Sunday, August 2, 2009

Computer Programming and the Law: A New Research Agenda

By my best estimate, at least twenty different law professors on the tenure track at American law schools once held a job as a professional computer programmer. I am proud to say that two of us work at my law school.

Most of these hyphenate lawprof-coders rarely write any code today, and this is a shame. There are many good reasons why the world would be a better place if we began to integrate computer programming into legal scholarship (and more generally, into law and policy).

Two years ago, I wrote a blog post for a lawprof blog exploring this idea. I promised a follow-up post, but never delivered. A year later, I expanded the idea into an essay, which the good people at the Villanova Law Review agreed to publish sometime later this year. With this post, I am releasing a slightly-outdated draft of the essay for the first time to the public. You can download it at SSRN.

In the abstract, I say:

This essay proposes a new interdisciplinary research agenda called Computer Programming and the Law. By harnessing the power of computer programming, legal scholars can develop better tools, data, and insights for advancing their research interests. This essay presents the case for this new research agenda, highlights some examples of those who have begun to blaze the trail, and includes code samples to demonstrate the power and potential of developing software for legal scholarship. The code samples in this essay can be run like a piece of software—thanks to a technique known as literate programming—making this the world’s first law review article that is also a working computer program.

If you have any interest in the intersection of technology and policy (in other words, if you read this blog), please read the essay and let me know what you think. Unlike many law review articles, this one is short. And how bad could it be? It contains 350 lines of perl! (Wait, don't answer that!)

New Research Shows Severe National Security Threat Posed By Computer File-Sharing Networks

(1888PressRelease) June 02, 2009 - TORONTO, Ontario, Canada – ZapShares Inc. announced today the findings of new research that indicates computer systems located in Iran, North Korea, China, and Russia are scouring computer Peer-To-Peer (also known as “P2P”) file-sharing networks for classified information that could place national security at risk.

The research found offshore computers searching for, among other things, information pertaining to many principal United States national defense contractors, weapons system information, classified government documents, information that could be used to steal the identity of United States citizens, and other data that could place national security at risk. “What we found most alarming was the fact that a majority of these searches originated from Iran, North Korea, China, and Russia,” said Bernard Trest, President of ZapShares Inc.

In a recent study ZapShares Inc. found that large numbers of people are inadvertently sharing personal tax returns, banking and other financial information, credit card information, and other data that identity thieves could use to steal a person’s identity. “We are very concerned regarding the threat that is posed to national security since individuals within countries such as Iran and North Korea are easily capable of stealing the identity of United States citizens,” said Trest.

To view a partial list of search terms ZapShares Inc. was able to discover that computers located within Iran, North Korea, China, and Russia are searching for on P2P file-sharing networks, visit: www.zapshares.com/nationalsecurity.pdf

ZapShares Inc.(TM) was founded in 2008 to develop innovative security solutions for P2P file-sharing networks. ZapShares offers the first and only solution to help protect 200 million P2P file-sharers from rampant identity theft and lawsuits. The companies ZapShares software is a free tool that scans a user’s computer and identifies potential security threats caused by P2P software installed on a user’s computer. To learn more ZapShares, visit www.zapshares.com

If you’d like more information about ZapShares Inc., our research, or our software, or to schedule an interview with Bernard Trest, you can contact him at:

New Research in Computer Control by Head Tracking


Published: Jun 27, 2007

People with special needs require special devices for controlling a mouse or typing on a keyboard while communicating using a computer. At the ICCHP conference held July 12-14, 2006, the staff of Hansei University presented their paper on development of a new assistive technology system that facilitates hands-free control of a computer by tracking head movements. It will enable people with spinal cord injuries and other special needs to operate a personal computer efficiently.

Physically disabled people usually encounter difficulties while controlling a computer using classical devices. CameraMouse, Quick Glance 2, Smart Nav and QualiEye CameraMouse are some of the commercial mice available in the market as substitutes for a standard mouse. Other systems available commercially that facilitate the usage of a personal computer for people with physical disabilities have two major drawbacks. One, these systems need special devices and two, most of them are expensive.

The proposed system can be run on a standard Windows platform. Unlike other commercial hands-free products that use special devices, this system uses a standard USB video camera to track head movements. Apart from physically disabled people, it can be applied to users operating common devices like ATMs, vending machines and pay phones. This proposed mouse is specifically designed for people with spinal cord injuries like quadriplegia, muscular dystrophy and other conditions.

