South Capitol Street

The New York Times has a must-read report on how Israel tested the Stuxnet computer worm which was later found effective against the Iranian nuclear program.

Highlight: “The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.”
Taegan Goddard’s Political Wire

According to a top Computer expert from Germany the Stuxnet virus which as been wreaking havoc on the Iranian nuclear program is just as effective as a military strike. Actually it is more effective,  it has set back Iran’s quest for nuclear capability by at least two years which is the best that can be hoped for with a military strike. And it was done without all the “mess” and human suffering which comes with a military strike

Little by little scientists are beginning to understand Stuxnet a computer worm developed with the sole purpose of doing what sanctions were not able to do, slow down the Iranian march to nuclear weapons. During the past year, Stuxnet the computer worm with a message from the biblical Queen Esther, not only crippled Iran’s nuclear program but has caused  a major rethinking of computer security around the globe (if you want to know how Stuxnet works click here).

According to a report in the Sunday NY Times, Stuxnet was tested in the Dimona facility in Israel’s Negev desert. Dimona is the (officially non-existent)plant where Israel runs its (officially non-existent) nuclear weapons program

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Officially US and Israeli officials will not discuss what has been going in the middle of the Negev, but new clues point to the fact that thevirus was designed as an American-Israeli project to sabotage the Iranian program.

In recent days, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s efforts had been set back by several years.  Clinton cited the “weak” sanctions, which have supposedly damaged Iran’s ability to buy components.  Dagan, told the Israeli Knesset in recent days that Iran had run into technological difficulties (Stuxnet) that could delay a bomb until 2015.

As the virus continues to infect Iranian computers computer experts across the world are trying to figure out where Stuxnet came from. There is nothing but circumstantial evidence and it all points to the US and Israel). For example

In early 2008 the German company Siemens cooperated with one of the United States’ premier national laboratories, in Idaho, to identify the vulnerabilities of computer controllers that the company sells to operate industrial machinery around the world — and that American intelligence agencies have identified as key equipment in Iran’s enrichment facilities. Seimens says that program was part of routine efforts to secure its products against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which is part of the Energy Department, responsible for America’s nuclear arms — the chance to identify well-hidden holes in the Siemens systems that were exploited the next year by Stuxnet.

There is also the fact that computer scientists who are analyzing the computer worm have found a file name that seemingly refers to the Biblical Queen Esther.  Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament narrative in which the Jewish Queen Esther pre-empts a Persian plot to kill all the Jews. One of the key files in Stuxnet was named “Myrtus” (myrtle) by the unknown designer. The biblical Esther’s original name was Hadassah, which is Hebrew for myrtle.

Officially, neither American nor Israeli officials will even utter the name of the malicious computer program, much less describe any role in designing it.

But Israeli officials grin widely when asked about its effects. Mr. Obama’s chief strategist for combating weapons of mass destruction, Gary Samore, sidestepped a Stuxnet question at a recent conference about Iran, but added with a smile: “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”

One interesting part of the program is that it was put in motion by President Bush. Yes liberals, this time you can say it, Bush did it.

The project’s political origins can be found in the last months of the Bush administration. In January 2009, The New York Times reported that Mr. Bush authorized a covert program to undermine the electrical and computer systems around Natanz, Iran’s major enrichment center. President Obama, first briefed on the program even before taking office, sped it up, according to officials familiar with the administration’s Iran strategy. So did the Israelis, other officials said. Israel has long been seeking a way to cripple Iran’s capability without triggering the opprobrium, or the war, that might follow an overt military strike of the kind they conducted against nuclear facilities in Iraq in 1981 and Syria in 2007.

The construction of the worm was so advanced, it was “like the arrival of an F-35 into a World War I battlefield,” says Ralph Langner, the computer expert who was the first to sound the alarm about Stuxnet. Langner, who runs a small computer security company in a suburb of Hamburg, had his five employees focus on picking apart the code and running it on the series of Siemens controllers neatly stacked in racks, their lights blinking.

He quickly discovered that the worm only kicked into gear when it detected the presence of a specific configuration of controllers, running a set of processes that appear to exist only in a centrifuge plant. “The attackers took great care to make sure that only their designated targets were hit,” he said. “It was a marksman’s job.”

For example, one small section of the code appears designed to send commands to 984 machines linked together.

Curiously, when international inspectors visited Natanz in late 2009, they found that the Iranians had taken out of service a total of exactly 984 machines that had been running the previous summer.

Interesting coincidence?

But as Mr. Langner kept peeling back the layers, he found more — what he calls the “dual warhead.” One part of the program is designed to lie dormant for long periods, then speed up the machines so that the spinning rotors in the centrifuges wobble and then destroy themselves. Another part, called a “man in the middle” in the computer world, sends out those false sensor signals to make the system believe everything is running smoothly. That prevents a safety system from kicking in, which would shut down the plant before it could self-destruct.

“Code analysis makes it clear that Stuxnet is not about sending a message or proving a concept,” Mr. Langner later wrote. “It is about destroying its targets with utmost determination in military style.”

This was not the work of hackers, he quickly concluded. It had to be the work of someone who knew his way around the specific quirks of the Siemens controllers and had an intimate understanding of exactly how the Iranians had designed their enrichment operations.

The reason why Stuxnet had knowledge of the workings of the Iranian centrifuges may have to do with the fact that those same type of centrifuges showed up in Dimona.

The account starts in the Netherlands. In the 1970s, the Dutch designed a tall, thin machine for enriching uranium. As is well known, A. Q. Khan, a Pakistani metallurgist working for the Dutch, stole the design and in 1976 fled to Pakistan.

The resulting machine, known as the P-1, for Pakistan’s first-generation centrifuge, helped the country get the bomb. And when Dr. Khan later founded an atomic black market, he illegally sold P-1’s to Iran, Libya, and North Korea.

The P-1 is more than six feet tall. Inside, a rotor of aluminum spins uranium gas to blinding speeds, slowly concentrating the rare part of the uranium that can fuel reactors and bombs.

How and when Israel obtained this kind of first-generation centrifuge remains unclear, whether from Europe, or the Khan network, or by other means. But nuclear experts agree that Dimona came to hold row upon row of spinning centrifuges.

“They’ve long been an important part of the complex,” said Avner Cohen, author of “The Worst-Kept Secret” (2010), a book about the Israeli bomb program, and a senior fellow at the Monterey Institute of International Studies. He added that Israeli intelligence had asked retired senior Dimona personnel to help on the Iranian issue, and that some apparently came from the enrichment program.

“I have no specific knowledge,” Dr. Cohen said of Israel and the Stuxnet worm. “But I see a strong Israeli signature and think that the centrifuge knowledge was critical.”

…Dr. Cohen said his sources told him that Israel succeeded — with great difficulty — in mastering the centrifuge technology. And the American expert in nuclear intelligence, who spoke on the condition of anonymity, said the Israelis used machines of the P-1 style to test the effectiveness of Stuxnet.

The expert added that Israel worked in collaboration with the United States in targeting Iran, but that Washington was eager for “plausible deniability.”

