Yottabytes: Storage and Disaster Recovery

December 20, 2017  10:59 PM

Text-Destroying App ‘Confide’ Used in Missouri by Politicians

Sharon Fisher
government, privacy, secrecy, TEXT

As you may recall, in 2014 I wrote about an app called Confide, billed as “Snapchat for business.” Intended to send messages secretly, it didn’t allow people to read over your shoulder or let you take a screenshot, and deleted the messages after they were read. Moreover, the company used end-to-end encryption, meaning it couldn’t read the messages, either, and the messages were never stored on the company’s servers. There was some handwringing at the time about what would happen if it got into the hands of politicians (though most of the attention appeared to be on what it could mean for infidelity).

Surprisingly, it took three years, but some politicians in Missouri recently got nailed for using it. Earlier this month, the Kansas City Star reported that Governor Eric Greitens and several staff members had the application on their personal cellphones. The paper wasn’t able to prove that the staff members were using it to conduct government business – kind of by definition — but it’s created a lot of attention in the appropriately named Show-Me State.

“In addition to Greitens — whose Confide account is under the name ‘Er Robert’ — the governor’s chief of staff, deputy chief of staff, legislative director, press secretary, policy adviser, director of cabinet affairs and several other senior staff members have Confide accounts connected to their personal cell phones,” the Star reports.  It did not say how it found this out.

“The fact that senior staff are using it as well hints that the public’s business is what’s at stake here, and if the governor and top officials are using this for public business, they are subverting the Missouri Sunshine Law,” writes the Joplin Globe in an editorial.

“For public servants, text messages constitute government communications,” writes the St. Louis Post-Dispatch in an editorial. “They’re a big deal.”

One state senator called for attorney general Josh Hawley – who is also running for the Senate — to investigate the situation. At first he said he couldn’t, because he is already defending the governor in several other legal cases, though he might appoint a special prosecutor, according to the Post-Dispatch. However, he has since said he will open an investigation.

Use of the application could violate the open records laws of Missouri, Hawley tells the Post-Dispatch.

Greitens spokesman Parker Briden had told The Star, “I don’t believe anyone has (Confide) downloaded on a state-issued device,” reports the AP. And that may well be true, but it evades the issue. The thing is, public officials have a long history of conducting public business on personal devices, either accidentally, because they thought it was more secure, or potentially to evade public records laws. So even if it’s not on a state-issued device, it could still be a problem.

Greitens blamed the liberal media for being “desperate for salacious headlines,” writes the Associated Press, and to judge by some of the comments on the articles, some Missouri voters agree with him.

Meanwhile, Hawley is suggesting that the state update its Sunshine laws to more explicitly address text messages.

Another nuance in the story is that both Hawley and Greitens are Republicans, while the state senator who called for investigation is a Democrat. Some also believe that Greitens intends to run for President in the future.

Ironically, one effect of the story has been to encourage many other Missouri politicians to sign up for the app, the Star reports. “Rep. Robert Cornejo, a St. Charles County Republican who already had a Confide account, posted a link to The Star’s story on Twitter, noting: ‘I get a notification every time one of my ‘contacts’ joins Confide. This story explains why my phone has been buzzing all morning as people (from both sides of the aisle) join.’”

December 13, 2017  3:50 PM

E-Discovery and the Alabama Recount

Sharon Fisher
ediscovery, Electronic discovery, government

If nothing else, Tuesday’s special election for Senator in Alabama is a fascinating case of electronic discovery.

The day before the election, “Montgomery County Circuit Judge Roman Ashley Shaul granted a preliminary injunction directing counties to set voting machines ‘to preserve all digital ballot images,’” writes Mary Papenfuss in the Huffington Post. “The order was requested in a lawsuit filed last week on behalf of Alabama citizens demanding that voting records be protected.” The judge ordered ballot images to be saved for six months.

Plaintiffs said they wanted images to be preserved because they felt that the ballot design was confusing (shades of Florida 2000) and they wanted to make it easier to do a recount if it were necessary, Papenfuss writes. Moreover, state and federal law requires the images to be saved, writes Connor Sheets in AL.com.

However, later that day, Alabama’s state Supreme Court stayed that order, saying that Alabama Secretary of State John Merrill and state administrator of elections Ed Packard, “do not have authority to maintain such records or to require local officials to do so,” Sheets writes in a different AL.com article.

“The court will hold a hearing on Dec. 21 about whether to dismiss the case outright,” Sheets writes. “By that point the state will have had ample time to destroy the digital ballot images legally under the stay.”

Interestingly, the state doesn’t count the actual ballots, but the images of the ballots, Sheets writes. And it’s actually less a matter of “destroying” the records than whether election officials would push the button on each machine to direct it to save the images in the first place, though certainly any images that did get saved could get destroyed.

