Yottabytes: Storage and Disaster Recovery

August 18, 2019  9:47 PM

Hacked Biometric Database Could Cause Problems

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Biometrics, privacy, Security

About a year ago, it was discovered that a DNA database was hacked. At least, sort of. It was just email addresses of the users of the DNA database, not any of the DNA itself. And everyone heaved a huge sigh of relief at that, because losing data like that would be really bad.

Now, some data like that has been stolen.

“BioStar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs,” writes vpnMentor, an organization that reviews VPNs, particularly their security. “Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive. Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”

Well, that’s a bummer.

The security software, produced by a company called Suprema, is used by a variety of companies worldwide, including  UK Metropolitan police, defense contractors, and banks, according to Josh Taylor in the Guardian newspaper.

The problem with stealing biometrics, such as fingerprints and faces, as opposed to credit card numbers, is that while people can always get a new credit card if one gets compromised, they can’t get new fingerprints or faces. This is related to the problem of medical identity theft: It’s not something you can change.

The breach was discovered on August 5, reported on August 7, and closed on August 13, the organization writes. Altogether, the company said it was able to access more than 27.8 million records, a total of 23 gigabytes of data. It isn’t clear how long the vulnerability was there, according to Chris Baraniuk of the BBC.

As with many other breaches, this one happened because the security for the system was so bad, the organization writes. Some people had really poor passwords, and even the good passwords were stored in plain text in a database, meaning that anyone who hacked into the database could have access to the data.

“The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company,” the organization writes. For example, instead of saving a hash of the fingerprint (that can’t be reverse-engineered) the company saved people’s actual fingerprints, which could be copied for malicious purposes, it warns.

So what sorts of things could hackers do with the stolen data?

  • Take over a high-level account, with user permissions and security clearances, and make changes to the security settings in a network
  • Change user permissions and lock people out of certain areas
  • Create new user accounts to give people accessto secure areas
  • Change the fingerprints of existing accountsto their own and hijack a user account to access restricted areas undetected
  • Gain access to activity logs, so they can delete or alter the data to hide their activities

The one bit of good news, according to one security researcher on Twitter, is that perhaps the data was just test data and not actual data. But it isn’t clear yet, and, not surprisingly, Suprema isn’t talking; there’s been very little new information after the initial report.

July 26, 2019  8:23 PM

Federal Government Trying to Mandate Encryption Back Doors Again

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Encryption, privacy, Security

Here we go again. Federal governments are talking about encryption back doors.

Oh, excuse me. The latest term of art is “exceptional access,” which actually makes it sound sort of cool. But it’s a back door just the same.

As you may recall, governments have been concerned about encryption for as long as it’s been around. At one point in the U.S., it was actually classified as a munition. It came up again in the fall of 2014, when Google and Apple each released smartphones with encryption that even the respective vendors couldn’t break. Much handwringing on the part of law enforcement ensued, warning us of dire consequences such as pedophilia, terrorism, and so on.

Never mind the fact that plenty of bad guys, including terrorists in Brussels and France, don’t seem smart enough to use encryption in the first place.

Most recently, it came up in late July when US Attorney General William Barr, followed by US Attorneys Geoffrey Berman and Richard P. Donoghue the following day, to again call for government access to encrypted data.

“Although the cast of characters is new, Barr’s arguments echoed the same points Justice Department officials have been making for years: The government needs access to encrypted data, he says, or else devices are ‘law-free zones’ that hinder law enforcement officers,” writes Patrick Howell O’Neill in MIT Technology Review.

It’s not like this is a surprise. People have been expecting this since, oh, mid November 2016.

People with more sense, like German prosecutor Markus Hartmann, disagreed with his US counterparts, pointing that criminals and terrorists will simply turn to different services if a country like the US passes a law to bypass encryption, noting GitHub has plenty of examples, O’Neill writes.

Even former National Security Agency director Michael Hayden weighed in. “Not really,” he Tweeted in response to a Tweet quoting Barr as saying that Americans should accept the security risks of encryption back doors. According to Politico reporter Eric Geller, a number of three-letter government agencies have differing views of the proposal.

The U.S. isn’t alone. Countries such as Germany and Australia have also been looking at ways to outlaw encryption.

The most recent suggestion, from Ian Levy from the U.K.’s equivalent to the NSA, is that an encryption system between two people simply add a “ghost user” – that is, the government – to their conversation, which would give the government access to the conversation should they deem it necessary.

