Schneier on Security
A blog covering security and security technology.
« Pupillometer |
| Organized Cybercrime »
September 18, 2006
More on the HP Board Spying Scandal
Two weeks ago I wrote about a spying scandal involving the HP board. There's more:
A secret investigation of news leaks at Hewlett-Packard was more elaborate than previously reported, and almost from the start involved the illicit gathering of private phone records and direct surveillance of board members and journalists, according to people briefed on the company's review of the operation.
Given this, I predict a real investigation into the incident:
Those briefed on the company's review of the operation say detectives tried to plant software on at least one journalist's computer that would enable messages to be traced, and also followed directors and possibly a journalist in an attempt to identify a leaker on the board.
I'm amazed there isn't more outcry. Pretexting, planting Trojans...this is the sort of thing that would get a "hacker" immediately arrested. But if the chairman of the HP board does it, suddenly it's a gray area.
EDITED TO ADD (9/20): More info.
Posted on September 18, 2006 at 2:48 PM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm not carrying any brief for HP, but both hackers and board chairmen deserve due process and all we have here is an allegation in a newpaper story, albbeit one that seems very well reported.
If true, there will be plenty of hell to pay. The planting of software on the computer is almost certainly a felony under 18 USC 1030. Then there's the question of how they got physical access to the computer; that might well involve criminal trespass or breaking and entering, both common offense in the PI game.
The most intriguing possibility is that HP and its directors were engaged in a criminal conspiracy under either U.S. or California law.
I'm not naive enough to believe that equal justice under law means that Patricia Dunn will get the same treatment as the guy who wrote Zotob. But this is serious stuff and it's not going away. Companies should know that going after a journalist is a little like shooting a cop--it really makes the others pay attention.
I'm also curious about that high profile attorney that was on HP's side...if this was so obviously illegal?
It's also a bit unclear how much the chairperson knew about the details. Is there a difference between her hiring a PI and saying, "I want to know who the leaker is", and actually overseeing illegal behavior? It seems like those are not quite the same thing.
It's time we stopped pussyfooting around and called a spade a spade. There is no such thing as "pretexting". The proper term is "identity theft".
A more general question: how common is this in the investigation industry? That is, does every P.I. in the industry do this daily or is this a rogue agency with a gonzo agent?
My fear is that this kind of pretexting and and Trojan stuff is routine.
Attorneys, you say?
From the NYT:
"[...]a crucial legal opinion was supplied by a Boston firm that shares an address and phone number with one of the detective firms working on the case."
The jokes write themselves on this!
Conspiracy laws make "hiring an agent" and "performing an illicit action yourself" more or less equivalent, at least in the eyes of the law (if not the jury), assuming she knew about what they were going to do or was informed of what they did.
As usual, the details are important:
"The e-mail was embedded with software that was supposed to trace who the document was forwarded to. The software did not work, however, and the reporter never wrote any story based on the bogus document."
From the sound of it, I've used this stuff before. It was used as a service provided by some other company.
It's just a tracking gif embedded in the html email, and it required sending outbound mail through the provider's SMTP servers.
Damn I can not remember the name of the company that made it though.
Our sales guys loved it, because they could tell if proposals were indeed being forwarded around etc etc-
Illegal or not, the attorney still gets paid.
I dunno so much about the real world, but in *fiction* this sort of fraudulent acquisition of information is absolutely routine for private investigators. Geez, don't you guys watch _Veronica Mars_? :-)
Any actual private investigators, or those who have used their services and know how they got the information, lurking out ther? Um, and willing to comment?
Anyone who is concerned with the legalities of these activities should notice that both HP's own General Counsel and their outside counsel were asked if this kind of thing was OK, and they said "no problem". The outside counsel is Larry Sonsini, the most respected (some would say "most feared") attorney in Silicon Valley.
There's no question that run-of-the-mill divorce detectives do this all the time. What kind of Congressional action do you think it will take to get them to stop?
