Nov 14, 2017

Two recent articles add to the list of materials that students in my lab should ponder.

The first deals with limitations of statistics in science, or at least, limitations in our understanding and application of statistics. This is an on-going topic for our data scientists to track.

A NYT article on NSA Shadow Brokers is especially worthy of your consideration, since so many of our present projects involve analysis and prediction of security-related properties.

To see how the above two readings are modestly related to one another, think about what data are used to predict opportunities to penetrate a site, what data predict potential intrusions over time, and what data are used to track uses of exfiltrated materials. Then … think about whether the science behind each is equally-well developed or applied. What limits someone performing those activities and how would scientists offer that person stronger tools? There are some great research activities lurking in the answer to that question.

 Posted by at 7:54 am on November 14, 2017
Jun 19, 2017

Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware is another fine bit of investigative reporting by (a group that is worth following). Read at this link about the use of spyware to target journalists and advocates of views that are inconvenient to what some might view as corrupt officials.

 Posted by at 9:01 am on June 19, 2017
Aug 24, 2016

Bloomberg reports on Baltimore Secret Cameras, which constantly record in the city. It’s a good article on how much surveillance really goes on … and in a city that has just been issued a scathing report from the Department of Justice on persistent and long-term civil rights violations in its police department. Yes, it does seem like these things go together, doesn’t it?

 Posted by at 6:31 pm on August 24, 2016
Mar 11, 2016

We continue to promote the practice of not just following headlines (though you should do at least that!) but also looking past them to understand the relevant technologies. Two articles are thus very much on point for this practice today. One is an inventory of technical considerations on FBI hacking of the iPhone, which of course has our attention because of the legal battle between Apple and the FBI, and the other is a very nice recounting of the first widely known cyber attack on a power grid and infrastructure, which occurred in the Ukraine.

 Posted by at 12:00 pm on March 11, 2016
Feb 02, 2016

Students and alumni at UC Berkeley have filed a lawsuit against Google for its practices of data mining and profiling their email traffic through Google’s “Apps for Education” services which it promotes widely – including on this campus. The suit claims this is a violation of the Electronic Communications Privacy Act.

Google appears to confirm the practice but asserts that, while profiles are created for everyone who uses these tools, it does not target individuals for advertising based directly on the user’s information. However, the company has so far been silent on how it uses these data for its other purposes, and presumably at some point will need to argue that those uses, while profitable and exploitative, are technically not a violation.

There is no such thing as a free lunch, so for users who obtain services at no direct charge from Google, it is not clear what they think the business value to Google is, if not to train fairly elaborate models that recognize someone having exactly the individual’s features, and then to sell use of that model to companies or government officials who want people identified. Those uses are surely good for Google, corporations and officials, but for consumers, not so much.

Google’s practices have been the open elephant in a room that few involved have an interest in acknowledging. School officials in particular have strong motivation to pay for their digital infrastructure out of their students’ liberty and pockets, and interests of those students be damned. (At UM, the message is also employee interests be damned, as we convert faculty and staff services to Google over the course of this year.)

What brings the present case forward is an assertion by the students that an earlier Google representation (that it would stop direct advertising based on the student data) was an admission that they were violating the Act, in contrast to promises made at the time. Those promises are not unlike those made to students on this campus when we directed all traffic through Google servers.

 Posted by at 8:39 am on February 2, 2016
Jan 05, 2016

Literally so, as you’ll see in the linked article, Xfinity’s Security System Flaws Open Homes to Thieves. At issue is wireless technology that is easily jammed, and Xfinity software which ‘fails positive’, meaning that if it doesn’t hear from a sensor in the house, it presumes all is well instead of alerting the homeowner by text or email about the condition.

Xfinity so far has not responded to either the authors of the report or CERT. Maybe something is jamming their radar to consumer concerns too.
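To make the ‘fails positive’ point concrete, here is a small added illustration (my own example, not Xfinity’s code or anything from the report) of a sensor supervision loop. It contrasts the flawed policy, where silence from a sensor is read as ‘all is well’, with a fail-safe policy that raises a supervision-lost alert once a sensor has been silent longer than an assumed window. The sensor names, timestamps and the 600-second window are constructed for the example.

```python
from dataclasses import dataclass

# Assumed supervision window: a sensor silent longer than this is suspect.
SUPERVISION_WINDOW_S = 600


@dataclass
class Report:
    sensor: str
    ts: int        # seconds since the panel started (constructed values)
    state: str     # "secure" (normal check-in) or "breach" (sensor tripped)


# Constructed sample: the front-door sensor stops reporting after t=1200
# (as it would if its radio were jammed); the window sensor keeps checking in.
SAMPLE_REPORTS = [
    Report("front_door", 0, "secure"),    Report("window_1", 0, "secure"),
    Report("front_door", 600, "secure"),  Report("window_1", 600, "secure"),
    Report("front_door", 1200, "secure"), Report("window_1", 1200, "secure"),
    Report("window_1", 1800, "secure"),   Report("window_1", 2400, "secure"),
]
EXPECTED_SENSORS = ["front_door", "window_1"]


def evaluate(reports, now, expected, fail_safe):
    """Return {sensor: "ok" | "alarm" | "supervision_lost"} at time `now`.

    fail_safe=False reproduces the 'fails positive' behaviour: only an explicit
    breach report raises an alarm, so a silent (jammed) sensor looks fine.
    fail_safe=True additionally flags any sensor whose last report is older
    than SUPERVISION_WINDOW_S, so loss of signal is itself an alert condition.
    """
    last_seen = {}
    breached = set()
    for r in reports:
        last_seen[r.sensor] = max(last_seen.get(r.sensor, -1), r.ts)
        if r.state == "breach":
            breached.add(r.sensor)

    status = {}
    for sensor in expected:
        last = last_seen.get(sensor)
        silent = last is None or (now - last) > SUPERVISION_WINDOW_S
        if sensor in breached:
            status[sensor] = "alarm"
        elif silent and fail_safe:
            status[sensor] = "supervision_lost"
        else:
            status[sensor] = "ok"      # fail-positive path: silence reads as fine
    return status
```

Run with `now=2400`: the fail-positive policy reports both sensors ‘ok’, while the fail-safe policy reports `front_door` as `supervision_lost`, which is the alert the article says the homeowner never received.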

 Posted by at 10:07 am on January 5, 2016
Oct 31, 2015

Rolling Stone carries a nice capsule summary of Tor, or ‘the onion router’, and its history. What is its future? Probably its security has been cracked already in pretty fundamental ways, but the cost of doing so for any one individual target remains higher than would commonly be paid by any but nation states having serious ‘national assets’ to deploy in the process.

 Posted by at 7:04 am on October 31, 2015