Benjamin Wright
Works at Lawyer -Private Practice | SANS Instructor: Law of Data Security & Investigations | Author: Law of E-Commerce | Blogs: BYOD, Cyber-attacks, Digital Forensics, Professional Training
Attended Georgetown University Law (J.D. 1984)
Lives in Dallas, Texas

Collateral Damage in Active Computer Defense

When a computer defender engages in unconventional or “active” defense measures, a serious concern is collateral damage. An innocent party can be hurt. The defender may not possess enough information to know for sure who she is actively disabling or surveilling. 

In the blog post linked below, an investigator had good justification to snoop on someone. But the investigator failed to weigh carefully the possibility that a court would consider the target of the investigation innocent.

Thus, the good investigator looked arguably like a bad guy in the harsh light of the courtroom.

As explained in the blog post below, wise investigators and defenders can take measures to reduce the risk that an innocent party will be damaged.

#activedefense #eavesdropping #forensicinvestigation

Security Vendor Liable to Third Parties? Publish a Disclaimer?

In reaction to Target’s credit card data breach, banks have sued one of Target’s security vendors, Trustwave. Trustwave audited Target’s compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and provided ongoing monitoring of security for Target.

Trustwave worked for Target. It did not work for the banks. 

The banks (card issuers) claim that they incurred costs (card cancellations) because they relied on Trustwave to perform its services well and Trustwave let them down.

This Is a Rare Kind of Lawsuit

For a security vendor like Trustwave, a lawsuit by third parties is an unwelcome surprise. Trustwave agreed to work for Target for a certain price and under certain contract terms. If it made mistakes, it could be liable to Target under the terms. 

But Trustwave did not bargain to be liable to third parties.

The Credit Card System is Flawed

I have this to say in defense of security vendors who work for merchants like Target:

Breaches at Target, TJX and many, many other retailers have demonstrated that credit cards are inherently insecure as they are implemented in the US. Imposition of the PCI-DSS on merchants has not prevented the theft of data by hackers. Hackers have grown steadily more sophisticated in stealing credit card data.

Legally Warn Banks Not to Rely

The lawsuit against Trustwave motivates all security vendors to publish disclaimers. A disclaimer would remind banks that they necessarily incur substantial risks when they issue credit cards; they should not expect vendors who work for merchants to cover those risks.

A vendor, an auditor, a qualified security assessor (QSA), a penetration tester or another security consultant is motivated to publish disclaimers roughly like this: 

“Notice to all credit card issuers: When you issue credit cards, you assume much risk that the security of card data will be compromised. Although Vendor may help its merchant clients with security, credit card data security cannot be assured. Vendor may make mistakes. Vendor assumes no liability to you.”

A vendor is motivated to publish this disclaimer on its website, on official reports (like a QSA report), on social media and elsewhere.

Liability Shield?

Is a disclaimer like this guaranteed to shield a vendor from legal liability? No. But it won’t hurt.

What do you think?

Update: The banks quickly withdrew their lawsuit. My guess is they learned they had erroneous information. 

#trustwave #pcidss #targetbreach

I enjoy teaching for the SANS Institute via webcam. The webcam medium forces me to devise gimmicks -- like this Evidence sign that I brandish from time to time -- to make the learning experience more engaging and memorable.

#cpe #sansinstitute

+Emily Maxie, yes. I teach this 5-day course in three formats:

1. Live, in-classroom (in two weeks I'll teach in Orlando)
2. Live, via webcam - this is what SANS calls "vLive" or "CyberCon"
3. Pre-recorded - this is what SANS calls "OnDemand"

The course and its different formats are described at http://www.sans.org/course/law-data-security-investigations

In the vLive/CyberCon format, students see me live, interacting through the webcam. Students can send me chat questions/comments. vLive/CyberCon is where I wave handheld signs like the Evidence sign in the photo above.

When I teach vLive/CyberCon, SANS records my voice. Then it inserts the (edited) voice recording into SANS' own OnDemand platform. OnDemand is an online, pre-recorded, study-at-your-own-pace course. The student hears my voice in relation to slides and notes. The student takes short quizzes along the way to demonstrate that the student is engaged and qualifying for CPE credit.

When to Keep Email; When Not to Keep It?

For many enterprises the IT department is the first to recognize the need for a modern policy on electronic mail record retention and destruction. IT is charged with managing the media on which email is stored and the technology by which email is searched. IT is charged with finding particular email records in an audit, in an investigation or in response to an e-discovery request.

