Saturday, 5 July 2008

PI laws and ignorance as a perspective.

Ignorance is the condition of being uninformed or uneducated, lacking knowledge or information. It seems that some desire to make this an outlook on life.

I am actually being swayed to support the introduction of additional professional laws. Not by the government, but through the constant display of ignorance I continue to see from people who refuse to look at the issue unemotionally and actually weigh the facts. In attempting to help people who do not have any professional qualifications or a degree, I keep being rebutted by those to whom I am offering advice that could give them some slim chance of achieving their goals.

The introduction of Private Investigator (PI) licensing does not in fact, as is touted, restrict people from the practice of digital forensics in the manner posited. It is rather an increase in the range of parties who can engage in an activity that is already restricted. In this essay, I will concentrate mainly on Texas, due to the difficulty of reporting issues across multiple states in a single essay.

This is NOT a new issue. This was addressed over 50 years ago and has been replayed time and again. For instance, in Kennard v Rosenberg, 127 CA 2d 340; 273 P2d 839, hrg den (1954).…“Where a statute is susceptible of two constructions, one leading to absurdity, and the other consistent with justice, good sense and sound policy, the former should be rejected and the latter adopted.”…"The uncontradicted evidence is that none of the plaintiffs herein were engaged in the private detective business or represented themselves to be so engaged. Plaintiffs were licensed engineers and as such were authorized to make investigations in connection with that profession. It seems quite clear that the private detective license law was not intended by the Legislature to place a limitation on the right of professional engineers to make chemical tests, conduct experiments and to testify in court as to the results thereof. A physician, geologist, accountant, engineer, surveyor or a handwriting expert, undoubtedly, may lawfully testify in court in connection with his findings without first procuring a license as a private detective, and, as in the instant case, a photographer may be employed to take photographs of damaged premises for use in court without procuring such a license. Likewise, plaintiff, who was hired as a consultant and expert and not as a private detective and investigator was not required to have a license as such before being permitted to testify in court as an expert."…"… it was the intent of the Legislature to require those who engage in business as private investigators and detectives to first procure a license so to do; that the statute was enacted to regulate and control this business in the public interest; that it was not intended to apply to persons who, as experts, were employed as here, to make tests, conduct experiments and act as consultants in a case requiring the use of technical knowledge."

What we see from this is that it is absurd to make the claim in the way it is being made. It is more absurd still to presumptively argue that all computer repair personnel are now required to hold a PI license. The issue being posited is flawed.

Again, to take the largest focus of this fallacious argument that a PI license is required, the Texas code at “§1702.324. CERTAIN OCCUPATIONS” states:

"(b) This chapter does not apply to: ...(6) a licensed engineer practicing engineering or directly supervising engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary data collection;...
(9) an attorney while engaged in the practice of law;
(10) a person who obtains a document for use in litigation under an authorization or subpoena issued for a written or oral deposition;
...
(12) a person who on the person's own property or on property owned or managed by the person's employer:
...
(14) a person or firm licensed as an accountant or accounting firm under Chapter 901, an owner of an accounting firm, or an employee of an accountant or accounting firm while performing services regulated under Chapter 901;"

The issue is not (and never has been) that a PI license is required. This is an exercise in ignorance. The issue at most is the requirement of a license.

But what is an expert in the eyes of the law?
Most “Experts” are not experts. If you think that having a CCE and even a couple of years' experience in digital forensics makes you an expert, I am sorry to say that you are sadly mistaken.

Supreme Court Justice Potter Stewart stated, “I know pornography when I see it”, but the question is whether he would have known an “expert”. Some people are easy – they are fools from the word go and no issue. Some have a good track record, published works and industry acknowledgement. The issue is where the line is drawn in the middle. The easy case is where the law has already decided on the point. This includes a person with a degree in the topic. A degree will suffice for a court, as will a demonstrable membership in a recognised professional body.

Even Engineers need a license.
The requirements in Texas to be a Professional Engineer are stated in Texas code 1001. This act states:
"a person may not, unless the person holds a license issued under this chapter, directly or indirectly use or cause to be used as a professional, business, or commercial identification, title, name, representation, claim, asset, or means of advantage or benefit any of, or a variation or abbreviation of, the following terms:
(1) “engineer”;
(2) “professional engineer”;
(3) “licensed engineer”;
(4) “registered engineer”;
(5) “registered professional engineer”;
(6) “licensed professional engineer”; or
(7) “engineered.”"


The vast majority of the people in the IT industry in Texas who have no degree, are not licensed, but call themselves an engineer are already in breach of section 1001 of the occupations code (and of related state laws in other parts of the US). A Professional Engineer is an excluded occupation under Texas code 1702.324(b). As a consequence, a professional engineer does not need a PI license.

In fact, section 1702 specifically states "including forensic analysis". The section of the code explicitly excludes professional engineers:
"(6) a licensed engineer practicing engineering or directly supervising engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary data collection;"
As with many of the other professions that one can join instead of becoming a PI, a person may work under the supervision of a licensed member.

In law, accountancy and engineering (in fact any recognised profession), this is not only common practice, but the standard. This is the nature of professional membership. Doing a course, or a degree, is in itself insufficient. There is also what is in effect an apprenticeship, which comes at the end of one's preliminary training before one may practise on one's own. To become a CPA or be accepted by the Bar in the US is analogous to an apprenticeship in many ways. It is however a necessary step in the process of professionalising members of such a body. Engineering is no different in this regard.

This all of course begs the question, what should be argued?
The issue is not, as stated, that we need to stop PI laws; rather it is that we need to professionalise IT and in particular digital forensics. To some extent this can be difficult if handled incorrectly. A viable option already exists in a number of existing and defined fields. Computer systems engineering is an already defined subset of the engineering profession. A licensed professional computer systems engineer (PEng) is already allowed to practice. That is, a PEng may legally engage in the provision of unsupervised forensic services without gaining a PI license, under any interpretation of the PI law, no matter how poor the interpretation. Similarly, a licensed attorney, accountant, insolvency practitioner, insurance investigator and many other recognised professions may engage in forensic analysis of computer systems.

Having been through university when maths was a prerequisite for any studies in computer science, and having engaged in postgraduate education in maths subsequent to this, I have no issues with personally obtaining a professional engineering license in Texas. I fear that one of the issues is that others do not have this luxury.

I would extend this argument to the fact that most of those ignoring the licensing issue for what it truly is will also not have a degree in law or accounting. This makes the PI issue the favourable one to concentrate on, as it is the easiest option. It takes far less effort to become a PI than an engineer, lawyer, actuary etc. The argument for fighting the introduction of a PI law however remains flawed. It is the addition of another party, not the subtraction of others.

The real issues for those who do not have a degree in any of the aforementioned professions, or even one in computer science, will arise because the professionalisation of digital forensics will in all probability require that one obtains a degree.

The argument that a PI license is required is flawed. The false belief that removing the PI law will legalise the provision of digital forensic services is likewise flawed. Many of the people who have a CCE and who are arguing along these lines do not meet the court's test of what is an expert.

The licensing issue is only an issue when the following conditions apply:
1. You do not work for a Professional body (an accepted one)
2. You are not yourself a member of such a body (Accountant, Professional engineer, lawyer, etc)
3. You are investigating a case with direct instruction from the client who controls the systems who is not a lawyer, accountant etc.
4. You are not a PI
5. On finding evidence of criminal actions, you do not directly hand the evidence to the police etc.

Texas code 1702 specifically states "including forensic analysis":
"(6) a licensed engineer practicing engineering or directly supervising engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary data collection;"

Supervised and Unsupervised
In an earlier paragraph I used the term “unsupervised”. This is because it will still (even as a non-professional practitioner) be possible for a CCE who has not obtained a license of any category to work. This is analogous to the position of a paralegal in a litigation firm. In this instance, it is the partner at the law firm who is responsible for the conduct of the work, and in due order the exemption that applies to the attorney extends to the person who is conducting work for them.

In applying something such as the US Daubert rule [1], the issue that will apply is that a CCE alone is not sufficient to express expertise.

This all comes to WHY there is a push for accreditation and licensing. To be a professional engineer one has to be a member of an accredited professional society, have state licensure etc. (this differs by location). If one wants to start to practice as an attorney one has to join the law society as a full member (or the bar in the US etc.). Most professional societies have rules and ethical requirements.

We on this list are all members of what could become an accredited professional society. It is not one that is accredited to represent us as a professional association as yet and this means that there is a gap. This means there are perception issues. On top of this, a CCE alone will not satisfy the requirements of a professional designation in the eyes of the law. This would leave a graded system with CCE alone being a paraprofessional position with the requirements for a degree or its equivalent being necessary for those members wishing to practice on their own or for those who wish to start their own practice.

On top of this, and what fits with the majority of people working as forensic analysts for court, is that the exclusion "person who obtains a document for use in litigation under an authorization or subpoena issued for a written or oral deposition;" can be extrapolated to include CCEs and other suitably qualified people who are operating under court orders or even under the supervision of a recognised party.

The case in point includes the situation where you are working under the instruction of "an attorney while engaged in the practice of law": you are then also excluded from this code. Many examinations will be covered under one or more of these provisions and thus not need to be licensed directly. So what I am saying is not that you do not need to be licensed at all, but that you do not need to be a PI. A private investigator is not the ONLY licensed person able to do forensic work in Texas (and other US locations). A licensed accountant, a licensed engineer and many other professions all suffice. They are explicitly excluded from chapter 1702 of the Texas occupations code.

I am not stating that the states cannot license forensic collections, just that this (as some suggest) does not mean that it is restricted to only PIs. It includes ALL the occupations deemed acceptable. As an engineer doing work for an accounting firm in the course of an engagement for a law firm, I would have no issues at all not having a PI license.

Given a choice, I would (if I was not already one) become an engineer BEFORE thinking of being a PI (though to be honest I have my security diploma - but let the license lapse years ago).

The solution is that those in the US who fear licensure need to act to make an organisation such as the ISFCE an accredited professional body or to instigate an acceptable alternative scheme.

[1] Evidence law allows for an attorney in the US to engage both "Testifying" and "Non-Testifying" Expert witnesses. "Non-Testifying" Expert witnesses are covered and protected by attorney-client privilege. "Testifying" Expert witnesses are not.

The case, Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993), sets the standard in US federal rules of evidence. These supply the standard for governing expert testimony.
http://www.law.cornell.edu/supct/html/92-102.ZS.html

The Daubert standard was upheld and extended in Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999). In this case a "non-scientist" technician was allowed as an expert witness.

"This case requires us to decide how Daubert applies to the testimony of engineers and other experts who are not scientists. We conclude that Daubert’s general holding– setting forth the trial judge’s general “gatekeeping” obligation–applies not only to testimony based on “scientific” knowledge, but also to testimony based on “technical” and “other specialized” knowledge."
See http://www.law.cornell.edu/supct/html/97-1709.ZO.html (and please avoid the Wiki bastardisation).

“nothing in either Daubert or the Federal Rules of Evidence requires a district court to admit opinion evidence that is connected to existing data only by the ipse dixit of the expert.” 522 U.S., at 146. However, this does not impact the status and standing of the individual giving testimony.

P.I. Licenses for Forensic Examination in the US. The error of the statement.

US states have the right to license professional activity, for instance lawyers, engineers and accountants. This has already been decided in the US Supreme Court.

Kennard v Rosenberg, 127 CA 2d 340; 273 P2d 839, hrg den (1954).…

“Where a statute is susceptible of two constructions, one leading to absurdity, and the other consistent with justice, good sense and sound policy, the former should be rejected and the latter adopted.”…
"The uncontradicted evidence is that none of the plaintiffs herein were engaged in the private detective business or represented themselves to be so engaged. Plaintiffs were licensed engineers and as such were authorized to make investigations in connection with that profession. It seems quite clear that the private detective license law was not intended by the Legislature to place a limitation on the right of professional engineers to make chemical tests, conduct experiments and to testify in court as to the results thereof. A physician, geologist, accountant, engineer, surveyor or a handwriting expert, undoubtedly, may lawfully testify in court in connection with his findings without first procuring a license as a private detective, and, as in the instant case, a photographer may be employed to take photographs of damaged premises for use in court without procuring such a license. Likewise, plaintiff, who was hired as a consultant and expert and not as a private detective and investigator was not required to have a license as such before being permitted to testify in court as an expert."…

"… it was the intent of the Legislature to require those who engage in business as private investigators and detectives to first procure a license so to do; that the statute was enacted to regulate and control this business in the public interest; that it was not intended to apply to persons who, as experts, were employed as here, to make tests, conduct experiments and act as consultants in a case requiring the use of technical knowledge."

An investigator (digital forensic) is not required to have a license as a PI. Plain and simple. This does not make a shred of difference, be it in the US state of Texas, Georgia or even CA. They can be required to have a license; this is NOT the same statement as a requirement for a PI license.

The issue is needing a state professional license. This can be a PI license.

It can also be one of any of the aforementioned ones. It is also illegal to work as a lawyer sans a licence. It is even a crime in all US states to call yourself an engineer without being a professional engineer.

Again, the issue is with a licence requirement and is NOT a PI issue. The courts have upheld the rights of the states to license, and ALL US states have professional exclusions.

Friday, 4 July 2008

Defamation and the Internet

Australian defamation laws are complicated by their state-based nature, in that they differ across each jurisdiction in content and available defences. Various Australian state laws include offence provisions for both civil defamation and criminal defamation. Civil liability arises as a consequence of publications that are expected to harm a person's reputation, and the penalties are monetary. Criminal liability arises as a consequence of publications that concern society, including those with a propensity to imperil the public peace, and penalties in the majority of jurisdictions include incarceration. Significant distinctions exist between civil and criminal defamation law in relation to both liability and defences.

The Western Australian Supreme Court decided in Rindos v. Hardwick[1] that statements distributed in a discussion list can be defamatory and lead to an action. The court thought that it was inappropriate to apply the rules differently to the Internet from other means of communications. The court acknowledged the instigator’s accountability for defamatory proclamations broadcast across a discussion group[2]. The matter of the liability of other participants on the list was not considered during the trial.

It is considered unlikely that an ISP would scrutinise all material presented across its network[3], and this may not be economically feasible[4]. Mann & Belzley address this through “targeting specific types of misconduct with tailored legal regimes”[5]. These regimes would leave the ISP responsible for the defamatory publications of its users where they have failed to take reasonable action to mitigate these infringements. The existing law in Australia leaves all parties considered to be a “publisher” liable[6]. Cases do exist[7] where ISPs have removed content proactively.

The common law defence of innocent dissemination exists in Australia. Thompson v Australian Capital Television[8] demonstrated this when Channel 7 asserted that transmission of a “live” show to the ACT retransmitted from Channel 9 NSW in effect placed it as a subordinate publisher that disseminated the material of the real publisher devoid of any material awareness or influence over the content of the show. They argued that this was analogous to a printer or newspaper vendor.

The High Court held that the defence of innocent dissemination is available to television broadcasts as well as printed works. In this instance it was held that the facts demonstrated Channel 7 maintained the capacity to direct and oversee the material it simulcast. The show was broadcast as a live program through Channel 7's choice. They chose this format in full knowledge that a diffusion of the show would be next to instantaneous. They were further conscious of the nature of the show, a “live-to-air current affairs programme”[9], and understood that this program carried an elevated risk of transmitting defamatory material. It was decided on the facts that Channel 7 was not a subordinate publisher on this occasion.

The Federal Broadcasting Services Act 1992[10] affords a legislative defence to an ISP or Internet Content Host (ICH) that transmits or hosts Internet based content in Australia if they can demonstrate that they were reasonably unaware of the defamatory publication. s.91(1) of Schedule 5 to the Broadcasting Services Act[11] grants that a law of a State or Territory, or a rule of common law or equity, has no effect to the extent to which the ISP “was not aware of the nature of the internet content”.

The BSA[12] defines "internet content" to exclude "ordinary electronic mail". This is a communication conveyed using a broadcasting service where the communication is not "kept on a data storage device". Consequently, the s.91 defence will not be offered in cases concerning such material. In such cases, an ISP or ICH may still attempt to rely on the defence of innocent dissemination. The applicability of the common law defence of innocent dissemination remains to be determined by the Australian courts.[13] As a consequence, any reliance on these provisions by ISPs or ICHs carries a measure of risk.

[1] Rindos v. Hardwick, No. 940164, March 25, 1994 (Supreme Ct. of Western Australia) (Unreported); See also Gareth Sansom, Illegal and Offensive Content on the Information Highway (Ottawa: Industry Canada, 1995).
[2] Ibid, it was the decision of the court that no difference in the context of the Internet News groups and bulletin boards should be held to exist when compared to conventional media. Thus, any action against a publisher is valid in the context of the Internet to the same extent as it would be should the defamatory remark been published in say a newspaper.
[3] Recording Industry Association of America, Inc. (RIAA) v. Verizon Internet Services, 351 F.3d 1229 (DC Cir. 2003); See also Godfrey v Demon Internet.
[4] Further, in the US, the Digital Millennium Copyright Act’s (DMCA’s) “good faith” requirement may not require “due diligence” or affirmative considerations of whether the activity is protected under the fair-use doctrine. In contrast, FRCP 11 requires “best of the signer’s knowledge, information and belief formed after reasonable inquiry, it is well grounded in fact and is warranted by existing law…”. Additionally, with the DMCA, penalties attach only if the copyright owner “knowingly, materially” misrepresents an infringement, so the copyright owner is motivated to not carefully investigate a claim before seeking to enforce a DMCA right.
[5] Supra note.
[6] Thompson v Australian Capital Television, (1996) 71 ALJR 131
[7] See also “Google pulls anti-scientology links”, March 21, 2002, Matt Loney & Evan Hansen , www.News.com, Cnet, http://news.com.com/2100-1023-865936.html; “Google Yanks Anti-Church Site”, March 21, 2002, Declan McCullagh, Wired News, http://wired.com/news/politics/0,1283,51233,00.html; “Church v. Google How the Church of Scientology is forcing Google to censor its critics”, John Hiler, Microcontent News, March 21, 2002, http://www.microcontentnews.com/articles/googlechurch.htm; Lawyers Keep Barney Pure, July 4, 2001, Declan McCullagh, Wired News, http://www.wired.com/news/digiwood/0,1412,44998,00.html.
[8] Supra Note.
[9] Supra Note.
[10]
[11] s.91(1) of Schedule 5 to the Broadcasting Services Act states:
(i) subjects, or would have the effect (whether direct or indirect) of subjecting, an internet content host/internet service provider to liability (whether criminal or civil) in respect of hosting/carrying particular internet content in a case where the host/provider was not aware of the nature of the internet content; or
(ii) requires, or would have the effect (whether direct or indirect) of requiring, an internet content host/internet service provider to monitor, make inquiries about, or keep records of, internet content hosted/carried by the host/provider.
[12] The Broadcasting Services Act specifically excludes e-mail, certain video and radio streaming, and voice telephony, and discourages ISPs and ICHs from monitoring content by the nature of the defence. See also, Eisenberg J, 'Safely out of site: the impact of the new online content legislation on defamation law' (2000) 23 UNSW Law Journal; Collins M, 'Liability of internet intermediaries in Australian defamation law' (2000) Media & Arts Law Review 209.
[13] See also EFA, Defamation Laws & the Internet

Thursday, 3 July 2008

Actors who define the Internet

Primary Malfeasors
The primary malfeasors that impact Internet content or service providers are those who offer or obtain illicit material across the Internet. This material ranges from breaches of copyright, objectionable content, child pornography, unlicensed gambling, and trademark dilution or infringement to a number of less common offences such as money laundering and terrorism. Most countries have strict licensing requirements for gambling sites, if they allow this activity at all. A website can offer its services to any nation if it so chooses. As such, an online casino could be set up to solicit clients from other jurisdictions that do not allow online gambling (such as the USA).

In other cases, the provision may be legal in its own jurisdiction (such as the offering of “hard-core” pornography in Denmark) but breach the laws where it is being accessed. An individual who introduces malware into the Internet is also placing content onto the systems that comprise the Internet. This is an action that could threaten many other people and organisations. As many SCADA[i] systems are connected to networks, an Internet worm could affect the physical world.

[i] Supervisory Control And Data Acquisition. These are systems that are used by many critical services, including power and emergency services.

Wednesday, 2 July 2008

Thinking of getting a gift?

Well here it is.... The ultimate gift for your loved one!
... At least if they are a compliance hounded IT geek.

Available from good bookstores now.

CAATTS and the common issues to consider

Working around common data analysis challenges
There are several common challenges that can turn into problems for even the most experienced data miners when preparing their data for reporting. It's a best practice to review the following list with each new data set that you get because it will save you time when joining tables, summarizing data, and conducting other data mining activities. With a little data "massaging" and awareness of some of these items (converting field types, extracting fields that are completely blank, etc.) you can actually "prepare" the data for the report:

  • improperly imported data field formats;
  • querying and calculating numbers that have been imported as text or other format;
  • querying and calculating dates and ranges that have been imported as text or other format;
  • thinking that just because the query executes without error that it has run correctly;
  • not using control totals;
  • trying to accomplish too much in a single query (in MS Access);
  • dealing with large data sets;
  • ensuring CSV files import correctly by removing commas from data fields;
  • desired data is a portion of data in an existing field or is broken into multiple fields (such as MMDDYY);
  • queries are too complicated or long to perform singularly;
  • sharing database analysis results with other people;
  • queries are too numerous to easily keep track of (MS Access);
  • compacting databases to save disk space;
  • making sure you have sufficient hardware for analyzing large data sets, including:
    • a speedy processor;
    • sufficient RAM to enhance processing speed and stability; and
    • enough hard-disk storage capacity to hold the data.
  • not spot checking query output with expected output from originating table;
  • only pulling the data you need by segmenting your request (such as by cost center or specific organization identifier) and avoiding the desire to "have it all"; and
  • splitting raw data files using a text editor (MS Word) or another database product (SQL Server or Idea).
The following are simple ideas for queries to get you started. The query may need to be modified slightly depending upon your data and tool selected.

Procurement fraud queries
Using the "Find Duplicates" functionality, identify cases where a vendor may have submitted the same invoice twice. Sort and group the data, then change the fields used for sorting and grouping (group by vendor, then sort first by date, then by amount, etc.).

Examine the data for same vendor, same amount, and same date (duplicate information to allow for vendor submitting the same invoice but changing the invoice number).

Examine the data for same vendor, same amount, and same invoice number (duplicate identification to allow for vendor submitting same invoice but changing the date).

Examine the data for same vendor and same amount, which will result in the largest resultant data set.

After-the-fact (ATF) and split purchases

Examine the data for split purchases (just under a cut-off dollar amount) and multiple transactions on the same day to the same vendor within a few dollars of each other.

For after-the-fact purchases compare the purchase order date and the invoice date. Create an expression that calculates the number of days between the two dates.

Expense report fraud queries using either tool

Import the list of expenditures that are within $1 of a key authorization threshold. (For example, if an original receipt is required for all employee expenses over $30, pull all transactions that are $29.00 to $29.99.)

Group by employee to see if certain employees routinely expense items just under the threshold using the summary functionality (group by, count, and sum), and calculate the frequency and value of transactions just below the authorization threshold.

Investigate employees that have a significantly higher number of transactions falling just below a key authorization threshold, especially where the item descriptions are too vague to verify, such as multiple entries for "Taxi."
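The procurement and expense-report queries above, as an added Python example (not code from the original post): the same tests run as SQL in SQLite, which makes the Access "Find Duplicates" and date-difference steps explicit. The invoice and expense rows, the $1000 approval limit and the $30 receipt threshold are constructed for illustration.

```python
import sqlite3

# Constructed sample data (hypothetical, not from any real ledger). Dates are ISO text so
# SQLite's julianday() can do date arithmetic on them, which is the "dates imported as text" case.
INVOICES = [  # vendor, invoice_no, invoice_date, po_date, amount
    ("Acme Supply", "A-100", "2008-06-02", "2008-05-28", 4200.00),
    ("Acme Supply", "A-101", "2008-06-02", "2008-05-28", 4200.00),  # same amount+date, new number
    ("Acme Supply", "A-100", "2008-06-09", "2008-05-28", 4200.00),  # same number, new date
    ("Byte Shop",   "B-7",   "2008-06-11", "2008-06-01",  990.00),  # two same-day invoices just
    ("Byte Shop",   "B-8",   "2008-06-11", "2008-06-01",  985.00),  #   under the $1000 limit
    ("Byte Shop",   "B-9",   "2008-06-20", "2008-06-25",  300.00),  # invoiced 5 days before the PO
    ("Cable Co",    "C-1",   "2008-06-15", "2008-06-10",  120.00),
]
EXPENSES = [  # employee, claim_date, description, amount
    ("E001", "2008-06-03", "Taxi",  29.50),
    ("E001", "2008-06-10", "Taxi",  29.00),
    ("E001", "2008-06-17", "Taxi",  29.99),
    ("E002", "2008-06-05", "Hotel", 180.00),
    ("E002", "2008-06-06", "Taxi",  12.00),
]
APPROVAL_LIMIT = 1000.00   # assumed single-signature purchase cut-off
RECEIPT_LIMIT = 30.00      # assumed: original receipt required at $30 and above
INVOICE_COLS = {"vendor", "invoice_no", "invoice_date", "po_date", "amount"}


def load_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE invoices (vendor TEXT, invoice_no TEXT, invoice_date TEXT,"
                " po_date TEXT, amount REAL)")
    con.execute("CREATE TABLE expenses (employee TEXT, claim_date TEXT, description TEXT,"
                " amount REAL)")
    con.executemany("INSERT INTO invoices VALUES (?,?,?,?,?)", INVOICES)
    con.executemany("INSERT INTO expenses VALUES (?,?,?,?)", EXPENSES)
    return con


def control_total(con, table):
    """Row count and summed amount, to reconcile against the source system before querying."""
    if table not in ("invoices", "expenses"):   # table name is interpolated, so whitelist it
        raise ValueError("unknown table")
    return con.execute(f"SELECT COUNT(*), ROUND(SUM(amount), 2) FROM {table}").fetchone()


def duplicate_invoices(con, keys):
    """Access 'Find Duplicates' equivalent: group on the chosen columns, keep groups of 2 or more."""
    if not set(keys) <= INVOICE_COLS:          # column names are interpolated, so whitelist them
        raise ValueError("unknown column")
    cols = ", ".join(keys)
    sql = (f"SELECT {cols}, COUNT(*) AS n FROM invoices "
           f"GROUP BY {cols} HAVING n > 1 ORDER BY {cols}")
    return con.execute(sql).fetchall()


def split_purchases(con, limit=APPROVAL_LIMIT, band=0.05):
    """Same vendor, same day, several invoices each just under the limit but over it in total."""
    sql = """SELECT vendor, invoice_date, COUNT(*) AS n, ROUND(SUM(amount), 2) AS total
             FROM invoices WHERE amount < ? AND amount >= ?
             GROUP BY vendor, invoice_date HAVING n > 1 AND total > ?"""
    return con.execute(sql, (limit, limit * (1 - band), limit)).fetchall()


def after_the_fact(con):
    """Invoices dated before their purchase order, with the number of days between the two."""
    sql = """SELECT vendor, invoice_no,
                    CAST(julianday(po_date) - julianday(invoice_date) AS INTEGER) AS days_before_po
             FROM invoices WHERE julianday(po_date) > julianday(invoice_date)"""
    return con.execute(sql).fetchall()


def just_under_threshold(con, limit=RECEIPT_LIMIT):
    """Per-employee count and value of claims within $1 below the receipt threshold."""
    sql = """SELECT employee, COUNT(*) AS n, ROUND(SUM(amount), 2) AS total
             FROM expenses WHERE amount >= ? AND amount < ?
             GROUP BY employee ORDER BY n DESC"""
    return con.execute(sql, (limit - 1.0, limit)).fetchall()


if __name__ == "__main__":
    db = load_db()
    print("control totals:", control_total(db, "invoices"))
    print("dup vendor/amount/date:", duplicate_invoices(db, ["vendor", "amount", "invoice_date"]))
    print("dup vendor/amount/number:", duplicate_invoices(db, ["vendor", "amount", "invoice_no"]))
    print("split purchases:", split_purchases(db))
    print("after the fact:", after_the_fact(db))
    print("just under receipt limit:", just_under_threshold(db))
```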

Payroll fraud queries using either tool

Import the list of all employee receiving salary from the last period.

Import the list of all authorized, current employees.

Using the "Find Unmatched" functionality in the Query Wizard, follow the steps to identify employees that are receiving salary but aren't on the list of authorized employees.

Annualize the salary payments of the last payroll cycle for all employees excluding expense reports reimbursement, bonus payments, etc.

Join to the personnel table on employee number.

Compare the annualized salary calculation with the authorized salary amount.

Investigate any discrepancies.
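The payroll procedure above, as an added Python example (not the original's code): the "Find Unmatched" step as a LEFT JOIN, the annualisation of the last pay cycle with bonuses and reimbursements excluded, and the comparison against the authorised salary. The employee records, the fortnightly (26-period) year and the 1% tolerance are constructed assumptions.

```python
import sqlite3

# Constructed sample data (hypothetical). Pay periods are fortnightly here, so 26 a year.
PAYMENTS = [  # employee_no, pay_date, pay_type, amount
    ("E001", "2008-06-13", "salary",  2500.00),   # earlier cycle, ignored by the queries
    ("E001", "2008-06-27", "salary",  2500.00),
    ("E002", "2008-06-27", "salary",  3200.00),
    ("E002", "2008-06-27", "bonus",   1000.00),   # excluded from annualisation
    ("E003", "2008-06-27", "salary",  2000.00),   # not on the authorised list
    ("E004", "2008-06-27", "expense",  150.00),   # reimbursement only, no salary line
]
PERSONNEL = [  # employee_no, name, authorised_salary (annual)
    ("E001", "A. Smith", 65000.00),
    ("E002", "B. Jones", 70000.00),
    ("E004", "D. Brown", 50000.00),
]
PERIODS_PER_YEAR = 26


def load_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payments (employee_no TEXT, pay_date TEXT, pay_type TEXT,"
                " amount REAL)")
    con.execute("CREATE TABLE personnel (employee_no TEXT PRIMARY KEY, name TEXT,"
                " authorised_salary REAL)")
    con.executemany("INSERT INTO payments VALUES (?,?,?,?)", PAYMENTS)
    con.executemany("INSERT INTO personnel VALUES (?,?,?)", PERSONNEL)
    return con


def unmatched_payees(con):
    """Access 'Find Unmatched' equivalent: last-cycle salary recipients with no personnel row."""
    sql = """SELECT DISTINCT p.employee_no FROM payments p
             LEFT JOIN personnel h ON h.employee_no = p.employee_no
             WHERE p.pay_type = 'salary'
               AND p.pay_date = (SELECT MAX(pay_date) FROM payments)
               AND h.employee_no IS NULL
             ORDER BY p.employee_no"""
    return [r[0] for r in con.execute(sql)]


def salary_discrepancies(con, tolerance=0.01):
    """Annualise last cycle's salary lines, join to personnel, report where the two differ
    by more than `tolerance` of the authorised amount."""
    sql = """SELECT p.employee_no, h.name,
                    ROUND(SUM(p.amount) * ?, 2) AS annualised, h.authorised_salary
             FROM payments p JOIN personnel h ON h.employee_no = p.employee_no
             WHERE p.pay_type = 'salary'
               AND p.pay_date = (SELECT MAX(pay_date) FROM payments)
             GROUP BY p.employee_no
             HAVING ABS(annualised - h.authorised_salary) > h.authorised_salary * ?
             ORDER BY p.employee_no"""
    return con.execute(sql, (PERIODS_PER_YEAR, tolerance)).fetchall()


if __name__ == "__main__":
    db = load_db()
    print("paid but not authorised:", unmatched_payees(db))
    print("annualised vs authorised mismatches:", salary_discrepancies(db))
```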
Queries for gaps in check register using either tool

Sort the transactions by check number field, showing the vendor paid, date of payment, and amount paid.

Look for sequences that are missing, or check numbers that do not follow the standard numbering scheme.
Queries for dormant account activity using either tool

Review activities by accounts that may not be actively used.

The date of the last transaction for each account can be determined by applying the Maximum function to the data entry date.

Determine whether the dates of transactions seem to occur only during a short time period, and research the account's purpose.
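The check-register gap query and the dormant-account query (MAX of the entry date per account) from the two sections above, run through Python's sqlite3 on a constructed register and ledger. This is an added example, not code from the original post; the check numbers, account codes, the 2008-06-30 review date and the one-year idle threshold are assumptions.

```python
import sqlite3

# Constructed check register (hypothetical, not data from the post).
CHECKS = [
    # check_no, vendor,    paid_on,      amount
    (1001, "Acme",    "2008-05-02", 250.00),
    (1002, "Globex",  "2008-05-02", 980.00),
    (1005, "Acme",    "2008-05-09", 120.00),   # 1003 and 1004 never appear
    (1006, "Initech", "2008-05-09", 410.00),
    (1006, "Initech", "2008-05-16", 410.00),   # number used twice
]
# Constructed general-ledger entries (hypothetical).
LEDGER = [
    # account,        entry_date,   amount
    ("1100-cash",     "2008-06-20", 500.00),
    ("1100-cash",     "2008-06-27", 320.00),
    ("2950-suspense", "2007-02-03",  75.00),
    ("2950-suspense", "2007-02-05",  60.00),   # nothing posted since Feb 2007
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE checks (check_no INTEGER, vendor, paid_on, amount REAL);
        CREATE TABLE ledger (account, entry_date, amount REAL);""")
    conn.executemany("INSERT INTO checks VALUES (?,?,?,?)", CHECKS)
    conn.executemany("INSERT INTO ledger VALUES (?,?,?)", LEDGER)
    return conn

def check_number_gaps(conn):
    """Sort by check number; return (missing ranges, re-used numbers)."""
    rows = conn.execute(
        "SELECT check_no, vendor, paid_on, amount FROM checks ORDER BY check_no, paid_on")
    gaps, reused, prev = [], [], None
    for check_no, _vendor, _paid_on, _amount in rows:
        if prev is not None and check_no == prev:
            reused.append(check_no)                 # same number issued twice
        elif prev is not None and check_no > prev + 1:
            gaps.append((prev + 1, check_no - 1))   # unexplained break in sequence
        prev = check_no
    return gaps, reused

def dormant_accounts(conn, as_of="2008-06-30", idle_days=365):
    """MAX(entry_date) per account, flagging accounts idle for `idle_days` or more."""
    return conn.execute("""
        SELECT account, MAX(entry_date) AS last_entry,
               CAST(julianday(?) - julianday(MAX(entry_date)) AS INTEGER) AS idle_days
        FROM ledger GROUP BY account
        HAVING julianday(?) - julianday(MAX(entry_date)) >= ?""",
        (as_of, as_of, idle_days)).fetchall()
```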

Tuesday, 1 July 2008

Comments from Jura

I have been told not to use the work email on this issue.

One of the issues is that a potential client of the firm I work for was a Jura importer. Writing this did not add clients, rather the opposite.

The accounting firm I work for does not get clients from vulnerability reports and this is not what I do for them. As such the claim by Jura that I am doing this as a means of contacting more clients is ludicrous.

My employer is an accounting firm, of which I am a security person, so the claim they make is misinformation. I primarily do forensic work, not vulnerability analysis, for them.

I stated that the only affected product was the F90 with the connectivity kit and have at no times stated that any other product was involved.

A representative from the firm that does testing for Jura contacted me, stating that they had extensively tested one of the other products and did not find this issue. I have not tested another product by Jura and they are unrelated. This comment is equivalent to stating that a hole in Linux has some relation to one in Windows. This is pure ignorance.

The response was:
"Two years ago our German test lab analyzed the Web-Module called “Web Pilot” of Jura with the Jura Impressa Z5 coffee machine. The test report is only available in German. See: http://www.protectstar-testlab.org/award/innovation/protectstar_impressa_z5_web_pilot_web.pdf"

I stated that the Internet connectivity kit connects to the Internet. I did not state it is connected to the WWW. The software associated with this product runs on a user's machine. This software has a bug.

Yes, the software has to be installed, but the ONLY way to use the "Internet Connectivity Kit" is to have this software installed. I find the idea strange that the coffee maker management could be sold but not installed.

The memory unit in the "Internet Connectivity Device" has an input validation flaw. This allows a connected "Internet Connectivity Device" to be uploaded with invalid info. This can impact the host. I have validated that this can crash the machine.

As stated, my employer is not a security services firm, we are an audit firm. So the misinformation is from Jura.

Even if I was with a "security firm", the comment "If a security services company tries to evaluate potential security holes by affirming the contrary, one almost can’t help but think that this is an uninspired way of acquiring new clients" is incredibly ignorant. It demonstrates a marked disrespect for their clients - which I WAS one of.

--------------------------------------------------
Comment JURA Elektroapparate AG
Article “Hacker attack on JURA fully automatic coffee machine”

Current press reports are referring to a news item published by Craig Wright on securityfocus.com. JURA Elektroapparate AG is well aware of these articles which the company clearly qualifies as misinformation. The Internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9) will at no times connect the coffee machine to the world wide web. Its settings can therefore only be changed by the machine’s rightful owner.

If a security services company tries to evaluate potential security holes by affirming the contrary, one almost can’t help but think that this is an uninspired way of acquiring new clients. JURA will get in touch with the author of the original contribution and resolve the matter.

JURA Elektroapparate AG, a Swiss company with worldwide operations, leads the field in innovation for fully automatic home coffee machines. Founded in Niederbuchsiten, Solothurn, in 1931, the company has 282 employees in Switzerland and 243 abroad working with its foreign distributors. JURA's consolidated revenues in 2007 totaled CHF 384.0 million, 13.3% of which was generated in Switzerland and 86.7% by international markets.

Further information

JURA Elektroapparate AG
Press Office
CH-4626 Niederbuchsiten
Tel: 062/389 83 40
Fax: 062/389 83 35
mediainfo@jura.com
http://www.jura.com/

Sunday, 29 June 2008

Tisk, tisk, tisk...

Jo Stewart-Rattray, Director of Vectra Corp., has committed the greatest of academic crimes, plagiarism.

I was reading “Insecure” the other day when I noted the article “by” Jo Stewart-Rattray titled “Information Security Governance: the nuts and bolts”.
http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf

I quote “by” as this publication is significantly plagiarized. Over 25% of the document is directly copied and a large amount is paraphrased without accreditation. I have read the majority of it as the article in Information Systems Control Journal, Volume 5, 2001, “Harnessing IT for Secure, Profitable Use” by Erik Guldentops, CISA. Basically, the article is stolen. She has claimed the work of another as her own. So much for running a security company.

Whatever happened to ethics in IT Security?

Ms Stewart-Rattray is a member of the ACS and ISACA. She is also branch executive of each of these in SA, Au. She should take greater care to change the text or, better yet, reference the actual author. You will note from the example image displaying matching sentences that the distinction is minimal between the two texts. This is but one of many examples. Erik Guldentops is not noted as the source.
A change of language from US to Australian is still plagiarism.
Similarly, changing “So” to “thus” and removing the word “effective” does little to hide the document source.

Other extracts from this document align to other internet sources.



Update
Practicing due diligence and careful prudence, the editors at INSECURE have removed the offending publication.


For the publishers, this is likely one of their worst fears. If they do not act on cases such as this, they can be held vicariously liable for the fraud of another.

Congratulations to the editors at INSECURE for their prudent actions.

Let us hope that they do not have to do this in the future.