Friday Oct 02, 2009

GHC09: Susan Landau: Bits and Bytes: Explaining Communications Security (and Insecurity) in Washington and Brussels

Susan Landau started out giving us her history about how she went from a theoretical computer science faculty member at a university to someone working at Sun Microsystems on public policy. A path she said she wasn't working towards, but feels she must've been just a little bit, or she wouldn't have ended up where she is.

The US first started doing wire tapping during the Civil War! Wow!  Apparently we didn't slow down - not only did the US use wire tapping to watch criminals, but they were also doing it on congress people and supreme court judges! In particular, a congress person could be talking about the FBI budget and the FBI would be listening in! Clearly a conflict of interest!

Congress didn't like this and put in a law to regulate this - requiring wire taps to only be for a specific person at a specific number.

In 1994 a US law was passed that required all digitally switched telephones to be built wiretap-enabled! The equipment was to be designed by the FBI, much to the chagrin of telephony providers.

This is problematic - in 2004-2005, it was discovered that some non-US diplomats had been wiretapped - but not by a government entity! (at least not officially.) This was discovered when there were some problems with text messaging on one of these phones. They found the switch in Greece, which had been bought from a US company with the wire tapping software disabled - so no auditing software was enabled. Someone very knowledgeable with the switch used a rootkit to get in, turn on the wire tapping software and then targeted these diplomats! With no auditing software enabled, the Greek phone company had no idea this was happening until there were problems with the text messages! Once this illegal wire tap was discovered, the phones that were listening in suddenly went dark and the perpetrators were never found. Very scary stuff!

This is a clear example of how software made to "protect" us can actually be used to spy on innocent people - terrifying indeed!

All of this gets much more complicated with technology like VoIP (Voice over Internet Protocol), where people do not have a set phone number; instead, it is done with the IP address, which will vary every time you reconnect your laptop or mobile device to the network. What this means is it is very hard to pinpoint the caller - one of the risks here is that the wrong person will be eavesdropped upon.

Landau knows it is very important for society to have secure communications - to enable conversations with first responders, for example, and we need to have the technology to do this.

Landau continues on about how much more devastating natural disasters are than terrorist attacks, yet for some reason they don't get nearly as much news and political coverage as a terrorist attack. I wonder if we all feel we're more protected from a random natural disaster? Or if we are fascinated with how evil someone would have to be to purposefully hurt another human? hrm.

President Bush apparently authorized warrantless wire tapping in 2001 - and this was relatively unknown and undiscovered until 2007. She wrote an op-ed for the Washington Post on this topic, and next thing she knew, she was the expert on privacy. This is good, in that she now has Washington's ears, but she realized she needed to find more people to help support her in this and she was happy to find many intelligent, bright and like minded folks.

Now she's been working on reviewing public policy - basically doing law reviews. Landau jokes that she feels she's in training to be a lawyer.

If you want to get into public policy, you need to learn their stuff: "laws, policies, motives", to speak well, write well and have great courage.  She believes these are all the traits that a good engineer should have as well, so perhaps it's a career path after all. :-)

Thursday Oct 01, 2009

GHC09: Technical Track: E-voting & privacy with health records

This session started out with a fun talk on electronic voting by Dr. Kathy S Faggiani, though it's unfortunate that she seemed to be preaching to the choir. It's not her fault - it seems only people really interested in security of voting and wary of the existing digital voting machines came to the room.

She did a fun experiment with her son that was inspired by California's Secretary of State, Debra Bowen, who had stated that she had to de-certify California's electronic voting machines because of all the mistakes they made that a first year computer science student wouldn't do. As her son was in his second year, he went and wrote a voting system... turns out his also wasn't as secure as it should've been :-)

Electronic voting is really tricky, though, as you all know. We, as individuals, want to know that our vote counted - but if we're given a receipt that shows how we voted (or with a number where we can look up later on the internet who our vote was cast for),  you would be susceptible to vote coercion. This is also why I do not like absentee voting, and am saddened by the state of California's push to force us to do this by taking away polling places and "reminding" you about three times a year to sign up for permanent absentee voting status.

