Archive for the ‘Security’ Category

[This is a post about security and privacy.  In this post, I speak about what could go wrong if you do not properly secure your computer, and my thoughts about encryption and privacy.]

I am reviewing a case where a group of “zombie” infected computers has been hacked to work together (a “botnet”), and it appears as if the courts are going after ZeroAccess as the crime ring behind the botnet. In my readings, a federal judge has blocked the IP addresses belonging to ZeroAccess-infected computers because they allegedly directed many of their millions of infected computers to click on a number of paid ads, where the advertisers using Google, Bing, and Yahoo! have paid out an estimated $2.7 Million per month from the ad revenue generated as a result of these clicks. The lawsuit is for what is known as “click fraud,” and it got me thinking about 1) the application to the bittorrent lawsuits, and 2) privacy and security in general.

While I have NO REASON to think the following is happening, it is completely plausible that one or more “infected” computers could be directed to connect to various bittorrent files without the computer owners being aware of the “zombie” status of their computers (e.g., the software is being run as a service, or minimized without an icon showing on the desktop). While the connections to the bittorrent swarms are happening, the copyright trolls could be “coincidentally” monitoring the bittorrent swarms as the downloads are happening unbeknownst to the computer owner. When the copyright holders (“copyright trolls”) send the DMCA letters to the ISPs, or when they file John Doe copyright infringement lawsuits against the subscribers, the ISPs would correctly confirm and corroborate that it was the subscriber’s ISP who was connected to the bittorrent swarm at that particular date and time, and the problematic conclusion would be that it was the subscriber who downloaded the file. And, when the download was complete, even though the malware would likely “cover its tracks” by deleting all traces of itself, it would be programmed to leave the downloaded copyrighted file in some obscure randomized file folder on the subscriber’s computer to be “conveniently” found by the forensic examiners during the lawsuit. I understand that malware could also actually alter the computer’s logs based on analyzing the computer owner’s past browsing history and program usage (most people do not clean this) to make it look as if it was the ACCUSED SUBSCRIBER who was “at his computer at the time of the download.” This could all happen without the subscriber being aware that the computer was infected with the malware or that the illegal downloads were taking place.

While this feels a bit sci-fi’ish, and again, I have no reason to think this is actually taking place, the technology is certainly around for this to happen.  I have personally watched enough podcast videos on Hak5 demonstrating how this could be done, and I could figure out ways to alter the malware program to gain administrator access to the computer and change the system logs on the computer before deleting itself.  If someone as simple as me could figure out how to do it, for sure the more crafty ones will eventually stumble onto this scheme as well. For this reason, I am writing this article as a warning to take your computer’s security and your online privacy seriously, and here are the simple steps I would take if it were my own computer.

Step 1: Don’t balk, but make sure you have antivirus software and anti-malware software running on your machine. Also make sure your software and virus definitions are up to date. I have my personal favorites as far as software goes, but quite frankly, free or paid software both do their job fine. There are many free anti-malware programs out there, so make sure the one you use is not malware itself. For free malware detection, I find SuperAntiSpyware and MalwareBytes to be sufficient.

Step 2: Protect your identity and your browsing habits. This depends on how much “tin hat” you want to go, but I personally use JonDoFox’s version of the Firefox browser. There is a STEEP learning curve to use it (meaning, the add-ons will initially break most of the websites you use, and most websites need to be configured once before you get it the way you like it), but in my opinion it is worth the effort to learn. You can check your current browser security at http://ip-check.info/ (by the way, I do not use JonDo anonymization software because they charge by the actual usage; rather, I opt for the less secure route of encrypting my traffic using a secure VPN provider). On the flip side, for convenience, I also use Comodo Dragon Chrome which is a faster, less secure browser, but I have many add-ons that I’ve installed (e.g., Scriptsafe, AdBlock Plus, etc.), and I keep the software running in the Sandboxie software. That way, if some critter gets past my defenses (e.g., think, “CryptoLocker,” or other ransomware which encrypts your files and charges you hundreds of dollars in bitcoins as ransom to decrypt them), it won’t get access to my hard drive files.