Some of the machines include a switch to either save all, destroy, or save only write-in ballots, but not all the machines have the switch, according to Andrew Yawn in the Montgomery Advertiser. Alabama saved only images of the write-in ballots. Alabama Attorney General Steve Marshall wrote in a press release that “To change them, as the plaintiffs seek, would not mean simply flipping a switch, but would require the third-party vendor, Elections Systems and Software, to travel to 2,000 voting machines around Alabama to change them. This process could not be completed in a day. To attempt it the day before and day of the election would cause chaos, confusion, and delay.”

(One wonders, what is the default? And why isn’t the default simply set to be saving the images in the first place?)

This is all very interesting in light of Judge Roy Moore’s contention that he wants to have a recount of the ballots after his loss. What would there be to count? If nothing else, articles about the subject showed there’s a lot of confusion.

There are still the paper ballots, which are preserved for 22 months, according to Yawn. But because, by law, only the digital images are counted, they would presumably have to be rerun through the machines, which could end up with different results. Marshall said in his statement that that was the procedure. On the other hand, “Alabama law does not provide for such manual recounts, only a machine recount of the digital images that are taken at the time each ballot is cast,” writes Andrew Gumbel in the Guardian. “If those images are then destroyed, there is no easy way to verify that they were read and counted correctly.”

Incidentally, an automatic recount only happens if there is a .5 percent difference or less. The difference is actually about 20,000 votes, or around 1.5 percent, according to the Associated Press. “The state canvassing board will declare whether an automatic recount is needed, when it meets sometime between Dec. 26 and Jan. 3. The recount would begin within 72 hours of that decision.”

States that have given up paper ballots altogether in favor of electronic ones have varying requirements, writes Sean Steinberg in WhoWhatWhy. “Plenty of other states — including Florida, Michigan, and Wisconsin — already release their ballot images to the public upon request. Some jurisdictions, like Dane County, WI, go even further and post their ballot images online,” he writes. “Colorado has ruled in favor of keeping the ballot images, as has Arizona. While Colorado also designated ballot image files as public record, Arizona ultimately decided against making them publicly available.”

The case sets an important precedent for what could happen in the 2018 Congressional elections, which are also expected to be closely contended, writes Steven Rosenfeld in AlterNet.

November 30, 2017  9:24 PM

Supremes Hear Arguments on ‘Carpenter’ Cellphone Location Data Case

Sharon Fisher
government, privacy, Security, smartphone

The Supreme Court has begun hearing arguments in the case of Carpenter vs. the United States, which could help determine what sort of data the government could get about you without a warrant.

As you may recall, in 2010 and 2011, two guys in Detroit were accused of robbing electronics stores of cellphones, and the Federal Bureau of Investigation (FBI) used their cellphones to prove that they were near a number of the incidents. To do this, the FBI went to the suspects’ cellphone providers and obtained a lot of data about the suspects’ locations – more than 12,000 for one guy, and almost 24,000 for the other guy. The defense attorneys for the guys are saying that the phones revealed so much personal data about the guys that a warrant should have been required for the search. The case is called Carpenter vs. the United States, because one of the guys is named Carpenter, and he was sentenced to 116 years for the robberies.

(An aside – 116 years? For stealing some cellphones, even tens of thousands of dollars’ worth?)

It’s complicated, because it’s all predicated on the third-party doctrine, which states that by giving a third party access to your data – such as giving the phone company the number you’re dialing – you give up protection to that data. That’s all based on a 1979 case called Smith vs. Maryland.

But as time goes on, that becomes more fraught. “I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year,” Justice Sonia Sotomayor wrote in 2012. “I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.”

Even the Attorney General who successfully argued Smith is saying its time is past. “This is taking the Smith precedent way too far, in a vastly different technological age,” writes Stephen Sachs in the Washington Post. “When the Supreme Court decided Smith, in the pre-dawn of the digital age, we didn’t know about the Internet, smartphones, cloud computing, Facebook or Twitter. No one involved in the case could foresee the digital revolution that was to come.”

Without changing the third-party doctrine, the future could be even worse. Under that third-party doctrine precedent, the government could have access to all sorts of data collected by the Internet of Things, such as how much beer you have in your fridge and your Fitbit’s data.

Moreover, such electronic surveillance is really cheap, writes Jake Laperruque in Slate. “It previously cost roughly $250 an hour to track someone on foot and $275 an hour to track them by car,” he writes. “Now, police can track an individual with a GPS tracking device for a mere 36 cents an hour. Cellphone tracking can be as cheap as 4 cents an hour. In the past, resource constraints meant that the government could only track and log the locations and activities of a small group of people. Now it can do so for the entire population.”

