Sunday, January 27, 2008

One small step backward

This is post #51 - haha who would have thought I had so much crap to say. s.e
------------------------------------------------------
A topic that I have been writing about for some time has once again stuck its head up and flipped me off, so here we go again...

For quite a while I have been writing about the growing movement within government to develop the infrastructure and capability to monitor all in house network communications. Short version:

The classified joint directive, signed Jan. 8 and called the National Security Presidential Directive 54/Homeland Security Presidential Directive 23, has not been previously disclosed. Plans to expand the NSA's role in cyber-security were reported in the Baltimore Sun in September.

According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders. It will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget.

You are sick of hearing about this I realize, but there is a 'frog slowly boiling in a pot of water' activity going on and I feel the need to share my frustration over it as well as a little paranoia.

So it looks like the first half of the program has passed the directive stage and will in all likelihood be funded. Seems like this sort of project does not fall under the scrutiny that the rest of the office of science (for example) does. Guns before butter kids...

There are a few interesting things that come up in the article which I found fascinating. The initial read did not really provide a clear idea as to the state of domestic surveillance. This struck me as a little odd, so I re-read it and it became less opaque. Nonetheless they spend nearly a third of the word space talking about domestic non-governmental monitoring as if it had already passed. It did not, and perhaps I am reading too much into it.

But think about it this way. The NSA (and its proxy organizations and companies) are building out their already sizable infrastructure to do really large scale monitoring - as if they don't already. In addition they will build on the expertise to (hopefully) do real large scale correlation and analysis.

Correlation and analysis.

But we citizens are safe, yes? As this is just for governmental networks, where expectations of privacy are somewhat alien. Not so fast. They already have the infrastructure in place and are doing deep packet monitoring of US based traffic. This is a documented fact.

Feel better?

Then there is this weird attitude that somehow this is a simple problem to solve and that the most natural way to take care of the issue is to glom all the analysis together under one system.
Ed Giorgio, a former NSA analyst who is now a security consultant for ODNI, said, "If you're looking inside a DoD system and you see data flows going to China, that ought to set off a red flag. You don't need to scan the content to determine that."
and even weirder:

Under the initiative, the NSA, CIA and the FBI's Cyber Division will investigate intrusions by monitoring Internet activity and, in some cases, capturing data for analysis, sources said.

The Pentagon can plan attacks on adversaries' networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government. That could include responding to an attack against a private-sector network, such as the telecom industry's, sources said.

The first is breathtaking in its naive style of analysis. You right fucking need to look at what is going over the wire. Anybody who tells you otherwise is simply telling you a lie. This person is a consultant who is planning on getting blindingly stupid rich on this pig roast.

The second is a little creepy since they are talking about intentionally targeting civilian computational resources via official US military means. When that country or nation state defends itself by returning the favor, we have a reason for the infrastructure to be rolled over to the civilian side of the house.

This is exactly what has been suggested in the last post I did:
Spychief Mike McConnell is drafting a plan to protect America’s cyberspace that will raise privacy issues and make the current debate over surveillance law look like “a walk in the park,” McConnell tells The New Yorker in the issue set to hit newsstands Monday. “This is going to be a goat rope on the Hill. My prediction is that we’re going to screw around with this until something horrendous happens.”

Monday, January 21, 2008

cyber blah blah blah

I was reading slashdot the other day and ran across an interesting article. In it there was a discussion about the CIA admitting that 'cyberattacks' have caused at least one power outage that affected multiple cities.

This is, on the whole, an interesting bit of information - quite a bit more interesting when put in the context of what has been said. On Dec 28, I had a little discussion about the proposed NSA/DHS joint program which would be used to monitor internet traffic on US commercial links. The section relevant to the power outage is the following quote:
Policymakers have become increasingly alarmed at the vulnerability of trains, nuclear power plants, electrical grids and other key infrastructure systems, which rely on Internet-based controls that could be hijacked remotely to produce a catastrophic attack.
In another article from Forbes, we can get a little more information (sans details):

Cyber-security experts have long warned of the vulnerability of critical infrastructure like power, transportation and water systems to malicious hackers. Friday, those warnings quietly became a reality: Tom Donahue, a CIA official, revealed at the SANS security trade conference in New Orleans that hackers have penetrated power systems in several regions outside the U.S., and "in at least one case, caused a power outage affecting multiple cities."

What is quite hysterical is at the same time as this is playing out we have a fluff interview of Mike McConnell by the Wall Street Journal where he states:

Spychief Mike McConnell is drafting a plan to protect America’s cyberspace that will raise privacy issues and make the current debate over surveillance law look like “a walk in the park,” McConnell tells The New Yorker in the issue set to hit newsstands Monday. “This is going to be a goat rope on the Hill. My prediction is that we’re going to screw around with this until something horrendous happens.”

At issue, McConnell acknowledges, is that in order to accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse. Congressional aides tell The Journal that they, too, are also anticipating a fight over civil liberties that will rival the battles over the Foreign Intelligence Surveillance Act.

So, to set the stage we have a joint NSA/DHS program that expressly states that it is interested in monitoring both governmental and non-governmental internet traffic which has remained a non-discussed non-issue even to the chairman of the House Homeland Security Committee. This program is being driven by Mr. McConnell. A common argument for this program is that it will be used to secure sensitive and critical infrastructure against cyberattacks. Imagine my surprise when the CIA announces multiple city power outages based on computer attacks (and, errr, insiders - but we digress!).

Back to your regularly scheduled programs.

Saturday, January 19, 2008

inconvenient science

As a sad comment on the state of my life, the acronym HSPD-12 actually means something to me. As a sad comment on the state of the world, it means a great deal more to a bunch of folks working out at NASA JPL.

A good chunk of this brought to you by the Los Angeles Times opinion piece by Tim Rutten.

After 9/11, the Bush administration engaged in a great deal of Security Kabuki. A great many bad decisions were made which shunted giant piles of money into the hands of countless contractors and NGO's to do things that might be simultaneously nice examples of how not to do security as well as an endangerment of our basic freedoms and liberties. This is the usual corporate welfare that we all know and love.

One thing which transpired was the passing of HSPD-12 (Homeland Security Presidential Directive 12) which was supposed to standardize the badging process for all employees and contractors of the federal government. Boring. Or so you would think.

Most agencies (including the one that I work for) more or less ignored the directive, which made me quite happy since it looked like a real pain in the ass. Unfortunately NASA Administrator Michael Griffin directed Caltech (who holds the contract to run JPL for NASA) to make sure that all of its employees were in compliance. Such a word never bodes well for anything...

Forms 'SF85' and 'SF85P' were sent out. Not signing them meant terminating your employment. Signing them allowed:
  • That the release form on the SF85 or SF85P authorizes an investigator to obtain "any information" on you from schools, residences, employers, criminal establishments, and any other sources, and that the investigation is explicitly "not limited"?
  • That each of the neighbors, supervisors, and references you are required to provide will be sent a questionnaire asking about your "mental or emotional stability," "financial integrity," and "abuse of alcohol and/or drugs," among other things?
  • That SF85 remains in effect for two years, whether or not you stay at JPL? In other words, federal agents can use your SF85 release as permission to investigate you for two full years, even if you are no longer affiliated with a federal agency
  • That the new rules prevent JPL from issuing retiree badges?
  • That the official SF85 and SF85P forms describe the process as "voluntary," but that JPL will terminate your employment if you don't fill it out?
In addition:
Investigators wanted license to seek information as to whether "there is any reason to question [applicants'] honesty or trustworthiness." At one point, JPL's internal website posted an "issue characterization chart" -- since taken down -- that indicated the snoops would be looking for "patterns of irresponsible behavior as reflected in credit history ... sodomy ... incest ... abusive language ... unlawful assembly ... homosexuality." (We'll leave it to others to explain a standard that links incest with unlawful assembly.)
A copy of the "issue characterization chart" can be found here. This is some really sad shit. I could go on and on about how freaky it is that the right wingers are all control freaks obsessed about everybody else's sex lives, but I will not. I prefer to look at this as blackmail pure and simple. Why would I think such a thing?
Many at the lab believe that there's more than governmental overreaching at work here. They point out that Griffin is one of those who remain skeptical that human actions contribute to global warming, and that some of JPL's near-Earth science has played a critical role in establishing the empirical case to the contrary. They see the background checks as the first step toward establishing a system of intimidation that might be used to silence inconvenient science.
Inconvenient science. Really says it all.

Saturday, January 12, 2008

Semantic Attack

Now that I have disgorged that technological hairball in the form of the previous post, I can get on with the usual soap box hysteria and cranky ranting. I apologize in advance for the length of the quotes. We begin with the following:
In a 43-page opinion, Circuit Judge Karen Lecraft Henderson found that the Religious Freedom Restoration Act, a statute that applies by its terms to all “persons” did not apply to detainees at Guantánamo, effectively ruling that the detainees are not persons at all for purposes of U.S. law. The Court also dismissed the detainees’ claims under the Alien Tort Statute and the Geneva Conventions, finding defendants immune on the basis that “torture is a foreseeable consequence of the military’s detention of suspected enemy combatants.” Finally, the Court found that, even if torture and religious abuse were illegal, defendants were immune under the Constitution because they could not have reasonably known that detainees at Guantánamo had any constitutional rights.
Yeesh. This was a decision (Jan 11, 2008) from the District of Columbia circuit court regarding an action brought by four former British detainees in Guantanamo Bay against Donald Rumsfeld and senior military officers for ordering torture and religious abuse.

Think about what this is saying. For those of you endeared by bullet points:
  • Detainees are not persons according to US law.
  • Torture is an expected consequence of military detention, so the torturers should not be responsible for their actions.
  • Torture is not a criminal act unless the torturer is expected to know that the person is a US Citizen.
I have a great deal to say about this, including some legal goop about recent laws and tort actions against federal employees. From a purely emotional level I am disgusted. This sick, venal horrorshow needs to be dragged out into the sun and left to die. The Rule of Law that I am such a fan of has been perverted to such a degree that I am sometimes lost in a sea of minutia.

To flavor the following discussion, I provide a short (ha!) quote regarding US interrogation policy. This is from a larger post on the same subject.
"The C.I.A.’s interrogation program is remarkable for its mechanistic aura. 'It’s one of the most sophisticated, refined programs of torture ever,' an outside expert familiar with the protocol said. 'At every stage, there was a rigid attention to detail. Procedure was adhered to almost to the letter. There was top-down quality control, and such a set routine that you get to the point where you know what each detainee is going to say, because you’ve heard it before. It was almost automated. People were utterly dehumanized. People fell apart. It was the intentional and systematic infliction of great suffering masquerading as a legal process. It is just chilling.'"
Details, details, details. In comments on the original posting I ran across a very lucid description of why the tort was tossed out.
I don't like it either (look up tort first), but technically the decision is correct; the Federal Tort Claims Act clearly applies here so they had little choice. Same with foreigners not being persons as far as US constitutional rights are concerned, as this has been held so by US courts for quite some time.

For the uninitiated, the primary purpose of the FTCA is to shield government people from having to answer criminally for things they do; this is somewhat similar in purpose to the infamous "qualified immunity". Torts usually result in monetary compensation; prison time is highly unusual. The calculation here is this: if we think we will lose we will settle in tort proceedings to avoid harsher penalties, if not we will fight it out in courts. Fine by me, although some government transgressions are so serious prison time would be highly desirable if only for its presumed deterrent quality.

Ok. I am a detail oriented sort of person and I recognize that in the current legal environment what was done is technically based on fact and current case law. I have an honest question that I am having a little difficulty answering. For how long has a 'person' in the US been distinct (in a legal sense) from a regular human in the everyday sense? This is in the context of there being no congressionally declared war, so short term derailments of habeas from (say) the US Civil War do not count. Recently the wedge was driven in regarding 'illegal immigrants', the war on (some) drugs and now terrorism. What about pre-Reagan?

I am offended for two reasons. The first is that my vision of the Law is different than the vision being brought forth by the legal arguments being made specifically by the executive branch. It makes me angry when the nice rational universe that I have worked so hard to get along with starts saying things like:

Salmons did pledge that the Executive Branch will use care in deciding who is designated an “enemy combatant.” In response to one judge’s question about the President applying the tag to an activist from the People for the Ethical Treatment of Animals, Salmons joked, “the representative of PETA can sleep well at night.”

Nevertheless, Salmons argued that the judgment on who is deemed an “enemy combatant” is solely the discretion of President Bush. [NYT, Feb. 2, 2007]

These assholes can not be trusted to not crash the clown car, and I am supposed to trust them?? Is this what rule of law has become? It sickens me.

The second is more fundamental, and is really an extension to the first. It involves the idea that by redefining the legal meaning of a word like person, it is possible to sidestep any and all moral obligations that are inherent in the meaning of the original content. This is just sophomoric bullshit. Year after year we sit around and are talked down to again and again about Responsibility and Duty and Freedom and Sacrifice by whatever political party happens to be in charge. What is happening is just word play, but the end result is the continuing erosion of our political existence. A semantic attack on our freedoms.

A perfect example of this can be found during the following transaction:

The administration’s contempt for habeas corpus and other fundamental rights was reflected again in a strange colloquy between Attorney General Alberto Gonzales and Sen. Arlen Specter during a Senate Judiciary Committee hearing on Jan. 18.

Gonzales argued that the Constitution doesn’t explicitly bestow habeas corpus rights; that it merely says when the so-called Great Writ can be suspended.

“There is no expressed grant of habeas in the Constitution; there’s a prohibition against taking it away,” Gonzales said.

Gonzales’s remark left Specter, the committee’s ranking Republican, stammering.

“Wait a minute,” Specter interjected. “The Constitution says you can’t take it away except in case of rebellion or invasion. Doesn’t that mean you have the right of habeas corpus unless there’s a rebellion or invasion?”

Gonzales continued, “The Constitution doesn’t say every individual in the United States or citizen is hereby granted or assured the right of habeas corpus. It doesn’t say that. It simply says the right shall not be suspended” except in cases of rebellion or invasion.

The idea of habeas corpus pre-dates the writing of the Constitution by hundreds of years. To even suggest that this right is not built into the fabric betrays their contempt for the lifeblood of the democracy. The Constitution typically defines rights by describing negatives - by describing what the government can not do.

Enough of this. I need a drink.

Enjoy the following while you can:

No person shall be held to answer for any capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Wednesday, January 9, 2008

Got Meat? Thoughts on the FBI Carnavore System

Some months ago, I downloaded from the EFF the freedom of information mandated information relating to the DCS-3000 system. I spent a few days (evenings really) looking over the information and thought that I might provide my own insight into what I found.

For the record I have no access to any sort of inside or classified material. If I did, it would be illegal and against my own code of ethics to write about it - anything here can be found out on the internets. I do have some familiarity with the style of paperwork which composes many of the most interesting parts of the information. NIST based Site Security Plans are excruciating to do under any conditions, so my condolences to those people who had to put together that package...

The most up to date run down of the design and operation of the DCS-3000 seems to be a Wired article from August 29, 2007. Besides that, the original documents (and a good many more interesting things!) can be found here. This entry is meant to augment the already published information rather than replace it, since they did such a nice job of describing the other details of the system.

Overall Design
The overall design of the system is actually a number of different systems which fulfill many different functions and suggest that the overall mission of the system has grown somewhat organically. Exercising my somewhat anemic graphic arts skills, I have put together a diagram of what I suspect things look like. This is a composite of various hints, diagrams and information from the various pdf files available. Please be kind as I have limited graphics skills... In addition to the boxes shown, there are also connections to the internal FBI network, storage components and the usual collection of infrastructure components.

One of the most interesting things I discovered is in the MultiVANGuard section, so if you are skimming take a look there.

A few details and notes follow - first some notes on each of the hardware and software components, then thoughts on the general security architecture provided in the system.

DCS-3000
This seems to be the general control system for interacting with the telco switches as well as the main interactive gateway to the other systems(?). The two basic classes of wiretapping are Call Data Channel (CDC) which is more of a pen-register style, recording call metadata. The second is Call Content Channel (CCC) which records both call metadata and content.

Logins happen into this system as well as the others through a set of IDs which are (at a minimum) DCSAdmin and ERFAdmin.

The following applications are described in the site security document:

Client: Users Guide 070207_dcs03.pdf
The DCS Client application is configured to collect data for Court-approved surveillance operations. The Client receives call related data from the DCS Server or MultiServer and packages it into target data files that are saved, forwarded, or printed. At times, the Client is used to reformat and export call related data for use in external databases. The Client cannot record call content. However, installing a Recorder Control Interface (RCI) card allows the Client to control standard recording devices, which record such audio.

Server: Users Guide 070207_dcs04.pdf
Breakdown of options described in the server section of the user documentation, and a few notes where it might be interesting. The server is designed to operate on a single recording event.
  • Using the DCS Server
  • Working in the Server Window
  • Configuring the Server
  • Configuring the Client
  • Configuring the VSELP Decoder
From Wikipedia:
Vector Sum Excited Linear Prediction (VSELP) is a speech coding method used in the IS-54 standard. This codec was used in early TDMA cell phones in the United States. It was also used in the first version of RealAudio for audio over the Internet. The IS-54 VSELP standard was published by the Telecommunications Industry Association in 1989.
  • Establishing a Connection
  • Monitoring Activity
  • Storing Target Data Files
  • Shutting Down the DCS Server
MultiServer
See above and below for details.

VANGuard
See below. 'MultiFOO' is just 'FOO' that is designed for multiple source data instances.

MultiVANGuard
Notes on MultiVANGuard (this might be a red herring) from penlink.com, a company that specializes in communication interception and analysis. Regardless, this shows that the technology exists as of 03/02/2007 for Skype interception, which is interesting in and of itself.

A snippet from the page includes:
Updated ETSI 101 671, et al.  Add support for Ericsson specific ASN.1 messages.
Updated GISH by adding support for SMS messages containing commas.
Updated GIS Mapping for calls and cell tower records to add a button to allow user to toggle transparency of cell tower sectors.
* Phone Company Autoload : Added Skype.
* Phone Company Autoload : Added Snake River PCS.
* Phone Company Autoload : Removed both Sprint Spectrum options.

* Phone Company Autoload : Removed VoiceBox (delimited) [old format, no column indicators].
* Phone Company Autoload : Updated Alltel Tolls.
* Phone Company Autoload : Updated Bell South CSV.
* Phone Company Autoload : Updated Bell South Trap and Trace.

* Phone Company Autoload : Updated Centennial Wireless.
* Phone Company Autoload : Updated Cricket CSV.
* Phone Company Autoload : Updated Dobson Communications.
* Phone Company Autoload : Updated Generic Multi-format [Windstream text format, Alltel PDF, Edge Wireless, Cingular PDF].

* Phone Company Autoload : Updated MCI Business Gold.
* Phone Company Autoload : Updated Nextel CSV.
* Phone Company Autoload : Updated Qwest CSV.
* Phone Company Autoload : Updated SBC Trap File.

* Phone Company Autoload : Updated T-Mobile Prepaid.
* Phone Company Autoload : Updated TeleSur [Suriname Telco].
* Phone Company Autoload : Updated Unicel.
* Phone Company Autoload : Updated Verizon Wireless.

* Phone Company Autoload : Updated VoiceBox Session Detail.
* Phone Company Autoload : Updated Vonage.
And so much more. I suspect that this represents more or less the cutting edge in current communication decoding technology. The whole list is quite interesting to look over.

DCS-5000
This is the system designed to handle FISA related activity, so it operates at a higher security level than the DCS-3000 which it is connected to. Naturally there is not all that much information on this system in the documentation. Reason suggests that there is not much in the way of technical differences between the software on the 5000 and the 3000, but really I have no idea. The main difference between the two systems' functions is the sensitivity of the information that is being looked at. The CI 100 has the interesting job of segregating the lower classified DCS-3000 from its higher classified neighbor while still allowing for information flow. More on it below.

DCS-6000
This system is used for Title III style, full content (i.e., CCC) type wiretap orders. Like the DCS-5000, the same data that can be accessed from the DCS-3000 can be accessed from the DCS-6000 as well.

Pix Firewall
Since the DCS-3000 and DCS-6000 exist at the same security clearance level, there is no need for anything more complicated than a classical firewall to be placed between them. I suspect a more detailed reading of the SSP for the 3000 system will yield a listing of Windows based services which are required, but that is not what I am looking for here.

CI 100 (link to base document)
This system is designed to be an information level firewall which sits between the higher security DCS-5000 and the less paranoid 3000. There is a whole chapter in the users guide on this pair of (Windows based) Dell servers.

From p.20:
The CI-100 acts as a controlled interface security device connecting an unclassified system (Low side) with a confidential or secret system (i.e., High side). The connection between the two security domains is accomplished by a "one-way transfer" (OWT) through the use of a modified RS-232 serial cable or fiber optic cable. The modified cable permits information to travel from the low side to the high side and eliminates the possibility of the high system from passing data to the low. This is accomplished by converting the data packets from TCP/IP to serial or UDP, both connectionless protocols. The data is pushed from the low side and across the OWT cable to the high system. Once on the classified system, the information is converted back to TCP/IP and sent out to the classified network.
There is quite a bit more, but the system is just a firewall for information running on a windows box. Really quite cool...
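The one-way transfer described above has a consequence the document glosses over: with the return path physically removed, the high side can never acknowledge or request a retransmission, so TCP cannot be used across the cable and the low side has to make each record self-verifying and self-identifying. The following is an added example, not code from the CI-100 documentation or from the FBI's system, that shows the usual way this is handled: each record is wrapped in a frame carrying a sequence number and a CRC, the sender emits every frame more than once because nothing will ever tell it that a copy was lost, and the receiver drops duplicates, rejects corrupt frames and logs any gap in the sequence instead of asking for the missing record. The diode itself is simulated as an in-memory list (so the example runs offline), the frame layout, the `OWT1` magic value and the sample call-data records are all constructed for this example.

```python
import struct
import zlib

# Frame layout (constructed for this example): magic, sequence number,
# payload length, CRC32 of payload, then the payload bytes.
MAGIC = b"OWT1"
HEADER = struct.Struct("!4sIHI")


def build_frame(seq: int, payload: bytes) -> bytes:
    """Low-side framing: make the record verifiable without a back-channel."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HEADER.pack(MAGIC, seq, len(payload), crc) + payload


def parse_frame(frame: bytes):
    """High-side parsing: return (seq, payload) or None if the frame is bad."""
    if len(frame) < HEADER.size:
        return None
    magic, seq, length, crc = HEADER.unpack_from(frame)
    if magic != MAGIC:
        return None
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length or (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
        return None  # truncated or corrupted in transit; nobody can ask for a resend
    return seq, payload


class LowSideSender:
    """Unclassified side: pushes frames into the one-way channel, never reads it."""

    def __init__(self, channel: list, redundancy: int = 2):
        self.channel = channel
        self.seq = 0
        self.redundancy = redundancy

    def send(self, payload: bytes) -> None:
        frame = build_frame(self.seq, payload)
        # No ACK will ever come back, so send each frame more than once.
        for _ in range(self.redundancy):
            self.channel.append(frame)
        self.seq += 1


class HighSideReceiver:
    """Classified side: accepts frames in order, drops duplicates, records gaps."""

    def __init__(self):
        self.next_seq = 0
        self.records = []   # accepted payloads, in order
        self.gaps = []      # (first_missing, last_missing) ranges
        self.rejected = 0   # frames that failed magic/length/CRC checks

    def receive(self, frame: bytes) -> None:
        parsed = parse_frame(frame)
        if parsed is None:
            self.rejected += 1
            return
        seq, payload = parsed
        if seq < self.next_seq:
            return  # redundant copy of something already accepted
        if seq > self.next_seq:
            # A serial link preserves order, so a jump means every copy was lost.
            self.gaps.append((self.next_seq, seq - 1))
        self.records.append(payload)
        self.next_seq = seq + 1


def run_demo() -> HighSideReceiver:
    """Push four constructed call-data records across a lossy, noisy diode."""
    channel = []  # stands in for the modified serial/fiber cable
    sender = LowSideSender(channel)
    records = [  # constructed sample records, not real pen-register output
        b"CDC,2008-01-09T10:00:00,orig=5550100,dest=5550200",
        b"CDC,2008-01-09T10:00:07,orig=5550300,dest=5550400",
        b"CDC,2008-01-09T10:00:12,orig=5550500,dest=5550600",
        b"CDC,2008-01-09T10:00:30,orig=5550700,dest=5550800",
    ]
    for record in records:
        sender.send(record)
    # Simulate the link losing both copies of record 2 (frames 4 and 5).
    delivered = channel[:4] + channel[6:]
    # Simulate line noise flipping a byte in the first copy of record 3.
    damaged = bytearray(delivered[4])
    damaged[-1] ^= 0xFF
    delivered[4] = bytes(damaged)
    receiver = HighSideReceiver()
    for frame in delivered:
        receiver.receive(frame)
    return receiver


if __name__ == "__main__":
    rx = run_demo()
    print("accepted:", len(rx.records), "gaps:", rx.gaps, "rejected:", rx.rejected)
```

The receiver ends up with three records, one logged gap covering sequence number 2, and one rejected frame; the second copy of record 3 is what saves that record. On a real diode the gap log is the only evidence the high side will ever have that data went missing, which is why the audit side of such a system matters as much as the cable.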

Cisco 2610
This system is referenced in the training manual, and I suspect just used for general interaction with the other, non-DOJ telco equipment. Any details were redacted.

JSI-3084 (link to base document)
This is an interesting bit of equipment. Since all the useful diagrams are blocked out, I had to infer the existence of this system from the system security architecture diagram, figure 3 attachment B in the April 28, 2006 Site Security Plan for the DCS 3000 where it is listed as a separate accreditation device.

Not really sure exactly what this system does, but it may be a legacy pen register device (but that is just a guess based on a table of system descriptions).

Notes:
The most surprising thing was the presence of two system level accounts without any strong password controls. Based on a description of running services, there may be Kerberos available which would be quite useful for user level authentication (with the usual access control attached to each account).

Access to the account information is assigned on a "need to know" basis, which is always a little suspicious. There is no way to confirm that any of the passwords are different. There were other interesting things in the POEMS (basically a list of things that the auditing agency found wrong which need to get fixed). There were quite a few scary things like portable drives being plugged in and no anti-virus software installed.

That's it - there are hundreds of pages which can probably yield even more interesting results, but I really don't have the time. If anybody actually reads this and wants to know more, please leave a comment and I can add whatever you would like to see.

Saturday, January 5, 2008

10% hypocrisy

I started out with a little rant about the proliferation of international legislation relating to computer hacking tools. The most recent addition are new guidelines relating to the creation and distribution of hacking-tools. The key issue here is summarized in the following article:
Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about "dual-use" tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that's subsequently abused by hackers.
More details about amendments can be found here as well.

These guidelines join new language put into the German computer crime laws. In an article discussing the two laws:
This hope was important because earlier this year the German Government had introduced similar language into Section 202c StGB of the computer crime laws, which would have made the mere possession of (creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to) tools like John, Kismet, KisMAC, Nessus, nmap, and the ability to Google effectively a crime.
The fallout from this is that a number of security related research and development groups have moved out of the country or closed up shop entirely. In an interesting quote (see previous link) from Stefan Esser (a PHP security activist):

"The law does not affect our freedom of speech to report and inform about security vulnerabilities and how to exploit them.

We are just not allowed to create/distribute/use software that could be used as "hacking tools". "

My feelings about this are quite mixed - it seems like the overall notion of free speech and expression is being curtailed. The most significant issue with this is not that there will be some large scale crackdown on security researchers of all types. Rather, this places a powerful tool in the hands of law enforcement with regard to generating probable cause for wiretapping. This is most interesting in the context of international treaty.

There are a number of other nations who have enacted or are looking to enact similar legislation including the US. I have blathered endlessly about the tedious chipping away of civil liberties in this country so this will be (mercifully) skipped. An interesting fact is the US has a treaty with the Council of Europe with regard to cybercrime issues. The EFF has a nice paragraph on it:
The treaty requires that the U.S. government help enforce
other countries' "cybercrime" laws -- even if the act being
prosecuted is not illegal in the United States. Countries
that have laws limiting free speech on the Net could oblige
the FBI to uncover the identities of anonymous U.S. critics
or monitor their communications on behalf of foreign
governments. American ISPs would be obliged to obey other
jurisdictions' requests to log their users' behavior without
due process or compensation.
Have I managed to get across the point that there is an even greater legal apparatus in place than you probably ever imagined? Since most of my international experience seems to come out of Romania (a fascinating cybercrime region!) - a country which seems not to have entered into the agreement - I was unaware of this till today.

Notice that this entire effort seems to be geared toward the individual, or a small group of individuals. What if it is a corporation or (gasp!) a small nation state doing the attacking or creating/supplying the software? What if it is part of their regular business practice?

We might ask Sony about that one. I will not go on and on regarding what bullshit it is that if I lobbed a rootkit into thousands of windows boxes I would be prosecuted under a slew of (US) national and international laws. They got to say 'oops!' and pay out a bunch of money. Money is really not punishment.

Did our international corporate overlords learn much? Maybe enough to include a EULA in the process. Sears has introduced a new internet community. When you join, you get to install software on your system. Details include:
Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.
There is quite a bit more here which describes in some detail what exactly is going on. But my annoyance today is about the clear disparity between what a company like Sony or Sears can seem to do without regard to users' privacy. This is a rootkit, something illegal under law but not prosecuted as anything except a civil offense.

Must go, this is getting a little boring and I have dishes to do. Feh.