UW Computer Security Research and Course Blog

Some community colleges in the UK are starting to use facial recognition software to check students into school (article at http://www.cambridge-news.co.uk/cn_news_home/displayarticle.asp?id=396794).  The article focuses on the positive benefits of the new system.  The key benefit is in the time savings of checking the students in.  They also noted that having the data on who is currently at school is helpful in the case of fire drills (or real fires for that matter).

While this technology does make some administrative tasks much simpler and easier to carry out, it is important that steps are taken to keep this data secure.  For example, if an attacker could comprimise the system, they could potentially track/stalk students more effectively.  There is also the issue of false positives and false negatives.  If a malicious person is recognized as a legitimate student, then they might be able to hide the fact that that student is missing, among other possibilities.  On the flip side, if a legitimate student is not recognized, this would likely cause annoyance if they are informed, or could lead to the assumption that they are skipping when in fact they are there.

According to an article at the Guardian, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act made it illegal to collect and distribute private information about individuals without telling them.  The Consulting Association aggregated information from the companies that subscribed to its services, and in return it gave them data on workers trying to get jobs.  The files kept by the Consulting Association included data on union activity and other private details.  Some workers in the British construction industry have claimed for years that companies have been blacklisting union activists, and one worker may have been blacklisted after filing an unfair dismissal case against an employer. This event represents a violation of privacy of employees, and an attempt to stifle organized labor.

(Read on …)

A recent article from Ars Technica, modded to high popularity on Digg, reports that last year’s Pwn2Own winner is predicting that Safari will be the first browser to crash in this months”s contest.

Pwn2Own, in Vancouver BC, is part of the CanSecWest security conference. It challenges hackers to find and exploit vulnerabilities in popular web browsers including Safari, Firefox, Google Chrome, Internet Explorer, and Opera; on popular platforms including Windows, Mac OS, and mobile phones. The first person to hack each machine gets to take it home.The article highlights two interesting facets of security research:

• Encouraging “breaking” something makes it more secure. The Pwn2Own competition is motivated, not by malevolence, but by a desire to actually improve the software. This can be confusing to those outside the security community, who often see any attempt to hack as malicious – often creating disturbing headlines about well-meaning hackers being prosecuted legally. By providing a competition encouraging such behavior, the Pwn2Own competition is actually helping web browser developers to make their products more secure.
• “Perceptions” of security are extremely important. This article was modded up extremely high on Digg – and why? Because some hacker “feels like” Safari is less secure. Talking about actual bugs and exploits are not interesting/understandable to readers but they do care, in general terms, about whether a browser is more or less secure, even though they don’t know what exactly that means.

The implications of browser security are increasingly important as the browser wars continue, and as web-based applications are coming to dominate computing. With more and more people storing more of the information and performing more transactions online, the assets involved in securing online actions are extremely important. Furthermore, as 4 popular browsers are in competition, their relative security features are a major distinction for prospective users.

In about two weeks, the competition will take place right near our own school – sending hackers into a frenzy, and developers in a frenzy to fix the holes.

New technology arising from the UK is focusing on helping the elderly through technology.  In particular, they are creating devices which can help dementia patients be able to live on their own for longer.  Typically, when people start suffering from dementia, or experiencing memory loss, it is vital that someone be appointed to watch over them to be sure they don’t unknowingly do something harmful or forget to do something vital.  This could involve a family member living with them and watching after them 24/7, or moving to an inpatient center or nursing home, under the supervision of a nurse.  Engineers at Bath University beleive that computers can solve this problem, and help the family member or nurse, allowing the individual to stay at home longer.

The new technology involves a system integrated into the user’s home which has functions such as monitoring actions, speaking to you, turning off appliances, contacting help when needed, and even emailing a status to family members or caretakers.  The system can remind you to turn off appilances or shut off the water if you forgot to, and can even turn them off itself if the user fails to comply.  If the user unexpectedly gets up in the middle of the night, the system will turn the light on for you, and, if you are gone for long enough, will start talking to you and letting you know that “it seems a little late – don’t you think you should be getting back to bed?”

(Read on …)