Richmond Journal of Law and Technology

The first exclusively online law review.


Blog: Heartbleed Security Hack – Need to Change Your Password?

by Danielle Bringard, Associate Survey & Symposium Editor

 

I don’t know about you, but my heart skipped several beats after reading the first wave of news detailing the Heartbleed Security Hack.  I changed all of my passwords on various sites only to find if I had changed them before that particular web operation had updated its software I would have to change my passwords again.  Now, I find, by checking the security of a website I may be violating the law?

Heartbleed is not a virus, but a software defect.[1]  It affects OpenSSL software, which is used for encryption.[2]  OpenSSL is open source software, meaning anyone can access the code, review it, and make changes to it.[3]  So what happens when Heartbleed is exploited?  Essentially it allows a hacker to retrieve memory which may contain usernames, passwords, keys, credit card numbers, social security numbers or other useful information.[4]  Each time the hacker accesses the system, he or she can gain access to more information.[5]  This is a serious problem as many people now do much of their banking and shopping on the internet.

So before you change your passwords it might be a good idea to check to see if the website is still vulnerable.  If the website hasn’t patched its software then changing your password will do you no good.  McAfee released a free tool to help consumers determine if the website they visit is safe or not.[6]  That tool can be accessed at http://tif.mcafee.com/heartbleedtest

STOP!  Before you click that link and test a website you have in mind, you should know that some technology experts are worried that doing so could break the law.[7]  These naysayers cite the United States Computer Fraud and Abuse Act.[8]  Software that checks a website to see if it has patched Heartbleed actually accesses that site’s security certificate, which may or may not fall under the purview of 18 U.S.C. §1030.  Since everyone across the globe is experiencing the effects of Heartbleed, and it may take some time before all websites have patched their software[9], I doubt the U.S. government would prosecute a citizen simply seeking to ensure their personal information remained protected or taking any proactive steps to do so.

As always, safety first. 


[1] James Lyne, How Heartbleed Happened the NSA and Proof Heartbleed Can Do Real Damage, Forbes (Mar. 14, 2014, 9:27 AM), available at http://www.forbes.com/sites/jameslyne/2014/04/14/how-heartbleed-happened-the-nsa-and-proof-heartbleed-can-do-real-damage/.

[2] Id.

[3] Id. 

[4] James Lyne, Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again (And Yahoo), Forbes (Mar. 8, 2014, 11:39 PM), available at http://www.forbes.com/sites/jameslyne/2014/04/08/heartbeat-heartbleed-bug-breaks-worldwide-internet-security-again-and-yahoo/; Craig Timberg, Heartbleed Bug Puts the Chaotic Nature of the Internet Under the Magnifying Glass, Wash. Post (April 9, 2014), available at http://www.washingtonpost.com/business/technology/heartbleed-bug-puts-the-chaotic-nature-of-the-internet-under-the-magnifying-glass/2014/04/09/00f7064c-c00b-11e3-bcec-b71ee10e9bc3_story.html.

[5] Lyne, Heartbeat Heartbleed supra note 4. 

[6] Robert Siciliano, Heartbleed: Free Tool to Check If That Site is Safe, Huffington Post (Mar. 12, 2014, 10:35 AM), available at http://www.huffingtonpost.com/robert-siciliano/heartbleed-free-tool-to-c_b_5137993.html.

[7] Anthony M. Freed, Running Heartbleed Health Checks May Be Illegal, TripWire (April 11, 2014), available at http://www.tripwire.com/state-of-security/top-security-stories/running-heartbleed-health-checks-may-be-illegal/; Michael Santarcangelo, How You Need To Respond To Heartbleed, and How You Can Explain It To Others, CSOnline (April 11, 2014, 12:27 PM), available at http://www.tripwire.com/state-of-security/top-security-stories/running-heartbleed-health-checks-may-be-illegal/.