“If a warrant isn’t required for the Carpenters of the world, it isn’t required for the rest of us either,” write Matthew B. Kugler and Sarah O. Schrup in the Los Angeles Times. “And the government will remain free to gather far more information about the behaviors and beliefs of its citizens than it should.”

On the good news side, some people had expressed concern about new Supreme Court Justice Neil Gorsuch, appointed by President Donald Trump in April, fearing that his views would be in lockstep with the President’s. But based on his questions earlier this week, he seems to be agreeing that the current system goes too far, though he’s coming at it from a different angle from the other justices: calling it a property right.

Other Justices found other ways to argue the case, with Justice Elena Kagan asking how it differed from putting a GPS on a car – which the court ruled in 2012 required a warrant.

Some Justices also suggested that Congress, not the Supreme Court, should be changing this law if necessary, pointing to examples such as the Stored Communications Act, one of the ways in which the FBI obtained access to the data without a warrant. “Justice Anthony Kennedy strongly suggested that since Congress did pass legislation governing searches like this one, the court should defer to its co-equal branch,” writes Nina Totenberg for NPR. “In an area where it’s difficult to draw a line, why shouldn’t we give very significant weight to Congress’ determination, through the Stored Communications Act?” she quotes him as saying.

On the other hand, other justices pointed out, the Stored Communications Act itself is more than 30 years old, it can take Congress a long time to do something, and in the meantime, Americans’ rights would be being violated.

In general, opposition to this third-party doctrine cuts across the political spectrum, with conservative organizations and publications such as Reason, the Federalist, and the Cato Institute also chiming in. That also gave Gorsuch the opportunity to drag the Founding Fathers into it. “John Adams said one of the reasons for the war was the use by the government of third parties to obtain information forced them to help as their snitches and snoops,” he said. “Why—why isn’t this argument exactly what the framers were concerned about?” For his part, Jim Harper in the Federalist one-upped him by citing the 1215 Magna Carta.

The court could go in multiple ways. It could, for example, rule that getting such data without a warrant was ok, but only for a single day, not for weeks as in Carpenter. On the other hand, it was pointed out that gathering that data for multiple days can actually help prove a person’s innocence by demonstrating that they went to a particular site without being associated with a crime.

The court is expected to rule on the case by June.

November 29, 2017  12:28 AM

Cryptocurrency Storage is the Latest Bitcoin Wrinkle

Sharon Fisher

Now that bitcoin and its friends have practically reached the shoeshine boy level of hysteria, people are becoming more interested in how you keep track of the things. So the topic of cryptocurrency storage has been raising its ugly head.

The traditional banking system does have its advantages, after all – your deposits are insured and stores know how to use the currency. “Normally, the value of a currency is backed up by a country’s central bank – or in the case of the euro, a whole host of countries’ central bank. That means that while it’s not protected, and values can change, there is at least someone responsible,” writes James Andrews in the Mirror UK. “With crypto currencies there is nothing backing their value at all. That means prices are based solely on what people think they’re worth, and if something undermines that belief they can go into freefall.”

Moreover, cryptocurrency owners are faced with threats from every direction, writes Alexandr Nellson in Medium (who goes on to describe his detailed recommendations about how to store bitcoin).

Keep it online? It could get stolen. It could get hacked. The place you store it could get hacked. Keep it online at home? All of that, plus you could accidentally throw it away. Your house could burn down and take your storage device with it. Keep it on some sort of physical medium, such as paper? All of that, too. Some people go so far as to carve their bitcoin keys on a piece of metal to prevent the fire-and-water problems inherent in paper, but then you have to worry about the inherent problems in each kind of metal.

“Silver, gold, copper, brass, bronze, nickel, cobalt, would survive the housefire fire unmelted,” writes the Bitcoin Wiki, which goes into great depth on every possible harm that could come to every way of storing bitcoin. “Some Aluminium alloys can survive but you have to have the right ones. At around 1500° Steel and Nickel should be okay. Titanium is above the housefire range and so is tungsten, however tungsten rings are known to shatter due to the brittle nature of the very hard metal.”

Plus, in general, the more secure the method, the harder it is to actually, like, spend it. Is any method foolproof? Unfortunately not, if only because fools are so ingenious.

This isn’t new. As long ago as 2013 – which, in the world of cryptocurrency, was a long time ago – there was a poor Welsh guy picking through the garbage dump in a fruitless search for the hard disk he’d thrown away with $7.5 million of Bitcoin on it. (If he ever did find it – now worth $72 million — he’s not letting on.) Even really smart guys like Elon Musk have reportedly lost track of their bitcoin, and he has a lot of company.

