Architecture Is Policy: The Legal and Social Impact of Technical Design Decisions

Over on the CUPS blog I wrote up a summary of the EFF board panel on the legal and social impact of technical design decisions.

Abstract:

Technology design can maximize or decimate our basic rights to free speech, privacy, property ownership, and creative thought.  Board members of the Electronic Frontier Foundation (EFF) discuss some good and bad design decisions through the years and the societal impact of those decisions.

Book: Applied Security Visualization

I just ordered a book entitled “Applied Security Visualization” written by Raffael Marty. The author previously wrote a chapter in “Security Data Visualization: Graphical Techniques for Network Analysis”, another book on how to bring visualization techniques and tools to the aid of the security community. I was somewhat disappointed with the Security Data Visualization book as I felt that it was just throwing eye candy at what I consider to be a serious problem. Many of the tools put forward by the Security Data Visualization book fail to follow the principles put forward by Edward Tufte on how to create useful and effective data visualizations. I have not yet had a chance to review “Applied Security Visualization”, but based on the author’s other work I am hopeful for a clearer and more useful application of visualizations to the security domain.

Value of “who is stalking me” functionality

The Register has an interesting story today on a Facebook app which claims to offer the ability to see who is looking at your profile information but really is just a spam application. The claim is of course bogus as Facebook doesn’t give any application information about who has viewed your profile. Instead the application posts all over your wall and sends out spam messages with the goal of getting ad revenue from people visiting the site and adding the application.

What is interesting about this is that people are intrigued enough by an app that offers feedback on who has viewed their profile that they are continuously falling for the scam. In fact there are at least 25 different versions of this application on Facebook.

DHS: A roadmap for cybersecurity research

DHS has released a report entitled “A Roadmap for Cybersecurity Research” in which they outline what they consider to be the major research challenges in cybersecurity. Both “Privacy-Aware Security” and “Usable Security” made the list. Each research direction has several pages worth of discussion about the topic and the current interesting research challenges in that area. Both Lorrie Cranor’s book, “Security and Usability: Designing Secure Systems That People Can Use”, and SOUPS are cited under resources in the Usable Security section.

– Kami

ITRC data theft report

The Identity Theft Resource Center (ITRC) released their Data Breaches report for 2009. They analyzed 498 breaches which resulted in approximately 222 million compromised records.

The main highlights are:

  • paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • business sector climbed from 21% to 41% between 2006 to 2009, the worst sector performance by far
  • malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

. . . .

The ITRC Breach Report also monitors how breaches occur. ITRC Breach Report – By Attribute. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Some additional interesting facts from the report:

  • In 2009 insider thefts account for 16.9% of breaches. In 2007 insider thefts accounted for 6.1% of breaches.
  • Insider thefts may have accounted for 16.9% of breaches, but they only accounted for 0.1% of compromised records. The majority of those records came from the Business and Government/Military sectors.
  • Paper (physical pieces of paper) breaches accounted for 26% of all breaches in 2009. However, paper breaches only accounted for just under 200,000 compromised records vs. 222 million electronic records compromised.

Behavioral Advertising

Behavioral advertising is used by groups, such as online advertisers, to track users as they move around the internet. This method allows third parties to infer and learn significant amounts of information about users and their browsing habits. Members of my research lab, CUPS, have studied how users perceive the issues surrounding behavioral advertising.

Researchers in the Computer Science Department at Worcester Polytechnic Institute are interested in educating users about what information their browser shares with the web pages it visits. They set up a web page called What They Know where users can go to see what information they are broadcasting. Visitors can also see the trends from past visitors.

Update: EFF has a site you can visit which shows the identifiable information your browser broadcasts to every site you visit.

Update: What They Know has published a report of their findings.

Yahoo! Key Scientific Challenges Program

Yahoo! is running their Key Scientific Challenges Program again this year. Their website has lists of ideas for projects that they consider to be major scientific challenges.

Under Security challenges they list this challenge which I found interesting:

Scalable and Integrated access control for users
Users share data with a variety of applications within and outside Yahoo. Each of these applications has its own Terms of Service, forcing users to specify separate access control rules for each application. This frustrates users, and users feel like they have relinquished all control of where their data ends up. The challenge here is to design an integrated access control language and mechanism that can be used across applications from different organizations. At the very least, this would allow users to identify which information they have disclosed and to whom across different applications. Another challenge is to design a scalable “access control broker” that brokers access to user information to applications that satisfies user-defined permissions.

They also have a section for privacy challenges where I found this:

Tracking user locations privately
Mobile phones these days are capable of being tracked with very high resolution. Many applications provide fine grained location services, like finding your friends, nearby attractions, coupons, ads, and even location aware dating. However, there is a huge privacy risk for the individuals who opt-in. Moreover, current access control mechanisms are either opt-in (in which case you usually don’t have too much control of who can access your data and who can’t) or opt-out (in which case you miss out on the location services). Problems in this space are:

  • Can individuals be tracked in such a way that the individual cannot be uniquely identified from the logs?
  • Can an application which tracks an individual share this information with a third party vendor/application, while preserving the individual’s privacy?
  • What is the right access control language for location tracking?

Social networking data taxonomy

On his blog Schneier proposed a taxonomy of social networking data.  I’ve copied the taxonomy below.

1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number.

2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.

3. Entrusted data. This is what you post on other people’s pages. It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.

4. Incidental data. Incidental data is data the other people post about you. Again, it’s basically the same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.

5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.

Schneier’s taxonomy is interesting as it focuses on data transfer and ownership. In the United States data ownership is a continuously debated issue. When I give my medical records to my doctor, does my doctor now own those records such that he can give them to anyone he chooses as long as he complies with HIPAA? When I give my data to Facebook, who now owns that data? When I allow a third party Facebook application to access my data, who now has control of that data?

In his taxonomy Schneier seems to be implying that we should group social networking data based on the context under which it was collected and who controls it. I like this idea. I think this taxonomy models well how people perceive the flow of ownership of data. If I put data in my space then I should control it. If I give you data then you control it. If you ask me for data through a form then you control it.

Psychology and Security resources

Ross Anderson put together a web page which contains many resources in the intersection of psychology and security. The site includes papers, books, conferences and people.

Drawing trees in Processing

I’ve been looking at different ways to draw trees (the kind found in forests) using the Processing language. Below are some of the good examples I found online.

Tree example

Simple examples of a tree in Processing.

http://processing.org/learning/topics/tree.html

http://www.openprocessing.org/visuals/?visualID=2925

Blossom

This sketch lets the user plant trees which then quickly grow and randomly branch. When the tree is tall enough it also blossoms with flowers.

http://mavdisk.mnsu.edu/kallhw/blossom/blossom.html
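As an added illustration of the grow-and-branch approach the Blossom sketch takes (this is my own example, not code from the Blossom sketch or from any of the linked pages), the following Processing sketch draws a tree recursively: each segment spawns two or three child branches at random angles and shrinking lengths, and when a branch reaches the depth limit it ends in a flower. The depth limit, angle range and colours are arbitrary choices for illustration.

```processing
// Added example: recursive random-branching tree with blossoms at the tips.
// Assumes a standard Processing sketch (setup/draw); constants are arbitrary.
int maxDepth = 9;          // how many times a branch may split before blossoming

void setup() {
  size(600, 500);
  noLoop();                // draw one tree; press any key to grow a new random one
}

void draw() {
  background(255);
  stroke(90, 60, 30);
  translate(width / 2, height);   // trunk starts at the bottom centre
  branch(110, 0);
}

// Draw one segment of length len at recursion depth depth, then recurse
// into its children. The transformation matrix carries the current
// position and heading, so each child only needs a rotation.
void branch(float len, int depth) {
  strokeWeight(map(depth, 0, maxDepth, 6, 1));   // thick trunk, thin twigs
  line(0, 0, 0, -len);
  translate(0, -len);                             // move to the end of this segment

  if (depth >= maxDepth || len < 4) {
    // tip of the tree: draw a blossom and stop recursing
    noStroke();
    fill(255, 150, 180, 200);
    ellipse(0, 0, 8, 8);
    stroke(90, 60, 30);                           // restore the branch colour
    return;
  }

  int children = 2 + int(random(2));              // 2 or 3 child branches
  for (int i = 0; i < children; i++) {
    pushMatrix();                                 // isolate each child's rotation
    rotate(radians(random(-40, 40)));
    branch(len * random(0.6, 0.8), depth + 1);
    popMatrix();
  }
}

void keyPressed() {
  redraw();                // regenerate with fresh random angles and lengths
}
```

Because every random call happens inside branch(), the tree's shape changes on each redraw while the overall silhouette stays tree-like; pushMatrix()/popMatrix() is what keeps sibling branches from inheriting each other's rotation.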

ExploreTree

This is a representation of the tree of life. The tree is written in Processing and allows a user to explore different species and how they are related to each other. The tree lets you follow different branches to learn more about a species. It also provides links to Wikipedia to learn more.

http://www.exploretree.org/

OpenProcessing Tree Generation

A collection of different tree generation Processing sketches.

http://www.openprocessing.org/collections/?collectionID=19

3D tree at OpenProcessing