Step 2.1: This belongs to the previous step, but encrypting your traffic is very important. There is a phrase, “I have nothing to hide… from people I trust,” and I stand by that phrase. With the NSA and government snooping, and the ISPs watching your every move, regardless of whether you are doing something wrong or not, it is a smart idea to not give all of your shopping and browsing activities to your ISP and to Uncle Sam. There are also many commercial trackers and social networks who track you for commercial purposes as well — everything I say above applies for them too.

Step 3: Secure e-mail, secure chat… The best way to protect your e-mail is to encrypt it. Unfortunately, e-mail by its nature is insecure, and even if you encrypt the contents of your e-mail, the METADATA (e.g., your own e-mail address, to whom you are e-mailing, the time and date of your e-mail, along with the geolocation of the IP address you use to connect to the e-mail server, etc.) remains exposed. The only foolproof way I know to encrypt e-mail is to use Pretty Good Privacy (PGP) software. The problem is that it is simply inconvenient. In order to encrypt your e-mail, you need to not only set up and share your own public and private keys, but you need to find and look up the keyrings of those you want to communicate with. While there are attempts to incorporate encryption into e-mails (e.g., projects such as gnupg), the average person does not encrypt their e-mails, and trying to get everyone to do so is just an exercise in futility. Plus, we know that the NSA saves encrypted e-mails for the sole purpose of trying to “break” the encryption because “if you use encryption, you are presumed to be using it for a criminal purpose.” Thus, I am unhappy with the current state of technology with the adoption of encryption for sending e-mails, but for the time being, this is the way it is.

Secure chat is very easy, and there are many convenient ways to encrypt your instant messages. Whether you are using the Pidgin software with the encryption plug-in, or whether you are using Cryptocat or any of the secure chat software readily available for PCs, iPhones, and Androids, achieving perfect security is very doable. For me, I do not encrypt my e-mails, and whenever I have a friend or peer who has the capability to encrypt our chat sessions, I have him do so just for the “geeky” fun excitement of it.

Step 4: Keeping your own computer clean and neat. Your Microsoft Windows operating system keeps logs of pretty much everything you do, and it is specifically the failure to clean up after yourself which can give malware the chance to impersonate you. Similarly, by not regularly cleaning up after yourself, should you one day face a lawsuit, a forensics expert can glean an ungodly amount of information about you, your whereabouts on a certain date and time, and your activities (e.g., whether you were surfing the web or writing a text file, and which text file you were writing at that particular time and date) just by reviewing your logs. Now I personally do not trust my Microsoft Windows operating system not to “spy” on me, and if I had it my way, I’d run a Linux operating system (I have in the past, and I may in the future), but for the time being, be aware that the “privacy” settings in Windows stop NOBODY from snooping on you. I have not figured this one out yet (especially since most of my law firm’s software is Windows-based), but Windows is simply a minefield of privacy leaks and data you don’t want about yourself recorded and logged.

While this is certainly not even close to a solution, I run CCleaner from Piriform regularly to clean up the logs and to keep my computer relatively clean.  I would love to delve into the depths of my operating system and tweak certain settings to shut off the “phone home” leaks in my system — I simply do not have the time, the “tin hat” motivation, or the skill to do so.

Step 5: Lastly (and there are probably a million other steps I could take, but I like to keep things simple), I encrypt my hard drive data 1) in my computer, 2) outside of my computer (e.g., external drives and thumb drives), and 3) in the cloud. There are many ways to do this, the most popular being the “TrueCrypt” software. If you cannot encrypt your drives (I cannot, since my computer is a Windows 8 machine and TrueCrypt has not figured out how to encrypt UEFI systems yet), then create a large container, and set up your programs (e.g., Thunderbird Mail) to store your files in your encrypted container. Better yet, install the program onto the encrypted drive so that it is not in your C:\Program Files folder. That way, if your computer is ever stolen or lost, your programs and your data will remain unusable and encrypted. I often take this one step further and have Windows configured (to the extent possible) to use the encrypted drive to store my “Desktop” and my “My Documents” folder. Thus, if I do not unlock the encrypted drive when I first log in, my computer does not work properly, and I get a blank desktop. Along with this, my computers have log-in passwords which I have activated before the operating systems even boot. I have this running because even little me knows which piece of software one can run to bypass the password on Microsoft Windows machines.

