Saturday, 28 March 2009

Fight against cybercrime - Costs of

Financial crisis helping, some warn that firms may not invest as much as they should in cyber-security, with the negative consequences this could have. See the interview of Régis Fohrer, French Lieutenant Colonel (Home office): "La crise a un impact négatif sur la lutte contre la cybercriminalité"(JDN, 30 March 2009).

Maybe to palliate this pronostic, the French Home Secretary announced a series of measures to fight cybercrime. Filtering for child porn, and linking the Complaint website of Internet-signalement.gouv.fr to a European website managed by Europol. The last is good news; not sure the first is feasible...
"Michèle Alliot-Marie durcit la lutte contre la cybercriminalité" (JDN 25 March 2009)

criminal law - some patterns of theft disappear

Self-explanatory - US based (FBI) "Car Stereo Theft Doesn't Pay What It Used To" (TechDirt, 27 March 2009)

Anonymity, data and social networking

A scary report, but not surprising, that explains how so-called anonymised data can be reversed and named again. "New Study Shows Anonymous Data Isn't Very Anonymous At All" (TechDirt, 27 March 2009) linking to the blog of Arvind Narayanan, 33 bits of Entropy, http://33bits.org/2009/03/19/de-anonymizing-social-networks/

Wednesday, 25 March 2009

A centre for training, research and education in cybercrime

See teh website of the 2CENTRE http://www.2centre.eu/node/1

and the University of Troyes (France) being a partner to the project "L'Université de technologie de Troyes gonfle ses formations en cybercriminalité" (JDN, 12 March 2009)

use of technology at/after sentencing

Self-explanatory:

"Tracking Sex Offenders With GPS Isn't A Bulletproof Solution" (TechDirt 12 March 2009)

Jurors and the availability of technology

For a civil law suit I think, but issue applicable to cybercrime/criminal law in general

"Lawyers Use Juror's Twitter Messages As Basis For Appeal" (TechDirt, 18 March 2009)

I can't help thinking about the question of whether President Obama should access his Blackberry (distraction or no distraction?...)

Proof of writing in digital format - France

The implications for cybercrime are obvious, but the case by the French Supreme Court is interesting. It deals with a private law issue, where proof was needed that an e-mail has been sent by the social security services. The Court highlights a series of conditions necessary for evidence to be accepted. Obviously, a printed copy of the e-mail is not sufficient, but incredibly, that was what was used by the services!

"La valeur probante de l’écrit numérique" (JDN, 18 February 2009) - Cour de Cassation le 4 décembre 2008 (pourvoi n°07-17622)

Concept of personal relationships and violence

Well, maybe the two articles are not related, but I am struck by their common theme: the nature of personal relationships and how they can be affected by the internet.
The first article relates a survey where 80% German 20yrs old people interviewed said they would prefer to keep their internet connection rather than their partner or car. If true (and again, questions of methodology of the survey), that says a lot about the value attached to bodied relationships: body people are not deemed important. Thus, is it that silly to argue that the next step is an effect of video games on bodied violence if the person is considered as an object rather than a subject? Whatever are the flaws of the surveys done in that respect, I would disagree with the conclusion: there is no strong evidence so far, but it does not mean the phenomenon does not exist. Should we not start good studies?


"I Love You, Honey, But Not As Much As The Internet (or Twitter)" (TechDirt, 24 March 2009)

"Evidence Lacking On Any Connection Between Video Game Violence And Real Violence" (TechDirt, 19 March 2009)



It is also a matter of education, and parents should be a bit more careful when letting their children access the web. It's not so much access to porn and violence that troubles me, but the lack of understanding about reliability of sources and the distinction between fantasy and reality because of images blurring the line.
"Shocker: Parents Don't Have A Good Idea Of What Their Kids Do Online" (TechDirt, 19 March 2009)

"School Shooting In Germany Immediately Leads To Calls To Ban Violent Video Games" (TechDirt, 12 March 2009)

No limits to surveillance? crime, internet, secret agencies, and police forces' wishes to hack

  1. The following interview is extremely interesting in terms of technical aspects of surveillance and implied human rights/ethics breaches. First, F-secure as an anti-virus company never received information from Government when police forces use Trojan. In other words, F-secure blocks Trojans without discrimination on their origing. So the question is: can police forces overcome the barrier anti-virus softwares create? I wonder who will answer that one.
    Secondly, hacking if used by police forces creates technical difficulties: how do you cypher through the mass of data? how do you comply with basic procedural rules if you do not want evidence to be later discarded? The answer is our third point: the interviewee suggests that the main reason for wanting to hack would be organised crime like drug-trafficking. For those, there are often specific rules about covert investigations.