Increasingly IT sees the need to implement a system that is dedicated to archiving email.

But IT does not have the authority or expertise (by itself) to set enterprise policy on a topic like record retention. If the IT department were unilaterally to declare a policy on e-record retention, other departments would reject the policy. Departments like legal, HR, internal audit and risk management would each say, “Hey, wait. I was not consulted on this. What do those tech guys know about records management policy? They do not have the experience to evaluate the legal and practical implications of such a sensitive policy.”

So IT is often in a bind. It knows the enterprise needs a policy. But it does not have the ability to adopt the policy by itself. And it often has a hard time persuading other departments to devote concentrated energy into developing a policy.

I believe good email policy comes from a collaborative process, where all of the relevant stakeholders (IT, legal, HR, internal audit and risk management) work together.

The blog article linked below explains the urgency for an enterprise to adopt responsible policy on email archiving.

#electronic-archives

Add me

How to Develop Policy for Digital Archives

Historically corporate record retention policies organized records according to content. Purchase orders went in the purchase order box; invoices went in the invoice box; and so on.  

Thus, when you wanted to find or destroy records of a given content, you went to the box or folder designated for that content.

Automated Search for Content

Today, however, when you want to find particular electronic content you use a search engine.

Thus the old policy of organizing records and archives into folders/categories according to content is becoming less and less relevant. And the process of putting e-records into folders/categories according to content can be excessively labor-intensive.

Records management policy must adjust to a different paradigm, as explained in the blog post linked below.

#recordsmanagement #emailpolicy #recorddestruction

Is Transparency an Effective Check and Balance for Privacy?

Data privacy is a delicate subject for our society. It necessarily involves trade-offs among factors like civil rights, property rights, economic convenience, public safety and national security.

Virtually all social institutions are wrestling with data privacy issues today. Whether the institution be a nonprofit, a corporation or a government agency, it is asking how much data it should collect, how the data should be protected and so on.

The blog post linked below evaluates one tool for striking the right balance with data privacy. The tool is transparency.

The blog post below examines a recent public dialog about privacy and transparency to glean some lessons of general applicability.

The particular dialog that sparked the blog post involves Microsoft, in its capacity as a cloud computing service provider, searching the contents of customer accounts for evidence of misbehavior.

But the post linked below is not really about Microsoft. It is about methods for giving assurances to the public, methods that can apply to many institutions and in many settings.

Comments welcome.
#cloudcomputing #checksandbalances #dataprivacy

A very complex issue that your article deconstructed well +Benjamin Wright. This is an area where we will see a lot of opinion that is flavored with customers' own sensitivities to transparency.

In this case, where Microsoft leveraged its intelligence resources (a mighty one at that), they used a little-known T&C clause to investigate alleged IP abuse.

All this will do is make those who use the myriad of Microsoft products rethink their use. And, in some cases it might just hurt enterprise programs which, if the case, would send a strong signal to Microsoft to back off prying into any one of the hundreds of Microsoft resources that have become an integral product in hundreds of millions of lives.

Crowdfunding | The Economic Stimulus that Came Out of Nowhere

The positive economic impact of crowdfunding is hard to overstate. New technology, such as social media and mobile phones, has enabled crowdfunding to burst onto the scene as a responsible vehicle for new ventures to raise money, create jobs and grow value. 

Crowdfunding has arisen like nothing before in economic history . . . so that in the course of just a few years it has come to stand as a peer to traditional sources of early-stage funding (bank loans, angel investors, friends & family). 

Economic Innovation

Crowdfunding performs an economic service that simply could not be performed in the past. It pulls together like-minded individuals, scattered all over the world, to contribute small sums toward a project.

It has a proven track record for sifting out fraud and con men. It does this by deputizing the social-media crowd to analyze proposals and flag the bad apples.

Five years ago it was not feasible for these scattered individuals to pool their resources in support of a project in such a low-risk fashion.

Today Oculus VR, a crowdfunding success story from 2012, struck a deal to be acquired by Facebook for $2 billion. Astonishing.

Little Regulation

Rewards-based crowdfunding -- the most popular type of crowdfunding and the type that got Oculus going -- has required little regulatory oversight. Although state attorneys general have authority to go after crowdfunding fraudsters, that has seldom been necessary in practice. The crowdfunding community has policed itself.

