IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.
CONTRIBUTOR: Robert Charette
POSTED BY: Robert Charette  /  Wed, February 08, 2012

As noted in Spectrum's Energywise blog last year, cyber attacks against electric grids have been sharply rising, which makes the latest news from the Inspector General of the US Department of Energy a bit worrisome (especially when combined with the findings of other recent cyber security reports).

Late last month, the Inspector General released an audit report of the Energy Department's smart grid investment grant program (pdf). The audit found that in the Department's rush to push $3.5 billion in smart grid stimulus grant money out to US utilities, it didn't do such a good job of ensuring that effective cyber security controls were in place. As a result, smart grids may now be vulnerable to cyber attacks, according to a Washington Post story.

Grant recipients were supposed to have developed cyber security plans that, at a minimum, were to "describe the recipients' approaches to detecting, preventing, and communicating with regard to, responding to, and recovering from system security incidents. Further, cyber security plans were required to contain detailed descriptions of the recipients' risk assessment processes, risk mitigation strategies, and other elements of their cyber security programs."

However, the audit found that of five grant recipients it sampled, the cyber security plans from three were "incomplete, and did not always sufficiently describe security controls and how they were implemented." One of the plans they looked at "provided only a summary description of its cyber security processes." The problem wasn't limited to a few bad apples; an Energy Department review "revealed that 36 of 99 cyber security approaches submitted as part of the grant application lacked one or more required elements."

Even worse, government officials approved cyber security plans for smart grid projects even with these known weaknesses present. According to the report, the Energy Department "was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training." That's a polite way of saying that many of the Energy Department folks who approved the smart grid stimulus grants had no business doing so.

The Inspector General also indicated another reason for the low priority of cyber security. Apparently, the Energy Department's smart grid grant recipients "were given the 3-year duration of the award to implement agreed-upon cyber security controls." He went on to say:

"We acknowledge that the security plans will evolve as systems are developed and implemented. However, this practice may be problematic in that any existing gaps in a recipient's security environment could allow system compromise before controls are implemented. Likewise, approved elements that were not well defined in the plan could leave the system susceptible to compromise even after the cyber security plan had been fully implemented. For example, without a well-defined risk management process, potential risks may go unidentified and related mitigating controls may not be implemented."

The Energy Department is now addressing the risk by "requiring that Technical Project Officers (TPO) and subject matter experts review the cyber security posture and recommend updates to cyber security policies when they perform their annual site visits to grant recipients."

That makes me feel so much better.

The audit didn't specify if there will be penalties for utilities that don't implement effective cyber security. Will they have to pay back the grant?

It's worth noting that short-changing cyber security in a sprint to spend government money has also happened with electronic health records (pdf). Maybe someday the government will learn that you can't shoehorn security into an IT system after it has been deployed.

POSTED BY: Robert Charette  /  Mon, February 06, 2012

Last Friday, 16 minutes of a conference call between the U.S. Federal Bureau of Investigation and the London Metropolitan Police, during which the law enforcement agencies discussed their investigation into hacking incidents believed to be the handiwork of the hacker group Anonymous, was posted on the Internet by—you guessed it—Anonymous. The Wall Street Journal quoted a New Scotland Yard spokesperson as saying, "no operational risks have been identified" by the disclosure. But security lapses that could tarnish the agencies' reputations certainly were.

The FBI insisted in a story published in the New York Times that the call wasn't "hacked," which may be technically true but is a bit irrelevant. A story in today's Macworld.UK says that "it appears the hackers obtained an e-mail sent on Jan. 13 to law enforcement agents in the U.S., U.K., Ireland, the Netherlands, France, Germany and Sweden. The e-mail, titled 'Anon-Lulz International Coordination Call,' contained the dial-in number and access code needed for a participant to join the conference, which took place on Jan. 17." The e-mail, which is posted online, contains a list of e-mail addresses for law enforcement personnel, which I suspect are being quickly changed.

New Scotland Yard and the FBI are said to be investigating the "illegal" eavesdropping and are refusing to comment further on the matter.

The episode demonstrates once again how easy it is to gain access to unsecured corporate communications. (The on-going UK News of the World scandal has highlighted how easy it is to gain access to voicemail systems.) There was a story a few weeks back in the New York Times about how videoconferencing systems were also vulnerable to unauthorized access. According to the story, an IT security company was able to find and potentially access "5000 [electronically] wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers."

While many video-conferencing systems come with security features, they are often left unactivated or are never configured properly, the Times story says.

In another communications security story from last week, the London Telegraph reported that two professors from Ruhr University Bochum in Germany have published a paper called "Don't Trust Satellite Phones." The researchers report that they "cracked two encryption systems [GMR-1 and GMR-2] used to protect satellite phone signals and that anyone with cheap computer equipment and radio could eavesdrop on calls over an entire continent."

The professors told the Telegraph that they were able to reverse engineer the encryption algorithms, and that with about US $2000 in equipment and software, they could decrypt a prerecorded satellite call using either of the two encryption standards in about 30 minutes. A country's intelligence service, which would have access to much more sophisticated equipment, could perform the decryption in real-time.

The Telegraph article states that the professors published the details of their research in hopes of prompting "ETSI (European Telecommunications Standards Institute), the organization that sets the standards, to create stronger algorithms."

Finally, in probably the most distressing IT security news from last week, VeriSign, the company that operates two of the Internet's 13 root name servers, admitted in its 10-Q filing to the U.S. Securities and Exchange Commission that, "We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to management."

Note the word "breaches."

According to a Reuters story that made the disclosure widely known (the 10-Q was filed on 28 October):

"The VeriSign attacks were revealed... [following the institution of] new guidelines on reporting security breaches to investors... Ken Silva, who was VeriSign's chief technology officer for three years until November 2010, said he had not learned of the intrusion until contacted by Reuters."

The VeriSign 10-Q states that "access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ('DNS') network... However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

Reuters also says that "VeriSign's domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept e-mail from federal employees or corporate executives." Classified government data, said the article, moves through more secure channels.

Upon hearing the news, Stewart Baker, former assistant secretary of the U.S. Department of Homeland Security and one-time top lawyer at the U.S. National Security Agency, was quoted as saying:

"Oh my God. That could allow people to imitate almost any company on the Net."

Apparently, VeriSign's security staff discovered and responded to the attacks but for some unexplained reason failed to alert top company management until September of last year. I guess they didn't think it was important enough to bother anyone in management.

VeriSign (which sold its security business to Symantec in 2010 and states categorically that none of the acquired products have been compromised) is not providing any more details about the breaches. Maybe, like the FBI and New Scotland Yard, it feels that saying anything would only embarrass it more.


POSTED BY: Robert Charette  /  Fri, February 03, 2012

The Tokyo Stock Exchange suffered its most significant technical glitch since 2005 yesterday when a server experienced a problem and its back-ups didn't kick in as they were supposed to, reported Bloomberg News. As a result, trading in 222 stocks and 12 exchange-traded funds, five convertible bonds and two real estate investment trusts (see pdf for a full listing) was halted for some three and a half hours, from around 0900 to 1230 local time.

In addition, the Sapporo Securities Exchange (pdf), which shares the same Fujitsu Ltd.-developed "arrowhead" trading system, had to suspend trading in 74 shares.

The stocks affected included Sony Corp., Hitachi Ltd., Mitsubishi Electric Corp. and Tokyo Electric Power Co. On Wednesday, Sony announced the appointment of a new CEO, and yesterday it also announced losses for the fourth year in a row. As one could imagine, traders were bemoaning the glitch as being most inopportune, this other Bloomberg story reports.

There has been a spate of stock exchange technical glitches the past several months across the world. Last month, the Johannesburg Stock Exchange halted trading for an hour due to a network problem. Further, according to a Reuters story, the JSE "was forced to halt trade several times last year, due to problems with the connection to its trading engine in London."

A few days before the JSE glitch, the Financial Times of London reported that a "technical glitch" delayed the start of trading on the SIX Swiss Exchange for three hours. The FT article also noted that "more than 20 [technical glitch] incidents were reported on Europe’s share trading venues last year with NYSE Euronext, Borsa Italiana and the London Stock Exchange among those to suffer high-profile outages as messages went missing, index levels failed to update and hardware failed. Last month BATS Chi-X Europe, Europe’s largest share trading venue, was knocked out for more than seven hours."

Then in December the NASDAQ suffered a problem that resulted in quoting delays as it opened, while in November the New York Stock Exchange had a problem disseminating trades and quotes in about 300 stocks. Also in November, the Toronto Stock Exchange experienced a glitch that affected stocks with ticker symbols M through Z. In addition, the Australian Securities Exchange (ASX) experienced an outage for four hours in late October, its second outage of the year.

The numerous glitches, as well as the "flash crash" in 2010 and the continuing number of mini-flash crashes since then, have caused the US Securities and Exchange Commission (SEC) to revisit the exchange disaster management guidelines it developed in the 1980s, a story last week in the Wall Street Journal reported.

The concern is that the "technological arms race in financial markets," as Andrew Lo, director of the Laboratory for Financial Engineering at M.I.T. put it in a recent New York Times article, may be creating unintended consequences that could cause chaos in the markets if a trading system goes haywire.

The SEC hopes, the WSJ says, to develop guidelines "to span the 13 U.S. stock exchanges and other" that would lay out in an orderly way what would happen in case of exchange outages or other technical glitches.

Some exchanges told the WSJ off the record that they think the current SEC disaster management guidelines are perfectly fine and don't need to be revised. These exchanges argue that the potential financial and reputational consequences of a major technical glitch are so high that they will do everything in their power to keep one from happening.

Yeah, right. I've heard that sort of reasoning before in regard to other financial institution endeavors; I didn't believe it then, and I don't believe it now either.

And I bet that the Tokyo Stock Exchange thought those back-up servers would work without fail, too.

POSTED BY: Robert Charette  /  Fri, February 03, 2012

The Washington Post is reporting that the Economic Development Administration (EDA), an agency of the US Department of Commerce, has had its Internet access temporarily cut because of the discovery of a virus in its computer networks on January 20th. According to the Post, the agency decided "out of an abundance of caution" to isolate the EDA's network and keep its employees from accessing the Internet since the 24th of January.

The Post states that the agency, which helps generate and retain existing jobs and stimulate industrial and commercial growth in economically troubled areas of the United States, set up a "temporary, bare bones Web site [that] is providing contact information for the small agency and data on federal funding opportunities."

The EDA's web site currently has this message displayed:

"EDA’s web site is experiencing a disruption in service. The agency is working to address the issue and resume normal operations asap."

The Post story says that the agency, which has 215 employees, doesn't know why it was targeted or what information was taken. It also doesn't seem to know when it will allow its employees to go back online.

The EDA's experience is similar to what happened in Canada about the same time last year. For more than six weeks, Canada's Treasury Board had to severely restrict access to the Internet by its employees because of a successful cyber phishing attack. The Post doesn't say how the virus got into EDA's network, but employee phishing is a good probability.

POSTED BY: Robert Charette  /  Wed, February 01, 2012

Last week, European Commission vice-president for Justice, Fundamental Rights and Citizenship, Viviane Reding presented a draft set of reforms of the EU's 1995 data protection rules. The new rules have made more than a few companies unhappy, most notably Google and Facebook.

According to Reding's proposed reforms (as outlined in a press release and in supporting documents), there would be a single EU-wide set of rules for personal data protection, not the country by country hodgepodge of interpretations of the 1995 rules that exists now.

Personal data is defined in the privacy proposals as:

"Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking web sites, medical information, or a computer IP address. The EU’s Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet."

In addition, companies and organizations would need to notify their national supervisory authority—the one in the country in which they are primarily based—of "serious data breaches" within 24 hours "if feasible." Serious breaches include data that is "accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons." This 24-hour reporting requirement will likely cause a lot of debate. In the regulatory description of the reforms (pdf), the section that defines "feasible" goes on for more than a page and is filled with numerous caveats.

Companies and organizations would also need to get explicit consent from web site visitors whenever personal data is being processed.

Further, under the proposals, EU citizens will have a limited "right to be forgotten." As described in this EU supporting document (pdf), the right to be forgotten is tied in with a concept of "privacy by default", i.e.,

"... if you no longer want your personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from their system. Data controllers must prove that they need to keep the data rather than you having to prove that collecting your data is not necessary. Providers must take account of the principle of ‘privacy by default’, which means that the default settings should be those that provide the most privacy. Companies will be obliged to inform you as clearly, understandably and transparently as possible about how your personal data will be used, so that you are in the best position to decide what data you share."

However, according to this article in the New York Times, this right to be forgotten is not meant to apply to any information that appears about a person on the Web. The Times quoted Reding as saying:

“It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.”

The proposals are also meant to ensure that EU citizens will be able to get "free and easy" access to any personal data being kept by a web site, and be able to transfer it "easily" from service provider to service provider (Reding calls this the "right of data portability"). For example, a person on Facebook would be able to easily transfer all their personal information residing there to another social media site, and demand that Facebook delete all the information it had on that person.

The new rules, assuming they are adopted, will also apply to personal data that is handled abroad by companies that are offering services to EU citizens. Companies and organizations in violation of the proposed rules could incur penalties of up to €1 million or up to 2% of the company's global annual turnover.

Reaction to the proposals was decidedly mixed. EU companies were unhappy but seemed to be resigned to the changes. Other companies, especially those outside the EU, like Facebook and Google, indicated that they would be looking to modify some of the proposals.

Facebook was subtle with its dismay, according to an article in the Wall Street Journal:

"Facebook Inc. Chief Operating Officer Sheryl Sandberg already issued an implicit warning, drawing attention to the €32 billion ($41.72 billion) value that the company has generated for the European economy. Her implication was clear: You change things at your peril."

Google was more direct. According to this story in the Financial Times of London, Google said that some of the proposed reforms could "break the Internet." As noted above, an EU citizen's IP address is considered to be personal information. As such, Google is concerned that every web site would first have to ask a visitor if they really wanted to visit the site, as well as inform them on what the site intended to do with any information related to the activities engaged in while visiting the site. Implied in the reforms is that the web site would also have to inquire whether the visitor wanted the fact that they ever visited the site erased when they left it as well.

Another WSJ article on the privacy proposals reported that the European Telecommunications Network Operators' Association, which represents some 40 telecommunication companies, worried about much the same thing and about the proposed reforms' practicality:

"Repeatedly requiring explicit consent during an online experience undermines the goal of enabling consumers to make informed decisions in an environment that is not overly intrusive."

Google also wants clarification on the operational details of the proposed reforms, which may affect its own privacy policies. Google is moving, by the 1st of March, to harmonize its 70 different data privacy policies, a change that includes the capability for data to be shared among Google applications.

The EU privacy proposals will now be sent to the European Parliament and EU member states. If adopted, it will be two years before they become law, so it may be late 2014 before the proposals take effect.

POSTED BY: Robert Charette  /  Mon, January 30, 2012

Today begins a coordinated effort by fifteen of the leading email service and technology providers including AOL, Bank of America, Facebook, Google, LinkedIn, Fidelity Investments, Microsoft, PayPal and Yahoo to reduce phishing emails and spam.

According to a press release by DMARC.org (DMARC stands for Domain-based Message Authentication, Reporting & Conformance), this group of companies and others has been working for the past 18 months on developing an email authentication technical framework standard based on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.

The press release states that:

"The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted email ecosystem. Today, email receivers lack a reliable way to know the extent to which an email sender uses standards like SPF and DKIM for authenticating their messages. As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer."

"By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure. For example, a sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks. The specification also creates a mechanism for email providers to send detailed reports back to email senders to help catch any gaps in the authentication system. This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts."

According to a story in the Wall Street Journal, PayPal has been using email authentication technologies since 2007, and is now blocking some 200 000 phishing-type emails a day.

By using the DMARC standard, a company could send an email to a customer with a link embedded within it, and the customer could actually trust that clicking on the link won't send them to some malware site. Currently, companies—especially banks such as Bank of America —tell customers that they don't send emails with such embedded links, and to never click on them.

The press release goes on to say that DMARC intends to send its authentication framework standard to the Internet Engineering Task Force (IETF) for standardization after further field testing.

DMARC.org obviously hopes that other email senders will sign up to the standard, which will make it increasingly hard for phishers and spammers to operate. However, it will take a while before a critical mass is reached, and it may take some time for email recipients to begin trusting links in company emails even if the DMARC standard takes off. I, for one, will still be highly suspicious of any email I get from a company telling me to click on a link, DMARC standard or not.

The WSJ story also points out that even if every email sender were to follow the standard, it won't totally eliminate email fraud. However, "it will mean that scammers [will] need to find new addresses with which to launch their attacks. Instead of crafting an email that looks like it comes from paypal.com, for instance, it would need to come from 'paypalpayments.com' or some other fake site."

Forcing spammers and phishers in that direction will also make it easier for search engines to detect them. However, I suspect what will also happen is that spammers and phishers will start using the good old-fashioned telephone more to try to find victims.
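To make concrete what the press release and the WSJ story describe (a sender publishing a policy, a receiver checking whether SPF or DKIM authenticated the message with a domain that aligns with the From header, and the feedback row that goes back to the sender), here is an added example of a minimal DMARC policy check. It is not code from DMARC.org or any of the participating companies; the record, the SPF/DKIM results and the IP addresses are constructed sample values (paypal.com and paypalpayments.com are used only because the post mentions them), no DNS is queried, and the organizational-domain helper is a deliberate simplification of what real implementations do with the Public Suffix List.

```python
from dataclasses import dataclass

# Constructed DMARC record of the kind a sender publishes at _dmarc.<domain>
# (sample values, not any real domain's record). p=reject asks receivers to
# discard unauthenticated mail; rua= is where aggregate reports are sent.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and reject non-DMARC text."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "none") not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy: %s" % tags.get("p"))
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real code consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match; relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM verification produced for one message."""
    spf_result: str   # "pass", "fail", "none", ...
    spf_domain: str   # domain SPF checked (the MAIL FROM domain)
    dkim_result: str  # "pass", "fail", "none", ...
    dkim_domain: str  # d= tag of the DKIM signature that verified, or ""


def evaluate(record: dict, from_domain: str, auth: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM passed *and* its domain aligns with From."""
    spf_aligned = auth.spf_result == "pass" and aligned(
        from_domain, auth.spf_domain, record.get("aspf", "r"))
    dkim_aligned = auth.dkim_result == "pass" and aligned(
        from_domain, auth.dkim_domain, record.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        # disposition the receiver should apply (pct= sampling is ignored here)
        "disposition": "none" if passed else record.get("p", "none"),
        "spf": "pass" if spf_aligned else "fail",
        "dkim": "pass" if dkim_aligned else "fail",
    }


def report_row(source_ip: str, from_domain: str, verdict: dict) -> dict:
    """One row of the aggregate feedback report that closes the loop to the sender."""
    return {"source_ip": source_ip, "count": 1, "header_from": from_domain,
            "disposition": verdict["disposition"],
            "dkim": verdict["dkim"], "spf": verdict["spf"]}


if __name__ == "__main__":
    record = parse_dmarc_record(SAMPLE_RECORD)
    # Constructed case 1: genuine mail, DKIM-signed by the From domain itself.
    legit = AuthResults("pass", "bounce.paypal.com", "pass", "paypal.com")
    # Constructed case 2: a look-alike domain. SPF passes for paypalpayments.com,
    # but that does not align with the paypal.com From header, so p=reject applies.
    spoof = AuthResults("pass", "paypalpayments.com", "none", "")
    for ip, auth in (("192.0.2.10", legit), ("198.51.100.7", spoof)):
        print(report_row(ip, "paypal.com", evaluate(record, "paypal.com", auth)))
```

The second case is the WSJ's point in code: a sender who cannot authenticate as paypal.com gets the sender's own reject policy applied, and the report row tells the domain owner which source IP tried.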

POSTED BY: Robert Charette  /  Fri, January 27, 2012

Yesterday, Secretary of Defense Leon Panetta announced a set of new US defense spending priorities (pdf) which would reduce defense spending by $259 billion over the next five years and $487 billion by 2023. As part of the new priorities, the US Army and Marine Corps would see cuts of 72,000 and 20,000 service personnel respectively, some military bases would be closed or realigned, and the US Navy and Air Force would retire a number of ships and aircraft.

However, defense spending will be increased for special ops, cyberwar ops, and unmanned systems. The latter has received a lot of attention this past week in the press. Last Sunday, Peter Singer, the director of the 21st Century Defense Initiative and a senior fellow in foreign policy at the Brookings Institution and author of Wired for War, wrote an op-ed in the New York Times titled, "Do Drones Undermine Democracy?"

This has been a question Singer has been asking for some time (see my interview with Singer for Spectrum, "The Rise of the Robot Warriors"), without good answers coming forth from successive US administrations.

In his op-ed, Singer outlines the rapid growth in the use of armed drones to carry out US foreign policy without much debate in the US Congress or in the US public at large about the practice or its implications. He writes that:

"In 2011, unmanned systems carried out strikes from Afghanistan to Yemen. The most notable of these continuing operations is the not-so-covert war in Pakistan, where the United States has carried out more than 300 drone strikes since 2004."

"Yet this operation has never been debated in Congress; more than seven years after it began, there has not even been a single vote for or against it. This campaign is not carried out by the Air Force; it is being conducted by the C.I.A. This shift affects everything from the strategy that guides it to the individuals who oversee it (civilian political appointees) and the lawyers who advise them (civilians rather than military officers)."

Singer goes on to write:

"I do not condemn these strikes; I support most of them. What troubles me, though, is how a new technology is short-circuiting the decision-making process for what used to be the most important choice a democracy could make. Something that would have previously been viewed as a war is simply not being treated like a war."

This change in attitude toward what constitutes war not only involves the use of unmanned systems, of course, but also government-sponsored application of cyberwar ops against another country's systems. The use of special ops forces in foreign countries has also created diplomatic challenges, but usually Congress has some (if not much) oversight in their application.

It is interesting as well as troublesome to note that increased defense funding is exactly in the areas where, to use Singer's words, "short-circuiting the decision-making process" by the executive branch of the US government is possible.

Singer warns in his op-ed that the unfettered use of US unmanned systems outside of declared war zones invites the same types of behavior from other countries that are quickly building their own unmanned systems. The US will be hard pressed to complain about it when it does happen.

Singer ends his op-ed by arguing that the US Congress and Americans as a people need to reclaim their voice in deciding where and when the US applies military force. He writes:

"The Constitution did not leave war, no matter how it is waged, to the executive branch alone.

"In a democracy, it is an issue for all of us."

While I personally agree with Singer that renewed Congressional involvement is needed, I think the genie is out of the bottle for good on this one, for better or worse. I can't see the current administration—or the next if it is replaced in this year's election—voluntarily giving up this new-found power without a monumental fight. And I also don't see Congress wanting to challenge the executive branch on this issue, because it can blame the President for anything that might go wrong using an unmanned system, and take partial credit for anything that goes right. The current situation fits in well with Congress's long-standing modus operandi: being able to criticize without having to be accountable.

There was another unmanned aerial system article this week, this time appearing in the LA Times. It concerns the Navy's new X-47B Unmanned Combat Air System (UCAS). The story reports that:

"The X-47B marks a paradigm shift in warfare, one that is likely to have far-reaching consequences. With the drone's ability to be flown autonomously by onboard computers, it could usher in an era when death and destruction can be dealt by machines operating semi-independently."

I found the story a bit overwrought, although it does raise the points Singer was discussing in his New York Times op-ed. Singer is also quoted in the story as saying that the X-47B is just one of many programs involved in developing armed autonomous aerial systems.

Armed autonomous aerial systems, which the US Air Force envisions being available by 2047 (pdf) if not before, pose another set of thorny legal and policy issues that need to be confronted. For example, with current armed unmanned systems, there is at least some level of accountability when a weapon is fired and it hits something that shouldn't have been hit. In an armed autonomous aerial system that does the same thing, who is accountable?

The LA Times story quotes Noel Sharkey, Professor of Artificial Intelligence and Robotics at the University of Sheffield, England, in regard to the issue of accountability:

"Lethal actions should have a clear chain of accountability. This is difficult with a robot weapon. The robot cannot be held accountable. So is it the commander who used it? The politician who authorized it? The military's acquisition process? The manufacturer, for faulty equipment?"

Good questions all, with few good answers.

In the final bit of unmanned system news this week, the US Air Force is planning to cancel the remaining purchases of Global Hawk Block 30 high-altitude surveillance drones due to cost and technical considerations. As a result, the Air Force is now planning to keep its U-2 reconnaissance aircraft, which were scheduled to begin to be retired in 2013 and then moved back to 2015, until at least 2023. My bet is that they will be around way after that date.

POSTED BY: Robert Charette  /  Thu, January 26, 2012

As a Risk Factor post late last week noted, the U.S. National Research Council’s Committee on Electronic Vehicle Controls and Unintended Acceleration agreed with the National Highway Traffic Safety Administration’s (NHTSA) conclusion that electronic throttle control systems (ETCs) were not the cause of the alleged sudden unintended acceleration (SUA) in Toyota vehicles. With the NRC's publication of the report on SUA, most observers felt that the case on SUA was closed.

However, this week the New York Times and others ran stories about a freedom of information lawsuit (pdf) by Safety Research and Strategies claiming that NHTSA is hiding evidence of SUA in a Prius that was witnessed by NHTSA investigators. The Times story states that:

"The suit seeks transcripts, recordings, photographs and videotapes generated by a visit of two federal investigators to the home of a senior government official who had complained about sudden, unexplained acceleration of his own Prius. According to a sworn statement by the official, Joseph H. McClelland, investigators visited his Chambersburg, Pa., home last May 17, documented the sudden acceleration problem and recorded evidence of it."

The NHTSA investigators, witnessing the SUA incident (during which, the Times said, "the car over-accelerated three times and its electronic displays began blinking wildly"), apparently asked the Prius owner not to drive his car anymore. They also told him that the agency might be interested in purchasing the Prius to investigate further the apparent SUA they had just witnessed.

However, Safety Research and Strategies says, the NHTSA decided months later that the SUA seen was most likely related to the Prius's high mileage (280 000 miles) and age (it is a 2003 model). It therefore rejected a software-related cause to the unintended acceleration, and was no longer interested in buying the car.

Safety Research and Strategies, which bills itself as a research, consulting and advocacy firm, and has advised consumers suing Toyota over SUA, has bought the car for $27 000, the Times states. The objective of its lawsuit is the remaining 16 out of 22 pages of the NHTSA investigators' notes and videos of the Prius SUA.

Safety Research claims that the NHTSA is not interested in the Prius because it is not interested in anything that would contradict its own study indicating that, "There is no electronic-based cause for unintended high-speed acceleration in Toyotas. Period." You can read more about the episode from Safety Research and Strategies' perspective at its web site.

I don't know the likelihood of this particular Prius suffering from software-based SUA, but at the very least the NHTSA didn't do itself any public relations favors by seeming to dismiss out of hand what appeared to be an actual case of SUA, and then failing to release all of its internal documents on the incident. Now it looks like the NHTSA has something to hide.

I'll keep tabs on this story, and let you know what, if anything, turns up.

POSTED BY: Willie D. Jones  /  Tue, January 24, 2012


Want to look at someone else’s e-mails or scan the contents of their computer? Just dial 1-800-HACK-4-ME. (I'm kidding, but finding a real hacker is nearly that simple.) At least that was the upshot of a Wall Street Journal article reporting on the open secret that is the proliferation of hacker-for-hire services.

As an example of the phenomenon, the article describes the ongoing kerfuffle between two billionaire brothers who are in a tug of war over the family business and its global holdings. To help secure his hold on the fortune, the elder brother hired a private investigator who, in turn, hired someone from a shadowy collective called the Invisible Hacking Group. The investigator, in court testimony, said he had previously retained the group’s services for security-testing of Web-based e-mail accounts.

According to the private investigator, the hackers used social engineering to get the younger brother’s e-mail password. After the older brother sent the group information including the target's e-mail address, the names of friends and colleagues, and examples of topics that interested him, the hackers sent an e-mail to the target that seemed as if it had come from an acquaintance. But the message actually installed keylogger software that let the hackers capture the target's e-mail password.

How much did the older brother pay to gain an advantage in the battle over hundreds of millions of dollars? The private investigator says he forked over the princely sum of £256 (roughly U.S. $400).

The younger brother’s lawyer said his client "was horrified to discover the privacy of his e-mail accounts had been compromised."

Though the Invisible Hacking Group has since gone underground and few traces of the group exist, the investigator revealed that he was told to send payment to Chengdu, China. Message-board posts from 2004 indicate that it was in the business of online spying. One message read: "Do you want to know what your business competitors are doing online everyday?"

"It's not hard to find hackers," Mikko Hyppönen of computer-security firm F-Secure Corp. told the Wall Street Journal. Computer specialists interviewed for the article also noted the easy accessibility of tools that help do-it-yourselfers hack into someone's e-mail.

Though computer security experts say these companies have operated in the open, the spotlight shone on them in the wake of the Journal article may be causing them to scurry back behind the walls, so to speak. One example is hiretohack.net, a self-described group of technology students based in Europe, the U.S. and Asia. The service, which boasted that it could crack passwords for major e-mail services in less than 48 hours, is now down. But there’s obviously nothing to prevent the group from reappearing under another name.

Just how big is the hacker-for-hire industry? According to the WSJ article:

“A U.K. government report took a shot at putting numbers to the problem last year: It estimated that computer-related industrial espionage cost U.K. businesses about £7.6 billion (or about $11.8 billion) annually in loss of information that could hurt a company's chances of winning open tenders, and loss of merger-related information. Cyber intellectual-property theft cost business an additional £9.2 billion annually, it estimated.”

But these numbers are likely on the conservative side because many firms, in an attempt to protect their reputations and prevent customers from fleeing, fail to report such attacks.

POSTED BY: Robert Charette  /  Tue, January 24, 2012

The U.S. Supreme Court, in a unanimous but somewhat contentious decision (pdf), ruled yesterday that secretly planting Global Positioning System (GPS) devices on a suspect's vehicle without a court order violated the suspect's Fourth Amendment right against unreasonable searches.

The Fourth Amendment of the U.S. Constitution proclaims:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

I have blogged about the privacy issues involved in these types of government-sponsored searches several times (for example, Police Use of GPS Without a Warrant: Legal or Illegal? and Police Use of GPS Without a Warrant Ruled Illegal by Federal Court), and there have been a couple of IEEE Spectrum podcasts on the subject as well (see The Car as Informant and GPS Tracking Without a Warrant).

The constitutional issue involved has been confused because some courts, at both the state level (e.g., the Wisconsin State District 4 Court of Appeals) and the federal level (e.g., a district court in Missouri just last month), have previously ruled that police putting GPS trackers on suspects' vehicles was legal, while others, including the New York State Court of Appeals, have said such activity was not. The court cases where GPS tracking was ruled legal will now have to be reassessed.

What makes yesterday's Supreme Court ruling still confusing and increases the likelihood of another case related to the tracking of suspects by electronic means being argued before it, is that five of the court members—Justices Scalia, Roberts, Kennedy, Thomas, and Sotomayor—concurred under one line of reasoning (Justice Sotomayor filed a separate concurring opinion), while the other four, Justices Alito, Ginsburg, Breyer, and Kagan, concurred using a different line. Each group said the other needed to rethink its arguments. (Interestingly, the split was not down "party" lines; Sotomayor does not often vote with the first four justices named nor does Alito with the last three.)

According to a story at CNN—and the 34-page opinion, which I encourage you to wade through—the five justices led by Scalia reasoned that the government, by placing a surveillance device on a suspect's vehicle, was committing an illegal trespass under the Fourth Amendment, i.e., the Government was obtaining "information by physically intruding on a constitutionally protected area." Because the government's trespass was clearly involved, the information gained from the secretly placed GPS system was not admissible in court.

That said, the five justices' opinion did acknowledge that what's left up for future constitutional debate is whether getting the same information from other electronic sources, without having to resort to physical trespass, is legal or not. Their opinion said that it may be legal for the government to keep visual track of a suspect in public places for as long as it likes and has the resources to devote to such an activity. However, the government "achieving the same result through electronic means, without an accompanying trespass [may be] an unconstitutional invasion of privacy," but the justices—with an apparent sigh of relief—stated that "the present case does not require us to answer that question."

The other four justices disagreed with their colleagues' use of the idea of illegal trespass as the basis for the opinion, and didn't like their kicking the electronic surveillance privacy can down the road. Justice Alito, writing for this group, made their collective annoyance very clear by writing that:

"This holding, in my judgment, is unwise. It strains the language of the Fourth Amendment; it has little if any support in current Fourth Amendment case law; and it is highly artificial."

As summarized in the CNN story, Alito argued that Scalia et al. "...did not address larger legal concerns of searches in the digital age, including GPS. [Alito] said the court should have used this case to clarify the limits of police monitoring of wireless personal communication devices like mobile phones and Internet use."

Alito et al. looked at the issue from what one might call a more "what does the public believe a reasonable expectation of privacy to mean" perspective. In Justice Alito's words:

"I would analyze the question presented in this case by asking whether respondent’s reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove."

Their opinion pointed out that before improvements in surveillance technology, the government would not have even attempted to track a low-level suspect for weeks at a time because of the cost and manpower required. This created a privacy expectation in the public's mind. Now, however, the technology to conduct electronic tracking is ubiquitous and inexpensive. Does this technological capability mean, as some in government have argued, that the public now has to change its notion of privacy? This group of justices isn't so sure.

The Supreme Court may soon have another case with which to address this issue: one now being reviewed in the U.S. District Court of Arizona involving the government's use of "stingray" cell phone tracking devices.

All the justices did seem to agree, however, that Congress needs to get involved in defining what reasonable expectations of privacy and unreasonable searches mean in the electronic age, and the sooner the better.
