Everyone must comply with government requests to disclose information. How far should one go when disclosing such information? This is up to the company. In a recent trend, several big IT companies, including Apple, Facebook, Google and Microsoft among others, teamed up to propose a change in US legislation concerning governments spying on their citizens. The reform would make government surveillance “consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.
Archive for the ‘Legal Questions’ Category
German law has always been strict about any possible security breaches. This week a German court ordered that anyone using wireless networks should protect them with a password so that third parties could not download data illegally.
However, there is no order that users have to change their Wi-Fi passwords regularly; the only requirement is to set a password at the initial stage of wireless access installation and configuration.
I’ve conducted a mini-study here in Russia. There are 5 wireless networks in range that my computer finds when I am at home. Although all of the networks have rather bizarre names, they are all WPA- or WPA2-protected. My guess is that people do not install wireless access at home by themselves, or they browse the Internet for instructions and find some on protection and passwords. At the same time, I often come across unprotected networks in Moscow, and I do use them to check my Twitter account. It is obvious that to draw any conclusions, one has to dive into this topic much more deeply.
What I learnt working for ElcomSoft – the company that recovers passwords and does it very well – is the following: sometimes a password is not enough. You need a good password to make sure your data is protected. WPA requires passwords that are at least 8 characters long. Such length guarantees quite good protection. The problem, as usual, is the human factor. We still use admin123 and the like to protect our networks.
Fortunately, there are tools that can help you check how strong your WPA/WPA2 password is. One such tool is Wireless Security Auditor. It makes use of various hardware for password recovery acceleration and a set of customizable dictionary attacks. The idea is simple: if this monster does not find your WPA/WPA2 password, then it is secure.
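To make the “human factor” point concrete, here is a small passphrase audit that a network owner can run against their own WPA/WPA2 passphrase before relying on it. This is an added example written for this post; it is not code from ElcomSoft or from Wireless Security Auditor. The wordlist and suffix list are constructed stand-ins for a real dictionary, and the 8–63 printable-ASCII rule is the WPA passphrase constraint from the 802.11i standard; the 60-bit entropy threshold is an assumed policy value, not something the post prescribes.

```python
import math
import re

# Constructed mini wordlist and mangling suffixes standing in for a real
# dictionary-attack list (any audit tool would ship far larger ones).
COMMON_WORDS = {"admin", "password", "qwerty", "letmein", "welcome", "wifi", "internet"}
COMMON_SUFFIXES = ["", "1", "12", "123", "1234", "2012", "!", "01"]

# Assumed policy: below this many bits of estimated entropy we flag the passphrase.
MIN_ENTROPY_BITS = 60


def dictionary_candidates(words, suffixes):
    """Yield the guesses a simple mangling-rule dictionary attack would try:
    each word in lower/Capitalised/UPPER form followed by a common suffix."""
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield variant + suffix


def estimate_entropy_bits(passphrase):
    """Rough entropy estimate: length * log2(size of the character classes used).
    This assumes characters are chosen uniformly, which is an upper bound for
    human-chosen passphrases, so the audit also runs the dictionary check."""
    pool = 0
    if re.search(r"[a-z]", passphrase):
        pool += 26
    if re.search(r"[A-Z]", passphrase):
        pool += 26
    if re.search(r"[0-9]", passphrase):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", passphrase):
        pool += 33  # printable ASCII symbols, including space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_wpa_passphrase(passphrase, words=COMMON_WORDS, suffixes=COMMON_SUFFIXES):
    """Return a dict with the findings a defender would want before trusting
    a WPA/WPA2 passphrase. Findings are appended in a fixed order."""
    findings = []

    # WPA/WPA2 passphrases must be 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        findings.append("length")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        findings.append("non-printable-ascii")

    # Dictionary check: exact hit on a mangled candidate, or a dictionary word
    # once digits and symbols are stripped (catches admin123, Welcome!, ...).
    candidates = {c.lower() for c in dictionary_candidates(words, suffixes)}
    base_word = re.sub(r"[^a-z]", "", passphrase.lower())
    if passphrase.lower() in candidates or base_word in words:
        findings.append("in dictionary")

    bits = estimate_entropy_bits(passphrase)
    if bits < MIN_ENTROPY_BITS:
        findings.append("low entropy")

    return {"ok": not findings, "entropy_bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    for sample in ("admin123", "short1", "Tq7#mVz2Lp9@wXr4Hb"):
        print(sample, "->", audit_wpa_passphrase(sample))
```

The dictionary check is deliberately run even when the entropy estimate looks healthy: a phrase like “Password2012!” scores well on character classes but is exactly what a mangling-rule dictionary attack tries first, which is why the post recommends testing a passphrase with a real dictionary-based auditor rather than trusting length alone.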
Nice weekend to all.
In my previous post I suggested several variants of computer security as treated by different laws. Now I’d like to get to ciphers… again viewed by law.
So, how does the law see encryption and decryption issues through the lens of a security standard? First of all, it says there simply should be encryption/decryption tools available.
ENCRYPTION AND DECRYPTION (A) – § 164.312(a)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement a mechanism to encrypt and decrypt electronic protected health information.”
Most laws define security obligations as reasonable, appropriate, suitable, necessary, adequate, etc., without giving more precise directives to follow. Is this good or bad? And what should be known about these standards?
Let’s see what major security standards say about recommended security measures.
When we meet our customers at trade fairs in Germany, we are always asked questions about the legality of our tools. The reason for this is that German law on so-called “hacking tools” is very strict. At the same time, the wording of the respective paragraphs is unclear and ambiguous.
On Friday, the German Federal Constitutional Court dismissed a complaint by an entrepreneur that the production and distribution of tools for capturing traffic data is against the law. The judges said that constitutional rights are not violated by the use of “hacking tools” (§202a-202b). According to the court decision, the legal penalty applies only when the software was developed with illegal intent in mind. “Dual-purpose” tools that are designed to be used by law enforcement and IT security officers are not regarded as illegal.