#fraudprotection #economichistory #jobcreation

TransProse | Artificial Music to Complement a Text

In the 2012 G+ post shared below I speculated about a future app that would create original ambient music to suit the listener’s mood, activity and surroundings.

Now, researchers have taken a step toward creating such an app. They have developed a program –called TransProse – that analyzes the mood or temperature of a literary passage and creates original music to reflect that mood or temperature.  

TransProse can interpret the emotions from a page in, say, Alice in Wonderland and portray those emotions with unique music. See "The Music Composed By An Algorithm Analysing The World’s Best Novels," https://medium.com/the-physics-arxiv-blog/cfaaa96198e2
 
Life-Stream Soundtrack App

A friend asked me to describe an Android app I'd like to have in the future.  Here is my answer . . .   

I have a long answer to explain one Android app.

Think of how "dull" a movie would be if it had no soundtrack music.

Music Evokes Tingle

I have long contemplated how the soundtrack music to a movie (or TV show) complements or amplifies the mood and emotions that the director is trying to convey.  Good soundtrack music sends a warm tingle up and down my body as I watch a grand Hollywood movie in a dark theater.  I love the experience!

Example Setting: Travel in an Automobile

Summer 2011 I made a long automobile journey through the central part of southern, upstate New York.  I (a Texan) did not expect the landscape to be as beautiful and mountainous as it was.  The highway, Route 17, did not dominate the scene.  The highway was modest.  It was not an interstate expressway, and there were not many cars on it.  As the highway crested over a mountain pass, an enormous, beautiful valley opened below me.  I could see for 30 miles to the West.  The valley was a forest, and the mountains around it were densely forested.  The sun was preparing to set in the West.  There was little development within my view (in other words, I couldn't see any gas stations or bill boards or big power-lines).  I felt as though I had entered a great American painting circa 1850.  The view was a majestic, untamed part of Eastern North America that I did not realize still existed.

At that moment, it would have been cool if my Android device were to play grand orchestra music that fit the scene . . . as though I was living in a John Wayne movie.

Device Observes Many Aspects of the Situation

I have long dreamed of the day when my mobile device observes (a) what I am doing, like walking through the mall, waking in the morning or driving through Appalachia, and (b) my mood.  Then, the device plays background music -- like the soundtrack music in a movie -- that complements or amplifies the situation.  

Could Subscribe to Many Different Styles of Soundtracks

I have long anticipated that we will be able to subscribe to different styles of life-stream "soundtracks".  So, an Android user could subscribe to different styles of soundtracks like this:

(1)  Broadway show tunes; or
(2) ESPN sports; or
(3) classic cartoons from the 1940s and 1950s; or
(4) Disney princess movies; or
(5) Horror films; or
(6) 1980s pop music; or
(7) female jazz vocalist; or
(8) music from medieval Japan

I dream of this life-stream app being as intelligent, creative and original as a great music director (or song writer) who works in Hollywood.  Thus, the music would always sound fresh . . . just as every time I watch a good movie for the first time, all of the music is fresh.  I don't know what the music in the movie is going to be -- and I have never before heard the music -- until I experience the movie.

That will be one heck of an Android app.  I think we will see stuff like that within about 5 years.  What do you think?

[Below is an image of Route 17, but it is not the location I described above.]

Update June 2013:  Microsoft develops prototype software for smartphone to detect the user's mood.  http://science.slashdot.org/story/13/06/28/1430259/microsoft-research-adds-mood-detection-to-smartphones

Proof in the Cloud

Legal and political authorities rely on computer evidence every day. More and more that evidence comes from cloud computing.

But the evaluation of that evidence by authorities such as juries can be trickier than the evaluation of traditional evidence such as ink, paper and testimony by a witness.  

Computer evidence can be manipulated in novel ways. 

However, there is reason for optimism.  One modern development does mitigate the threat that evidence is manipulated or abused: Increasingly, legal evidence is made available in the court of public opinion (on the Internet) in addition to the courtroom. The Internet enables amateur and professional forensic experts around the world to speak up when the legal system is stumped or about to make a mistake.

#digitalforensics #courtroom #expertwitness

+Benjamin Wright another bang-up job on this piece.

Every bit of it was insightful and thought-provoking. I particularly liked "Such an expert is able to separate emotions from logic.  Such an expert is also able to set his or her ego aside and acknowledge when he or she does not know something or have enough data to state an opinion."

