Facebook: the last straw

I’ve complained about Facebook before, reduced my participation, and now, I am ending it.  Facebook has become what can only be described as an attractive nuisance.  One of my friends clearly had their account broken into.  The last time this happened it was possible for me to report the matter to Facebook, and they shut the account down in a matter of minutes.  This time, they not only would not do so, but there is no longer a way to report an account break-in.  The only way to send Facebook a message is to close one’s account, and so I have done so.  Done.  Fini.  For my friends’ and your sake.

Wrap-up of this year’s WEIS

This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about identity, privacy, and the insecurity of the financial payment system, just to name a few presentations.

Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience.  This year was no exception.  The conference represents an interdisciplinary approach to cybersecurity that includes economists, government researchers, industry, and of course computer scientists.  Run by friend and luminary Bruce Schneier, Professor Ross Anderson from Cambridge University, and this year with chairs Drs. Tyler Moore and Allan Friedman, the conference includes an eclectic mix of work on topics such as cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of University of Münster), privacy protection, user behavior, and understanding of the underground economy.  This year’s conference had a number of interesting pieces of work.  Here are a few samples:

  • Guns, Privacy, and Crime, by Alessandro Acquisti (CMU) and Catherine Tucker (MIT), provides an insight into how posting the addresses of gun permit applicants on a Tennessee website does not really impact their security one way or another, contrary to arguments made by politicians.
  • Is the Internet for Porn? An Insight Into the Online Adult Industry – Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel provide a detailed explanation of the technology used to support the Internet porn industry, which the paper claims provides over $3,000 a second in revenue.
  • The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talk about just how poorly many websites manage all of those passwords we reuse.
  • A panel on the credit card payment system, together with a presentation that demonstrated that even credit cards with chips and PINs are not secure.  One of the key messages from the presentation was that open standards are critically important to security.
  • On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.

The papers are mostly available at the web site, as are the presentations.  This stuff is important.  It informs industry as to what behaviors are both rewarding and conducive to the social good, as well as where we see gaps or a need for improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.

FBI spots potential danger to a school – on Facebook

As opposed to my previous post, BBC reports an instance where the FBI has made use of public information to predict a possible threat to St Aelred’s Catholic Technology College in England.  The information was on Facebook, and was available probably because the defendant hadn’t protected his postings, perhaps due to FB’s confusing approach to privacy.  Imagine, however, that FB didn’t confuse anyone, and this information were protected.  Would the FBI have been prevented from warning St Aelred’s?  If they couldn’t, would Facebook?  And if Facebook didn’t, would the FBI insist on new powers?  Watch this space.

American in exile with no due process

Imagine taking a vacation to some exotic place, perhaps even going to school abroad for a few months, and then being told that you can’t go home.  The New York Times reports that such is the tragic situation of Yahya Wehelie, a young American who went to Yemen to study, at the insistence of his parents.  He found himself on the No Fly List, for reasons we don’t know, and given no reasonable way to get home to Virginia.

Here we see the juxtaposition of many principles:

  • The government responsibility to protect Americans on the ground and in the air from terrorism;
  • The individual’s freedom to travel;
  • Government responsibility to enforce trade and other policies, such as that of importation of prohibited goods; and
  • An individual’s right to freedom from unreasonable search and seizure.

Americans have the fewest rights when flying back to the United States.  You can expect to be searched, probed, and prodded.  You don’t have the right to carry a bottle of water into an airport, and you can expect substantial inconvenience, especially if you are disabled, when traveling.  You can expect your laptop to be confiscated.

The situation is changing, however.  A recent decision by a federal judge limits rummaging through laptops of American citizens.  Another decision is clearly needed: Americans deserve the right to face their accusers, to hear allegations, and to be able to respond to those charges so that they can receive justice.  The basic premise of an airport search is to address threats that are not amenable to taking the time to have such a hearing.  Several weeks should be more than plenty of time for a case to be heard by a competent judge.  Having some random person stick your name on a list is what one should expect of Nineteen Eighty-Four and Brazil, and of America.

What would you do if it were your son trying to get home?

Several blogs worth mentioning

Today I bring to your attention two excellent pieces of work.  The first is by friend and colleague John Levine, whose books you may have read.  He is in fact today writing about the eBooks industry.  I have something of a personal interest in the topic, not so much because I’ve written books (I write RFCs), but because my wife wrote an excellent book, in which the publisher encouraged her to create an eBook.  It was ripped off and circulating on P2P networks within days of its ePublication.  How annoying.  Anyway, John goes to some lengths to talk about the economics of the situation.  He’s a great and incisive writer, and a pointer to his writings can now be found on my little blog roll to the right of this post on Ofcourseimright.com.

Separately, Bruce Schneier has been writing about Worst Case Thinking, and what it means to him.  While I don’t agree with everything Bruce writes in that article (particularly about his nuclear example), I do agree that societies generally do an extremely poor job of risk management.  To me that is because those challenging incumbent politicians always aim for the emotional side of the brain, to get people angry that Something Bad happened, and so incumbents avoid risk at all costs.  To me that’s not good government.  Don’t get me wrong.  Some risks are not worth taking, but let’s be smart about it.