Category: Internet

Hello Insecurity, Goodbye Privacy. Thank you, President Obama

Some people say that Internet Security is an oxymoron, because we hear so much about the different ways in which hackers and criminals break into our data, steal our identities, and even use information to commit “real world” crimes like burglary, when it becomes clear that someone’s gone on vacation.  Well now the Obama Administration along with the FBI and NSA are proposing to make things worse, according to an article in today’s New York Times.

According to the Times, the government is going to propose requiring that developers give up on one of the key principals of securing information– use of end to end encryption, the argument being that law enforcement does not have the visibility to information they once had, say, in the Nixon era, where the NSA acted as a vacuum cleaner and had access to anything.

As our friend Professor Steve Bellovin points out, weakening security of the Internet for law enforcement also weakens it for benefit of criminals.  Not a month ago, for instance, David Barksdale was fired from Google for violating the privacy of teenagers.  He could do that because communications between them were not encrypted end-to-end.  (Yes, Google did the right thing by firing the slime).

This isn’t the first time that the government has wanted the keys to all the castles, since the invention of public key cryptography.  Some of us remember the Clipper chip and a government-mandated key escrow system that the Clinton Administration wanted to mandate in the name of law enforcement.  A wise friend of mine said, and this applies equally now, “No matter how many people stand between me and the escrow, there exists a value of money for me to buy them off.”  The same would be true here, only it would be worse, because in this case, the government seems not to be proposing a uniform technical mechanism.

What’s worse– this mandate will impact only law abiding citizens and not criminals, as the criminals will encrypt data anyway on top of whatever service they use.

What you can do: call your congressman now, and find out where she or he stands.  If they’re in favor of such intrusive policy, vote them out.

Steve Jobs: You get a timeout

The scene at the Jobs house this week:

Steve (played by a 6 year old boy): Hmm..  the reception on my iPhone 4 sucks.  So let’s just cover it up with a software update.

Consumers Report (played by Mommy): Steve, your iPhone 4 isn’t receiving properly.  And I caught you trying to cover it up.  That will be a time out.

S: But MOM! RIM isn’t receiving well, and Motorolla isn’t receiving well.

C: That may be so, Steve, but we are talking about you and not your friends.

S: But Mom!

C: Don’t but mom me. First you caused a problem for a vast number of consumers, and then you tried to cover it up.  The least you can do is apologize, and try to make up for it.

S: Ok, here’s this phone condom.  That will certainly make up for the waste of hundreds of dollars per consumer.

C: Steve!  Go sit in the naughty chair.  You may stand up and go play with the other children when you apologize and really mean it.

Interestingly, when polled unscientifically by the Wall St. Journal, parents in Steve’s community are equally divided over whether he behaved well.  What kind of parents are those who accept such behavior?

Facebook: the last straw

I’ve complained about Facebook before, reduced my participation, and now, I am ending it.  Facebook has become what can only be described as an attractive nuisance.  One of my friends clearly had their account broken into.  The last time this happened it was possible for me to report the matter to Facebook, and they shut the account down in a matter of minutes.  This time, they not only would not do so, but there is no longer a way to report an account break-in.  The only way to send FaceBook a message is to close one’s account, and so I have done so.  Done.  Fini.  For my friends’ and your sake.

Net Neutrality Deal near betwen FCC and Telcos?

Today’s Wall Street Journal reports that mega-telcos Verizon and AT&T are in discussions with senior staff of the Federal Communications Commission (FCC) over a compromise for enabling legislation for the FCC to regulate access to the Internet.  This is no small deal.  Chairman Julius Genachowski has made very clear for quite some time that he thought there was a need to provide for some form of net neutrality to protect customers against service providers, and to insure openness.  Another thing is perfectly clear to everyone: the rules of the 1980s and 1990s certainly are antiquated.

However, one problem with net neutrality is that it can mean different things to different people.  To some it might mean protection from service providers charging for services that they themselves do not provide.  To others it might mean an inability for service providers to manage what they deem as excessive use of a shared resource (their network) by some consumers, as their cost models are all structured on the notion of over-subscription.  That is– if everyone tried to use a vast amount of bandwidth at once, we would all get very little, and not those megabits/second in the advertisement.