Since digital data recovery is still in its infancy -- and there are many novice forensic practitioners -- there will be a period of time where most investigators will have to make a conscientious decision on whether to take a step back on a case. The reality is that if they push it, and are unqualified to do so, they may find themselves with egg on their face when push comes to shove (trial, etc.).

Will Office 365 Be Practical?

I puzzle whether people will really want to work in the networked format MSFT envisions for Office 365.  Maybe some will. 

However, there will be risks, and for many people the learning curve to address those risks will be steep.  As a lawyer, I think of two risks.  

Over-sharing of Sensitive Information

One risk is that information could be over-shared in Office 365. Employees may require lots of training to fully understand how information is being shared and how to prevent over-sharing. The Edward Snowden experience has caused some organizations, like law firms, to shift toward more compartmentalization of information and records. They don't want their own Snowden to run rampant through the organization, swiping secrets.

How to Control the Document & Records About the Document?

A second risk is that documents are often negotiated in an adversarial way (whether the adversary be internal to the organization or external). Even though the creator of a document may be able to control how it is edited, s/he may be surprised or confused by how adversaries can manipulate the interpretation of the document in Office 365's social-engineering network of connections.

For example, I could create and control a document that is accessible to others out in the 365 network. But my adversary (who could be a peer employee or a lawyer who represents another party) might be able to create recorded comments around the document (or connected with the document) that affect the final interpretation of the document. (See this article about the legal influence of embedded comments in a Word doc: http://hack-igations.blogspot.com/2013/11/terms-and-conditions.html .) For untrained users, Office 365's network of recorded comments could be a booby trap.

#negotiation #office365 #electroniccontract

Future of Microsoft Office is a shared, context-driven model. Sorry, college students.

Thanks for the information, I will check it out and pass it along...

Work
Occupation
Lawyer
Skills
Public speaker on digital law and cyber investigations
Employment
  • Lawyer -Private Practice | SANS Instructor: Law of Data Security & Investigations | Author: Law of E-Commerce | Blogs: BYOD, Cyber-attacks, Digital Forensics, Professional Training
    Lawyer, present
Places
Currently
Dallas, Texas
Contact Information
Work
Phone
1.214.403.6642
Address
Dallas, Texas
Story
Tagline
SANS Inst Law
Introduction

Benjamin Wright is an attorney in private practice, advising clients on privacy, outsourcing, IT security and forensic investigations. He teaches e-discovery, BYOD and cyber-investigation law for SANS Institute.

Mr. Wright has published hundreds of blog posts on technology law.  Search them.

Wright is known for promoting screencast video to document legal investigations in social media and audit evidence in online trading platforms.

To email Mr. Wright, please send to ben_wright at compuserve dot com; put "BLOG" in subject line.

Speaker and Author  

Mr. Wright is a frequent public speaker at professional groups like state CPA societies and the Institute of Internal Auditors. As the author of technology law books such as Law of Electronic Commerce, he blogs on electronic data, records, security and social media law, and he spots trends, such as the rise of activists and whistleblowers wielding small video cameras. In 2010, Russian financial authorities tapped Mr. Wright for advice on regulation and investigations in the micro-finance industry.

Mr. Wright is (sometimes) editor for compliance topics at SANS Institute's Securing The Human program.

Associations

Texas Bar Association publishes an attorney profile on Mr. Wright.

Mr. Wright graduated Georgetown University Law 1984.  He mentors students at SMU's Lyle School of Engineering.

Mr. Wright is known for bringing attention to the power of terms, conditions, contracts, disclaimers, warnings and other notices -- like those below -- published through online media.

IMPORTANT: No public comment by Mr. Wright (blog, book, tweet, video, update, speech, article, podcast or the like) is legal or other professional advice.  If you need legal advice, you should hire and consult a lawyer.

Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk. 

Public Discussion

Mr. Wright's public blogs, tweets, videos, web comments and the like are intended to promote public discussion.  They are not intended to advertise or solicit legal services.  They constitute the online update service for the book Law of Electronic Commerce.  Originally released 1991, and revised continually since then, the book is published by Wolters Kluwer Law and Business.

Compliance

Mr. Wright strives to comply with all applicable laws.  He does not have and never has had intention to infringe the rights of anyone.  If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642.  Also, please state publicly on Mr. Wright's blogs or pages that he is wrong.  Promptness helps mitigate damage. 

Any person accessing Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Mr. Wright's interests.

Forming an Attorney-Client Relationship

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchange of private messages with Mr. Wright does not, by itself, create an attorney-client relationship.

