
WOW! It’s been a while

It has been way too long since I’ve posted anything here.  For the diligent, thank you for sticking with me.  I’m back on the train and will get back to regular posts.

My practice has been picking up, so I’ve been a bit busy.  For those that don’t know, my legal practice is centered around cybersecurity issues.  Primarily:

  • Mergers and Acquisitions diligence
  • Risk Assessment
  • Security and privacy policy creation and review
  • Breach planning and response
  • Cyber-insurance
  • PCI-DSS, HIPAA HITECH, GDPR analysis and review
  • Negotiating Technology Agreements
  • Terms of Use
  • End User License Agreements
  • Helping startups address security issues
  • IT Counseling
  • Calling out Security “snake oil” salespeople

It is a fun and interesting way to spend my days.  I get to play with all the areas of my firm’s practices, I get to meet cool and interesting people, and I get to solve problems.

There is a great essay from Eric S. Raymond called “How to Become a Hacker”.  It is one of my favorite pieces of writing on what hackers are and their ethos.  I need to reread it every year or so to remind me that there are people like me and how I need to focus my attention.  Everyone should read the essay.  The 5 attitudes ESR calls out, which have become my mantras, are:

1. The world is full of fascinating problems waiting to be solved.

2. No problem should ever have to be solved twice.

3. Boredom and drudgery are evil.

4. Freedom is good.

5. Attitude is no substitute for competence.

My practice really does let me find “fascinating problems waiting to be solved” and I feel really enthused every time I get to find that solution.

Anyway, more to come.

Website accessibility under Title III

When I was in law school, our assignment for mock trial in Legal Research and Writing was a debate regarding whether websites were “places of public accommodation” under Title III of the Americans with Disabilities Act.

This was a fairly novel idea at the time.  Title III requires that places of public accommodation, like grocery stores, must make their stores accessible to disabled shoppers.  As with any law school mock trial assignment we had to argue both sides with equal fervor.

Over the last several years this debate has continued in real courtrooms across the country.  This month another court stepped into the fray.  In Juan Carlos Gil v. Winn-Dixie Stores, Inc., the judge ruled the Winn-Dixie grocery store must make its website accessible to the disabled.  Gil, the plaintiff, is legally blind and the Winn-Dixie website was incompatible with screen readers that he used to browse the website.

The judge in this case did not specifically address whether a website is a place of public accommodation, but stated:

The Court need not decide whether Winn-Dixie’s website is a public accommodation in and of itself, because the factual findings demonstrate that the website is heavily integrated with Winn-Dixie’s physical store locations and operates as a gateway to the physical store locations.

This integration with the physical Winn-Dixie stores is more than just an advertising platform but

The services offered on Winn-Dixie’s website, such as the online pharmacy management system, the ability to access digital coupons that link automatically to a customer’s rewards card, and the ability to find store locations, are undoubtedly services, privileges, advantages, and accommodations offered by Winn-Dixie’s physical store locations.

Thus, the judge found that Winn-Dixie had violated the ADA Title III and issued an injunction which requires, among other provisions, that Winn-Dixie’s

website must be accessible by individuals with disabilities who use computers, laptops, tablets, and smart phones

If you would like to test how your webpage renders on a screen reader, there is a Chrome extension called ChromeVox that will let you browse the web using a screen reader.  Anyone who doesn’t understand why this is important should install this extension and browse the web for half an hour with their eyes closed.  The experience should be quite enlightening.

We have to do better: Pacemaker security

Last week Billy Rios and Jonathan Butts published research on the security of pacemakers.  In all, they identified over 8000 vulnerabilities in third-party components within the subsystems of 4 major vendors’ physician programming and home monitoring devices.

These vulnerabilities exist primarily because vendors are able to cut development time by using commonly available libraries.  While the libraries may be considered secure when initially deployed, over time new vulnerabilities are discovered.  Unfortunately, the patches for these vulnerabilities are not uniformly applied.

This is a common problem with embedded devices, internet-of-things things, and industrial control systems.  The use of public libraries makes sense to get a product to market, but many vendors don’t account for the update and patch process.

Additionally, as I’ve written about before, many vendors still use hardcoded or backdoor passwords.  The researchers were able to verify hardcoded credentials in three of the four devices tested.

We have to demand better from the vendors selling critical information technology, whether it is an industrial control system or medical equipment.  Simple vulnerabilities like insecure libraries, the inability to patch, and hardcoded credentials must be addressed by vendors.
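The patching problem above is, at bottom, an inventory problem: a vendor has to know which third-party components a device ships with and which of those versions have since been found vulnerable.  The following is an added example (not the researchers’ tooling or any vendor’s code) showing the check a defender would run over a component inventory.  The inventory entries, the advisory table and every version number and advisory id in it are constructed placeholders, not values from the research.

```python
"""Compare an embedded device's third-party component inventory against a
table of known-vulnerable version ranges.

Added example; the inventory, the advisory table, the version numbers and
the advisory ids below are all constructed for illustration.  Versions are
assumed to be plain dotted numerics (e.g. "1.24.2"); letter suffixes are not
handled.
"""
from typing import Dict, List, Tuple

# Constructed inventory of what one device image ships with.
CONSTRUCTED_INVENTORY: List[Dict[str, str]] = [
    {"component": "libssl-embedded", "version": "1.0.1"},
    {"component": "busybox-lite", "version": "1.24.2"},
    {"component": "zlib", "version": "1.2.11"},
]

# Constructed advisory table: component -> [(first_affected, first_fixed, advisory_id)]
# A version v is affected when first_affected <= v < first_fixed.
CONSTRUCTED_ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "libssl-embedded": [("1.0.0", "1.0.2", "ADV-PLACEHOLDER-001")],
    "busybox-lite": [("1.20.0", "1.25.0", "ADV-PLACEHOLDER-002")],
    "zlib": [("1.2.0", "1.2.8", "ADV-PLACEHOLDER-003")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.24.2" into (1, 24, 2) so versions compare numerically,
    not lexically ("1.2.11" must sort above "1.2.8")."""
    return tuple(int(part) for part in version.split("."))


def find_outdated(inventory: List[Dict[str, str]],
                  advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair whose shipped
    version falls inside an affected range, with the version to move to."""
    findings = []
    for item in inventory:
        shipped = parse_version(item["version"])
        for first_affected, first_fixed, advisory_id in advisories.get(item["component"], []):
            if parse_version(first_affected) <= shipped < parse_version(first_fixed):
                findings.append({
                    "component": item["component"],
                    "version": item["version"],
                    "advisory": advisory_id,
                    "upgrade_to": first_fixed,
                })
    return findings


if __name__ == "__main__":
    for finding in find_outdated(CONSTRUCTED_INVENTORY, CONSTRUCTED_ADVISORIES):
        print(f"{finding['component']} {finding['version']}: {finding['advisory']} "
              f"(fixed in {finding['upgrade_to']})")
```

Run against the constructed data, the check flags the bundled TLS and shell components and passes zlib, whose shipped version is already past the fixed release.  In practice the inventory side is the hard part: a vendor who cannot produce this list for a shipped device cannot know whether a newly published fix applies to it, which is exactly the gap the research exposed.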

Grasping blockchain, it’s more than just bitcoin

OK, OK, I said I wouldn’t mention the “ransomware that shall not be named” again, but…

With all the focus on how people are supposed to pay to have their files decrypted, a lot of people have been asking about bitcoin.  There are many types of cryptocurrency; bitcoin is simply one of them.  Each cryptocurrency, though, relies on a technology called “blockchain.”

Blockchain, in turn, is much larger than cryptocurrency.  It is really a technology that can help track real estate ownership, transfer of tangible property, contracts, and other agreements.

Now, I’m not going to get into the nitty-gritty.  There are a bunch of articles, books, websites, and YouTube videos that can explain the cryptography and protocols underlying blockchain.  What I would like to do is give a very high-level explanation of blockchain.  So, from 40,000 feet:

  1. Someone wants to transfer something to someone else (bitcoin, property, contract)
  2. That person creates a transaction with the other party.
  3. The transaction is grouped with other transactions to create a “block”
  4. The block is transferred to nodes responsible for validating the block (miners)
  5. Once the block is validated, it is added to the blockchain

The blockchain is then autonomously distributed to a peer-to-peer network.  In effect, blockchain is a widely distributed append-only ledger, so blocks cannot be altered without the entire network becoming aware of the modification.  This transparency adds to the technology’s security.
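To make the five steps and the “cannot be altered without the network noticing” property concrete, here is an added example (not from the post or from any real cryptocurrency) of a toy hash-chained ledger.  Each block commits to the hash of the one before it, “validation” is a simple proof-of-work nonce search, and a verifier recomputes every hash to detect tampering.  The difficulty setting, the transaction format and the sample transfers are all assumptions made for the example.

```python
"""Toy hash-chained ledger walking through the five steps above.

Added example, not the author's code and not any real cryptocurrency's
protocol.  DIFFICULTY, the transaction dictionary shape and the sample
transfers are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIFFICULTY = 2  # leading hex zeros a valid block hash must have (assumption)
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the previous block: this is the "chain"
    transactions: List[Dict]
    nonce: int = 0

    def compute_hash(self) -> str:
        # Canonical JSON so identical content always hashes identically.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def make_transaction(sender: str, recipient: str, asset: str, amount) -> Dict:
    """Steps 1-2: one party records a transfer to another."""
    return {"from": sender, "to": recipient, "asset": asset, "amount": amount}


def mine_block(prev_hash: str, index: int, transactions: List[Dict]) -> Block:
    """Steps 3-4: group transactions into a block and search for a nonce
    whose hash meets the difficulty rule (the miners' validation work)."""
    block = Block(index=index, prev_hash=prev_hash, transactions=list(transactions))
    while not block.compute_hash().startswith("0" * DIFFICULTY):
        block.nonce += 1
    return block


def build_chain(batches: List[List[Dict]]) -> List[Block]:
    """Step 5: append each validated block, linked to its predecessor."""
    chain = [mine_block(GENESIS_PREV, 0, [])]  # genesis block
    for txs in batches:
        chain.append(mine_block(chain[-1].compute_hash(), len(chain), txs))
    return chain


def verify_chain(chain: List[Block]) -> bool:
    """What every peer can do: recompute each hash and check the links.
    Editing any past block changes its hash, so its successor's prev_hash
    no longer matches and the edit is visible to the whole network."""
    for i, block in enumerate(chain):
        if not block.compute_hash().startswith("0" * DIFFICULTY):
            return False
        if i > 0 and block.prev_hash != chain[i - 1].compute_hash():
            return False
    return True


def tamper_demo() -> Tuple[bool, bool]:
    """Build a small chain, confirm it verifies, then quietly rewrite
    an old transaction and confirm the chain no longer verifies."""
    chain = build_chain([
        [make_transaction("alice", "bob", "BTC", 0.5)],
        [make_transaction("bob", "carol", "deed:123 Main St", 1)],
    ])
    before = verify_chain(chain)
    chain[1].transactions[0]["amount"] = 50   # attempt to alter history
    after = verify_chain(chain)
    return before, after


if __name__ == "__main__":
    print(tamper_demo())  # (True, False)
```

The point the example makes is that the ledger is tamper-evident rather than tamper-proof: a single node can edit its own copy, but every other peer holding the chain will fail `verify_chain` on it, which is what the post means by the network becoming aware of the modification.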

For an idea of where blockchain could be headed, check out an article I co-wrote for the E-Commerce Times.