The other "inside baseball" question observes that the CEO of Verizon is on HP's board of directors. Does his company give out phone records as freely as ATT did? What will it take to get them to change their practices?
"Pretexting, planting Trojans...this is the sort of thing that would get a "hacker" immediately arrested. But if the chairman of the HP board does it, suddenly it's a gray area."
Well now you are being silly.
Based on what we know, Dunn hired the investigator for legitimate reasons, i.e., a leak. A hypothetical "hacker's" motivations are likely more supect, or "gray" if you will.
That is quite an extreme position to compare Dunn to a hacker.
If Dunn broke the law, then she should be prosecuted. Based on HP stock performance, I believe reasonable people have not jumped to that conclusion.
I think that it would be easy for us to jump to a conclusion on this, but we might not necessarily be right in doing so.
There are a ton of details that still need to be filled in. Lots of speculation might not actually yield the best results in determining Dunns guilt in the matter.
Further, whether guilty or not it might be quite difficult to have a case against Dunn unless someone managed to get some sort of communication from her about the topic that will incriminate her. Plausible deniability due to distance from the lower levels of those contracted out?
"It's time we stopped pussyfooting around and called a spade a spade. There is no such thing as "pretexting". The proper term is "identity theft"."
There is no such thing as "identity theft". The proper term is "fraud".
"I'm amazed there isn't more outcry. Pretexting, planting Trojans...this is the sort of thing that would get a "hacker" immediately arrested. But if the chairman of the HP board does it, suddenly it's a gray area."
I would agree if it was Dunn who personally committed these acts. However, based on the info released so far, she hired a "Private Investigator" to get the information. Her level of guilt will likely depend on how much she instructed these PIs in how to acquire the information she was seeking.
If Dunn is guilty based on acts performed by the PI's actions, then likely anyone who ever hired a PI is also guilty of similar "impersonation" crimes/fraud committed by most, if not all, PIs.
In fact, this would pretty much criminalize the entire PI industry, since from my personal experience, all the information I have ever seen collected by PIs would have to have been gotten by "questionable", mostly illegal, means (i.e. surreptitious photos of people in private situations, acquiring driver license data for auto repo, accessing personal medical records to find adopted kids parents, etc.).
The problem w/ some of the folks wondering why the "leaker" is the _real_ problem seem to be, like many others currently in the US Administration, believing that the ends justify the means.
I dunno, but don't we have a *lot* of history that points out that the ends can never justify illegal means to *reach* those ends?
Every argument "for the greater good" has a tendency to decay into "I have a plan" that the rest of us have to hold our noses through the ugly parts and assume the results will all make it worth-while.
Those who defend Dunn's actions, or even just say she had little control over the folks she *authorized* to spy on fellow board members, seem to miss the point.
First of all, her ruthless fixation on minor press leaks seriously undermined the trust and therefore strength of the board; the very opposite of her job description and highly damaging to the value of the company.
I can't believe people would even suggest for a moment that the chair of the board (Dunn) should be excused for hiring professional identity thieves and then claiming ignorance of their methods. What kind of leader would say the buck stops on someone else's desk? And what if her defense comes down to the fact that she didn't enforce standards, or didn't take responsibility for an ethical/moral foundation...how many other things at HP did she not understand or choose to pursue with abandon? How does that make you feel about product quality or safety?
Second, not only was the means ugly, the end was ugly...as I mentioned on your post of the 7th, Tom Perkins did not step down in protest over a minor disagreement.
Thus, the question is not whether in the end a bad guy would be caught, since there are a million other ways to go, including legal methods and those approved by the board itself.
The question is whether you would sit quietly as your leader secretly spies on your personal life and all of your contacts "to catch the bad guy"? And, moreover, if you resigned in protest would you then sit idly by while the board lied to the world about your actions and implied that you did not object to their actions?
The real story is about Perkins and how he stepped down after fifty years leading HP. Even if you take the cynical view and say he was trying to force Dunn out and/or significantly revamp HP's faltering leadership, his actions speak volumes about a real sense of integrity and ethics.
