UW Computer Security Research and Course Blog

News article here, covered on Slashdot here.

Google, with the cooperation of the Cleveland Clinic, is beginning a project to record medical history and other health-related data for patients. The stated goal is to provide patients with a way to access and manage their own health data, as well as to work towards a “more efficient and effective national health care system.”

While a common database of this information could indeed be useful for patients and healthcare providers, it raises some privacy and security issues. (Read on …)

Called The Reynard project, it is a series of plans for the U.S. Intelligence to monitor more internet traffic, most notably, data mining from several major MMORPGs, including WoW. The goal being to eventually create a system that can “automatically detecting suspicious behavior and actions in the virtual world.” Games often have things like bombs and assassinations in them, and it seems like the potential for a very high false positive rate is there. It kinda makes me wonder if custom UIs will have an option to use some sort of encryption with their in-game chat for those who are really bothered by big brother being over their shoulder.

Source:

http://blog.wired.com/27bstroke6/2008/02/nations-spies-w.html

http://www.joystiq.com/2008/02/23/wired-national-intelligence-seeking-terrorists-in-wow/

Security researchers have announced the development of a ultra-fast method of cracking wireless GSM encryption in 30 minutes or less.  The 64-bit encryption algorithm was cracked in theory over 10 years ago, but the development of new technology has exploited the vulnerability on a timescale that poses a serious threat.  GSM is used by many mobile companies worldwide, including T-Mobile and AT&T in the United States.  With a GSM wireless frequency receiver and the proper resources, hackers will be able to eavesdrop on phone conversations and text messages at will.  Fortunately, the technology is currently not cheap.  The developers are charging $1,000 for a solution that cracks GSM in 30 minutes, and $100,000 for a solution that cracks it in 30 seconds.  Still, the potential for privacy invasion in the future is tremendously daunting.

Who else is ready to switch to Verizon or Sprint?

Source:  http://www.informationweek.com/story/showArticle.jhtml?articleID=206800800&cid=RSSfeed_IWK_All

The government has decided to continue wiretapping phones with assistance from phone companies. These companies are also pushing a bill for immunity from lawsuits for participating in the tapping. What is the line at which informational surveillance pushes too far into privacy? Should immunity be granted?

 
Articles:

http://yro.slashdot.org/yro/08/02/24/135225.shtml
http://www.reuters.com/article/newsOne/idUSN2229053420080224

Spy satellites will be used by local law enforcement to enforce the laws against United States citizens. Should this make us feel safer or more scared of our government?

On the one hand I expect any government to use the most sophisticated equipment it has available in the pursuit of law enforcement, but on the other, the more sophisticated the equipment gets the more difficult it will be for proper oversight to exist, and the tendency is increased (perhaps inadvertantly) that the tools will be used for nefarious purposes.

A lack of oversight has the potential to lead to disastrous results. The brouhaha that occurred over the warrantless wiretapping could be just a hint of what’s to come if programs such as this gain more ground.
When news of this type comes out I get an ominous feeling of “ickiness” about the fact that we have less and less implicit privacy (that being the general privacy to do things like walk outside into your fenced yard without risk of wanton surveillance). But at the same time I have a hard time determining where exactly the line is being crossed.

Can someone help determine where (if at all) a problem exists? Does it lie in the fact that the Federal government is using instruments of national security for issues that should be locally controlled? The Slashdot comments section has a lot of alarmist comments (including the ubiquitous “omg 1984” kind), but I’m not certain how a line is being crossed.

Source: http://yro.slashdot.org/article.pl?sid=08/02/13/2331224&from=rss

Since ISPs, most notably Comcast, some time ago began identifying and purposefully destroying or severely throttling BitTorrent connections passing through their networks, the struggles on both sides of the fence have been nothing short of a game of cat and mouse.

(Read on …)

The latest version (7) of Microsoft’s Internet Explorer web browser, like their latest Windows (Vista) operating system, is supposed to be the most secure version in the product’s history. A complete security review of either IE7 or Vista is outside the scope of this post, but there is one very interesting security feature found at the intersection of the two, called “Protected Mode.” Presented as a feature intended to limit the possible damage even if every other security feature in IE7 fails, Protected Mode limits the browser’s ability to modify the system in case of an attack while preserving the ability to execute other tasks, such as downloading files and allowing helper programs, plug-ins, and the user to interact with the browser much as before. (Read on …)

Home monitoring systems like Quiet Care exist to allow independent living for elderly people. The system works by monitoring the person’s daily movements with wireless activity sensors in each room. The information collected from these sensors is gathered at a communicator and then is sent to the Quiet Care server and is analyzed for patterns. If the server detects unusual behavior, it contacts the caregivers of the individual.

(Read on …)

According to Scientific American, the US Navy is considering to deploy a new technology, Deep Siren, to improve communication to and from submerged submarines. As of now, submarines have to be no deeper than 60 feet and towing a floating antenna behind them before they can communicate with the outside world. This makes the submarines far less agile and much easier to detect. The Deep Siren System will theoretically allow subs to communicate at any depth and speed.
(Read on …)

The other night one of my friend’s asked me about the webcam in her laptop. She was concerned about people gaining access to it and spying on her. Her fears got me to thinking about this problem.

Integrated webcams are becoming the norm in most laptops. The privacy implications of unauthorized access are staggering. A lot of us take changing in the secrecy of our own room for granted, but what if that wasn’t the case? In this security review I look at the possible weaknesses and defenses this class of products has.
(Read on …)