Security expert Jon Callas has a long (four part) series on the American Civil Liberties Union (ACLU) website explaining all the technical issues wrong with the proposal, while other security experts such as Bruce Schneier and Matthew Green have also weighed in on the proposal. The Electronic Frontier Foundation has issued at least three such rebuttals as well.

When the ACLU and Reason are both on the same side of an issue, you know it’s got to have problems.

Security experts such as Schneier have also pointed out that there’s no such thing as a back door that only good guys can use, and that any back door, no matter what you call it, is likely to be exploited by bad guys as well. That argument has worked in the past, and they are trying it on this technique as well, but it is unclear whether it will work this time.

Ironically, a number of government representatives, including President Donald Trump’s son-in-law Jared Kushner, Australian politicians, and members of Britain’s Parliament have all been said to use the encrypted messaging application WhatsApp to conduct government business. It is unclear whether they would continue to be able to do so if WhatsApp were made illegal or given a back door.

But Green people such as Matthew Green, who teaches cybersecurity at Johns Hopkins, pointed out that likely all we need is the cybersecurity equivalent of the Reichstag fire for legal encryption to go bye-bye. “But what they do have is time, and the inevitability that given enough of it, something terrible will happen to America on their watch,” he wrote on Twitter, which is apparently the place people make pronouncements these days. “And they’ll be able to push these proposals without the need for debate. That’s where we are, and it should scare you.”

July 18, 2019  9:15 AM

Wikipedia in DNA Storage is Another Leap Forward

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

We’ve talked before about DNA storage, or the ability to store large amounts of data in DNA. Now there’s another company that’s taking a stab at it.

While DNA storage is incredibly dense and is thought to last longer than traditional magnetic storage, it’s expensive and slow.

So now there’s a Boston-based company, Catalog Technologies, that was founded in 2016 and is working on the technology. It got a flurry of attention last year when it raised $9 million from investors.

Most recently, the company said that it had put all 16 gigabytes of Wikipedia onto DNA strands to demonstrate its technology. Since previous demonstrations were 200 megabytes that Microsoft showed in 2016, this was quite an improvement.

“We encoded the English text version of Wikipedia into synthetic DNA molecules using printer technology, our groundbreaking encoding scheme and chemical protocols,” the company writes. “The total amount of data came to 16 gigabytes, significantly more digital information than has ever been captured into DNA previously – not to mention orders of magnitude faster and cheaper than chemical synthesis approaches.”

The company uses a DNA-building enzyme instead of traditional chemical approaches to rapidly synthesize DNA, wrote Jeff Bauter Engel in Xconomy last year. “ The startup says the key to its approach is separating the process of synthesizing DNA molecules from the process of encoding the digital data,” he writes. “Catalog’s method involves purchasing large quantities of small DNA fragments—about 20 to 30 base pairs long—from synthetic DNA suppliers. Catalog designed a machine that can dispense and stitch the DNA fragments together in programmable ways. The idea is that Catalog’s process uses a relatively small number of DNA molecules—fewer than 200—which can be combined in an exponential number of ways.”

Essentially, it’s like a language: in English, there are only 26 letters, but through various arrangements we can make, theoretically, make an infinite number of different words,” wrote Katherine Ellen Foley in Quartz last year. “Catalog estimates that it will cost less than three thousands of a cent to store one MB of data. For context, on Spotify, a minute of stereo sound is about 2.4 MB at the highest quality.”

The company had said at the time that by next year – that is to say, this year – it would be able to encode 1 terabyte of information per day in DNA, for several thousand dollars, Engel wrote.

Now, 16 gb isn’t 1 TB, but it’s certainly better than 200 mb. “By comparison, a silicon-based portable hard drive with 1 terabyte of storage capacity typically costs less than $100, and the process of saving 1 terabyte of data on it would only take a few hours,” Engel writes. “The bottom line is even if Catalog’s system performs as well as advertised, the company and its rivals are still a long way from being able to compete with the lower costs and faster data transfer speeds of hard drives.”

Nonetheless, it’s a start. The company told MIT Technology Review last year that it would have a commercial system of a single machine or a group of them able to store a petabit of data per day by 2021.

“Let’s face it, this thing is huge,” wrote Antonio Regalado. “It’s no flash drive. The rendering shows a door and room enough inside for a couple of technicians. Inside there will need to be a hundred bags or bottles of ready-made DNA, and then an automated laboratory to mix the strands together and perform billions of reactions. You’ll also have to squeeze in a DNA sequencing machine—maybe a couple of them—to retrieve the data.”

In addition to raising money, Catalog is also said to have done a good job assembling talent. Funny how those two things go together.

