UW Computer Security Research and Course Blog

Overview

This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

(Read on …)

From The Guardian, and on Slashdot.

Police in the United Kingdom may soon be be able to collect DNA samples from children if they exhibit behaviors that suggest they may commit crimes later in life, at least if Scotland Yard forensics director Gary Pugh has his way.

Pugh cites the importance of identifying future offenders, saying that “the number of unsolved crimes says we are not sampling enough of the right people.” Advocates of such programs, including the Institute for Public Policy Research, claim that most career criminals begin their lives of crime as early as 10 to 13 years old, and suggest that children from 5 to 12 years old should be profiled and sampled if they exhibit certain “risk factors.”

Even these advocates acknowledge that such treatment could have a “stigmatising” effect, but they do not seem to have any problem with gross violations of privacy in the name of improving public safety.  One concern that is not directly addressed in the article is the possibility that the negative attention such sampling and registration involves might even place more obstacles to a child’s chances of leading a normal life, perhaps even increasing the likelihood that they would turn to crime; a self-fulfilling prophecy, in other words.

Of course, an even greater issue that is sidestepped by the focus on children is the question of whether preemptive DNA sampling of any individual, adult or child, should be tolerated in any free society. Whether such programs are effective in reducing crime is not the only issue - the cost to individual liberty must also be considered. In my opinion, at least, personal freedom must always outweigh public safety, but I’m interested in hearing other ideas.

Today the House of Representatives voted on a bill that would amend the FISA Act of 1978, which deals with government wiretapping. The amendments would deny amnesty to telecommunication industries for complying with illegal warrant less wiretaps by the Bush administration but allow those companies to use government classified information in their defense to prove that they did comply with the law (if they indeed did). (Read on …)

Bruce Schneier posted on his blog earlier in the week about a new, free, open source application by the “Cult of the Dead Cow” (cDc) called Goolag Scanner. It essentially automates a technique called Google Hacking, which was pioneered by a hacker going by the handle “Johnny I Hack Stuff”. Google Hacking entails using the massive Google search engine to discover vulnerabilities on a given server or domain by using targeted searches. These searches are aimed at finding back doors, sensitive information accidentally made publicly available, vulnerabilities in server software, and more. The software, along with a friendly voice that guides you through the installation process, comes with 1,500 built-in searches to use out of the box.

(Read on …)

http://www.thestandard.com/news/2008/02/29/us-canadian-agencies-seize-counterfeit-cisco-gear

USA and Canadian law enforcement has seized US$78 million worth of Cisco routers, switches, and network cards in 400 seizures since the coordinated operation between the two nations was launched in 2005. The reason for the seizures is “illegal importation and sale of counterfeit network hardware”. Personally, I’m a little confused as to how network hardware can be imported legally, but apparently there are laws governing it. (If you’re wondering what “counterfeit” network hardware is, I’d imagine it’s the sale of previously illegally imported hardware). The involved agencies are the U.S. FBI’s Cyber Division, U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection, the Royal Canadian Mounted Police, and apparently, to some extent, the U.S. Department of Justice.

(Read on …)

While this may not be breaking news, it turns out that Facebook has taken just one more step in not respecting their user’s privacy. 

According to a semi-recent article in the New York Times, Facebook retains user profile information even after the user has requested deletion so that “a user can reactivate at any time and their information will be available again just as they left it”.

(Read on …)

Called The Reynard project, it is a series of plans for the U.S. Intelligence to monitor more internet traffic, most notably, data mining from several major MMORPGs, including WoW. The goal being to eventually create a system that can “automatically detecting suspicious behavior and actions in the virtual world.” Games often have things like bombs and assassinations in them, and it seems like the potential for a very high false positive rate is there. It kinda makes me wonder if custom UIs will have an option to use some sort of encryption with their in-game chat for those who are really bothered by big brother being over their shoulder.

Source:

http://blog.wired.com/27bstroke6/2008/02/nations-spies-w.html

http://www.joystiq.com/2008/02/23/wired-national-intelligence-seeking-terrorists-in-wow/

The government has decided to continue wiretapping phones with assistance from phone companies. These companies are also pushing a bill for immunity from lawsuits for participating in the tapping. What is the line at which informational surveillance pushes too far into privacy? Should immunity be granted?

 
Articles:

http://yro.slashdot.org/yro/08/02/24/135225.shtml
http://www.reuters.com/article/newsOne/idUSN2229053420080224

Given all the Microsoft-bashing that takes place among Linux-users, I’m surprised that no one has posted an article (that I’ve seen, at least) that clearly has an anti-Microsoft bias. Despite the bias of the following article, it makes a valid argument that Microsoft should adopt some C-variant that is more safe with regards to buffer-overflows, which are still the “bread and butter” (according to the article) of malware-authors.  The author definitely overestimates the amount of time required by a user to maintain a reasonably secure and patched system. That said, the author makes a valid point: it is the algorithm, not the language, that dictates the overall speed of an OS - hence a “safe” language would be a better choice. Unix worked fine on hardware 20+ years ago, so there is no reason Windows should not be both secure and speedy on today’s hardware.  Windows/ze-bashers, indulge.

The security of our nation’s borders is a topic of great importance. The importance of border security, like most forms of security, can only be truly appreciated when it fails. Some forms of border security failure can have devastating consequences (9/11, though I don’t presume to say that border security was alone at fault for this tragedy), while other failures can have less obvious consequence, such as the draining of tax dollars to support illegal aliens receiving free health-care and education. The problem comes down to foreigners wanting to illegally enter our country for two contrasting reasons: to either benefit from a superior quality of life or to inflict damage on our nation. Defending against illegal immigration is no easy feat, as we have to consider the vast Southern border, the even bigger (though much less troublesome) Northern border, the coasts, and all international airports. Furthermore, distinguishing via identification and authentication between a foreigner who is legally residing within our borders and one that is doing so illegally is also a very hard problem. (Read on …)