
    Wednesday, October 29, 2008

    Live on the air in NYC on Off the Hook radio show

    I was live on the air on Off the Hook out of NYC on October 22, 2008. What a fantastic experience! Although voting machine fraud is not one of my strong suits—I didn’t know the show’s topic before I went on—I loved discussing tech law and policy with the guys. Talking with Emmanuel Goldstein and bernieS was amazing—I read their cases in law school, and there they were on the air with me! Facing Emmanuel across the sound board and with bernieS on the phone, it felt like we were having a coffee shop discussion because they made me feel very much at ease. It wasn’t as difficult as my first TV interview; I had to constantly remind myself not to look at the camera, but that took such concentration that I seemed distracted. It was easier with radio, but it was more than just the medium. Emmanuel, bernieS, Not Kevin, Rob T. Firefly, and Voltaire on the air with me were awesome. You guys rock!

    After the show, we went for Mexican food in what I think was the Greenwich Village area of NYC. I miss talking about “geek” stuff in Maine. Among other things, we were talking about Second Life: What happens when your character is assaulted online? Legal recourse?

    For dinner, I had a very good chicken enchilada with mole sauce (bitter chocolate). I cannot find Mexican dishes with mole here in Maine, so it was a treat. After dinner, we went to a coffee shop to upload the show and then to a bar (Mars Bar) that is dark because it’s lit with a single bulb hanging from the ceiling. The graffiti is worth checking out if you can read it in the cavernous atmosphere.

    And sometime after midnight, I decided not to take the subway because I don’t know where the heck I’m going once I get out of the station in Brooklyn Heights, so I took a cab. The cab driver asked if I was from the Midwest—could I have been given away by my slight southern accent that rears its head after a few drinks (or when I’m nervous)? Wait…Midwest? That has never happened before. (But I’ve been mistaken for Michelle Madigan at Defcon. That one was the best.)

    Wednesday, October 15, 2008

    Disclosure of Security Vulnerabilities and a Geocentric Universe

    The title to the presentation is the following:

    Disclosing Security Vulnerabilities: How to Do It Responsibly

    "Disclosure of security vulnerabilities is done for many reasons. Some of these reasons include: an interest in improving security; warning the public before those with nefarious interests exploit the vulnerability; or for public recognition of skills. There are also different ways to do it including in print or presentations at conferences. Considering both the reasons for disclosure and how it is done affects how security vulnerability research is accepted by the general public, the security community, law enforcement and by the designer of the product being critiqued. This presentation includes how disclosure has historically been done and the differences between the computer and electronic security communities as compared to physical security (locks, alarms, etc.) communities. Relevant legislation, intellectual property considerations and applicable criminal law will be discussed."

    I'm currently engaged in case law research for a presentation on this topic and using Westlaw in addition to my usual journalism searches. Not surprisingly, most of the cases I've read are more about violations of non-disclosure agreements and disclosure of trade secrets by disgruntled employees. However, my friend, Brenno de Winter, recently published an article titled, "Researchers Show How to Crack Popular Smart Cards." I was interested to read that researchers at universities in The Netherlands and in Germany have broadened the research done by the MIT undergrads who were not permitted to discuss or release their source code.

    What I'm discovering from my research about computer security disclosure is that a lot of the heat is primarily focused on academia. Remember Professor Ed Felten with Princeton's computer science department with SDMI? His team won the challenge, but they faced prosecution if they talked about it or tried to publish their academic research. The challenge explicitly stated: "So here's the invitation: Attack the proposed technologies. Crack them."

    However, what if the vendor producing an insecure product does not outright demand a challenge, but simply puts the product into the marketplace? A good example is the Mifare Classic and NXP Semiconductor. They fought the battle against the MIT students and, for the most part, won because their source code was not distributed.

    However, a group from the Dutch Radboud University Nijmegen recently assembled complete published research that would allow someone to build a cloned card. The Dutch courts said that, "...researchers shouldn't fall victim to mistakes made by suppliers," and allowed publication. I was also amazed to read that a university in Germany cut down an actual chip, and by viewing the IC layers under a microscope, they were able to figure out how the chip works and derived the algorithm.

    Two different ways of figuring out security vulnerabilities, but with the same result. It's now out there and readily available to a determined attacker. On the other hand, some might say that it's also readily available to a security researcher who can assess the security vulnerabilities and make a better design the next time around.

    This debate is nothing new--consider Copernicus's and Kepler's revolutionary teachings and publications. But what surprises me is the fact that it is nothing new. The prosecutions--including criminal--for teaching, discussing, and publishing are still a reality. Where would we be now if Galileo's Dialogue Concerning the Two Chief World Systems wasn't published or discussed because he feared being burned at the stake? We'd still be in a Ptolemaic system where the planets revolved around us--a pretty egocentric way to view life (picture of a geocentric universe by Portuguese cosmographer and cartographer Bartolomeu Velho, 1568 [Bibliothèque Nationale, Paris] above).

    Considering a modern perspective regarding security vulnerability disclosures, it would be a more insecure world without discussions about design flaws. Professors like Ed Felten, although perhaps not (yet!) as influential as Galileo, are to be lauded, not threatened with criminal prosecution.