Archive for December 2010

Hacktivists Crowd-Source DDoS Attacks, Luring Thousands into Felonies

How is MasterCard like the Greensboro Woolworth’s? The diffuse Internet group Anonymous would have you believe they are very alike.

In the past week, distributed denial of service (DDoS) attacks have been launched against MasterCard, Visa, and PayPal in the wake of their refusing to service payments to the controversial site WikiLeaks. DDoS attacks rely on “botnets” of compromised computers to overload a server with phony requests, interrupting the server’s ability to process real requests.

Anonymous, a self-styled cyberactivist movement (sometimes called “hacktivists”) best known for launching cyberattacks on the Church of Scientology, took credit for the attacks. Anonymous also claims to have launched attacks against the Swedish Prosecution Authority and the Swiss Post Bank, as well as an attack on Amazon that it claims to have aborted. (It is more likely that the attack on Amazon simply failed.) These recent attacks, says Anonymous, are retaliation against groups that have helped to suppress WikiLeaks.

These attacks are unique, however, in that Anonymous apparently supplemented its own DDoS capabilities with volunteers. Anonymous encouraged ordinary Internet users to download a program called the Low Orbit Ion Cannon (LOIC), which launches a small-scale denial-of-service-like request from the user’s machine, and use it at the same time Anonymous launched its own attacks. LOIC is available for download on computers and on the iPhone, and is even available through a JavaScript applet online. LOIC’s simplicity and availability allow anyone, even without any specialized computer knowledge, to participate in a DDoS with only a few clicks of the mouse.

The use of LOIC is probably only symbolic. There is no reason to believe that more than a few thousand people have actually used LOIC to help Anonymous. DDoS attacks typically require tens of thousands of machines or more to successfully disrupt a large-scale commercial site. The brunt of these DDoS attacks is probably coming from Anonymous’s own botnets (which have executed attacks of this scale in the past), with LOIC serving as a PR tool to create the appearance of a mass movement.

LOIC itself is not illegal. It was developed as a stress-testing tool for network managers and has legitimate diagnostic uses. A DDoS attack, however, will usually violate the Computer Fraud and Abuse Act (CFAA) and could, for a first conviction, carry a sentence of up to ten years’ imprisonment. Similar statutes exist in other countries, most notably the UK’s Computer Misuse Act.

The CFAA criminalizes not only compromising a computer, but also attempts and conspiracies to engage in such behavior. Therefore, any user participating in a DDoS attack using LOIC is probably guilty of violating the CFAA, no matter how ineffectual his individual contribution to the attack. A LOIC-supported attack might subject thousands of people who don’t properly know what a DDoS is, and who believe they are simply making a statement, to felony charges under the CFAA.

Anonymous released an open letter on Thursday titled A Letter from Anonymous: Our Message, Intentions, and Potential Targets, comparing itself to the Greensboro Four:

“During the Civil Rights Movement in the 1960s, access to many businesses was blocked as a peaceful protest against segregation. . . We are using the LOIC to conduct distributed denial of service attacks against businesses that have aided in the censorship of any person. Our attacks do no damage to the computer hardware. We merely take up bandwidth and system resources like the seats at the Woolworth’s lunch counter.”

Anonymous’s appeal to history is seductive, but ultimately misleading. Civil disobedience – intentionally breaking the law as a form of protest – has a proud place in United States history, most notably during the Civil Rights protests. But Civil Rights protestors knew what they were doing and consciously decided to break the law. They volunteered to suffer the legal consequences of disobedience to serve as a symbol against systemic injustice. Many went willingly to jail to become the faces of equality.

The people using LOIC to help Anonymous are probably unaware that their actions are both felonious and easily traceable. Nowhere in its calls to action does Anonymous warn its supporters of the possible consequences.

Anonymous, unsurprisingly, refuses to identify its members. No member of Anonymous has ever volunteered to come forward. In public they wear Guy Fawkes masks and on the Internet they sign their posts “-Anonymous.” Rather than standing up in public to decry perceived injustice, Anonymous is putting unsuspecting citizens on the hook for its actions. Anonymous isn’t simply taking up seats at Woolworth’s; it’s approaching random Woolworth’s shoppers, asking “Hey, would you like to sit in on this protest?” and then running to hide in the bathroom when the police arrive.

It’s easy to mistake Anonymous for the good guys, but they’re wearing ski masks, not white hats. They are using the rhetoric of free speech to trick thousands into criminal behavior. Luckily, federal criminal law allows for accomplice liability. If Anonymous continues to hide its criminal behavior behind sympathetic citizens, federal prosecutors should be prepared to bring the full force of the CFAA – including accomplice liability for all the violations Anonymous induced others to commit using LOIC – against any members of Anonymous who are eventually identified and apprehended.

December 13th, 2010 at 5:39 pm

Posted in Commentary

Is Comcast violating the “Open Internet?”

Yesterday, Net Neutrality advocates were outraged at accusations leveled by Level 3 Communications Inc. against cable giant Comcast. Level 3 Communications Inc., a provider of fiber-based communications services that supports Netflix Inc.’s movie streaming service, issued the following statement criticizing Comcast Corporation’s new fees for the right to send data to its subscribers:

“On November 19, 2010, Comcast informed Level 3 that, for the first time, it will demand a recurring fee from Level 3 to transmit Internet online movies and other  content to Comcast’s customers who request such content. By taking this action, Comcast is effectively putting up a toll booth at the borders of its broadband Internet access network, enabling it to unilaterally decide how much to charge for content which competes with its own cable TV and Xfinity delivered content. This action by Comcast threatens the open Internet and is a clear abuse of the dominant control that Comcast exerts in broadband access markets as the nation’s largest cable provider.”

Comcast fired back, stating that such charges were necessary to keep up with the increase in congestion on its broadband network and in line with charges that it levies to Level 3’s competitors who deliver the same type of traffic to Comcast customers.

This is not the first time that Comcast has been accused of violating net neutrality and unduly regulating web traffic. In 2008, the FCC issued a finding that Comcast had illegally inhibited users of its high-speed Internet service by intentionally slowing and blocking transfers of BitTorrent files. At the time, the FCC stated that communications companies could not limit the manner in which customers use their networks unless there is a good reason. Earlier this year, however, the United States Court of Appeals for the District of Columbia Circuit ruled against the FCC, stating that the FCC lacked the authority to regulate the manner in which Comcast provided its internet service to consumers. While the FCC has not commented on the current complaint against Comcast, FCC chairman Julius Genachowski presented a plan today for broadband Internet service that forbids Internet service providers from blocking lawful content. However, this proposal would allow providers to charge consumers different rates for different levels of service. This seeming compromise met mixed reviews from net neutrality advocates who worry that the proposal doesn’t do enough to protect against telecommunication companies regulating Internet content.

What does this mean for the current debate between Level 3 and Comcast? Comcast will likely be able to impose usage-based prices, meaning it can charge customers higher prices for using data-heavy services, like streaming movies from Netflix. However, the broadband companies will not be able to hide content regulation behind usage and congestion arguments and will have to report to the FCC and demonstrate why such services warrant an exception to the general open internet principles espoused by the FCC. This interpretation depends on whether the FCC has the authority to regulate Internet service providers in this manner, a proposition that has been challenged by Congress and the courts in the past.

December 13th, 2010 at 5:34 pm

Posted in Commentary

International Telecommunications Union Holds Meeting, Little Changes

In October, the International Telecommunications Union held its Plenipotentiary Conference in Guadalajara, Mexico. The ITU, an international organization operating within the UN framework tasked with addressing telecommunications issues, used the plenipotentiary conference to elect its secretariat for the next four years and develop its policy initiatives. There were few surprises in the election process, with the majority of the previous office-holders being reelected to their positions. The voting process is oddly outdated, with old world diplomacy running up against the needs of such a technically focused organization.

One office winner at the plenipotentiary conference was Mr. Malcolm Johnson, re-elected to be head of the standardization group (ITU-T). This group has been responsible for issuing recommendations, which aim to unify telecommunications and software standards across the globe, ranging from ISDN standards to JPEG compression techniques. These recommendations carry considerable weight and have often been subsequently adopted as industry standards.

In determining these standards, ITU-T is supposed to consider intellectual property rights according to a prescribed process. At the same time, however, a debate rages as to what this process should ideally be. While wealthier nations are mostly satisfied with the status quo over international telecommunication issues, some worry about growing technological inequalities between countries of the global North and South. Should standardization groups consider the geopolitical dimension of intellectual property rights, and if so, with what weight?

With Mr. Johnson’s re-election, it seems as though the status quo will be preserved. The ITU’s re-elected Secretary-General, Hamadoun I. Touré, did focus on global access problems during his acceptance speech.  It will be interesting to see if the ITU shifts policy in the next four years.

December 1st, 2010 at 5:10 am

Posted in Commentary

FCC Investigating Google for Street View Data Collection

The Wall Street Journal reported that the Federal Communications Commission is investigating whether Google broke federal laws when its Street View service collected personal data over wireless networks.  Google has admitted that its street mapping cars picked up personal information from unencrypted residential wireless networks, including e-mail addresses and passwords, but claims the data collection was an inadvertent mistake.

The news of the FCC’s investigation comes only a few weeks after the Federal Trade Commission decided to close its investigation into the Street View data collection. The FTC ended its investigation after Google promised to improve its privacy practices and delete all collected data.

The FCC’s investigation started after the Electronic Privacy Information Center (EPIC), a public interest research center, filed a complaint urging the FCC to act.  EPIC argued that Google could be liable for violations of the federal Wiretap Act, the federal Communications Act, the Pen/Trap Act, and 18 U.S.C. §1030.  However, many have questioned whether the FCC has the authority to act under any of these statutes.

Meanwhile, other entities jumping in to try to hold Google accountable include legislators, numerous state Attorney General offices, and individuals filing class action suits.

The difficulties presented in trying to find Google liable for these privacy violations come as no surprise to those who have argued that the United States’ online privacy laws are outdated, unclear, and insufficient.  For example, a group of privacy advocates wrote a letter to the FTC this year arguing that U.S. online privacy laws are “in disarray” and have a “piecemeal” nature.  Perhaps more surprisingly, a group of privacy advocates (including the ACLU and EPIC) and industry leaders (including AOL and eBay) have joined together to urge Congress to update the Electronic Communications Privacy Act, which was passed in 1986 and, according to the group, “has not been significantly updated since.”  This high-profile investigation, and the difficulties in holding Google accountable, should encourage lawmakers to listen.

December 1st, 2010 at 5:09 am

Posted in Commentary

FDA approves clinical trial using human embryonic stem cells

In November 2010, the U.S. Food and Drug Administration (FDA) gave clearance for Advanced Cell Technology (ACT), based in Marlborough, Massachusetts, to commence Phase I/II clinical trials of a new therapy for Stargardt’s Macular Dystrophy, an incurable form of juvenile macular dystrophy that leads to blindness. Twelve patients will receive intraocular injections of healthy retinal cells derived from human embryonic stem cells (hESC). In animal studies, the therapy was effective in preventing further vision loss and restoring sight.

The ACT study is only the second clinical trial using hESC to gain approval. In January 2009, the FDA cleared Geron, based in Menlo Park, California, to begin Phase I trials using a hESC-based therapy to treat spinal cord injuries. Injecting oligodendrocyte progenitor cells derived from stem cells at the site of the injury was shown to stimulate nerve growth and significantly improve locomotion in an animal model.

While the use of stem cells in research remains controversial, the clinical studies will provide some clarity about the potential benefits of hESC-based therapies in humans. As William Caldwell, Chairman and CEO of ACT, remarked, “[w]ith the initiation of this clinical trial, and that of Geron’s earlier this fall, the field of regenerative medicine is poised to take embryonic stem cell therapies from the realm of nebulous potential to that of tangible and real treatments that will make a significant difference in the lives of millions of people worldwide. This is truly a ‘game changer’ for the medical community.”

December 1st, 2010 at 5:07 am

Posted in Commentary

Google a “Go” in Jury Selection

Worried about the current state of the legal market? Depressed about the paltry Cravath bonus scale for 2010? Terrified that your firm might be cutting back on some pricey perks? Or maybe you’re just concerned about high costs choking off access to the civil litigation system?

Well, you may be in luck.

Instead of forcing law firms to pony up $20 million for the world’s greatest jury consultant, litigators can now invade the private lives of potential jury members all on their own, for the price of a laptop computer.

During the jury selection stage of a recent medical malpractice trial in Morris County, New Jersey, plaintiff’s counsel whipped out a laptop computer and, using the courthouse’s free Wi-Fi service, began researching the potential jurors by running a Google search with each of their names. This led to an objection by defense counsel and the following exchange between the presiding judge and the rogue researcher (as recounted in the Court of Appeals opinion):

THE COURT: Are you Googling these [potential jurors]?

[PLAINTIFF’S COUNSEL]: Your Honor, there’s no code law that says I’m not allowed to do that. I — any courtroom –

THE COURT: Is that what you’re doing?

[PLAINTIFF’S COUNSEL]: I’m getting information on jurors — we’ve done it all the time, everyone does it. It’s not unusual. It’s not. There’s no rule, no case or any suggestion in any case that says . . .

THE COURT: No, no, here is the rule. The rule is it’s my courtroom and I control it.

[PLAINTIFF’S COUNSEL]: I understand.

THE COURT: I believe in a fair and even playing field. I believe that everyone should have an equal opportunity. Now, with that said there was no advance indication that you would be using it. The only reason you’re doing that is because we happen to have a [Wi-Fi] connection in this courtroom at this point which allows you to have wireless internet access.

[PLAINTIFF’S COUNSEL]: Correct, Judge.

THE COURT: And that is fine provided there was a notice. There is no notice. Therefore, you have an inherent advantage regarding the jury selection process, which I don’t particularly feel is appropriate. So, therefore, my ruling is close the laptop for the jury selection process. You want to — I can’t control what goes on outside of this courtroom, but I can control what goes on inside the courtroom.

After the jury returned a verdict for the defendant at trial, the plaintiff brought an appeal challenging, among other things, the trial court’s refusal to allow his attorney the opportunity to access the internet during voir dire. In a somewhat surprising opinion, the New Jersey Appellate Court found that the trial court had erred in precluding the plaintiff’s attorney from conducting internet research on the potential jury members. Though the Appellate Division recognized the broad discretion usually afforded to the trial court in determining the proper procedure for jury selection, it noted that the trial judge had cited no authority for his ban on internet usage, nor was the issue addressed in the court rules.

Instead, the Court of Appeals found that, as there was no suggestion that his laptop use was disruptive, the fact that plaintiff’s counsel “had the foresight to bring his laptop computer to court, and defense counsel did not, simply cannot serve as a basis for judicial intervention in the name of ‘fairness’ or maintaining ‘a level playing field.’ The ‘playing field’ was, in fact, already ‘level’ because internet access was open to both counsel, even if only one of them chose to utilize it.”

How’s that for recognizing the benefits of technology? Need to know whether Juror 11 has been using his daily blog to rail against the insurance company you represent? Or whether Juror 4 has been making any last-minute Twitter updates regarding his mistrust of the safety features on imported cars? Well, now you can access it all without ever leaving the comfort of your seat at counsel’s table.

Best of luck and happy Googling, counsellors!

December 1st, 2010 at 5:05 am

LimeWire Pirates: “You Can’t Keep a Good App Down.”

As mentioned in Robert Kolick’s post from November 3rd, LimeWire, once the most popular peer-to-peer file-sharing program on the ‘net, was ordered to shut down via an injunction issued by Judge Kimba Wood of the Southern District of New York.

Just a few weeks after LimeWire closed its doors, a new version, “LimeWire: Pirate Edition” surfaced online.  Developed by a purported “secret development team”, the new edition first appeared on a website created by a hacker who goes by the name MetaPirate.  LimeWire was able to obtain a court order requiring MetaPirate’s site to shut down, but the software continues to circulate via torrent networks.  The Pirate Edition presents a classic example of the “whac-a-mole” problem that plagues the content industry’s quest to stop internet piracy and online copyright infringement.

The new, unauthorized edition is being touted as an improved version of the former program. This pcworld.com article notes that the creators of the Pirate Edition removed all dependency on the LimeWire LLC servers, disabled remote settings, and activated features previously only available on LimeWire PRO (a version which, for a one-time charge, removed advertising and offered increased search and download capabilities, among other offerings).

The identities of MetaPirate and/or the Pirate Edition creators have not yet been revealed, but speculation pegs the release as the work of either a present or former LimeWire LLC employee. LimeWire has disclaimed any involvement, posting a notice on its website homepage that also asks that the pirates cease and desist any use of the company’s software, name, or trademark. In communication with tech news site Ars Technica, MetaPirate maintains that “the monkeys who created LimeWire Pirate Edition are not associated in any way with Lime Wire LLC.” The RIAA obtained authorization for discovery of MetaPirate’s identity, as well as a host of documentation from LimeWire about past and present employees, that it hopes will shed some light on who is behind the leak.

It is unclear how the release of the Pirate Edition, and the subsequent investigation into the party responsible, may play into the outcome of the impending trial for damages in the LimeWire case.  The company is, at present, cooperating and working diligently on its own to uncover the source of the bootlegged version, but if signs point to LimeWire’s involvement, it could mean bad news.

Note: The title of this blog post comes from MetaPirate’s tagline for LimeWire: Pirate Edition.

December 1st, 2010 at 5:01 am

U.S. Seizes Domain Names Linked to Counterfeit Goods and Copyright Infringement

On Black Friday, a day known to be one of the busiest shopping days of the year, the U.S. government seized the Web addresses of over 70 websites involved in alleged sales of counterfeit goods and copyright infringement. The Immigration and Customs Enforcement (ICE) division of the Department of Homeland Security seized the Web addresses, known as domain names, pursuant to a warrant authorized by civil forfeiture provisions 18 U.S.C. §§ 981 and 2323. Internet users attempting to visit the affected sites were redirected to a government-issued takedown notice.

Seized websites included a number of purveyors of counterfeit luxury goods, as well as torrent-finder.com, a BitTorrent search engine, and other file-sharing related sites. The takedown notice displayed on the seized websites specifically mentions copyright infringement and trafficking in counterfeit goods as targets of the action. This ICE action followed a similar round of seizures in June, which targeted websites involved in television and movie piracy.

Unlike the seizure of counterfeit goods in a brick-and-mortar store, seizing domain names curbs piracy in a more indirect manner. Every domain name, such as “nytimes.com,” is linked with a specific IP address. When an internet user enters a web address in a browser, a domain name server translates it to the corresponding IP address. ICANN, a non-profit formed by the U.S. government, oversees this domain name system, and the “.com” and “.net” registries specifically are operated by VeriSign. Consequently, the domain names are said to reside on servers in the U.S., although the content of the websites themselves may be owned and operated from anywhere.

Theoretically, one could still access the websites of the seized domains by inputting their respective IP addresses directly.  In practice, most web traffic to these sites would be stopped by the seizure; however, determined users could find the IP address and continue to access them.  Alternatively, owners of the seized domains could easily relocate to new domains, which apparently several have already done.
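The resolution path described above, as an added example that is not part of the original post: a simplified Python model in which a registry delegates each domain to a nameserver and a seizure re-points that delegation. The `Registry`, `Nameserver` and `Resolver` classes, the example.com/example.org names and the addresses are constructed for illustration, and re-pointing the delegation is an assumption about how the redirect is carried out.

```python
from dataclasses import dataclass, field

# Constructed sample data: reserved example names, RFC 5737 documentation IPs.
ORIGIN_IP = "192.0.2.10"     # server that hosts the site's content
NOTICE_IP = "198.51.100.1"   # server that hosts the seizure notice
WEB_HOSTS = {ORIGIN_IP: "site content", NOTICE_IP: "seizure notice"}


@dataclass
class Nameserver:
    """Authoritative nameserver: holds name -> IP (A) records."""
    a_records: dict = field(default_factory=dict)

    def query(self, name):
        return self.a_records.get(name)


@dataclass
class Registry:
    """TLD registry: delegates each registered domain to a nameserver."""
    tld: str
    delegations: dict = field(default_factory=dict)

    def seize(self, domain, notice_ns):
        """Re-point an existing delegation; no other data is modified."""
        if domain not in self.delegations:
            raise KeyError(f"{domain} is not registered under .{self.tld}")
        self.delegations[domain] = notice_ns


class Resolver:
    """Minimal resolver: pick the registry by TLD, then follow the delegation."""

    def __init__(self, registries):
        self.registries = {r.tld: r for r in registries}

    def resolve(self, name):
        tld = name.rsplit(".", 1)[-1]
        registry = self.registries.get(tld)
        ns = registry.delegations.get(name) if registry else None
        return ns.query(name) if ns else None


def fetch(resolver, target):
    """Fetch by domain name or by literal IP; returns served content or None."""
    ip = target if target in WEB_HOSTS else resolver.resolve(target)
    return WEB_HOSTS.get(ip)


def run_scenario():
    """Walk through lookup before seizure, after seizure, by IP, and after relocation."""
    owner_ns = Nameserver({"example.com": ORIGIN_IP})
    notice_ns = Nameserver({"example.com": NOTICE_IP})
    com = Registry("com", {"example.com": owner_ns})
    org = Registry("org")
    resolver = Resolver([com, org])

    results = {"before": fetch(resolver, "example.com")}

    # The seizure touches only the registry's delegation for the name.
    com.seize("example.com", notice_ns)
    results["by_name_after"] = fetch(resolver, "example.com")
    results["by_ip_after"] = fetch(resolver, ORIGIN_IP)

    # The owner registers a new name elsewhere, pointing at the same server.
    owner_ns.a_records["example.org"] = ORIGIN_IP
    org.delegations["example.org"] = owner_ns
    results["relocated"] = fetch(resolver, "example.org")
    return results


if __name__ == "__main__":
    for step, served in run_scenario().items():
        print(f"{step:14} -> {served}")
```

The model leaves out caching and HTTP virtual hosting. On shared hosting a server picks the site from the requested host name, so a bare IP address does not always return the original site.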

The recent round of seizures followed a Senate committee approval of the Combating Online Infringement and Counterfeits Act (COICA), aimed at making it easier for the government to shut down sites alleged to be involved in piracy. The bill, which has garnered support from the usual suspects among content providers, including the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), is also criticized by others as potentially infringing on free speech rights. Under the COICA, a domain name could be seized if it “has no demonstrable, commercially significant purpose or use other than” offering or providing access to unauthorized copies of copyrighted works. Peter Eckersley, of the Electronic Frontier Foundation, argues that the COICA will not help content creators get paid for online distribution, will undermine the domain name system, and could bring back harmful Hollywood blacklists.

On the internet, relevance is worth more than privacy.

The Wall Street Journal recently announced that two U.S. companies are once again exploring a technology called “deep packet inspection” (DPI) as a means to specifically target online ads at consumers. The technology, which has come under fire in the past because it raises serious privacy concerns, tracks Internet users’ browsing habits and records the information to enable advertisers to tailor their content. Those opposed to DPI suggest that it has an alarming potential for abuse. In one scenario, DPI could compromise privacy on the web altogether by harvesting personal details from confidential emails.

Despite the legitimate opposition, widespread adoption of DPI as an advertising tool seems inevitable. The technology has already shown promise beyond the advertising realm: it could save telecoms billions by optimizing mobile networks, and is contemplated to help the U.S. government thwart hacker attacks. Its potential in advertising could be too valuable not to exploit.

DPI could benefit users as well. The more information advertisers have, the more specific their ads become, which can benefit consumers by boosting the number of relevant ads (as opposed to irrelevant spam) that are shown to them. In this respect, it is hard to deny the appeal that targeted ads have.

In one sense, DPI is a logical extension of methods that are already used to target advertisements. Facebook, a social networking site that allows users to create custom profiles where they share personal information, has benefited tremendously from targeting its ads based on such information. In addition, Google has amassed a vast amount of valuable information about Gmail users that it has contemplated selling to advertisers and that it uses on its own to funnel the most relevant ads to certain consumers. Additionally, the Wall Street Journal reports that major websites have already begun collecting information about surfing habits and that the information is openly traded. Thus, there may be almost no privacy left for DPI to strip away.

To quote Pedro Ripper, strategy and technology director of a Brazilian-based ISP company:

“Everyone is going to get there. It’s just a matter of timing.”

December 1st, 2010 at 4:57 am

Posted in Commentary
