Tuesday, July 24, 2012

Austin to Aurora

Austin 1966
San Ysidro CA 1984
Edmond OK, 1986     
Ridgewood NJ 1991
Royal Oak MI 1991     
Dearborn MI 1993
Dana Point CA 1993
Oklahoma City 1995
Dunblane Scotland  1996
Columbine 1999
Goleta CA 2006
Virginia Tech 2007
Fort Hood TX 2009
Tucson AZ 2011
Utoya Norway 2011

A tragic litany.  More tragic because we have already forgotten some of the worst of them.  More tragic because they have become routine.  More tragic because it does not include the hundreds that die in gun violence every day.  Yet more tragic because we stand immobile as the rate and the scale escalate.  

Aurora CO 2012.  The citizens of Aurora can take great pride in their own courage and in how their First Responders reacted in the face of this insanity.  Of course,  New York City grants nothing in courage to any other city.  We have the most courageous and disciplined citizens.  We are confident that we have the best trained, best led, most professional, and most heroic fire and police men and women in the world.  We were not surprised to learn that the leader of Aurora's finest is one of ours.

Have you ever heard a more professional press briefing than was given by Aurora's Chief of Police, Dan Oates?  It was complete, accurate, and measured.  He said exactly what he intended to say.  He knew with precision what he did not want to say and deflected questions on those things in a professional manner.  Those of us who have been there understand that such a degree of professionalism is the result of a lifetime of training, discipline and experience.  We all got a little teary when he realized what a great job his team had done, that all the training had paid off.  

Another professional briefing came from Lt. Andra Brown of the San Diego Police Department.  She was called out of bed at dawn to run interference for the accused perpetrator's family.  That briefing is not yet on YouTube but perhaps it will still show up.  However, another of her interviews is, and it demonstrates that she is a pro.

Even the media has been restrained and professional.  They have not hounded the families of the victims, or even of the perpetrator, with "How does it feel to …..?"  While some of the questions put to the authorities were not going to get an answer, they were respectful and legitimate.  They gave the professionals the opportunity to explain to an anxious public why they cannot be answered.

I hope that our response as a nation continues to be measured and proportionate.  That is not to say "business as usual."  Business as usual is not proportionate.  

We need to take another look at gun control.  We are law enforcement and security professionals; ours is the art of the possible.  We do not allow the perfect to become the enemy of the good.  Some place between where we stand and giving up any pretense at the Second Amendment, there has to be a better place.  

That place includes an assault weapon ban, a ban on large capacity magazines, and a tax and controls on the purchase of ammunition.  Guns did not cause these events and no change in the law, which will be no more than marginally effective, is going to prevent them.  Dunblane and Utoya tell us that.  However, these are changes that stand on their own merit.  They are measured and consistent with both the Rule of Law and civil liberties.   

Our presidential candidates tell us that we should not act out of the anger and grief of the moment, that it is not timely.  I agree that we should not act out of anger and grief.  However, it is a year and a half since Tucson and two generations since Austin.  I stand with Mayor Bloomberg who asks "If not now, when?"

Over the weekend a journalist pointed out that the Metropolis of Batman is what our cities will look like if we surrender the state's monopoly on the use of armed force.  Batman is not a real hero.  Real heroes do not wear masks; they wear little shields that say "Serve and Protect."  Real heroes do not wear capes; they wear turn-out coats.  

No, Batman is a thug, a vigilante.  He has given up on the Rule of Law, on the idea of civil society.  We pretend that he is on the side of the good guys,  but we cannot allow individuals to administer their own brand of justice.  At least one, probably most, of the perpetrators of events in that litany, were, at least part of the time, at least in their own sick heads,  administering their own brand of justice.  

From Robin Hood to Batman, fantasy is populated by vigilantes.  It is part of our culture.  It is motivated by our innate sense of justice and our frustration when an imperfect system fails to deliver it.  It is motivated by our historic fear of tyranny.  But we are grown-ups.  Grown-ups do not act out their juvenile fantasies.  We do not lionize those that do.  Vigilantism is the problem, not the solution.

As citizens we have to be worthy of our First Responders.  We have to commit to the Rule of Law.  We have to perfect government, not abandon it.  Without surrendering our Liberties, we have to give up any claim to vigilante justice. 

As law enforcement and security professionals we too have to commit to the Rule of Law.  If we are to maintain the state's monopoly on the use of force, then as the agents of the state, we must use it conservatively and professionally.  We must be civil.  We have to emulate the best of our peers and follow the best of our leaders.  We have to forswear arrogance, swagger, and intimidation.  Only then will we be seen as professionals and be paid the big bucks.

Tuesday, July 17, 2012

The Rule of Law

We use the code words, the rubric, the concept,  Rule of Law, often without thinking about what the concept  embraces. Indeed our application of the Rule is still evolving.  Every now and then it is useful to enumerate the components and measure ourselves against them.  

One definition of the Rule of Law is that every citizen is subject to the law.  "Not even the King" is exempt.  Thus, the concept of the Rule of Law is antithetical to the idea of the "Divine Right of Kings."

Under the Rule of Law, all use of deadly force is reserved to the king and his agents, to the state and the police.  While a citizen may use force in the defense of his home, in public places he has a "duty to retreat."  While we recognize certain exceptional circumstances in which an "un-sworn" citizen may exercise police powers, "exceptional" is the key word and the guiding principle.  

Recently, in an expressed intent to "reduce crime," some states have adopted laws which expand the circumstances under which the citizen may resort to armed force, but the results have been mixed at best.

Included in the idea of "not even the King" is that of a limited state and government. While most orderly and stable governments have generally accepted limits, in our constitutional system, at least in theory, ours is a government of enumerated powers.  The government may do only those things that it is explicitly authorized to do.  Everything else is reserved to the citizen and implicitly forbidden to the state. Our officials, officers, magistrates, and agents swear "to preserve and protect the Constitution." This is in stark contrast to the British who swear allegiance and loyalty to the sovereign, even though their Magna Carta may be the earliest example of express limits on the king.

Included in our understanding of the Rule of law is the presumption of innocence.   Some of us may think of this in terms of the responsibility of the state to bear the burden of proof in criminal trials.  However, this right follows us into the street.  We do not have to demonstrate our innocence in order to be able to travel.  "Driving while Hispanic" is not a crime and cannot be made one, not even in Arizona or Louisiana.  

An independent judiciary is essential to the rule of law.  Whether appointed or elected, the judiciary must be able to operate without interference from or fear of other branches of government.  Military courts and tribunals are an exception to this rule, so they must be used with care and restraint.  

Part of the idea of the rule of law is that of sanctity of contract, i.e., parties must do what they promise to do.   Indeed, a special form of contract, called treaty, is the basis of international law.  While most contracts are routinely carried out, and while they are rarely called upon to do so, under the Rule of Law, the courts may be called upon to adjudicate and enforce contracts.

The rule says the citizen may not be deprived of life or property without due process of law, that is, without "following the exact course of the law."  Of course, killing a citizen without charge, indictment, arraignment, bail, timely trial by jury, and right of appeal would violate this principle.  "Nice people do not do that."  States that even pretend to the Rule of Law would not do that.  

While it may not be obvious until stated, the idea of equality before the law is implicit in the idea of the Rule of Law, that is, all are subject to the law.  Not only must the state treat all citizens equally, it must protect one from another.  This idea is troubling in a democracy because it is an exception to the Democratic Rule, the one that says "the majority rules."  Under the Rule of Law, the majority may not use the coercive power of the state to tyrannize and terrorize any minority.  The majority may not use the coercive power of the state to enforce majoritarian orthodoxy.  No thought police.  No censorship. No state religion or prayer.  The state may not compel an oath, any oath, not even one, particularly not one, of allegiance to the state.  

A fundamental test of the Rule of Law is that the citizen should not live in fear.  He should not fear his neighbors; he should not fear the King and his officers.  The citizen surrenders his right to the use of force to the state in return for protection from the thugs.  That is no bargain if he must fear the king more than the thugs.  Many of our minorities live in perpetual fear of the king. Do I have to name them?  We should all keep in mind that if the state can oppress anyone with impunity, it can oppress everyone with immunity.  

Like Liberty, the Rule of Law is indivisible.  The whole depends on each of the parts. One cannot pick and choose among them.  Pull out a brick and the structure falls. Courts, legislatures, law enforcement professionals, even information assurance professionals, and individual citizens must play their role in checking the inherently coercive power of the king and his minions. "The price of liberty is eternal vigilance."

The alternative to the Rule of Law is rule by men, fallible, corruptible, zealous, and ambitious men.  We call it tyranny.  As law enforcement and security professionals, we are often in the role of officers of the state; that is why this is an appropriate forum for this discussion.  We must periodically remind ourselves that we take our oath to the law, not to the majority, not to the state.  To carry out our duties in a professional manner and earn the big bucks, we must strive for accuracy, honor, restraint, and courtesy.  We must wear the Rule of Law as our uniform, as our only authority.

Wednesday, July 11, 2012

Decision on Appeal of Patco v. Ocean Bank

On July 3, 2012 the United States Court of Appeals, First Circuit, returned a decision in the appeal of PATCO CONSTRUCTION COMPANY, INC., Plaintiff, Appellant (the customer) v. PEOPLE'S UNITED BANK, d/b/a Ocean Bank, Defendant, Appellee (the bank).  This decision reversed material findings of the lower court and remanded the case to the lower court for processing.  

Specifically, the appeals court reversed the summary judgment granted to Ocean Bank.  It found that this order relied upon a finding that the security offered by Ocean Bank was "commercially reasonable," a finding which the appeals court rejected.  

This is an important decision.  It brings this case into agreement with the decision in Experi-Metal v. Comerica, a case based upon similar facts and law, in which the court held for the plaintiff.  It reduces the probability that the Supreme Court would grant certiorari for a further appeal.  It upholds the provisions of Article 4A of the Uniform Commercial Code (UCC) which govern the rights, duties, and liabilities of banks in commercial wire transfer.  The default under this provision is that if the transaction is "not authorized," the bank stands the loss.  This is also consistent with the bank's common law responsibility to ensure that transactions are authorized.  

When I read that this verdict had been reversed, I went back to my blog,
http://whmurray.blogspot.com/search?q=PATCO to review what I had written on the case.  Most of what I wrote stands up pretty well after a year and in light of the verdict on appeal.  The exception was my expressed hope that the case would NOT be appealed.  I was concerned that it might accept as fact the finding of the lower court that the security procedures were "commercially reasonable" and thereby establish a bad precedent.  Mark Patterson, co-owner of PATCO, thought better of it, did appeal, and was vindicated.  Fortunately for all, the appeals court revisited that question as a matter of law.  

Patterson struck a powerful blow for small and mid-size businesses in their asymmetric relationship with their banks.  He says, "It is great news for victims out there who are going after banks that have not been keeping their customers' money secure, (It's) a wake up call."  Kudos to Patterson.

I continue to be impressed with the ability of the courts to sort out these very complicated issues.  This decision is informative, instructive, and easy to read.  Even if one were to dispute it, the decision sets forth a clear record of both facts and law for our consideration, discussion, and enlightenment.  I commend it to all bankers, small to medium businesses and municipalities, information assurance professionals, and those engaged in computer forensics.  One need not be a lawyer or a security professional to appreciate it.  

The facts, documented in and relied upon by the decision, describe the security options available to Ocean Bank in NetTeller, the e-banking application software from Jack Henry & Associates.   These include:
  • UserID and Password
  • One-time-password (OTP) Tokens*
  • Out-of-band Authentication*
  • User selected image for recognizing the bank*
  • Customer Device Recognition by IP address and cookie*
  • Transaction Risk Profiling
  • Challenge-Response based upon shared secrets
  • Dollar Amount threshold for invoking Challenge-Response**
  • Access to intelligence from the eFraud Network including IP addresses of known hostile systems
  • Risk Scoring Reports
Some of these features and implementations are licensed from the security firm, RSA/Cyota. 

Ocean Bank implemented more than half of these features but there was a problem with those they chose not to implement.  First, they did not implement the user selected image, a shared secret, intended to help the customer distinguish between the bank's system and a spoof of it before exposing his credentials.  This feature is sufficiently widely used that false bank sites are not a preferred attack.  

However, they also failed to implement the measures most effective against the favored attack, credential re-play, i.e., out-of-band or one-time-password authentication, and transaction risk scoring and monitoring.  

One of these features they misused.  The court agreed with testimony of an expert witness that, by lowering the transaction threshold for invoking challenge-response from only those transactions above $1,000 to all transactions above $1, the bank increased the probability that the responses would be compromised and thereby weakened the system.

After Patco became a customer, Ocean Bank offered out-of-band (e-mail) alerts of all activity on an opt-in basis (Preferences, alerts).  Patco claims that it was unaware of the offer and did not opt in.  I would argue that out-of-band alerts and confirmations are so efficient that they should be on by default.

Other facts not in dispute include that Patco hired an "IT Consultant" who ran a "malware scan" against the machine in question.  The scanner, which was intended for remedial rather than forensic use, contaminated the machine and destroyed some evidence.  I hope that none of my audience would have made such gross errors as hiring someone unqualified to do forensic work or failing to conserve evidence.  

The court accepted expert testimony that "at the time in question keylogger malware was a persistent problem throughout the financial industry."  Therefore, the risk that the userID, password, and challenge responses would all be simultaneously captured was foreseeable.  

As a result of this decision, we now know some things with confidence approaching certainty that were in question after the original decision.  These include:

In electronic wire transfer, risk for unauthorized transactions lies primarily with the bank, not the customer.  The burden of proof is on the bank, not the customer.  

The requirement of the UCC that security be "commercially reasonable" trumps the Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance.  Literal compliance with the Guidance may not be "commercially reasonable."  

"Commercially reasonable" is a higher threshold than previously thought; higher than the banks have pretended.  

The court heard testimony on the pervasiveness of key-loggers and concluded that the risk of credential replay is "foreseeable."  Therefore, by default, "strong authentication" to resist such re-play is indicated.

However, such authentication is not enough.  In determining whether or not a transaction is "authorized," and again by default, banks must look beyond the credentials accompanying it to whether the transaction is reasonable for the customer in question. 
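Two of the findings above, that lowering the challenge-response threshold exposes the shared-secret answers to a keylogger on nearly every session, and that an authorization decision must look past valid credentials to whether the transfer is reasonable for that customer, can be made concrete with a small model.  This is an added example, not code from the decision, from NetTeller, or from RSA/Cyota; the customer history, the scoring weights, and the `hold_at` cut-off are all constructed for illustration.

```python
"""Constructed model of two points from the Patco decision: the cost of a low
challenge-response threshold, and risk scoring a transfer against the
customer's own history rather than trusting credentials alone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    amount: float    # dollars
    payee: str       # beneficiary label
    src_ip: str      # client address as seen by the bank
    weekday: bool    # True if initiated on a business day


# Constructed history for one small-business customer: routine payroll and
# supplier payments, all from the office address, mostly under $1,000.
HISTORY = [
    Transfer(450.00, "payroll-svc", "203.0.113.10", True),
    Transfer(620.00, "payroll-svc", "203.0.113.10", True),
    Transfer(310.00, "lumber-yard", "203.0.113.10", True),
    Transfer(1800.00, "lumber-yard", "203.0.113.10", True),
    Transfer(540.00, "payroll-svc", "203.0.113.10", True),
    Transfer(275.00, "fuel-co", "203.0.113.10", True),
]


def challenge_logins(history, threshold):
    """Count sessions in which challenge questions would have been asked,
    i.e. how many times a keylogger on the customer's PC sees the answers."""
    return sum(1 for t in history if t.amount > threshold)


def risk_score(candidate, history):
    """Score a new transfer against the customer's own pattern.
    Weights are hypothetical; a real engine is calibrated per institution."""
    known_payees = {t.payee for t in history}
    known_ips = {t.src_ip for t in history}
    largest = max(t.amount for t in history)
    score, reasons = 0, []
    if candidate.payee not in known_payees:
        score += 40
        reasons.append("new payee")
    if candidate.src_ip not in known_ips:
        score += 30
        reasons.append("unfamiliar source IP")
    if candidate.amount > largest:
        score += 20
        reasons.append("exceeds largest prior transfer")
    if not candidate.weekday:
        score += 10
        reasons.append("outside business days")
    return score, reasons


def authorize(candidate, history, hold_at=50):
    """Return ('release' | 'hold', score, reasons).  'hold' means park the
    transfer for out-of-band confirmation; valid credentials alone never
    release a transfer the customer's history makes implausible."""
    score, reasons = risk_score(candidate, history)
    return ("hold" if score >= hold_at else "release"), score, reasons


if __name__ == "__main__":
    for thr in (1000, 1):
        print(f"threshold ${thr:>5}: answers exposed in "
              f"{challenge_logins(HISTORY, thr)} of {len(HISTORY)} sessions")
    # Replayed credentials used from an unfamiliar address to a new payee.
    suspicious = Transfer(9500.00, "unknown-acct", "198.51.100.77", False)
    routine = Transfer(500.00, "payroll-svc", "203.0.113.10", True)
    for t in (routine, suspicious):
        print(t.amount, *authorize(t, HISTORY))
```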

Some things are still in doubt, and some questions still open.  For example, 

We think we know that there was a key-logger on the Patco machine.  However, because Patco's agent corrupted the machine, we will never know to a certainty. 

The record is not clear as to whether "alerts" were offered or accepted.

Finally and most importantly, we still do not know what obligations, if any, Patco had if the security offered by the bank is "commercially unreasonable."  Under Article 4A there is an alternative to "commercially reasonable" security as a means for the bank to shift some or all of the liability to the customer.  Only the first was actually litigated in Patco v. Ocean Bank.  The second, authorization by means of an agreed upon security procedure, was not reached or considered by the lower court.  Under the remand, this question may arise.  There is a difference between Patco and the bank as to whether there was such an agreement, what it called for, and whether or not Patco met its responsibility under such an agreement. 

The advice that we as information assurance and forensic professionals give our principals must reflect this decision.  

This is not "rocket science."  NetTeller and other commercial-off-the-shelf (COTS) software offer both strong authentication options and software for scoring the risk of a transaction.  

We should make it clear to our business clients that, while the bank must take the risk for an unauthorized transaction, the bank is not responsible for consequential damages.  Moreover, the bank will try to transfer this fundamental responsibility to them by contract.  They should choose their banks carefully, ensure that the bank offers "commercially reasonable" security, and understand and comply with their agreement with the bank.  Specifically, they should reconcile their accounts in a timely manner, and reconcile variances promptly.  By default, "timely" equates to daily.  Finally, they must resist compromise of their systems and credentials.  I use my iPad for e-banking and recommend to my clients that they use a dedicated and locked down system for e-banking.  

It should be clear from the facts and findings in this case that both the bank and the customer, both acting in good faith, did counter-productive, not to say "stupid," things.  Neither our bank nor our small business clients are experts in security.  Left only to their own resources, they are vulnerable to costly, not to say fatal, errors.  They are dependent upon us.  We owe them diligence and competence if we are to be called professionals and be paid the big bucks.

Monday, July 2, 2012

Robin Hood was a Thug

When I was a boy, I thought that the English were the most noble of all people.  I was Irish Catholic and of Scottish descent; I still thought they were heroes.  They had great propaganda.  They won every movie that I ever saw.  Generations later comes Mel Gibson and they started to lose their luster.

One of the great Saxon heroes was Robert of Locksley, AKA "Robin Hood."  Talk about good PR.  He was played by every popular leading man from Errol Flynn to Kevin Costner, Russell Crowe, and Sir Sean Connery.  His legend was that "he stole from the rich and gave to the poor."  Who does that sound like?  In any case, he did it by force.  He was a thug, a hoodlum, a terrorist, a vigilante, and a bully.  

Today we have a competition as to who is going to be the biggest bully on the block called the Internet.  We have lots of candidates from criminals to nation states.

First we have the publishing industry personified by the RIAA and the MPAA.  They missed the message from Steve Jobs about how to become rich in a world of diminishing reproduction cost, "Lower your prices and make it up on volume," a message as old as the Gutenberg press.  Instead they are attempting to use their money to co-opt the coercive power of government to force everyone else, particularly all Internet service providers and users, to bear the cost of a losing battle to enforce their obsolete business model.

One of their attempts to do this is CISPA, the so-called Cyber Intelligence Sharing and Protection Act, but there is no shortage of bills in congress that favor them at the expense of the ordinary law-abiding Internet user.  This obnoxious law all but eviscerates the Fourth Amendment, by granting immunity from both criminal and civil liability to both government and industry for sharing and using personal data for any intelligence gathering, investigation or prosecution purpose.  About all it requires is that a perpetrator assert that they had a "good faith" belief that they were on the side of the angels.  One effect is to shift the burden of proof from the perpetrator to the victim.  Lots of luck with that. 

Then there is our avenging vigilante, Anonymous.  Admittedly, Anonymous tends to "afflict the powerful" but otherwise seems to be arbitrary in its selection of targets.  While one may sometimes be sympathetic with their choice, one is often outraged.  Moreover, almost any two people will disagree over their choices.

Microsoft has recently embarked upon a program to disable bot-nets by taking down their command and control nodes.  While Microsoft is transparent, accountable, and subjects their action to prior approval of a court, this is still an exercise of power.  Not just anyone could do this.  Google and Facebook are similarly powerful.  They have information about us that dwarfs the imagination.  It is the power that we fear.  We fear Google, who assures us that they would 'do no evil,' no less than Facebook, which admits to, not to say brags about, being amoral.  

In a recent report to Congress, the DoD asserted that the People's Republic of China is engaged in a massive electronic espionage program targeting our industry.  Troubling if true, but suspect because government lies and is amoral.  On the other hand, the PRC is clearly a target of the world's largest and most capable intelligence apparatus, the National Security Agency.  

Our government would have us believe that China's efforts are different from ours at least to the extent that they target our industry and share the product with their businesses.  I doubt that the Chinese appreciate this sophistry.  Again there is the problem of trust in government, in general, and NSA in particular.   By turning NSA on its citizens, in patent violation of the law, the government has destroyed a generation of trust and the trust of a generation.  

Perhaps the biggest bully on our block is the United States Department of Defense.  They used computer software and the Internet to conduct sabotage against another sovereign nation in peacetime.  At the same time, they published rules of engagement that said that they could retaliate with armed force against any other nation that did the same to them.  Sounds like school yard ethics to me.  Of course, the best behavior that we can expect of government is political, never ethical; we cannot even agree on the politics.

We have two defenses against these bullies.  First, we can demand transparency and accountability.  Second, we can insist upon the requirement for warrants.

Of course, the thugs, particularly the government, resist accountability and transparency.  "Anonymous" tells you in their name that they do not intend to be transparent.  In the case of Operation Fast and Furious, illegal on its face, the Department of Justice has resisted all attempts to hold anyone accountable.  Indeed, the refusal of the Obama administration to produce evidence is now seen as more important than the original egregious offense.  

The government has all kinds of excuses for resisting any investigation of its crimes.  These range all the way from protecting ongoing investigations, sources and methods, to executive privilege.  Indeed in the case of Fast and Furious, the government appears to have initiated an investigation of itself in order to create a shield against congressional oversight.  We are told that our need to hold government accountable must yield to the needs of the government rather than the other way around.  

The government resists the use of warrants even when there is probable cause and issuance would be all but automatic.  For example, instead of getting a warrant to install a tracking device on the vehicle of a citizen suspected of trafficking in scheduled drugs, the administration installed the device and asserted that a warrant was not required.  Could it be that they spent all of that time, money, and effort defending the absence of a warrant just so the citizen would fear "unreasonable searches and seizures," the Fourth Amendment notwithstanding? 

CISPA is another case where the government seeks to overcome the Constitutional requirement for a warrant.  CISPA simply creates a legislative exception to the Constitutional requirement.  One would hope that the courts will hold such a law unconstitutional.  Indeed, one would hope that a courageous Congress would never pass such a law.  

The Rule of Law stands in perpetual peril, here and around the world. While the bullies do, and should, provoke fear, they are also justified and protected by fear. Our fear of retaliation, the judgment of our peers, firing, civil suits, rejection by primary electorates, criminal indictments, terrorists, competition from China, misuse and abuse of personal data, financial fraud, denial of service, and leakage or loss of data are being used by the bullies to justify their power.  Little wonder that we feel like mice in a world of giants.  While some of the fear is natural and perhaps even justified, the consequences of yielding to it, and acting from it, are to be feared far more.

In my school yard there was a hero who stood up to the bullies.  His name was Sammy Ina and I wanted to be just like him, a hero.  I stand in awe of the three hundred firemen who died on 9/11 because "it was their job."  

As law enforcement and information assurance professionals it is our job to resist the bullies, to insist upon transparency and accountability for ourselves and all others, to act only with warrants based upon probable cause, to protect the citizen, and to go into harm's way.  It is our job not just to be professionals and earn the big bucks, but to be heroes.