Example of tracking head movements

The system utilizes Man-Computer Interface (MCI) and a PC camera. Using a standard communication interface equipped with corresponding software the disabled user can control a PC by head movements and an eye blink for clicking. Any person with controlled movement of the head can operate the mouse. This assistive technology product is cost-effective and a disabled user can use the system for a PC mouse and a keyboard. This system can be used as an alternative for a normal mouse, because a PC camera is used to track head movements and translates these movements into cursor movements on a computer screen by using matching and tracking algorithms. The system utilizes the information for clicking, double clicking and dragging processes as it recognizes the position of the eyes. The disabled user does not require additional devices, except a standard PC camera, to use the system effectively. The advantages this system has over other commercially available systems are that the software can be customized and adjusted and it can accommodate varying degrees of control.

In order to track and translate head movements into cursor movements on a computer screen, a small nose image is used as a template and the template is compared with an input face image sequence. For the template matching process, the features taken into consideration are: nose is located at the center of the face, abrupt gradient change because of nostrils and no sudden change duration and translation of the face. This system detects the user’s nose area automatically and then uses it for template and double template matching.

The use of this assistive technology product is not restricted to disabled users only. People indulging in PC games and operating ATM machines, vending machines and pay phones can also use this system.

RELEASE: New Research Shows Severe National Security Threat Posed By Computer File-Sharing Networks

New research finds computers located in Iran, North Korea, China, and Russia scouring computer peer-to-peer file-sharing networks for information that could place national security

FOR IMMEDIATE RELEASE
PRLog (Press Release)Jun 01, 2009 – ZapShares Inc. announced today the findings of new research that indicates computer systems located in Iran, North Korea, China, and Russia are scouring computer Peer-To-Peer (also known as “P2P”) file-sharing networks for classified information that could place national security at risk.

The research found offshore computers searching for, among other things, information pertaining to many principal United States national defense contractors, weapons system information, classified government documents, information that could be used to steal the identity of United States citizens, and other data that could place national security at risk. “What we found most alarming was the fact that a majority of these searches originated from Iran, North Korea, China, and Russia,” said Bernard Trest, President of ZapShares Inc.

In a recent study ZapShares Inc. found that large numbers of people are inadvertently sharing personal tax returns, banking and other financial information, credit card information, and other data that identity thieves could use to steal a person’s identity. “We are very concerned regarding the threat that is posed to national security since individuals within countries such as Iran and North Korea are easily capable of stealing the identity of United States citizens,” said Trest.

To view a partial list of search terms ZapShares Inc. was able to discover that computers located within Iran, North Korea, China, and Russia are searching for on P2P file-sharing networks, visit: www.zapshares.com/nationalsecurity.pdf

If you’d like more information about ZapShares Inc., our research, or our software, or to schedule an interview with Bernard Trest, you can contact him at:

Phone: (416) 897-5194
Email: btrest@zapshares.com

# # #

ZapShares Inc.(TM) was founded in 2008 to develop innovative security solutions for P2P file-sharing networks. ZapShares offers the first and only solution to help protect 200 million P2P file-sharers from rampant identity theft and lawsuits. The companies ZapShares software is a free tool that scans a user’s computer and identifies potential security threats caused by P2P software installed on a user’s computer. To learn more ZapShares, visit www.zapshares.com

Saturday, August 1, 2009

More Money, More Web Scams

At Black Hat USA, WhiteHat Security researchers to highlight more and bigger-dollar hacks that don't use malware or security bugs

Jul 21, 2009 | 05:52 PM

By Kelly Jackson Higgins
DarkReading

There was the iPod repairman online who allegedly pulled in a half-million dollars defrauding Apple and its iPod customers. There was also the hacking-for-hire scheme that made the bad guys a tidy nine-figure profit.

While the security industry spends most of its energy and resources on malware- and vulnerability-based methods of attack, a lesser-known and more lucrative world of hacking is going on right under our noses that rarely comes to light unless it makes the general news. These are the low-tech and no-tech attacks and scams that don't require malware or scanners, and they are rarely reported because they don't typically involve reporting stolen credit cards or other personal information. "This is the easier, higher dollar [attacks]," says Jeremiah Grossman, CTO of WhiteHat Security. "These almost never get reported...they are basic fraud losses that everyone keeps quiet about."

Grossman and WhiteHat colleague Trey Ford, director of solutions architecture, will present a sequel to their previous Black Hat USA talk about these simple but deadly attacks at next week's Black Hat USA conference in Las Vegas. "We're going to pick up where we left off last time. These are all the ways bad guys are making money, and we'll show off real-world hacks," Grossman says. They will also align their research with the findings in Verizon's recent breach report.

The pair have a few surprises up their sleeves, but among the examples of these low-tech but clever hacks they'll highlight is that of the former www.ipodmechanic.com guy, who faces federal charges for allegedly bilking Apple for more than 9,000 replacement iPod Shuffles. "He was guessing serial numbers on iPods, filling out [warranty repair claims], and using Visa prepay gift cards to get replacement iPods," Grossman notes. But the gift cards were only for $1, and he turned around and resold the iPods for a profit.