In his own words:
"'I did not resign from the board for frivolous reasons,' he wrote, 'but because HP was standing (in) dangerous waters--waters hazardous with both illegal and unconscionable governance practices--and because my advice was being ignored.'"
"Dunn hired the investigator for legitimate reasons, i.e., a leak. A hypothetical "hacker's" motivations are likely more supect, or "gray" if you will."
Um, by your logic if a hacker is wants to find out who leaked his/her information to a company database, he/she would have a *legitimate reason* to do any number of offensive activities including spying on the personal lives of their board of directors. In other words, you only need to find evidence of a leak of your private information to have a legitimate reason to spy on people you suspect?
Is that really what you want to say? I think that is a woefully low and dangerous standard.
"If Dunn broke the law, then she should be prosecuted. Based on HP stock performance, I believe reasonable people have not jumped to that conclusion."
Without any causal link, your statement has little/no meaning. For example, on the contrary, the stock performance could indicate support for her removal from her post and for her prosecution by the DA for breaking the law.
I have to agree with your last comment Bruce, it does seem surprising that there hasn't been more controversy about this so far.
Reminds me a bit of the Sony rootkit saga; Sony were initially dismissive of complaints against them. I suspect that HP will be forced to take the issue more seriously when the Department of Justice presses charges.
"Based on what we know, Dunn hired the investigator for legitimate reasons, i.e., a leak. A hypothetical "hacker's" motivations are likely more supect, or "gray" if you will."
The point is that Dunn should not get any more benefit of the doubt, or any more leeway, than any other alleged criminal. If Dunn was fully knowledgeable and complicit in these illegal activities, she should be prosecuted in the same way any espionage ringleader (or hacker ringleader) would be. "Not getting your hands dirty" is not an excuse. Bruce is saying that if it were any "regular" person making these calls and planting software, they'd probably already be in jail. It is well-publicized that everyday security professionals, just doing their jobs, have been threatened, arrested, jailed and prosecuted for far, far less than Dunn was apparently responsible for.
Motivation does not justify strictly unethical behavior, there is no room for moral relativism here. Next you'll be saying that a robber could say "oops, well, I meant to use the money to feed the orphans," and be set free.
It is nice to see how people really think.
This was illegal, completely out of any proclaimed policies and not very clever.
And what happened ?
HP get actually rise on market after that (it was in CNN report if I remebmer correctly)
Outrage is amusingly elastic. Who would be outraged if a journalist used "pretexting" to get embarrassing information about Karl Rove? Who would advocate indicting his editor?
We've already seen examples of outrage, both real and manufactured, when reporters have used information from unauthorized recordings of phone conversations (whether landline or cellular), questionable access to voicemail records and so forth. In some of those cases publications have made civil settlements; in others, they've retracted obviously accurate stories rather than face legal nightmares. Reporters have been fired for using tapes of conversations without permission from the person on the other end.
And as Tom Perkins's position makes abundantly clear, simply not being indictable is not a sufficient qualification for continued leadership of a company such as HP.
>Outrage is amusingly elastic. Who would be outraged if a journalist used "pretexting" to get embarrassing information about Karl Rove? Who would advocate indicting his editor?
What does this bit of idle speculation have to do with whether or not HP broke the law?
Just for the record, I do think it depends on what the "embarassing" information is. If it were that Rove had a gay lover or an illegitimate child, the editor should be indicted. If it were that he'd committed multiple felonies, it's a bit more of a gray area.
The editor's actions remain illegal regardless, of course. But courts take extenuating circumstances into account all the time. As they should when law and justice conflict.
I've seen comments where people are wondering how much the chairman knew about the means that the investigators would use. Given that she must have know (or determined) that HP could not legally obtain the records through above-board means (why use expensive PIs if a call to the phone company and an above board explanation would work) then she must have at least suspected that the PIs were going to do something questionable.