Meanwhile, Microsoft hasn’t yet announced the DNA storage engine it promised to have by the end of the decade.

July 13, 2019  7:22 PM

Concern Rises About ICE Facial Recognition Use

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

In 2016, the Federal Bureau of Investigation’s (FBI) facial recognition database was big and broken, according to the Government Accountability Office (GAO). Now, it’s not much better, a whole lot bigger, and it’s being used by Immigration and Customs Enforcement (ICE) as well.

Previously, the FBI’s Facial Analysis, Comparison, and Evaluation program (FACE, get it?) had the driver’s license photos of the residents of 16 states, while another 18 states were negotiating with the FBI over the use of driver’s license images, giving it a database of more than 411 million pictures. Now, 21 states give the FBI such access, with access to more than 641 million pictures, writes Drew Harwell in the Washington Post.

More recently, a report from Georgetown Law’s Center on Privacy and Technology revealed that ICE officials requested access to DMV databases in Utah, Washington State, and Vermont, with the intention of using facial-recognition technology to scan drivers’ photos and match them against criminal and residency databases without their knowledge, writes Sidney Fussell in the Atlantic. “Vermont and Utah both complied with ICE’s request, The New York Times reported; in Washington, it’s unclear whether the searches happened after being authorized,” he adds.

What makes those three states significant is that they are among more than a dozen that grant driver’s licenses to undocumented immigrants. Those states provide a driver’s license to undocumented immigrants because they feel it’s safer than having them drive around unregulated. “What may have seemed like an olive branch to allow easier access to driving and identification now could be an invitation for investigation, arrest, or deportation,” Fussell writes.

In fact, in Vermont, undocumented immigrants were apparently targeted after applying for state driver’s licenses, according to Vermont Public Radio. One migrant advocacy organization in Vermont contends that its members were targeted by ICE.

And in Utah, an immigration attorney “noticed what he described as an ‘undeniable statistical pattern’ of ICE agents detaining people after they renewed their state-issued driving privilege cards,” writes Dennis Romboy in the Deseret News. The state received 49 search requests from ICE between October 2015 and November 2017, about 10 percent of which resulted in a positive hit, he writes.

Vermont officials stopped sharing facial-recognition information with federal immigration authorities in May 2017, and in Washington state, as of 2018, all requests must be court ordered, according to CBS News.

According to the National Conference of State Legislatures, twelve states and the District of Columbia — California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, New Mexico, Nevada, Utah, Vermont and Washington — enacted laws to allow unauthorized immigrants to obtain a driver’s licenses.  In 2019, legislators in several more states — including FloridaKansasMassachusettsMinnesotaNew JerseyNew YorkNorth Carolina, and Texas — introduced legislation to provide driver’s licenses to undocumented residents. Several of those states already have agreements with the FBI, Harwell writes. In fact, in Florida, 17 federal agencies have access to the driver’s license database, writes Joey Roulette in the Orlando Sentinel.

In addition, the organizations aren’t required to get a warrant or subpoena to perform such searches, Harwell writes. “While some of the driver photo searches were made on the strength of federal subpoenas or court orders, many requests for searches involved nothing more than an email to a DMV official with the target’s ‘probe photo’ attached,” he writes. “The official would then search the driver’s license database and provide details of any possible matches.” Moreover, this wasn’t just to help identify criminal suspects, but also to detect possible witnesses, victims, bodies, and innocent bystanders and other people not charged with crimes, he adds.

The GAO has updated its 2016 report, noting that while the Department of Justice and the FBI had taken some actions to address three recommendations— including the FBI fully implementing one of them—but has not taken any actions on the other three.

So what’s the problem with the FBI, or ICE, using facial recognition databases? First, the state driver’s license databases aren’t full of criminals; they are full of largely law-abiding people who have no reason to be suspected of or investigated about a crime. Second, there are no restrictions on which law enforcement people can look at the databases, or why. Third, facial recognition is no panacea, particularly with minorities, with whom it is more likely to show false positives.

While the accuracy rate has increased from 80 percent in 2016 to 86 percent now, that’s predicated on there being at least 50 pictures for comparison, which doesn’t always happen, Harwell writes. “The FBI said its system is 86 percent accurate at finding the right person if a search is able to generate a list of 50 possible matches, according to the GAO,” he writes. “But the FBI has not tested its system’s accuracy under conditions that are closer to normal, such as when a facial search returns only a few possible matches.”

The result is that someone minding their own business can suddenly find themselves the target of an FBI or ICE investigation because their face happens to match the face of a criminal or an undocumented immigrant.