In sum, you could take privacy to an extreme. The best privacy is the “trust no one” type of privacy. For some cases (e.g., our cloud storage backup servers are “trust no one,” meaning not even the company who hosts our data has the keys to unencrypt the encrypted data which is stored on their servers), using the best security is feasible and doable. But there are limits and there are sacrifices to your privacy, and it usually comes at the benefit of having more convenience. Truly, the most secure password is one not stored in a text file, or written on a piece of paper, but one that is in someone else’s head (not even your own).  The best security is not using a computer or connecting to the internet at all. Then again, that is not feasible to most of us who live in the internet. However, learning to take steps to protect your privacy (within reason) can only work towards your benefit.


This will be a tough article to write, but someone needs to say this.  If you are accused as a John Doe Defendant in a bittorrent lawsuit, your first step needs to be to make your identity online disappear. 

I would use politically correct terminology such as “manage your online presence,” but quite frankly, “disappearing” yourself and making your online presence go away is probably the most effective thing that you can do in order to avert the attention of the copyright trolls to other John Doe Defendants. If they cannot find you online, then they will not know how to pressure you to pay them their extortion settlement amounts.

This is obviously not well known or else we all would do it, but quite frankly, everything you do online is tracked these days. Marketing companies, commercial websites as common as Amazon.com, social networking websites such as Facebook, LinkedIn, Twitter, Myspace, Google+, etc. all track you by 1) the information you provide them, and 2) by your activities. Have you ever wondered why you can log onto so many sites using your Facebook login? Is this because they are being nice or because they are recording your search habits to create massive portfolios all about YOU? Even when you are smart and you manage your privacy settings in these sites, they still tell volumes about you and your friends without your permission. And, even when you lock everything down, there are still companies who create profiles on you based on your credit card transactions, where you register your driver’s license, and where you choose to keep your body (e.g., where your smart phone’s GPS logs the location associated with your cell phone provider’s account).

Quite frankly the lack of privacy we have is staggering, and what little we can do to protect ourselves online we should do.  And, for the inevitable volumes of data that are compiled on each of us without our permission, there are mechanisms in place to remove yourself from their databases.  Since much of this is online, removal in many cases is instant, and it is worth the effort and time to do this (even if you are not accused in a lawsuit).

Just a few days ago, there was a LifeHacker article entitled, “AdjustYourPrivacy Locks Down Your Entire Internet Life from One Page,” where Lifehacker discussed a website — http://www.adjustyourprivacy.com — which has buttons that you can click on to manage your online privacy.  The website has essentially five steps (detailed below), and I suggest that each one of you visit this page and work through the links on the site.


This is a bit complicated, but the amount of information about you that you can prevent from being leaked to the world is staggering.  I am not advocating closing down your Facebook or your LinkedIn accounts, although in my opinion this is the best option, especially for those of you who take pictures and videos of yourselves when you are at a bar after a few drinks.  I am also not advocating making yourself invisible to your friends, but I do think that you should be vigilant to make sure you actually know the people who are your friend, because for all you know, a plaintiff attorney can look at one social network of yours where you have 800 friends and choose a buddy of yours from that account and do a friend request which most people will approve and click “okay” without thinking twice or investigating who is really “friending” them.  This is called social engineering and is outside the scope of this article.

What I AM suggesting here is taking the time to read the privacy options and setting your privacy settings to prevent outside “non-friends” from seeing your posts or your profile. I would also obviously shut down all applications (“apps”) linked to your account which often report everything you do to the companies I am discussing in this article. Take “Angry Birds,” “Farmville,” or any of the online free games as an example. Did you ever wonder why these games are free and what they report about you? Did you think they merely show banner ads to you? Or are they also installing cookies and do they stay resident on your machine after you close the game, watching and reporting your every move? I am not being paranoid here, I am merely telling you to be smart.