“According to new research from Chainalysis, a digital forensics firm that studies the bitcoin blockchain, 3.79 million bitcoins are already gone for good based on a high estimate—and 2.78 million based on a low one,” write Jeff John Roberts and Nicolas Rapp in Fortune. “Those numbers imply 17 percent to 23 percent of existing bitcoins, which are today worth around $8,500 each, are lost.”

Ironically, according to many experts, the best way to keep your bitcoin – which are generated from the Internet – is to keep them off the Internet, a method known as “cold storage.”

Naturally, people are trying to monetize the storage, whether it’s by selling a wide variety of hardware and software devices to hold bitcoin or offering services to store it. As institutional investors start becoming more interested in cryptocurrency, bitcoin storage companies such as Coinbase are approaching them, while banks that are already working with institutional investors such as South Korea’s Shinhan Bank are expanding into storing bitcoin as well. And we’re talking big money.

“Over 100 hedge funds have been created in the past year exclusively to trade digital currency,” writes Brian Armstrong, Coinbase cofounder and CEO. “An even greater number of traditional institutional investors are starting to look at trading digital assets (including family offices, sovereign wealth funds, traditional hedge funds, and more). By some estimates there is $10B of institutional money waiting on the sidelines to invest in digital currency today.”

Indeed, another proposed form of cryptocurrency known as the Chia is built on storage itself, which is said to require less electricity than the current bitcoin technology.

In any event, whether you think cryptocurrency is the future of money, or just this generation’s tulip fever, you can’t get away from storage.

November 26, 2017  12:22 AM

What ‘Blade Runner 2049’ Teaches You About Backups

Sharon Fisher

It turns out that the new Blade Runner movie is all about backups. Who knew. Needless to say, spoilers follow.

The original Blade Runner movie, made in 1982, was set in 2019, which means only a little more than a year from now. Sometimes I think we have a long way to go; other times, I think we’re already there. But in any event, a major plot point in Blade Runner 2049 – set in 2049, in case you couldn’t figure that out – was about an event called the Black Out, where all the data and all the backups got zapped. That meant that, by and large, people in the new movie couldn’t go back and get information about the period of the previous movie, or events before it. The Black Out was set in 2022.

An event like the Black Out certainly fits in with concerns that some people have about a “digital dark ages,” where so much data is stored only electronically that if it gets destroyed, we’ll end up losing a lot of our history. And the characters in the new movie spend a lot of time trying to track down information that used to be available, using techniques such as audio files and what looks like microfiche – all garbled and fragmented, of course.

While watching the movie, I was naturally wondering what had caused the Black Out in the first place. I was thinking, maybe a Carrington event? or something else related to the Earth’s or the Sun’s magnetic field? But it turned out to be something a lot more deliberate: Replicants had set off a nuclear bomb to create an electromagnetic pulse, which shut down everything electronic, and they had also destroyed all the archives as well, to keep humans from using the archives to track down replicants to “retire” them.

That’s all told in Blade Runner Black Out 2022, an animated short created by Shinichiro Watanabe that is one of three such features that fit in between the old and new Blade Runner movies.

Exactly how the replicants destroyed the archives isn’t clear, nor is it clear why there weren’t backups made of the archives and, uh, replicated – as it were — around the world. (Or even off of it, since “off-world” is a thing in the Blade Runner movies.) But, you know, it’s a movie.

That’s not the only discussion of backups in Blade Runner 2049. One of the characters has an electronic girlfriend, a holographic simulation that is, as they say, fully functional. But she can only exist on the protagonist’s home network until that character gets her an Emanator, a device that lets her also exist out in the world. It’s as if Amazon’s Alexa was a hologram and there’s a difference between an Echo, which has to get plugged into the house, and a battery-operated Dot, which could get carried around.

Concerned that the bad guys are spying on the protagonist using her home-based system, the electronic girlfriend suggests to the protagonist that he delete her home-based system and only keep the Emanator version – but, she warns, he has to be really careful not to let the Emanator get destroyed, or she’d get destroyed, with no backup. Naturally, with a Chekhov’s-gun foreshadowing like that, in two shakes of a lamb’s tail we’re seeing the Emanator crunched under the antagonist’s boot and the hologram is never to be seen again. Apparently backing up the Emanator itself wasn’t an option.

And in a final example of art imitating life – even before ripped-from-the-headlines — one character kills another character, then uses one of her dead body parts to get through the biometric security system on her computer. Just a couple of weeks ago, the FBI was criticized for not acting soon enough to use the fingerprints of alleged Texas shooter Devin Kelley to unlock his iPhone. It turns out that it needed to be done within 48 hours – not because the fingerprints started to decay or anything, but because Apple locks out the system after 48 hours with no contact, and requires a password.