July 7, 2019  10:00 PM

Spokeo as a Precedent Goes Far Beyond Original Database Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Database, Storage

A 2016 Supreme Court decision based on how much damage it costs a person when information about them is incorrect in a database is continuing to be used as a precedent in other legal cases that are far removed from the original case.

The actual original case revolved around the data aggregation site Spokeo. This site had been around for a while. It uses publically available data to collect information about a person, some of which it provides for free and some of which you pay for. Because of how it collects and aggregates the data, it can sometimes be laughably inaccurate.

But one person, Thomas Robins, didn’t find the inaccuracies laughable. In fact, he said they had caused him harm. They said he had a graduate degree and was married with children, and he was concerned that this inaccurate information would make it harder for him to find a job, though he didn’t have any evidence that had happened or that anyone had even looked at his file in the first place. And so he sued Spokeo, not because their collection of data was creepy and an invasion of his privacy, but because it was inaccurate.

Spokeo supporters warned that finding in favor of Robins would mean that practically anybody could file a class-action suit on practically any tiny technical detail that some company screwed up, potentially costing millions or billions. Robins’ supporters warned that finding in favor of Spokeo would mean that nobody would ever be able to file a class-action suit ever again, unless each member could point to specific, enumerated injuries.

But instead of making either of those two decisions, the Supreme Court ruled that it wasn’t an issue because Robins couldn’t prove any concrete damages caused by the errors in the Spokeo database. The computer industry heaved a great sigh of relief and went on about its business.

That said, courts have continued using Spokeo one way or another as a precedent since then. In fact, because state courts have taken different viewpoints on it since it was decided, this means this case could go back to the Supreme Court again.

And that’s where we stand now: State courts continue to make decisions based on their interpretations of what the Spokeo case actually meant, and they don’t always agree.

For example, the Sixth and the Seventh Circuit Courts have disagreed on two cases that are essentially identical, writes Maurice Wutscher in Lexology: A debtor wanted to sue a debt collector for failing to notify her in its debt validation letter that to trigger the federal Fair Debt Collection Practices Act’s protections she had to communicate a dispute in writing. According to the Seventh Circuit, the only harm the debtor suffered was receiving the incomplete letter. In fact, the first sentence of the decision literally said, “No harm, no foul.”

But according to the Sixth Circuit, the complaint in that case alleged a concrete injury because depriving a consumer of this information put them at a greater risk of future harm, Wutscher writes. A similar case in 2016, with the Eleventh Circuit, found the same, he wrote in a separate Lexology article – though the court’s decision in that case wasn’t nearly as entertainingly written.

Even in spam cases, courts – such as the Second Circuit, earlier this year – have used Spokeo to rule on whether the person receiving the spam was actually harmed by it. In the particular Second Circuit case, the court ruled that the person getting the spam text messages was actually harmed, writes Shari Clare Lewis in the New York Law Journal.

“The circuit court noted that although text messages were different in some respects from the receipt of calls or faxes specifically mentioned in the [Telephone Consumer Privacy Act], they presented the same ‘nuisance and privacy invasion’ problems envisioned by Congress when it enacted the TCPA,” Lewis writes. In addition, the Second Circuit pointed to similar decisions made by the Third and Ninth Circuits, she adds.

Spokeo is also coming into play with a case about whether Facebook users can sue the company in a $30 billion class action suit claiming that their facial data was harvested without their consent in 2015. The district judge said the users had a right to sue and Facebook appealed to the Ninth Circuit. (In another wrinkle, the data was stored outside the state – in this case, Illinois — which the company contended meant it out was out of state jurisdiction.)

On the other hand, state courts haven’t been consistent on whether receipts having too many digits of a person’s credit card number cause actual harm. Earlier this year, the Third Circuit decided that having too many digits wasn’t an actual harm, agreeing with the Second and Ninth Circuits, writes Patrick Ryan in Ahead of the Class, a class action defense blog. On the other hand, the Eleventh Circuit had ruled in similar cases that there could be harm, he added.

It just goes to show how picky some of these cases can be sometimes. How often do you check to see how many of the digits of your credit card number were printed on a receipt, and how likely would you be to try to sue if it were incorrect? But apparently people do.

June 30, 2019  5:31 PM

Dead Cryptocurrency Founder Transferred Lots of Money Before He Died

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Cryptocurrency, Storage

Remember earlier this year when the head of a cryptocurrency company died and access to the system supposedly died with him? There was some concern at the time that it was too convenient – perhaps even that he’d faked his own death.

