Archive for June, 2009

The Social Hyperlink: Lada Adamic’s Hypertext’09 keynote

Tuesday, June 30th, 2009

AISL CO-PI Lada Adamic gave a keynote talk at Hypertext’09, the 20th ACM Conference on Hypertext and Hypermedia, held June 29 – July 1 in Trento. Lada’s talk, The Social Hyperlink, covered the influence of social networks on the World Wide Web, peer-to-peer systems, and virtual worlds. You can get her slides here.

Can cyberwar treaties avert an arms race?

Sunday, June 28th, 2009

Should the nations of the world work toward a treaty banning or at least limiting cyberwars? If we don’t, might we fall into an arms race that could be bad for everyone? Would a war in cyberspace be less dangerous for people than traditional wars? Or maybe worse?

John Markoff and Andrew Kramer have an interesting article, U.S. and Russia Differ on a Treaty for Cyberspace in Sunday’s New York Times.

“The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet. Both nations agree that cyberspace is an emerging battleground. … But there the agreement ends. Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.
The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say. “We really believe it’s defense, defense, defense,” said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. “They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.”

Russia has some specific proposals that it would like to have considered. But there are complications that arise due to cybercrime and Internet censorship.

“In a speech on March 18, Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council, a powerful body advising the president on national security, laid out what he described as Russia’s bedrock positions on disarmament in cyberspace. Russia’s proposed treaty would ban a country from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war. Other Russian proposals include the application of humanitarian laws banning attacks on noncombatants and a ban on deception in operations in cyberspace — an attempt to deal with the challenge of anonymous attacks.

But American officials are particularly resistant to agreements that would allow governments to censor the Internet, saying they would provide cover for totalitarian regimes. These officials also worry that a treaty would be ineffective because it can be almost impossible to determine if an Internet attack originated from a government, a hacker loyal to that government, or a rogue acting independently.”

The article makes the interesting revelation that this is not the first time that cyberspace arms control has been discussed between the US and Russia.

“In 1996, at the dawn of commercial cyberspace, American and Russian military delegations met secretly in Moscow to discuss the subject. The American delegation was led by an academic military strategist, and the Russian delegation by a four-star admiral. No agreement emerged from the meeting, which has not previously been reported. Later, the Russian government repeatedly introduced resolutions calling for cyberspace disarmament treaties before the United Nations. The United States consistently opposed the idea.

John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, Calif., who led the American delegation at the 1996 talks, said he had received almost no interest from within the American military after those initial meetings. “It was a great opportunity lost,” he said.”

UK cyber attack capability

Saturday, June 27th, 2009

This week the BBC had a story about the UK’s cyber security programs, UK ‘has cyber attack capability’, with this video interview with Gordon Brown.

The article leads with this surprising discussion of the UK’s offensive capabilities.

“The UK has the ability to launch cyber attacks but does not use it for industrial espionage like some other countries, minister Lord West has said. He refused to be drawn on whether it was used for military purposes.

He told BBC Radio 4’s PM programme the UK faced coordinated cyber attacks “on a regular basis” from other countries including Russia and China. And he confirmed that the British government had approached the Russian and Chinese governments to ask them to stop the attacks. “We have had a dialogue with them in the past and I wouldn’t want to go into what goes on in terms of debate at the moment,” he told the BBC.

Pressed on whether Britain used cyber attacks itself, he said: “We do not go and attack other nations to try and find from them their industrial secrets.” But he added: “I think it would be very silly of any nation not to have an ability to use cyber space for the safety and security of its nation.” Pressed further on Britain’s cyber warfare capabilities, he said: “We have an ability to do things and we have got very good and very talented people who have worked on this.”

The article also quotes Lord West, the UK’s first cyber security minister, as saying that they had recruited “a team of former hackers for its new Cyber Security Operations Centre” at GCHQ.

“They had not employed any “ultra, ultra criminals” but needed the expertise of former “naughty boys”, he added. “You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said.”

Gates puts NSA in charge of USCYBERCOM

Wednesday, June 24th, 2009

The NYT reports in New Military Command for Cyberspace that the DoD has put NSA in charge of a unified U.S. Cyber Command to oversee the protection of military networks against cyber threats.

“Defense Secretary Robert M. Gates on Tuesday ordered the creation of the military’s first headquarters designed to coordinate Pentagon efforts in the emerging battlefield of cyberspace and computer-network security, officials said. Pentagon officials said Mr. Gates intends to nominate Lt. Gen. Keith Alexander, currently director of the National Security Agency, for a fourth star and to take on the top job at the new organization, to be called Cybercom. The new command’s mission will be to coordinate the day-to-day operation — and protection — of military and Pentagon computer networks.”

USCYBERCOM is a subordinate unified command under the US Strategic Command.

Murat Kantarcioglu on Facebook Privacy Issues

Monday, June 22nd, 2009

KDAF-TV in Dallas/Fort Worth did a story on privacy and social media featuring an interview with Murat Kantarcioglu.

“Online Social Networks are redefining privacy and personal security, but how much of your personal life have you already given up? A professor at UT Dallas says chances are you’ve given up more than you know.”

Misunderstood Wall Between Intelligence and Law Enforcement

Saturday, June 20th, 2009

A 2004 report prepared for the 9/11 Commission looked at the oft-cited problem that various information sharing policies resulted in a “wall” between intelligence and law enforcement agencies. That three-page report was recently declassified.

“Legal Barriers to Information Sharing: The Erection of a Wall Between Intelligence and Law Enforcement Investigations”, Commission on Terrorist Attacks Upon the United States, Staff Monograph, Barbara A. Grewe, Senior Counsel for Special Projects, 20 August 2004.

One of the study’s conclusions is that there was no legal reason why intelligence information could not have been shared before 9/11 but that many people thought that there were legal restrictions.

“The information sharing failures in the summer of 2001 were not the result of legal barriers but of the failure of individuals to understand that the barriers did not apply to the facts at hand. Simply put, there was no legal reason why the information could not have been shared.”

So, if the applicable laws and official policies were not the problem, changing them doesn’t directly address the problem. To me this report points out an opportunity for those of us working with computer-based policy systems.

We can and should create prototype systems that can help humans by (1) automatically rendering opinions about what existing policies allow and prohibit; (2) providing good explanations for those opinions; (3) letting people examine the reasoning and data provenance underlying the opinions and explore related situations through alternate assumptions and counterfactuals; and (4) collecting feedback from people for analysis and to drive the evolution of the policy systems.

This is a tall order, but there is a lot of prior work on explanation in expert systems that we can draw on.
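As an added illustration of the four components listed above (an opinion, an explanation, inspectable reasoning and provenance with counterfactuals, and feedback collection), here is a small rule-based policy evaluator. It is example code written for this post, not a system the post describes; the rules, fact values and provenance strings are constructed for illustration and do not represent any real statute or agency policy. The design choice worth noting is that a prohibiting rule overrides a permitting one, and that the trace records every fact the decision touched together with where that fact came from, so a reader can see exactly why a “wall” does or does not apply in a given case.

```python
"""Explainable policy evaluator (added example; rules and facts are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str          # short identifier for the rule
    effect: str        # "permit" or "prohibit"
    conditions: dict   # fact name -> value that must hold for the rule to fire
    source: str        # provenance of the rule (constructed for this example)


@dataclass
class Opinion:
    decision: str                                    # "permit" or "prohibit"
    fired: list = field(default_factory=list)        # names of rules that applied
    trace: list = field(default_factory=list)        # human-readable explanation
    facts_used: dict = field(default_factory=dict)   # fact -> (value, provenance)


# Hypothetical rule set, constructed for illustration only (not real law).
RULES = [
    Rule("share-foreign-intel", "permit",
         {"purpose": "foreign-intelligence", "recipient": "law-enforcement"},
         "constructed policy document A, section 1"),
    Rule("court-order-restriction", "prohibit",
         {"source": "court-ordered-surveillance", "court_approval": False},
         "constructed policy document B, section 2"),
]


def evaluate(rules, facts, default="prohibit"):
    """Render an opinion on `facts` (fact -> (value, provenance)) with a full trace."""
    op = Opinion(decision=default)
    for rule in rules:
        failed = None
        for name, required in rule.conditions.items():
            value, origin = facts.get(name, (None, "missing"))
            op.facts_used[name] = (value, origin)   # record data provenance
            if value != required:
                failed = (name, value, required)
                break
        if failed is None:
            op.fired.append(rule.name)
            op.trace.append(f"{rule.name} ({rule.source}) applies -> {rule.effect}")
        else:
            name, value, required = failed
            op.trace.append(
                f"{rule.name} does not apply: {name}={value!r}, needs {required!r}")
    effects = {r.effect for r in rules if r.name in op.fired}
    if "prohibit" in effects:          # a prohibition overrides any permission
        op.decision = "prohibit"
    elif "permit" in effects:
        op.decision = "permit"
    else:
        op.trace.append(f"no rule applies; default is {default}")
    op.trace.append(f"decision: {op.decision}")
    return op


def counterfactual(rules, facts, overrides):
    """Re-evaluate with some facts replaced by explicitly labelled assumptions."""
    alt = dict(facts)
    for name, value in overrides.items():
        alt[name] = (value, "counterfactual assumption")
    return evaluate(rules, alt)


FEEDBACK = []   # collected for later analysis of how the rule set should evolve


def record_feedback(opinion, agrees, comment):
    """Store a reviewer's reaction to an opinion; returns the number of entries."""
    FEEDBACK.append({"decision": opinion.decision, "fired": list(opinion.fired),
                     "agrees": agrees, "comment": comment})
    return len(FEEDBACK)


# Constructed facts for a single hypothetical sharing request.
FACTS = {
    "purpose": ("foreign-intelligence", "constructed case file"),
    "recipient": ("law-enforcement", "constructed request form"),
    "source": ("informant-report", "constructed case file"),
    "court_approval": (False, "constructed docket"),
}

if __name__ == "__main__":
    for line in evaluate(RULES, FACTS).trace:
        print(line)
    alt = counterfactual(RULES, FACTS, {"source": "court-ordered-surveillance"})
    print("counterfactual:", alt.decision)
```

Running the file prints the trace for the constructed request (permitted, because only the permitting rule applies) and then the counterfactual in which the same information had come from court-ordered surveillance (prohibited, with the prohibiting rule named and the overridden fact marked as an assumption in `facts_used`).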

(spotted on FAS Secrecy News)

Researchers ask Google to make HTTPS the default

Thursday, June 18th, 2009

A group of 37 researchers in information security and privacy law have sent an open letter to Google encouraging the company to enable HTTPS as the default protocol for Google Mail, Docs, and Calendar. Doing so, the letter says, will protect Google customers’ communications from theft and snooping.

“Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers’ sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords.

Rather than forcing users of Gmail, Docs and Calendar to “opt-in” to adequate security, Google should make security and privacy the default.”
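The letter’s point is that protection should be the default rather than an option the user must find and switch on. As an added example (not code from the letter, from Google, or from this blog), the following WSGI middleware shows what “secure by default” looks like on the server side: every plaintext request is redirected to the HTTPS equivalent of the same URL, and any cookie the application sets is marked `Secure` so the browser will not send it over an unencrypted connection. The `mail_app` application, the `mail.example.test` host and the cookie value are constructed for the demonstration; the `trust_forwarded_proto` option is only safe behind a reverse proxy you control, because the header can otherwise be set by the client.

```python
"""HTTPS-by-default WSGI middleware (added example with constructed inputs)."""
from urllib.parse import urlunsplit


class ForceHTTPS:
    """Redirect plaintext requests to HTTPS and add the Secure flag to cookies."""

    def __init__(self, app, trust_forwarded_proto=False):
        self.app = app
        # Only honour X-Forwarded-Proto when a trusted proxy terminates TLS.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ):
        if self.trust_forwarded_proto:
            forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
            first = forwarded.split(",")[0].strip().lower()
            if first:
                return first == "https"
        return environ.get("wsgi.url_scheme", "http") == "https"

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = urlunsplit(("https", host, environ.get("PATH_INFO", ""),
                                   environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                attrs = [p.strip().lower() for p in value.split(";")]
                if name.lower() == "set-cookie" and "secure" not in attrs:
                    value = value + "; Secure"   # never send this cookie in clear
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)

        return self.app(environ, secure_start_response)


def mail_app(environ, start_response):
    """Constructed stand-in for a webmail application that sets a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; HttpOnly")])
    return [b"inbox"]


def make_environ(scheme, host, path, query="", forwarded_proto=None):
    """Build a minimal WSGI environ for testing (constructed request)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def call_app(app, environ):
    """Invoke a WSGI app and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ForceHTTPS(mail_app)
    print(call_app(app, make_environ("http", "mail.example.test", "/inbox", "page=2")))
    print(call_app(app, make_environ("https", "mail.example.test", "/inbox")))
```

With the middleware in place a user who types the plain `http://` address still ends up on the encrypted site, and the session cookie (the thing an eavesdropper on an open wireless network would most want) is never exposed, without the user having to discover a configuration option.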

See the post on Wired’s Threat Level blog for more information and a quote from Google in response.

“Google responded Tuesday morning, saying that it is already ahead of the pack by even offering HTTPS, and that the company is looking into whether it would make sense to turn it on as the default for all Gmail users.

“Free, always-on HTTPS is pretty unusual in the e-mail business, particularly for a free e-mail service,” Google engineer Alma Whitten wrote Tuesday morning on Google’s security blog. “It’s something we’d like to see all major webmail services provide.”

The company is planning a trial where small samples of different types of Gmail users will be shifted to a default HTTPS to see how fast things load, how happy users are and what networks or computer setups fare badly, according to Whitten.

“Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users,” Whitten wrote, noting that the extra cost associated with the computing power needed for encryption was not holding the company back.”