“Touch ID allows the owner to set a fingerprint to open the device,” write Elizabeth Weise and Kevin Johnson in USA Today. “However, Touch ID stops working if the phone hasn’t been unlocked for more than 48 hours — at that point the user must type in the passcode, according to Apple’s website. Too many unsuccessful attempts to unlock a passcode can lock down a phone permanently. If the phone had been set up to accept a fingerprint, the FBI could have used Kelley’s finger to open the phone during that 48 hour window, if he had recently unlocked it. Apple’s Touch ID feature can be engaged with a dead person’s finger,” they assure us.

Eww. (Why would Apple put in that feature? Surely they don’t expect a rash of bad guys sawing off the fingers of their victims after 48 hours to get into their phones?)

In any event, who knows. Maybe the next Blade Runner movie will be about disaster recovery.

November 18, 2017  9:18 PM

Pornography Conviction Gives ‘Flash Memory’ a Whole New Meaning

Sharon Fisher
Flash, SD cards

LPT (Life Pro Tip): When you move from an apartment, take your child pornography with you.

Carpet installers in an apartment in Beaumont, Texas, found three SD cards in an empty closet. “As they started carpeting a bedroom in the vacant apartment on June 5, 2013, workers found something odd tucked away at the top of a door frame. There were three SD cards that belonged in a camera — and it looked like they had been hidden in the room.”

(One could wonder why people installing carpet were looking at the top of a door frame in the first place.)

And of course they promptly did what you’re not supposed to do: Stuck them into one of their devices to see what was on them.

They got more than they bargained for.

When they looked at the SD cards, they discovered they had child pornography on them, so they called the cops and reported it (and fortunately weren’t arrested themselves in the process). “The cards contained 97 images of child pornography, prosecutors say, as well as 222 images of child erotica,” writes Jared Gilmour of the McClatchy newspapers. “Those images showed a girl younger than 10 engaging in sex with an adult man,” who has since been arrested and sentenced after being identified in the pictures.

This was in the mainstream media, so technical details are admittedly sketchy. Newspaper articles reference discoveries made through “computer forensics,” which in this particular case could simply be a matter of looking at the directory on the SD card. For example, “Police were also able to prove, using digital forensics, that the cards were last accessed during the time period when Hawkins was leasing the unit” – in other words, the “date modified” field in a directory. (Reminds me of when some of my reporter friends would explain that they had found a piece of information by the “careful application of journalistic principles,” which meant they asked somebody.)

In addition, none of the articles mentioned anything about a password or encryption, so it would appear that the photos were readily visible to the casual observer. The articles indicated that the memory card “belonged in a camera,” but many cameras in this day and age can use the same kind of SD cards as a smartphone, so it isn’t clear how it was determined that the memory card came from a camera specifically. Consequently, it also isn’t clear whether he was using a device that could have encrypted the photos, such as a smartphone. If it isn’t actually possible to encrypt photos on a camera, as opposed to a smartphone, that seems like it would be an interesting security hole.

The upshot is that, four years after the carpet installers discovered the SD cards, Charles Henry Hawkins, 57, was convicted for possessing child pornography, a third-degree felony. He was sentenced to ten years in prison – the maximum sentence — as well as having to pay a $10,000 fine and register as a sex offender for the rest of his life. He probably will also be a lot better about taking his SD cards with him in the future.

October 31, 2017  1:05 PM

Queen’s Security Data on USB Stick

Sharon Fisher

We’ve written before about the dangers of USB sticks and why it’s not a good idea to poke ones that you find lying around into your computer. But here’s a story that’s different: An unemployed guy found a USB stick in a pile of leaves in the street, plugged it into a computer in the library – bad human! Bad! – and it turned out to be the security plans for when Queen Elizabeth visits Heathrow Airport.


According to the Mirror, which broke the story after the unemployed guy took the USB stick to them, the device contained 76 folders with 174 files totaling 2.5 GB, which were neither encrypted nor password-protected. “It revealed:

  • The exact route the Queen takes when using the airport and security measures used to protect her
  • Files disclosing every type of ID needed – even those used by covert cops – to access restricted areas
  • A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
  • Maps pinpointing CCTV cameras and a network of tunnels and escape shafts linked to the Heathrow Express
  • Routes and safeguards for Cabinet ministers and foreign dignitaries
  • Details of the ultrasound radar system used to scan runways and the perimeter fence”

So there are three main issues here.

First, how did the files get onto a USB stick in the first place? Are they the actual files used by Heathrow Airport? If that’s the case, they’d better start locking down their security procedures (even though airport chief executive John Holland-Kaye assured members of Parliament that the airport was “completely secure”). For example:

  • Which of their computers have unsecured USB ports that support a USB stick?
  • How many people have access to those files?
  • How many of the people with access have authorization to download those files without it being logged?
  • How many people can leave the facility with a USB stick without it being detected?
  • If this was an authorized download, why wasn’t it encrypted?