They haven’t found the guy or anything like that, but there have been a number of other discoveries that have thrown suspicion on the operation.

It all started on December 9, when Gerald Cotten, CEO of crypto exchange QuadrigaCX, died. The result was that his widow Jennifer Robertson said the company owed its customers some $190 million, and the company filed for creditor protection because it said it didn’t have access to the majority of its bitcoin.

Now a recently-released report by court-appointed monitor Ernst & Young, which is overseeing the bankruptcy proceedings, alleges that Cotten siphoned off money from the firm’s customers before his death, writes James Rogers for Fox News. “The report notes that substantial amounts of cryptocurrency were transferred to ‘wallet holders’ whose identity they were unable to confirm,” he writes. “Ernst & Young was also unable to find any evidence that Quadriga maintained any traditional books or accounting records since at least 2016.”

And there’s more. “It appears that User Cryptocurrency was traded on these exchanges and in some circumstances used as security for a margin trading account established by Mr. Cotton,” the report notes. “Trading losses incurred and incremental fees charged by exchanges appear to have adversely affected Quadriga’s Cryptocurrency reserves.”  (Don’t you love legal writing?)

The good news, such as it is, is that the company is now missing “only” $163 million, rather than the original $190 million, Ernst & Young reported. In addition, $25 million has been recovered. But a lot more money – including $80 million Canadian that was traded through an unnamed offshore cryptocurrency account – seems to have simply vanished.

Ernst & Young is looking at computer storage that Cotten left behind, hoping to find more records or passwords. “Three of the electronic devices (a USB stick, large MacBook laptop computer and Mr. Cotten’s home computer) were found to be encrypted (the ‘Encrypted Devices’), and as such, their contents have not been accessed to date,” the report notes. “In addition, other unencrypted devices, including two cell phones and a small MacBook laptop computer (the ‘Unencrypted Devices’) have also been imaged.” No passwords, though.

The company is also trying to gain access to Cotten’s Gmail account, which may require a court order, plus there are indications he used encrypted text messaging services. “The Monitor has identified numerous examples where Mr. Cotten requested that individuals he was communicating with through email or unencrypted text messaging transition communications from these unencrypted methods to encrypted texts, telegram or messaging methods,” the report notes. “The reasons for the usage of different email accounts and encrypted messaging services remains unclear.” In addition, the company is working its way through 77 terabytes of data from Amazon Web Services, the report notes.

Cotten had also told his family he had established a “dead man switch” – literally, in this case, but that’s what it’s called – to inform the family of his passwords should he disappear for a certain period of time, but that time went by and the family received no email, according to the report.

Obviously, the report doesn’t come out and say the guy stole the money, but it does note, “The Monitor identified significant transfers of Fiat from Quadriga to Mr. Cotten and his wife. The Monitor understands that in the last few years, Mr. Cotten and his wife, either personally or through corporations controlled by them acquired significant assets including real and personal property. The Monitor also understands that they frequently travelled to multiple vacation destinations often making use of private jet services. The Monitor has been advised that neither Mr. Cotten nor his wife had any material source of income other than funds received from Quadriga.”

So it still isn’t clear whether Cotten was trying to rip people off, or just got in over his head, and whether he just happened to die inconveniently, or skipped town and threw his wife under the bus in the process.

June 24, 2019  9:12 AM

Australian Archivists Worry About ‘Digital Dark Ages’

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

What with “but her emails” and government officials using applications like Signal to avoid having records of communications, it’s easy to forget that, actually, data doesn’t last forever.

That’s what people are finding out in Australia, where the National Archives of Australia made headlines recently by saying it expected to lose access to some of its electronic records by 2025 because it couldn’t read them anymore.

“Australia’s memory institutions are racing to digitize their magnetic tape collections before the year 2025, when archivists around the world expect it will become almost impossible to find working tape playback machines,” writes James Elton for ABC News in Australia. “The National Archives of Australia holds some 130,000 hours of audio and video tape that still need to be rescued.”

Consequently, the National Archives people are spending their days looking for old machines to play back the tapes so they can be converted to a more modern format, Elton writes. “The Archives is using its limited budget to pick up tape machines wherever it can find them,” he writes. “Archivists scour online marketplaces like eBay and Gumtree looking for machines for sale, even broken machines that can be harvested for working parts.”

People who know how to work the machines are also in short supply – and if you know how to work them, Australia may have a job for you. “As the technology has changed, people are no longer learning how to use the older machines,” Elton writes.”It’s mostly ex-industry people, working for the preservation service.”

