This afternoon I had the pleasure of attending, at ESADE Law School, the seminar “Legal Research Seminar: La valoración de la prueba científica” given by Prof. Dr. Michele Taruffo, Professor of Procedural Law at the University of Pavia (Italy).
After Professor Xavier Abel’s introduction of Professor Taruffo’s very extensive profile, the latter began his talk by referring to the complexity of the field and pointing to a volume on his desk, I believe the “Reference Manual on Scientific Evidence: Third Edition”, published by The National Academies Press together with the Federal Judicial Center and available for download as a PDF here (1038 pages…).
The professor said he would divide his presentation into three parts, touching on three questions he considers relevant.
Comments closed on Legal Research Seminar: La valoración de la prueba científica
“The feds are so comfortable in this ethically-challenged landscape in large part because they are also the largest single employer… on both sides. One in four U.S. hackers is an FBI informer, according to The Guardian. The FBI and Secret Service have used the threat of prison to create an army of informers among online criminals.
While security dudes tend to speak in terms of black or white hats, it seems to me that nearly all hats are in varying shades of gray.”
I, Cringely: “When Engineers Lie”.
Comments closed on Shades of grey
Against this backdrop of increasingly frequent attacks, on Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor. Lockheed Martin has stated that this attack was thwarted.
As a result, we are expanding our security remediation program to reinforce customers’ trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
Open Letter to RSA SecurID Customers.
Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.
Comments closed on Choose your weapon
Though federal courts can indeed be slow, it took Shadur only three days from the case assignment to issue a memorandum order that opened with these words:
“It seems that attorney John Steele (“Steele”) might be well advised to stay away from Las Vegas or other casinos, because his current filing on behalf of plaintiff Boy Racer, Inc. has—despite odds in the range of 25 to 1—been assigned at random to the calendar of this District Court, which had previously been the recipient of another random assignment of a Steele-filed action (that one being CP Productions, Inc. v. Does 1-300, No. 10 C 6255). This Court had ended up dismissing the CP Productions action for the reasons stated in its February 7, 2011 memorandum order and its February 24, 2011 memorandum opinion and order, which (among other reasons) rejected attorney Steele’s effort to shoot first and identify his targets later.”
Enter DGW! (again):
After being honored with an Oscar for best motion picture last year, the makers of The Hurt Locker have now also secured the award for the biggest file-sharing lawsuit the world has ever witnessed. By targeting at least 24,583 alleged BitTorrent users, Voltage Pictures hopes to recoup millions of dollars in settlements to compensate the studio for piracy-related losses.”
The math shows that this scheme could turn out to be extremely profitable for the parties involved. If ‘only’ 10,000 of the alleged infringers eventually pay a $2,000 settlement this would bring in $20 million. In comparison, that’s more than the $17 million The Hurt Locker grossed at the U.S. box office.”
See also here for some background.
Comments closed on Shoot first, identify later?
However, to counter any threats, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data,” he said. “We have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multilayered information systems security.”
From WSJ, via BB.
See also arstechnica and NYT (registration required).
Reminder: Required Actions for SecurID Installations (March 18th, 2011).
RSA strongly urges customers to follow both these overall recommendations and the recommendations available in the best practices guides linked to this note.
- We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
- We recommend customers enforce strong password and PIN policies.
- We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
- We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
- We recommend customers pay special attention to security around their Active Directory installations, making full use of their SIEM products and also implementing two-factor authentication to control access to Active Directory.
- We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
- We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
- We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
- We recommend customers update their security products and the operating systems hosting them with the latest patches.”
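The two monitoring recommendations above (watch privilege and access-right changes through a SIEM, and add manual approval for them) are the ones a detection engineer can turn into a rule. The block below is an added example, not part of RSA’s note and not any product’s rule language: it runs a small classifier over a constructed sample of flattened Windows Security events (the event IDs 4728/4732/4756 for members added to security-enabled global/local/universal groups, and 4729/4733/4757 for removals, are the documented Windows IDs; the flat `key=value` line layout, the group list and the approval roster are assumptions for the example). Additions to a privileged group by an account outside the approval roster, or by an account adding itself, are raised as high severity; additions by an approved admin are raised as needing a second approval, which is the manual step the note suggests.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows Security event IDs for group membership changes (documented IDs).
MEMBER_ADDED = {"4728", "4732", "4756"}     # added to global / local / universal group
MEMBER_REMOVED = {"4729", "4733", "4757"}   # removed from the same group kinds

# Groups whose membership grants administrative control (assumed list for the example).
PRIVILEGED_GROUPS = {
    r"CORP\Domain Admins", r"CORP\Enterprise Admins", r"CORP\Schema Admins",
    r"BUILTIN\Administrators", r"CORP\Backup Operators", r"BUILTIN\Account Operators",
}
# Accounts authorised to touch privileged groups (assumed change-approval roster).
APPROVED_ADMINS = {r"CORP\admin-rk"}

# Constructed sample of forwarded events flattened to one line each (not a real log).
SAMPLE_EVENTS = [
    r"2011-06-06T09:12:01Z EventID=4728 Subject=CORP\jdoe Member=CORP\svc-backup Group=CORP\Backup Operators",
    r"2011-06-06T09:15:44Z EventID=4732 Subject=CORP\jdoe Member=CORP\jdoe Group=BUILTIN\Administrators",
    r"2011-06-06T09:20:10Z EventID=4756 Subject=CORP\admin-rk Member=CORP\ops-team Group=CORP\Enterprise Admins",
    r"2011-06-06T09:22:30Z EventID=4728 Subject=CORP\admin-rk Member=CORP\tmoore Group=CORP\Sales",
    r"2011-06-06T09:25:00Z EventID=4757 Subject=CORP\admin-rk Member=CORP\ops-team Group=CORP\Enterprise Admins",
]

# Group is last because group names may contain spaces; account names here do not.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) "
    r"Member=(?P<member>\S+) Group=(?P<group>.+)$"
)


@dataclass
class Alert:
    ts: str
    severity: str   # "high", "medium" or "low"
    reason: str
    subject: str
    member: str
    group: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for a change to a privileged group, or None if the event is benign."""
    if event["group"] not in PRIVILEGED_GROUPS:
        return None
    eid = event["eid"]
    base = dict(ts=event["ts"], subject=event["subject"], member=event["member"], group=event["group"])
    if eid in MEMBER_REMOVED:
        # Removals are legitimate housekeeping most of the time, but keep an audit trail.
        return Alert(severity="low", reason="member removed from privileged group (audit)", **base)
    if eid not in MEMBER_ADDED:
        return None
    if event["subject"] == event["member"]:
        # An account granting itself privilege is the classic post-compromise move.
        return Alert(severity="high", reason="self-elevation into privileged group", **base)
    if event["subject"] not in APPROVED_ADMINS:
        return Alert(severity="high", reason="privileged group change by unapproved account", **base)
    return Alert(severity="medium", reason="privileged group change by approved admin: needs second approval", **base)


def detect(lines) -> List[Alert]:
    """Run the classifier over raw event lines; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count these: silently dropped lines hide attacks
        alert = classify(m.groupdict())
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.ts} {a.reason}: {a.subject} -> {a.member} in {a.group}")
```

The rule deliberately ignores the `Sales` change: alerting on every membership change buries the few that matter, and the note’s advice is specifically about privilege levels.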
See also securosis and schneier.
Update: Reuters via BB.
Comments closed on RSA SecurID breach & Lockheed Martin hacker attack
All complex systems contain parasites. In any system of cooperative behavior, an uncooperative strategy will be effective — and the system will tolerate the uncooperatives — as long as they’re not too numerous or too effective. Thus, as a species evolves cooperative behavior, it also evolves a dishonest minority that takes advantage of the honest majority. If individuals within a species have the ability to switch strategies, the dishonest minority will never be reduced to zero. As a result, the species simultaneously evolves two things: 1) security systems to protect itself from this dishonest minority, and 2) deception systems to successfully be parasitic.”
From Schneier on Security.
Comments closed on Cooperative and defective strategies
To provide an additional layer of evasion, two-fold plausible deniability can be used to provide the covertly communicating parties two chances to deny the presence of hidden information. In their first attempt, the parties simply deny the very existence of hidden data. If the first approach does not succeed, they still have the option to only reveal the less sensitive information and deny the presence of any other hidden data on the medium as in Anderson et al. (1998); McDonald and Kuhn (1999); Pang et al. (2003).”
Paper: “Designing a cluster-based covert channel to evade disk investigation and forensics”, Hassan Khan, Mobin Javed, Syed Ali Khayam, Fauzan Mirza; Elsevier’s Computers & Security 30 (2011), pp. 35-49.
Via Schneier on Security
Via New Scientist
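The post title, cluster positioning as a code, is the part of the paper worth seeing in working form. The block below is an added example written for this post, a simplified model and not the authors’ scheme: it assumes a FAT-like volume with a free-cluster bitmap, where a cover file is allocated cluster by cluster and each hidden bit decides whether the next cluster is placed contiguously (0) or after a deliberate gap (1). The cover file’s content stays innocuous, which is the first layer of deniability in the quoted paragraph (the second layer, a less sensitive decoy message that can be admitted under pressure, would be a second carrier and is not modelled here). The decoder needs only the cluster chain, which any file-system parser already recovers; `fragment_count` is the figure a forensic tool would compute for the same file.

```python
from typing import List


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    usable = len(bits) - len(bits) % 8      # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


class Disk:
    """Toy FAT-like volume (assumed model): a free-cluster bitmap and per-file chains."""

    def __init__(self, n_clusters: int):
        self.free = [True] * n_clusters

    def next_free(self, start: int) -> int:
        for c in range(start, len(self.free)):
            if self.free[c]:
                return c
        raise RuntimeError("volume full")

    def allocate_carrier(self, hidden_bits: str, first_hint: int = 0) -> List[int]:
        """Allocate a cover file of len(hidden_bits) + 1 clusters.

        Bit i decides where cluster i + 1 goes: '0' = directly after the previous
        cluster (contiguous), '1' = skip at least one free cluster (a fragment).
        """
        chain = [self.next_free(first_hint)]
        self.free[chain[0]] = False
        for bit in hidden_bits:
            prev = chain[-1]
            if bit == "0":
                c = prev + 1
                if c >= len(self.free) or not self.free[c]:
                    # A real encoder would pick a different cover file or re-plan;
                    # the toy model just refuses rather than emit a wrong bit.
                    raise RuntimeError(f"cluster {c} not free: cannot encode a contiguous step")
            else:
                c = self.next_free(prev + 2)
            self.free[c] = False
            chain.append(c)
        return chain


def extract_bits(chain: List[int]) -> str:
    """Decoder side: adjacent clusters read as 0, any gap reads as 1."""
    return "".join("0" if b == a + 1 else "1" for a, b in zip(chain, chain[1:]))


def fragment_count(chain: List[int]) -> int:
    """What a forensic tool reports for the file: number of contiguous runs."""
    return 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)


def roundtrip(secret: bytes, n_clusters: int = 4096) -> bytes:
    """Hide `secret` in a fresh carrier on an empty volume and recover it from the chain."""
    disk = Disk(n_clusters)
    chain = disk.allocate_carrier(bytes_to_bits(secret))
    return bits_to_bytes(extract_bits(chain))


if __name__ == "__main__":
    chain = Disk(64).allocate_carrier(bytes_to_bits(b"hi"))
    print("chain:", chain)
    print("fragments:", fragment_count(chain), "bits:", extract_bits(chain))
    print("recovered:", roundtrip(b"hi"))
```

The capacity is one bit per cluster of cover file, so a 16-bit secret needs a 17-cluster carrier; the cost the paper is concerned with is that the carrier’s fragmentation is the only observable trace, and a file with eight fragments in seventeen clusters is unusual enough that a statistical check on fragmentation would be the natural forensic counter.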
Comments closed on Cluster positioning as a code
Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs. This third conclusion leads us to develop flash translation layer extensions that exploit the details of flash memory’s behavior to efficiently support file sanitization. Overall, we find that reliable SSD sanitization requires built-in, verifiable sanitize operations.”
From USENIX via The Register.
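The paper’s last conclusion, that a sanitize operation must be verifiable, is something a practitioner can act on without trusting the drive firmware’s word for it. The block below is an added example, not from the paper: before issuing the erase it writes unique marker sectors at randomly sampled LBAs (offsets, marker format and sample size are this example’s own choices), then reads the same offsets back and reports which markers survived. The `ata_secure_erase` helper issues ATA SECURITY ERASE UNIT through the real `hdparm` options and is destructive, so the `demo` runs the check against a temporary file standing in for a drive, with a correct erase, a stand-in for a firmware erase that stops short of the end, and a no-op. The caveat from the paper applies: this only inspects the visible address space, so it can catch an erase that is implemented incorrectly but cannot see data left in over-provisioned flash that the FTL no longer maps.

```python
import os
import random
import subprocess
import tempfile
from typing import Callable, List

SECTOR = 512


def marker_for(offset: int) -> bytes:
    """One full sector of content unique to its offset (assumed marker format)."""
    tag = b"SANITIZE-CHECK:%016x:" % offset
    return (tag * (SECTOR // len(tag) + 1))[:SECTOR]


def sample_offsets(device_size: int, n: int, seed: int) -> List[int]:
    """n distinct sector-aligned byte offsets, reproducible from the seed."""
    rng = random.Random(seed)
    return sorted(s * SECTOR for s in rng.sample(range(device_size // SECTOR), n))


def write_markers(path: str, offsets: List[int]) -> None:
    with open(path, "r+b") as f:
        for off in offsets:
            f.seek(off)
            f.write(marker_for(off))
        f.flush()
        os.fsync(f.fileno())


def surviving_markers(path: str, offsets: List[int]) -> List[int]:
    """Offsets whose marker is still readable after the erase. On a real block
    device open with O_DIRECT as well, so the page cache cannot answer for the drive."""
    survivors = []
    with open(path, "rb") as f:
        for off in offsets:
            f.seek(off)
            if f.read(SECTOR) == marker_for(off):
                survivors.append(off)
    return survivors


def ata_secure_erase(device: str) -> None:
    """Issue ATA SECURITY ERASE UNIT via hdparm. Destructive, needs root, and the drive
    must not report 'frozen' in 'hdparm -I'. Not exercised by demo()."""
    subprocess.run(["hdparm", "--user-master", "u", "--security-set-pass", "p", device], check=True)
    subprocess.run(["hdparm", "--user-master", "u", "--security-erase", "p", device], check=True)


def verify_sanitize(path: str, size: int, erase: Callable[[str], None],
                    n: int = 64, seed: int = 1) -> List[int]:
    """Plant markers, run the supplied erase, return the offsets that survived (empty = pass)."""
    offsets = sample_offsets(size, n, seed)
    write_markers(path, offsets)
    erase(path)
    return surviving_markers(path, offsets)


# Stand-ins for drive behaviour when the "device" is an ordinary file.
def good_erase(path: str) -> None:
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)


def buggy_erase(path: str) -> None:
    """An erase that stops a quarter short: the 'implemented incorrectly' case."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * (size - size // 4))


def demo(size: int = 1 << 20) -> dict:
    """Run the check against a temp file filled with random data; returns survivors per case."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(os.urandom(size))
    try:
        return {
            "correct": verify_sanitize(path, size, good_erase),
            "buggy": verify_sanitize(path, size, buggy_erase),
            "noop": verify_sanitize(path, size, lambda p: None),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for case, survivors in demo().items():
        print(f"{case:8} survivors: {len(survivors)}")
```

Sampling rather than reading the whole device keeps the check cheap enough to run on every decommissioned drive; the sample size and seed are worth recording with the result so the same offsets can be re-read later.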
Comments closed on Reliably Erasing Data from Flash-Based Solid State Drives
Or was it ArsTechnica?
Comments closed on Schneier on Anonymous vs HBGary