If they aren’t the actual files used by the organization, what are they? Notes? Someone else’s actual files? The provenance of the data needs to be ascertained. “Given the location of the find, close to Heathrow, it is thought more likely that an airport worker had accessed the data and inadvertently lost the USB drive,” writes Simon Calder for the Independent. “But it is believed more likely that whoever lost the memory stick had security clearance to access the data, if not necessarily to take the information away from Heathrow on a portable drive.” He didn’t say, however, who thought and believed this or where he got this information.

Second, how did the files come to be on a USB stick in the street, about six miles from the airport (though one source says ten miles)?

  • Do we have a careless worker who dropped the files they were taking home to work on?
  • A careless terrorist who was supposed to bring them to a meeting? “Oops, my bad.”
  • A careless spy who dropped the files they were planning to sell to someone?
  • Someone discarding the files after they had already made copies or sold them to someone?
  • An attempt to sow fear, uncertainty, and doubt by revealing that the information was out in the world, thus making people afraid to visit Heathrow, or even London itself, for fear of a terrorist attack? As far as terrorism goes, fear of an attack – especially just before the busy holiday season — is almost as good as an actual attack, and it isn’t nearly as dangerous and doesn’t hurt people.

And if it was somebody being careless, they were doubly careless not to encrypt the files – though we know that, despite governments’ insistence that encryption is a tool for terrorists and child pornographers, terrorists often don’t encrypt their own files. On the other hand, if the release of the information was the goal, it would be important not to encrypt them, because otherwise how would people know to be afraid that the information was released?

Third, how did the files come to be on a USB stick on that street?

  • Were they dropped?
  • Were they deliberately placed there? Was it a dead drop of some sort?
  • Were they intended to be found by that person? Or by someone else and this other person picked them up? (We’ve been binging on The Americans lately; can you tell?)
  • How many other such USB sticks with the Queen’s security plans are out there? Where else might copies of that data be?

One thing is for sure: People are going to be seriously scanning the ground for USB sticks in England for a while. Hopefully they’ll take them to the police rather than poking them into their computers – because, you know, that’s still a bad thing to do.

October 27, 2017  9:06 PM

Eek! NYPD Doesn’t Do Backups!

Sharon Fisher

It’s not often that backups get mentioned in court cases – let alone that people get chided for not doing their backups – but that happened recently in a New York courtroom. Sadly, it seems like the issue is more one of people not knowing technical terminology, though that’s scary enough in itself.

It all started in 2013, when the Bronx Defenders, a nonprofit advocacy group, tried filing public records requests using New York’s Freedom of Information Law (FOIL) – the state equivalent of the national Freedom of Information Act — regarding the New York Police Department’s (NYPD) civil forfeiture account. Since then, Bronx Defenders and NYPD have been back and forth in court, with NYPD insisting that the information isn’t available or is too hard or expensive to get. In one instance, NYPD took 19 months to respond to an inquiry when it was supposed to respond within 10 days.

This comes up because reports indicate that NYPD has a balance sheet of as much as $68 million in civil forfeitures, but it isn’t clear where it came from or when. The department has also been criticized for several years about its lack of transparency on the issue. People have reported that assets including cash, cars, house keys, cell phones and prescription medication were taken from them when they weren’t charged with a crime, and they were unable to get them back.

This is interesting in an IT sense because NYPD reportedly spent $25.5 million in 2009 for its Property and Evidence Tracking System (PETS) database to help it track this information. In fact, according to a 2012 Computerworld award nomination form, “The cradle-to-grave life cycle of property and evidence invoiced in PETS is visible upon demand. From the moment an invoice is created, all related actions and movements (who, what, where, when, and why) are captured up until the moment the invoice is closed.” Which seems to be just what people are asking for, and just what NYPD is saying the system can’t do.

So where do the backups come in? An affidavit from Christian Schnedler, the director of strategic technology programs in the information technology bureau for NYPD, includes the statement, “PETS is the NYPD’s only property and evidence tracking system. Currently, there is no secondary or back-up system, and no repository of the data in PETS outside of PETS itself.”

Consequently, Manhattan Supreme Court Judge Arlene Bluth had kittens. “That’s insane,” she reportedly said. “Do you want the Daily News to be reporting that you have no copy of the data?”

Alert the media.

“New York City is one power surge away from losing all of the data police have on millions of dollars in unclaimed forfeitures, a city attorney admitted to a flabbergasted judge on Tuesday,” reported Adam Klasfeld in Courthouse News.

And, naturally, having been called out, the Daily News also chimed in. “The NYPD may be one computer hiccup away from losing track of tens of millions of dollars it has taken from members of the public,” concurred Max Jaeger.