[8] John Leyden, It May Be Illegal to Run Heartbleed Checks, The Register (April 11, 2014), available at http://www.theregister.co.uk/2014/04/11/heartbleed_health_checking_services_may_be_illegal/; supra note 7.

[9] Brian Fung, Heartbleed is About to Get Worse, and Will Slow the Internet to a Crawl, Wash. Post (April 14, 2014, 2:54 PM), available at http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/. 

Blog: How many Virginians Does it Take to Screw-up a Light Bulb Phase-Out?

by: Kit Mathers,  Associate Copy Editor

 

In January, Congress, through overwhelming bipartisan cooperation, approved, and President Obama signed into law, a $1.1 trillion omnibus spending bill; a provision of which precludes the U.S. Department of Energy (“DOE”) from spending allocated funds to enforce twilight measures of a “light bulb phase-out” mandated by the 2007 Energy Independence and Security Act (“EISA”).[1]  The phase-out, which effectively began in January 2012, requires that light bulbs produce a certain level of brightness at specified energy levels.[2]  Of particular significance to the average consumer, traditional incandescent light bulbs are incapable of fulfilling the new energy efficiency standards and as of January 1, 2014 60- and 40-watt incandescent light bulbs (which represent half of the consumer light bulb market) are no longer allowed to be manufactured or imported into the U.S.[3]  Overall, the standards set forth by the EISA are predicted to result in annual electric bill savings of nearly $13-billion, power savings equivalent to the output of 30 large power plants,  and will reduce carbon dioxide emissions by about 100 million tons per year.[4]

The spending bill’s ban is not particularly formidable from the perspective of many environmentalists and “pro phase-out” light bulb manufacturers who have characterized it as a nuisance that can’t possibly derail the “market shift” toward more energy-efficient light bulbs.[5]   But should we be more supportive of the spending bill’s ban despite the EISA’s potential environmental benefits?  In support of the ban, House Republicans have stated that EISA phase-out requirements are characteristic of government overreach, and enforcement measures should not be tolerated.[6]   Is there any merit to the House Republicans’ argument?  Is federal product regulation really the proper avenue for catalyzing change in consumer power consumption?  The tension at the heart of the light bulb phase-out is representative of a fundamental issue that must be addressed in any discussion of “where” energy regulations should be focused.  I tend to agree with House Republicans who are wary of the government’s reach into consumer purchasing power, but perhaps end-user regulation (“downstream”) is the most parsimonious way of realizing change in energy use and accompanying (upstream) emissions.  Upstream regulation is inescapably difficult.  State and federal regulation of power plants and their emissions is tedious work, often drawn out interminably by litigation.  But then again, why not increasingly regulate power plants themselves if we are operating under the guise that the end goal is to limit carbon emissions and power plant output?  It’s not as though the light bulbs are the source of poor energy management decisions or egregious carbon emissions.   Understanding why the EISA, in large part, came to be makes the decision to regulate downstream consumer choice even less palatable.

While the EISA does not outrightly proscribe the manufacture or importation of all incandescent light bulbs, it has the net effect of increasing market prevalence and selection of more expensive, compact fluorescent light bulbs (“CFLs”) and light emitting diodes (“LEDs”) which is extremely beneficial to major light bulb manufacturers.  As Timothy Carney of the Washington Examiner details, the 2007 Energy Independence and Security Act “wasn’t a case of an industry getting on board with an inevitable regulation in order to tweak it.  The lighting industry was the main reason the legislation was moving.”[7]  The light bulb industry is, by its nature, a competitive market with no significant impediments to entry.  Characteristic of such competitive markets, under the neoclassical economic model, is product pricing at marginal cost – the cost of producing one additional unit of output – which results in low profit margins.[8]  GE, Philips and Sylvania, which dominate the U.S. incandescent light bulb market, want to “convert their dominance into price hikes,” but because market entry is not significantly encumbered by manufacturing or regulatory costs, consumers will gladly purchase new alternative brands that offer bulbs at, or close to, marginal cost.[9]   Market giants, with significant capital available for research and development programs, sought to extinguish the threat of competition (which keeps profit margins low) by expending significant money to improve the incandescent light bulb, primarily through advancing halogen, LED and fluorescent technologies.[10]  These “energy efficient bulbs” sell at a much higher price point compared to incandescent light bulbs, and because of this, consumer choice has remained somewhat stagnant and heavily biased toward incandescents.
Light bulb manufacturers, aware that consumers won’t willingly skirt cost benefit considerations in light bulb selection, have thus collaborated with groups like the NRDC in lobbying for the phase out of incandescents; their agenda being the “push” of profitable products rather than environmental conservancy.[11]  Undoubtedly, there are great advantages to newer bulb technologies, as well as associated costs.[12]  However, it’s extremely hard to justify the handcuffing of consumer freedom of choice when it is being instituted by government elites and unelected bureaucrats.[13]