    "Privacy vs protection: Police and the right to hack" (ZDnet.co.uk, 17 March 2009)
  2. Overall, what is surprising is how the internet and its characteristics seem to be used to justify a level of surveillance that simply never existed and a breach of basic human rights that is unthinkable outside the world of cybercrime/ technology-based crime. Why that fear of crime?
Even the creator of the web opposes it: "Berners-Lee says no to internet 'snooping' " (ZDnet.co.uk, 11 March 2009)

"Gov't may track all UK Facebook traffic" (ZDnet.co.uk, 18 March 2009) and Facebook's response"Facebook attacks gov't web-monitoring plans" (ZDnet.co.uk, 24 March 2009)

"Does 'Cyber-Security' Mean More NSA Dragnet Surveillance?" (TechDirt, 17 March 2009)

"White House Says Feds Should Have Unfettered Access To Mobile Phone Location Info" (TechDirt, 18 March 2009)


3. Lastly, the study by Cl. Guerrier (in French - abstract in English) shows that in the US, Germany, and France, interception of communications is at the same time authorised and controled by the creation of an agency. The problem is the effectiveness of the control done.


"Aux USA, en Allemagne, en France, quelle protection de la vie
privée en matière d’interceptions de télécommunication ?
" (Juriscom, 9 March 2009)

Censorship/filtering policies - contrast?

Because of being late in updating the blog, I saw the two following post/article at the same time.
One would expect a clear difference because of the values the two countries attach or do not attach to democracy. The similarities are striking and worrying.

"Why Are Australia's Would-Be 'Net Censors So Opposed To Transparency?" (TechDirt, 19 March 2009)

"China Blocks YouTube, Again" (TechDirt, 24 March 2009). Yes, the interesting question is when did they allow YouTube again? Once YouTube has removed the problematic content? Or when they devise a tool to block access to the videos at stake?

Computer misuses: hacking and the rest

The Web Hacking Incidents Database just published its 2008 report. It is worth a read. Here are a few facts:

- 19% steal information in order to sell it = profit
- 24% deface a website (i.e. change its homepage with a message)
- 5% is phishing


The attacks originate for 66% from North America, 16% from Europe, 6% Asia, which is probably a reflection of internet access and use.


and Government websites & co represent 32% of the victims. Two explanations here: Government got sensitive information (hence theft and fraud) and they represent the law (thus issue of politics or hactivism)

http://www.breach.com/resources/whitepapers/downloads/WP_WebHackingIncidents_2008.pdf
for a partial translation in French see Journal du Net (March 2009)

Fraud occurences: classics, SEC, and selling mis-behaviours

Nothing really new, just reinforcing the obvious: can't be too careful on the net when buying or installing softwares.
"Report: Fake antivirus scams pulling in profits" (ZDNet.co.uk, March 2009)

or cameras for that matter:
The article shows the difficult line between aggressive selling and just fraud. Probably more appropriate to use contract law to deal with the issue.


For another classic fraud, this time applied to the Stock Exchange, and dealt in the US by the SEC: fraud, manipulation of shares...
"Two Texas men settle charges in spam scam case" (Investment.News, 19 March 2009)


For the "Cost of online-banking fraud doubled in 2008" (ZDNet.co.uk, 23 March 2009)

Wednesday, 11 March 2009

Censorship and the economy

no cybercrime issue here at least directly. It is just a side-effect of censorhip and filtering - lack of transparency triggers more lack of transparency...
"How Does Chinese Internet Censorship Affect Business?" (TechDirt, 25 February 2009)

"China Shuts Down 'Unregistered' Websites" (TechDirt, 25 February 2009)

Piracy, filtering and the place of criminal law

France is trying to create a graded response to piracy obliging ISPs to filter the internet and the users' access to be blocked in case of infringement. It's still a Parliament bill but very controversial.
"Piratage : les moteurs bientôt soumis au filtrage du Web ?" (JDN, 6 March 2009)
I'm not a copyrights' specialist but the story, like everything that I can read about piracy issues (thinking of the Swedish(?) case of Pirate Bay), brings to mind several comments:

1) I don't think copyrights should be violated per se and should necessarily disappear; however, I don't believe either that the system can work the way it was created and generalised a good century ago. The internet changed the background, the landscape in which copyrights operated. Works are now easily available - They are cheap but often of good quality because of the nature of digital technology - the immanent nature of the internet allows for permanent and vast diffusion of works whether illegal or legal

2) thus, criminal law cannot be the response to a problem which dimensions changed because of the internet. Piracy always existed. Not the internet.
In other words, reflexion on copyrights and availability of creative works should be primary rather than a push towards investigation, prosecution and sentencing.
"A la veille du vote des députés : retour sur la future loi ‘création et Internet’ " (Juris.com, 22 February 2009)

