Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.

The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.

I would have thought that existing scam laws would be enough, but Washington state actually has a specific law about this sort of thing:

The lawsuits were filed under Washington's Computer Spyware Act, which among other things punishes individuals who prey on user concerns regarding spyware or other threats. Specifically, the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy, and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater.

The Anchorage Daily News reports back in September 2004:

Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich’s computer, looking for evidence that the state Republican Party boss had broken the state ethics law while a member of the Alaska Oil & Gas Conservation Commission.

The next week, when Palin went back to work at the AOGCC, she noticed that Ruedrich had removed his pictures from the walls and the personal effects from his desk. But as she and an AOGCC technician worked their way around his computer password at the behest of an assistant attorney general in Fairbanks, they found his cleanup had not extended to his electronic files.

The technician “said it looked like he tried to delete this, but she knew a way to go around and get some of the deleted stuff,” Palin said in an interview. “I didn’t know what I was looking for, but I was there.”

And this is how Salon reports the same incident:

“In a neat symbolic fit, the agent responsible for Alaska’s current moment of reform and modernization is a woman, a breed once nearly as rare in far Northwest politics as a Democrat. Sarah Palin, a libertarian and hockey mom from the fast-growing suburbs of Anchorage, began her political career — as an appointed member of the state’s Oil and Gas Commission — by hacking into the computer of another commissioner, Randy Ruedrich, chairman of the Alaska Republican Party. Palin was seeking the evidence that she would eventually use to charge him with an improper relationship with lobbyists. (Ruedrich would later settle state ethics charges against him by paying a $12,000 fine.)”

Is this where the McCain administration is going to get their computer security expertise? She’s not a security expert but it is nice to see someone at the level of state govenor who knows their way around a computer.

The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

“The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” said EFF Staff Attorney Marcia Hofmann. “A presentation at a security conference is not some sort of computer intrusion. It’s protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security — the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not.”

This sets a good precedent for future cases, and perhaps next time a similar situation arises, a judge will not be so quick to issue a gag order. It’s not a happy ending yet though, as the original lawsuit is still in effect.

As Chris Wysopal pointed out last week, the MBTA’s ire is misdirected. Rather than suing the vendor who sold them the defective system, they sued and attempted to silence the students who discovered the weakness. This is 2008, not 1988 — did they honestly think a gag order would prevent the information from reaching the general public? The DEFCON presentation was already available on the Intertubes prior to the injunction being issued, and the MBTA attorneys included a copy of the confidential whitepaper with their filing, thereby making it public.

I guess you wouldn’t expect that a transit authority would have paid any attention to theCiscogate fiasco from a few years ago. That presentation never got out either, did it? All that taxpayer money the MBTA spent on ridiculous lawsuits and restraining orders could have been put toward fixing the security flaws. What a concept.

Since the 1999 Columbine High School shootings and the 9/11 terrorist attacks, many parents feel better having a way to contact their children. But hundreds of students on cell phones during an emergency can cause problems for responders.

"There's a huge difference between feeling safer and being safer," says Kenneth Trump, president of National School Safety and Security Services.

According to Trump, students' cell phone use during emergencies can do three things: increase the spread of rumors about the situation, expedite parental traffic at a scene that needs to be controlled and accelerate the overload of cell-phone systems in the area.

Tom Hautton, an attorney for the National School Board Association, said that cell phones in schools also can lead to classroom distractions, text-message cheating and inappropriate photographs and videos being spread around campus.

We are just naturally inclined to make irrational security decisions when it comes to our children.