Passwords are not going anyplace, but they are getting bolt-on improvements. Things like two factor tokens and text message codes. But passwords still need to be strong enough to match the application they are used for.

You don’t need to change them every 30 or 90 days. Let’s get that out of the way. If you need to change a password that often, either you’re a spy, and there’s better options, or your system is broken and needs a good consultant makeover (call us).

Passwords do need to be long and complicated. The password complexity needs to match the security requirements of your system, which is found through risk analysis. That’s a topic for another day. For now, just think in terms of how much you value what it is tied to. Money, privacy, family photos, your job. If it’s valuable to you, make a good password.

A good password is long, complex, and memorable. It contains numbers, letters, and symbols. People think symbols make it too difficult, but call it punctuation instead, and it’s much easier to work with. That last sentence contains 4 symbols. It’s also how we generally want to make passwords, out of words strung together that we can remember, with numbers and symbols.

This is 1 SUPER-STRONG Password!

That’s an example, but please don’t use it, it is now in every attack dictionary the bad guys have. And don’t use phrases from movies or songs! All the lines and all the lyrics are in all the bad guys dictionaries. You can’t even change it and use it, for example, saying “2 be or NOT 2 be? That is the ?” It’s in the dictionary. Seriously. Use random words.

But how long should it be?

Depends on how long it will take you to find out if someone is trying to break in. Some companies alert you to failed attempts, others don’t. If you don’t get alerts and it doesn’t have a two factor security setting, you should think twice about using it for valuable things.

If it does alert you, or there is a two factor piece, you can use a relatively short password. 20 characters or so, three words or more.

If it doesn’t alert you and you value the service, pick a long password. Six words.

Use a different password on every site, app, and account. Wait! It’s not hard! Because you’re also going to use Lastpass.

You can do it. You kind of have to.

Now you don’t have to change your password from Sportsteam3 to Sportsteam4 next month, and the bad guys won’t steal your money.

How Liticode Helps Clients with the Yates Memo

The Yates memo, if you haven’t heard by now, is instruction from the DoJ about holding business executives feet to the fire in legal matters where the business may be at fault. Liticode provides several service offerings, from Litigation Preparedness Evaluations to process auditing and litigation evidence assistance to help clients address these issues.

The biggest takeaway for executives is that they need to know how things stand in their area of two possibility so they aren’t blind sided by litigation.

Have your in-house counsel call us for an evaluation. Before they need to call us for litigation assistance. It’s well worth the cost to ensure your house is in order, so a business problem doesn’t become a personal problem.

Utilities for Secure Internet Use

A recent case forced us to put together a coherent list of utilities everyone should be using to avoid internet problems.

The first and most important utility is LastPass. LastPass is a container for passwords. You use it on your phone, tablet, and PC. You make up one really good passphrase you can remember easily, and let it take care of the horrible complicated passwords that keep your bank account safe. Nobody likes to type in a complicated password, so they don’t use them, and their accounts are at risk because of weak password choices. LastPass does the hard work for you.

Next, we pair LastPass with Google Authenticator. Authenticator is a free utility for two factor authentication, probably installed on your phone already, or available from either the Android appstore or iTunes. Two factor authentication means you have something in addition to your password. You can use it with all your social media accounts and probably your email. Without your password AND your Authenticator token, nobody can access your stuff, which is great! You’re safe!

Next, set up LastPass to use Google Authenticator, and viola! You are a hard target for internet criminals!

The last piece of the puzzle is integrity, or proving you are you, not some imposter. For that you need to set up an account at In keybase, you set up a key pair for encryption and digital signing. Sounds way more complicated than it is. Plus, once you have a keybase account, you can prove you are you on all your social media and websites like 9gag.

A fringe benefit of keybase is the ability to send encrypted messages.

As with all security utilities, ensure you have your data backed up before you turn on security features, especially encryption! And be sure to read the fine instruction manuals.

Now, what’s a good passphrase for LastPass? Not your favorite movie quote, at least not without some extra work. Here’s some examples of high quality pass phrases, none of which you should use, because they will all now be publicly known!

  • Ferry my horse sun* 2 the far shore for $5.
  • Left. No, right. No, left! YOUR OTHER LEFT!!
  • I had a gr8 password, but i forgot it. :,-(
  • Tension, apprehension, and dissention have begun! Not!

And that is the only thing you’ll need to remember, from now on.

Idle Time Mining

Most forensic shops have several very powerful machines for the business. Much of the time, these machines sit idle, doing nothing in between cases. Consider putting those thoroughbred boxes to more profitable use by mining virtual currencies. The additional income can smooth can flow curves, be used in purchases, and help heat the office in Winter.


Mining operations can be run from different boot disks while the machines aren’t doing anything. It’s pretty easy to set up, and the heating benefits are no joke.

You could cut your office heating bill and get some coins out of the deal.

Besides, virtual currency forensics is going to be huge business. Get involved now.

Musings on The Near Future

When we first started helping litigants with electronic evidence, there was a lack of paying clients. This was because few lawyers then had any grasp of tech who weren’t actively in tech, and courts had even less. Strange, isn’t it, that cases that could have benefitted from electronic evidence failed to capitalize on it, because the people responsible for litigation didn’t grasp is importance. Like only eating the same fast food because you don’t know there’s a restaurant one block over. But gradually it crept in. It took literally decades, but here we are. Now only the very rural or new do not grasp the import of electronic evidence materials.

