3. Wendy Knox Everette
Wendy Knox Everette (@wendyck) is a hacker lawyer who began her career as a software developer, before going to law school, where she focused on national security law and computer security issues. Currently she lives in Washington State where she advises companies on risk and security regulations. She created and hosted the first student webserver to host personal homepages at her undergrad in 1995, and registered her personal domain in 2000, but only recently got it moved to TLS.
4. Brendan Francis O’Connor
Described by coworkers as "not the lawyer we need, but the lawyer we deserve" (and he's pretty sure that wasn't meant as a compliment), Brendan O'Connor does security for a user-generated content company, and occasionally works as a security researcher, consultant, and/or attorney based in Seattle. His day job is building security programs, but at night, he transforms into a person who spends too much time arguing with people who are wrong on the Internet. If caught, his companies will deny all knowledge of this presentation.
5. Aaron Alva
Aaron Alva (@aalvatar) is a lawyer (not yours) and hacker who works as a technologist at the Federal Trade Commission's Office of Technology Research and Investigation (OTech). He was a recipient of the NSF CyberCorps scholarship for his MS/JD work at the University of Washington. At the FTC, he explains technical issues to attorneys working on behalf of consumers, and conducts research on areas that impact us all. He fights to protect the future in which his daughter will grow, lead, and amaze.
6. Things to Cover in 1 hour
Updates on computer security, privacy, and tech law topics
End user security for lawyers
Ask us questions: you have three (semi-tame) hacker lawyers, what do you want to know?
7. Tech Law Updates
A smorgasbord of updates on computer security, privacy, and tech law topics
10. Rule 41 & the NIT (Network Investigative Technique) Warrant
Rule 41 was updated in December 2016, and we’re now seeing the impact.
● [G]rants courts jurisdiction to issue remote search warrants when the location of a sought-after device or data has been concealed due to technological means, and it allows for the issuance of multi-jurisdictional remote search warrants in certain circumstances (https://www.justsecurity.org/35136/rule-41-updated-needed/)
11. Rule 41 & the NIT (Network Investigative Technique) Warrant
NIT Warrants are sometimes called “FBI Hacking” warrants
● These are not stored content warrants, but they’re not quite Title III wiretaps, either. Usually an implant or web bug of some kind that will reveal an end user’s IP address.
https://www.lawfareblog.com/examining-fbi-hacking-warrant
18. A lot of the worst security breaches you’ve heard about weren’t even caused by the company you blamed.
19. Vendor Breaches
● Target (HVAC Vendor)
● T-Mobile 2017 (Credit Check Vendor, Experian)
● Equifax (How many of you actually use Equifax? They’re a vendor!)
● Delta/Sears/Best Buy (24[7].ai, they do chat stuff)
But lest you think lawyers are better...
● 13 of the AmLaw 15 (in 2016 alone)
● Mossack Fonseca (Panama Papers)
● Paradise Papers (See, lawyers are vendors….)
21. So… what can you do about this? As lawyers that advise your clients about risk?
22. Things Your Clients Can Do
Seriously, nothing is stopping them.
● Ask for affirmative evidence of security from EVERY vendor (even the ones that sell to “the big guys”)
● Create a standard, hold vendors to the standard, and require C-suite risk acceptance for deviating, including a written justification
● Require a substantive “application security assessment” (not “did you do a pentest”)
25. Oh, also you kind of have to do this, because GDPR.
Article 24: the controller shall implement appropriate technical and organisational
measures to ensure and to be able to demonstrate that processing is
performed in accordance with this Regulation.
Recital 78: When developing, designing, selecting and using applications,
services and products that are based on the processing of personal data or
process personal data to fulfil their task, producers of the products, services and
applications should be encouraged to take into account the right to data protection
when developing and designing such products, services and applications and,
with due regard to the state of the art, to make sure that controllers and
processors are able to fulfil their data protection obligations.
26. Oh, also you kind of have to do this, because GDPR.
Article 28: [the processor] makes available to the controller all information
necessary to demonstrate compliance with the obligations laid down in this
Article and allow for and contribute to audits, including inspections, conducted by
the controller or another auditor mandated by the controller.
27. So: go forth and demand answers from your vendors.
(Also, hey lawyers: Rule 1.6(c)...)
32. 70%
Think at this point: “so… who cares? It’s just fraud, just go set it back.”
33. 0
Number of extra things I need to destroy your entire life if I can answer cell phone calls and receive text messages at your number
34. Such as:
● Email (Forgot Password)
● Amazon (Reset Password + 2FA)
● Cable Bill (Hi, I’m you)
● Power Bill (Same thing)
● Netflix (once I have email)
● Most 2FA
● Your clients
● Washington State Bar Association (I mean… I’m just guessing)
38. CFAA & DMCA §1201
Photo by Peter Wick CC BY-NC-ND 2.0
39. 18 U.S. Code § 1030 - Fraud and related activity in connection with computers
CFAA covers “knowingly accessed a computer without authorization or exceeding authorized access”
Often used in “web scraping” cases, like hiQ v. LinkedIn, which was argued before the 9th Circuit Court of Appeals and is pending a decision
● LinkedIn sent a Cease & Desist letter to hiQ to ask it to stop scraping content off its website, claimed it was a TOS violation
● hiQ asked for declaratory judgment that it was not violating the CFAA; won a preliminary injunction against LinkedIn
40. DMCA §1201
“Anti-circumvention” copyright law; the latest Triennial Review occurred in 2018: https://www.copyright.gov/1201/2018/
All existing exemptions were renewed, so we can conduct security research!
“The Acting Register found that good-faith security research involving devices beyond those covered by the current exemption is likely to be a fair use. As the Register found in 2015, the Acting Register concluded that good-faith security research promotes several of the activities identified in section 107 as examples of favored purposes, including criticism, comment, teaching, scholarship, and research.”
41. End user security
Do attorneys have an obligation to secure their devices and communications?
42. Security 101: Passwords
1. Randomization
2. Length
3. Memorization vs saving it
https://www.csoonline.com/article/3228106/password-security/want-stronger-passwords-understand-these-4-common-password-security-myths.html
43. Elements of a strong password
● The best option: generated by a password manager like LastPass or 1Password
● Make it long: 10 or more characters
● Make it unpredictable
● Make it complex: vary uppercase, lowercase, numbers and symbols
● Make it unique: use a unique password for each service
● Keep it secret: if you have to share it with someone, switch to a temporary password, share that, then change it back
44. Password managers
● LastPass: https://www.lastpass.com/
● 1Password: https://1password.com/
● Not Ever KeePass: https://www.techdirt.com/articles/20171220/18134638859/keeper-security-files-bullshit-slapp-suit-against-ars-technica-letting-many-more-people-know-not-to-use-software.shtml
● What about saving passwords in the browser?
● What about Mac’s KeyChain to save passwords?
46. BUT...
● Modern password cracking utilities don’t use pure brute force
● They do know that you substituted a 4 for an A (so leet!)
● They know phrases and quotations, not just words
● They do know that a shockingly high percentage of “strong” passwords are
○ Xxxxxxxxx...1! (One upper case, N lower case, followed by a single number and a single special character, usually an exclamation point)
● Seriously, just use a password manager
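To make slides 43 and 46 concrete, here is an added example (not from the deck or its authors) in Python: a small checker that undoes leet substitutions and strips the digit-plus-symbol suffix before looking the core word up, flags the Capital-word-digit-symbol shape, and compares the search space of that shape with pure brute force and with a password-manager-style random string. The wordlist and substitution table are constructed, tiny stand-ins for the dictionaries and rule sets real cracking tools carry; the shape check accepts a run of digits rather than exactly one, slightly broader than the slide's description.

```python
"""Why "complex" passwords in the usual shape are weak, and why a generated one is not.

Added example for this deck; the wordlist and leet rules below are constructed
stand-ins for the far larger dictionaries and rule sets real cracking tools carry.
"""
import math
import re
import secrets
import string

# Constructed mini wordlist: a real cracker carries millions of words, phrases and quotations.
WORDLIST = {"password", "welcome", "dragon", "summer", "seattle", "justice", "letmein"}

# A handful of the "leet" substitutions that cracking rule sets undo (4 -> a, and so on).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

# The shape the slide describes: one capital, N lower-case letters, a digit run, one symbol.
COMMON_SHAPE = re.compile(r"^[A-Z][a-z]+\d+[^A-Za-z0-9]$")

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def core_word(pw: str) -> str:
    """Strip the trailing digits/symbols, undo leet substitutions, and lower-case the rest."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)
    return stripped.translate(LEET).lower()


def weaknesses(pw: str) -> list[str]:
    """Return the reasons a cracker would find this password quickly (empty list = none found)."""
    found = []
    if len(pw) < 10:
        found.append("shorter than 10 characters")
    if COMMON_SHAPE.match(pw):
        found.append("common shape: Capitalized word + digits + one symbol")
    word = core_word(pw)
    if word in WORDLIST:
        found.append(f"dictionary word once leet and suffix are undone: {word!r}")
    return found


def search_space_bits(length: int) -> tuple[float, float]:
    """Bits of work for a password of this length: (pure brute force, common-shape attack).

    Brute force tries all 94 printable characters in every position. The shape attack
    only tries a capital, lower-case letters, one digit and one of 32 symbols.
    """
    brute = length * math.log2(94)
    shape = (length - 2) * math.log2(26) + math.log2(10) + math.log2(32)
    return brute, shape


def dictionary_bits(words: int) -> float:
    """Bits of work when the core is a dictionary word with one digit and one symbol appended."""
    return math.log2(words) + math.log2(10) + math.log2(32)


def generated_password(length: int = 20) -> str:
    """What a password manager does: uniform random choice over printable ASCII."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Dr4gon1!", "Welcome2018!", "S3attle7!", generated_password()):
        print(f"{pw:24} {weaknesses(pw) or 'no known pattern'}")
    brute, shape = search_space_bits(10)
    print(f"10 chars: brute force {brute:.1f} bits, common shape {shape:.1f} bits, "
          f"1M-word dictionary {dictionary_bits(1_000_000):.1f} bits")
```

Running it flags "Welcome2018!" twice (shape and dictionary word) while the 20-character generated string has no findings, and the bit counts show the point of slide 46: a 10-character password in the common shape carries roughly 46 bits of work rather than the 65 its length suggests, and under 30 bits once the core word sits in a million-word dictionary.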
49. Would someone SPY on a LAWYER?
● United States - Measures Affecting the Production and Sale of Clove Cigarettes (Indonesia v. US) (DS406, WTO DSB, 2012)
● GTMO
● https://www.csoonline.com/article/3070110/security/fbi-hid-microphones-for-secret-warrantless-surveillance-near-california-courthouses.html (San Francisco / federal)
● https://www.nytimes.com/2008/04/28/us/28lawyers.html (Oregon state/federal)
50. SBTx, Comm. on Prof. Ethics, Opinion 648 (2015)
“In general, considering the present state of technology and email usage, a lawyer
may communicate confidential information by email. In some circumstances,
however, a lawyer should consider whether the confidentiality of the information
will be protected if communicated by email and whether it is prudent to use
encrypted email or another form of communication. Examples of such
circumstances are:
[…] sending an email if the lawyer is concerned that the NSA or other law
enforcement agency may read the lawyer’s email communication, with or without
a warrant.”
51. SBCa, St. Comm. on Prof. Resp., Opinion 2010-179
“Similarly, encrypting email may be a reasonable step for an attorney to take in an
effort to ensure the confidentiality of such communications remain so when the
circumstance calls for it….”
52. ABA Formal Ethics Opinion 11-459
“A lawyer sending or receiving substantive communications with a client via e-mail
or other electronic means ordinarily must warn the client about the risk of sending
or receiving electronic communications using a computer or other device, or e-
mail account, where there is a significant risk that a third party may gain access.”
53. Messaging security
● Messaging applications like iMessages or Signal can be more secure than email
● Seriously, use Signal. Download it right now, don’t wait for the end of class. https://signal.org/download/
54. Email Security
● Using a webmail provider like GMail or Proton Mail
○ Use a strong password
○ Use multifactor authentication
● Email Attachments
○ When is it safe to open an attachment?
55. Mobile Phone Security
1. Use a lock code or PIN to lock your phone. Longer is better. Alphanumeric is better than numeric.
2. Don’t leave your phone unlocked and unattended.
3. Do not install unknown and unverified programs on your phone. Only install apps from the official Apple App Store or Google Play.
4. If you plan to dispose of, give away, sell or re-use your phone, make sure that all information is deleted.
5. Back up your phone information regularly to a computer or the cloud. This will allow you to restore the data if you lose your phone or it is damaged or compromised.
6. When your carrier makes an update available, install the update. This helps to protect your phone from being compromised. Consider using only trusted phone dealers and repair shops if you are worried that your phone may be tampered with before you purchase it or while being repaired. You may want to use an authorized but randomly chosen phone dealer or service provider.
7. Your phone may allow you to disable “Location Services” altogether if there are times you do not want your location to be tracked and made available to third-party apps. Note that your location information will still be available to the mobile phone network provider as your phone pings nearby cell phone towers.
56. Be very wary when connecting to WiFi access points that don't require passwords, or to WiFi networks in public spaces such as a coffee shop. It may be better to incur data charges than incur the risk of connecting to a public WiFi network.
When you use a web browser, look at the address bar and check to see if there is a green lock icon. The URL should also begin with “https”: this means that the browser is using HTTPS, which is a form of encryption. If anyone on the network sees your traffic, they can’t read its content!
Read more: https://support.google.com/chrome/answer/95617?hl=en
57. For your home WiFi:
● WPA2-PSK (not “mixed mode” WPA)
● Make sure you update your router software (https://arstechnica.com/information-technology/2018/06/widely-used-d-link-modemrouter-under-mass-attack-by-potent-iot-botnet/, https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/)
58. Secure file exchange
There are many ways to securely exchange documents, from password-protecting them to using a strong encryption method. Which one you use will be based on how sensitive the information is and what you & your client agree on.
Lifehacker has a list of five encryption tools they recommend for local encryption of files: http://lifehacker.com/five-best-file-encryption-tools-5677725
59. Secure file exchange: Password Protected PDFs
Saving a PDF file with a password helps to protect the information from being easily read by someone who is sniffing traffic on the network (as could happen on an open wifi network that is not protected by a password), or if they gained access to your email.
Creating one on Windows: https://www.digitaltrends.com/computing/password-protect-pdf/
Creating one on Mac: https://support.apple.com/guide/preview/password-protect-a-pdf-prvw587dd90f/mac
60. Secure file exchange: Password Protected Zip files
7Zip for Windows:
● Download: http://www.7-zip.org/
● Tutorial: http://www.gofree.com/Tutorials/ZipCompFiles.php
Keka for Mac OS X:
● Download: http://www.kekaosx.com/en/
● Tutorial: http://www.kekaosx.com/en/doc.php
61. Secure file exchange: VeraCrypt
VeraCrypt runs on Windows and Macs, and allows you to create encrypted containers, which are like disk images, to hold files. These encrypted containers can then be exchanged through use of Box or some other shared drive service, or with USB keys. This is a good tool if you have especially sensitive files that you need to exchange, and your client has agreed to install the software and exchange encrypted containers.
● https://www.veracrypt.fr/en/Home.html
62. Backups
As ransomware has increased as a threat, it’s important to take time to make sure that you have backed up your critical files, especially if you are in a small law office and store important client files. This handout will point you to some options for making backup copies of your data.
If you can, you should encrypt your backups. However, it is better to have unencrypted backups than not to back up anything because you haven’t gotten around to setting up an encrypted system.
● Backblaze! (We’re not shilling for them, but there’s a reason all of Brendan’s family and many friends use it)
63. Backups:
Windows 10 built-in backup: https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473
64. Backups: Mac OS X
Mac OS X Time Machine (built-in backup software) tutorial: http://osxdaily.com/2015/07/12/set-up-time-machine-backups-mac-os-x/
65. Web Applications
● How to secure a Google Apps or O365 account
● https://landing.google.com/advancedprotection/
● Vendor security analysis is hard; for lawyers, just rely on the big vendors
66. Learning more
Attorney Specific
1. Operational Security for Lawyers: https://lawyerist.com/series/operational-security-for-lawyers/
2. Computer Security Tools and Concepts for Lawyers: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2831739
Warrant from a NIT from https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal
For those of you who get your security news from FireEye, this may come as a shock.
To be clear: there are more than this, this is just how many it took before I got bored looking up names.
Subscriber Identity Module. For GSM phones (AT&T, T-Mobile, anything in Europe) this is what tells the phone what network and phone number it is.
CC-BY: https://www.flickr.com/photos/kalleboo/4450303200
This is naturally called something different on each carrier.
Also: Password dumps from data breaches & password reuse
Stuff about helping prevent phishing
Apps like Google Authenticator vs a security key (some security keys are phishing resistant, apps & other keys are not)
Can put multiple keys on your accounts - helps keep access to your account if you lose the one you keep on a keychain
SMS 2FA -> mention the issues here?
Network connections
Note: this is NOT THE SAME as a print password; it’s an open password you want