Author Archive for JGK2007

National Security (should) Trump(s) Personal Privacy

This certainly isn’t a heated posting, but I am very bothered by the fact that some classmates are so dismal in their opinion about the surveillance operations being carried out by the National Security Agency (NSA). I recall the point at which two students mentioned that even if there was verifiable proof that a large-scale terrorist attack had been averted, that they would still be unhappy about being wrongly monitored by the NSA. The same people also mentioned that they had “serious issues” with appearing on surveillance footage of some recorder placed on a street corner. To me, it seems that individuals who, to date, have not been threatened directly by some form of attack lack an appreciation for the protection mechanism that surveillance footage can serve as. It is easy for us to sit in Robertson Hall and discuss how the NSA wiretapping is wrong, and how cameras on street corners are wrong because of privacy issues, but what is the real object we are trying to protect, our privacy or our lives? Let’s be real. Some official/employee contracted to look through suspect footage or listen to and analyze suspicious phone conversations is very unlikely to listen to the “smoochy-woochy” garble going on between any one of us and our boyfriend or girlfriend. Put yourself in their position and imagine yourself stumbling onto a personal phone call/e-mail between two lovebirds or two sports fanatics. In your quest to find important intelligence information, it would hardly be worth your time or of any interest for you to continue listening. In light of the degradation of privacy, some people have called for an amendment to FISA to enable the government to be able to obtain warrants more quickly than they can now. But even if this amendment does go through, the government will likely still surveil communications at a similar rate, and in doing so, FISA is doing little more than keeping a record of those being surveilled.
Does this all of a sudden make the surveillance less of a privacy concern to those who REALLY care?  No, of course not; these individuals are unlikely to feel more privatized while any form of eavesdropping is going on, and should just deal with the surveillance accordingly as it does decidedly more good than bad.

 

All of this is not to say that this system is completely exempt from having any vulnerabilities, it is simply to say that realistically, most people are not interested in your personal phone calls or clips of you scratching yourself on a street corner.  However, there are some concerns in my mind, many of which were brought up in class.  For example, word or phrase searching is likely a bad method for tracking terrorist activities since terrorists are now trying to employ the use of code words to cover their tracks.  And although I find it difficult to imagine that the NSA, with its magnanimous amount of funding and resources, is performing simple phrase comparisons on e-mails, it might be a better idea to analyze the traffic rather than the content.  This way instead of being fooled by tricky messages, they can become more familiar with the underlying communications network and possibly disrupt operations that way. 

 

And so while technically, the eavesdropping may or may not be soundly conducted, the practical implications it carries are immense and should be accepted. What are the real policy issues associated with eavesdropping, privacy or longevity? I think the distinction should be clear that living life should be more important to someone than a small amount of privacy.

RIAA Tries to Curb Illegal P2P on Local Area Networks

Very recently, despite the overall difficulty of the task, the RIAA has once again clamped down on file sharing, this time on the local area networks of colleges and universities.

It seems that since the RIAA began a wave of lawsuits against illegally file-sharing students just a few years ago, the thing to do was to change the technical implementation of how music was downloaded. Many campuses have encountered the use of Direct Connect, DC++, BitTorrent, and other file swapping technologies. Each one tried to circumvent the wording of piracy laws and allow users to continue to share files, particularly music and movies. Of course colleges and universities, where students share and download all kinds of media, typically operate one (or more) local area networks (LANs). Many students seem to think that because LAN traffic only travels locally and not on the public, that they are less prone to being subpoenaed by the RIAA. In some sense, this is true. It is more difficult for the RIAA to monitor the local traffic of external networks, but not impossible. In light of recent work by the RIAA, they have contacted 40 university presidents across the United States with a letter urging them to seek and employ the technological means to curb on-campus file sharing via local networks.

It was initially thought that repeated lawsuits against college students would begin to instill fear in most students and deter them from illegal file sharing. However, this has not been the case, and file sharing is still an issue. In addition to taxes that are in place against many universities, the RIAA has urged many of these schools to use network filters to stop illegal file sharing. In light of the continuation of illegal file sharing, I wonder if it is possible (or feasible) for the RIAA to seek government assistance in forcing schools to employ counter file-sharing techniques. I looked into some other issues, and saw that Congress was ready to approve a bill that called for the mandatory retention of important ISP information for some extended period of time to aid in investigations, or matters of national security. Also, network non-neutrality has been suggested in Congress as a means to curbing P2P traffic. So, is it long until the government intervenes? If so, then they may be imposing large costs on many schools across the country. Some technology experts even argue that the technology is not very sound and is easy to get around.

I am not convinced that there is a simple, elegant solution to this problem, and being a music fan, I am not even sure if I want one. However, if the government can cut funding to schools that refuse to allow military recruiters on their campus, then it may not be long until mandatory file-sharing filters are on networks near you.

Cyber-terrorism Threats and Aversions

In light of our recent talks about viruses and worms, I decided to do a little bit of reading about cyber terrorism. I was surprised to see that now, perhaps more than ever, the U.S. technological infrastructure may be at risk.

Recent research has shown that politically motivated computer attacks are growing in number. In a similar fashion, technologically waged attacks are being seen as an accompaniment to actual physical attacks, and technological attacks are also being aimed at progressively more lucrative targets. These factors in combination with the fact that the U.S. is currently at war with a radically motivated group should be of some cause for concern, but there are countermeasures available. Let’s first look at some of the motivations of the attackers.

In a report on the vulnerability of U.S. technological infrastructure, a committee reports that participants in the war against the United States in Iraq are extremely radically motivated (be it religiously/politically) individuals who do not have great resources for censuring their adversary. For this reason, cyber terrorism becomes a very attractive option to these groups. Cyber attacks are an extremely cost-efficient way for poorer individuals to cause great financial and technological burdens to a perceived superpower. While their technical capabilities are still quite limited, there are some notable examples of such attacks. In the early 2000s, Israel and Palestine repeatedly hacked one another’s political and religious web sites and defaced them by posting inappropriate pictures/messages promoting their ideologies. Similar defacing techniques were used by China against the United States as well as by Yugoslavia against Kosovo in the 90s. The ongoing war in Iraq may be causing the same resentment in Iraqi fighters, and as a result, the U.S. should maybe expect similar attacks.

Hackers today typically target high value goals. In the United States, an outage at Wall Street, or an attack on the national power grid might render the country helpless. There are, as we have studied in part, a number of viruses, worms, DoS/DDoS attacks, buffer overrun attacks, and other hacks that about anyone can employ to cause damage to the technological infrastructure of another individual/country, the technical details of which would cause this paper to expand geometrically. As a result, I will recommend some preventative measures that can be taken to avert such potential disaster.

Best practice programming should be used. In other words, developers should be sure that their software does not contain easily exploitable flaws such as buffer overruns. Be sure to implement good security policies. A network is only as secure as its weakest link. Also, system administrators should take time to secure their infrastructure. Web servers should be housed on machines that are separate from key operating machines. Also, networks should be monitored for suspicious activities, and contingencies should be developed for combating or recovering from large-scale cyber attacks. If proper practices are followed, then cyber attacks, and the resulting damage, can easily be averted.

Philips Patents Anti-Channel Changing Technology

http://news.yahoo.com/s/ap/20060420/ap_on_hi_te/anti_ad_skipper;_ylt=Ar9k5D0l.y0yco9M2RBVnggjtBAF;_ylu=X3oDMTA5aHJvMDdwBHNlYwN5bmNhdA–

Network Non-Neutrality as a Combatant to P2P Congestion

Recently, we’ve heard a lot of talk about network neutrality. To a lot of people, especially those who are of the technical persuasion, non-neutrality over a computer network immediately seems like a bad idea. It did to me when I first heard about it. However, it seems to me that non-neutrality might be a good thing in at least one instance: P2P file sharing.

We have noted how regulating networks, communications networks in particular, could be biased in the way that it could favor a certain type of user over another, but I believe that network mandates against file sharing on behalf of internet service providers are a mutually beneficial way for all users of that company’s network service to enjoy better performance. P2P traffic takes up a notable amount of bandwidth despite technologies (like BitTorrent) that pretty effectively distribute large files to various users over the Internet. This traffic usurps such large amounts of bandwidth that other users often experience delays due to network congestion. So, does this fact make it a viable option for ISPs to limit the amount of bandwidth that goes to P2P traffic on their network? I would argue “yes”.

I think a main problem with this particular type of network traffic is that users simply initiate a download, and then let it run for hours, or even days at a time. This essentially limits the bandwidth available to other users who are “surfing” the Internet or using it more analogously in general. Limiting bandwidth to these “touch-and-go” users would certainly yield improvements for more casual users, but is this method of capping the bandwidth the best solution? Are there other ways to justify limiting P2P traffic while maintaining network neutrality?

One possible solution is for the providers to acquire more bandwidth for their users, but as we have seen in class, this imposes an enormous cost on the provider, one that is so great in fact, that the prices for customers are likely to be so high that providers might expect to lose business in spite of providing greater transfer rates. Another possible solution is to offer tiered services, which a fair amount of providers offer already. This requires that those who wish to use larger amounts of bandwidth be responsible for footing more of the cost. Perhaps you could be expected to pay more per unit of time downloading or per amount of data you download. This seems like a reasonable solution at first, but it is easy to see that users paying for some basic network access service will continue to pay the non-premium rates, but continue downloading at an alarming rate. So essentially, tiered services do nothing to stop network congestion due to P2P traffic.

All this being the case, I believe that restrictions on P2P traffic that will improve the connection quality of all network users go to further the end-to-end principle, and are seemingly an acceptable form of network non-neutrality.

New Built-in Encryption by IBM Likely Useless if NSA Requires “Backdoor”

Somewhat recently, we have talked about companies that compile “dossiers” of individuals that contain sensitive or otherwise personal information. One such example was ChoicePoint, who leaked as many as 45,000 personal records to 50 “suspicious” companies. Bank of America and LexisNexis are two other notable companies who have lost the valuable information of their customers. It is immediately clear why the transfer of such information is detrimental to the individual, but what’s not so clear is how to stop it.

Recently, as many as 20 states have enacted some type of legislation that requires these data brokering companies to notify users whose information has somehow been compromised. A precise definition of compromised is still unclear. Must an unauthorized party have accessed the data directly? If so, which types of data are so sensitive that their owner must be notified? Can a limit be put on this? Also, is there any cause for alarm if the data has been encrypted? Companies who maintain CPNI records might argue that near-constant encryption of all data causes access issues for the rightful owners. A new IBM architecture presents a convenient solution to these issues! It’s called “Secure Blue”.

Computers do indeed already try to implement encryption both through software and hardware methods. However, if hackers are clever enough, I suppose that they can get at valuable information before it actually reaches an encryption engine. So in an effort to thwart this, IBM has implemented encryption natively in its new hardware. This means that information will now travel around nearly all of the time in an encrypted format, save of course necessary times such as outputting information to the user display. This should be especially useful to companies who are concerned with having to notify users for breaches of data since in most laws, there are loopholes that allow carriers to do nothing if the data was encrypted. Equally important, IBM maintains that the native encryption takes nearly no extra time to take place, and places no extra overhead on the processing/access speed of all information.

While the three aforementioned paragraphs may contain a number of different controversial points, perhaps the most controversial is an argument posted to an online blog (Slashdot) by a number of different users: Secure Blue will not be allowed onto the market without an NSA approved backdoor. Throughout the recent outbreak of NSA cases in which domestic spying has occurred, computer security experts have begun to wonder just how useful any security system is if it must have a built-in workaround. It is my belief that [near] perfect privacy/security is perfect with some of these new inventions, however, privacy is not selective. That is to say that no one can pick and choose who is entitled to complete privacy and who is not. This being the case, we are all doomed to have some NSA backdoor accessibility to our system, which contradicts the initial security measures being taken to protect it. However, it is this accessibility that also keeps us from completely obfuscating the plans of potential terrorists or frauds. So, it is my estimation that with this new technology Secure Blue, near perfect security is certainly possible, but due to instability in the political realm, its marketability lacks and its implementation becomes highly unlikely.

Encryption, a [slightly] Technical Analysis

As Avi noted in his post about encryption, it is “computationally infeasible” for an outsider to be able to determine both the “encryption key” as well as the process in which the key was used to encrypt the information into ciphertext. However, that is not to say that the use of encryption in a communications system is guaranteed to make the system secure. For example, SSL, which is a prominent security protocol used in nearly all secure online connections (https://), involves a public key exchange. A notable method of key exchange, Diffie-Hellman, is vulnerable to a “man-in-the-middle” attack in which someone receives and then re-sends all traffic involved in the exchange without ever being detected. Thus, a system of communication is vulnerable, even in spite of the use of clever encryption methods.

Also, there are some concerns on behalf of the carriers that encrypting too much information will cause the regular access of common information to take too long. As we will see, this is not a legitimate concern as the bottleneck on the amount of time it takes to access your own personal information is not the encryption protocol in use, but the actual speed of the connection.

I (by I, I mean our group) propose the 3-part model shown at the end of this passage.

This model assumes that the carrier is large and has a certain level of technological capabilities, namely the database and web server are separate machines. This model also assumes that the end user is authenticated, that is to say that the person behind the client machine is who he/she claims to be, and their password’s integrity is maintained.

The first point of concern is the channel between the client and the web server. A security protocol named SSL is a nice way for a client to establish a secure connection through the use of a message authentication code, or a MAC, which can verify the integrity and authenticity of messages traveling back and forth, and a “handshake” between the two devices that confirms that each node is a trusted party. SSL, when used in conjunction with HTTP, forms a secure connection that is believed to be secure [enough].
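The Diffie-Hellman weakness mentioned earlier and the MAC-protected handshake described here can be seen side by side in the following added example, which is not part of the original post. It assumes a toy 127-bit group and a pre-shared HMAC key standing in for the certificate signature that SSL actually uses; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): a 127-bit Mersenne prime.
# Real deployments use standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def session_key(private, peer_public):
    """Hash the Diffie-Hellman shared secret into a symmetric key."""
    return hashlib.sha256(pow(peer_public, private, P).to_bytes(16, "big")).digest()

def tag(auth_key, role, public):
    """MAC binding a public value to the role of the party that sent it."""
    return hmac.new(auth_key, role + public.to_bytes(16, "big"), hashlib.sha256).digest()

def substituting_relay():
    """Constructed intermediary: swaps in its own public value, keeps the old tag."""
    r_priv, r_pub = keypair()
    return r_priv, lambda msg: (r_pub, msg[1])

def exchange(relay=None, auth_key=None):
    """One client/server exchange; auth_key=None means no authentication."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    to_server = (c_pub, tag(auth_key, b"client", c_pub) if auth_key else None)
    to_client = (s_pub, tag(auth_key, b"server", s_pub) if auth_key else None)
    if relay:
        to_server, to_client = relay(to_server), relay(to_client)
    if auth_key:
        # Each side recomputes the MAC over the value it actually received.
        ok = (hmac.compare_digest(tag(auth_key, b"client", to_server[0]), to_server[1])
              and hmac.compare_digest(tag(auth_key, b"server", to_client[0]), to_client[1]))
        if not ok:
            return {"accepted": False}
    return {"accepted": True, "client_pub": c_pub, "server_pub": s_pub,
            "client_key": session_key(c_priv, to_client[0]),
            "server_key": session_key(s_priv, to_server[0])}

if __name__ == "__main__":
    r_priv, relay = substituting_relay()
    plain = exchange(relay=relay)
    print("no authentication, accepted:", plain["accepted"])
    print("relay holds client's key:",
          session_key(r_priv, plain["client_pub"]) == plain["client_key"])
    print("authenticated, accepted:", exchange(relay, b"k" * 32)["accepted"])
```

Without authentication both endpoints accept the exchange even though each has agreed on a key with the intermediary rather than with each other; once the public values are authenticated, the substituted value fails verification and the handshake is rejected.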

The next point that is a potential security concern is not the web server, but the database itself. Fortunately, the web server is not an effective spot for an attack to steal sensitive information, it is only effective for creating a Denial of Service situation. If an attack were waged on the database, then an intruder to the system could easily steal tons of extremely valuable information in a short time. Thus, it is absolutely imperative that the raw data sitting on the database server resides in an encrypted form. Encryption today is so strong that the Earth would likely end before the cipher could be cracked.

The final concern about encrypting information is that of look-up speed and accessibility. It turns out that the bandwidth capabilities of the client’s connection to the web server trump the time it takes for the data to be looked up/encrypted. This fact makes it entirely possible for carriers to efficiently/effectively implement encryption for security purposes.