Here are a few facts to think about when you hear the term net neutrality:

  • The tools service providers might use to give themselves some sort of market advantage are the very same ones they may need to use to protect consumers against denial-of-service attacks: it is in the average consumer’s best interest that bandwidth from rogue BoTs be limited.  Differentiating between protection against BoTs and protectionism may prove difficult to regulators.
  • Bandwidth on the Internet is not the same as a phone call.  If you’ve ever been in a disaster situation, such as an earthquake or a hurricane, you’ll remember that there may have been times when you picked up the phone and got no dialtone.  That is not how the Internet works.  Most applications make use of Transmission Control Protocol (TCP), which is designed to share whatever bandwidth there is.  While voice and video require a minimum to function properly, even modern day tools like Skype & iChat AV can step down their use of bandwidth when they see quality degrading.
  • Most of us weren’t born yesterday, and it’s plainly obvious that there are very few telcos in the United States.  The government has, since the passing of the Sherman Act in 1890, taken the position, with good reason in my opinion, that monopolies are bad, and that high levels of concentration are not good for consumers, either.  Prosecution through that act as a means of redress, however, is a last resort, because…
  • Such prosecutions take years if not decades, are often at the whim of administrations, and often do not succeed. Three examples of arguably failed prosecutions include IBM, AT&T, and Microsoft.  In the case of IBM, the U.S. dismissed the case when Ronald Reagan became president.  AT&T is arguably a failed attempt, because we are very close to right back where we started.  In the case of Microsoft, European regulators have provided far more oversight than our own Justice Department, perhaps in part due to the non-European nature of the company, but also due to a lack willingness to go further by the Bush administration.  Hence it is better to nip a problem in the bud.  This is one reason for the FCC to have a role.
  • At stake is not whether or not consumers will see a choice of service providers, but whether content providers and etailers, sites like mlb.com and Amazon will have a choice.  Otherwise, we get to a two-sided market, where those who own the so-called eyeball networks also own the other end, providing an enormous price control lever.
  • Properly considered, network neutrality as a concept protects against the idea that you have to go to a service provider to implement new applications features in the network.  This is the core strength of the Internt, but it’s not clear that regulation is needed.  For one thing, I would hope that providers understand that new features and applications are in their best interests, since they get to sell more bandwidth, and perhaps even offer a few such features to their, and other, customers.

That’s what all the fuss is about.

Wrap-up of this year’s WEIS

This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about Identity, privacy, and the insecurity of the financial payment system, just to name a few presentaitons.

Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience.  This year was no exception.  The conference represents an interdisciplinary approach to Cybersecurity that includes economists, government researchers, industry, and of course computer scientists.  Run by friend and luminary Bruce Schneier, Professor Ross Anderson from Cambridge University, and this year with chairs Drs. Tyler Moore and Allan Friedman, the conference includes an eclectic mix of work on topics such as the cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of University of Münster), privacy protection, user behavior, and understanding of the underground economy, this year’s conference had a number of interesting pieces of work.  Here are a few samples:

  • Guns, Privacy, and Crime, by Allesandro Acquisti (CMU) and Catherine Tucker (MIT), provides an insight into how addresses of gun permit applicants posted on a Tennessee website does not really impact their security one way or another, contrary to arguments made by politicians.
  • Is the Internet for Porn? An Insight Into the Online Adult Industry – Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel provides a detailed explanation of the technology used to support the Internet Porn industry, in which it claims provides over $3,000 a second in revenue.
  • The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talks about just how poorly many websites manage all of those passwords we reuse.
  • A panel on the credit card payment system, together with a presentation that demonstrated that even credit cards with chips and pins are not secure.  One of the key messages from the presentation was that open standards are critically important to security.
  • On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.

The papers are mostly available at the web site, as are the presentations.  This stuff is important.  It informs industry as to what behaviors are both rewarding and provide for the social good, as well as where we see gaps or need of improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.