I've read too many stories about voter fraud and simply cannot trust our society to do the right thing in their own homes. I've already heard stories about ballots being stolen from mail boxes. \*sigh\*

Faggiani mentioned that Hawaii did "successfully" run an all electronic election, managed by Everyone Counts.  While it was deemed a success, the voter turnout in this already low-voter state dropped by 83%.  Seems like a disaster to me.  Clearly the voting was not as accessible to all of the voting public as they thought it would be - since it was all done by cell phone or Internet.

The next talk was on A Cryptographic Solution for Patient Privacy in Electronic Health Records by Melissa Chase.  Another area where we are very concerned with the integrity and privacy of the data, yet she pointed out many successful attacks on this information over the last few years.  One very egregious example was a doctor that was blogging about his patient's records without their consent. Who needs hackers when someone is giving away your private data for free? \*yikes\*

Chase covered problems with different encryption key schemes, including saving the private key on the primary server and escrow systems, and went on to propose a hierarchical encryption scheme which seems promising.

She is a strong advocate of making sure the patient is in control of the data and decides where it can go and which doctor can see the data.

This is a fascinating area of research, very important to all of us, and could revolutionize health care in industrialized nations, but there are still many issues to solve like how to handle emergencies when the patient may not be able to "unlock" their data.

Wednesday Aug 12, 2009

Reasonable Expectation of Privacy?

I've seen a lot of discussions lately about maintaining your privacy or personal identity on the Internet.

Let me tell you now - if you post something to a newsgroup, blog, Facebook, Myspace, Twitter, Friendster, Orkut, IRC, BBS, or send it in email to a mailing list, it's no longer private.  If you have a health condition you don't want people you work with to know about, don't blog about it or put anything in your Facebook status on it. Instead, talk to your doctor, talk to groups in person, keep a journal at the side of your bed.

I learned about the permanence of such things on the Internet in 1998 when I was interviewing for a job and the interviewer pulled up a little site called DejaNews, a great search engine for netnews that has since been subsumed by Google, and he instantly knew that at the time I had been learning to play the bass guitar, had a pet snake, and had previously worked as a SunOS/Solaris system administrator. He looked at the questions I had asked, to see if they were intelligent and well thought out. He looked at how I handled the responses I got. Was I gracious? Did I understand the information people were sharing with me?

Fortunately for me, I met his standards and the rest of the interview went well from there and I got the job.  I was shocked, though, I knew of no such service! I thought that once your postings fell off the news server, they were gone forever. Boy, was I naive!

I watch younger people on Facebook and MySpace posting all sorts of crazy things. Very personal things. Sometimes it's simply venting, but other times the attacks can be targeted at a specific person or be revealing very personal information on themselves or their own lack of self control.

I think we're doing a great disservice to future generations if we aren't teaching elementary school kids about the Internet Archive and Google's massive cache. Our ability to grasp the repercussions of our online actions is not keeping up with the technology.

When I was a teenager, my worst fear was having a physical note I handed to someone end up being shared. But, that was one note. Now our equivalents in email and text messages can be digitally shared in seconds with hundreds of people, and you can't take it back.

Some people mistakenly believe that stuff on Facebook can only be seen by your friends. In general, depending on how you have security set up, that's true - unless someone uses a screen capture.  Take these recent "passive aggressive notes" - one woman ("exhibit d") actually managed to lose her job through Facebook (and this is not the first instance I've heard of for that). 

Yes, I realize she clearly was not thinking about who was in her friend list before posting, but it still could've been shared by someone else later. I've also seen examples of people screen capturing things that were obvious typos to use to embarrass people forever.

So, whatever you're doing, if you're doing it on the Internet in semi-public forums, don't expect it to be private.

Most of us would believe that at least we can still have privacy in our own homes...

(Oh, please don't mention wiretapping.... or message interception.....)


Valerie's former weblog. The new one can be found at