This isn’t a new problem, and Australia isn’t alone. The issue of the “digital dark ages” has come up a number of times over the past couple of decades, as people lose access to digital information. Whether it’s due to links that no longer work, magnetic media that suffers bit rot, software formats we can no longer use, or magnetic media we can no longer read, people are increasingly concerned about what this will mean for future generations.

Other examples include the game Prince of Persia, which was laboriously restored from Apple ][ disks a few years ago; the state of Rhode Island, which lost access to some of its government email records due to incompatibilities between the different proprietary email systems state government was using; and the fact that some government agencies still use Zip drives and floppy disks, even with nuclear missiles.

The topic is a common one among archivists, and comes up a lot during Electronic Records Day (which, at the same time, archivists are trying to persuade organizations to digitize their paper archives). This problem has also led to a burgeoning business in audio and video tape restoration, especially as people become more interested in genealogy, noted one comment.

One possibility is to develop software to read the data off magnetic tapes in a different way and reconstruct the images, Elton writes.

Archivists might even work together to get companies to start manufacturing the machines again, one Australian archivist said.  “If that’s what it takes, will then we will be pursuing those strategies,” Elton writes.

June 20, 2019  9:09 AM

Counsel, Judge Beat up on HP Execs in HP-Autonomy Fraud Trial

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Autonomy, HP

It’s the gift that keeps on giving. Two former major HP executives – coincidentally, both women – testified last week in the Autonomy fraud case, and both got pushback from opposition counsel, with one even getting criticized by the judge.

In case you’ve forgotten, in the Autonomy-HP merger – officially the sixth-worst merger and acquisition of all time – HP chairman and CEO Leo Apotheker (who was fired later that year) paid $11.1 billion to acquire Autonomy, a European e-discovery company. By the following year, HP claimed that Autonomy had cooked its books to overvalue itself, wrote down the purchase a a $9 billion loss, and sold off the company’s remaining assets in 2016.

In March, a $5 billion civil lawsuit against Autonomy CEO Mike Lynch started. Testimony from former HP CFO Cathie Lesjak and former HP CEO Meg Whitman was part of this proceeding.

Interestingly, Lesjak said that she had tried to protest against the deal at the time, saying that “she had felt compelled to speak out against the acquisition at a meeting of the Silicon Valley group’s board in August that year” and that the company’s 64 percent premium was too high, writes Simon Duke in The Times. Feeling “blindsided,” Apotheker said at the time she would be fired, but before that could take place, he was fired himself. Lesjak continued working for HP until this February.

Just goes to show how dangerous groupthink can be at a company, where nobody speaks up because they don’t want to be the odd one out or are afraid of the consequences. Though, how long does it take someone to get fired at HP, anyway?

Lesjak went on to be criticized because there was no written record of the calculation of the writedown valuation.

“’I don’t know if it was ever in writing,’ Ms Lesjak said of a crucial part of HP’s calculations which accounted for $2.5bn of the writedown,” writes James Cook in the Telegraph. “’It was a verbal conversation that I had with [HP executive Andy Johnson] when we put it up on the whiteboard and we walked through it together.”

Testimony then went to Whitman, who took over as CEO after Apotheker’s firing and who presided over the Autonomy writedown.

Much of the testimony – as well as the news coverage – centered around Whitman referring to throwing Apotheker under the bus after he blamed the board, on which she sat at the time, for agreeing to the original Autonomy purchase.

“She said in an email dated Dec 14 2012 to HP’s chief communications officer Henry Gomez: ‘Happy to throw Leo under the bus in a tit for tat’ after Apotheker had said the HP board should share the blame for the failed deal,” writes Paul Sandle for Reuters. “Asked by Lynch’s counsel Robert Miles whether she was just protecting herself, Whitman said that was ‘absolutely not the case’. ‘It was a moment of disappointment and anger,’ she said. ‘I shouldn’t have said it.’”

Whitman was also criticized for accusing Lynch of fraud without sufficient proof. “The former boss of Hewlett Packard ‘shot first and asked questions later,’ a court was told,” writes Duke in a different The Times article, adding that she was accused of “trashing their reputation.”

Even Judge Robert Hildyard got into the act, throwing shade at Whitman by alluding to her failed campaign for California governor when he asked her to stop making speeches in response to questions. “Can you please stop making speeches. It’s just not what you’re here for,” he said. “You may have done that at other times in your career but it’s not what you’re here to do today.”

Hildyard also intervened in another exchange, as described by Jonathan Browning in Bloomberg News:

“I don’t know why we would ask a fraudster why he had committed fraud,” Whitman said. “We had been a victim of significant fraud.”