All in all, it is extremely important to ask, where (or at what phase) should regulatory efforts be focused (and why)?  The upstream power plants, downstream consumers, or both?  Perhaps the fact that light bulb manufacturers are sustaining windfall profits from federal regulation is an inevitable consequence; in any regulatory effort there will always be a party that benefits, perhaps grossly, from regulation.  It will be interesting to see what happens to the spending bill’s ban in the coming months, and whether or not downstream regulation will accomplish its goals.


[1] Bill Chappell, Obama Signs Trillion-Dollar Spending Bill, NPR, (January 17, 2014), http://www.npr.org/blogs/thetwo-way/2014/01/17/263511534/obama-signs-trillion-dollar-federal-spending-bill.

[2] Jeremy Kaplan, Last light: Final Phaseout of Incandescent Bulbs Coming Jan. 1, FOX NEWS, (December 13, 2013), http://www.foxnews.com/tech/2013/12/13/final-phase-out-incandescent-light-bulbs-jan-1/.

[3] Patrick J. Kiger, U.S. Phase-out of Incandescent Light Bulbs Continues in 2014 with 40-, 60-Watt Varieties, NATIONAL GEOGRAPHIC, (December 31, 2013), http://energyblog.nationalgeographic.com/2013/12/31/u-s-phase-out-of-incandescent-light-bulbs-continues-in-2014-with-40-60-watt-varieties/.

[4] NRDC Fact Sheet, Shedding New Light on the U.S. Energy Efficiency Standards for Everyday Light Bulbs, NRDC, (January 2013), http://www.nrdc.org/energy/energyefficientlightbulbs/files/shedding-new-light-FS.pdf.

[5] Wendy Koch, Congress to Bar Enforcement of Light-bulb Phaseout, USA TODAY, (January 14, 2014), http://www.usatoday.com/story/news/nation/2014/01/14/coal-projects-light-bulb-rules/4476103/.

[6] Timothy P. Carney, Industry, not Environmentalists, Killed Traditional Light Bulbs, WASHINGTON EXAMINER, (January 1, 2014), http://washingtonexaminer.com/article/2541430.

[7] Id.

[8] See id.

[9] See id.

[10] See id.

[11] For a comical portrayal of the “story behind the ban” (in both the U.S. and Canada) see this crude cartoon: http://www.youtube.com/watch?v=ta2ozf_uJJ8 (a feature from infra note 15).

[12] It’s contended that new light bulb technologies are not all that “efficient” when used by the average consumer. I recommend looking at Paul Wheaton’s website for a critique of the science behind the phase-out:  http://www.richsoil.com/CFL-fluorescent-light-bulbs.jsp.

[13] See id. 

