Tuesday, April 10, 2007

The RIAA and the MPAA Want Pretexting Back

The RIAA and the MPAA are none too happy about the anti-pretexting bill put into place by President Bush back in January, and as such, recently submitted an amendment to the bill in California that would allow the two organizations to utilize pretexting in their endless search for online pirates.

Although the amendment has not gone through yet, it would certainly set a dangerous precedent if it did. The anti-pretexting bill really does a public service in protecting citizens from corporate overreach; we can only hope that the amendment is turned down.

2 comments:

Sami said...

Being unfamiliar with "pretexting," I spent some time looking it up and I thought it might be helpful to give a brief explanation of the practice, in case I wasn't the only one in the dark.

"Pretexting" is a form of social engineering (read manipulation) in which a "bad guy" presents you with an elaborate lie (the pretext) in order to extract personal information from you.

For example, a few weeks ago I got an email from the University Credit Union claiming they were updating their security or some such, and requesting my password, social security number, account number, etc. All the elements of deception, from the official-sounding format of the message to the look-alike "USC Credit Union" logo helped the email appear legitimate; and I naively forked over the valuable information. As you may have guessed, I was in fact a victim of "pretexting."

Consequently, I WHOLEHEARTEDLY agree with Cameron that this amendment MUST NOT go through. However, I find it very interesting that the anti-pretexting law was passed to specifically criminalize pretexting of phone records, by the very administration caught up in so much hot water over tapping phone lines. Also, I find it "interesting" (read despicable) that the RIAA and MPAA are actually attempting to legitimize a practice which by definition is deceitful.

But regardless of whether or not this amendment passes, pretexting will likely continue; and with more and more of our "private" information online (does that equal "in the public record"?), I think the real question is how can we protect ourselves RATHER than how can we discourage the practice.

qubitsu said...

To jump onto this social engineering note:

As humans, it seems that the way we perceive threats tends to be simplistic and culturally informed. Social engineering works because it becomes easy to penetrate a system of protection with simple knowledge about the "culture of protection" in a given environment.

In the case of a USC Credit Union phishing email, there is an "offline" culture of security that prescribes color schemes and logos as symbols of legitimacy. Alternatively, an "online" culture of security prescribes proper "https" URLs, certificates, digital signatures, and other best practices for legitimacy--and access to this knowledge largely requires cultural participation in order to be meaningful.

To characterize "black hat social engineering": Why hack computers within a tech context when humans within cultural contexts are eminently hackable?