“No, you had an allegation of fraud,” replied Miles, who accused her of “trashing” the reputations of Autonomy managers. “And it’s nothing more than that and you know it.”

“Well, I don’t believe that’s the case,” Whitman said. “We knew exactly what had gone on here.”

At this, Judge Robert Hildyard intervened.

“Then I wouldn’t have anything to do, would I?” the judge said. “Things have to be proven.”

June 13, 2019  9:38 AM

Hofeller Storage Case Fascinating Study in How Not to Protect Data

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security, Storage

If you saw it on tv you’d probably chide it for being a cliché: A guy who spends his whole life passing information on in phone calls so he doesn’t have anything written down in email or paper dies, and has all sorts of incriminating stuff on his un-password-protected, unencrypted computer storage.

Yet that’s apparently the situation with Thomas Hofeller, who died last August, and whose daughter discovered all sorts of information about manipulating the census and redistricting process on his storage devices.

We’re not going to get into the politics of it all. There’s plenty of that elsewhere. But it’s a fascinating study in storage.

We’re written before about the issues of the storage of people who’ve died. There’s two categories of data. One is the stuff the dead person has written to which the heirs would like access: financial records, medical records, photographs and videos, family history and so on.

The other is the stuff that the dead person really doesn’t want to get around, like browser histories, chatroom transcripts, and so on.

Finding a way to reveal the former while protecting the latter has always been a challenge, particularly if the person dies suddenly. Encrypt everything, and the heirs can’t get access to the material they need. Encrypt nothing, and all sorts of embarrassing stuff can come out.

It’s the latter case that’s coming up with Hofeller.

Ironically, he’d spent his whole life advising people to avoid putting things in writing. “Make sure your security is real.” “Make sure your computer is in a PRIVATE location.” “ ‘Emails are the tool of the devil.’ Use personal contact or a safe phone!” “Don’t reveal more than necessary.” “BEWARE of non­-partisan, or bi­-partisan, staff bearing gifts. They probably are not your friends.”

Yet when Hofeller died, he left four hard drives and 18 thumb drives of laptop backups, all in a convenient plastic bag. And apparently they weren’t password protected, or encrypted; none of the articles about this whole situation have indicated that the data was protected in any way.

His daughter, Stephanie Hofeller, had been estranged from him since 2014, writes Michael Wines in the New York Times. And that’s *really* estranged. Nobody in the family even told her that he’d died; she found out by accident by searching for him on the internet.

It’s not just the data itself that’s interesting. There’s also what the daughter did to get the data to the right people (as well as some luck).

The daughter happened to contact an organization called Common Cause to help find an attorney unrelated to her father to help settle the estate, Wines writes. As it happens, Common Cause was involved in a lawsuit regarding gerrymandering in North Carolina.

So that was Piece of Dumb Luck #1.

Moreover, the same law firm representing Common Cause in the gerrymandering lawsuit was also involved in a lawsuit regarding the citizenship question on the census.

So that was Piece of Dumb Luck #2.

Plus, the attorneys in question were smart. “They have been exceedingly careful to play by the rules,” writes Mark Joseph Stern in Slate. “Lizon offered her father’s drives to Common Cause directly, but its attorneys decided to issue a subpoena in February to obtain them formally and provide notice to third parties.”

Then came the potentially problematic part. “In February, attorneys challenging North Carolina’s legislative gerrymander notified the defendants, a group of Republican leaders in the legislature, that they’d issued a subpoena,” Stern writes. “The lawyers had asked Stephanie Hofeller Lizon to provide ‘any storage device’ containing redistricting-related documents left by her estranged father.”

And, for some reason, the attorneys defending the North Carolina gerrymandering case were asleep at the switch and didn’t think there was anything untoward about the request, and allowed it. By the time they realized something might be up, and tried to stop the process, opposing attorneys already had access to the data.

“At a hearing in April weeks after declining to challenge the subpoena, however, [attorney Phil] Strach attempted to block Common Cause’s attorneys from viewing the records they already had in their lawful possession,” Stern writes. “As Melissa Boughton reported at the time, Strach told Wake County Superior Court that he wanted the documents returned to Hofeller’s estate and implied that Lizon procured them improperly. Hofeller’s widow, Kathleen, expressly permitted Lizon to take the materials—but Strach claimed that Kathleen has been institutionalized and may not have been sufficiently competent to provide consent. (Stanton Jones, an Arnold & Porter attorney representing Common Cause, told the court that Kathleen has not been declared incompetent.) The court ignored Strach’s pleas, instead simply directing Common Cause’s attorneys to let the Republican defendants copy the Hofeller drives, pursuant to state law.”