And filtering is not the answer.
the IWF story in the UK illustrates well the controversy "IWF chief: Why Wikipedia block went wrong " (ZDNet.co.uk, 20 February 2009)
The following article (in French) reveals a study made about ISPs and their perception of filtering for piracy if the French bill is enacted: most won't do it and if they do, they'll certainly not support the costs (= the Government has to do it!) "Ce que pensent les FAI du filtrage du Web" (JDN, 4 March 2009)

3) compared to other crimes, frankly, piracy is the least important. Especially when those benefiting copyrights are more often than not the big companies and not even the authors themselves. If the same amount of energy and money were put into fraud or child porn, cybercrime would be greatly reduced. Which say something about our society: better to protect property of big businesses than to protect the persons and their individual well-being. Problematic no?

Election fraud - Germany's Supreme Court

I can't read German so this is clearly second hand information. The German Supreme Court considered that e-voting was unsafe and thus unconstitutional, although in the elections at stake in the appeal, it refused to strike down the results for no proof of mistakes.
Again, the issue of clearly an issue of security and transparency, criminal law being really of last resort.
"German Court Says E-Voting Was Unconstitutional" (TechDirt, 5 March 2009)

Nasa hacker - CPS refusal

CPS refused prosecution on the ground that most of the evidence rests in the US, which obviously would cost a fortune to bring back to the UK. However, I don't fully understand the decision, given that McKinnon confessed and thus showed his intention to plead guilty. If he pleas guilty, there is more or less no assessment of evidence, thus whether it's in the US or not does not matter. If I am right, then it raises the question of why the CPS does not want to prosecute and are happy to leave their American colleagues facing the burden of proof...

"Nasa hacker closer to extradition after CPS refusal " (ZDNet.co.uk, 26 February 2009)
"Parliamentary support builds for Nasa hacker " (ZDnet.co.uk, 25 February 2009)

Agression and the influence of the internet and games

Conflicting stories continue to arrive. It would be a very interesting subject for a PhD in criminology/sociology to analyse the studies, their methodologies and their conclusions.
My belief remains the same. Violence on screen does not make you a criminal per se; but combined with dysfunctional families or personal life, it can, in certain circumstances, just be the trigger to real physical violence. To be purely dismissive of their effect is as silly as to be (over)emphasing their effect.

Whether criminal law should intervene is an other matter. However criminal law never faced the issue because violence ritualised by society (think about the fights organised in the Middle Ages between the knights; or even hunting parties) was physical violence, not "virtual" violence displayed on a screen. I'm starting to reflect on those issues for which I'll present a paper at the next BILETA 2009 conference.

"Teens killed in cyber bullying 'epidemic' " (CCRC, 21 February 2009)

"Internet-Addicted Kids Are Aggressive, Study Says" (TechDirt, 25 February 2009)

"The Big Question: Are Violent Video Games Adequately Preparing Kids For The Apocalypse?" (the post refers to a video quite funny) (TechDirt, 27 February 2009)

On a similar theme, "And Now Facebook And Twitter Will Melt Your Mind" (TechDirt, 25 February 2009). I would not be as harsh as the author of the post. There is a point where using Twitter and even e-mails constantly create a frame of mind not suitable for very deep reflexion. I think those tools are good and extremely useful, but I certainly can't write a 15000 words article if I look at my e-mails more than twice a day while researching and writing. Filtering the outside world to create silence does make us stronger if well used. The reverse is also true: e-mails and other forms of new communications can be good stuff.

National Security/Defence and cyberccrime

Two incidents that just remind us of how fragile cybersecurity can be

1) the French army plane Le Rafale was affected by a well-known virus that found its way to the computer system running it
"Le Rafale cloué au sol par un virus" (JDN, 10 February 2009)

2) the Presidential helicopter could be targeted as information was leaked via the filesharing software in the computer
"US Contractor Follows Japanese Example: Leaks Military Secrets Via P2P" (TechDirt, 2 March 2009)

See previous post today about human error: http://cybercrimeatessex.blogspot.com/2009/03/fraud-on-social-networks-security-or.html


Would non cyber data be safer? Well, it all depends on what security measures have been implemented! "Le papier plus exposé que les données informatiques" (JDN, 9 February 2009) - (Paper more exposed than electronic data)

The fight against child porn: to the root of the matter, money

The EU accepted to fund the European Financial Coalition where different firms and NGOs join their forces to combat child porn. The 427,000 euros will go towards tracking down the producers of child porn via the amount of money they manipulate. In other words, it goes to the heart of the matter: money. Porn is about money first of all (for adult porn, it is even truer). The fight has traditionally gone towards the end users probably because it is easier to track them down than to find the producers. But like the mafia or other forms of organised crimes, money (and tax) is the first tool used by criminals; tracking it down allows for the chain to be discovered.