One thing can’t be denied, the Stuxnet worm has been a major obstacle to Iran’s desire to obtain nuclear weapons, saving Israel from having to attack Iran at least for a while.  Who ever developed the virus lets hope they are working on a follow-up because 2015 is not that far away.

Please email me at [email protected] to be put onto my mailing list.
Feel free to reproduce any article but please link back to http://yidwithlid.blogspot.com

YID With LID

(Orin Kerr)

…goes to the arguments made by Sony’s lawyers in a complaint and motion for a TRO in a recently-filed civil case: Sony Sues PS3 Hackers. The argument: You’re guilty of felony computer hacking crimes if you access your own computer in a way that violates a contractual restriction found in the fine print of the licensing restriction of the product imposed by the manufacturer.

I realize the complaint characterizes the defendants as hackers, and the CFAA is supposed to be about hacking. But think for a moment about the nature of this claim. You bought the computer. You own it. You can sell it. You can light it on fire. You can bring it to the ocean, put it on a life raft, and push it out to sea. But if you dare do anything that violates the fine print of the license that the manufacturer is trying to impose, then you’re guilty of trespassing onto your own property. And it’s not just a civil wrong, it’s a crime. And according to the motion for a TRO, it’s not just a crime, it’s a serious felony crime.

I’ve seen a lot of civil cases trying to use the vague language of the Computer Fraud and Abuse Act in creative ways. But this is the first case I know of claiming that you can commit an unauthorized access of your own computer. And that claim justifies today’s award for the Silliest Theory of the Computer Fraud and Abuse Act.

The Volokh Conspiracy

The disinformers claim that projections of dangerous future warming from greenhouse gas emissions are based on computer models.  In fact, ClimateProgress readers know that the paleoclimate data is considerably more worrisome than the models (see Hansen: ‘Long-term’ climate sensitivity of 6°C for doubled CO2).  That’s mainly because the vast majority of the models largely ignore key amplifying carbon-cycle feedbacks, such as the methane emissions from melting tundra (see Are Scientists Underestimating Climate Change).

Science has just published an important review and analysis of “real world” paleoclimate data in “Lessons from Earth’s Past” (subs. req’d) by National Center for Atmospheric Research (NCAR) scientist Jeffrey Kiehl.  The NCAR release is here: “Earth’s hot past could be prologue to future climate.”  The study begins by noting:

Climate models are invaluable tools for understanding Earth’s climate system. But examination of the real world also provides insights into the role of greenhouse gases (carbon dioxide) in determining Earth’s climate. Not only can much be learned by looking at the observational evidence from Earth’s past, but such know ledge can provide context for future climate change.

The atmospheric CO₂ concentration currently is 390 parts per million by volume (ppmv), and continuing on a business-as-usual path of energy use based on fossil fuels will raise it to ∼900 to 1100 ppmv by the end of this century (see the first figure) (1). When was the last time the atmosphere contained ∼1000 ppmv of CO₂? Recent reconstructions (2–4) of atmospheric CO₂ concentrations through history indicate that it has been ∼30 to 100 million years since this concentration existed in the atmosphere (the range in time is due to uncertainty in proxy values of CO₂). The data also reveal that the reduction of CO₂ from this high level to the lower levels of the recent past took tens of millions of years. Through the burning of fossil fuels, the atmosphere will return to this concentration in a matter of a century. Thus, the rate of increase in atmospheric CO₂ is unprecedented in Earth’s history.

I will repost the references at the end, since this is a review article (see also U.S. media largely ignores latest warning from climate scientists: “Recent observations confirm … the worst-case IPCC scenario trajectories (or even worse) are being realised” — 1000 ppm)

So now the question is — how much warmer was it back then?

What was Earth’s climate like at the time of past elevated CO₂? Consider one example when CO₂ was ∼1000 ppmv at ∼35 million years ago (Ma) (2). Temperature data (5, 6) for this time period indicate that tropical to subtropical sea surface temperatures were in the range of 35° to 40°C (versus present-day temperatures of ∼30°C) and that sea surface temperatures at polar latitudes in the South Pacific were 20° to 25°C (versus modern temperatures of ∼5°C). The paleogeography of this time was not radically different from present-day geography, so it is difficult to argue that this difference could explain these large differences in temperature. Also, solar physics findings show that the Sun was less luminous by ∼0.4% at that time (7). Thus, an increase of CO₂ from ∼300 ppmv to 1000 ppmv warmed the tropics by 5° to 10°C and the polar regions by even more (i.e., 15° to 20°C).

What can we learn from Earth’s past concerning the climate’s sensitivity to greenhouse gas increases? Accounting for the increase in CO₂ and the reduction in solar irradiance, the net radiative forcing—the change in the difference between the incoming and outgoing radiation energy–of the climate system at 30 to 40 Ma was 6.5 to 10 W m⁻² with an average of ∼8 W m⁻². A similar magnitude of forcing existed for other past warm climate periods, such as the warm mid-Cretaceous of 100 Ma (8). Using the proxy temperature data and assuming, to first order, that latitudinal temperature can be fit with a cosine function in latitude (9), the global annual mean temperature at this time can be estimated to be ∼31°C, versus 15°C during pre-industrial times (around 1750) (10). Thus, Earth was ∼16°C warmer at 30 to 40 Ma. The ratio of change in surface temperature to radiative forcing is called the climate feedback factor (11). The data for 30 to 40 Ma indicate that Earth’s climate feedback factor was ∼2°C W⁻¹ m⁻². Estimates (1, 11) of the climate feedback factor from climate model simulations for a doubling of CO₂ from the present-day climate state are ∼0.5 to 1°C W⁻¹ m⁻². The conclusion from this analysis—resting on data for CO₂ levels, paleotemperatures, and radiative transfer knowledge—is that Earth’s sensitivity to CO₂ radiative forcing may be much greater than that obtained from climate models (12–14).

Indeed, in the release, Kiehl notes his study “found that carbon dioxide may have at least twice the effect on global temperatures than currently projected by computer models of global climate.”

Why is the ‘real world’ warming so much greater than the models?  The vast majority of the models focus on the equilibrium climate sensitivity — typically estimated at about 3°C for double CO2 (equivalent to about ¾°C per W/m2) — only includes fast feedbacks, such as water vapor and sea ice.  As Hansen has explained in deriving his 6°C ‘long-term’ sensitivity:

Elsewhere (Hansen et al. 2007a) we have described evidence that slower feedbacks, such as poleward expansion of forests, darkening and shrinking of ice sheets, and release of methane from melting tundra, are likely to be significant on decade-century time scales. This realization increases the urgency of estimating the level of climate change that would have dangerous consequences for humanity and other creatures on the planet, and the urgency of defining a realistic path that could avoid these dangerous consequence.

For background on the tundra (and methane), see Science: Vast East Siberian Arctic Shelf methane stores destabilizing and venting:  NSF issues world a wake-up call: “Release of even a fraction of the methane stored in the shelf could trigger abrupt climate warming.”