Blog: The CSI Effect

by Emma Buck, Associate Staff

 

Like millions of Americans, I appreciate a good crime show where you can cheer on the good guys and count down the episodes until Bones and Booth or Castle and Beckett or DiNozzo and David get together. However, this harmless entertainment may be creating jury biases that are very hard to account for and eliminate. With the rise of television shows such as CSI, NCIS, Bones, and Law and Order, many legal professionals speculate that jurors with no criminal justice or forensic science experience are approaching trials with an innate bias formed from viewing these programs. While some say that these shows assist the jury in following criminal proceedings, prosecutors and defense attorneys alike argue that jurors are unable to objectively view the strengths and weaknesses of the evidence presented at trial because they have formed unrealistic expectations of what is normal in a criminal trial.[1] This phenomenon is referred to as the “CSI Effect.”

In the recent and highly publicized Zimmerman trial, the prosecution faced problems related to the CSI Effect. In his closing statement, prosecuting attorney John Guy stated, “There are no Rachel Jeantels on CSI.”[2] Rachel Jeantel was Trayvon Martin’s friend who was on the phone with him moments before he died. She has been ridiculed across the nation for her informal and hostile testimony during the trial.[3] However, witnesses are individuals and the majority of them are not going to be as polished and articulate as those seen on shows such as CSI. Guy’s comment highlights the prosecution’s concern that, despite the probative value of her testimony, jurors may not respect the evidence provided by Jeantel simply because it is not what they expect to see from a star witness.

Prosecutors struggle with the CSI Effect when there is a limited amount or complete lack of physical evidence.[4] In television dramas, the brilliant forensic scientist (whose office is somehow just an elevator ride away from both the interrogation room and the coroner’s office—looking at you, NCIS) is always able to recover a fiber or a hair or a bead of sweat that conclusively ties the suspect to the crime. These expectations are simply not realistic. Many cases are decided based on non-scientific data, such as witness testimonies, or when the physical evidence is a piece of the puzzle rather than the conclusive answer.[5] These juries also know of the tests that can be used and are hesitant to convict without knowing that Abby has run everything through the mass spec, even if these tests are unnecessary. To combat this, some prosecutors have even taken to having experts provide negative evidence, testifying that these tests are unnecessary and that the evidence was thoroughly processed.[6]

While this issue is primarily felt on the side of the prosecution, defense attorneys also claim that the CSI Effect has made their jobs more difficult.[7] When there is physical evidence, jurors are unlikely to question its validity. Essentially, the extreme sophistication and likeability of television’s forensic heroes and heroines has left jurors with the impression that once evidence has been gathered, it is flawless.[8] Defense attorneys must carefully point out potential flaws in the evidence in hopes that the jurors are willing to ignore their preconceived notions about the criminal justice system operating smoothly and with complete accuracy.

Litigators across the nation have taken action to minimize the impact of the CSI Effect on juries. This has primarily come in the form of adapting voir dire questions to determine whether the CSI Effect will influence a juror, crafting jury instructions that minimize jury miscomprehension, and utilizing expert witnesses for both positive and negative evidence.[9] Some states have specifically approved voir dire questions related to the CSI Effect.[10] While we would all like to believe that jurors are able to separate what they see on television from the realities of the courtroom, lawyers must be prepared to handle these unrealistic expectations. So next time that you curl up to watch Temperance “Bones” Brennan discover the murder location based on dust residue in the victim’s bones from the murder weapon, remember that criminal law is not “as seen on TV.”


[1] http://www.economist.com/node/15949089

[2] http://www.washingtonpost.com/blogs/compost/wp/2013/07/12/the-weirdness-of-the-george-zimmerman-trial/

[3] http://tv.msnbc.com/2013/06/27/zimmerman-trial-how-will-the-jury-react-to-rachel-jeantel/

[4] http://www.usnews.com/usnews/culture/articles/050425/25csi.htm

[5] http://usatoday30.usatoday.com/life/television/news/2004-08-05-csi-effect_x.htm

[6] http://www.economist.com/node/15949089

[7] http://www.npr.org/2011/02/06/133497696/is-the-csi-effect-influencing-courtrooms

[8] http://usatoday30.usatoday.com/news/nation/2004-08-05-csi-effect_x.htm

[9] http://apps.americanbar.org/litigation/committees/trialevidence/articles/winterspring2012-0512-csi-effect-jurors.html