In another lucrative scam that also played off of the iPod's popularity, a group of DJs in the U.K. set up their songs to be sold online via iTunes and Amazon.com. To bump up their royalties, they purchased their own songs from the sites using stolen credit cards, Grossman says, and made close to $300,000. "People looking at their credit card bill weren't likely to see a dollar here and there" if their account had been used in the scam, he says.

In their previous research, Grossman and Ford have shed light on abusing business logic flaws -- or weaknesses in the business processes themselves -- such as using a simple script to manipulate the results of an online poll. The techniques themselves aren't necessarily new, but the Web model makes them more lucrative than ever (and no exploits are required).

"There are three different tiers of hackers: ones who use bots and malware; ones who use commercial scanners and don't care what ecommerce site they hack; and the top tier that's very targeted" in their attacks, Grossman says. "No one is off-limits anymore. People are going to try these things on you."

The researchers will also reveal details of a hack that resulted in a nine-figure profit.

BlackHat USA 2009: Russian's Organized Crime Heritage Paved Way For Cybercrime

Russia's longstanding history with organized crime has nurtured a current crop of sophisticated cybercrime organizations dedicated to information stealing and political "hacktivism."

During a BlackHat USA 2009 presentation, Dmitri Alperovitch, McAfee Internet threat researcher, said that Russia's history of organized crime has paved the way for the emergence of highly sophisticated cybercrime organizations that have spearheaded the emergence of Internet worms, botnets, spamming, phishing and credit card forums.

But fundamentally, there is little difference between cybercrime and other types of crime. "At the end of the day, it's about the money," he said.

Alperovitch said that the current security environment is ripe for cybercriminals. Unlike other types of crime, cybercrime has low barriers to entry, there is little prevention and few enforcement mechanisms, and the returns are "enormous." The "ease of doing business" has facilitated a reported 275,000 incidents in 2008 which translates to about $265 million lost in the U.S. alone, he said.

And that's just the tip of the iceberg, Alperovitch said.

Russia, in particular, has a long history of organized crime, he said. Organized crime emerged during Lenin/Trotsky era. Russian prisons, known as Gulags, housed criminals who formed a distinct organization known as "Thieves and Law."

"Out of these places evolved sophisticated organizations," Alperovitch said.

Members of these organizations were required to abandon their existing families and commit solely to the organizations, using tattoos as a language to communicate their rank and the crimes they have committed.

"Violations of this code were punishable by physical mutilation and even death," Alperovitch said. "They viewed crime as a way of life. They were willing to live and die for their organization."

Initially, Russian cybercrime had its roots in software piracy. However, cybercrime took off following a 1994 Citibank hack linked to St. Petersburg, which allowed attackers to access more than $10 million via the telephone system. Much of that money was never recovered.

"It was difficult to prosecute," Alperovitch said. "What was clear was that this was not a one-man operation."

In the late 1990s, Russian cybercriminals were an integral part of the creation and the monetization of botnets and Internet worms, Alperovitch said, which paved the way for organized crime organizations built around spamming and phishing.

"They realized early on there is a lot of money to be made in spamming and phishing," he said.

But the attacks were motivated by more than just money. Russian cybercriminals realized that cybercrime efforts could be used for political activism, or "hacktivism," which was reflected in denial of service attacks on Estonia in 2005 and on the Georgian government and news Web sites in 2008.

By mid-2000, these organizations were full-fledged businesses. One cybercrime organization, known as CarderPlanet, specialized in the theft and sale of credit cards and identifying information.

As they developed, these organizations operated like corporations, and assigned jobs to members to buy, sell and trade stolen information. "This is about business. This is all about money. These guys are businessmen. They pay for advertising," said Keith Mularski, an FBI cyber division special agent.

They also created Web forums in which they could communicate with other hackers in the cyber underground.

Incrementally, law enforcement began to catch up to some of the Russian cybercrime organizations. Among those recently arrested was Maxim Yastremsky, a hacker partly responsible for the 2006 TJX breach and Roman Vega, mastermind behind credit card dump sites and carding forums.

Mularski described a deep undercover operation over a three-year time span in which he posed as a cyber criminal on the DarkMarket forum. The sting resulted in the arrest of 56 indivduals worldwide, more than $70 million in potential economic loss prevented, and recovery of 100,000 compromised credit cards, he said.

When people think of cybercrime -- this is the first thing I thought of -- everybody is a geek," Mularski said. "Really, the cybercrime out there is highly organized."