I wrote a post in June on companies that choose to outsource their email, specifically using Gmail. A London, Ontario-based lawyer named David Canton recently published an opinion here.
Outsourcing I.T. to Google – legal comment
Tour guide presentation at Point Clark Lighthouse

http://www.flickr.com/photos/jbusch/2945015981/
We rented a friend's cottage this week. Ironically, it is located on the same beach where I spent my vacations for years as a child and teenager. Amberley Beach is where my parents rented a cottage for two weeks every summer.
About 3 km north is Point Clark. My daughter, her friend and I biked up to the Point Clark lighthouse and went for the tour. The tour was run by a girl named Meaghan. She was in grade 10 and it was her summer job. What was interesting was she was obviously nervous. Once the group arrived, you could see her clearly ‘shift’ into a rehearsed speech about the lighthouse. Fair enough, I am not a presentation expert and I’d be very nervous too.
Meaghan explained the history of the lighthouse and how it was built, and we then all climbed the 114 stairs to the top. At the top, Meaghan again explained the lighthouse, its historic features, the views and other interesting things. At certain points, when she would break from speaking to let everyone look around, I started asking her questions. I was trying to get her to relax a bit. She responded very well and articulately, answering me easily. It was obvious she had done her homework and knew the information.
After we came down from the lighthouse, we went to the museum, which was actually the light keepers house where he and his family lived. She came to a set of pictures and pointed to them and said “This is my great aunt and uncle, one of the light keepers here back in …”. I was shocked, and if you looked at the rest of the tour, you could see the changes on their faces. From this point on, the group completely changed how they viewed Meaghan and information she was conveying. They asked more questions, and showed much more interest in what she had to say. Even Meaghan seemed to relax a bit.
After the tour, I spoke briefly to Meaghan, thanked her for the tour, said she did a good job and suggested she mention at the start of the tour that her great aunt, uncle and grandparents were lighthouse keepers at the lighthouse. She seemed genuinely thankful that I commented on her tour and for the suggestion. I really hope she does. I am not a presentation expert; it is something that I have always struggled with, although I do enjoy presenting when I have something to say in an area I am experienced in. Having personal experiences like Meaghan has, where her family directly worked at the lighthouse, gives so much credibility to what she is saying during the tour. She is conveying the same information, but adding that personal family history makes it all the more real to the tour guests. They pay more attention to what she has to say, ask more questions and listen more attentively to her responses. Being able to add examples or experience to any presentation makes the presentation even better. I was told that by an excellent presenter a while back, and I always try to do that when I present. This was a perfect example of why that works.
ATM vulnerability research pulled from Blackhat

http://www.flickr.com/photos/martineian/485029758/
A presentation of research on an ATM vulnerability has been pulled from the Blackhat conference. This is too bad, as I will be attending and love listening to security research of this calibre. What is more disappointing is what it says about software and systems design and development. Companies are going to have to get their heads around the fact that security design and testing have to be built into the product from the beginning. Most vendors will say they do this, but the fact of the matter is that many do not. Those that do often have good intentions, but then costs, timelines, delivery to market and other conditions cause them to drop the level of testing. Security just isn't a priority. Personally, I feel the answer is simple. Make the vendors legally and financially responsible for the software they design and create. As soon as money is on the line, it will force the right thing. This idea is not mine either; a great write-up on this concept can be found here. I think this is important.
This research was stopped because the ATM vendors do not have things fixed even after being told about it 8 months ago. But what about the bad guy? The guy that discovers a vulnerability such as this and, rather than choosing to present it at a conference, just sells it to organized crime? Some would call this spreading FUD (fear, uncertainty and doubt). Maybe, but I think it is easy to see it happening more and more if nothing is fixed.
No covert pictures please – removing sound from your PDA when you take a picture

http://www.flickr.com/photos/lwr/3318166499/
At work we have a white board which holds an up-to-date task list for a particular project my team is working on. It is nice in that you can just look up at it while in the office, or anyone can walk over and get current information. One of the guys on the team likes to see the list get shorter. For these reasons we keep it on the white board. The problem is, when you are working remotely as I often do, how do you obtain the current status? My solution is to take a picture of it with my PDA before I leave at the end of each day. Besides keeping a chronology of the project in the pictures, it allows me to pull it up on my laptop when I am not in the office and work.
This morning, I am sitting in Starbucks working away and I get my PDA out to download the latest task list picture to my laptop. In the process of getting to the application, I accidentally took a picture of my table. The cursor was on the 'take a picture' selection by default and I must have pressed the enter key. Two people heard the 'click' noise and immediately looked over. No big deal, but I found their reactions interesting and amusing. The next thought was to ask myself how one disables the sound. Turns out you cannot.
A quick look around the web and I discovered a few things on the topic of PDAs and the sound of the picture taking. RIM, the makers of Blackberry do not provide the option to disable the noise. Some speculate this is because RIM doesn’t want you covertly taking pictures, but maybe they just forgot or dropped it from the design due to time pressures. Regardless it seemed kind of silly.
It is well accepted nowadays that there is no expectation of privacy in public. Stores, businesses, and places of employment have cameras, both overt and covert, that constantly record and store people and their activities. Street cameras downtown constantly record and store traffic and the movements of people. If this is acceptable, why is it not acceptable for an individual to take a picture? I find the assumption that there is more risk from individuals taking pictures or video than from a registered business or government entity very naive. Turns out there is even an attempt somewhere in the world to put a law in place that would 'require' the noise on all digital devices.
No matter, like all things there are ways around it. A quick search led me to this application. Downloaded it to my blackberry and problem solved. No technical wizardry required. I can now take silent pictures of my table and I won’t disturb the people sitting over on the couch. These laws are just silly. If someone really wants to take covert pictures they will always be able to do it and regulating the technology will not help.
The question is not about technology; it is about the expectation of privacy. If there is an expectation of privacy in public, then change the laws to support that and enforce it. However, based on the court decisions I have read over the years, there is never an expectation of privacy in public. I am not a lawyer, but I believe that precedent has been set. If you query most people on this topic, they will assume they are being photographed and recorded on video regularly, and they would be silly not to.
Google and Encryption with TLS/SSL (HTTPS)

http://www.flickr.com/photos/renaissancechambara/349206957/
Just a quick entry as I am busy studying for a two day exam that is this weekend.
Earlier in June, Google posted a response to an open letter on one of their blogs indicating they are looking into the feasibility of having Gmail encryption always on. Other Google applications such as Google Docs can use TLS/SSL, but it is currently not required unless the user specifies it.
Last year Rogers attempted to insert pages and frames into their subscribers browsers when they were surfing, and Google was not impressed. According to Michael Geist, it is back.
Anyone want to make any guesses as to how long before Google and other web services just turn on HTTPS to stop this and deal with the increased performance requirements?
Outsourcing I.T. to Google – Part I – The Concerns
A few months back I read a post by CEO Michael Hyatt on why he liked Gmail and why he was having his staff investigate switching their corporate email from Microsoft Exchange to Gmail. This sparked my interest from the perspective that if he would consider it, other CEOs and companies would probably give outsourcing I.T. to Google serious consideration as well.
I have been looking at Gmail and the other Google services for completely different reasons, but I have to say that I agree with all his points. The only reason I can think of that you would not want Google to manage your corporate email is control. You no longer have physical control of the servers and functionality that house your email. This could be a problem for certain groups or businesses where privacy is extremely important, as well as where there are potential repercussions if the emails were to become public. Google states they give you complete control over your email on their system, but that statement is technically not completely truthful. Google also has access to your emails. Suppose an employee of Google read and extracted your emails. Sure, Google would discipline and probably let the employee go, assuming they could find out who was responsible, but what if the impact is large? What if, for example, the emails of a women's shelter using the Gmail service were published on the Internet? What if emails from a law firm concerning a sensitive and active court case were posted? Can you sue Google? And even if you are successful, it doesn't change the impact of those emails becoming public. I have commented on similar privacy implications before here.
The fact is, when you outsource a service or function, you are giving up some control and security, no matter what any company tells you. In many cases it might be well worth the cost, but it is important to assume this risk consciously. Does anyone remember Hushmail? (They are still around.) For years they boasted that even Hushmail could not read your email because it was encrypted in storage with PGP encryption. Without the passphrase or private key that you provide to connect to their service, decryption was not possible. A company using their service was being investigated by the DOJ. Despite PGP, Hushmail was able to provide them with all the relevant emails of the company that were stored on the Hushmail servers. Yes, any company or citizen must comply with a court order, but technically they should not have been able to, and they advertised this fact. I am not advocating not complying with a court order; obviously that would be bad for any business. But if a government can go to an outsourced company, provide a court order for a hosted company's email, documents and calendars, and part of the order is that they are not to communicate any knowledge of or actions resulting from the court order, their hands are tied and you don't know anything about it. If you host your own email, at least they have to serve you with the court order, so you know something is up. The applicable laws may be different too. Google's servers are housed in the United States, which I believe brings them under U.S. law. This could have implications as well.
Forensic extraction of files from a browser memory cache

photo courtesy of http://www.flickr.com/photos/dotlizard/3577921340/
I was doing some network research and came across a site I had not seen before that streamed music. Similar to my previous investigation with another site, this site was playing the music, yet the network activity had already stopped.
Checking my network history monitor, the music file had completed in about 15 seconds. As with the previous investigation, I ran the lsof command on the web browser process to see what files were being accessed. There were no files that related to any media file. Here is an application actively playing a song for which there is no network activity and no files listed as open by this application. This caught my curiosity.
No network sockets open moving data, no files open on the file system, and the song is playing away. That left memory as the only place the file could be located. Firefox has the ability to show what is currently in its memory cache, so I started there.
By opening a new tab and entering "about:cache" in the address bar, you will get a list of cache devices. Selecting the memory cache brings up a list of its entries. At the top of the list was a 5MB file from the site I was listening to the music from. Right-click on the entry and select 'Save link as'. Give it a file name and save. Firefox will produce an XHTML file.
Opening this file in your favourite text editor, you can see it contains a bunch of HTML tags, as well as a complete hex dump of the cached file in ASCII form. The hex dump is what we are interested in.
We need to extract the ASCII representation of the binary file. To do this, search for '00000000:', which marks the beginning of the hex dump of the data the browser was holding. I used vi, but any editor with search and replace will work. Delete everything before that line, so that the first line in the file is the one containing '00000000:'.
Finally there are a few HTML tags at the end of the memory dump that you need to remove as well. Once you have done that, save the file as a text file. The file should just contain lines that have a memory offset and a series of hexadecimal numbers.
In order to get data in the text file ready to be converted into a binary file, we have to remove the memory offset column. This is the first column of numbers up to and including the ‘:’. To do this, I passed the file through a program called ‘awk’ and gave awk instructions to remove the first column.
The command
awk '{for (i = 2; i <= 17; i++) printf "%s ", $i; print ""}' untouchedMem.part > untouched.hex
takes the file called 'untouchedMem.part', removes the memory offset column (field 1, everything up to and including the ':'), keeps the 16 hex byte fields that follow it (fields 2 to 17) and drops anything else on the line, then puts the result in a new file called 'untouched.hex'. This file can now be converted into a binary file. To do this I used the command 'xxd'. xxd is a *nix command that can take a binary file and create a hex dump of it, or do the reverse. In this case we want the reverse.
The result from the command
xxd -p -r untouched.hex untouched.mp3
creates a binary file called 'untouched.mp3' from the ASCII hex dump file 'untouched.hex'. Select your favourite mp3 player and play the file. You should be listening to the complete music file as it was transmitted to your desktop during the streaming. The process outlined here is not limited to music files; it will work for any binary file that is kept in the browser's memory cache.
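As an added example (my own code, not part of the original post), the following Python script does the editor, awk and xxd steps above in one pass: it reads the saved about:cache page, ignores the surrounding XHTML, decodes HTML entities in the ASCII column (the saved page encodes characters such as '<' as '&lt;'), keeps only the 16 byte fields of each offset line, and checks that the offsets run contiguously so a truncated or re-ordered dump is caught instead of silently producing a corrupt file. It assumes the dump layout described in the post (an 8-digit offset, a colon, up to 16 two-digit hex bytes, then the ASCII glyphs); the function names and the SAMPLE_PAGE are constructed for this example. Because a short final line can leave a glyph such as 'ab' indistinguishable from a hex byte, the optional data_size argument (the entry's "Data size" shown on the about:cache page) trims the result to the known length.

```python
import hashlib
import html
import re
import sys
from typing import Optional

# One line of the about:cache hex dump (assumed layout): an 8-digit offset, a colon,
# up to 16 two-digit hex bytes, then an ASCII glyph column.
OFFSET_LINE = re.compile(r"^\s*([0-9a-fA-F]{8}):\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
TAG = re.compile(r"<[^>]+>")
BYTES_PER_LINE = 16


def extract_hexdump(page_text: str, data_size: Optional[int] = None) -> bytes:
    """Rebuild the cached object from the hex dump embedded in a saved cache page.

    Tags are stripped and entities decoded before matching, so a first line like
    '<pre>00000000:' and an ASCII column holding '&lt;/a&gt;' are both handled.
    Offsets are verified so a gap raises rather than yielding a corrupt file.
    """
    out = bytearray()
    expected = 0
    for raw in page_text.splitlines():
        line = html.unescape(TAG.sub("", raw))
        m = OFFSET_LINE.match(line)
        if not m:
            continue  # markup, headers, or the tail of the page
        offset = int(m.group(1), 16)
        if offset != expected:
            raise ValueError(f"gap in dump: expected {expected:#010x}, got {offset:#010x}")
        chunk = bytearray()
        for tok in m.group(2).split():
            # The ASCII column begins at the first token that is not a hex pair.
            if len(chunk) == BYTES_PER_LINE or not HEX_BYTE.match(tok):
                break
            chunk.append(int(tok, 16))
        out += chunk
        expected += len(chunk)
    # On a short final line a glyph like 'ab' looks like a byte; trim to the
    # entry's declared size when the caller knows it.
    if data_size is not None:
        if len(out) < data_size:
            raise ValueError(f"dump holds {len(out)} bytes, entry claims {data_size}")
        del out[data_size:]
    return bytes(out)


def looks_like_mp3(data: bytes) -> bool:
    """Cheap sanity check: an ID3v2 tag or an MPEG audio frame sync (11 set bits)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def evidence_hash(data: bytes) -> str:
    """SHA-256 of the recovered bytes, for the written record of the extraction."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample of a saved about:cache entry page (not a real capture).
SAMPLE_PAGE = """<html><body>
<pre>00000000:  49  44  33  03  00  00  00  00  00  00  0f  76  54  49  54  32  ID3........vTIT2
00000010:  00  00  00  05  3c  2f  61  3e                                  ....&lt;/a&gt;
</pre></body></html>
"""

if __name__ == "__main__":
    # Usage: python extract_cache.py saved_entry.xhtml recovered.mp3
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        blob = extract_hexdump(fh.read())
    with open(sys.argv[2], "wb") as out:
        out.write(blob)
    print(len(blob), "bytes;", "mp3" if looks_like_mp3(blob) else "unknown type;", evidence_hash(blob))
```

Recording the length and hash printed at the end alongside the saved XHTML page gives a later reader the means to confirm the recovered file is exactly what came out of the cache.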
Many system investigations involve immediately pulling the plug on the target system so as to preserve as much current state as possible in the non-volatile memory. However, this is a simple example of where you would lose potential data. The concept of live forensics tries to solve this problem by extracting data from a live system. There are ways to image memory while the system is running, and there are ways to fool software that is doing this as well, so one has to be careful. In a full-scale investigation, one would use tools to try and image as much of the memory as possible, not just the browser memory. But for smaller investigations, this type of procedure would suffice as long as proper documentation was kept as the process was being executed.
I have not tried this as of yet on Windows, but I suspect it would work. Most *nix tools have a Windows variant; in the case of xxd, Hextools does the same for Windows. There are browser tools you can add to do this extraction automatically, such as Orbit. From a forensic and explanation perspective, doing it this way provides a more detailed understanding, and you have documented the steps that occurred. This makes it easier to justify as well as understand.
My daughter thinks that downloading is illegal.

Photo courtesy of http://www.flickr.com/photos/dokas/102499448/
I picked my daughter from school the other day. As we were driving home she said. “Dad, did you know that downloading is illegal?” I asked her who told her that. She said a teacher told her. I then asked her, what is downloading? Her answer was “when you get movies and songs from the Internet”.
It really upsets me that the MPAA, RIAA and other lobby type groups have the power to actually influence the educational system in this way. It bothers me more that I have teachers teaching my child concepts that they themselves obviously do not understand and probably have read some propaganda from one of these lobby groups and assume that it is truth.
I suspect this is going to surprise some people but … downloading is _NOT_ the process of obtaining movies and songs from the Internet. Downloading _IS_ the transfer of data from one device to another, where the device receiving the data initiated the requested. Sure you can download a movie or a song, but you can also download a word processing document, you can download a database file, you can download a custom graphic, you can download a piece of open-source or free software, you can download anything really. The concept of downloading has nothing to do with what you are downloading.
Is downloading bad? According to my daughter it is. An analogy would be teaching the concept that guns are bad. As a normal citizen in Canada it is illegal to carry a handgun. Any citizen wandering around with a handgun strapped to their belt will have people scared, running away and win themselves a meeting with a police swat team very quickly. If you see a police officer wandering around with a gun on their side, there is no panic, no running away. People just carry on. The gun isn’t bad. It is who has the gun that determines good or bad. As a society we assume that police will only use their guns for good and so seeing a uniformed police officer with a gun is perfectly acceptable. This is one of the reasons why plain clothed officers go to great lengths to hide their side arms, the general public can not be certain they are law enforcement just by looking at them.
With downloading, everyone has the ability to do it and there are no restrictions. It has been and continues to be a normal part of computing since the days when on-line bulletin board systems were popular. The concept of moving data from one device to another is what makes the Internet work. Every time you go read a web page, blog, or watch a news clip from a news site you could argue that you are technically ‘downloading’.
I am now slowly educating my daughter on the concepts of downloading and uploading. Once those are grasped, I’ll work on what is illegal and what is not when using downloading. I hope that if schools and other educational institutions do choose to teach children about why downloading content that you do not own is wrong, they first understand the concepts themselves and teach it properly.
What constitutes a valid source of information?

courtesy of http://www.flickr.com/photos/stephangeyer/3497409683/
I came across this post on high school student readiness for university. What interested me were the questions towards the end of the article. “What is an author?”, “Who has the authority or expertise to speak?”, “How is trust established?”, “What counts as evidence?” I would love to know if there is a consensus on these. I suspect not, and I suspect there never will be.
I know some computer scientists that present great research at conferences, do amazing work, and are really smart. Many of them do not have formal schooling but are ‘self taught’. Are they experts? In my eyes within their subject area they sure are. I have no issues referencing them or their work as supporting evidence for a particular problem or project I am working on or involved with. Anyone that implies they are not qualified because they haven’t published papers through ‘official’ channels is just being silly.
Similar to Music. There are people such as Jann Arden that I believe have no formal music training (she indicated this once at a concert I attended). I on the other hand took many years of formal piano. If anyone was to take my knowledge of music over Jann Arden due to my ‘formal’ training, I’d seriously question their intelligence.
Is Wikipedia bad? For me it depends on who writes and edits the particular article in question. How do you verify someones credentials? Not sure. Personally, I just assess for myself and use common sense. For example, if there is a article on a musical concept that Jann Arden or others in her area of expertise agree with and support then personally I would be fine using it as a reference.
I am glad the questions above are being discussed. I’d love to listen in on the discussions.
Extracting audio and video from Imeem and other flash sites

http://www.flickr.com/photos/soldiersmediacenter/1039179706/
The other evening I was working on my laptop with imeem.com running in the background. At a point where I required a change, I grabbed a quick trace file of imeem transferring a video for play. The transfer was done quite quickly and, although the video was playing, most of it had yet to be played. Obviously it must be stored on disk somewhere, and my browser was accessing it. I executed the list-open-files command 'lsof | grep -i firefox' to filter on firefox. The result was many open files. There were a few in swap (/tmp) that caught my attention, so I filtered on them.
What interested me was this line:
firefox 6887 mike 82u REG 8,1 54674048 892940 /tmp/FlashaxZz4P
I copied that file to my videos directory, selected it and opened it up with VLC. As expected, it is a flash file containing the video I was previously watching.
Subsequent investigation at some other sites revealed that this is not imeem specific, but the flash player itself. It works for music, video, and any other type of flash file. If you close the browser window, then the file is 'deleted', so if you do want to copy it, you have to do so prior to closing the browser tab. I haven't checked, but I suspect that any of the standard forensics tools would be able to extract the file even if it was 'deleted'. Finally, the video or music starts playing while downloading is still in progress, so you have to be sure the file has completed downloading before copying it.
Given that imeem allows you to play a video or song as often as you wish, I don’t really know why someone would bother copying the video or music for general watching. I could see from an evidence perspective wanting to copy exactly what a subject was watching or listening to and putting those files into evidence in case the file becomes no longer available, changes location, or the subject claims that it was not what they were seeing or listening to. A copy of the file along with the network trace of the file request, submitted with appropriate documentation, hashes would be useful in these cases.
Not sure how this would work on a Microsoft Windows system given the swap process is different, but I may investigate that later to see if there are similar results.
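As an added example (my own code, not from the post above), the following Python helper turns lsof output like the line quoted above into something a small investigation can act on: it keeps the regular files under /tmp/Flash, builds the /proc/<pid>/fd/<n> path through which Linux still exposes the open descriptor even after the browser has removed the /tmp name (this goes a step beyond the post, which copies the /tmp path directly), waits until the file's size has stopped growing before copying so a still-downloading file is not captured half-way, and returns a SHA-256 for the evidence record. The /proc layout is a Linux assumption; SAMPLE_LSOF is constructed, and the function names are mine.

```python
import hashlib
import os
import re
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass
class OpenFile:
    command: str
    pid: int
    fd: int
    size: int
    path: str
    deleted: bool  # lsof appends "(deleted)" when the name has already been unlinked


def parse_lsof(lines: Iterable[str], name_prefix: str = "/tmp/Flash") -> List[OpenFile]:
    """Pick regular files under name_prefix out of lsof's default nine columns:
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (NAME may contain spaces)."""
    found = []
    for line in lines:
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        command, pid, _user, fd, ftype, _dev, size, _node, name = parts
        m = re.match(r"\d+", fd)  # "82u" -> 82; cwd/txt/mem rows carry no number
        if ftype != "REG" or not m:
            continue
        deleted = name.endswith("(deleted)")
        path = name[: -len(" (deleted)")] if deleted else name
        if path.startswith(name_prefix):
            found.append(OpenFile(command, int(pid), int(m.group()), int(size), path, deleted))
    return found


def proc_fd_path(rec: OpenFile) -> str:
    """Linux (assumed) exposes every open descriptor under /proc; reading through
    it works even after the directory entry in /tmp has been removed."""
    return f"/proc/{rec.pid}/fd/{rec.fd}"


def wait_until_stable(path: str, probe: Callable[[str], int] = os.path.getsize,
                      rounds: int = 3, interval: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> int:
    """Return the size once it has stayed the same for `rounds` consecutive probes,
    so the copy is not taken while the player is still writing to the file."""
    last = probe(path)
    stable = 0
    while stable < rounds:
        sleep(interval)
        now = probe(path)
        if now == last:
            stable += 1
        else:
            stable, last = 0, now
    return last


def copy_open_file(src: str, dest: str, **wait_kwargs) -> str:
    """Copy src (normally a /proc/<pid>/fd/<n> link) to dest after its size settles,
    hashing as we go; returns the SHA-256 hex digest for the evidence record."""
    size = wait_until_stable(src, **wait_kwargs)
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        for chunk in iter(lambda: fin.read(1 << 20), b""):
            digest.update(chunk)
            fout.write(chunk)
    if os.path.getsize(dest) != size:
        raise RuntimeError(f"copied {os.path.getsize(dest)} bytes, expected {size}")
    return digest.hexdigest()


# Constructed lsof output; the third line is the one quoted in the post above.
SAMPLE_LSOF = [
    "COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME",
    "firefox 6887 mike cwd DIR 8,1 4096 1234 /home/mike",
    "firefox 6887 mike 82u REG 8,1 54674048 892940 /tmp/FlashaxZz4P",
    "firefox 6887 mike 85u REG 8,1 1048576 892941 /tmp/FlashQq1Zz (deleted)",
    "firefox 6887 mike 90u REG 8,1 2048 892942 /home/mike/.mozilla/places.sqlite",
]

if __name__ == "__main__":
    for rec in parse_lsof(SAMPLE_LSOF):
        print(proc_fd_path(rec), rec.size, "(deleted)" if rec.deleted else "")
```

In practice the lines come from `lsof -n -p <pid>`, and the hash is written down together with the network trace the post mentions so the copy can later be tied to the request that produced it.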