Methane release from the not-so-perma-frost is the most dangerous amplifying feedback in the entire carbon cycle.  The permafrost permamelt contains a staggering “1.5 trillion tons of frozen carbon, about twice as much carbon as contained in the atmosphere,” much of which would be released as methane.  Methane is  is 25 times as potent a heat-trapping gas as CO2 over a 100 year time horizon, but 72 times as potent over 20 years!  The carbon is locked in a freezer in the part of the planet warming up the fastest (see “Tundra 4: Permafrost loss linked to Arctic sea ice loss“).  Half the land-based permafrost would vanish by mid-century on our current emissions path (see “Tundra, Part 2: The point of no return” and below).  No climate model currently incorporates the amplifying feedback from methane released by a defrosting tundra.

Kiehl’s work is in line with other major studies, like this one:

Scientists analyzed data from a major expedition to retrieve deep marine sediments beneath the Arctic to understand the Paleocene Eocene thermal maximum, a brief period some 55 million years ago of “widespread, extreme climatic warming that was associated with massive atmospheric greenhouse gas input.” This 2006 study, published in Nature (subs. req’d), found Artic temperatures almost beyond imagination–above 23°C (74°F)–temperatures more than 18°F warmer than current climate models had predicted when applied to this period. The three dozen authors conclude that existing climate models are missing crucial feedbacks that can significantly amplify polar warming.

How long might it take for the extra warming to kick in?  That isn’t known for certain, but two major studies looking at paleoclimate data that Kiehl didn’t cite suggest it’s sooner rather than later:

A study published in Geophysical Research Letters (subs. req’d) looked at temperature and atmospheric changes during the Middle Ages. This 2006 study found that the effect of amplifying feedbacks in the climate system–where global warming boosts atmospheric CO2 levels–”will promote warming by an extra 15 percent to 78 percent on a century-scale” compared to typical estimates by the U.N.’s Intergovernmental Panel on Climate Change. The study notes these results may even be “conservative” because they ignore other greenhouse gases such as methane, whose levels will likely be boosted as temperatures warm.

A second study, published in Geophysical Research Letters, “Missing feedbacks, asymmetric uncertainties, and the underestimation of future warming” (subs. req’d), looked at temperature and atmospheric changes during the past 400,000 years. This study found evidence for significant increases in both CO2 and methane (CH4) levels as temperatures rise. The conclusion: If our current climate models correctly accounted for such “missing feedbacks,” then “we would be predicting a significantly greater increase in global warming than is currently forecast over the next century and beyond”–as much as 1.5°C warmer this century alone.

In the longer term, past 2100, if we were to get anywhere near the kind of warming that Kiehl’s analysis of the paleoclimate data suggests we are headed to, that could render large tracts of the planet uninhabitable.  That was the conclusion of a recent PNAS paper coauthored by Matthew Huber, professor of earth and atmospheric sciences at Purdue (release here).  I haven’t blogged on it, but I guess I will have to now.  The bottom line:

“We found that a warming of 12 degrees Fahrenheit would cause some areas of the world to surpass the wet-bulb temperature limit, and a 21-degree warming would put half of the world’s population in an uninhabitable environment,” Huber said. “When it comes to evaluating the risk of carbon emissions, such worst-case scenarios need to be taken into account. It’s the difference between a game of roulette and playing Russian roulette with a pistol. Sometimes the stakes are too high, even if there is only a small chance of losing.”

So don’t even think about what 29°F warming could mean.

Kiehl concludes:

The above arguments weave together a number of threads in the discussion of climate that have appeared over the past few years. They rest on observations and geochemical modeling studies. Of course, uncertainties still exist in deduced CO₂ and surface temperatures, but some basic conclusions can be drawn. Earth’s CO₂ concentration is rapidly rising to a level not seen in ∼30 to 100 million years, and Earth’s climate was extremely warm at these levels of CO₂. If the world reaches such concentrations of atmospheric CO₂, positive feedback processes can amplify global warming beyond current modeling estimates. The human species and global ecosystems will be placed in a climate state never before experienced in their evolutionary history and at an unprecedented rate. Note that these conclusions arise from observations from Earth’s past and not specifically from climate models. Will we, as a species, listen to these messages from the past in order to avoid repeating history?

Will we?

Related Posts:

• Royal Society special issue details ‘hellish vision’ of 7°F (4°C) world — which we may face in the 2060s!
• A stunning year in climate science reveals that human civilization is on the precipice
• Science: CO2 levels haven’t been this high for 15 million years, when it was 5° to 10°F warmer and seas were 75 to 120 feet higher — “We have shown that this dramatic rise in sea level is associated with an increase in CO2 levels of about 100 ppm.”
• Nature Geoscience study: Oceans are acidifying 10 times faster today than 55 million years ago when a mass extinction of marine species occurred

References:

1. S. Solomon et al Climate Change 2007: The Physical Science Basis. Contribution of Working Group I to the Fourth Assessment Report of the Intergovernmental Panel on Climate Change, S. Solomon et al., Eds. (Cambridge Univ. Press, Cambridge, UK, 2007).
2. M. Pagani, J. C. Zachos, K. H. Freeman, B. Tipple, S. Bohaty , Science 309, 600 (2005); 10.1126/science.1110063. doi:10.1126/science.1110063Abstract/FREE Full Text
3. B. J. Fletcher, S. J. Brentnall, C. W. Anderson, R. A. Berner, D. J. Beerling , Nat. Geosci. 1, 43 (2008). CrossRefWeb of Science
4. D. O. Breecker, Z. D. Sharp, L. D. McFaddenn , Proc. Natl. Acad. Sci. U.S.A. 107, 576 (2010). Abstract/FREE Full Text
5. P. K. Bijl, S. Schouten, A. Sluijs, G. J. Reichart, J. C. Zachos, H. Brinkhuis , Nature 461, 776 (2009). CrossRefMedlineWeb of Science
6. P. N. Pearson et al ., Geology 35, 211 (2007). Abstract/FREE Full Text
7. D. O. Gough, Sol. Phys. 74, 21 (1981). CrossRef
8. D. L. Royer, Geochim. Cosmochim. Acta 70, 5665 (2006). CrossRefWeb of Science
9. G. R. North, J. Atmos. Sci. 32, 2033 (1975). CrossRef
10. The cosine temperature expression can be integrated analytically to obtain the global annual mean temperature. Paleotemperatures from (5) for a subtropical location and a high southern latitude location were used to determine the two coefficients in the analytical expression for global mean temperature.
11. S. E. Schwartz, Clim. Change; 10.1007/s10584-010-9903-9 (2010). doi:10.1007/s10584-010-9903-9 CrossRef
12. J. Hansen et al., Open Atmos. Sci. 2, 217 (2008).
13. P. K. Bijl, A. J. Houben, S. Schouten, S. M. Bohaty, A. Sluijs, G. J. Reichart, J. S. Sinninghe Damsté, H. Brinkhuis , Science 330, 819 (2010). Abstract/FREE Full Text
14. D. J. Lunt et al., Nat. Geosci. 3, 60 (2010). CrossRefWeb of Science

Climate Progress

(Eugene Volokh)

I’m looking for fun math drill computer games for a 7-year-old who is pretty good at math. He’s learning two-digit multiplication (12 x 34), two-by-one-digit division yielding fractions (15 / 4), and extremely simple algebra (4x + 13 = 31). The conceptual work and problem-solving skills are being taught. But he needs some time putting the principles into practice, and my sense from knowing his temperament is that a fun computer game — as opposed to paper-and-pencil work, or even pure online drill without fun elements — is most likely to keep him engaged.

