Friday, February 27, 2009

Weekly Roundup

Wednesday, February 25, 2009

Hacker Turf War

Per our demonstration on cache poisoning I found this report from the SANS Internet Storm Center particularly relevant. SANS researcher Daniel Wesemann recently found and analyzed malware that altered an infected computers hosts file - exactly what we did in class on Monday.

Wasemann noted that most malware is designed to 'blackhole' updates from anti-virus vendors and patches from operating systems. 'Blackholing' is a term used to described how a cache poisoning attack would re-route traffic to an unreachable location. blackholing anti-virus updates and operating systems patches will prevent a user from detecting an infection or from the computer automatically fixing the underlying vulnerability.

However, this particular piece of Malware that Wasemann analyzed contained "200 or so domains that are reconfigured to point to ... but, surprisingly, not domains of commercial software. Rather, it looks like a turf war is in progress between malwares, and this particular species tries to null out the connections of the competition."

The IP address is the address for your computers loopback adapter. Traffic routed to this destination will effectively disappear. Therefore, the authors of this malware sample are trying to prevent rival malware from gaining control over an infected computer. Infected computers have monetary value in the cyber criminal underworld. As a result, cyber criminals are incented to protect their property.

Discussion for class:

  • Does this type of cache poisoning attack affect confidentiality, integrity, or availability? Can it affect all three?
  • Who is responsible for addressing vulnerabilities in software and hardware? The end user? The manufacturer? The Internet Service Provider?

Tuesday, February 24, 2009

Chinese IT Firm Accused of Links to Cyberwarfare

An article recently published by Defense News entitled Chinese IT Firm Accused of Links to Cyberwarfare provides more insight into our discussion on the power of attacking the integrity of software, systems, and data. This article states that certain Chinese IT companies were actively probing popular software applications for vulnerabilities that could be easily be exploited.

According to the article, "in the past 10 years, Beijing-based Venus Info Tech has become the dominant provider of information technology (IT) network security to the Chinese intelligence and military community.
 It also has been accused of providing hacker services that help the Chinese government penetrate foreign government computer networks."

Further, the article notes that China's operating agreements with Microsoft and other technology vendors gives companies like Venus Info Tech the ability to examine source code in popular software. Having access to source code would allow a hacker to more easily find and exploit vulnerabilities. Specifically the article states,
several Chinese firms and government agencies have deep access to the source code of Microsoft Windows, the operating system that drives most of the world’s computers.
 In 2003, Microsoft opened the code to the China Information Technology Security Certification Center (CNITSEC), a government agency, under a government security plan that was intended to “provide a trustworthy computing environment,” said Tim Chen, then vice president and CEO, Microsoft Greater China, in 2003. He resigned in 2007.
 “Depending on the level of access they were provided, it would certainly seem to provide the Chinese with insight into flaws that they could exploit,” Henderson said. “You get enough people poring over the code, and I imagine you could design viruses based on weaknesses you find in the code.”

Discussion for Class:

Why would an adversary be interested in gaining the ability to easily discover and exploit vulnerabilities in popular software applications?

Sunday, February 22, 2009

The Future of Dating?

Lets hope not. Otherwise im screwed.

courtesy of Abstruse Goose ...

Friday, February 20, 2009

Weekly Roundup


A couple of administrative points. If anyone has any questions about the mid-term do not hesitate to drop me an email. I'll be available all weekend if anything comes up. Additionally, we're now moving into the Information Security portion of the class. For those that feel as though we've worn the Privacy track thin this will be a welcome relief. Finally, we're about half way through the semester and many students have yet to post any items to the blog. Do not wait until the last day of class to do this as it will distract you from writing your final paper.

Sunday, February 15, 2009

Weekly Roundup

Thursday, February 12, 2009

Privacy: A Debate No Longer

Our guest speaker, Brian Drake, kept his promise and provided an excellent write up of his talk. Please take a moment and review his write up hosted on his blog.

Mid-Term Time

Please answer one question from Section I, one questions from Section II, and one questions from Section III. Please pay careful attention to the word limits. Exams are due to me via email at the beginning of class on February 23, 2009. Late submissions will be penalized.

