Category: Computer Crimes

Posted on

The XP’s EOL. History Will Teach Us Nothing

Windows XP is dead in Redmond, but alive and kicking in a huge quantity of devices such ? ATMs. When the news hit the media, waves of “concerns” for the security of our money and safety stormed the public, with no actual effect on the Microsoft’s strategies. And history keeps repeating with domotics, wearable technologies and in-car systems.

This aftermath was easy to foresee when some “clever” IT manager chose to go proprietary when moving its ATM infrastructure “to the next step”, but between this and the open source alternative a third option would have spare us all the current trouble: just put into the agreement a source-code escrow provision, to guarantee the (big) client against the End-of-Life of the software.

Sure, this wouldn’t have been a cheap solutions (we’re not talking about a bunch of PHP code, here) but there are no free beers and easy life can’t last forever. If you go proprietary and enjoy the safety(?) of having somebody else who cares about bugs, patches and updates, you need to have a contingency plan for the moment when your licensor plugs-off the cord that keeps alive the software you’re using.

And now history is re-repeating itself. We’re on the edge of a new invasion of pervasive technology based on Apple’s OSX or – again – Microsoft Windows Whatever, and in a bunch of years we will complain again that because of a copyright issue we can’t enter our home, use the fridge, watch the television, start the car, know what’s the time, have a medical diagnosis and so on…

A final, collateral, question: where do the corporate lawyers were, when those agreement have been signed?

Posted on

The Italian Data Protection Authority to start a code reviewing investigation

Better late then ever: a press release from the Italian Data Protection Authority ? advertises the data-protection oriented review of a certain number of apps.

This initiative should be a major concern for the (yet unaware) software industry, whose intellectual and industrial property might be endangered by a deep peep into its well protected secrets. Neither are clear the criteria that will lead to the app selection, nor whether or not the DPA will asks the developers for source code access.

Unless this IDPA investigation is just an empty PR stunt, it should be carried on by accessing the source code or reverse-engineering the executables: but doing so without signing NDAs and/or provide guarantees of non exploitation is an approach that the industry will likely reject.

Furthermore, if the software check will target only a certain kind of companies, leaving the other players of the same market safe from the scrutiny, this might be held as an unfair alteration of the market dynamics. And things might be much worse if the targeted companies are the smallest one, instead of the big fishes in the pond.

Mind, the lack of data-protection compliant programming isn’t a new or unforeseen issue – as the history of software can witness – but the IDPA never actually cared that much. For instance, it didn’t move a finger when back in 2002 ALCEI (a civil-rights Italian NGO) asked in vain the IDPA to check the claims of the existence of hidden features of a certain series of Telindus routers that posed significant threats to the users’ data protection.

 

 

Posted on

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection and the (wrong) notion that when the retention period has expired, the retained data must be deleted.

Let’s start from scratch: as soon as the services work properly, an ISP has no need to preserve the traffic data, but since we don’t live in a perfect world, problems happen so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus, ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as these information are useful to pursue legitimate goals.

Enter the Data Retention. With a questionable motive, ISPs are now forced – forced – to retain for a limited time some traffic data for the sake of the law enforcement community. In other words, what before the Data Rention Era was voluntary, now is mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free to either continue keeping those data (for legitimate purposes) or deleting it.

Posted on

How Linkedin Helped to Fight a Possible Scam

Among the usual daily flow of e-mails that submerges me, today I’ve spotted a request for contact coming from a North-European research firm active in the healthcare sector. Its CFO asked for information about a possible breach of contract litigation.

I didn’t have any reason to think of this e-mail as a scam, but there was “something” definitely odd in the message. So I checked both the person and the company name on the Internet and they were real. Still, I wasn’t convinced and decided to have a look at the message header: again, I got contradictory results. The mail server used to send the message was in a remote part of the US, belonging to a local ISP with no apparent connection with both Europe and the Healthcare industry the message was (apparently) coming from.

This couldn’t be a coincidence so I’ve searched the Linkedin profile of the manager that allegedly sent me the message and dropped him an in-mail (so to be sure about his identity and affiliation) and… gotcha! He replied confirming that it wasn’t him the sender of the message.

To put it short, it was a scam and being on Linkedin helped both me to avoid a fraud and this company to discover that it is targeted by an identity theft.