Archive for the 'Security Advisories' Category

Oct 04 2010

Asking the right questions about Tokenization

I make no bones about it: I’m a very big fan of the concept of tokenizing credit card numbers as early in the merchant’s payment stream as possible.  For some merchants this will mean replacing credit card numbers with random tokens on their back-end servers, using the token internally, but still storing the credit card number in a heavily defended server somewhere in the data center.  For other merchants tokenization will mean encrypting the data at the PIN pad, sending it to their acquiring bank and receiving a token to use in place of the credit card number within their own systems, thereby taking most of the merchant’s systems out of scope for a PCI assessment.

These sound like, and are, both worthy uses of tokenization, but there’s a lot of confusion about the difference between these two extremes of the technology, and especially about how those differences affect your implementation and scope!  Which is why I’m glad to see an article like Walter Conway’s, “Playing Token Trick or Treat“.  As much as many people would like to see a straightforward review of specific products that allow for tokenization, this is still too much of a nascent technology for reviews to be realistic or useful.  Anyone who implements a tokenization solution will be on the cutting edge, and in many cases will be beta testing technologies for the manufacturers.  It’s early enough in the process that by being involved in a tokenization project you can actually have a large influence on the products we see over the next few years.  Which is exactly why it’s so very important to know exactly which questions to ask when evaluating and implementing a tokenization solution.

Walt’s first question is probably the most important of them all: “Have you found all your cardholder data?”  Even if you’re not assessing a tokenization solution, this is an important question to be asking yourself on a regular basis.  And once you’ve asked it, go back and ask again.  And again.  And again.  Until you’ve asked half a dozen or more times and continue to ask every few months, you won’t have any level of certainty that you’ve found it all.  Even then, it’s possible you’ll develop a leak somewhere and cardholder data will pollute portions of your network that were never intended to hold or secure cardholder data.
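To make both points concrete, here is an added example of my own (it is not from Walt’s article or from any tokenization product): a Luhn-filtered scanner that answers “have you found all your cardholder data?” over a few constructed log lines, and a minimal in-house token vault of the first kind described above, where the token is random, keeps the last four digits for receipts, and deliberately fails the Luhn check so the scanner, and anyone who steals a token, cannot mistake it for a card number. The log lines, the test card numbers and the vault design are assumptions made for the example.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated singly by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digits-only PANs found in text.

    The regex alone also matches order ids, timestamps and phone numbers;
    requiring the Luhn check to pass removes most of those false positives."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """The only place the PAN lives; everything else holds a token.

    Tokens are random digits of the same length (so they fit existing card
    fields), keep the last four digits, and never pass Luhn, so they are
    distinguishable from real PANs and useless without the vault."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:      # same card -> same token, for repeat-customer lookups
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the part that stays in PCI scope) can reverse a token."""
        return self._token_to_pan[token]


# Constructed log lines (not real data): a 16-digit order id that is NOT a
# card number, a well-known test PAN written with spaces, and a phone number.
SAMPLE_LOG = """\
2010-10-04 09:12:01 order=1234567890123456 amount=19.99
2010-10-04 09:12:02 card=4111 1111 1111 1111 auth=approved
2010-10-04 09:12:03 phone=555-0100 contact=ok
"""


def scan_and_tokenize(text: str, vault: TokenVault) -> Tuple[str, Dict[str, str]]:
    """Replace every PAN in text with its token; return the cleaned text and the PAN->token map."""
    mapping: Dict[str, str] = {}
    # Process matches right-to-left so earlier offsets stay valid while we rewrite.
    for m in sorted(PAN_CANDIDATE.finditer(text), key=lambda x: -x.start()):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            token = vault.tokenize(digits)
            mapping[digits] = token
            text = text[:m.start()] + token + text[m.end():]
    return text, mapping
```

Run `find_pans` over the constructed log and only the real card number comes back; run `scan_and_tokenize` and the cleaned log no longer triggers the scanner at all, which is exactly the property you want to re-check every few months after a tokenization project.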

Walt has a good number of other questions you should be asking if you’re assessing, or just curious about, a tokenization solution.  Make sure you understand the possibilities and the pitfalls of any solution before you make the leap of faith required to implement such a young technology. 

Update 10/11/10:  Here’s the second article on tokenization and some of the questions to ask, “If your token vendor goes bankrupt, what happens to your data?”

 


Sep 15 2010

Market leadership through lawsuit?

I am not a lawyer and I don’t even pretend to understand the complexity of our patent system when it is applied to software, but I’m always astounded when companies file lawsuits based on broad, over-arching technology solutions.  I find this especially distressing when it affects a market that is, in itself, a fairly simple idea, like database encryption.  So when I received a press release from Protegrity stating they’d filed suit against Ingrian, Safenet, NuBridges and Voltage this morning, it did not sit well with me.

I’ve seen too many companies over the last decade that are nothing more than patent trolls who acquire patents specifically for the purpose of lawsuits.  Protegrity clearly is not a patent troll; they’ve been very active in the database encryption market and likely have every right to file this lawsuit.  I’m more concerned in a number of ways with the turn our patent process has taken since software patents were allowed than with this particular lawsuit, but I’m hoping that Protegrity isn’t using a legal attack to take out some of its biggest competitors in the field of database encryption.  Only time will tell if it has that effect, whether it’s intended or not.

The other thing that really worries me is the effect this will have on the still young end-to-end encryption market space.  Will the potential of a lawsuit based on these or other patents related to E2E have a chilling effect on new technology that shows the potential to make huge improvements in credit card security?  Or is there so much money to be made in the E2E field, so many big names backing the smaller players, that the potential of a lawsuit will be overcome by the potential to make a profit?  I suspect the potential lawsuits will make companies think twice, but in the end the potential profit will quickly overcome any worries about lawsuits.

As always, read the press release, read between the lines and make your own decision.  I’ve included the entire press release below the break for your review.


Mar 16 2010

Network Security Podcast, Episode 189

We’ve been hearing about the Aurora attacks on Google and a host of other companies since early January.  So why is it that NSS Labs is finding that the majority of the End Point Protection (aka AV) companies aren’t protecting against the vulnerability yet?  And why is AVG upset with NSS Labs and their testing methods? To answer these questions and many more, Rich and Martin were joined tonight by Vikram Phatak, the CTO of NSS Labs.  Vik gave us some of the back story on why they were testing AV products and some of the surprising discoveries they made.  It’s not easy being an independent testing company and sometimes you’re going to annoy people despite your best efforts.  And sometimes people are going to be annoyed with you no matter what.

One point Vik wanted to make that didn’t make it into the podcast is that the 0day that was used in the Aurora attack is not just being used against corporate targets.  It’s being used against consumers as well, so it’s important that the average home user be aware that their AV product may not be protecting them at this point.  What is part of the podcast is a discussion of how many AV vendors are trying to protect against the payload that malware is attempting to deliver, not the exploit itself.  Both are important points people need to be aware of.

Network Security Podcast, Episode 189, March 16, 2010
Time:  39:56

Show Notes:


Feb 28 2010

Comparing compromises (VerIS Metric Framework)*

Published by under PCI, Risk, Security Advisories

My friend Alex Hutton and the rest of the RISK Team at Verizon Business have done it again!  This time, rather than release a report about breaches, they’ve released the Verizon Incident Sharing Metrics Framework (VerIS for short).  All the awesomeness that went into creating the 2009 Verizon Breach Report is being shared with the incident response community so that we can compare apples to apples when it comes to compromises.  Rather than each company capturing its own unique dataset and creating statistics in its own particular way, VerIS is a framework that allows companies to capture the same sorts of data about a compromise and compare it directly to the compromises other companies are seeing.  This is exactly what we’ve been asking for since the first Verizon Breach Report.

One of the highlights of the year for me is when the Verizon Breach Report comes out.  Many of us have anecdotal evidence of breaches and know on a visceral level that if we don’t secure our networks and enforce policies that bad things are going to happen.  But the Breach Report is what allows us to take it from feelings and anecdotes to being able to show our company’s leadership exactly what lapses in security have led to many of the breaches in the last year.  If you haven’t read the 2009 Verizon Breach Report, stop reading this and go review it now.  After you’ve read that, you may also want to fill out some marketing surveys and read the Trustwave Global Security Report of 2010. Or at least read Rich’s short review of the report.  Including the part where he asks the folks at SpiderLabs to use a standard base of metrics.

The Verizon Incident Sharing Metrics Framework gives us the ability to start collecting one of the things security is sorely missing:  common collection and comparison methods for breaches.  Long ago and far, far away I used to be in the life insurance biz, and one of the cornerstones of insurance is actuarial tables.  An insurance company can look at your height, weight, sex, and several dozen other statistics and tell you very easily if you’re likely to die from some factor within the span of their insurance policy.  It’s no accident that as you become older insurance becomes more expensive.  They know exactly what your chances are compared to those like you, in large part because they’ve had centuries of common data to draw from and create tables of how those factors affect your long term survival.  And as much as we talk about statistics in security, we’re a fledgling science and have a relatively small, confused dataset to draw from when creating our own actuarial tables.  We literally don’t even have enough information to know what we don’t know yet, let alone establish any sort of meaningful relationship between security measures and breaches.  VerIS gives us a chance to start changing this.

Read the slick on what data VerIS is aimed at collecting and how it can be sliced and diced; I make no secret of the fact that I’m more of a consumer of the final information than I am interested in how it was collected.  But what I find fascinating and important is the goals Verizon Business is setting with this framework.  It’s not meant to be the last word in incident metrics; it’s only a starting point that other companies can extend.  VzB is actually looking for help extending the framework and making it as powerful as they can.  The VerIS Framework is meant to promote information sharing and if enough people contribute to the underlying datasets, we can get something important out of this as a community.  It’s not hard to add your own unique twist to how you slice and dice the information, but what’s important is that we have a common set of statistics to start from so we can know we’re comparing the same factors when looking at breaches.

It’s going to be a while before we have anything as deep and rich (and boring) as an insurance company’s actuarial tables.  But if a common framework gives us the possibility of being able to scientifically state what security measures are effective and which are only skin deep, VerIS is a winner.  One of the complaints about a compliance framework like PCI is that it doesn’t respond well to changes in the real world.  But what if the PCI Council mandated the use of something like the Verizon Incident Sharing Framework and made changes to the next version of PCI based on that instead of vendor and merchant wants and desires?  Now that would make PCI something truly effective.

*Full disclosure:  I work as a QSA at Verizon Business for my day job.  However everything about this blog is strictly my opinion and no one but my wife has more than a cursory influence on what I write here.


Feb 20 2010

Don’t spy on my children!

I am amazed that the administration at Lower Merion School District (LMSD) couldn’t figure out something my eight year old son realized in just a few minutes: “Spying on people in their own home is wrong.  And really creepy.”  But they obviously couldn’t, so when they supplied 1800 students with Apple laptops 18 months ago, they included software with the laptops that would allow them to track stolen laptops and remotely turn on the iSight cameras on the Macs and take pictures of the thief.  Or pictures of a student doing something unnamed and naughty in his own home.  And then use that picture as evidence to prove that a student was doing something inappropriate in his own home.  After all, who’d ever think a teenager with a laptop would do something inappropriate when home, alone, with access to the Internet and all the sites that are normally forbidden to him?

When LMSD purchased 1800 Mac laptops for their student body, they made what was obviously a legitimate decision in their eyes: place software on the laptops that would allow the district to track their investment if it was lost or stolen.  These are laptops we’re talking about; they’re highly mobile and cost approximately $2000 each, so it’s understandable that the district might want to protect their investment.  But they never told the students or their parents that the software came as part of accepting the laptops.  As far as I can tell, the software installed was most likely one of the following:  LoJack, Undercover, MacTrak, BigFix or Hidden.  All of these systems are meant to be used to track stolen laptops, have the ability to turn on the camera remotely and can take screen captures and pictures through the Mac’s iSight camera.  There may be several other solutions, and with the exception of BigFix, these are all consumer-level products that are meant for one user to track one laptop and aren’t really meant for tracking a large number of users.  This is important because an enterprise version of this spyware is going to have significant logging capabilities, whereas a consumer version might be utterly lacking in logging.  Allegedly, only two administrators had access to the systems for turning on the tracking and camera capabilities of the software.  What we’ll have to see now is what sort of logging the use of the software generated.  If it’s a consumer-level product, I don’t have much hope for an accurate count, unless the tracking service itself keeps a log of how often the tracking of each laptop is turned on.  LMSD maintains that they “only” used the software 42 times, or less than 50; their stories are conflicting.

I’ve been working in IT for a long time and a lot of my friends and acquaintances are people who would loosely be called ‘hackers’ by the public.  I don’t mean the people who are trying to break into your computer, I mean the people who test the limits of any system they come in contact with, just to see what it can do.  Most of the people I know who are good at their IT and computer security jobs are like this; they want to push the envelope so that they know what their systems can and cannot do.  Which is why having tracking and spying software on student laptops scares the snot out of me!  I know from personal experience that one of the first things the administrators of this system probably did was test it to see what they could and could not see from using the spying software, see if they’d be detected when it was turned on and see how they’d be tracked when they did turn on the spy software.  In and of itself, this attitude isn’t a bad thing, it’s part of the nature of the business we work in and the people it attracts.  But given the sensitive nature of who and where these laptops were going to be, unless there’s a complete, unmodifiable log of everything that was done using the spyware, I’m all but certain it was abused at least once during the time it was enabled on student laptops.

Another potential for abuse is exactly what happened to crack this whole issue wide open: a well meaning, if ignorant, Vice Principal used the capability of the spyware to take a picture of a student doing something he wasn’t supposed to.  It’s not clear yet exactly what the nature of the student’s abuse was, if his laptop had been reported stolen, if the software was activated for some other reason or if this was part of a systematic spying on the students.  What is known is that the Vice Principal used pictures taken from the iSight camera with the spying software to confront a student and his family with evidence of wrongdoing in a misguided attempt by the Vice Principal to do what she considered to be the right thing.  Unluckily for her, when it comes to spying on students at home, it’s much less of a slippery slope and more of a sudden drop off into the abyss of ‘1984’.  I guess the whole school district skipped the ethics class when they were earning their teaching credentials.

The scariest potential abuses of this system both involve people who’d purposefully and knowingly break the rules the school set around this spying system.  Imagine if one of the administrators of the spyware was a closet pedophile or simply thought one of the students was much more mature than his or her years.  Students probably had their laptops sitting on their desks and undressed in front of them fairly often; after all, normal people don’t think their laptop is going to spy on them, so why bother turning it off or closing it before getting ready for bed.  Even worse is the thought that some student or malicious outsider (the classic media definition of ‘hacker’) found out that LMSD had this software installed and was able to break into the spyware system and use it at will.  These are merely suppositions, worst-case scenarios, but they are some of the factors that LMSD should have thought of before implementing spyware on student laptops.  A system that has this much potential for abuse should have a similarly appropriate level of tracking, alerting and logging to prevent the curious and the malicious from doing something unethical, illegal or immoral.  Don’t be surprised if at some point in the near future pictures of LMSD students start showing up on the Internet.
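The “complete, unmodifiable log” the previous paragraphs keep coming back to is a solvable engineering problem, so here is an added example of my own (not code from LMSD or from any of the tracking products named above) of the minimum a remote-activation console should keep: a hash-chained, append-only record of every activation, sealed with an HMAC under a key the console operators do not hold, so that an edited or truncated log is detectable and the “42 uses” figure can be produced from the log rather than from memory. The operators, device ids, timestamps and the escrowed key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List

GENESIS = "0" * 64   # "previous hash" of the very first record


def _digest(rec: Dict[str, Any]) -> str:
    """SHA-256 over the canonical JSON of a record, excluding its own hash field."""
    canon = json.dumps({k: v for k, v in rec.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


class AuditLog:
    """Append-only log of remote-tracking activations.

    Every record includes the hash of the record before it, so changing or
    removing an earlier entry breaks every hash after it. The head of the
    chain is sealed with an HMAC under a key the console operators do not
    hold (assumed here to be kept by an independent party), so a rewritten
    chain cannot simply be re-sealed by the people it is meant to watch."""

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    def append(self, ts: str, operator: str, device: str, action: str, reason: str) -> Dict[str, Any]:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "ts": ts, "operator": operator,
               "device": device, "action": action, "reason": reason, "prev": prev}
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def seal(self, seal_key: bytes) -> str:
        """HMAC of the chain head; recomputed by the key holder after each review."""
        head = self.records[-1]["hash"] if self.records else GENESIS
        return hmac.new(seal_key, head.encode(), hashlib.sha256).hexdigest()


def verify_chain(records: List[Dict[str, Any]], seal_key: bytes, seal: str) -> bool:
    """True only if every link is intact, in order, and the head matches the seal."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev or _digest(rec) != rec["hash"]:
            return False
        prev = rec["hash"]
    expected = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal)


def activations_per_device(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """How many times the camera was switched on per laptop: the figure a
    district would have to produce to back up a claim like '42 uses'."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rec["action"] == "camera_on":
            counts[rec["device"]] = counts.get(rec["device"], 0) + 1
    return counts


# Constructed sample data: operators, device ids, timestamps and key are invented.
SEAL_KEY = b"constructed-escrow-key-held-by-third-party"


def build_sample_log() -> AuditLog:
    log = AuditLog()
    log.append("2010-02-01T14:02:00Z", "itadmin1", "laptop-0417", "camera_on", "reported missing")
    log.append("2010-02-01T14:20:00Z", "itadmin1", "laptop-0417", "camera_off", "recovered")
    log.append("2010-02-03T09:11:00Z", "itadmin2", "laptop-0930", "camera_on", "reported missing")
    log.append("2010-02-04T22:40:00Z", "itadmin1", "laptop-0417", "camera_on", "reported missing")
    return log
```

The design choice that matters is the seal key: a hash chain alone only proves the log is internally consistent, and whoever can append can also rebuild the whole chain. Keeping the sealing key away from the operators is what turns “we only used it 42 times” into something an investigator can check rather than take on faith.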

The good news is that in addition to the civil suit the Lower Merion School District has been hit with, the FBI has started an investigation into the allegations of wrongdoing.  The lawsuit alone is going to cost LMSD more than losing every last laptop would have, possibly by several orders of magnitude.  The business decision to track the laptops therefore turns out to be an utter failure.  Hopefully the FBI will be able to poke around the LMSD systems deeply enough that they’ll find any abuse of the system or confirm the district’s assertion that the system was only used 42 times.  This is where all the logging capabilities of the spyware will be tested, and the software vendor should expect a subpoena and a visit from the FBI soon.  My suggestion to the FBI would be to pay special attention to any system administrator or school official that has had their computer recently re-imaged; while not proof of guilt, given the severity of the potential crimes that could be committed with the school’s spyware, it’d be worth sending out the hard drives for recovery of the previous file system.
 
I truly hope that the FBI finds that the LMSD number of 42 times the spyware was used is accurate.  That would mean that most of my worst case scenarios haven’t happened.  But I suspect that even if the system wasn’t purposefully abused, 42 only represents the number of times that the spyware was used while going through the proper processes and procedures at the school district; it might have been used or abused many more times by the people who had access to it by design or by flaw.  And even if 42 is accurate, it will be up to a jury to decide if each of those uses were justifiable and legal.  In a civil court it’s going to be much harder for the school district to defend itself than it will be when the criminal charges are brought against the people responsible for the installation of the spyware.  And I’m confident that at least one person will be brought up on charges unless the whole school district is run and managed by people who are perfect angels.  Given that the system has already been abused, I’m pretty sure that supposition has been disproven.

I’m a parent of two pre-teen boys.  I probably wouldn’t have accepted a laptop from the school for either of them personally; I have more than enough computing power at home that I don’t need to bring someone else’s computer into the house.  And if this had happened in my school district, I’d be screaming for blood.  The school administrators who instigated and ran this program need to lose their jobs; they obviously don’t have enough of a moral compass to understand the difference between right and wrong and have no right to be working with children and teaching the next generation.  That may sound harsh, but these are people who thought that the security and safety of a few laptops was more important than the privacy and safety of the students who were using the same laptops.  A piece of hardware may be expensive, but it’s infinitely less important than my children and the children who live in the Lower Merion School District.  The inability to see that fact is proof of their utter lack of suitability to be working with children in the first place.

It may be that we find out that the spyware LMSD installed was never abused and that every instance of its use was justifiable.  But the installation and use of the system in the first place without notifying the parents and students was an utter and complete violation of these families’ civil liberties and right to privacy, not to mention the administrators’ ethical responsibility.  It shows that the school district placed more value on the laptops than on the Constitutional rights of these families.  I find that unacceptable and hope that between the civil suit and the FBI investigation a strong message is sent to schools around the country that this sort of spying on students is not and never will be acceptable in any way, shape or form.  I hate to think about what I’d do if I ever found out my sons’ school district was spying on them in this way; there’s a reason I earned the nickname “Captain Privacy”.


Nov 08 2009

Simple worm RickRolls jailbroken iPhones

I knew it had to be just a matter of time before someone took advantage of all the jailbroken iPhones and created another malicious tool to pwn them.  This time the attacker has been RickRolling iPhone users, changing the background on the phones to a picture of Rick Astley.  The worm is fairly simple and uses the default password set up on the SSH daemon when you jailbreak your iPhone, so if you’ve taken the 5 minutes required to change the password, you’re perfectly safe from the effects of the worm.  Of course, it’s written by someone in Australia going by the name of ‘ikee’ and generally has only been hitting phones down under, but given that the ikee code was released, along with an interview, it’s only a matter of time before someone else creates a new version that does something much nastier than putting up a picture of an 80s pop icon.  I can think of a couple of people I know who’d be willing to put pictures of goats or lemons or things with spelling close to that on your iPhone.  And those are just the people who are there to be playful.

I’ve said it a number of times in the last week, but it bears saying again:  If you’ve jailbroken your iPhone, change your iPhone’s root password immediately!

By the way, I don’t know anyone who’s jailbroken their iPhone in order to access pirated software, everyone I’ve talked to did it so they could install software that unlocks capabilities that Apple doesn’t want us to have in existing apps, for example tools like xGPS and SBSettings.


Nov 08 2009

Ethics of spilled COFEE

Last year Microsoft released a tool called COFEE (Computer Online Forensic Evidence Extractor) to law enforcement agencies around the nation and around the world.  While COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers: you just plug in a USB key with COFEE installed and, if autorun is enabled on the computer, it runs a series of diagnostics, writes a report and generally gives a quick and dirty analysis of the computer.  It’s not an exhaustive tool, and most of the commands and tools COFEE uses are things that you already have on your computer and could run manually any time you want.  It’s a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.

In the last 48 hours, a user on what.cd uploaded a torrent of COFEE and made it available for any user to download.  Which, of course, means that it’s now available on any number of bittorrent sites.  The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild.  Even if many of the bittorrent sites agree to pull the torrent, there are enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.  The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.

It needs to be pointed out that COFEE is owned and jealously guarded by Microsoft.  I won’t be surprised if they start going after people to get this removed from the Internet.  Surprisingly, the folks at What.cd say they took down the torrent on their own, with no prompting from either Microsoft or law enforcement.  It may be that they decided the amount of attention it could draw to a site like theirs was more than they were willing to risk.  Or it could be they did it for altruistic reasons, but I’m more willing to believe the former than the latter.

Now that the COFEE has been spilled into the tubes of the Interweb thingy, what are our moral and ethical responsibilities as security professionals concerning the tool?  Should we ignore it and hope the police can pull it off the bittorrent sites before everyone and their brother have a copy?  Should we be reporting people who make it available?  Or should we be reviewing the tool ourselves and proposing ways to make it better?  This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference.  While this is interesting, it’s nothing top secret or even that revolutionary.  I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from learning the limits of COFEE and figuring out ways to prevent it from collecting anything if they ever have their own computers compromised.

Personally I think the tool’s been leaked and rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools.  There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it.  For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased. 

If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers.  If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use.  I don’t think that having COFEE leaked reduces its effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep its capabilities secret.
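Since the post above describes what COFEE does (plug in, run a set of built-in commands, write a report) and argues for an open alternative, here is an added example of my own of the core of such a collector in Python. It is not COFEE’s code or anything from Microsoft, and the command list is an assumption for a Unix-like host rather than COFEE’s actual command set, which isn’t given here. The point it adds is the part that makes a quick-and-dirty report usable as evidence: each command’s output is hashed the moment it is captured, the hashes are chained into a seal, and a failed command is recorded rather than aborting the run. The command outputs and host details are constructed so the module runs offline.

```python
import hashlib
import json
import subprocess
from typing import Callable, Dict, List, Tuple

# Steps ordered roughly by volatility: capture the most transient state first.
# Assumed commands for a Unix-like host; NOT COFEE's own command list.
DEFAULT_STEPS: List[Tuple[str, List[str]]] = [
    ("clock", ["date", "-u"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,etime,args"]),
    ("sockets", ["ss", "-tunap"]),
    ("sessions", ["who"]),
]

Runner = Callable[[List[str]], Tuple[int, str]]


def run_command(argv: List[str]) -> Tuple[int, str]:
    """Run one collection command and return (returncode, combined stdout+stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return proc.returncode, proc.stdout + proc.stderr


def collect(steps: List[Tuple[str, List[str]]], runner: Runner = run_command) -> Dict:
    """Run each step and record its output with a SHA-256 taken at capture time.

    A step that cannot run (missing tool, timeout) is recorded as a failure so
    the rest of the collection still happens. The seal over all step hashes
    means steps cannot later be dropped or reordered without detection."""
    steps_out = []
    for name, argv in steps:
        try:
            rc, out = runner(argv)
        except (OSError, subprocess.TimeoutExpired) as exc:
            rc, out = -1, f"collection failed: {exc}"
        steps_out.append({
            "name": name,
            "argv": argv,
            "returncode": rc,
            "bytes": len(out.encode()),
            "sha256": hashlib.sha256(out.encode()).hexdigest(),
            "output": out,
        })
    seal = hashlib.sha256("".join(s["sha256"] for s in steps_out).encode()).hexdigest()
    return {"steps": steps_out, "seal": seal}


def verify(manifest: Dict) -> bool:
    """Re-hash every output and the chain of hashes; False if anything changed."""
    ok = all(hashlib.sha256(s["output"].encode()).hexdigest() == s["sha256"]
             for s in manifest["steps"])
    seal = hashlib.sha256("".join(s["sha256"] for s in manifest["steps"]).encode()).hexdigest()
    return ok and seal == manifest["seal"]


def write_report(manifest: Dict, path: str) -> None:
    """Write the manifest as JSON; the seal travels with the report."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)


# Constructed outputs standing in for a live host (invented hostnames, pids, addresses).
FAKE_OUTPUT = {
    "date": "Sun Nov  8 21:14:03 UTC 2009\n",
    "ps": "  PID  PPID USER   ELAPSED ARGS\n    1     0 root   12:03:55 /sbin/init\n"
          " 4242     1 alice  00:01:09 /usr/bin/ssh-agent\n",
    "ss": "Netid State Local Address:Port Peer Address:Port\n"
          "tcp   ESTAB 192.0.2.10:51234  198.51.100.7:22\n",
    "who": "alice    tty1   2009-11-08 20:55\n",
}


def fake_runner(argv: List[str]) -> Tuple[int, str]:
    """Stand-in for run_command using FAKE_OUTPUT; an unknown tool raises like a missing binary."""
    if argv[0] not in FAKE_OUTPUT:
        raise FileNotFoundError(argv[0])
    return 0, FAKE_OUTPUT[argv[0]]


if __name__ == "__main__":
    report = collect(DEFAULT_STEPS, runner=fake_runner)   # swap in run_command on a real host
    write_report(report, "triage-report.json")
    print("steps:", len(report["steps"]), "verified:", verify(report))
```

Two caveats a real replacement would need to address: relying on autorun, as the post describes COFEE doing, only works where autorun is still enabled and is itself a well-known infection vector, so a live-response stick should be launched deliberately; and the hashes here only prove the report matches what the tools printed, not that the tools on a compromised host told the truth, which is why such a stick should carry its own trusted binaries.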

 


Nov 03 2009

Turn off SSH on your jailbroken iPhone!

Jailbreaking an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place.  Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for my friend Bob to jailbreak his phone multiple times.  But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.”  Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in the Netherlands with a jailbroken iPhone, you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password.  This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure.  It goes on to give them a link and asks for 5 euros in order to secure the phone.  This has been sighted on a relatively few iPhones so far, but it’s not inconceivable that this could be weaponized and used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.  I have no problem complaining about companies like Time Warner who’ve consistently given their users insecure routers.  The company is supplying and configuring the device, so the responsibility (and the power) to secure the routers is theirs and theirs alone.  The user has no ability to make changes and in most cases probably doesn’t know much more than how to plug the router in and turn it on.

But once you’ve taken the steps to jailbreak an iPhone or hack your router, you’ve relieved the company of that responsibility.  It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device.  So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone, or whatever device you’re hacking into today.


Oct 27 2009

Positive for Lifelock, Experian, a loss for consumers

Fraud alerts on your credit cards are one of those really useful tools that have been put in place by law, only to be neutered by the same law.  They’re great in that they put a lock on your credit scores and let you know when anyone is trying to open an account in your name, but at the same time they’re incredibly hard to use because you have to fill out paperwork every three months.  There is an extended fraud alert that will protect you for a period of seven years, but in order to qualify for that, you have to provide a police report proving that you’ve been targeted by identity theft.  To top off the insult from the credit reporting companies, you have to file separate fraud alerts with each company and maintain them yourself if you want to be relatively safe.

Enter Lifelock; for a small monthly fee they would maintain your fraud alerts for you and even provide a number that creditors could call in order to unlock your credit ratings.  This was great for consumers: it let them keep their credit scores locked so that it was that much harder for someone to open an account in your name or for the credit card companies to review your credit score and send your monthly junk mail offerings.  This was a big win for us, but it cuts into the major source of revenue of the big three credit scoring companies, Experian, TransUnion and Equifax.  If too many people keep their credit scores hidden, the scoring companies can’t sell their big lists of names, or at least those lists lose some of their value.  So in 2008, Experian sued LifeLock to block the practice and won.  Experian and LifeLock have settled the lawsuit, and LifeLock is forever forbidden from filing credit locks on behalf of consumers.

According to Experian and LifeLock, this is a positive for LifeLock, which it is.  They get to move out of the shadow of a nasty lawsuit and rework their business model to find something else to do to help protect consumers.  Experian and the other two credit scoring companies find this to be a huge win, since it sets a precedent and makes it that much harder for any other company to provide a similar service.  The big loser in this transaction is us, the consumer, since we now have to remember to reset our credit lock with all three credit scoring companies every three months if we want to protect ourselves.  Thanks, Experian.  You’ve made it perfectly clear what you’re really trying to protect: your revenue stream.


Oct 26 2009

Respect the law, but don’t talk to them

I knew about the Miranda act and the Fifth Amendment, but I’d never really realized how little protection they offer if you decide to talk.  The words “Anything you say can and will be used against you” really mean exactly what they say.  I’m not much of a trouble maker, despite what some of my previous employers might say, but after watching a pair of videos from the University of Alberta (watch them below or on the Law is Cool site), the only words I’m going to say to a police officer from now on are going to be “I want to talk to my lawyer”. 

The point that the professor makes again and again is that there is nothing you can say to a police officer that is going to help you.  You are infinitely more likely to say something that can be used against you, even if you’re innocent, than anything you say helping you.  The part that surprised me is that even if you say something to the police that could help you, your attorney can’t use it in your defense.  That may just be the law in Canada, but I’m not willing to take the chance.

Even if you’re completely innocent and were just a witness to a crime, do yourself a favor and have a lawyer present.  It’ll cost you some money, it’ll cost the police some time, but it might make the difference between potential problems and walking out of the police station at the end of the interview.  People get excited and make mistakes, and things sometimes come out the wrong way.  Better to remain silent and be thought a fool than open your mouth and remove all doubt.  The officer in the video states several times that the police are allowed to lie in interviews; in a worst-case scenario, what you thought was just making a statement could turn into a full on interrogation if you misspeak, even if it’s an honest mistake.

This should make the holiday season interesting; my brother-in-law is a Southern California police officer and I don’t think he’d see the humor in me bringing a lawyer to the family get-togethers.