Answers will be evaluated based on the following criteria:
  • the use of lessons learned from our readings, discussions, and relevant outside sources
  • creativity and original thinking
  • the clarity and conciseness of your writing
Section I: You must answer one of the following questions.
A. Discuss the impact of Moore's Law on privacy. What risks does Moore's Law present to privacy? What are the potential rewards? How has Moore's Law changed definitions of privacy? (750 word limit)

B. How have definitions of privacy changed throughout history? How do you think definitions of privacy will change in the future? (750 word limit)

Section II: You must answer one of the following questions
A. design a comprehensive national privacy law. Explain the fundamental tenants of your privacy law? What legal protections would you include? (500 word limit)

B. How does the eightmaps website impact privacy? Are privacy and transparency mutually exclusive goals in this case? What privacy protections can be implemented to ensure that the reuse of personal information from political donor rolls does not have a chilling effect on participation in the political process? (500 word limit)

Section III: You must answer one of the following questions
A. What is the function of Google's new Latitude Service? Does it harm privacy? If so, how? If not, why not? (250 word limit)

B. Do social networking sites like Facebook or MySpace harm or protect privacy? (250 word limit)

Sunday, February 8, 2009

More on Balancing Transparency and Privacy

Ive already received criticism for the idea of validating the identity of individuals that want to download and repurpose government data as reported by the New York Times. As a result of these criticisms, I thought it would be useful if I provided a more in depth explanation of my recommendations.

First, I'm more interested in credentialing those individuals or organizations that want to repurpose data and less concerned about those that simply want to view data. In the interest of preserving transparency I think individuals or organizations should be able to freely view government data, but I think privacy is eroded when individuals or organizations are able to copy and repurpose government data without any accountability.

In the case of eightmaps, I think the State of California was correct to publish the information on those individuals and organizations that contributed to the passage of Prop 8. Citizens have a right to know who donated to political candidates and ballot initiatives. Without this right there would be no transparency and it would be too easy for the political process to be corrupted. However, I think that the State of California was incorrect in its decision to post the Prop 8 donors online in an excel spreadsheet that anyone could download and reuse in any manner they see fit. In effect, the State allowed anyone to access and repurpose that data with no oversight.

The key here is developing a process that balances the sometimes competing goals of transparency and privacy. Both goals are essential for a healthy democracy and I think what were are currently witnessing, as demonstrated by the eightmaps example, is how the increased accessibility of personal information has disrupted the delicate balance between transparency and privacy. It is true that this data was always available to those individuals willing to spend the time to travel to local courthouse. However, the advent of the Internet has now made this same data increasingly accessible to anyone with a computer and an Internet connection. The Internet, in this case, has disrupted the balance and increased transparency at the expense of privacy.

I therefore think that governments should create a process by which individuals or organizations have to be credentialed in some way before they are able to copy and reuse government data. Specifically, I think the government should validate and track the names and contact information of individuals or organizations that download government data. Ideally, this credentialing system would force a more responsible use of personal information or at least make the creator of websites like eightmaps more accountable for their use of the data.

Saturday, February 7, 2009

All The News That's Fit to Print

The New York Times just ran another piece about the eightmaps website. Our class is mentioned at the end of the article. Here a snippet from the article:

“The key here is developing a process that balances the sometimes competing goals of transparency and privacy,” said the professor, Ned Moran, whose undergraduate class on information privacy spent a day discussing the eightmaps site last month.

“Both goals are essential for a healthy democracy,” he said, “and I think we are currently witnessing, as demonstrated by eightmaps, how the increased accessibility of personal information is disrupting the delicate balance between them.”
Read the piece over and let me know what you think. Have a great weekend!

Friday, February 6, 2009

Weekly Roundup

Wednesday, February 4, 2009

Digital Signs and Privacy

Harley Geiger from the Center for Democracy and Technology has posted an excellent write-up on the privacy implications of digital signs. According to Geiger, digital Signs are "are just flat screens displayed in some trafficked area, playing a video loop. The contents of the video are often controlled via computer, enabling one master location to control thousands of connected units." Geiger also notes that the digital signage industry is currently pursuing aggressive measure to track consumers. Specifically, Geiger writes that
Digital signage companies are tracking consumers in a number of ways. The most common method may be itsy-bitsy cameras hidden in the signs that record the age, race, and gender of passersby. Other companies use Bluetooth or radio frequency identification (RFID) tags. Some are also using consumers’ mobile phones to trigger ads; the signage system can then deliver coupons to the phones. All of these technologies have the potential to identify individual consumers and gather personal data about them, without giving consumers any choice in the matter.
Discussion for class:
  • What, if any, are the privacy issues with how the digital signage industry is using facial recognition cameras and other technologies that can identify consumers?
  • What privacy protections or policies can the digital signage implement to mitigate any concerns about how it is using technology to improve its efficiency?

Farewell JuicyCampus

Im sure most of you will be happy to read this ...

Tuesday, February 3, 2009

O'Harrow's Paradox

I thought it necessary to revisit an element of our discussion last night. It was noted that O'Harrow's No Place to Hide suffered from an apparent logical paradox. One the one hand O'Harrow contends that the data collection industry has built an omniscient data collection system that is capable of tracking our every move. On the other, O'Harrow points out a number of examples that highlight this industry's incompetence.

On the surface this paradox defies resolution. However, I believe that a more nuanced analysis of this contradiction reveals that both contentions are true. In other words, I believe that the data collection industry is capable of both gathering data on our daily movements but also negilent in its approach to validating and protecting our personal information.