For the past decade we’ve had a labor shortage, which has worked out well for us, providing a stable enough demand to operate as an independent consulting group, but that is changing.   As the lawyers have become more knowledgeable, demand for technical expertise and billable hours have shrunk, while more professional consultants crowd the field. Fortunately, it is not exactly a commodity service, so we have not suffered a drawdown, but it has limited growth. We see two areas of interest in the near future.

One, is the typical business Oroborus cycle of acquisition and merger. We will likely meet this fate within several years, being small and specialized. Not a problem except as it leads to stagnating methods and standardized responses with higher costs. Sorry, consumers.

The second area is far more dire, and that is the advent of expert systems, or what the ignorant refer to as AI. Experts systems are codified judgement engines that modify their rules based on results. They “learn” from outcomes. Where an expert now collects, processes, and constructs affidavits or testimony, eventually 95% of that work, and the lawyer activity surrounding it, will be done by a supervised expert system.

At which point our job, the technical consultant, turns to criticizing and improving those systems. But it will drastically alter the legal playing field. Especially where one side can afford it and one can’t. We will likely need to extend the right to counsel to include the right to expert system advice. 

One day there will be a public defender computer made of old code and rusty hardware trying to keep up with too many cases and the shiny new Wall Street supercomputer expert system.

I, for one, welcome our new robot overlords as they can be mathematically proven to be fair and unbiased and mistake free. But that’s still at least a decade away, more likely two. 


to the big man himself for passing the HCISSP exam on the first try! Liticode considers the HCISSP a necessary standard for working on HIPAA and hospital security and litigation consulting. No cert is too much of a reach for our valued clients.

On the Structured Interdependence of Policy

Corporate documentation is a multifaceted pyramid structure.  It begins with the business plan and statement of purpose.  The departments are chartered to spell out purpose, responsibilities, and control.  The charters are supported in policy.  Policy is frequently interdepartmental in reach.  Nothing is done in a vacuum.  The policies are detailed in procedures, standards, and other documents.

Everything fits into the structure, which makes it strong.  Errors in the documentation expose a company to risk from a variety of sources.  Every action taken by the company should be traceable back to one of the documents.  The documentation exists to protect and guide the actions of the employees.

It shouldn’t just be a bunch of paper in a binder that gets reprinted once a year for auditors.  It shouldn’t be a stick used only to discipline.

If policies aren’t the inspiration for action, they’re in need of overhaul.  You can tell the vitality of a company by its policy manual.  Is yours a lighthouse in the storm, or a pair of handcuffs?

Proof of Proper Electronic Evidence Collection

One of the nice things about electronic evidence is that it is relatively trivial to create a “provable” methodology to refute any complaints regarding evidence veracity.

For example, assuming you collect widely and preserve broadly, when it comes time to cull and produce materials for review, this should be done using scripts (small computer programs rapidly written by professional resources) which remain with the culled materials for later review, should there be any doubts.

Provided with both the original sources and the cull scripts, the production materials should always be the same. Providing the opposition approves of the scripts written, there can be no doubt about the veracity of the materials produced.

While scripts remain largely unchanged between cases, a general search for strings is simple enough, narrowing the cull intelligently requires more skill, and true targeted refinement requires pattern manipulation skills not commonly found amongst technicians. Yet these culling scripts can drastically reduce the size of the evidence for consideration, and simplify case dynamics.

GIven the sizes of preservation sets, the key to a quality case, is the speed with which it proceeds and the quality of the interaction. Good culling improves the legal experience and is best done using a combination of standard process and expert eye, depending on the complexity. Spending money on expert assistance such as that provided by Digital Trust® results in saved money over the life of the case, frequently drastic savings.

Using and providing scripts for review ensures the materials produced are incontestable.

Truecrypt Kerfluffle

In late May of 2014 the developers of Truecrypt posted version 7.2 with some issues that caused a flurry of concern and activity ultimately resulting in the developers attempting to shut down the product.  It appears as of now that there may be some shenanigans going on in the code, but nobody knows for sure at this point.  All we know is that 7.2 was compromised and should be avoided.

However, if you are considering abandoning TC altogether, you might want to delay a bit until more is known.  First off, the program has not been abandoned by the community and is hastily reforming in what is hoped will ultimately be a clean version thoroughly examined by the open source community.  Second, many clients have a tremendous investment in the program, and change will be expensive.  Third, it still works as far as anyone knows.  There has been no “skeleton key” disclosure, and as of now it seems at worst that a large government agency can read the files, but they are not a threat to most people’s use.

Digital Trust’s guidance on the software at this time is: if you are traveling with highly sensitive material and relying on Truecrypt to avoid compromise by another agency, (you’re a fool and) change those travelling devices to another form of encryption.  If however, you are in a relatively safe security environment and relying on Truecrypt to protect basic privacy and legal confidence, take no action at this time, unless you are using version 7.2, in which case we advise immediate downgrading and cleanup.

The cost of converting existing business assets to a new program should be weighed against the likelihood that all of this ends benignly.  For the majority of our clients we are advising you to remain with Truecrypt and simply not upgrade to 7.2.  Should the situation change, we will recommend further action at that time, but for now, just keep working with what you have.

To be as clear as possible: those clients currently relying on 7.1a or lower should continue to do so and not upgrade past 7.1a.

“Keep calm and don’t upgrade.”