Privacy/Security Vision 

Some people provide Mr. Wright private information.  Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security.  It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure. 

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication. 

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright often earns financial or other reward from those he mentions or links on blogs and social media, such as Yellow Brick, Messaging Architects, SANS Institute, Credant Technologies, state CPA societies, Park Avenue Presentations, LabMD and others.

Attribution

Some images and sounds associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain.  Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas.   Tel: +1.214.403.6642

Bragging rights
I am a humble student of technology law.
Education
  • Georgetown University Law (J.D. 1984)
    Law, 1981 - 1984
  • Trinity University
    English, 1978 - 1981
Basic Information
Gender
Male
Other names
Ben Wright
Links
Code of Conduct | The Honeynet Project
honeynet.org

Below, you will find the Honeynet Project's proposed code of conduct. We invite you to submit comments until 5/1/2012 to project@honeyne

Report: Mysterious Happenings at JPMorgan?
www.cnbc.com

I've tried a number of times to understand The Wall Street Journal's story headlined "J.P. Morgan Rankled by Risk," but I still don't get it

Blog - Michael Daugherty
michaeljdaugherty.com

Trying to write a book while running a company and having the government knocking on your door calls for drastic measures. I needed to get t

Answers to Google Social Network - Google+
googleplusanswers.com

A continually improving collection of questions and answers created, edited, and organized by thousands who use the Google+ social network.

Is Zippo Getting Zapped? | Litigation News | ABA Section of LitigationA...
apps.americanbar.org

Florida court rejects Zippo’s “sliding scale” for jurisdiction over Internet activity.

Web Preservation by Screencast — Slaw
www.slaw.ca

Slaw is Canada's online legal magazine ISSN 1925-6175. home about. • about Slaw. • our contributors. • our columnists. archives. • by da

Spy Privacy Subpoena Law: Definition of Data Security Breach
hack-igations.blogspot.com

When Has Privacy of Credit Card or Social Security Numbers been Compromised? Security Incident Response and Information Protection Law. Many

Introduction to MobiSec video
blog.secureideas.com

We just wanted to post a quick update to let you know about a new video. Kevin (working with James) recorded a "quick" introduction to OWASP

FINRA and the SEC Move One Step Closer to JOBS Act Implementation
www.cfira.org

Washington, D.C. (PRWEB) January 31, 2013 – Earlier this week FINRA invited prospective Crowdfunding portals to voluntarily file an interim

Computer forensic delays a growing problem? | Cybercrime Review
www.cybercrimereview.com

It is hard not to notice the growing number of cases that revolve around or discuss the delays associated with processing computer forensic

Hide & seek profile research Discreet & Confidential
www.hideandseekpr.com

Hide & seek profile research. Discreet & Confidential. We all have felt the stings of betrayal from lies told by people very close t

Microsoft DMCA Notice ‘Mistakenly’ Targets BBC, Techcrunch, Wikipedia an...
torrentfreak.com

Over the last year Microsoft asked Google to censor nearly 5 million webpages because they allegedly link to copyright infringing content. W

The FTC is Suing Me... - Michael Daugherty
michaeljdaugherty.com

The cat has finally come flying out of the bag. In 2008, someone (and we know exactly who it is) stole our file. We believe it has always be

Lawyer removed as counsel, alleged to have encouraged client to install ...
www.cybercrimereview.com

In Zang v. Zang, 2012 U.S. Dist. LEXIS 123383 (S.D. Ohio, August 30, 2012), the defendant's motion to disqualify plaintiff's counsel was gra

Social Networking Sites Assist Investigations | Security Management
www.securitymanagement.com

Law enforcement officers and private investigators are turning to social media to assist them with investigations. Facebook and other Web si

SEC Chair Testifies that SEC Expects to Meet Deadline for Crowdfunding R...
www.cfira.org

The Jumpstart Our Business Startups Act (JOBS Act) became law on April 5, 2012 and requires the SEC to implement rules within 270 days to al

Ning – Create a Social Networking Site with Ning, the Best Social Site P...
www.ning.com

The World's Largest Platform for Creating Social Websites™

I have visited the Gallery numerous times over the years, most recently last week. The Gallery is a rare treasure, one of the best-kept secrets in New York. Serious antique collectors must check it out. Call ahead for an appointment.
Quality: Excellent | Appeal: Excellent | Service: Excellent