You’ll notice that to do a full search, many of these services charge a subscription fee which no doubt your plaintiff attorneys pay.   You’ll also notice that there are likely MULTIPLE RECORDS on you based on the many places you have lived in the past.  Don’t just look for your current information and your current e-mail.  Dig a bit.



Even though everything that I blog about and everything that I post online is not done anonymously, if I was not an attorney helping clients accused in these bittorrent cases, I would certainly be anonymous.

When I surf the web, I do it anonymously.  When I make financial transactions, I always make sure I am using SSL or a secure and encrypted connection.  When I browse my personal e-mail or even check the news, I do it using VPN software and if this is not feasible, I use a custom browser (e.g., JonDoFox) on top of my Firefox browser for complete protection.  I also always have OpenDNSCrypt running (which in my opinion doesn’t do much, but for whatever it is worth, I have it running because I am not paranoid, but I am not giving the ISPs (who also collect information on you) data on me if I don’t have to).  I also encrypt my drives on all my computers and regularly clean traces of my activities on my computer.  That way, if my computer is taken at an airport, or if for some reason I am accused of something (e.g., copyright troll tries to get MY computer to learn about a client), everything is encrypted.  This is simply a responsible and prudent thing to do.  With everything I have written here, in my opinion, it is irresponsible NOT to be vigilant with your private information.

All this being said, there is a lot about me which is still online.  But what you see online, chances are that I LET IT BE ONLINE knowing that many will see it.


This is probably the most important point, and it is counterintuitive.  If you are named in a lawsuit, eventually a site such as RFC Express (http://www.rfcexpress.com) or other legal docket websites will index your name and search engines will post it online making it obvious to employers and peers that you have been implicated in a lawsuit, sometimes for embarrassing content.

While overtly saying this is outside the scope of this article, it is probably a good idea to create as much content as you can (e.g., join social networking sites, and “manage your online presence”) to BURY the lawsuit (e.g., 12 pages in) so that when someone searches for your name on a search engine, the lawsuit will not show up. That way, your involvement in this lawsuit will not hurt your future chances for employment, or for your business to get contracts with customers, etc.

If you are named in a lawsuit, my opinion is that you should not only TAKE DOWN the information about yourself in STEPS 1-5 that I have outlined above, but you should SET UP AS MANY SOCIAL NETWORKING ACCOUNTS AS POSSIBLE, FILLING THEM WITH CONTENT THAT YOU WOULD LIKE THE WORLD TO KNOW ABOUT YOU.

I cannot say this strongly enough. You need to protect your privacy, and if you are involved in a lawsuit where opposing counsel is a copyright troll, a patent troll, or anyone who will want to use the information online against you to solicit or extort large sums of money from you, it is wise to protect yourself and manage your online profile. I hope this helps.


LinkedIn Question by Vagelis Hristidis: Desired Features or Properties of a Patents Search Engine

I have been working for a year now on a search engine for patents. Clearly, a key property is the quality of search, that is, discovering the most relevant patents. But are there any other useful features (e.g., automatically email the results of a search) or properties (e.g., encrypt queries for privacy) that are missing from current patent search systems?

Dear Vagelis,

Interesting question regarding encryption. Generally, I have never seen anything in terms of encryption on the public patent searching sites. However, any web site that offers SSL or https:// access is encrypted and thus you likely won’t have any issues when using those.

More generally, I have found that simply using proper security on your system (e.g. connecting to routers with WPA) is sufficient to achieve your needs of privacy. In other words, if you’re worried about people snooping on your patent searches, then don’t connect to public internet wireless access points without proper protection.

As for e-mailing the results of a search, offhand I’ve seen that feature in a number of places. My favorite search tool is patentlens.net (http://www.patentlens.net/patentlens/structured.cgi) which allows me to save and e-mail my search results.

I hope this helps.

Robert Z. Cashman is a patent litigation attorney / patent attorney in Houston, TX.  He has started an informative website using the name Cashman IP which will be a resource for those who wish to obtain a patent or for those who would like to find out how to prevent companies from stealing their inventions. Services include help with entering into IP Agreements & Licensing options, IP Enforcement and Litigation, and Strategic Counseling.