The department quickly backpedaled. “‘Contrary to some published reports suggesting that NYPD does not electronically back up the data in its Property and Evidence Tracking System (PETS), all such data is backed up continuously in multiple data centers,’ stated Deputy Commissioner Stephen Davis,” writes Emma Whitford in the Gothamist.

Meanwhile, the city of New York has also passed a law requiring the NYPD to report on seized property data on an annual basis, according to Bronx Defenders. It is scheduled to go into effect in 2019.

In context, it’s looking like what Schnedler actually meant to say was that there wasn’t an alternative “backup” method to retrieve the data, not that there were no backups at all. Not the sort of terminology mistake you want your director of strategic technology to be making, particularly when talking to a judge.

On the other hand, the NYPD apparently couldn’t even agree on whether the database was from IBM. “This article has been modified to remove a reference to whether the NYPD’s database is IBM, something that the parties dispute,” reported Klasfeld. As it turns out, the hardware is from IBM; the software was from SAP, and the underlying technology was an IBM DB2 SQL database, according to the 2012 Computerworld award nomination form.

What the basic issue appears to boil down to is that the database user interface is intended to deal with one record at a time, and NYPD is saying it would be overly burdensome to have to retrieve the information in that way. Database experts are saying, look, just write an SQL query to retrieve the raw data out of the database. It isn’t clear whether NYPD actually doesn’t understand this concept, or is just dragging its feet.

And some of the briefings are absolutely hysterical, as is typically the case when computer things come up in court. The judge cites one affidavit, noting “‘the PETS system was not designed to generate accurate reports of aggregate numbers of invoice property by type of hold, with values, precinct, type of investigations, and whether the investigation led to an arrest or not,’” she quoted. “Does that mean that PETS can generate inaccurate or somewhat inaccurate reports? These unanswered questions compel this Court to direct respondents to file an answer to the petition.”

That said, it’s always nice to be reminded to do backups. Another round of oral arguments is scheduled for December 12.

October 13, 2017  1:19 PM

New Micron VP Charged With SanDisk Insider Trading

Sharon Fisher
Micron, SanDisk

Being accused of securities fraud at your previous company. “I’ll take ‘Things Not to Do During Your Probationary Hiring Period’ for $500, Alex.”

Nonetheless, Anand Jayapalan, the new vice president of Micron’s Storage Business Unit, has been accused by the Securities and Exchange Commission (SEC) of insider trading at SanDisk only about six weeks into his new job.

As you may recall, Micron hired SanDisk cofounder Sanjay Mehrotra in April as CEO, to replace Mark Durcan, who was planning to retire after taking over as CEO following the death of Steve Appleton in 2012 in a plane crash. Since then, in addition to shutting down the company’s Lexar consumer division, Mehrotra has hired at least three former SanDisk executives into the Boise, Idaho, company:

  • SanDisk’s senior vice president of corporate engineering, Jeff VerHeul, as senior vice president of Micron’s Non-Volatile Engineering.
  • SanDisk’s chief strategy officer and Enterprise Solutions head, Sumit Sadana, as chief business officer.
  • SanDisk’s vice president of marketing for Enterprise Storage Solutions, Anand Jayapalan, hired on August 21 to head Micron’s solid-state storage business and expand it in large market segments including the cloud, enterprise, and client computing, reporting to Sadana.

At the time, the market was pretty happy about these hires. “Clearly, Mehrotra plans to align the product strategies of Micron’s four business segments—computing and networking, storage, mobile, and embedded—to market trends and customer demands,” wrote Paige Tanner in August for The Market Realist, in an article called “Do the Changes in Micron’s Management Suggest New Hope?”

But on September 29, the SEC filed its complaint. And it was a doozy.

You may recall Fusion-IO, which went public in 2011. SanDisk purchased Fusion-IO in 2014. And the SEC figured out that Jayapalan’s uncle Ananda Kumar Ananda, aunt Vijaya Ananda, and wife Rajni Nair appeared to be acting on insider information by purchasing large amounts of Fusion-IO stock soon after SanDisk had decided to buy Fusion-IO, and selling it soon after the sale was announced. (The SEC complaint has an entire page listing the various connections and relationships between the four people, as well as an entire page of times they were less than honest about their relationships and the stock trades.)

Now, it’s not like someone needed insider information to figure out that Fusion-IO was an acquisition target. Heck, I wrote as much in July 2013. But the timing was suspicious. Altogether, the family members purchased more than 78,000 shares of Fusion-IO using eight different accounts the weekend after Jayapalan was informed of the likely purchase, after never having bought the company’s stock before. This was all after 20 phone calls during the three-day weekend among the four people.

