Showing posts with label privacy. Show all posts
2008-07-02
Readying children for a police state
A coworker sent me a link to this wiretap kit for children ages 10-14 being sold by Toys-R-Us. This is just terrifying on so many levels...
Labels:
privacy
2008-05-11
Measuring the Effectiveness of Bulk Data Collection
While decompressing from a brutal day of studying for a crypto final, I came across an article on BBC which argues that "huge investment in closed-circuit TV technology has failed to cut UK crime." My first thought was, did they really expect it to?
A lot has been made by the media and bloggers of the efforts in London to deploy thousands of CCTV cameras, much of it surrounding civil liberties of British citizens. I'm going to set aside civil liberties concerns for now and focus on more objective measurements (not that these issues are not important, but rather they aren't important to my point here).
To sell or design a widespread CCTV system on some notion that the thought of Big Brother will somehow keep the citizenry well-behaved is so tragically Orwellian that I don't think it warrants another mention. However it was sold to the public or government, and regardless of these silly claims, measuring its success in terms of crime reduction belies the real investigative benefit of such a system: as a forensic tool.
To bring this into an area in which I have more expertise, I think of CCTV in the same way that I think of full packet capture on an important network segment. How much sense would it make to have an analyst sit and watch every packet, every flow, every session that blows by this sensor? How much would I expect detection of malicious activity to increase? Not at all. Even if it were possible for an analyst to keep up with the data rate of the sensor (which is the case with CCTV), so few things that have investigative prima facie meaning happen within the span of human attention that I would expect the results to be negligible. However, when placed in the context of a known attack, suddenly benign or minute details become significant. That white van parked in a parking spot that leaves 1 minute after a robbery a block away now has some meaning. That weird base64-encoded comment in HTML is now of concern.
Active monitoring of these dragnet systems is ludicrous. If some correlative system can be built to reduce data - and that's a big if - then some limited monitoring might make sense, but we are nowhere close to having a technique that will allow us to do so and this argument is moot.
The bigger story is that only 3% of London's street robberies [are] being solved by security cameras. This is certainly concerning, but this is one slice of crime. How do these tools assist in other crimes? The information provided in that article is limited. I would like to see a comprehensive study on the forensic use of this tool by London police - perhaps one is available that I haven't seen. Both the police and the media should start focusing their attention on this aspect of the system - for critique, improvement, and measuring success. That's what we'll be doing as we build a full packet capture system at work, and how we'll be measuring its success.
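The retrospective use of full packet capture described above, as an added illustration (this is not the author's code and not the system being built at work): the capture store is never watched live; instead, once an incident time is known, the analyst pulls the sessions in a narrow window around it and only then asks which HTML comments decode as base64. The session records, hostnames, addresses and the incident timestamp are all constructed for the example.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample of an HTTP-session index built from a full packet
# capture store. Addresses and bodies are made up for this example.
SESSIONS = [
    {"ts": "2008-05-11T14:02:10", "src": "10.0.0.5", "dst": "192.0.2.10",
     "body": "<html><body><p>Welcome</p></body></html>"},
    {"ts": "2008-05-11T14:07:42", "src": "10.0.0.5", "dst": "198.51.100.7",
     "body": "<html><!-- aGVsbG8gd29ybGQ= --><body>ok</body></html>"},
    {"ts": "2008-05-11T14:08:01", "src": "10.0.0.9", "dst": "192.0.2.10",
     "body": "<html><!-- build 42 --><body>news</body></html>"},
    {"ts": "2008-05-11T16:30:00", "src": "10.0.0.5", "dst": "198.51.100.7",
     "body": "<html><!-- Y29uZmlnPXRydWU= --><body>later</body></html>"},
]

HTML_COMMENT = re.compile(r"<!--\s*(.*?)\s*-->", re.DOTALL)
# Heuristic: a single run of base64 alphabet characters, 8 or more long,
# with optional padding. Short English words can still slip through.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(text):
    """Return the decoded text if `text` looks like base64, else None."""
    if len(text) % 4 != 0 or not BASE64_TOKEN.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    # Binary payloads are still reported; undecodable bytes are replaced.
    return raw.decode("utf-8", errors="replace")


def sessions_in_window(sessions, incident_time,
                       before=timedelta(minutes=10),
                       after=timedelta(minutes=2)):
    """Select the sessions recorded shortly before and after a known incident.

    This is the step that turns a dragnet store into a forensic tool: the
    window is defined by the incident, not by anything the data itself says.
    """
    start = incident_time - before
    end = incident_time + after
    return [s for s in sessions
            if start <= datetime.fromisoformat(s["ts"]) <= end]


def suspicious_comments(sessions, incident_time, **window):
    """Within the incident window, report HTML comments that decode as base64."""
    hits = []
    for s in sessions_in_window(sessions, incident_time, **window):
        for match in HTML_COMMENT.finditer(s["body"]):
            decoded = decode_if_base64(match.group(1))
            if decoded is not None:
                hits.append({"ts": s["ts"], "src": s["src"], "dst": s["dst"],
                             "encoded": match.group(1), "decoded": decoded})
    return hits


if __name__ == "__main__":
    # Constructed incident time: the analyst learned something happened here.
    incident = datetime.fromisoformat("2008-05-11T14:08:30")
    for hit in suspicious_comments(SESSIONS, incident):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}: "
              f"{hit['encoded']!r} decodes to {hit['decoded']!r}")
```

Run against the whole day the same heuristic flags two comments and tells the analyst nothing about which one matters; constrained to the window around the incident it returns one, from the host that was active a minute before. The base64 check is deliberately loose and will produce false positives on its own, which is exactly why it only earns its keep once an incident supplies the context.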
Labels:
cctv,
fullpacketcapture,
privacy
2008-03-11
EPIC files FTC complaint on spyware-for-sale
My roommate, a lawyer for EPIC, recently filed a complaint with the FTC about companies that sell spyware on the premise that it, well, lets you spy on people. This is a novel approach to tackle a serious problem that aggravates the current explosion of malicious software on the internet.
More relevant to his motivations, this was specifically filed in an attempt to raise awareness and combat the use of spyware by men stalking and harassing women. Imagine what a powerful weapon this would be for a jealous ex or predator. The perpetrators already have figured this out. Legally, this is a gray area. Prosecutors are hesitant to pursue cases given the lack of precedent, and that means law enforcement is hesitant to build a case. While the legal system goes through the long and painful process to figure out the ground rules on this type of software (it has its uses - investigators will use this type of software legally to build cases with appropriate legal authority), people are suffering. By claiming unfair trade practices, as EPIC has, attention is drawn to the issue, and hopefully vendors will stop encouraging troubled individuals to break the law through their advertising.
He and I would appreciate it if you spread the word.
2008-02-03
HistoryCENTER: Spying
My TiVo knows me well. This morning, it recorded a show on The History Channel titled "HistoryCENTER: Spying." History Channel's Steve Gillon does a good job of presenting material in this show from the few other episodes I've seen, but while educational, I normally find HistoryCENTER as exciting as watching paint dry. This one happens to fall right between one of the bigger political debates of the time and my profession, and as such I was immediately drawn in. The description, from their website:
Security vs. Civil Liberties: How have presidents during wartime walked the sometimes difficult line between protecting Americans and their civil liberties? And will the Bush Administration's decision to spy on American citizens without warrants end up as a chapter or footnote in American history? Guests: Timothy Naftali, professor of history at the University of Virginia's Miller Center, and David Kahn, author of The Reader of Gentlemen's Mail. Hosted by History Channel resident historian Steve Gillon.
I suspect this aired a year or two ago, but it is relevant today nonetheless. I found it an interesting historical perspective on the issue, and as fair and balanced as anything else I've seen on this topic. It's a javascript nightmare, but a replay of this is available courtesy of AOL Video.
If you're in the industry, you should care about and pay close attention to these discussions. Remember that what you're doing as security analysts is, in many cases, spying (network security monitoring, auditing transactional content, etc.). How these public debates are resolved may directly impact our field, and in our positions of trust, we're obligated to strike a fair balance between the powers granted to us and the privacy of those impacted by our actions.
Quis custodiet ipsos custodes?
2008-02-01
Recommended Reading: IEEE Security & Privacy
A few months ago, I was first introduced to IEEE Computer Society's Security and Privacy bi-monthly periodical. Available in both print and web format, I've found most of the articles insightful, useful, or theoretically promising. So far. Hype has claimed many a fine resource in the field, but I'm optimistic IEEE will be able to insulate this one from that common fate. Yes, our industry is still quite nascent. I'm glad to see a reputable, mature organization like IEEE attempt to put some discipline around it. I'll be the first to admit it's not perfect, but it certainly shows promise. To see what I'm talking about, check out their latest highlights. Articles appear by both recognized industry professionals (Bruce Schneier for example, of whom I'm a particularly big fan, in the last issue), as well as researchers with something valuable and intelligent to say who may not be "household" names.
They have an RSS feed. I suggest subscribing in your favorite reader and checking out the summaries for a few issues; you may find this a worthwhile investment. Or, become an IEEE member and enjoy all the benefits of their world-class online library and access to the top professionals in many technical fields.
Labels:
ieee,
periodicals,
privacy,
security