use of his computer, including hacker invasions, although actual prosecutions and lawsuits against "ordinary people" for downstream liability seem to be very rare. But this case could be an example. This obviously needs considerable attention from the legal community. The practical danger for most parents, however, is that kids will use computers for illegal purposes unbeknownst to parents, and parents are legally responsible for illegal behavior of their kids on the Internet (or behavior of other latchkey friends that their kids invite to use their home computer!).

The family has disconnected the home computer from the Internet. "Computers are not safe," the mother says, even though the boy has his life back. Yet, the boy will be at a disadvantage. Computers and high speed internet connections at home are important for school work, for gaining an edge in academic preparation for college and the workplace, with Internet uses that are entirely appropriate and involved academic content that is relatively non-controversial.

School, of course, is a somewhat sheltered world, not the full real world. But the real world has resources and information that are dangerous or misleading if improperly used.

Friday, January 26, 2007

Too many problems in the world?

I notice one comment from a reader some time back about focusing on the problems.

I've noted this elsewhere on my larger blogs. But to defend individual freedom, it's important to account for all of the problems that may occur. Many of them are subtle and unexpected, as we can see from all the recent controversy about social networking sites and employers. The law has not kept up with technology.

So I've tried to develop a technique for accounting for all of these issues and for "connecting the dots" -- drawing lines between them.