In fact, the uncle borrowed about a third of the more than $600,000 purchase price through margin loans. “Kumar made this large and substantially leveraged investment in Fusion stock at a time when his medical practice was in substantial decline, he owed nearly $100,000 in credit card debt, and after he had suffered what he described as a ‘drastic’ reduction in his personal income between 2012 and 2014, as his salary dropped by approximately one-third,” notes the SEC’s complaint. The SEC also noted that the aunt and uncle bought and sold Fusion-IO stock at the same time, which they had never done before, that the aunt had never made such big trades before, and that the uncle typically bought and held stock rather than selling it a short time afterwards.

After the SanDisk purchase of Fusion-IO was announced, the stock went up by 22 percent, and Jayapalan’s family members earned more than $200,000.

The SEC wants the four people to pay back all the money they made, as well as any interest they earned on it, plus civil penalties. The SEC didn’t say how much the penalties should be, but civil penalties can be up to three times the profit earned on insider trading.

Interestingly, the SEC doesn’t seem to want to charge them with criminal insider trading, which carries a sentence of up to 20 years and a fine of up to $5 million. Nonetheless, the complaint makes several references to how the defendants “knew or should have known” that what they were doing was wrong — the definition for “willful” that typically delineates the difference between civil and criminal insider trading.

No word on what’s happening with Jayapalan’s job, though one might expect he won’t necessarily get a great first-quarter review.

September 30, 2017  5:44 PM

Cobbling Together the Toshiba Memory Chip Sale

Sharon Fisher
Apple, Flash, samsung, toshiba, western digital

We’ve been waiting a while to find out about the Toshiba memory chip sale, and it looks like it might finally be settled: A sale, sort of, with an eventual IPO.

Sort of?

“While it says that it sold its chip division, it didn’t really,” writes Tim Culpan for Bloomberg Gadfly. “It merely pawned it to Bain until it can afford to buy it back again.”

As you may recall, this all started this spring when Toshiba revealed it had lost a lot of money constructing, of all things, nuclear plants. At that time, the company said it intended to sell its memory chip division, hoping to raise at least $18 billion from it, and was also hoping to complete the sale by June. Which it obviously didn’t do. Without the sale, Toshiba faces delisting from the stock exchange due to its losses.

There are a lot of moving parts to this deal:

  • Toshiba is investing 350.5 billion yen and in return gets 40.2 percent of the company.
  • SK Hynix (which used to be Hyundai Electronics) is investing 395 billion yen (around $3.5 billion) and in return will get less than 15 percent of the company.
  • Hoya is investing 27 billion yen — 1.4 percent of the money — and in return gets 9.9 percent of the company.
  • A partnership led by Bain Capital — appropriately called Pangea — is investing a total of 415.5 billion yen (around $3.7 billion) and in return gets 49.9 percent of the company. Those partners include:
      1. Apple, which is investing 165 billion yen (around $1.47 billion). Why does Apple care? Because Toshiba is the second-biggest manufacturer of the flash memory chips that its iPhone and iPad use. Why can’t it use the number-one manufacturer? Because that’s iPhone competitor Samsung.
      2. Dell, Seagate and Kingston, which are investing a total of 250 billion yen, with Seagate specifically saying it would invest up to $1.25 billion.
      3. Bain Capital, which itself is investing an additional 212 billion yen.

Why don’t the percentages of investment and equity match? Because, for example, SK Hynix is taking a smaller percentage of equity to avoid antitrust issues, Culpan writes. Another factor is that between Toshiba and Hoya, Japanese companies still retain a majority interest in the company – “a keen wish of the Japanese government,” Reuters writes. SK Hynix and the American companies will not have voting rights; their primary interest is access to the unit’s chips.

There were, in fact, so many moving parts that a press conference on the deal was cancelled because the participants hadn’t agreed on some of the details, according to Reuters.

In addition, Western Digital is continuing to throw a cog into the works. “A Western Digital subsidiary, SanDisk, shares ownership with Toshiba of a flash memory production operation in Japan,” explains Jonathan Soble in the New York Times. “Because of that, the American company contends that its approval is necessary for Toshiba to sell the chip unit. Western Digital – which in September had been rumored to have bought the Toshiba unit itself — said this week that it would seek an injunction against the deal.” In the meantime, Toshiba and SanDisk are undergoing arbitration to settle the multiple lawsuits they’re filing against each other, according to Toshiba.

That has also led to state-sponsored Innovation Network Corp. of Japan and Development Bank of Japan backing out of the consortium, write Pavel Alpeyev and Yuki Furukawa for Bloomberg. In the meantime, what could happen is that the three joint ventures owned by Western Digital could be withdrawn from the sale, they write.

Assuming the whole thing works out – it is expected to close by March 31 — Culpan expects an IPO around 2020.