Europa Press release 3 March 2009

In that sense, filtering looks like an inadequate tool. Given the immensity of the web, it is also an ineffective tool to avoid child porn. See "Group Reveals There Are Ways To Fight Child Porn Other Than Useless Web Filters" (TechDirt, 5 March 2009)

the use of internet by police forces: to go with the flow or not?

Undoubtedly, new technologies challenge traditional policing, but it is no reason to forgo human rights and becoming more invasive in investigation techniques. New technologies work both sides (criminals/police) as long as one pauses to see their potential. Criminals are very good at it; police forces seem to be less able to view it in a positive light. A shame because hacking computers won't help them tracking down criminals if they do not have previous information of what has been done. Second, having a computer does not give the right to breach privacy. The traditional criminal procedural rules DO apply; thus the Australian proposals look pretty scary.


"Australian Law Enforcement Wants The Right To Hack Computers" (TechDirt, 10 March 2009)

"Cops Taking To Private Social Networks; Is There Enough Oversight?" (TechDirt, 10 March 2009)

"Illinois Sheriff Sues Craigslist For Prostitution; Apparently Unaware Of The Law" (TechDirt, 5 march 2009)

"More Dumb Criminals On YouTube: Man Faces 10 Years In Jail For Self-Incrimination By YouTube" (TechDirt, 6 March 2009)

Perception of security by users

JDN reports a study made by Epitech which, as far as I could make out (JDN does not indicate or refer to external links), is a firm/school specialised in information technology. 1032 persons answered what is probably a questionaire. 95.64% know that using the web leaves tracks and between 44 to 60% use the privacy function of their web browser or proxy websites to avoid being tracked down. 94% believe spying is possible, whether of e-mails, forums or social networking.

"Sécurité IT : l'ingérence de l'Etat inquiète les internautes" (JDN, February 2009)

US cybersecurity agency and spy agency

Strangely enough, I saw that information first in the French newspaper, rather than English speaking newsletters! Rod Beckström , the head of the National Cybersecurity Center in the US and responsible for protection against cyberattacks, resigned after the Center being attached to the National Security Agency which more or less spies on the web, rather than improving the security of the network. Looking at his reasoning, he is probably right. The NSA has different objectives than the NCSC; that they should collaborate, it's obvious; but they should remain different in the way they function. Merging them is potentially a source of human rights infringement.

"Le patron de la cyber-sécurité américaine claque la porte" (JDN, 9 March 2009)

For a related article (this time in English), "Is FEMA The Best Group To Model A Cybersecurity Agency After?" (TechDirt, 20 February 2009)
and for the other aspect of the US policy on new technologies "Barack Obama nomme un CTO pour l'Amérique" (JDN 6 mars 2009)

Fraud on social networks: security or education issue?

The article probably reiterates what is already known, but I found it interesting because it explains with details how the lack of security is increased by the combination of people not using their common sense and the presence of networking offered to them by Twitter, Facebook, LInkedIn which all link together rather than being compartementalised.
Maybe people do need to be educated after all on this, notably in realising the snowball effect of having details exposed and linked to different sites.

"Why scammers find rich pickings on Facebook" (ZDnet.co.uk, 3 March 2009)

For the type of spam/scam, see "Do not falling victim of social networking spam" (CCRC, 27 February 2009)

The same issue seems to exist in the financial sector, which is pretty scary given the amount of financial data at stake and what it means for fraud. The study was provided by Cabinet Deloitte; it is in French, but still more or less readable because a lot is in tables. The most interesting thing for me was the last table: human error accounts for 86% in 2008 (79% in 2007) for breaches in security. In other words, people need to start taking responsibility for maintening security and stop blaming softwares developers and the like.
"Le secteur financier jugé trop peu sensible à la sécurité IT" (JDN, Feburary 2009)

Trends in cybercrime

The French Journal of the Net (JDN) provides tables for cybercrime trends in January 2009. A few viruses were around; infected websites so that malicious codes are distributed are trendy; wi-fi protection increases but still 44% of the computers are not secured enough to go online; spam comes predominantly from the US, then China (but a huge drop: 456 compared to 1546 for the US), then Russia, the UK and South Korea.

"L'état de la menace informatique dans le monde (janvier 2009)" (JDN, March 2009)


According to the American Clic Forensics firm, fraud using clicking is on the increase for the last term of 2008, with 17% of the clicks fraudulent, and a rise to 28,2% on sites providing sponsored links such as Google Ad or Yahoo. Zombies PC are playing an important part in spreading the problem.
Recrudescence de la fraude au clic fin 2008 (JDN, 30 January 2009)

and insiders are also creating risks increasingly "Insider Security Attacks On The Rise, MS Says" (TechDirt, 19 February 2009)