The private sector in general and the data collection industry in particular has built an incredibly efficient data collection infrastructure capable of inhaling our personal information. However, I am not convinced that a similarly sophisticated capability exists to properly analyze, store, and secure this mass of personal information.

I welcome your input on this argument.

RFID Tracking

Our brief discussion of RFID may have seemed a bit futuristic, but it is important to understand the potential privacy implications of this technology. As we discussed in class a widespread deployment of this technology could bring incredible efficiencies and convenience to everyday life, but RFIDs could also be abused in frightening ways to harm privacy.

An example of one way that RFID tags can be abused can be found at the website. According to its website,

RFtracker maintains two databases: a "match" database, which matches RFID tag numbers with the people who possess goods bearing those tag numbers; and a "sightings" database, which holds records of RFID tag sightings by RFID readers located around the world (with time, place, and tag number). If you already have a tag number, you can use the "sightings" database to see where that tag has been sighted. (This service is free, although you'll have to pay if you want "real-time" data, which includes sightings within the past 24 hours; you can choose to have real-time data sent to you via e-mail, pager, or text message.) If all you have is the name of the person that you want to track, you'll want to start with our "match" database, to see if it includes any RFID tags associated with that person.

Check out the demos on the site to get a feel of how RFID can be used to track people's movements.

Monday, February 2, 2009

10 Years Ago Today

I realize that most of you were probably playing with stuffed animals 10 years ago, but this post courtesy of the Technology Liberation Front is especially poignant to me as it was approximately 10 years ago that I hooked up to the Internet via a 56.6k dial-up modem that, at the time, I thought was blazingly fast.  

This quick scan of the technology landscape 10 years ago really hammers home the impact of Moore's Law on the ubiquity of information communications technology in today's digital world.

Hacking RFIDs

Check out the following YouTube! video which illustrates how easy it is to hack and clone RFID tags.  Despite these known weaknesses it appears that RFID is on the march.  

Justice Scalia on Privacy

Supreme Court Justince Antonin Scalia recently spoke on privacy rights in the digital age at conference in New York City hosted by the Institute of American and Talmudic Law. The Associated Press provided this write-up on Justice Scalia's remarks. During his speech Scalia is quoted as saying, "Every single datum about my life is private? That's silly." Further, Scalia said, "I don't find it a secret what I buy, unless it's shameful."

Justice Scalia seemed to endorse of view of privacy which focuses on the nature of information. In other words, what you buy at the grocery store shouldnt be protected but your perscription medications probably should be.

Daniel Solove takes issue with Scalia's comments and notes that privacy can be invaded even if the information disclosed is not considered to be shameful. Solove writes,
Privacy can be invaded even if the information disclosed isn't shameful. For example, one's Social Security Number isn't shameful, yet we protect it as private because it can affect our data security. In many cases, one's financial information isn't shameful, but many desire to protect it as private -- not to prevent embarrassment, but because they simply don't want others to know about their financial condition.
Discussion for Class:
  • Is it sensible to try to define privacy by focusing on the nature of information? If so, how do you avoid creating a long running and ever changing laundry list of what is private?
  • Is it problematic to try to define privacy by what is shameful and what is not? How widely would the definition of shameful vary?
  • Does Justice Scalia confuse secrecy with privacy?

Sunday, February 1, 2009

Privacy and Health

One of your classmates picked up the following story in the New York Times and provided the following write-up:

In Sunday’s edition of the New York Times, an editorial titled “Your E-Health Records”( discussed the new electronic health record system and what it meant for individuals’ privacy. While reasons such as lower costs and higher quality are cited for the switch from paper to electronic, this move has also brought up the trade-off of a patient’ privacy. As we have discussed in class, once something is put on the internet there is virtually no getting rid of it. Additionally, hacking into electronic records is infinitely easier than breaking into an office and stealing the paper copies, therefore rendering that “private” information significantly less private.
While Congress is working on passing bills that would ostensibly prevent such abuses, there is no doubt that the opportunities for misuses of private information are now unlimited. The article mentions some examples that I found especially significant, such as the fact that employers, with the now easily acquired health records, might refuse to hire a potential employee with the information that they might be more expensive to cover with health insurance. Such situations only create a more discriminatory work place, allowing employers to exploit personal health as a money-saving technique.
I think this specific area of privacy encroachment is particularly noteworthy because it involves something an individual has no control over. When the government pulls up credit card records or checks what books one has taken out of the library, it is ultimately reviewing actions that an individual has made a conscious decision to execute. However, an individual has clearly less control regarding their personal health. For example, one’s status of being diabetic and therefore as a potential employee might require a more expensive health insurance is not a role he or she has made a conscious decision to undertake. A person should not suffer any repercussions from a situation outside of their control, especially concerning certain unavoidable health issues.

Weekly Roundup