STE WILLIAMS

Facial recognition: how many rogue drivers has it stopped in New York?

A guy who’s been convicted four times for drunk driving buys the identity of a man who’s imprisoned in Puerto Rico.

He uses that identity to get another driver’s license to keep driving trucks in New York. In fact, that same identity gets around: it was also sold to people in Connecticut, Florida and Massachusetts. This kind of thing goes on and on: their licenses get suspended, but many drivers skirt the law by fraudulently getting another license or stealing an identity, with one result being seriously unsafe drivers zooming around unchecked.

Eventually, the state of New York got the habitually drunk truck driver, courtesy of facial recognition (FR) technology that the state put on steroids in January 2016. His is one of a number of anecdotes that Andrew M. Cuomo, New York’s governor, dispensed in an announcement on Monday about hitting an FR milestone when it comes to fraud investigations.

As Cuomo said back in January 2016: the steroids amounted to doubling the number of measurement points mapped to each digitized driver photograph. That’s greatly improved the ability of the New York State Department of Motor Vehicles’ (DMV’s) FR system to match a photograph to one that already exists in its database:

The use of this facial recognition technology has allowed law enforcement to crack down on fraud, identity theft, and other offenses – taking criminals and dangerous drivers off our streets and increasing the safety of New York’s roadways

We will continue to do everything we can to hold fraudsters accountable and protect the safety and security of all New Yorkers.

Twenty months into the pumped-up FR program, New York is bragging about having identified more than 21,000 possible cases of identity theft or fraud, which has led to more than 4,000 arrests and more than 16,000 individuals facing administrative action.

Given FR’s notoriously high error rate, one wonders exactly how many actual convictions have resulted. It might be early to ask, given the slow wending of cases through the legal system, but I asked anyway. I’ll update the story if the governor’s office gets back to me with a conviction rate and/or with an explanation of how, exactly, the system is set up to avoid false positives.

That’s worth worrying about.

During a recent, scathing US House oversight committee hearing on the FBI’s use of FR technology, it emerged that 80% of the people in the FBI database don’t have any sort of arrest record. Yet the system’s recognition algorithm inaccurately identifies them during criminal searches 15% of the time, with black women most often being misidentified.

That’s a lot of people wrongly identified as persons of interest to law enforcement. According to a Government Accountability Office (GAO) report from August 2016, the FBI’s face recognition database has 30m likenesses.

It’s amassed all those photos from civil and criminal mugshot photos, the State Department’s visa and passport databases, the Defense Department’s biometric database, and the drivers’ license databases of 18 states. In fact, nearly half of all Americans are in an FR database that the FBI can get at without warrants or without even having to prove they have reasonable suspicion that we’ve done anything wrong.

Despite such problems with the technology, the FBI’s mammoth database has been constructed without the bureau having ever issued a privacy impact assessment as required by law. That seems to be how these things go: the situation is similar in the UK, where the Home Office is pushing ahead with FR in spite of protests and with scarce regulation.

Flaws with FR technology and policy aside, there are good reasons to go after drivers with multiple licenses. The governor’s office cites a three-year study of the FR program that was conducted by the Institute for Traffic Safety Management and Research (ITSMR), covering the period from February 2010 to January 2013, that showed that such drivers pose a serious traffic safety risk. The study found that out of more than 12,300 cases involving drivers with multiple, possibly fraudulent licenses, 24% didn’t have a valid license under their true identity.

NY DMV investigators work with federal, state, and local law enforcement agencies to arrest people tagged by FR technology who typically face one or more felony charges. The study also showed that about 50% of those identified by FR as having multiple licenses got their second license when their original license was suspended or revoked.

People like this:

  • A man who used a stolen ID, as well as his real identification, to collect tax benefits under both names. He also got a passport under the false name.
  • Another suspect with two identifications who worked and owned a home under his real name but collected unemployment under the false identity.
  • A furniture mover who stole a customer’s identity and tried to obtain a New York license under that person’s name but was denied. He then flew to Florida, obtained a license under that customer’s name there, leased a car, took $50,000 cash from the victim’s account, and was receiving a shipment of fraudulently charged furniture when arrested.

But while there are plenty of anecdotes about fraudsters and criminals using duplicate licenses to commit crimes, there’s also evidence that states work with federal or local law enforcement to conduct searches for trivial reasons, including people merely alleged to be involved in “suspicious circumstances”. That includes minor offenses such as trespassing or disorderly conduct. Then again, some records fail to reference any criminal conduct whatsoever, according to findings by the American Civil Liberties Union (ACLU).

In fact, Vermont in May demanded a halt to the state’s use of FR.

The campaigners pointed out that the issue is far from ambiguous: Vermont state law stipulates that its DMV can’t use biometrics to identify people when they get a license or other identity card.

The Department of Motor Vehicles shall not implement any procedures or processes… that involve the use of biometric identifiers.

Perhaps that’s why Governor Cuomo didn’t mention working together on FR-identified fraud cases with Vermont. His office did, however, note that in the autumn of 2015, New York worked with the state of New Jersey and identified 62 people with IDs in both jurisdictions. In addition to New Jersey, New York is now working with Maryland and Connecticut to identify people with multiple licenses.

New York’s jacked-up FR system now allows for the ability to overlay images, invert colors, and convert images to black and white to better see scars and identifying features on the face, the state says. It’s not thrown off by different hair styles, glasses, or other features that change over time. In fact, the state’s DMV won’t issue a driver license or non-driver ID until newly captured photographs make it through the FR system.

The state says that those who’ve been arrested based on investigations conducted following a potential FR match are typically charged with filing a false instrument, tampering with public records, and forgery.

Convictions or not, the DMV can still revoke licenses if the drivers are found to hold multiple licenses, regardless of statutes of limitation holding that transactions are too old to pursue criminal prosecution. Any tickets, convictions, or crashes can also be charged against such people’s true record.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GGiGqYtUonA/

DMARC should be catnip for email security – why aren’t firms using it?

When DMARC (Domain-based Message Authentication, Reporting, and Conformance) launched in 2012, it looked to some as if the Utopia of a fully “authenticated email world” was out there.

It’s a mouthful to say and, apparently, it’s been a handful to implement, with new figures suggesting that DMARC’s promised land remains elusive.

Despite strong backing at launch from Microsoft, Facebook, Google, Yahoo and PayPal, only a measly 39 of the Fortune 500 companies have implemented a DMARC policy for their domains.

That leaves 124 using it in the passive “none” monitoring mode (in other words, simply watching how other DMARC domains are treating their email) and 337 who haven’t bothered at all.

Sectors that have got the DMARC memo are overwhelmingly in technology, finance and business services, leaving aerospace, energy and engineering with tiny levels of take-up.

But even in tech and finance, uptake is patchy, which seems odd given that these are the sectors most targeted by cybercriminals phishing and spoofing well-known domains for all sorts of bad reasons.

Things aren’t much better in London’s FTSE 100, the survey found, with two thirds of companies lacking DMARC in any form and only six using it in its full “reject” flag glory.

It should be catnip for email security teams, so what’s going wrong?

Earlier this summer, an exasperated US senator even sent an open letter to the Department of Homeland Security (DHS), asking why so many US government domains weren’t using DMARC, to everyone’s detriment.

The problem is DMARC isn’t catnip for email security teams at all – far from it.

DMARC is a way for companies using email domains to define a policy that tells other domains how to treat email claiming to be from them.

Using the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols for IP-address-based and cryptographic-signature-based authentication respectively, DMARC gives a receiving domain guidance on what to do if an email – a phishing attempt, for instance – fails these tests.

DMARC, then, gives domain owners a way to receive detailed reports on abuse of their domains by fraudsters, which helps them protect the people they want to send emails to.

Obviously, this works best when everyone does it. If not enough companies adopt DMARC then the view companies have of abuse is only ever partial.
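The policy lookup described above is mechanical enough to show in code. The following is an added example, not code from the article or from any DMARC implementation: it parses a constructed `_dmarc` TXT record, applies the relaxed/strict alignment rules to SPF and DKIM results, and returns the disposition a receiver would apply (`none` for the passive monitoring mode, `quarantine`, or `reject`). The organizational-domain rule is simplified to "last two labels", which a real receiver replaces with a Public Suffix List lookup.

```python
"""DMARC record parsing and policy evaluation, as a receiving mail server does it.

Added example, not from the article: the record, domains and message results
are constructed. Alignment follows RFC 7489 in simplified form; org_domain()
takes the last two labels, which is wrong under public suffixes such as .co.uk.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Turn a _dmarc TXT record into a tag dict, filling in the RFC defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                        # domain in the RFC5322.From header
    spf_pass_domain: Optional[str] = None   # MAIL FROM domain if SPF passed, else None
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of verified signatures


def dmarc_disposition(record: Dict[str, str], record_domain: str, res: AuthResults) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'."""
    spf_ok = (res.spf_pass_domain is not None
              and aligned(res.from_domain, res.spf_pass_domain, record["aspf"]))
    dkim_ok = any(aligned(res.from_domain, d, record["adkim"]) for d in res.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from a subdomain of the publishing domain gets the sp= policy.
    is_subdomain = res.from_domain.lower() != record_domain.lower()
    return record["sp"] if is_subdomain else record["p"]


if __name__ == "__main__":
    # Constructed record of the kind published at _dmarc.example.com.
    rec = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    # SPF passed, but for a bulk-mailer domain that is not aligned with the From: domain.
    spoof = AuthResults("example.com", spf_pass_domain="bulkmailer.example")
    print(dmarc_disposition(rec, "example.com", spoof))  # reject
```

The strict-versus-relaxed distinction is where the "email admins being told to clear their desks" problems start: with `adkim=s`, mail signed by a vendor under `mail.example.com` fails alignment against a `From: example.com` header even though the DKIM signature itself verified, and a `p=reject` domain then loses legitimate mail.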

If DMARC is like the wisdom of the crowd, it has drawbacks. For a start, it needs a lot of experience to implement without causing the sort of problems that end with email admins being told to clear their desks. Limitations in the ageing SPF protocol don’t help either.

Did we mention that DMARC can be time-consuming to administer when using external email services?

The biggest flaw of all is simply that DMARC only solves part of the problem. Even if it were universally adopted, criminals can find ways around it using a toolbox of tricks, including hijacking or using legitimate domains (which pass authentication) to send emails mocked up to look genuine. Domain abuse isn’t the only game in town.

Nobody doubts wider DMARC adoption could make a difference. The question is whether the difference is seen by companies as worth the expense and hassle. Without wanting to sound pessimistic, it’s as if some companies have lost faith in security’s grand Utopias.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/J51vOry65ak/

UK infrastructure failing to meet the most basic cybersecurity standards

More than a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government, according to Freedom of Information requests by Corero Network Security.

The FoIs were sent in March 2017 to 338 organisations including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations. In total, 163 responses[1] were received, with 63 organisations (39 per cent) admitting to not having completed the “10 Steps” programme. Among responses from NHS Trusts, only 58 per cent had completed the scheme.

In the event of a breach, critical infrastructure organisations could be liable for fines of up to £17m, or 4 per cent of global turnover, under the government’s proposals to implement the EU’s Network and Information Systems (NIS) directive from May 2018.

The findings suggest that many key organisations are not as resilient as they should be in the face of growing and sophisticated cyber threats. Corero’s questions revealed that by not detecting and investigating brief DDoS attacks, organisations could be “leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks”.

When asked “Have you suffered Distributed Denial of Service (DDoS) cyber attacks on your network in the last year?”, just eight organisations (5 per cent) responded “yes”. ®

[1] Many organisations withheld information in the interests of national security, according to Corero.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/critical_national_infrastructure_cybersecurity/

Tuesday review – the hot 26 stories of the week

We’re back after the long weekend, so get yourself up to date with everything we’ve written in the past week – it’s roundup time.

Monday 21 August 2017

Tuesday 22 August 2017

Wednesday 23 August 2017

Thursday 24 August 2017

Friday 25 August 2017

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Image of days of week courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fo3vo0FMbNo/

Don’t expose yourself with your boarding pass

Perhaps you’re one of those people who would never, ever send an “intimate” picture to anyone – even your partner – online.

Good. But if you can’t resist bragging about your vacation or the concert tickets you just got by posting the boarding pass or the tickets – anything with a barcode – on social media or any other public platform, you’re exposing yourself in a different, but still very risky, way.

No, you won’t be publicly embarrassed – it’s not like an open raincoat. But it could still cost you – big time, because it’s a bit like an open wallet – or passport. That barcode has lots of information about you in it, and it’s info that is not terribly difficult to decode. If you post it, it’s like handing it out to just about anybody, including people who would love to spoof your identity or do other bad things with it. When they know your travel plans, they know when you won’t be home.

You can’t say you haven’t been warned. A few security experts – Brian Krebs among them – have written in the past that a boarding pass can provide a window into not just your current travel and frequent flyer account number, but future travel plans and personally identifiable information (PII) – phone number, address, passport number and more – as well.

Not everybody listened, apparently. People are still doing it. Krebs reported this past week that a search on Instagram for “boarding pass” yielded 91,000 results, and “concert tickets” brought up 42,000 results.

And security researcher Michael Špaček, who gave a talk (in Czech) at a recent conference organized by CZ domain in the Czech Republic, wrote a summary of it, which included telling what he was able to get from a picture of a British Airways boarding pass that a friend of his posted on Instagram before a trip to Hong Kong with his wife.

All he had to do was enter the booking reference on the BA website and find out his friend’s birth date (which was on his Facebook profile) to get his passport number, to be allowed to change the details on his account – cancel future flights, edit the passport number, citizenship, expiration date and date of birth – which he didn’t do. Fortunately the “victim” was a friend.

Špaček also noted that barcodes for boarding passes are increasingly on mobile devices like smartphones or smart watches. The so-called “Aztec code” has all that information as well, including frequent flyer numbers. In another case, he got an Aztec code image for a United Airlines boarding pass. While United masks that number on anything printed – providing only the last three digits and hiding the rest – the full number is within the Aztec code.
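To make concrete what "all that information" means, here is an added example, not code from the article or from the researchers it cites. Boarding-pass barcodes (Aztec, PDF417 or QR) carry a plain-text IATA Bar Coded Boarding Pass (BCBP) string, so a phone barcode reader hands the attacker this text directly; the parser below walks the fixed-width mandatory items and the conditional section far enough to pull out the frequent-flyer number, which is not masked in the barcode even where it is on the printed pass. The boarding pass itself is constructed: the passenger, PNR and frequent-flyer number are fictional.

```python
"""Decode the text payload of an IATA Bar Coded Boarding Pass (BCBP) barcode.

Added example; the sample pass is constructed. Field widths are the BCBP
mandatory items; the conditional section is parsed only as far as the
frequent-flyer fields of the first flight leg.
"""
from typing import Dict, Optional

# Mandatory fixed-width items, in order; together they are 60 characters.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("sequence", 5), ("status", 1), ("conditional_size_hex", 2),
]

# Constructed sample, assembled from its parts so the widths are visible.
SAMPLE_BCBP = (
    "M" + "1"                      # format M, one leg
    + "DOE/JANE".ljust(20)         # passenger name (fictional)
    + "E"                          # electronic ticket indicator
    + "Q7XK2P".ljust(7)            # PNR / booking reference (fictional)
    + "LHR" + "HKG" + "BA "        # from, to, operating carrier
    + "0031".ljust(5) + "245"      # flight number, Julian date (day of year)
    + "Y" + "034C" + "0077".ljust(5) + "3"   # compartment, seat, check-in sequence, status
    + "30"                         # hex size of the conditional section (48 chars)
    # conditional: '>' + version + unique-block size (00) + repeated-block size (2A = 42)
    + ">6" + "00" + "2A"
    + "125" + "1234567890" + "0" + "1" + "BA "   # airline code, doc serial, selectee, intl doc, marketing carrier
    + "BA " + "12345678".ljust(16)               # frequent-flyer airline and number (fictional)
    + " " + "20K" + "Y"                          # ID/AD indicator, baggage allowance, fast track
)


def parse_bcbp(data: str) -> Dict[str, Optional[str]]:
    """Return the mandatory items plus the first leg's frequent-flyer number, if present."""
    if len(data) < 60 or data[0] != "M":
        raise ValueError("not a BCBP payload")
    fields: Dict[str, Optional[str]] = {}
    pos = 0
    for name, width in MANDATORY:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    cond_len = int(fields["conditional_size_hex"] or "0", 16)
    cond = data[60:60 + cond_len]
    fields["frequent_flyer"] = None
    # Conditional layout: '>', version, 2-hex-digit size of the "unique" block,
    # that block, then a 2-hex-digit size and the per-leg "repeated" block.
    if len(cond) >= 4 and cond[0] == ">":
        unique_len = int(cond[2:4], 16)
        rep_pos = 4 + unique_len
        if len(cond) >= rep_pos + 2:
            rep_len = int(cond[rep_pos:rep_pos + 2], 16)
            rep = cond[rep_pos + 2:rep_pos + 2 + rep_len]
            # Repeated block offsets: airline numeric code (3), document serial (10),
            # selectee (1), intl doc check (1), marketing carrier (3), then
            # frequent-flyer airline (3) and frequent-flyer number (16).
            if len(rep) >= 37:
                ff_airline = rep[18:21].strip()
                ff_number = rep[21:37].strip()
                if ff_number:
                    fields["frequent_flyer"] = f"{ff_airline} {ff_number}".strip()
    return fields


def exposed_lookup_keys(fields: Dict[str, Optional[str]]) -> Dict[str, str]:
    """The items that act as account-lookup keys on airline sites: booking reference, name, FF number."""
    out = {"pnr": fields["pnr"] or "", "surname": (fields["passenger_name"] or "").split("/")[0]}
    if fields["frequent_flyer"]:
        out["frequent_flyer"] = fields["frequent_flyer"]
    return out


if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_BCBP)
    for key, value in decoded.items():
        print(f"{key:22} {value}")
    print("lookup keys visible to anyone with the image:", exposed_lookup_keys(decoded))
```

Nothing in the payload is encrypted or even encoded beyond fixed-width padding, which is why the advice later in the piece is to black out the barcode along with the printed PNR: the barcode contains the PNR and more.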

In that case, he found he could hijack the account simply by selecting “Forgot Password” on the United website and answering a couple of easy security questions. In an update, Špaček said United has since added a third security measure that requires the customer to click a link that then generates an email to enable changing the password.

But he wasn’t impressed. “Nowadays, I’d be able to just trigger such an email,” he wrote.

OK, but Špaček is a security researcher. How many other bad people would have the savvy to do this stuff? Turns out you don’t need much savvy. As Krebs reported almost two years ago, there are websites to help you out. “Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site,” he wrote.

Some of the exposure risks are not a traveler’s fault. Krebs cited a talk from last year’s CCC (Chaos Communication Congress) in Berlin by security researchers Karsten Nohl and Nemanja Nikodijevic, who pointed out that the six-digit booking code, also known as the PNR (passenger name record) amounts to a temporary password, but it is printed on every piece of checked luggage.

But their advice is relatively simple. For starters, don’t be an exhibitionist – keep those images off the internet. But also, don’t leave boarding passes tucked into the seatback on the plane – don’t even throw them in the trash. Shred them. If you can’t resist posting them on social media, black out the bar code and the PNR, at a minimum.

Your friends will be impressed when you send them pictures – after you return home.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0AFWEF58Zw4/

Swedish slip-up leaks hosting company’s customer data

A major Swedish web hosting company has been compromised and its entire customer database leaked.

The company, Loopia, made the announcement here, saying the breach happened last Tuesday (August 22), and it notified customers on Friday, advising of a system-wide password reset and telling them to update their personal information.

The statement says “the hackers have had access to parts of the customer database, including personal and contact information and encrypted (hashed) passwords to Loopia Kundzon”. Payment information such as credit cards didn’t leak, the company says, and customers’ hosted sites and e-mail services weren’t compromised.

The company explained the three-day delay on the basis that it needed time to secure its systems before it went public about the breach.

CEO Jimmie Eriksson told local outlet NyTeknik: “We were not sure how the attackers had gone, and needed a clearer picture of it before we went out with information. Now all customers have been informed. As an additional security measure, we have changed all customer numbers and passwords to all customer accounts”.

According to Upphandling24, Loopia has “hundreds of thousands” of customers, the largest of which include “Stockholm City, [the] Karolinska Institute and Västra Götaland Region”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/loopia_hacked_customer_data_revealed/

Dangle a DVR online and it’ll be cracked in two minutes

Criminals are constantly attempting to log into digital video recorders by using their default credentials, the SANS Institute has found.

The organisation revisited recorders’ security because the devices’ lack of security helped the Mirai botnet to run riot in October 2016, thanks to its modus operandi of logging in to devices using their default passwords. Mirai built an army of digital video recorders (DVRs) and used them to spawn history’s biggest DDoS attack. Mirai also spawned widespread panic and/or concern about Internet of Things security, specifically the lack thereof.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, thought it would be interesting to see if such an attack could still work, so he hung an “Anrai”-branded DVR on the net, with default configuration and password “xc3511” unchanged, power cycled it every five minutes and watched for 45 hours and 42 minutes.

The results of that effort were scary: 1,254 logins with the default password. Or one every two minutes.

It gets worse: Ullrich says SANS sees “100,000-150,000 sources participating in telnet scans”, so between clueless users and manufacturers who don’t implement on-activation password changes, he thinks Mirai-style attacks are here to stay.
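The observation Ullrich made by hand, counting logins with the default password, is the kind of thing a defender can automate against device or honeypot logs. The following is an added example, not SANS’s tooling: it parses constructed telnet login events (the one-event-per-line `key=value` format is assumed), matches them against a few username/password pairs from Mirai’s published scanner list, including the `xc3511` password mentioned above, and summarises attempts, successes, distinct sources and the observed rate.

```python
"""Flag default-credential logins in telnet honeypot or device logs.

Added example; the log lines are constructed (RFC 5737 documentation
addresses) and the line format is assumed. MIRAI_DEFAULTS is a subset of
the username/password table hard-coded in the Mirai scanner source.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "juantech"), ("root", "123456"), ("root", "default"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)

# Constructed log: two scanners hit the DVR's default root/xc3511 login, one tries vizxv,
# and one unrelated attempt uses a non-default password.
SAMPLE_LOG = """\
2017-08-25T10:00:03Z login src=203.0.113.7 user=root pass=xc3511 result=ok
2017-08-25T10:01:40Z login src=198.51.100.22 user=root pass=vizxv result=fail
2017-08-25T10:03:15Z login src=203.0.113.7 user=root pass=xc3511 result=ok
2017-08-25T10:05:59Z login src=192.0.2.88 user=admin pass=hunter2 result=fail
2017-08-25T10:08:02Z login src=198.51.100.22 user=root pass=xc3511 result=ok
"""


def parse_log(text: str) -> List[dict]:
    """Parse login events; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def default_cred_summary(events: List[dict]) -> Dict[str, object]:
    """Count attempts that used a known default credential pair and how often they succeeded."""
    hits = [e for e in events if (e["user"], e["pw"]) in MIRAI_DEFAULTS]
    if not hits:
        return {"default_attempts": 0, "successful": 0, "sources": [],
                "per_password": {}, "window_seconds": 0.0, "seconds_per_attempt": None}
    per_pw: Dict[str, int] = {}
    for e in hits:
        per_pw[e["pw"]] = per_pw.get(e["pw"], 0) + 1
    window = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    return {
        "default_attempts": len(hits),
        "successful": sum(1 for e in hits if e["res"] == "ok"),
        "sources": sorted({e["src"] for e in hits}),
        "per_password": per_pw,
        "window_seconds": window,
        "seconds_per_attempt": window / len(hits) if window else None,
    }


if __name__ == "__main__":
    summary = default_cred_summary(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key:20} {value}")
```

A single `result=ok` against a default pair is the actionable finding: it means the device is still shipping-configuration and should be taken off the network until the password is changed, whatever the reboot schedule.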

The one ray of sunshine he offers is that “Many of these devices are buggy enough, where the owner is used to regular reboots,” which means bad actors will be locked out of the devices. For two minutes, anyway. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/sans_mirai_dvr_research/

DJI strips out code badness, reveals some GPL odds ‘n sods

Chinese drone company DJI has removed hot-patching frameworks discovered in its apps by hackers – and is beginning to reveal GPL-licensed elements in its code.

Informed sources told The Register the latest versions of DJI’s Go app, which is the mobile app used for controlling the firm’s drones in flight, have had JSPatch and Tencent Tinker stripped out of them.

As we previously reported, these hot-patching frameworks seemed likely to break Apple and Google’s terms and conditions for their app stores. This was because those two frameworks allow new code to be pushed into the app outside of the mandatory code review process operated by both app store firms.

The company had promised to remove both frameworks by the end of August.

DJI is also revealing some GPL-licensed source code for items inside the Go app. This is a step forward; in the past, the firm had been criticised by some (for example, here) for not doing this. GPL licence terms mean users of GPL-licensed code should, in theory, make source code available for GPL-licensed software that is released to the public.

Drone hacker SasquatchLabs posted on a popular drone forum that DJI had told him: “Furthermore, our engineering team is working internally, and with vendors, to investigate other source code and will provide the status upon completion. DJI has also designated a team to oversee open source software compliance on an ongoing basis.”

It appears that the general thrust of the various drone hackers is to secure enough access to the aircraft’s firmware to allow modifications that would stop DJI updates from disabling their drones.

The conflict is between people who, not unreasonably, believe that paying for something entitles you to full control over it versus DJI, which is increasingly being leaned upon by governments and regulators as some users fly their drones with varying degrees of stupidity.

While DJI’s app includes GPS-based geofencing technology, some users have encountered difficulties in getting these restrictions lifted in specific cases.

Cracking the drone’s firmware so users can modify it would enable users, legitimate and otherwise, to effectively ignore these restrictions. In the UK, geofenced areas cover places such as prisons, airports and, strangely, Stoke City’s football stadium. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/dji_gpl_source_code/

SAP point-of-sale systems were totally hackable with $25 kit

Point-of-Sale systems from SAP had a vulnerability that allowed them to be hacked using a $25 Raspberry Pi or similar device, according to research unveiled at the Hack in the Box conference in Singapore last week.

Critical vulnerabilities in SAP’s POS – since resolved – created a means for hackers not only to steal customers’ card data but to gain unfettered control over the server, enabling them to change prices of goods with the help of a simple device, according to ERPScan.

SAP developed a patch after being alerted to the problem by ERPScan in April, allowing the enterprise app security specialists to go public with their discovery last week.

The root cause of the problem was that pre-patch SAP POS Xpress Server systems failed to perform any authentication checks for critical functionality that requires user identity. As a result, administrative and other privileged functions could be accessed without any authentication.

Attack scenario against SAP POS system [source: ERPScan blog post]

Left unpatched, the vulnerabilities would allow attackers to gain complete control of vulnerable systems, opening the door to espionage, fraud, and sabotage.

“The vulnerabilities enable remote starting and stopping POS terminals,” ERPScan explains. “An attacker can remotely turn off all POS terminals within a merchant. Such DoS attack can be very costly for big retailers.”

The exploit enables changing credit card number data masking so that all digits of a customer’s card number will be printed on a receipt (prohibited by PCI-DSS, the credit card industry regulations). This information can be sent directly to a hacker’s server – as shown in the clip below.

SAP POS is client-server technology that forms part of the SAP for Retail line-up. The technology is used by 80 per cent of the retailers in the Forbes Global 2000.

“Broadly speaking, it’s not a problem of SAP. Many POS systems have similar architecture and thus same vulnerabilities,” said Dmitry Chastuhin, one of the researchers who identified the vulnerabilities. “So, once an attacker is in the network, he or she gains full control of the system, including prices and credit card data. That’s unbelievable how woefully insecure we are when just swiping a card.”

In a statement, SAP confirmed the issue and urged customers to patch their POS systems, if they hadn’t done so already.

SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question in SAP Point of Sale (POS) Retail Xpress Server have been fixed, and security patches are available for download on the SAP Support Portal. We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Support Portal immediately.

[Embedded YouTube video]

®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/sap_pos_vulnerability/

Crowdfunding scheme hopes to pay legal fees for Marcus Hutchins

Exclusive A new crowdfunding appeal to help security researcher Marcus Hutchins has begun, after persons unknown spammed his old one with potentially ruinous credit card spam.

Hutchins was the security researcher who found a way to cripple the WannaCry ransomware that took down a large chunk of Britain’s National Health Service, amongst other organizations and companies. He is currently under house arrest in Los Angeles after being accused by the FBI of writing and selling the Kronos banking malware.

The researcher was arrested by the Feds as he was about to board an airplane home after visiting the Black Hat and DEF CON security conferences in Las Vegas. He has since been charged and released on a $30,000 bond with a GPS cuff, but without the restrictions on internet use that usually accompany computer crime accusations. He has pled not guilty.

A donation site was set up shortly after his arrest – legal costs in the US can be insane and the 23-year-old isn’t that well off – but it was quickly drowned in a sea of stolen credit card numbers. As a result, Tarah Wheeler, a friend of Hutchins and a fellow security specialist, wanted to find a better way.

“We checked out the crowdfunding site CrowdJustice for two and a half weeks to make sure this would work,” she told The Register. “I began the phone call to them by saying ‘Look, I’m sorry, but we’re going to need to do some pentesting.'”

The fund went live on Monday morning and has already met over half of its $10,000 goal, although there’s a stretch goal of $15,000. The money is solely to pay legal fees, not Hutchins’ living expenses, and Wheeler said small pop-up fundraisers will be held later on to keep the legal fund topped up.

“Thank you doesn’t seem enough,” said Marcus’s mother Janet Hutchins. “We have been overwhelmed by the support and generosity shown to Marcus and ourselves.”

Given that Hutchins is living in a strange city and a new apartment with very little in the way of support, it might be nice to set up some kind of Amazon wishlist, you might think, or maybe a plane ticket for his relatives to visit him. But legally that’s complicated, so his friends are concentrating on getting the lawyers paid before Hutchins is back in court next month.

“It’s so wonderful to see the community coming together to see them help a kid,” Wheeler said. “This is not about innocent or guilty – it’s about someone being prosecuted under the Computer Fraud and Abuse Act, a flawed law that’s being used as a mallet over the head of security researchers.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/28/crowdfunding_for_hutchins_legal_fees/