Can any of you recommend some such games? Let me know, please, if you can. Many thanks!

The Volokh Conspiracy

(Eugene Volokh)

From State v. Jensen (Dec. 29, 2010):

¶37 This case was not a classic whodunit. Jensen’s counsel told the jury in opening statements that the facts will prove Julie killed herself and tried to frame Jensen for her murder. Thus, any evidence favoring the State’s homicide charge or disfavoring Jensen’s suicide/framing theory strengthened the State’s case. Again, we underscore that the below summary is meant only to be illustrative and does not convey the entirety of the compelling case the State presented to the jury:

1. The computer evidence. This was probably the most incriminating other evidence. In October 1998, the Jensens’ home computer revealed that searches for various means of death coincided with e-mails between Jensen and his then-paramour, Kelly, discussing how they planned to deal with their respective spouses and begin “cleaning up [their] lives” so they could be together and take a cruise the next year. Jensen was evasive when Kelly asked him how he planned to take care of his “details” and, significantly, Jensen’s e-mails did not mention divorce at all. On the same date Jensen was planning a future with Kelly, his home computer revealed Internet searches for botulism, poisoning, pipe bombs and mercury fulminate. A website was visited that explained how to reverse the polarity of a swimming pool — the Jensens had a pool — by switching the wires around, likening the result to the 4th of July. The State pointed out the absence of Internet searches on topics like separation, divorce, child custody or marital property.

Significantly strong was the evidence of the Internet sites visited on the morning of Julie’s death. Exhibit 89 reveals a 7:40 a.m. search for “ethylene glycol poisoning.” Jensen told Ratzburg that the morning of Julie’s death she “could hardly sit up,” she “was not able to get out of bed,” and she “was not able to move around and function.” Jensen said he was propping Julie up in bed at 7:30 a.m., which was ten minutes before the search for ethylene glycol poisoning, and that he did not leave home to take their son to preschool until 8:00 or 9:00 a.m.

Finally, the State presented abundant evidence that Julie rarely used computers and that, in contrast, Jensen was a skilled computer user and avid Internet surfer.

Note that this was just part of the evidence introduced to the jury; I quote this to show how such evidence could be used, in conjunction with other evidence, and not to suggest that such evidence alone would generally suffice to convict.

The Volokh Conspiracy

(Orin Kerr)

Last week, the Eleventh Circuit decided an important case, United States v. Rodriguez, on the computer crime statute known as the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The decision by Judge Pryor touches on the same issue that was in play in the Lori Drew case: When does violating express conditions on computer use constitute a crime? The court’s conclusion seems right on its specific facts, but I worry that it will be construed as adopting a very broad theory that would be very troubling. So I wanted to introduce the legal issue, then talk about the Rodriguez case, and then return to the legal issue and talk about how it might apply going forward.

I. The Prohibition on Unauthorized Access

First, some context. Federal law makes it a crime to “exceed authorized access” to a “protected computer” and thereby obtain “information.” 18 U.S.C. 1030(a)(2)(C). Essentially everything on the planet Earth that contains a microchip is a “protected computer”; any data at all counts as “information”; and merely reading information counts as “obtaining” it. As a result, whenever you’re using a computer, the line between computer use that is legal and computer use that can have you arrested and thrown in jail hinges almost entirely on what makes computer use “exceed authorized access.”

The phrase “exceed authorized access” is a defined phrase, but unfortunately the definition is almost entirely circular. According to 18 U.S.C. 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” That’s not a very helpful definition, if you think about it. Entitlement and authorization mean the same thing. As a result, the definition just says that you exceed authorized access when you have authorization but then you, well, exceed it, by doing something you’re not authorized to do. The missing aspect of the definition is what principle governs authorization (or entitlement, if you prefer). Is it just the computer owner’s say so? Does it require the computer owner to put up some sort of password gate that limits authorization? How do you know what you’re entitled to do for purposes of the criminal law?

This is a really hard question, I think. To see why it’s hard, consider the following eight scenarios. Specifically, consider which of the people in these scenarios “exceeded authorized access” to a computer in violation of federal law:

1) A government employee who has access to a sensitive national security database that he is only permitted to use for official reasons instead uses the database in order to collect private data and sell it to the Chinese government.
2) An Social Security Administration employee who has access to a Social Security database that he is only permitted to use for official reasons instead uses the database just to check out private information on friends and others for purely personal reasons.
3) An associate of a consulting company who is told that he can only access his employer’s computer files for work-related reasons instead looks through the employer’s files because he is thinking of leaving to start a competitor business and is looking for ideas of future clients and services.
4) A city employee who is told that he can only access the city’s computer for work-related reasons instead spends five minutes a day surfing the Internet for pornography.
5) A mother who signs up for a MySpace account that the Terms of Service condition on being entirely truthful in setting up a profile instead lies on the profile and uses the MySpace account anyway.
6) A law student who is forbidden by law school policy to access the law school network during class decides to do so anyway to check his e-mail during a particularly boring lecture.
7) The New York Times reports that there is a website set up at www.dontvisitthiswebsite.com that has some incredible pictures posted. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. A reader of the Times wants to see the pictures anyway and visits the website from his home Internet connection.
The Volokh Conspiracy announces a new rule that you are only allowed to the visit the blog is your goal in doing so is to further libertarianism. Someone visits the blog to post comments criticizing libertarianism.

So which of these eight scenarios violate the federal criminal law prohibiting exceeding authorized access to a computer? In my experience, almost everyone says that the first scenario does. Most say that the second does, too. Scenarios #3, #4, and #5 draw a mixed reaction. Finally, most people think #6 isn’t a crime, and pretty much everyone agrees it would be utterly ridiculous for #7 or #8 to be a crime.

The problem is that the statute doesn’t provide an obvious way to get to these intuitive results. The intuitive results are based on intuitions of harm. We instinctively think that harmful things should be a crime, while entirely innocuous things shouldn’t be. But the prohibition on unauthorized access does not include a harm element. The statute prohibits exceeding authorized access in the model of a trespass statute, not exceeding authorized access in a way that is likely to cause a lot of harm. (Harm matters to get to the felony provisions, but not the misdemeanor provisions.) All eight scenarios listed above are variations on the same basic theme: In each case, the person was told by the owner/operator of the computer that they were not permitted to use the computer in that way or for that reason — but they did so anyway. All of which raises a profoundly important question: What principle governs when the announced restrictions on using a computer triggers criminal liability?

II. United States v. Rodriguez

The new case, United States v. Rodriguez, involved Scenario #2. Rodriguez was a Social Security Administration employee who used the SSA computers for purely personal reasons. The opinion explains:

From 1995 to 2009, Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions of the general public about social security benefits over the telephone. As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.

The Administration established a policy that prohibits an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases. From 2006 to 2008, Rodriguez refused to sign the acknowledgment forms. He asked a supervisor rhetorically, “Why give the government rope to hang me?” To monitor access and prevent unauthorized use, the Administration issued unique personal identification numbers and passwords to each TeleService employee and reviewed usage of the databases.

