Tag: digital law

The good, the bad and the ugly of the proprietary software model

The last article discussed the advantages and disadvantages of the Open Source software model. We even listed some uncomfortable truths regarding its economic viability and how it could be more expensive than many proprietary products. Despite being an Open Source zealot, I want to start with the statement that I still think proprietary software is sometimes better than its Open Source alternatives. My case cannot be compared with the average customer's, because I have spent the last 18 years working in IT, which means I want much more control over my system than the standard PC user. At the same time, when I can, I strongly avoid using proprietary software because I want to know what runs on my device, or at least have the ability to review it if I wish. But let me list the good, the bad, and the ugly of using proprietary software:

The good

  • Legal responsibility: Whether they like it or not, proprietary software vendors are obliged by law in most countries to take care of their customers and of the data generated by the use of the software. And yeah, many governments try defending their citizens and their data.
  • Better support: No one will pay for proprietary software if support is not included in the price. The difference from Open Source vendors is that even the cheapest plans come with some hours of first-level support, which is better than nothing.
  • Centralization: Having a more centralized way of management has advantages such as faster development speed, a faster decision-making process, and fewer intrigues.

You can see a comparison between BlackBox and Whitebox software on the diagram. Open Source software is considered Whitebox because everyone can see and review its logic. Proprietary software, on the other hand, is considered BlackBox because to analyze its behavior, analysts must use reverse engineering techniques.

The bad

  • You have to pay for it: One of the bad things regarding proprietary software is that people have to pay for it. The main problem is not the cost but the business risk: when you depend on something you do not have access to, you introduce a critical business dependency. What happens if suddenly this software vendor disappears?
  • Closed ecosystem: Decisions are made by the company’s owners producing the software. Customers usually do not have control or involvement in feature design and implementation. 
  • More complicated collaboration: If two companies want to work together, they should sign a contract, and by signing this contract, they “decide” how their partnership will happen. By not having a ready-for-use framework, lawyers must review every agreement and make sure that both sides are happy with it.

The ugly

  • Sometimes less secure: Proprietary software has the same security problems as Open Source software. Many hackers are pretty adept at reverse engineering and finding security holes. Additionally, proprietary vendors must pay for security audits and cannot rely on an ecosystem of hardcore software engineers to do that for them.
  • Lousy support for smaller customers: The bigger a software vendor becomes, the lousier its support becomes for its small customers. This puts them on a par with Open Source vendors that offer no support for their free plans. And yeah, there is a reason for the number of jokes regarding the quality of support provided by a certain operating system manufacturer :-).
  • Weaker legal defense: The bigger a software vendor becomes, the more legally powerful it is. This leaves its small customers fewer opportunities to seek justice. Usually, the side with the bigger pool of resources is the winning one in legal battles.

In conclusion, there is no significant difference between the proprietary and Open Source software models. The only meaningful difference is that customers can more easily make legal claims against smaller proprietary vendors. However, once the vendor becomes too big, they hire better lawyers, and experienced lawyers are pretty good at defending corporate interests. Other than that, the tradeoff for the end customer is first-level support versus free usage.

The good, the bad and the ugly of Open Source software model

I want to start this post with the statement that I am a fierce supporter of Open Source, and all of my computers, servers, and smartphones are running different flavors of Linux. For the last ten years, I have used Windows ten times at most, and only because some software vendors have been neglecting the Linux ecosystem for years. Other than that, I have no wish or necessity to touch Mac or Windows for anything other than testing web or mobile apps.

At the same time, I want to strongly emphasize that Open Source as a model has its problems and that I believe no software development practice, Open Source or proprietary, is ideal. This post aims to list some of the advantages and disadvantages the Open Source model has. Despite its widely successful spell during the last 30 or more years, the model is somewhat economically broken. But let’s start with the lists:

The good

  • Open Source is almost free: Most open source projects provide free plans for casual users or tech-savvy customers, and an ecosystem forms around them. This way, a whole set of companies can build their business model on top of these freemium plans and add value.
  • More openness: People working on open source projects must build an ecosystem. And people stay in an ecosystem only if it is open to proposals and changes according to the members’ needs. Otherwise, the ecosystem usually does not survive for long. Additionally, everyone can review the code and search for security holes.
  • Better collaboration: Legally speaking, if two organizations want to work together, they should sign a contract on every point they want to collaborate. Organizations already know how to work with the various Open Source licenses and do not need to reinvent the wheel for their specific case.

The bad

  • Lack of responsibility: Most Open Source software comes without any obligations for the authors. Whether there are security holes, bugs, or losses by using the software – authors are not responsible.
  • Too much decentralization: When a project becomes too popular, the lack of centralization increases politics and power struggles. With multiple controlling bodies or boards of people governing the project, the number of interested parties increases, sometimes making decision-making a nightmare.
  • Lack of support: Some Open Source projects entirely lack technical or user support. Even if they offer support, the customer must pay too much money to get any meaningful help. The lower-cost plans usually are not helpful enough.

On the diagram, you can see a standard crawler architecture. Most of the products implementing this architecture would use Open Source components to speed up development and lower the cost. They must then live with the problems that come from using these components.

The ugly

  • Sometimes less secure: Many projects do not have the proper set of resources to ensure their level of cybersecurity, despite being used by many people. A recent example of that is log4j – all major Java products use it, and at the same time, a big security hole was discovered a couple of weeks ago.
  • Complicated business model: Open Source is hard to monetize. Many products try surviving on donations or support. However, this monetization model does not scale as well as the proprietary one.
  • Legal mess: Usually, proprietary products build on Open Source ones to speed up development. This technique is used primarily in start-ups or consulting companies. However, this approach has its problems. What happens in a case such as log4j, where a security hole or a bug in one of your Open Source components leads to data leaks or financial losses? Who is responsible? By default, this is the user of the component, aka you.

In conclusion, Open Source is not for everyone. It can be more secure or come with better support, but only if the code comes from a reputable software vendor. In all other cases, users are left on their own to handle their security and support. Another question is whether the alternative (using only proprietary software) is better, but I will analyze this in another article.

Smart Contracts: Mission Possible

In the last article for 2021, I shall touch on one of the most exciting topics in technology for the last decade. For sure, with its novel approach, blockchain technology managed to change and shape our technical landscape during that period. These days crypto is being adopted aggressively, and many people use cryptocurrencies every day. Additionally, we have seen the mass adoption of NFTs and how it changed the art industry. We saw many platforms making an ICO as a replacement for an IPO. None of this would be possible without blockchain.

But what is blockchain? Essentially, blockchain is an append-only database system in which every transaction is cryptographically signed. Your digital identity is represented by a pair of public/private keys. The algorithms use these keys to encrypt/decrypt and sign/verify the data coming into and out of the database. These same keys are used to identify your wallet in the standard cryptocurrency world. However, a traditional key/value database system is not enough for real-world usage, which is why almost all blockchain networks now offer smart contracts.
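The signed, append-only ledger described above, as an added Go example that is not code from the original post: the Entry and Ledger types, the SHA-256 link between consecutive entries and the choice of Ed25519 for the public/private key pair are my own assumptions for the illustration. It shows the two properties the paragraph relies on, that a record is tied to the key pair that submitted it and that nothing already appended can be edited without the change being detected. A real network adds consensus, fees and much more on top of this skeleton.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one signed record in the append-only ledger. The submitter's public
// key doubles as their identity, the way a wallet address does.
type Entry struct {
	PrevHash  []byte            // digest of the previous entry; nil for the first one
	Payload   string            // the transaction being recorded
	PubKey    ed25519.PublicKey // who submitted it
	Signature []byte            // signature over digest(PrevHash, Payload)
}

// digest binds a payload to its position in the chain: the same payload at a
// different position yields a different digest and therefore a different signature.
func digest(prev []byte, payload string) []byte {
	h := sha256.New()
	h.Write(prev)
	h.Write([]byte(payload))
	return h.Sum(nil)
}

// Address derives a short wallet-style identifier from a public key.
func Address(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Ledger exposes only Append and Verify: there is no update or delete.
type Ledger struct {
	entries []Entry
}

// Append signs the payload with the submitter's private key and links it to
// the current tail of the chain.
func (l *Ledger) Append(priv ed25519.PrivateKey, payload string) {
	var prev []byte
	if n := len(l.entries); n > 0 {
		last := l.entries[n-1]
		prev = digest(last.PrevHash, last.Payload)
	}
	d := digest(prev, payload)
	l.entries = append(l.entries, Entry{
		PrevHash:  prev,
		Payload:   payload,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, d),
	})
}

// Verify walks the chain from the start. It returns the index of the first
// entry whose link or signature does not check out, or -1 if all are valid.
func (l *Ledger) Verify() (int, error) {
	var prev []byte
	for i, e := range l.entries {
		if !bytes.Equal(e.PrevHash, prev) {
			return i, errors.New("chain link does not match previous entry")
		}
		d := digest(e.PrevHash, e.Payload)
		if !ed25519.Verify(e.PubKey, d, e.Signature) {
			return i, errors.New("signature does not verify under embedded public key")
		}
		prev = d
	}
	return -1, nil
}

// Len reports how many entries the ledger holds.
func (l *Ledger) Len() int { return len(l.entries) }

func main() {
	// Constructed sample: two participants, each with their own key pair.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)

	var ledger Ledger
	ledger.Append(alicePriv, fmt.Sprintf("%s pays %s 5", Address(alicePub), Address(bobPub)))
	ledger.Append(bobPriv, fmt.Sprintf("%s pays %s 2", Address(bobPub), Address(alicePub)))
	i, err := ledger.Verify()
	fmt.Println("intact ledger:", i, err)

	// Simulate someone editing a stored record behind the system's back:
	// the signature over the original payload no longer matches.
	ledger.entries[0].Payload = "tampered"
	i, err = ledger.Verify()
	fmt.Println("after tampering:", i, err)
}
```

The signature covers the link to the previous entry as well as the payload, so an entry cannot be silently re-ordered or replayed at another position either; Verify reports the first position where the chain stops being trustworthy.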

Every smart contract is a programming object with a lifecycle happening in the blockchain network. Additionally, every interaction with it is recorded and cryptographically signed with the same set of public/private keys used for your digital wallet. With such capabilities and a way for sending money, the blockchain networks offer pretty exciting opportunities:

You can see a standard workflow of using a smart contract on the diagram. The seller and buyer provide data to the code deployed in the blockchain, and it is executed to fulfill the contract.

  • Replacement of standard contracts: In an ideal world, crypto would dominate people’s legal operations. It has all the tools for doing that, and many platforms, including IBM’s Hyperledger, offer such capabilities. Instead of signing on paper, people use digital signatures, and the system’s distributed nature ensures that no malicious modification can happen.
  • E-voting: Many people believe that we could replace the standard paper-based voting system entirely with the progress of zero-knowledge proof protocols. Indeed, the technology is promising and could offer genuine authenticity during the voting experience in the future. However, its current state (aka not supporting actual programming language experience) is hardly helpful for anything other than checking a simple boolean expression.
  • Decentralized Economy: In our current capitalism-based world, the parties issuing the money control the market. With the rise of crypto, that’s no longer true because now everyone can start issuing tokens and dictating how the market operates. And this is extremely helpful for smaller communities, which can detach themselves from the centralized issuing authority.

In conclusion, blockchain is quite an exciting technology, but unfortunately, it is still not mature enough for mass adoption. The main concern is that, despite the supposed anonymity, it is still possible to track the money transfers and identify the real people behind the public/private key pairs. The same is true for smart contracts and e-voting: for sure, no one is going to be happy if strangers can read the notarial deed for their real estate or see for whom they voted.

Red team that

Red team exercises and penetration testing have become our new reality. Especially with COVID-19 and the additional boost to digital transformation, we are more and more digitally dependent. Many countries have started legally requiring business and governmental organizations to improve their cybersecurity defenses. And the best way to do that is to have regular penetration testing drills once or twice per year.

However, we should ask ourselves how effective this practice is and whether it provides a good level of security for our data and assets. To do that, let’s analyze what the usual workflow of a penetration test is. Every engagement in cybersecurity starts with a legal contract, which defines the rules of engagement. In this legal contract, the defending side, the client, negotiates the rules with the attacking side, aka the penetration testing company. In the case of third-party requirements such as government or corporate integrations, the rules are defined by the third party. They can even give you a list of “trusted” penetration testing companies from which you have to choose. For example, when we had to do a security audit for Google and Microsoft to allow our integrations, they provided the list of auditing partners we had to use.

On the diagram, you can see a standard Red Team drill workflow. The rules are usually not set by the attacking team.

And here is one of the main problems with penetration testing: there are rules of engagement. In a real-world scenario, there is no such thing as a set of rules. The dedicated attacker can do whatever is necessary to penetrate your defenses, and he/she will not abide by the law. Comparison to conventional military drills is not only impractical but could even be harmful to your team’s attitude. It is much better to compare the attacker’s modus operandi to what guerilla fighters do: asymmetric warfare, without rules, requirements, etc. Attackers will do what is necessary to penetrate you, nothing more and nothing less.

The second problem with penetration tests is that the attacking team usually has limited time to penetrate your organization. The whole economy around red teaming is based on projects between two weeks and two months long. After that, the attacking team must go to the next assignment. In comparison, real-world hacker teams are usually part of criminal syndicates, and these criminal syndicates have other sources of income such as human trafficking, prostitution, drugs, and weapons. They can happily try to hack one organization for a year or more, especially if it is a big enough target.

And last, but not least – different motivation. In the red team case, the motivation is to abide by a requirement or by law. It means that the penetration team will ensure that the system passes the requirements and rarely will do more. When we speak about real hacker groups, usually we have a pretty limited set of motivation types – money and personal vendetta. Both of these are much higher on the motivation scale than a simple requirement fulfillment.

In conclusion, penetration testing is a helpful activity; however, it is not a panacea. The results coming from it give a snapshot of your organization’s current cybersecurity state. Unfortunately, the limited scope of every penetration test will not give you a 100% guarantee that attackers cannot break through your defenses. It is much better to treat red teaming as one part of our cybersecurity strategy, one valuable security tool among many.

Are law firms a high-value target for hackers?

A New York-based law firm fell victim to a cyber attack. That wasn’t unfortunate only for the firm, but also for the countless celebrity clients they represent. Their client list comprises many A-level celebrities.

All these people fell victim to hackers.

The hacker group that carried out the attack remained unnamed. It got dubbed REvil because that’s the ransomware used by the group.

The cybercriminals targeted the law firm’s internal data systems. They managed to get away with 756 gigabytes of data, which they deemed was worth $21 million in ransom. When the law firm stated they had no intention of paying a dime in ransom, the criminals released a statement that they’re doubling their ransom request to the staggering $42 million.

After the firm refused to comply with the ransom demand, the hackers released an astonishing 2.4 gigabyte batch of data. It included private files and all sorts of sensitive information: contracts, non-disclosure agreements, promotional agreements, and expense sheets, among others.

The data dump wasn’t the only bombshell the cybercriminals dropped. They claimed to have an ace up their sleeve: private documents belonging to the American President. The law firm was quick to deny having any business dealings with the President. They claimed only that his name got mentioned in some of their documents connected to other clients.

Due to the hack’s success and the massive breach of privacy, the FBI got involved. They advised against paying the ransom as, in most such cases, payment doesn’t do much besides cost the victim money.

If you’re a victim of cybercriminals, you’re in a lose-lose situation. If you refuse to pay them, they can release the information they stole if that’s what they wish, and the victims get left to deal with the consequences. To pay the ransom they demand means you’re accepting their promise to destroy the data they stole.

You can see a standard distribution of malware types on the diagram, and how the malware authors target their victims. In the case of organizations, the main criminal approaches are data theft and ransomware.

Can you trust the word of hackers? No, you can’t. However, it is essential to understand that if the criminals did not keep their word, no one would pay the ransom, so they have an interest in keeping this final option credible. Unfortunately, paying the ransom usually motivates more and more criminal groups to execute such operations.

This hack wasn’t their first attempt to score big. The attackers carried out an attack on a foreign currency dealer as well. However, the ransom demand they went with paled compared to the $42 million, or even the $21 million, they demanded from the law firm. In this case, they asked for $6 million under threat of deleting customer data. After a few weeks of having their services kept offline, the dealer caved and coughed up $2.3 million as payment.

Especially with COVID-19, more and more law and financial companies can become a target for attackers. It is essential to understand that blind faith in your cloud provider is only part of the equation. Every organization must take care of its defenses and upgrade them as much as it can. Only by doing this can it make attackers’ lives harder.

The Legality of Private Servers

The legality of privately owned servers is a much-discussed topic with large grey areas and varying laws in different countries.

In general, that legality is determined by a constitutional amendment similar to this one: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

In other words, this means that the government and other institutions, organizations, and people in general do not have the right to search or control privately owned servers. They should not check what the servers store unless there is reasonable evidence of illegal content.

A warrant to search a privately owned server would not be issued out of false claims because a judge has to examine whether the given evidence is sufficient. However, web servers are usually quite transparent, and illegal content on them is easily detected.

How is that a grey area then, and how liable are those individuals owning servers?

In the case of illegal content linked to a specific web server, people on the internet can see the server’s content and report it if they deem it inappropriate. If many people do this, it will eventually get removed in many cases.

However, if it is not a web server, then people would have no real reason to examine it without evidence of illegal content. Responding to other people reporting illegal content on one’s server by instantly removing it can make the server owner less liable.

Private Game Servers – Legal or Not?

One interesting legal case is the video gaming industry. Online games usually connect to a central server. That presents the issue of the game being unplayable once the online game and its server are gone.

Many people have chosen to counter this issue by setting up their own game servers. That also allows them to change the game, revive old games for nostalgia’s sake, change aspects of it to meet their own needs, and so on.

But how legal is it to set up a private server without the game developer’s permission? Usually, this happens through leaked or stolen code, which is illegal in itself as it breaches copyright.

Furthermore, private server hosts often take donations to keep the server running. Emulating current servers is more troublesome than bringing back old games that no longer exist.

More Grey Areas

Another grey zone is whether you are the one hosting the server or playing on it. While hosting may easily be illegal, playing on private servers is not. People doing it can still get in trouble, in any case.

There is a difference between official laws and license agreements that the user has with the gaming company and developer. Playing on private servers can infringe the contract you have entered into with the game developer.

Since copyright is usually concerned with distribution issues rather than private use, it is unlikely you will get fined. Still, if you want to support the game developer because you love the game and want to see more of it coming to life, you should play on the official servers instead. Not to mention that connecting to an unofficial game server can expose your machine to cyber attacks, since most of these unofficial game servers do not have proper cybersecurity defenses.

The only reason and grey zone that would warrant playing on private servers is if the game’s developers abandoned it with no official server left.