Blog: Privacy Concerns and the New iPhone

by Silvia Lee, Associate Staff

 

People waited in lines all over the world on Friday, September 20th to purchase Apple’s latest release, the iPhone 5s. Among the mobile device’s new features is a fingerprint scanner built into the home button. After an initial set-up, Apple’s proprietary “Touch ID” technology can scan sub-epidermal layers to allow users to unlock their phones and make iTunes purchases by scanning their fingerprint. Addressing privacy and security issues, Apple has stated that the biometric data is encrypted and stored only on the device and the information will not be sent to Apple’s servers or Cloud service. In addition, third party apps will not have access to the Touch ID system.

The much talked-about feature has at least one lawmaker voicing his concerns. Senator Al Franken, the Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, has written a letter to Apple CEO Tim Cook in which he poses several questions regarding the new technology. One of his concerns is whether Apple considers the biometric data to be “contents” of communication or a “subscriber number or identity.”[1] Under the Stored Communication Act, “content” cannot be freely disclosed to law enforcement agencies without a warrant, while “subscriber number or identity” requires only a subpoena.[2]  

Senator Franken is also concerned with how secure the fingerprint scanner actually is. He notes that “[p]asswords are secret and dynamic; fingerprints are public and permanent.”[3] If a passcode is compromised, users can change it for a new one, but fingerprints are unique and unchangeable. He fears that someone could lift a user’s fingerprint and use it to hack into the phone and all the information stored within.

The idea of lifting a fingerprint and hacking into an iPhone 5s has been turned into a competition on a website launched by Nick DePetrillo and Robert Graham. The site is crowdfunding a bounty for the first Touch ID hack. The duo claims their motives are to show that it is more difficult than people think. The crowdfunding campaign has raised over $5,000.00 so far and garnered much attention on Twitter with the hashtag #istouchidhackedyet.[4] In order to win the bounty, the hackers must post a video detailing the process of lifting a fingerprint from an everyday object (like a beer mug) and using it to unlock an iPhone 5s.[5] As of 10:00 no official winner of the bounty has been declared, but the Chaos Computer Club from Germany is rumored to have accomplished the feat and to have published a step-by-step guide.[6]

So far Apple has stayed silent on the matter. However, with a successful Touch ID hack a mere two days after the phone’s release and Senator Franken’s request for answers to his queries within a month, Apple may be pushed to speak sooner than anticipated.


[1] Andrea Peterson & Hayley Tsukayama, Fingerprint Scanner for iPhone 5s Raises Privacy, Security Concerns, Wash. Post, (Sept. 20, 2013), http://www.washingtonpost.com/business/technology/fingerprint-scanner-for-iphone-5s-raises-privacy-security-concerns/2013/09/20/0992cbee-222f-11e3-966c-9c4293c47ebe_story.html.

[2] Sen. Al Franken, Sen. Franken Questions Apple on Privacy Implications of New Fingerprint Technology, Al Franken (Sept. 20, 2013), http://www.franken.senate.gov/?p=press_release&id=2562.

[3] Id.

[4] Adam Vrankulj, Can the iPhone 5s Be Spoofed With a Lifted Print? Hackers Crowdfund Reward to Find Out, Biometric Update (Sept. 20, 2013), http://www.biometricupdate.com/201309/can-the-iphone-5s-be-spoofed-with-a-lifted-print-hackers-crowdfund-reward-to-find-out (Arturus Rosenbacker originally pledged $10,000 toward the bounty but has since been discovered as a scammer, http://www.zdnet.com/charlatan-hijacks-iphone-5s-fingerprint-hack-contest-fools-press-7000020978/).

[5] istouchidhackedyet, www.istouchidhackedyet.com (last visited Sept. 22, 2013 11:30 P.M.).

[6] How to Fake Fingerprints? Chaos Computer Club, (Sept. 22, 2013), http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en