In August 2008, the Administration flagged Rodriguez’s personal identification number for suspicious activity. Administration records established that Rodriguez had accessed the personal records of 17 different individuals for nonbusiness reasons. The Administration informed Rodriguez that it was conducting a criminal investigation into his use of the databases, but Rodriguez continued his unauthorized use. None of the 17 victims knew that Rodriguez had obtained their personal information without authorization until investigators informed them of his actions.

Based on his conduct, Rodriguez was charged with 17 counts of unauthorized access, convicted, and sentenced to serve a year in prison. On appeal, he argued that his conduct did not exceed authorized access. In an opinion by Judge Pryor, the Eleventh Circuit treated that argument as almost frivolous:

The policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons. Rodriguez conceded at trial that his access of the victims’ personal information was not in furtherance of his duties as a TeleService representative and that “he did access things that were unauthorized.” In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.

In a subsequent part of the opinion, Judge Pryor made clear that “Rodriguez exceeded his authorized access and violated the Act” because “he obtained personal information for a nonbusiness reason.” Rodriguez tried to argue that he should not be held liable because his violation of SSA policy did not cause a greater harm or have a greater scheme to cause harm. But Judge Pryor properly noted that the basic prohibition on unauthorized access did not require a harm:

The misdemeanor penalty provision of the Act under which Rodriguez was convicted does not contain any language regarding purposes for committing the offense. See id. § 1030(c)(2)(A). Rodriguez’s argument would eviscerate the distinction between these misdemeanor and felony provisions. That Rodriguez did not use the information to defraud anyone or gain financially is irrelevant.

III. Commentary: What Are The Limits of Rodriguez?

Just based on its facts, the result in Rodriguez seems sound. In a sense, it is unremarkable. Indeed, the First Circuit noted the same conclusion in dicta in an early case with almost identical facts. See United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (noting, in an unauthorized access prosecution of an IRS employee who accessed the IRS database for personal reasons, that the defendant “unquestionably exceeded authorized access” by using the sensitive database for personal reasons). See also Commonwealth v. McFadden, 850 A.2d 1290 (Pa Super. Ct. 2004) (interpreting a state unauthorized access statute to punish use of a sensitive police computer system for personal reasons). And I suspect most people will say that based on the facts of Rodriguez, the result was correct. Rodriguez seems like a really bad guy, and his conduct was a pretty serious privacy violation.

What troubles me is that the Eleventh Circuit’s rationale seems broader than the facts of this one case. The rationale of the opinion suggests that the issue was trivially easy: There was a policy on access; the defendant violated it after being told not to; and therefore he exceeded authorized access. Pretty straightforward. The clarity of the rationale seems to support the view that accessing an employer’s computer for “a nonbusiness reason” after being told not to do so is a crime not just in this case, but for any limitation imposed and for any nonbusiness reason. In other words, while the rationale covers scenario #2, it also seems to cover scenario #3 and #4. And I suspect some readers will read the opinion to support even more of the scenarios — maybe #5, maybe even #6 and #7.

In a recent article, I tried to offer a way out of this mess: constitutional vagueness doctrine, the doctrine used in the Lori Drew case. In my essay, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561 (2010), I argued that defense attorneys should challenge readings of the unauthorized access as unconstitutionally vague in order to force the courts to adopt narrow interpretations. My view is that the requirements of vagueness doctrine should force courts to say that only certain kinds of restrictions on computer use in certain kinds of contexts can constitutionally be used to trigger the criminal prohibition on unauthorized access.

I don’t think such an argument would have worked for the defendant in the Rodriguez case, to be clear. Those facts strike me as pretty close to the core of the prohibition. But I’m worried about the next case. And I don’t think these are idle concerns. Scenarios #3, #4, and #5 are based on real criminal cases charged in the last two years. Scenario #3 is based on United States v. Nosal, 2009 WL 981336 (N.D. Cal. 2009); Scenario #4 is based on State v. Wolf, 2009 WL 1152185 (Ohio App. 2009); and Scenario #5 is based on the Lori Drew case. State and federal prosecutors have shown that they’re willing to take favorable precedents like Rodriguez and run with them through the different scenarios. Given that, it’s troubling to me when a court endorses the government’s theory in a case like this without any apparent realization of where the government is going next or the broader possible impact of the decision. To be clear, I’m not blaming the panel: This was a very strong panel; the opinion was authored by an excellent judge; and the facts of this case were pretty egregious. But I think the issue is a bit more complicated than the opinion suggests, and it’s frustrating when defense attorneys don’t successfully bring out these complications in ways that judges can factor in to their decisions.

Finally, if vagueness doctrine doesn’t help cure some of the problems with Section 1030, it would be nice if Congress revisited the statute to explain just what it wanted to criminalize. But then I wouldn’t hold my breath expecting that to happen any time soon.

For more on the overbreadth concerns raised by the Computer Fraud and Abuse Act, see my article Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes published in the NYU Law Review in 2003.

The Volokh Conspiracy

(Orin Kerr)

Last week, the Eleventh Circuit decided an important case, United States v. Rodriguez, on the computer crime statute known as the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The decision by Judge Pryor touches on the same issue that was in play in the Lori Drew case: When does violating express conditions on computer use constitute a crime? The court’s conclusion seems right on its specific facts, but I worry that it will be construed as adopting a very broad theory that would be very troubling. So I wanted to introduce the legal issue, then talk about the Rodriguez case, and then return to the legal issue and talk about how it might apply going forward.

I. The Prohibition on Unauthorized Access

First, some context. Federal law makes it a crime to “exceed authorized access” to a “protected computer” and thereby obtain “information.” 18 U.S.C. 1030(a)(2)(C). Essentially everything on the planet Earth that contains a microchip is a “protected computer”; any data at all counts as “information”; and merely reading information counts as “obtaining” it. As a result, whenever you’re using a computer, the line between computer use that is legal and computer use that can have you arrested and thrown in jail hinges almost entirely on what makes computer use “exceed authorized access.”

The phrase “exceed authorized access” is a defined phrase, but unfortunately the definition is almost entirely circular. According to 18 U.S.C. 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” That’s not a very helpful definition, if you think about it. Entitlement and authorization mean the same thing. As a result, the definition just says that you exceed authorized access when you have authorization but then you, well, exceed it, by doing something you’re not authorized to do. The missing aspect of the definition is what principle governs authorization (or entitlement, if you prefer). Is it just the computer owner’s say so? Does it require the computer owner to put up some sort of password gate that limits authorization? How do you know what you’re entitled to do for purposes of the criminal law?