This seems a bit like some rich person hiring someone (not an art dealer) to obtain a piece of art that they saw in a museum for them and then being shocked when the police tell them that their hired thug stole the piece.
I would assume that the chairman was presented with evidence of the leaker's indiscretion. This evidence must have included phone records that anyone with any kind of clue would know couldn't have been obtained legally. At the least she should have consulted with her corporate legal staff about the likely means through which such information was acquired.
The current approach that CEOs and corporate officers seem to be taking suggests that if they are being honest, they are either incredibly stupid or profoundly ignorant of the law, ethics and the internal processes of their corporations. I have a hard time swallowing this. I could imagine that when she tasked her subordinates with starting the investigation that she was unaware of the means by which it would be executed. I cannot swallow the suggestion that she was presented with the results that she was incapable of figuring out that something unethical and/or illegal was involved...and if she was then she should never have management responsibilities in the future...
"...the stock performance could indicate support for her removal from her post and for her prosecution by the DA for breaking the law."
Sounds reasonable to me. If that is true, then by stepping down Dunn did the right thing for HP.
Did you intend to lead the conversation in that direction?
Francoise notes that If Dunn was fully knowledgeable and complicit in these illegal activities, she should be prosecuted in the same way any espionage ringleader (or hacker ringleader) would be. Both Francoise & Bruce seem to agree with the majority of those out there - regular people who do this go to jail and Dunn should face the same accountability.
Funny how Hewlett-Packard's running some ads that say "Go far, keep your secrets close http://www.iwantmyess.com/?p=100 Keep them close unless you work for HP or are a journalist writing about HP...
What I find amazing is that this doesn't seem to have affected the stock price. It was actually up after the news, but over the last week and a half isn't showing any major movement.
It looks to me like people who trade stock don't think this is as big a deal as people who work in information security.
As a very small-time shareholder, I toyed with the idea of selling my 30 shares if Dunn didn't step down, but now I'm waffling...how long should I wait until someone is indicted? Does my tiny cry of outrage count for squat? (Not even.)
@Dave and Marko
Will no one rid me of this meddlesome priest?
that's "turbulent priest" and i was thinking the same thing, you beat me to it.
"A later e-mail from that same address included an attachment believed to have contained marketing information about a new HP product. That attachment, government investigators told Kawamoto, had the ability to track the e-mail, notify the sender if it was opened, tell the sender if the e-mail was forwarded, and what IP address to which it had been forwarded."
That doesn't sound like an attachment. That sounds like a web beacon. Which will get you the IP address of a company's NAT firewall or web proxy, which might be why accounts say it didn't work.
> Then there's the question of how they
> got physical access to the computer;
> that might well involve criminal
> trespass or breaking and entering,
> both common offense in the PI game.
We now know that HP uses ReadNotify.com to track the e-mail. They didn't have physical access to the computer.
The HP lawyer made the argument that the creator of the e-mail owns the copryight *to* the e-mail, and under the DMCA they have a legal right to track what happens to their copyrighted material. In fact in theory, under the DMCA, you can be prosecuted for disabling the tracking mechanism.
There was a long thread on slashdot on how to get around ReadNotify:
I thought the tracking was inside a document attached to the email - not the email itself.
It probably didn't work because they invented a new bogus HP person to "leak" the document from, and were hoping the reporter would forward the bogus document back to her real inside source for verification... talk about a *long-shot* - they should have just given all the board members individually-tracked documents, and seen which one sent it to the reporter...
Althought the actions taken by HP to find the leak were not appropriate, nor is the leaking of confidential corporate information. Why has no one written about the director that was repeatedly leaking the confidential information? Has anyone written their view regarding what action should have been taken by HP to prevent the leaks from continuing? How about answering this regardless of whether you think that leaking the information was a violation of the individual's corporate responsibility as a director?
Judge drops all charges against Dunn.
This doesn't undo the damage to her reputation.
At least she will have the peace of mind from behaving honarably by stepping down and eventally being found innocent in the eyes of the law.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.