Rapid7 announced that an attacker with a directional antenna and a laptop can eavesdrop on wireless keyboards manufactured by Microsoft, Logitech, and other vendors, capturing every keystroke from over 30 feet away. This leaves corporate networks open to illicit intrusion and data theft that will probably look like a data breach originating from within the company.
For a look at what the hacker will get, go to this interesting presentation.
Would this be Reckless Personal Information Handling if this vulnerability was exploited at your company?
If passed, Bill C-27 (2nd Session, 39th Parliament, with first reading on 21 Nov 07) will make it an offence to recklessly make available or sell personal information knowing it will be used to commit fraud.
The wording that concerns me:
Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence
How will the term “reckless” be defined and measured? The people writing this law need to take into consideration what has happened with the requirement to safely store firearms.
In the case of the law requiring the safe storage of firearms, a group of street gang members rappelled down the side of an apartment building and broke into an apartment, and for four days, they continuously used industrial power tools to open a huge money safe and steal some handguns. Without a clear definition in law of what constitutes “safe storage”, the gun owner was charged with unsafe storage of the firearms. This type of malicious misuse will surely follow if Bill C-27 is passed without a clear definition of what constitutes being reckless.
The CRA vs. Canadian men
by Karen Selick, National Post Published: Wednesday, November 07, 2007
A wonderful article about the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act and the infinite stupidity of the bureaucrats enforcing acts written by inept people who do not understand or care about the consequences of the laws they create.
The following appeared on Michael Geist’s Blog:
The government’s response to the PIPEDA review included a promise to consult on possible reforms to the law, including the creation of a mandatory data breach notification requirement. On Friday, Industry Canada published the promised consultation in the Canada Gazette, asking Canadians for comments on the data breach requirement along with a series of smaller changes to Canada’s national privacy law. For those that don’t have PIPEDA consultation fatigue - this is effectively the third consultation on these issues in the past 18 months (the Privacy Commissioner consultation, the Ethics Committee hearings, and now the Industry Canada consultation) - the deadline for responses is January 15, 2008.
In Canada, parties to a civil action must disclose all documents in their possession and control that relate to the lawsuit.
This broad documentary disclosure and production requirement has prompted many provinces to adopt an implied undertaking rule that protects parties from improper publication of the disclosure materials. Violation of this undertaking may lead to a conviction for Contempt of Court.
The disclosure material may only be published once it has been exposed in open court in some manner, such as in testimony, as an exhibit, or as part of an affidavit. Of course, the contents of the Discovery transcript may not be published.
Disclosure material and Discovery transcripts do occasionally appear in court files. Whoever handles this material must understand what may be copied and disseminated, and what must remain in the court file. Otherwise somebody may end up facing an unsympathetic Judge. After all, ignorance is no defense.
Hidden devices set up in the local arena, municipal building and firehall in small Ontario community
The Globe and Mail reports that the small rural Ontario municipality of Highlands East, in the Haliburton area, had installed cameras in several facilities. The article described the device thusly:
“The camera was powered up and broadcasting both audio and video, it was set up so anybody within about 300 feet who had that type of receiver could watch in there and listen with impunity.”
I think somebody in Highlands East should read Part VI of the Canadian Criminal Code. If this device captured audio then it might be considered a listening device used to illegally intercept private communications.
Bill C-299 is an Act to amend the Criminal Code, the Canada Evidence Act and the Competition Act (personal information obtained by fraud) and was introduced in Parliament as a Private Member’s Bill by The Honourable James Rajotte on May 17, 2006. It was referred to the Standing Committee on Justice and Human Rights after it had received Second Reading on November 1, 2006.
This legislation will actually make it easier to commit fraud. It will protect criminals, debtors, tax cheats, child support debtors, and welfare thieves by making it impossible to bring them before the courts. It will make a civil judgement worth less than the paper it is printed on. This will make identity fraud more common by eliminating any avenues to determine a person’s real identity. The tools available to private sector investigators to catch, identify, or prosecute these people are constantly being legislated out of existence.
Private Investigators investigate these crimes on behalf of banks, insurance companies, business corporations, and their legal counsel when the police refuse to act because the damage doesn’t exceed their magic number, or they avoid involvement altogether by saying it’s a civil matter. Who will fraud victims turn to when Private Investigators are rendered useless, the police won’t act, and the courts become a useless waste of money — The Hon. James Rajotte?
For a full understanding of how damaging this legislation will become, please read Pretext, Privacy & Private Investigators by Kevin D. Bousquet.