31 December 2011

Anzac Bridge

Can anyone explain why, since Anzac Bridge is closed to traffic during
fireworks, there is black plastic and fences preventing pedestrians
from watching the fireworks from the bridge?

I counted 15 NSW Police and 6 private security oafs carefully guarding nothing.

Great use of resources, NSW Government, police and RTA (and its successor).

20 December 2011

Mégane RS 250 Cup, MY11, Extreme Blue

TomTom Traffic HD Australia

After poor previous experience with TomTom HD Traffic around Sydney on an iPhone, I strangely resubscribed hoping that over time it would improve... but it hasn't.

This morning there was an accident in North Sydney near the Sydney Harbour Tunnel. As I drove along the Gore Hill Freeway at 80 km/h the TomTom showed me traffic at a standstill. A few kilometres later as I was actually at a standstill for 10 minutes the TomTom showed no incidents and a happy green symbol...  

And on top of that, I can drive for 1/2 hour to work some days while the TomTom tries to download traffic information unsuccessfully. Of course, this morning it managed to do it before I even got out of my street (for all the good it did).

I can't recommend it, no matter how much I want to. I get better results from Waze http://www.waze.com/.

16 December 2011

Top judge opens way for court tweets

Tweeting in court...

http://www.smh.com.au/technology/-1owpr.html

ISP filtering in Europe

In May 2011 I wrote about the SABAM case, in which Scarlet Extended SA (an ISP) had been sued by Société belge des auteurs, compositeurs et éditeurs SCRL, better known as SABAM.

That case seems to hit finality in Scarlet's appeal to the Cour d'appel de Bruxelles. The court requested a preliminary ruling from the Court of Justice of the European Union in Case C-70/10, and judgement was handed down on 24 November 2011. It held:
EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing the illegal download of files (press release)  
The case turned on the E-Commerce Directive, which prevents Member State laws from requiring ISPs to carry out general monitoring of information passing through its network. The Court recognised the importance of protection of intellectual property rights, but found that the SABAM injunction would not respect fundamental rights of citizens - particularly their right to personal data and the right to receive or impart information. The personal data issue arose because Scarlet would have had to collect and identify IP addresses, which are protected personal data.
Accordingly, the Court’s reply is that EU law precludes an injunction made against an internet service provider requiring it to install a system for filtering all electronic communications passing via its services which applies indiscriminately to all its customers, as a preventive measure, exclusively at its expense, and for an unlimited period.
The full text of the judgement can be found here.

iTunes Match in Australia

iTunes Match launched in Australia, after a fashion, on 14 December 2012. However, signing up didn't result in anything happening until 16 December, when it seems that someone flipped a switch at Apple and the status started updating from "Waiting" to "Matched".

So if you're using the Australian iTunes Store then be patient, and perhaps quit iTunes once or twice to give it a kick along.

Don't forget to go into Music preferences on your iOS device and turn on iTunes Match as well!

10 November 2011

News Limited and security of your passwords

News Limited has had a lot of problems this year, and I predict that there is plenty of potential for more.

One cause may well be the fact that it stores its subscribers' passwords in the clear, rather than hashing them or using other techniques to ensure that a username and password database can’t be stolen.

How do I know? I recently signed up for a trial subscription with The Australian newspaper. After signing up, they very “helpfully” sent me an email with my password in it!

So:

  1. my password is stored as plaintext on their system; and
  2. it was emailed in plaintext across insecure systems (the internet).

These are clear security threats. To quote Hitachi ID Systems, Inc.:

Security threats

Passwords are simply secret words or phrases. They can be compromised in many ways:

  • Users may write them down or share them, so that they are no longer really secret.
  • Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
  • Passwords may be transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext.
  • Passwords may be stored on a workstation, server or backup media in plaintext or encoded in a way which can be readily converted back to plaintext.

The moral of this story? Don’t give News Limited any personal information that you don’t have to, and don’t use your News Limited password on any other site or system.
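The contrast between the two storage approaches in this post, as an added example that is not from the original post or from News Limited's system: a plaintext record (which a "helpful" welcome email can simply read back) beside a salted PBKDF2 record, which holds nothing that can be emailed or read out of a stolen table. The usernames, passwords, iteration count and salt length are all constructed for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 parameters assumed for this example; a real deployment tunes the
# iteration count to its own hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def store_plaintext(db: dict, username: str, password: str) -> None:
    """The approach described in the post: the secret is kept as-is, so anyone
    who can read the table (or the welcome email) has the password."""
    db[username] = {"scheme": "plaintext", "password": password}


def store_hashed(db: dict, username: str, password: str) -> None:
    """Keep only a per-user random salt and a slow PBKDF2 digest.
    The password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    db[username] = {
        "scheme": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(db: dict, username: str, candidate: str) -> bool:
    """Check a login attempt against either kind of record, using a
    constant-time comparison in both cases."""
    rec = db.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "plaintext":
        return hmac.compare_digest(rec["password"], candidate)
    expected = bytes.fromhex(rec["digest"])
    got = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(rec["salt"]),
        rec["iterations"],
    )
    return hmac.compare_digest(expected, got)


def recoverable_password(db: dict, username: str):
    """What a welcome email could put in the body. With a hashed record there
    is nothing to send: the function returns None."""
    rec = db.get(username)
    if rec is None or rec["scheme"] != "plaintext":
        return None
    return rec["password"]


if __name__ == "__main__":
    store = {}
    store_plaintext(store, "alice", "S3cret!")
    store_hashed(store, "bob", "S3cret!")
    print("alice email would contain:", recoverable_password(store, "alice"))
    print("bob email would contain:", recoverable_password(store, "bob"))
    print("bob login ok:", verify(store, "bob", "S3cret!"))
```

Because each hashed record carries its own salt, two users with the same password produce different digests, so a stolen table does not even reveal which accounts share a password.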

© 2011 Andrew Calvin

03 November 2011

The decline of Usenet

Optus recently posted the following on its web site:
Message posted at:
2011-10-18 16:27
What:
Optus News Server removal

Impact:
Optus has previously provided usenet service (Optus Newsgroup) to customers. However, following evaluation of the services that we offer to our customers, and the declining usage of usenet by our customers over the past several years, it is no longer viable to continue to provide this service. As a result, the usenet service is in the process of being disabled and removed. This service will close as of 21/11/2011. If you still want to use usenet, there are a number of commercial usenet providers that will be able to provide this service to you.
You might know these as newsgroups. usenet was one of the earliest systems available on the internet - it is, more or less, an incredibly large bulletin board with many thousands of topics and many, many posts within each topic. It was decentralised, so an organisation could choose to run its own server, and then subscribe to all or just topics of its own choosing, and in turn, share its own posts with other usenet servers.

There is a sense of hierarchy, so comp.networking.tokenring was part of networking, which was part of computers. There are roughly nine major top levels, such as comp, news, rec and alt. Many years ago I used to frequent rec.sport.mountainbiking and aus.legal for example.

The system was clever, in that a server didn't need to be online all the time. It could dial up another server or ISP, exchange posts, then disconnect again, much the way email used to be transmitted using UUCP.

As you can see, Optus is decommissioning its usenet servers, but various sources show that the amount of data posted per day continues to rise. However, I suspect that much of that data is unlawful sharing of binary data, such as movies, software, TV and music.

Usenet also helped give birth to actions for defamation on the internet. The most famous cases revolve around Dr Laurence Godfrey, who sued a number of internet service providers and universities who hosted usenet servers. In each case he requested that a defamatory posting be removed from the usenet server. Of course, since usenet posts are propagated across the world very quickly it is almost impossible to control them. If a usenet server is subscribed to a particular newsgroup it will simply receive all the posts.

His first action against Demon Internet Limited (Godfrey v Demon Internet Limited [1999] 4 All ER 342) was relatively novel, dealing with the "secondary publisher defence" under the UK Defamation Act 1996. Demon failed to take down a posting after being notified of its existence, and the UK High Court upheld Godfrey's argument that it ceased to be a protected secondary publisher once it was on actual notice. An excellent analysis of the British law at the time and proposed reforms can be found here. The case has been followed many times since, and formed the foundation of changes to laws all over the world.

Various organisations have attempted to archive usenet postings, including Google Groups, where I can find things I wrote in usenet from 1994 onwards, such as those celebrating the birth of my daughter, and issues using HyperCard 2.2 with Oracle 7.

So, while not being a huge user of usenet any more, I'll be sad to see its demise.

02 November 2011

Cyberspace November 2011


Web sites
You’re a (or part of) a small firm, and you’re busy. Does your firm have a web site? Can you articulate the goal of having it? Who maintains it? Who is responsible for each piece of content on it? Has the content been carefully designed so that it achieves your goals?

Web sites can have many functions: an electronic white pages so your clients can look up your contact details; a yellow pages so potential clients can find you based on your location or expertise; a place to provide information on areas of law to current and potential clients; and a portal for communication between clients and lawyers. Understanding why you have a web site will help you ensure that you have the right information on it. Let’s say that you use it to provide contact details only (and that’s a perfectly acceptable use) - does it have all your details? How about a Google map?

Have you thought about how it looks on a mobile phone? Many web sites are simply unusable on smaller screens. It’s easy to have a web site that detects the type of device in use and formats the content appropriately. For mobile pages you might take care so that on appropriate devices a user can simply tap your phone number to call, or your address to switch to maps or a GPS. Avoid large images, background images, and technologies that don’t always work well on mobiles, such as Flash.

Design

Getting some marketing and design advice will assist in getting the best out of this important marketing tool. Don’t talk to a tech person - speak to someone with a proven track record in design. Make sure it’s clearly laid out, free of clutter and uses fonts and colours that make it readable to all types of human conditions.

Consider what your core messages are, and what images (no clichéd images, please) might be appropriate to provide an attractive and appropriate presence. Don’t have an annoying landing page that does nothing except require someone to click on it -  and they often cause problems on a mobile browser.

Information

If you want to give clients some basic grounding by linking to other sites, such as, say the NSW Fair Trading home page (http://www.fairtrading.nsw.gov.au), then make sure that link opens the page into a new browser window, rather than replacing your own.

What are your core competencies? Consider writing a primer for your clients to read before they come in to see you - it will help them be a better client and save you time on routine matters.

Content value

Don’t clutter the site - don’t add anything unless it has a purpose and enhances the core messages. Consider “search engine optimisation” which, although often spruiked by unsalubrious types, can be very important if you want to come up in a search “Newcastle small business lawyer.”

Diarise to review your site at least every month. Make sure all the content is owned by someone, and that they understand it is part of their job to care for it. Make it easy to add and alter content by using a quality content management system.  A CMS, whether commercial or open-source will assist in SEO, avoid technical errors and eliminate broken links.

Process

To get going: How much money and time do you want to spend? Do you need to get someone to do everything for you, or can you (recognising you’re a lawyer and not a marketer or technologist) contribute? Some people may be able to go to a reputable hosting company, register a domain name, and have a CMS running within an hour. There are many of these (eg www.dreamhost.com) who offer tools that require low-medium technical skills for a quality self-service site. You may find that a blog alone is all you need (eg: http://blog.calvin.it).

26 October 2011

iPhone location services and battery life

I've noticed that compass calibration seems to be permanently on. You can tell by enabling the indicator under System Services.

Are there any developers out there who know, technically, what happens and its effect on battery life?

19 October 2011

The law and hacking

Privacy and bad security

Recently a major superannuation fund (pension fund to those of you overseas) in Australia was "hacked" - First State Super complained to the police that Patrick Webster had told them that member accounts were easily accessible by anyone, and proved it to them.

The so-called hack was incredibly embarrassing for First State. It seems that the URL for a member to access their account simply used the member's account number! As quoted in the Sydney Morning Herald by Asher Moses:
Plenty of computer security experts have rounded on First State, not only for the heavy-handed way it treated Webster but also for failing to detect such a glaring and easily exploited security flaw. "Changing a number in a URL bar isn't even hacking ... anyone who configures their systems to work that way is negligent," said Patrick Gray, a specialist security journalist who first broke the First State story on his podcast, Risky.biz.
I think I might have written a web site using a similar technique in the first few weeks I learned to code for .NET. Who knows what First State was thinking in deploying this software if this story is true.

Privacy

The discussion that has arisen around mandatory data breach notification laws is timely. In this case First State only notified people whose account was listed by Mr Webster, but the fact was that the entire web site was flawed and it could have easily been harvested entirely by someone with a few scripting skills. Instead of blaming Mr Webster for accessing the data, First State should have blamed itself for poor security. Instead of threatening him it should have thanked him.

The letter from Minter Ellison (three and a half weeks later) apparently was a typical lawyer's job - I trust Mr Webster obtained some good advice in response. The quotations in the SMH obviously can't give the full picture of what has gone on, but there's a flavour that First State are more interested in having a crack at Mr Webster than looking at their own failings. What First State should be doing is not worrying so much about Mr Webster deleting any data (and goodness, if he was going to misuse it or sell it it would have been long gone after three weeks) - it should be setting out to prove to its customers that no-one else has done it (a serious criminal isn't going to tell First State they've done it), and offering them free identity theft monitoring.

I'm pleased to see that the NSW Privacy Commissioner is going to take a look at this case - particularly since the limited notification by First State was not acceptable in his opinion.

Is hacking a crime? 

By way of example, the Criminal Code 1995 (Commonwealth) doesn't deal with hacking - it deals with unauthorised access to data. The Crimes Act 1900 (NSW) also deals with unauthorised access to data. Section 308B defines it as
access to... data... is unauthorised if the person is not entitled to cause that access...
It gets interesting when you read s 308H. It says (my paraphrase):
A person who accesses restricted data, and knows the access is unauthorised, and does it intentionally is guilty of an offence. (Max penalty 2 years imprisonment).
But did Webster access restricted data?

Restricted data is defined by s 308H (3) of the Act to be:
data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.
Is it possible to say that First State had restricted access using an access control system? It's a pretty close call, and strongly arguable that they didn't.

Rather than an access control system we probably actually have a data access system inherent in software for extracting data from a database and displaying it through a web server. I'll make a few assumptions here:
  • Mr Webster logged in - presumably using his own account;
  • which set a session cookie or other session identifier allowing him to use the web site; 
  • he typed things into the URL box in his browser;
  • that data was parsed by normal operation of the software, put into a SQL query, and the results returned. 
That's not access control - that is just how simple web applications work.
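The four assumed steps above, modelled as an added example that is not from the original post and not First State Super's software: a session is set at login, the number typed into the URL is parsed and run through a parameterised SQL query, and the only thing separating the flawed version from the fixed one is a check that the requested number belongs to the session that asked for it. The member numbers, names, balances and session ids are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: three members of a fictional fund.
MEMBERS = [
    (100001, "A. Member", 41200.50),
    (100002, "B. Member", 98750.00),
    (100003, "C. Member", 1530.25),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the fund's member database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member (number INTEGER PRIMARY KEY, name TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO member VALUES (?, ?, ?)", MEMBERS)
    return conn


def _parse_number(url_value: str):
    """Step 3: whatever was typed into the URL box; None if it is not a number."""
    try:
        return int(url_value)
    except (TypeError, ValueError):
        return None


@dataclass
class MemberSite:
    conn: sqlite3.Connection
    sessions: dict = field(default_factory=dict)  # session id -> member number
    audit: list = field(default_factory=list)     # lines a detection rule could read

    def login(self, member_number: int, session_id: str) -> None:
        """Steps 1 and 2: a login sets a session identifier for that member."""
        self.sessions[session_id] = member_number

    def _query(self, number: int):
        """Step 4: the parsed value goes into a parameterised SQL query."""
        row = self.conn.execute(
            "SELECT number, name, balance FROM member WHERE number = ?", (number,)
        ).fetchone()
        if row is None:
            return None
        return {"number": row[0], "name": row[1], "balance": row[2]}

    def vulnerable_statement(self, session_id: str, url_value: str):
        """The pattern described in the post: once logged in, any session can
        fetch any member's record just by changing the number in the URL."""
        if session_id not in self.sessions:
            return None  # not logged in at all
        number = _parse_number(url_value)
        return None if number is None else self._query(number)

    def hardened_statement(self, session_id: str, url_value: str):
        """Object-level authorisation: the number in the URL must be the one
        bound to this session. Mismatches are refused and written to the
        audit trail, which is what a breach investigation would need."""
        owner = self.sessions.get(session_id)
        if owner is None:
            return None
        number = _parse_number(url_value)
        if number is None:
            return None
        if number != owner:
            self.audit.append(
                f"DENIED session={session_id} owner={owner} requested={number}"
            )
            return None
        return self._query(number)


if __name__ == "__main__":
    site = MemberSite(build_db())
    site.login(100001, "sess-a")
    print("vulnerable, own account:", site.vulnerable_statement("sess-a", "100001"))
    print("vulnerable, other account:", site.vulnerable_statement("sess-a", "100002"))
    print("hardened, other account:", site.hardened_statement("sess-a", "100002"))
    print("audit:", site.audit)
```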

So, if Minter Ellison actually told Mr Webster that he had breached various pieces of criminal legislation, they probably want to have a good look at themselves.

An example which borders on access control is someone who gets a new home internet router, such as a D-Link, and turns it on leaving the well-known admin username and password of admin and password. Is that an access control system? It's a little sturdier than a URL with an account number, but it's still fundamentally flawed.

If First State Super used a master password of "password" would that be an access control system? For a security consultant neither an account number in the URL nor an easily guessed password would be considered an access control system of any commercial value.

Why is all this important?

The law, if misunderstood by ill-informed people, makes it an offence to poke around your bank's or anyone else's web site to see how good their security is. If an account number in a URL is an "access control system" then it becomes a free-for-all for the baddies, because the goodies can't look. Luckily that is probably not the case.

Worse still, if you live in the USA you might run foul of the DMCA, where even the most hopeless access control system has been used to prevent competitors from producing rival compatible products, such as garage door openers.

11 October 2011

Voice control on the iPhone

I've been a fairly happy user of voice control on my iPhone 3GS and later the iPhone 4. I only use it for making calls, but it's very accurate both holding the phone and via the Bluetooth in the car.

Writing text and emails via Bluetooth would be nice, but I found the Dragon products didn't work well with an Australian accent.

The iPhone 4S will have much more, but I've found Vlingo (http://www.vlingo.com/) and it is better than I thought it might be. You can draft emails and SMS as well as a few other things. It's not perfect, and deeper integration into the system a la the 4S would be better, but it's an acceptable substitute.

Mythbusters duo to host Discovery documentary on Jobs

Macintosh News Network report:

"Mythbusters duo to host Discovery documentary on Jobs:
Entertainment Weekly has revealed that the Discovery network is assembling a documentary on the life of Steve Jobs, co-hosted by Adam Savage and Jamie Hyneman, the duo behind the popular show "Mythbusters."
An interesting choice of presenters... but what will be more interesting is who the researchers and scriptwriters will be!



29 September 2011

Lots of old re-posts

You may have seen a lot of re-posts lately - I have moved the management of my blogs from my old Google account to another. You shouldn't see any difference (although I'm still investigating whether RSS feeds have changed).

The address of this blog is http://blog.calvin.it, but you can also get here using the old address http://blog.calvin-au.com. If you're interested in our holiday travels, keep an eye on http://holidays.calvin.it from time to time. You can always email me at andrew@calvin.it.

While discussing the blogs, I've been interested in the new dynamic templates that Google has released. I'd like to use one for this blog, but they lack a few features such as the right-hand column. Maybe one day... but in the meantime you can see the templates on the calvidays blog.

Thanks for reading!
Andrew

28 September 2011

AustLII for iOS - iPad, iPhone and iPod


If you haven’t tried the AustLII app for iOS yet, you should. It’s very handy for looking up legislation in particular.
See this page on AustLII or click here to download http://itunes.apple.com/au/app/austlii/id440459400

26 September 2011

Simple accounting software for lawyers

I regularly get asked (and was recently asked by an old university colleague) about simple accounting software for lawyers - i.e. where no trust accounting is required.

  1. One question that has to be asked, unless you're a barrister, is whether you are completely sure you won't need at least something to help you with controlled monies or transit money.  See for example in New South Wales s 256 of the Legal Profession Act 2004. Your State may have other regulations. 
  2. A good starting point is to contact your professional association (Law Society of NSW, Law Institute of Victoria, Bar Association etc) and find out what other people are using. They probably won't want to recommend anything, but it is useful to know what other practitioners in your situation are doing.
  3. If you're just going into sole practice for the first time and you attend a practice management course, it's a good idea to discuss this with your fellow students and lecturers.
  4. The various law societies often examine and certify software - while this is normally only for trust account packages, you will often find that the same vendors offer other modules that will do the job for you.
  5. Be careful when purchasing cheap packages - if you want or need support one day you may not find it forthcoming!
  6. Ask your bookkeeper what he/she has used in the past, is familiar with, or can suggest.

Do you have any suggestions? Please post them in the comments.



Cyberspace October 2011



Facebook in the courts
A USA court recently ordered a defendant to return his Facebook page to its original, allegedly infringing, state on the grounds that there was spoliation of evidence. In Katirol Co., Inc. v Kati Roll & Platters, Inc (http://goo.gl/P5sJM) the USDC in New Jersey dealt with a claim for sanctions against the defendant who had removed his profile picture which infringed the plaintiff’s intellectual property rights. The plaintiff issued a take-down request, and the defendant complied, but the plaintiff wanted the picture put back on Facebook so it could obtain PDFs of the evidence. The court held that the defendant had “spoiled” the evidence by modifying the Facebook pages. The defendant argued that it was a public site and the plaintiff could have PDFd the pages at any time. However, because the pages were in the control of the defendant it had a duty to preserve them for the purposes of the litigation. The pages were put back in the original state for a short time so that the plaintiff could PDF them for evidence.

In State of Connecticut v Robert Eleck (AC 31581) the Conn Court of Appeal dealt with a claim that the trial judge erred in not admitting (attacking credit) a Facebook printout documenting messages sent to him by a victim after an assault. The victim admitted that the Facebook account used was hers, but denied that the messages were sent by her. She claimed that the account had been hacked, the password changed, and she was locked out. The appeal point turned on whether Eleck could authenticate the authorship of the messages to the required standard. The court considered a similar case involving MySpace where messages were excluded due to lack of appropriate evidence.


A key point was that “we recognize that the circumstantial evidence that tends to authenticate a communication is somewhat unique to each medium.” The evidence required will differ for a telephone call, paper, email or other medium. The court held that there was insufficient evidence to connect the victim to the messages.

Who’s the defendant?
You may recall that New Zealand has enacted the Copyright (Infringing File Sharing) Amendment Act, which provides for simplified actions against internet account holders, but has the very real risk of punishing the wrong person. This was discussed in Boy Racer, Inc., v Doe (USDC Calif C-11-02329 PDG) (http://goo.gl/fnaHD). The Plaintiff (a copyright owner) used a BitTorrent monitoring tool and discovered that a computer at a certain IP address was torrenting one of its works. The Plaintiff’s lawyer stated in a court filing

“At this time, the remaining unidentified Doe Defendant ... who used IP address 173.67.109.59 to illegally infringe on Plaintiff’s copyrighted works has not been served for the simple reason that he has yet to be identified.  
While Plaintiff has the identifying information of the subscriber, this does not tell Plaintiff who illegally downloaded Plaintiff’s works, or, therefore, who Plaintiff will name as the Defendant in this case.  It could be the Subscriber, or another member of his household, or any number of other individuals who had direct access to Subscribers network.  ... Plaintiff will require further discovery in this case, including  Federal Rule of Civil Procedure 34 Request for Production of Documents and Things.  That FRCP 34 Request will specifically ask to inspect Subscriber’s computer, and all those computers that subscriber has reasonable control over/access to (my emphasis), for the limited purpose of discovering who accessed the BitTorrent protocol, entered a swarm containing a File with Plaintiff’s copyrighted video, and unlawfully downloaded it.  Of course, Plaintiff’s discovery will stop there” 

I couldn’t say it any better.



Guess where the programmer lives?

This is an app from SAP showing a map of Sydney. In the right-middle can you see the one street out of the many thousands in Sydney that has a name? :-)

09 September 2011

Navigation on iOS with Tom Tom live traffic

I've been a fairly happy user of Tom Tom Australia (and Europe) for some time. I'm pleased that we'll see an iPad native version soon, and live traffic recently came to Australia.

I subscribed to the traffic service for a month ($9) to see if I would take it for a year. Sydney traffic is pretty nasty, particularly on weekends, and I had high hopes.

They were dashed. I was in heavy traffic in Pymble for quite some time last Sunday without a peep from the Tom Tom. However, Google Maps showed it (for free).

In all, it was sometimes helpful, but if Google can do it for free then Tom Tom should do better.


31 August 2011

Cyberspace September 2011

Also published in the Journal of the Law Society of New South Wales

What about the children?


Software licences are usually long, poorly drafted and unreadable. A lot of this is in an attempt to protect the author from liability which is never likely to arise. However, there are other hazards for them... The USA has the Children's Online Privacy Protection Act, which prohibits collection of email addresses from children under 13. You may be aware that Facebook prohibits children under 13 from using its product to avoid COPPA issues. However, a number of iOS (iPhone, iPad, iPod etc) applications have collected email addresses from kids, and W3 Innovations has just paid the Federal Trade Commission $50,000 as a result.

This is by no means a first for the FTC, but it reinforces the need to: think globally when writing software; consider that there are different requirements for users of various ages; and consider other diversity issues. More importantly, the FTC considers that it applies to any website from anywhere in the world which is directed at USA children. http://www.ftc.gov/privacy/coppafaqs.shtm

FOI Twitter


The UK body responsible for FOI has made it clear that applications can be submitted to government bodies via Twitter. The Information Commissioner's Office http://goo.gl/EuMLR said that "While Twitter is not the most effective channel for submitting or responding to freedom of information requests, this does not mean that requests sent using Twitter are necessarily invalid. They can be valid requests in freedom of information terms and authorities that have Twitter accounts should plan for the possibility of receiving them." It is important that the request comply with the Act, such as using a real name. Since that occurs rarely on Twitter the ICO said that it is sufficient for the user's Twitter profile to have the required information.

Section 15 of the Freedom of Information Act 1982 (Cwlth) http://goo.gl/Nq8Ho allows for a request to be made in writing, giving details for notices such as an electronic address, and for it to be made by sending it by electronic communication to an electronic address specified by the agency. I'd have to say that a request via Twitter can satisfy all those requirements, especially with the obligation on the agency under s 15(3) to assist in making a compliant request. I look forward to hearing about the first one.

Tips & tricks

  1. IP Australia has released a simple tool to assist in choosing business names (http://goo.gl/Ggjje). It can assist in the early stages of branding development by helping to rule out some names.  
  2. The Australian Business Number lookup (http://goo.gl/XXeQ8) has a new interface, and also makes it easier to cross check details on ASIC's site. This is a great way to check an ABN, ACN, business name or company name. With a little interpretation it can also alert you to when you're dealing with a trustee, so you can make the appropriate contractual amendments, or whether a business is registered for GST.
  3. Legify (http://legify.com.au) is a great way to quickly look up Australian legislation and regulations.  
  4. My current favourite iOS applications are TuneIn Radio, TripIt, TripView, Evernote, GoodReader, ShopShop, Remember the Milk, Roboform, Tom Tom Australia, Collins English-French Dictionary, LogMeIn Ignition, Mocha RDP and Bloomberg.


Unsocial networking


The English Crown Courts have been busy sentencing prisoners for their roles in the London riots. A number of these were for using Facebook to incite rioting, and they received four years imprisonment. The Crown Prosecution Service (http://goo.gl/DPgrX) said that they were convicted under ss 44 and 46 of the Serious Crime Act 2007 for using "Facebook to organise and orchestrate serious disorder...". The pages were quickly closed and no riots occurred as a result, and the defendants were previously of good character, but the pages caused panic and revulsion in the community.

First published by Andrew Calvin andrew@calvin.it


18 July 2011

Cyberspace August 2011

Managing foreign evidence


There are war crimes trials all over the world at present, and the United Nations teams that support them have the difficult job of supporting them in multi-language proceedings. IDC recently wrote a paper (http://www.idc.com) on how the UN supports millions of documents in many formats and many languages. A litigation support system must meet the UN’s rules as well as other standards such as the local law, rules, and regulations.

Trials of Milosevic, Karadzic and Mladic set the scene for processes to support these complex and very lengthy trials, with legal teams from many countries. Not only was the evidence in several languages, but it also had to be free-text searchable and made available in other languages. The Yugoslavian trials have used over 13 languages.

What’s so hard? Free-text in multiple languages is challenging, because the system needs to understand that words spelled the same may mean very different things, and word-stems that you think might work just won’t. A library in French is a bibliotheque, whereas a librairie is a bookshop. Caution in French can mean bail; and chair in French means flesh. During war crimes trials these things can cause grave confusion. But these are basic problems - when you have millions of documents from many sources it is important for a system to understand if the word is being used as a noun or verb, and to know that Mr Black is not a colour. We haven’t even considered the difficulties arising from Eastern European character sets such as Cyrillic.

There are other issues - quite often the evidence in such trials is from the media - newspaper reports and television footage. This material must be carefully managed, made available to legal representatives, and a chain of custody ensured so that there can be no allegations of tampering.

The Yugoslavian trials used products by ZyLAB, who have a small presence in Australia but are not well known in the litigation support space. The IDC paper reported that the same free text search results could be achieved querying in multiple languages, and the various types of professionals working on matters had customised workspaces. The paper doesn’t cover this, but I imagine in such cases there will be prosecution and defence lawyers, military, law enforcement, anthropologists and others who all need varying levels of access to this information.

Security


Do you like using your smart phone or iPad on the bus? Of course you are careful to hide the keyboard when entering a username or password, but that may not be enough. According to The Unofficial Apple Weblog a jailbreak app for iOS allows your seat-mate to aim the camera at your device and look for the slight blue glow on the virtual keyboard after typing. It can then reassemble the username and password.

The Cloud...


Dropbox is a popular application that will synchronise the contents of folders between many computers, mobile phones and tablets. It’s tempting to use it as the filing system for a small firm where the principal is on the move and needs documents.
However, Dropbox recently accidentally turned off its password authentication system for four hours, and it has also been disclosed that your documents are not fully encrypted on their servers. In other words, they can provide your documents to others under subpoena. So much for that part of the cloud.

On the topic of the cloud, an iPad app idocument REVIEW (http://goo.gl/wK2rm) offers you the chance to review discovery on your iPad from the cloud while biding your time in the registrar’s list. I’ve not used it, but it seems that you upload your documents to the vendor, who processes them and you then sync them to your iPad. You then review the docs on the iPad, and upload a datafile back to the vendor when you’re done. It might even be therapeutic.

21 June 2011

Australian web host Distribute.IT hacked

The Sydney Morning Herald has reported (http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html) that Distribute.IT has irretrievably lost the data for 4,800 web sites hosted on its infrastructure.

I have no idea if this is accurate, but we can easily examine some possibilities...

There are many ways to back up these days, and a popular way is to use "snapshots" which capture (on the initial snapshot) a copy of the data, and on subsequent snapshots only the delta (or changes) are snapped. This is very quick and involves no downtime. Many snapshots can be kept and restores can be instant. Many storage network providers such as NetApp work in just this way. The primary backups are on spinning disc and it's fast and convenient.

However, prudence suggests that a belt and braces approach is best. Normally an enterprise will have a primary data centre and a redundant data centre at a separate physical location. If one centre loses power or collapses in a heap due to storage or networking issues the redundant centre comes on-line. Since they are on separate subnets and likely to be firewalled, a hack on one centre won't affect the other. Controls can also be put in place to prevent automatic mirroring of more than a certain percentage of changes without human intervention.

So, snapshots provide a great first line of defense, but there is no substitute for disconnected storage. Even Google uses tapes to back up data, as shown in some recent Gmail outages. It doesn't have to be tape, but either way you have disconnected storage, stored off-site, that can't be affected by a hack or a fire. A weekly offline backup in combination with 2 hourly snapshotting would seem to be an enterprise grade approach to Disaster Recovery.

What's Disaster Recovery? Just that. If you have a disaster, you can recover. What's an example of a disaster? Let's see, maybe a hacker getting in, trashing your servers, your SAN and your snapshots? What's your plan to recover from that? My corporation does very real, very detailed DR tests and they are audited. DR is a real problem, and there are real solutions.

If you did your tape or other offline backup weekly, you may lose up to a week's work, but that's better, way better, than nothing.
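The point of the last few paragraphs is that the recovery point you can actually fall back to depends on what the disaster destroyed. The following added example (mine, not Distribute.IT's or anyone's production tooling) models the schedule just described, 2 hourly snapshots plus a weekly offline copy, and computes the data loss for two failure modes: a storage fault that leaves the snapshots intact, and a hack that takes the servers, the SAN and the snapshots with it. The dates and the disaster time are constructed for the illustration.

```python
from datetime import datetime, timedelta


def schedule(first, every, until):
    """All scheduled copies taken from `first` up to and including `until`."""
    times = []
    t = first
    while t <= until:
        times.append(t)
        t += every
    return times


def latest_restore_point(disaster_at, snapshots, offline_backups, snapshots_survive):
    """Newest copy that predates the disaster and is still intact.

    Online snapshots only count when the failure left them alone; offline,
    disconnected copies are assumed to survive anything short of losing the
    off-site store itself.
    """
    candidates = [t for t in offline_backups if t <= disaster_at]
    if snapshots_survive:
        candidates += [t for t in snapshots if t <= disaster_at]
    return max(candidates) if candidates else None


def data_loss(disaster_at, snapshots, offline_backups, snapshots_survive):
    """Work lost between the last usable copy and the disaster (None = unrecoverable)."""
    rp = latest_restore_point(disaster_at, snapshots, offline_backups, snapshots_survive)
    return None if rp is None else disaster_at - rp


# Constructed scenario: two weeks of the schedule the post recommends.
START = datetime(2011, 6, 13, 0, 0)
SNAPSHOTS = schedule(START, timedelta(hours=2), START + timedelta(weeks=2))   # 2 hourly, online
OFFLINE = schedule(START, timedelta(weeks=1), START + timedelta(weeks=2))      # weekly, disconnected
DISASTER = datetime(2011, 6, 17, 15, 45)                                       # Friday afternoon


def storage_failure_loss():
    """Disk or SAN fault: snapshots survive, so the 14:00 snapshot is the restore point."""
    return data_loss(DISASTER, SNAPSHOTS, OFFLINE, snapshots_survive=True)


def hack_loss():
    """Attacker trashes servers, SAN and snapshots: only Monday's offline copy remains."""
    return data_loss(DISASTER, SNAPSHOTS, OFFLINE, snapshots_survive=False)


def snapshots_only_hack_loss():
    """Same hack with no offline copies at all: nothing to restore from."""
    return data_loss(DISASTER, SNAPSHOTS, [], snapshots_survive=False)


if __name__ == "__main__":
    print("storage failure, loss:", storage_failure_loss())
    print("hack, loss:", hack_loss())
    print("hack with no offline backup, loss:", snapshots_only_hack_loss())
```

The three results are the whole argument in numbers: an hour and three quarters if the snapshots survive, four and a half days if only the weekly tape survives, and no recovery at all if there was never a disconnected copy. Tighten the offline interval and the middle number shrinks; remove the offline copy and the third case is what a successful hack leaves you with.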

Now we also need to consider the terms of service between Distribute.IT and its clients. I have not seen it, but it is common to see any or all of the following clauses:

- disclaimer for any indirect or consequential loss arising out of system unavailability;
- limitation of liability to the equivalent of one year's hosting fees or re-supply of the services;
- disclaimer for any direct losses.

These all mean that customers will have minimal recourse to the web host, and even more so if they go out of business. You might check whether your web host is appropriately insured for events like this, and you should have a chat with your broker about your own insurance. Business interruption insurance may not cover something like this, so you need to treat your web site like a core business asset - just the same as insuring your factory or buildings.

Andrew Calvin
andrew@calvin.it

02 June 2011

Not really tech

I recently had the chance to do some laps of Eastern Creek International Raceway in a brand new (2011) Volkswagen Golf R and Golf GTI.

I have to say that the Golf R (it’s 4WD) exhibited outstanding handling, particularly under heavy brakes while turning. An exercise in obstacle avoidance showed that you could easily steer while either letting the ABS do its job, or cadence braking.
The day was unbelievably wet, and the track had pools of water as well as a VERY slippery section. The stability coming over the hill just before the straight inspired confidence, and despite the downpour it was very comfortable at 180 km/h down the straight.

The Golf GTI was similar, and a great drive. It tended to lift at the back a little, but like the R, once you learned to trust it it looked after you in the wet.
Both cars had excellent ABS, but some braking exercises showed that good cadence braking could beat the ABS.

I’ve got a Polo GTI on order at the moment, but that Golf R really inspired me.

05 May 2011

Westpac web site & EFTPOS down

It seems that as of 5 May 2011 the Westpac Bank web site is down, and the Westpac/St George EFTPOS network is down. Many merchants are affected.

22 April 2011

Apple storing location data

There's been a fuss this week about a file on the iPhone and iPad that stores location data - consolidated.db.

There's an article at http://weblogs.dailypress.com/technology/pressforward/blog/2011/04/iphone_location_tracking_conso_1.html where an IT professional discusses how this is not news, and has been written about previously.

I agree with the general approach that these sorts of files are nothing to get excited about - I imagine such a file rapidly improves geolocation startup. I've just been traveling through Thailand, Cambodia and Malaysia and was quite surprised at how fast my iPhone 4 located my current position - a few seconds after getting off a plane.

16 March 2011

Cyberspace April 2011

One of the issues in smaller practice is often the lack of a document management system (DMS). We’ve discussed cloud computing and document management many times over the years, but it’s not done yet.

Some accounting packages have a DMS module as an add-on, but it may be too complex or expensive for small teams. There are quite a number of software-as-a-service offerings available, and these provide robust version control and security. The real value of a DMS lies in access control, filing in ways more flexible than just folders, search and version management. What would make it even better for the mobile lawyer is access to documents from anywhere without security concerns. I’ve written in the past about Zoho and other products that can do this for you, but they tend to all have their own specialist interface rather than using Word, which most of us rely on.

A few recently launched methods (although they’ve been around in beta for a long time) of using the power of Word or Excel while storing the documents online are Google Cloud Connect, Microsoft Office 365, and Microsoft Skydrive (www.skydrive.com) using either the full version of Office or the Web App version. They all make document sharing easy.

Each has its strengths: Google’s concurrent editing is useful for some, and use of labels and collections is great for organising your documents - particularly those that ‘belong’ in more than one folder. However, the Cloud Connect add-in for Office really doesn’t have all the features that it needs. It’s easy to create and store a document using Word, but it’s not clear how you use Word to later edit it. Having said all that, the ability to really organise your documents can be very valuable. Let’s say you prepare a great property development agreement for your client. You would file it under the client and matter, but you could also tag it with “property”, “precedent”, “PDA” and anything that will help you find it and use it as a precedent at a later date. Just search on PDA in a couple of years and quickly find those documents for re-use. You could easily file presentations and papers under appropriate tags and re-use and share that research material with your colleagues.

Office 365 requires some money, time and energy in getting the product up and running and has many features. It works well if you use a lot of Microsoft products. Skydrive is clever and the web-based version of Office works very well (no local copy required), but filing will be a mess after the first few hundred documents, as it is purely folder-based.

Something that no-one other than the dedicated DMS companies has addressed for document storage is how the document lifecycle is managed. I haven’t seen any tools in cloud-based systems that allow you to assign disposal policies to folders, tags or classes of documents. You shouldn’t do bulk deletes based just on the date - you need to keep board minutes for the life of a company, but you can delete that old conveyancing file. Another problem may occur if you own a major asset and dispose of it - how do you get the documents out of the system and give them to the purchaser? Or perhaps you decide to move to another cloud provider - how is it easy to get your data moved?
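As an added illustration of the disposal-policy idea in the paragraph above (my example, not a feature of any of the products mentioned), here is how a tag-based retention rule can be evaluated so that the longest applicable period wins and a document with no rule is never deleted by default. The policies, tags and documents are constructed for the example and are not a real firm's retention schedule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    retain_years: Optional[int]   # None = keep for the life of the company


# Example policies keyed by tag (assumed for this illustration only).
POLICIES: Dict[str, Policy] = {
    "board-minutes": Policy("board minutes", None),
    "precedent": Policy("precedent library", None),
    "conveyancing": Policy("conveyancing file", 7),
    "correspondence": Policy("general correspondence", 3),
}


@dataclass(frozen=True)
class Document:
    name: str
    closed_on: date        # retention runs from matter closure, not from creation
    tags: FrozenSet[str]


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to the 28th in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(doc: Document, policies=POLICIES) -> Optional[date]:
    """Earliest date the document may be disposed of, or None if it must be kept.

    The longest applicable retention wins, so something tagged both
    'correspondence' and 'board-minutes' is kept permanently. A document with
    no policy-bearing tag is also kept: absence of a rule must never mean delete.
    """
    applicable = [policies[t] for t in doc.tags if t in policies]
    if not applicable or any(p.retain_years is None for p in applicable):
        return None
    return add_years(doc.closed_on, max(p.retain_years for p in applicable))


def due_for_disposal(docs: List[Document], today: date) -> List[str]:
    """Names of documents whose retention period has expired as at `today`."""
    due = []
    for d in docs:
        dd = disposal_date(d)
        if dd is not None and dd <= today:
            due.append(d.name)
    return due


if __name__ == "__main__":
    sample = [
        Document("2004 AGM minutes", date(2004, 11, 1), frozenset({"board-minutes", "correspondence"})),
        Document("Smith purchase", date(2003, 1, 1), frozenset({"conveyancing"})),
        Document("Letter to counsel", date(2009, 6, 30), frozenset({"correspondence"})),
        Document("scan0001.pdf", date(2001, 1, 1), frozenset()),
    ]
    print(due_for_disposal(sample, date(2011, 3, 16)))
```

Two design choices carry the security weight: the permanent rule is a sentinel that short-circuits every other rule, and an untagged document produces no disposal date rather than falling through to some default period. Bulk deletion then only ever touches documents that somebody deliberately classified.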

My company regularly receives requests to produce documents that relate to third parties, often when we are not even involved in the relevant litigation or inquiry. Let’s assume we used Skydrive to store our documents, and that was common knowledge - could someone subpoena Microsoft for our documents? A non-disclosure agreement may result in Microsoft notifying us, but without further action Microsoft may just have to comply with the subpoena.

28 February 2011

Cybercrime in Australia

The Federal Attorney-General recently released a public consultation paper relating to Australia’s consideration of the Council of Europe Convention on Cybercrime. It is possible that Australia will become a signatory to the treaty.

It is, it seems, the only treaty dealing with the issues of online fraud, hacking, theft of data, child pornography and damage to data. That seems surprising, since it was agreed on 23 November 2001!

The convention is typical in that it prescribes matters that parties should adopt in local law, although Article 2 provides that it should deal with offences committed internationally as well. The principal areas dealt with are:

  • Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems
  • Title 2 – Computer-related offences (fraud)
  • Title 3 – Content-related offences (child pornography)
  • Title 4 – Copyright and related rights
  • Title 5 – Aiding, abetting, corporate liability

Each of the areas is to be governed by the criminal law (although parties have a discretion).

After setting out the offences, it goes on to deal with matters such as protection of rights, but also preservation of data for investigative purposes. The latter is where things can get murky, as it starts to delve into areas requiring ISPs to do certain things. While every business quite rightly has record-keeping obligations, I trust that these laws will be proportionate and not driven by self-interest of just one stakeholder.

Article 20 deals with real-time collection of traffic data, but notes that the law should be able to

compel a service provider, within its existing technical capability… to produce traffic data, in real-time, associated with specified communications…

Let’s hope the focus here doesn’t just end up on theft of copyright material. Better still, let’s hope that rights holders find great ways to easily licence their material!

Matters such as extradition, information sharing for investigations and mutual assistance generally are also dealt with in Chapter III. In summary, this Convention seems like a good thing, but as always, the devil is in the detail (or in this case, the local law).

Adobe Phishing Scam

Watch out for an email advertising new updates for Adobe Acrobat. The site is http://www.adobe-new-updates.com

While the email is quite amateurish, some people may be taken in, particularly given the frequency of updates to Acrobat.

The text is:

Adobe is pleased to announce that a new version of Acrobat PDF Reader was released today with new features, options and improvements.
http://www.adobe-new-updates.com
What's new in this version :
* Read, search, and share PDF files.
* Convert to PDF.
* Export and edit PDF files
* Add rich media to PDF files
* Combine files from multiple applications
* Increase productivity and process consistency
* Streamline document reviews
* Collect data with fillable PDF forms
* Protect PDF files and content
* Comply with PDF and accessibility standards
To get more and upgrade to this version, go to  :
http://www.adobe-new-updates.com
Start downloading the update right now and let us know what you think about it.
We're working on making Adobe Acrobat Reader better all the time !
Talk soon,
The people at Adobe       
Copyright © 2011 Adobe Systems Incorporated. All rights reserved.
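
The give-away in that email is the link: it borrows the Adobe name but the domain is not adobe.com. The following added example (mine, not anything from Adobe or from the post) runs that check over the quoted text. It extracts every link, reduces the hostname to its registrable domain, and flags any link whose hostname mentions a brand while the registrable domain is not one the brand owns. It also catches the subdomain trick (adobe.com.example.net) that the crude "does it contain adobe.com" test misses. The brand allowlist is an assumption for the example, and the registrable-domain helper is a simplification noted in the comments.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Brands we expect to see impersonated, mapped to the registrable domains they
# legitimately use. Assumed allowlist for this example; build yours from your own records.
BRAND_DOMAINS = {"adobe": {"adobe.com"}}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname.

    Correct for .com and .net; a real deployment would consult the Public
    Suffix List so that names like example.com.au are handled properly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(text: str, brand_domains=BRAND_DOMAINS):
    """Return (url, reason) for each link that trades on a brand name it does not own."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")                 # trailing punctuation is not part of the link
        host = urlparse(url).hostname or ""
        if not host:
            continue
        reg = registrable_domain(host)
        for brand, allowed in brand_domains.items():
            if brand in host and reg not in allowed:
                findings.append((url, f"'{brand}' appears in hostname but registrable domain is {reg}"))
    return findings


# The phishing text quoted in the post, reduced to the lines that matter for the check.
SCAM_EMAIL = """Adobe is pleased to announce that a new version of Acrobat PDF Reader was released today.
http://www.adobe-new-updates.com
To get more and upgrade to this version, go to  :
http://www.adobe-new-updates.com
The people at Adobe
Copyright 2011 Adobe Systems Incorporated. All rights reserved."""


if __name__ == "__main__":
    for url, reason in suspicious_links(SCAM_EMAIL):
        print(f"SUSPICIOUS {url}: {reason}")
```

A genuine update notice would link to something under adobe.com, and a lookalike that nests the real name inside another domain still fails the registrable-domain comparison. Treat a hit as a reason to type the vendor's site address yourself rather than click.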


15 February 2011

Cyberspace March 2011

Better results

Google has launched an extension for Chrome named “Personal Blocklist”. It allows you to block certain domains from appearing in your search results such that if you regularly search for legal terms, and a useless or low quality site always turns up in the results, you can block it. Google will receive notification of the blocking, and may tailor its results to the world at large. The idea is simple - let the world edit out poor quality sites. No doubt people will attempt to abuse this by trying to block competitors or sites that they have a beef with, and I suspect Google has processes in place to detect this.


What are poor quality results? Sites that steal other people’s data, shallow aggregators, or those that use words caught by search engines but don’t deliver on the promise. Other descriptions are webspam and content farms. Content farms are proliferating and can be lucrative, as the idea is that a publisher pays writers to churn out (usually low quality) content that helps drive searchers to the site. The publisher makes money by placing advertising on the site. Even reputable publishers are guilty of this type of poor quality from time to time, particularly when a ‘review’ of a product is nothing more than regurgitating a press release or release notes from a software update. Worse still, content is frequently simply copied from blogs and other sites (some of my pieces now appear on the internet under others’ by-lines).


Two factor security

Security is a hassle. Like being tidy, it involves more work than being slack - having strong passwords that are different for every site you use is a hassle. But the net is full of stories of the problems created when accounts are hijacked, such as the old ‘I was robbed in London’ story. An email account is cracked and an email is sent to the entire address book asking for a money transfer because of theft of wallet/passport/credit cards/etc. To prevent this you use multi-factor authentication. 


There are systems such as the RSA dongle my company uses for remote access, where I have to login using a username, password, and a 6 digit number from a keyfob that changes every 60 seconds. Even if you have my password you can’t do anything without the RSA device. Paypal also offers this facility, and Google is now offering two factor authentication for its accounts as well. The authorisation code is either an SMS, using an app on common phones, or even an automated phone call. Given that many businesses now use Google Apps for serious work this is a major enhancement to the platform.


Privilege and email

A recent USA case of Holmes v Petrovich Development Company, LLC (http://www.courtinfo.ca.gov/opinions/documents/C059133.PDF) noted that an email sent by an employee to her lawyer from her work computer was not a ‘confidential communication between a client and a lawyer’ within the meaning of the Californian legislation. That is, there was no waiver of privilege, since there was no privilege in the first place. This particular legislation contemplates the use of email generally, and privilege is not affected by the general fact that third parties assist in the delivery of email. However, the employee had acknowledged her workplace rule that communications are not private and may be monitored. The court likened this to claiming privilege when consulting her attorney in a workplace conference room in a loud voice with the door open. The privilege legislation requires that the communication be transmitted “by a means which... discloses the information to no third persons other than those who are present to further the interest of the client in the consultation...” It follows that even if she had been suing a third person there would have been no privilege in the emails since her employer had a right to read them.