This is a really hard question, I think. To see why it’s hard, consider the following eight scenarios. Specifically, consider which of the people in these scenarios “exceeded authorized access” to a computer in violation of federal law:

1) A government employee who has access to a sensitive national security database that he is only permitted to use for official reasons instead uses the database in order to collect private data and sell it to the Chinese government.
2) An Social Security Administration employee who has access to a Social Security database that he is only permitted to use for official reasons instead uses the database just to check out private information on friends and others for purely personal reasons.
3) An associate of a consulting company who is told that he can only access his employer’s computer files for work-related reasons instead looks through the employer’s files because he is thinking of leaving to start a competitor business and is looking for ideas of future clients and services.
4) A city employee who is told that he can only access the city’s computer for work-related reasons instead spends five minutes a day surfing the Internet for pornography.
5) A mother who signs up for a MySpace account that the Terms of Service condition on being entirely truthful in setting up a profile instead lies on the profile and uses the MySpace account anyway.
6) A law student who is forbidden by law school policy to access the law school network during class decides to do so anyway to check his e-mail during a particularly boring lecture.
7) The New York Times reports that there is a website set up at www.dontvisitthiswebsite.com that has some incredible pictures posted. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. A reader of the Times wants to see the pictures anyway and visits the website from his home Internet connection.
The Volokh Conspiracy announces a new rule that you are only allowed to the visit the blog is your goal in doing so is to further libertarianism. Someone visits the blog to post comments criticizing libertarianism.

So which of these eight scenarios violate the federal criminal law prohibiting exceeding authorized access to a computer? In my experience, almost everyone says that the first scenario does. Most say that the second does, too. Scenarios #3, #4, and #5 draw a mixed reaction. Finally, most people think #6 isn’t a crime, and pretty much everyone agrees it would be utterly ridiculous for #7 or #8 to be a crime.

The problem is that the statute doesn’t provide an obvious way to get to these intuitive results. The intuitive results are based on intuitions of harm. We instinctively think that harmful things should be a crime, while entirely innocuous things shouldn’t be. But the prohibition on unauthorized access does not include a harm element. The statute prohibits exceeding authorized access in the model of a trespass statute, not exceeding authorized access in a way that is likely to cause a lot of harm. (Harm matters to get to the felony provisions, but not the misdemeanor provisions.) All eight scenarios listed above are variations on the same basic theme: In each case, the person was told by the owner/operator of the computer that they were not permitted to use the computer in that way or for that reason — but they did so anyway. All of which raises a profoundly important question: What principle governs when the announced restrictions on using a computer triggers criminal liability?

II. United States v. Rodriguez

The new case, United States v. Rodriguez, involved Scenario #2. Rodriguez was a Social Security Administration employee who used the SSA computers for purely personal reasons. The opinion explains:

From 1995 to 2009, Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions of the general public about social security benefits over the telephone. As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.

The Administration established a policy that prohibits an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases. From 2006 to 2008, Rodriguez refused to sign the acknowledgment forms. He asked a supervisor rhetorically, “Why give the government rope to hang me?” To monitor access and prevent unauthorized use, the Administration issued unique personal identification numbers and passwords to each TeleService employee and reviewed usage of the databases.

In August 2008, the Administration flagged Rodriguez’s personal identification number for suspicious activity. Administration records established that Rodriguez had accessed the personal records of 17 different individuals for nonbusiness reasons. The Administration informed Rodriguez that it was conducting a criminal investigation into his use of the databases, but Rodriguez continued his unauthorized use. None of the 17 victims knew that Rodriguez had obtained their personal information without authorization until investigators informed them of his actions.

Based on his conduct, Rodriguez was charged with 17 counts of unauthorized access, convicted, and sentenced to serve a year in prison. On appeal, he argued that his conduct did not exceed authorized access. In an opinion by Judge Pryor, the Eleventh Circuit treated that argument as almost frivolous:

The policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons. Rodriguez conceded at trial that his access of the victims’ personal information was not in furtherance of his duties as a TeleService representative and that “he did access things that were unauthorized.” In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.

In a subsequent part of the opinion, Judge Pryor made clear that “Rodriguez exceeded his authorized access and violated the Act” because “he obtained personal information for a nonbusiness reason.” Rodriguez tried to argue that he should not be held liable because his violation of SSA policy did not cause a greater harm or have a greater scheme to cause harm. But Judge Pryor properly noted that the basic prohibition on unauthorized access did not require a harm:

The misdemeanor penalty provision of the Act under which Rodriguez was convicted does not contain any language regarding purposes for committing the offense. See id. § 1030(c)(2)(A). Rodriguez’s argument would eviscerate the distinction between these misdemeanor and felony provisions. That Rodriguez did not use the information to defraud anyone or gain financially is irrelevant.

III. Commentary: What Are The Limits of Rodriguez?

Just based on its facts, the result in Rodriguez seems sound. In a sense, it is unremarkable. Indeed, the First Circuit noted the same conclusion in dicta in an early case with almost identical facts. See United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (noting, in an unauthorized access prosecution of an IRS employee who accessed the IRS database for personal reasons, that the defendant “unquestionably exceeded authorized access” by using the sensitive database for personal reasons). See also Commonwealth v. McFadden, 850 A.2d 1290 (Pa Super. Ct. 2004) (interpreting a state unauthorized access statute to punish use of a sensitive police computer system for personal reasons). And I suspect most people will say that based on the facts of Rodriguez, the result was correct. Rodriguez seems like a really bad guy, and his conduct was a pretty serious privacy violation.

What troubles me is that the Eleventh Circuit’s rationale seems broader than the facts of this one case. The rationale of the opinion suggests that the issue was trivially easy: There was a policy on access; the defendant violated it after being told not to; and therefore he exceeded authorized access. Pretty straightforward. The clarity of the rationale seems to support the view that accessing an employer’s computer for “a nonbusiness reason” after being told not to do so is a crime not just in this case, but for any limitation imposed and for any nonbusiness reason. In other words, while the rationale covers scenario #2, it also seems to cover scenario #3 and #4. And I suspect some readers will read the opinion to support even more of the scenarios — maybe #5, maybe even #6 and #7.

In a recent article, I tried to offer a way out of this mess: constitutional vagueness doctrine, the doctrine used in the Lori Drew case. In my essay, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561 (2010), I argued that defense attorneys should challenge readings of the unauthorized access as unconstitutionally vague in order to force the courts to adopt narrow interpretations. My view is that the requirements of vagueness doctrine should force courts to say that only certain kinds of restrictions on computer use in certain kinds of contexts can constitutionally be used to trigger the criminal prohibition on unauthorized access.

I don’t think such an argument would have worked for the defendant in the Rodriguez case, to be clear. Those facts strike me as pretty close to the core of the prohibition. But I’m worried about the next case. And I don’t think these are idle concerns. Scenarios #3, #4, and #5 are based on real criminal cases charged in the last two years. Scenario #3 is based on United States v. Nosal, 2009 WL 981336 (N.D. Cal. 2009); Scenario #4 is based on State v. Wolf, 2009 WL 1152185 (Ohio App. 2009); and Scenario #5 is based on the Lori Drew case. State and federal prosecutors have shown that they’re willing to take favorable precedents like Rodriguez and run with them through the different scenarios. Given that, it’s troubling to me when a court endorses the government’s theory in a case like this without any apparent realization of where the government is going next or the broader possible impact of the decision. To be clear, I’m not blaming the panel: This was a very strong panel; the opinion was authored by an excellent judge; and the facts of this case were pretty egregious. But I think the issue is a bit more complicated than the opinion suggests, and it’s frustrating when defense attorneys don’t successfully bring out these complications in ways that judges can factor in to their decisions.

Finally, if vagueness doctrine doesn’t help cure some of the problems with Section 1030, it would be nice if Congress revisited the statute to explain just what it wanted to criminalize. But then I wouldn’t hold my breath expecting that to happen any time soon.

For more on the overbreadth concerns raised by the Computer Fraud and Abuse Act, see my article Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes published in the NYU Law Review in 2003.

The Volokh Conspiracy

My computer has returned to its ways, meaning it took me a full two hours to get it to even open up email and Internet Explorer! Needless to say, blogging may be difficult.

I have a post in draft I will now shoot off quickly, but after that, we’ll have to see.

In the meantime, please shmooze in the comments. And if you want to help out with my New Computer Fund, see here.

Israellycool

As if all the stories about body scanners and crotch-grabbing weren’t enough to cause you to question the effectiveness of the TSA, here’s a story from Houston where they missed an actual weapon as it made its way through their security scans:

Houston businessman Farid Seif says it was a startling discovery. He didn’t intend to bring a loaded gun on a flight out of Houston and can’t understand how TSA screeners didn’t catch it.

Nearing the height of last year’s Christmas travel season, TSA screeners at Bush Intercontinental Airport somehow missed a loaded pistol, one that was tucked away inside a carry-on computer bag.

“I mean, this is not a small gun,” Seif said. “It’s a .40 caliber gun.”

Seif says it was an accident which he didn’t realize until he arrived at his destination. He says he carries the glock for protection but forgot to remove it from his bag. He reported the incident as soon as he landed, shocked at the security lapse.

“There’s nothing else in there. How can you miss it? You cannot miss it,” Seif said.

Authorities tell ABC News the incident is not uncommon, but how often it occurs is a closely guarded government secret. Experts say every year since the September 11 attacks, federal agencies have conducted random, covert tests of airport security.

A person briefed on the latest tests tells ABC News the failure rate approaches 70 percent at some major airports. Two weeks ago, TSA’s new director said every test gun, bomb part or knife got past screeners at some airports.

“It’s very concerning. I’m very scared. First of al, I can’t even believe it could happen,” traveler Joy Mansfield said.

“It makes you wonder what exactly all the security hoopla is all about if a loaded gun can go through,” traveler Leeza Erfesoglou said.

Indeed, it does make you wonder. Although I guess that things would’ve been different if Seif had hidden the gun in an area that would’ve been subject to TSA groping.

H/T: Radley Balko

Outside the Beltway

This out of Michigan. Leon Walker (pictured above) of Rochester Hills is charged under a law meant to prevent identity theft, and could face up to five years in prison, for reading his wife’s email.

Using a laptop in the couple’s home, Walker logged on to his wife’s Gmail account and learned she was having an affair. Walker believed the affair involved a man with an abusive history and provided information to his wife’s first husband to protect their child. Walker and his wife have since divorced and she is pressing charges.

The Detroit Free Press reports:

About 45% of divorce cases involve some snooping — and gathering — of e-mail, Facebook and other online material… those are generally used by the warring parties for civil reasons — not for criminal prosecution.

Clara Walker claims the laptop in question was her personal laptop and the email account was password protected. Leon Walker has responded that the computer was a family laptop and that his wife kept a small notebook next to the computer with her passwords for various accounts.

Oakland County, Michigan prosecutors insist that Walker’s actions fall within the statute and are proceeding with the charges. They point out that Walker is a computer technician and argue that Clara Walker had an expectation of privacy despite the two living in the same house at the time. It is the first time the law has been used for criminal prosecution in such a case.

The case raises all manner of related issues involving accounts beyond email and family members other than spouses. The scenario that comes to me is this: a divorced couple where one parent has custody of a child and the non-custodial parent accesses the child’s Facebook to gather information s/he can use in a change of custody proceeding or to modify child support. Assuming the non-custodial parent was not a Facebook friend and got into the child’s Facebook by accessing the child’s password, is it subject to prosecution?

How about monitoring a child’s computer usage and discovering that one of his/her friends is engaged in cheating at school, then reporting it? How about a live-in relative and their interest in various forms of online pornography? A house guest?

Ah, the slippery slope.

The Moderate Voice

YID With LID

From AP:

Within the pastel walls of a modest suburban office, Israeli high-tech workers have accomplished a feat that still eludes their political leaders: They have created a partnership with the Palestinians.

Israeli-Palestinian peace talks may be stalled, but that hasn’t stopped a small but steady trickle of Israeli technology companies from seeking to work with people on the other side of the decades-old conflict.

Israeli CEOs say it’s their way of bringing a little bit of peace to their troubled corner of the world. But the real reason they’re hiring Palestinians, they acknowledge, is because it simply makes good business sense.

“The cultural gap is much smaller than we would think,” said Gai Anbar, chief executive of Comply, an Israeli start-up in this central Israeli town that develops software for global pharmaceutical companies like Merck and Teva.

At a previous job, he worked with engineers in India and eastern Europe, but found communication difficult. So in 2007, when he was looking to outsource work at his new start-up, he turned to Palestinian engineers. He said they speak like Israelis do — they are direct and uninhibited. Today, Comply employs four Palestinians.

Palestinian engineers have also warmed up to the idea. “I doubt you would find a company who says, ‘I am closed for business’” to Israelis, said Ala Alaeddin, chairman of the Palestinian Information Technology Association.

So when is the BDS movement going to protest this?

Elder of Ziyon

According to a top Computer expert from Germany the Stuxnet virus which as been wreaking havoc on the Iranian nuclear program is just as effective as a military strike. Actually it is more effective,  it has set back Iran’s quest for nuclear capability by at least two years which is the best that can be hoped for with a military strike, without all the “mess” and human suffering due to war.

Little by little scientists are beginning to understand Stuxnet a computer worm developed with the sole purpose of doing what sanctions were not able to do, slow down the Iranian march to nuclear weapons. During the past year, Stuxnet the computer worm with a biblical calling card, not only crippled Iran’s nuclear program but has caused  a major rethinking of computer security around the globe (if you want to know how Stuxnet works click here)

“It will take two years for Iran to get back on track,” Langer said in a telephone interview [with Jpost]  from his office in Hamburg, Germany. “This was nearly as effective as a military strike, but even better since there are no fatalities and no full-blown war. From a military perspective, this was a huge success.”

Langer spoke to the Post amid news reports that the virus was still infecting Iran’s computer systems at its main uranium enrichment facility at Natanz and its reactor at Bushehr.

Last month, the International Atomic Energy Agency (IAEA), the United Nation’s nuclear watchdog, said that Iran had suspended work at its nuclear-field production facilities, probably as result of the Stuxnet virus.

Because it benignly hides in computers and back up systems,  some scientists have claimed that there is only one way of getting rid of the virus, throw out every computer involved with the Iranian nuclear program and get new ones, otherwise they will continually be re-infecting themselves. Langer agrees.

According to Langer, Iran’s best move would be to throw out all of the computers that have been infected by the worm, which he said was the most “advanced and aggressive malware in history.” But, he said, even once all of the computers were thrown out, Iran would have to ensure that computers used by outside contractors were also clean of Stuxnet.

“It is extremely difficult to clean up installations from Stuxnet, and we know that Iran is no good in IT [information technology] security, and they are just beginning to learn what this all means,” he said. “Just to get their systems running again they have to get rid of the virus, and this will take time, and then they need to replace the equipment, and they have to rebuild the centrifuges at Natanz and possibly buy a new turbine for Bushehr.”

It is unlikely that Iran would take the time (a year or more) to take that drastic step.

Widespread speculation has named Israel’s Military Intelligence Unit 8200, known for its advanced Signal Intelligence (SIGINT) capabilities, as the possible creator of the software, as well as the United States.

No one knows for sure where the virus came from, but there is evidence that Israel is probably behind the Stuxnet worm, evidence of biblical proportions. If not Israel maybe the virus is a sign from God. Computer Scientists who are analyzing the computer worm have found a file name that seemingly refers to the Biblical Queen Esther, the heroine from the Book of Esther the Old Testament narrative in which the Jews pre-empt a Persian plot to destroy them (ancient Persia is today’s Iran).

Langer said that in his opinion at least two countries – possibly Israel and the United States – were behind Stuxnet.

Israel has declined comment on its suspected involvement in the Stuxnet virus, as they traditionally decline to comment on any possible military action, whether they are involved or not. 

“We can say that it must have taken several years to develop, and we arrived at this conclusion through code analysis, since the code on the control systems is 15,000 lines of code, and this is a huge amount,” Langer said.

“This piece of evidence led us to conclude that this is not by a hacker,” he continued. “It had to be a country, and we can also conclude that even one nation-state would not have been able to do this on its own.”

Last week we reported that Stuxnet was still damaging the computers running the Iranian nuclear computers.

How do we know? Because a US site that has been studying the Stuxnet worm has been inundated with requests for information from Iran:

Eric Byres, a computer expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware that appears to be still infecting the systems at both Bashehr and Natanz.

“The effort has been stunning,” Byres said. “Two years ago American users on my site outnumbered Iranians by 100 to 1. Today we are close to a majority of Iranian users.”

He said that while there may be some individual computer owners from Iran looking for information about the virus, it was unlikely that they were responsible for the vast majority of the inquiries because the worm targeted only the two nuclear sites and did no damage to the thousands of other computers it infiltrated.

At one of the larger American web companies offering advice on how to eliminate the worm, traffic from Iran has swamped that of its largest user: the United States.

Perhaps more significantly, traffic from Tehran to the company’s site is now double that of New York City.

Ron Southworth, who runs the SCADA (the Supervisory Control and Data Access control system that the worm specifically targeted) list server, said that until two years ago he had clearly identified users from Iran, “but they all unsubscribed at about the same time.” Since the announcement of the Stuxnet malware, he said, he has seen a jump in users, but few openly from Iran. He suspects there is a cat-and-mouse game going on that involves hiding the e-mail addresses, but he said it was clear his site was being searched by a number of users who have gone to a great deal of effort to hide their country of origin.

Byres said there are a growing number of impostors signing on to Stuxnet security sites.

“I had one guy sign up who I knew and called him. He said it wasn’t his account. In another case a guy saying he was Israeli tried to sign up. He wasn’t.”

The implication, he says, is that such a massive effort is a sign of a coordinated effort.

Who ever created the Virus, the fact that it has set back the Iranian nuclear program without requiring a military strike should earn them a massive bonus. No matter what country they come from.

Please email me at [email protected] to be put onto my mailing list.
Feel free to reproduce any article but please link back to http://yidwithlid.blogspot.com

YID With LID

In a way Iran is like the character Rocky from the movies. Every time the Sylvester Stallone character would be in the middle of getting the crap beaten out of him, he would scream “you ain’t so bad,” but the audience would know better because they would see the blood flying every time the poor guy would get hit.

The computers running the centrifuges enriching uranium in Iran were infected by the Stuxnet computer work sometime last spring. As the virus has built its way throughout the Iranian computer network, it has caused the centrifuges to speed up and slow down in ways that burn them out causing them to break down. It is  the most sophisticated cyber-weapon ever created. Scientists who have examine  the worm describe it as a cyber-missile designed to penetrate advanced security systems. It targeted and took over the controls of the centrifuge systems at Iran’s uranium processing center in Natanz, and it targeted the massive turbine at the nuclear reactor in Bashehr.

Last week Iranian President Ahmadinejad, after months of denials, reluctantly admitted that the worm had penetrated Iran’s nuclear sites, but he said it was detected and controlled. His statement was like Rocky’s “You aint so bad!”

How do we know? Because a US site that has been studying the Stuxnet worm has been inundated with requests for information from Iran:

Eric Byres, a computer expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware that appears to be still infecting the systems at both Bashehr and Natanz.

“The effort has been stunning,” Byres said. “Two years ago American users on my site outnumbered Iranians by 100 to 1. Today we are close to a majority of Iranian users.”

He said that while there may be some individual computer owners from Iran looking for information about the virus, it was unlikely that they were responsible for the vast majority of the inquiries because the worm targeted only the two nuclear sites and did no damage to the thousands of other computers it infiltrated.

At one of the larger American web companies offering advice on how to eliminate the worm, traffic from Iran has swamped that of its largest user: the United States.

Perhaps more significantly, traffic from Tehran to the company’s site is now double that of New York City.

Ron Southworth, who runs the SCADA (the Supervisory Control and Data Access control system that the worm specifically targeted) list server, said that until two years ago he had clearly identified users from Iran, “but they all unsubscribed at about the same time.” Since the announcement of the Stuxnet malware, he said, he has seen a jump in users, but few openly from Iran. He suspects there is a cat-and-mouse game going on that involves hiding the e-mail addresses, but he said it was clear his site was being searched by a number of users who have gone to a great deal of effort to hide their country of origin.

Byres said there are a growing number of impostors signing on to Stuxnet security sites.

“I had one guy sign up who I knew and called him. He said it wasn’t his account. In another case a guy saying he was Israeli tried to sign up. He wasn’t.”

The implication, he says, is that such a massive effort is a sign of a coordinated effort.

Because it benignly hides in computers and back up systems,  some scientists have claimed that there is only one way of getting rid of the virus, throw out every computer involved with the Iranian nuclear program and get new ones, otherwise they will continually be re-infecting themselves. It is unlikely that Iran would take the time (a year or more) to take that drastic step.

No one knows for sure where the virus came from, but there is evidence that Israel is probably behind the Stuxnet worm, evidence of biblical proportions. If not Israel maybe the virus is a sign from God. Computer Scientists who are analyzing the computer worm have found a file name that seemingly refers to the Biblical Queen Esther, the heroine from the Book of Esther the Old Testament narrative in which the Jews pre-empt a Persian plot to destroy them (ancient Persia is today’s Iran).

Wherever it came from, any virus that is slowing down Iran’s quest for nuclear weapons is doing God’s work. Now if those same people could develop a virus that could shut down WikiLeaks. 

Please email me at [email protected] to be put onto my mailing list.
Feel free to reproduce any article but please link back to http://yidwithlid.blogspot.com

YID With LID