That was Piece of Dumb Luck #3.

(Attorneys for the two sides have also been arguing over whether all the data is to be brought forth, or information that appears to be personal should be withheld.)

The result of finding the files is that people opposed to adding a citizenship question on the census were able to find out that there were other motives behind adding the question – just in time to file a motion about it before the Supreme Court, which is about to address the citizenship question, and just before the North Carolina gerrymandering case comes to trial in July.

Perry Mason would be proud.

May 31, 2019  10:28 PM

Another Judge Rules Against Compelled Biometric Cellphone Unlocks

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security

A second judge has ruled that having to use biometrics, such as a fingerprint or your face, to unlock your cellphone when you’ve been accused of a crime is a violation of the person’s Fifth Amendment rights against self-incrimination.

That’s after a first one in January.

As with a number of the cases around law enforcement trying to get information out of a person’s cellphone or laptop, the crime in question was child pornography. Exactly which law enforcement agency was doing this, and in what city, and the suspect’s name, was all sealed.

The judge in question is Idaho Chief U.S. Magistrate Judge Ronald E. Bush. “Using the individual’s fingerprints for this purpose would constitute a search and seizure under the Fourth Amendment,” he writes in his ruling. “For a search and seizure to be lawful under the Fourth Amendment it must be ‘reasonable.’ A search or seizure is unlawful, and therefore unreasonable, when it violates a person’s constitutional rights. Here, compelling the use of the individual’s fingerprints violates the Fifth Amendment right against self-incrimination because the compelled unlocking of the phone with fingerprints would communicate ownership or control over the phone. Because the compelled use of the individual’s fingerprints violates the Fifth Amendment, the search and seizure would not be reasonable under the Fourth Amendment. Thus, the Fourth Amendment and the Fifth Amendment prohibit the result sought by the Government.”

In contrast, “Furnishing a blood sample, for instance, or providing a handwriting or voice exemplar, standing in a lineup, or submitting to fingerprinting for identification purposes are not testimonial communications because such actions do not require the suspect ‘to disclose any knowledge he might have’ or to ‘speak his guilt,’” Bush continues.

Bush also notes that there were at least four other cellphones in the house with the suspect, so it isn’t at all clear that this particular cellphone was known to belong to the suspect. “The applicant avers that, when questioned at the residence at the time the earlier search warrant was executed, the individual told law enforcement his/her phone was in the bathroom. A phone was found in a bathroom, and the application implies that the individual was not in the bathroom when that statement was made,” Bush writes. “But three other phones were also located during the search. There is no specific information about how many bathrooms were in the residence. There is no information about whether the individual lives alone or whether anyone else lives or was in the residence at the time of the search. To be clear, none of these facts are determinative of the Court’s conclusion in this case. But they do illustrate that any connection between the individual and the phone at issue here is more tenuous than it might be under other circumstances.”

As in the January case, the judge is a magistrate, meaning his ruling could be overturned on appeal, as was a 2017 case in Illinois. In fact, law enforcement agencies are already trying to overturn the January case, using the Illinois case as a precedent, because it “held that no Fifth Amendment testimonial act occurs when agents press a subject’s fingers against a Touch ID sensor on an iPhone, because ‘the government agents will pick the fingers to be pressed on the Touch ID sensor, so there is no need to engage the thought process of any of the residents at all in effectuating the seizure,’ and applying the fingerprint to the sensor ‘is simply the seizure of a physical characteristic, and the fingerprint by itself does not communicate anything,’” the U.S. Attorney in California writes.

The reason this is an issue is that for some time now, it’s been true that, while people may or may not be required to give their cell phone passwords to law enforcement, they were required to give fingerprints and other biometric agents. That’s because a fingerprint is something you have, similar to the way that you can be compelled to give up a blood sample to test for alcohol. And just last August, law enforcement forced a suspect to unlock their iPhone with their face. These were all cited in the request to overturn the January ruling.

It’s also important to point out that, in both the January and May cases, it wasn’t altogether clear that the cellphone in question belonged to the suspect, and the case could indeed be made that using biometrics to unlock it would prove ownership. It’s not clear, for example, that the judges would have made the same ruling if there was a single person and a single cellphone in the house, making it much easier to demonstrate the cellphone in question belonged to the suspect.

In any event, with this ruling, and the one in January (as well as the similar one in Illinois in 2017 that was overturned), it’s getting more likely that this will eventually wind up in front of the Supreme Court.



Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: