Moving to a Forum

By Tadayoshi Kohno at 9:59 am on February 15, 2010

For CSE 484 this year, we have switched from the blog format to the forum format.  The course website is online at  This year’s forum is online at  We switched from the blog format to the forum format because forums seem to provide a better opportunity for interactive discussions within the course.

Filed under: Announcements, Current Events, Security Reviews

Security Review: Urban Chicken Coops

By eyezac at 10:07 pm on March 13, 2009

Chicken coops form the heart of many urban farmers’ livelihoods. Providing sustenance directly through eggs, indirectly through fertilization of soil, and supplementing any waste management system through the digestion of otherwise unusable organic matter, the occupants of these structures play a vital role in small-scale subsistence living. Yet with such a range of assets come an array of risks and vulnerabilities. Especially as the technology underlying these systems becomes more advanced, it is essential to evaluate the implications for their security–and the security of the urban farmer’s way of life.

(Read on …)

Filed under: Security Reviews

Google’s Online Library

By jap24 at 9:57 pm on

Google has been scanning whole books and archiving them since at least 2004.  More recently, it settled a lawsuit that will allow it to legally copy copyrighted books and make them available online.  Google allows users to search their book archive at Google Book Search, and view samples or in some cases entire books.  While the ability to look at fragments of the more restricted books is only useful as advertising for luring in potential readers, the fact that some books are posted whole online is significant for the flow of information throughout the world.  As this online library expands, it could aid education and help distribute ideas worldwide.

(Read on …)

Filed under: Security Reviews

Security Review: New Weapons in the Fight Against Doping

By oterod at 9:57 pm on

The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.

Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.

(Read on …)

Filed under: Current Events, Ethics, Integrity, Research, Security Reviews

Security Review: Helios Online Voting

By Orion at 9:55 pm on

The Technology

The technology being evaluated is the Helios Online Voting Booth, usable at and outlined in the 2008 USENIX Security paper available at the same site. The election system does not create novel cryptographic tools or algorithms; rather, it provides a protocol for using existing cryptography to make an election that is universally verifiable and provides ballot casting assurance as well as voter secrecy. (Read on …)

Filed under: Integrity, Privacy, Security Reviews

Security Review: Online Taxes

By couvb at 9:51 pm on

For the last couple of years, I have done my taxes online.  Compared to doing them by hand on paper, the online method takes far less time to fill out.  However, it also brings with it the host of security risks associated with entering sensitive data over the internet.  To successfully file your tax return, the online system must take your social security number, as well as all your personal and financial information. (Read on …)

Filed under: Security Reviews

Security Review: Eye-Fi

By lidor7 at 9:15 pm on

“The Eye-Fi Card stores photos & videos like a normal memory card. When you turn your camera on within range of a configured Wi-Fi network, it wirelessly transfers your photos & videos. To your computer. Or to your favorite photo sharing web site. Or both.”

The Eye-Fi card is an SD memory card used with cameras, capable of connecting to wi-fi networks and uploading to sharing sites like Flickr, Picasa, etc.  It’s also capable of specifying privacy levels for each upload.  All these configurations can be set using their software on a registered computer on the same network.  Photos can be uploaded as you take them as long as you are connected to the network.

The assets include the card, photos, and the website account information/access.  The card is expensive and can contain sensitive and private photos.  As mentioned, the photos being uploaded can be private.  The website account information/access is also valuable because you don’t want your password and account compromised.  Knowing the password could compromise your accounts on other sites.  Also you don’t want unauthorized photos uploaded or unauthorized actions on your account.

Adversaries may include anyone who is interested in potentially private photos and malicious adversaries who want to take control of or exploit your website accounts.  Adversaries could gain access to these assets through a number of ways.  Since the Eye-Fi card communicates via wireless, if the messages were unencrypted and the protocol reverse engineered, it’s conceivable that messages could be spoofed, tricking the configured computer on the network to conduct unauthorized actions like uploading different photos to the photo sharing website accounts.  Photos could also be intercepted through the network.  Also, depending on the protocol, if account information is being transmitted back and forth between the Eye-Fi card and the configured computer, these messages could be intercepted and account information such as passwords could be read.  The product description seemed to suggest that the card could be configured wirelessly.  If this were the case, then a malicious user could spoof the configuration messages and reconfigure the card.

A good defense perhaps would be to require configuration of the card to happen only while the card is physically plugged into the configured computer.  At this point, the computer and the Eye-Fi card could easily exchange symmetric keys in order to encrypt exchanged messages.  This also prevents a malicious person from spoofing configuration messages.  The account information should be kept on the configured computer and shouldn’t be transmitted across the network.  Since I’m not familiar with the details of the protocol, it’s possible that Eye-Fi already employs some or all of these security measures.

Requiring that the Eye-Fi card is physically connected to the configured computer is an extra inconvenience in order to enforce more security.  The entire idea behind the card is to make the photo uploading process easier and more convenient and enforcing this kind of security is likely not a priority.  Additionally, if the network you’re on is one you own and you already require a key to access the network, then Eye-Fi use is probably already secure from adversaries outside of your network.

However, it’s interesting to consider that as technology evolves, wireless will become more and more commonplace, and companies will likely continue to push convenience as a priority.  And often this convenience will come with the cost of security.  As it is, wireless already has its fair share of security issues but hasn’t become a mainstream concern.  With more users using wireless and more assets becoming accessible via wireless, more and more adversaries may find it worth their while to exploit wifi weaknesses.

Filed under: Security Reviews
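The pairing-then-authenticate defense proposed in the Eye-Fi review, as an added Python sketch that is not the post’s or Eye-Fi’s code: a key shared while the card is plugged in, configuration messages carried with an HMAC and a counter, and a spoofed, tampered or replayed message rejected (the function names and the JSON message layout are assumptions). It covers the spoof-rejection part only; encrypting the body for confidentiality would be layered on top of the same paired key.

```python
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def pair_over_cable():
    """Stand-in for the physical pairing step: while the card is plugged in,
    the computer generates a random symmetric key and both sides keep it."""
    return os.urandom(32)


def seal_config(key, config, counter):
    """Computer -> card: counter || JSON config || HMAC over both."""
    body = json.dumps(config, sort_keys=True).encode()
    msg = struct.pack(">Q", counter) + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def open_config(key, packet, last_counter):
    """Card side: return (counter, config) only if the tag verifies under the
    paired key and the counter is fresh; otherwise None (message dropped)."""
    if len(packet) < 8 + TAG_LEN:
        return None
    msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # spoofed or tampered
        return None
    counter = struct.unpack(">Q", msg[:8])[0]
    if counter <= last_counter:                  # replayed over the air
        return None
    return counter, json.loads(msg[8:].decode())


def demo():
    """Constructed scenario: one genuine update and three bad packets."""
    key = pair_over_cable()
    genuine = seal_config(key, {"upload_privacy": "private"}, 1)
    # someone on the Wi-Fi never saw the cable-exchanged key
    spoofed = seal_config(os.urandom(32), {"upload_privacy": "public"}, 2)
    tampered = bytearray(genuine)
    tampered[-1] ^= 0x01
    return {
        "genuine": open_config(key, genuine, 0),
        "spoofed": open_config(key, spoofed, 0),
        "tampered": open_config(key, bytes(tampered), 0),
        "replayed": open_config(key, genuine, 1),
    }
```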

Security Review: Hollywood Awards Presentations

By ericm6 at 8:56 pm on

Big Hollywood parties have big time guest lists, so it’s no wonder that many people want to be there.  These include both (mostly) benign fans and some people of the less benign variety.  Hence, security at these events is a big deal.  In 2000, the event’s security made national headlines when the Oscar statues were stolen by a shipping company employee.  More recently, Scott Weiss has been trying to crash all variety of big Hollywood parties, including the Grammys, the Golden Globes, and the Oscars, producing a documentary on the topic.

Assets and Security Goals:

  • The safety of attendees.  The guest lists of these events contain lots of famous names that could be the target of attacks on their personal safety.
  • The timeliness of the event.  These events are usually televised live, with lots of advertising revenue depending on the event showing on time.  Failing to do so would cause significant losses to many parties involved.
  • The exclusivity of the event.  Failing to prevent the general public from obtaining access to the event would dilute the exclusivity and mysticism of the event, making the event feel less important overall.

Potential Adversaries:

  • Personal enemies.  The guests are often famous, meaning they’ve made a name for themselves, generally meaning they’ve also made a few enemies, who may want to harm them.
  • Paparazzi.  These pseudo journalists will do anything to capture or make a story about some celebrity, often at the expense of that person’s reputation and possibly safety.
  • Overzealous fans.  These fans can go overboard in their attempts to meet the Hollywood star in question, possibly causing safety issues for that person.


  • Given that the large guest lists generally include many lesser-known celebrities and their entourage, security personnel generally don’t know everyone on the guest list, so it’s possible to impersonate one of these people given the right fake credentials.
  • While electronic keycards are common, there is quite often an entrance without the capability to verify these that’s used by service personnel, making the system trivial to bypass.
  • As always, the human element applies, in that if a person acts like they belong at the event, no one tends to question that fact, once they’re inside.  Moreover, Weiss has found that security personnel will often back down from asking questions if you claim to be in a hurry, not wanting to make themselves a target of the guest’s anger.

Potential Defenses:

  • The electronic keycard system could be expanded to be at every entrance, making passes much more difficult to duplicate.
  • Better training and protection from retribution for security personnel could help prevent the specific human weaknesses exploited by Weiss and company.

In conclusion, while the parties are generally secure from a large scale perspective, becoming totally secure for such a large event will be extremely difficult and possibly be at the cost of usability of the system.  The celebrities generally don’t want to be bothered with security, so the system will likely have backdoors built in to allow them easy access in, which could make any of these upgrades moot anyway.

Filed under: Physical Security, Security Reviews

Security Review: AI

By sal at 8:55 pm on

Although, thanks to Sarah Connor from The Terminator, 1997 wasn’t quite the day machines went out of control, autonomous systems are becoming more and more integrated into our lives. Although AI might take many years to get developed to the level of human intelligence, it is also possible that the breakthrough is just around the corner. Therefore, in order not to be taken by surprise, it is important to start addressing security of autonomous systems on a broad level.
In this article I will address several concerns and possible ways to deal with them, as there are multiple assets at stake – human lives, material things, in fact, almost everything within reach and a little beyond.
I would categorize aspects of AI into two major categories – AI on mobile devices and AI on stationary devices, of which I will focus more on mobile, as, at first glance, they seem to be the most dangerous, as they can cause direct physical harm.
Who might be potential adversaries in the context of AI systems? Here are some of them: the creator of the devil machinery, an outside person willing to exploit and manipulate the system by giving it incentives. And apparently, the AI system itself – even without the intention of the creator, some unknown processes might happen in the neurons of the system.
There can be numerous judicial and technological means that can be implemented to reduce possible negative outcomes. I am not a big fan of restrictions, as they will drag down development of the technology. Nevertheless, here they are:
Obviously, protection from unauthorized access and intrusion detection, using one of the common methods to prevent accessing and manipulating hardware directly.
Here are more related specifically to AI:
Restriction on the AI algorithm – do not allow an algorithm which seemed to work, but could not be fully understood, to take care of the children, for example.
Restrictions on incentives for mobile robots – it is important to carefully think about what stimulus can be left and what should be eliminated, so that the system doesn’t create a danger striving to reach for that incentive. Note, it possibly will not be possible to make it always happy, as it might restrict its willingness to learn.
Allow only pre-learned machines to go wander on their own, thus disabling learning capabilities.
Requirement of restricted weight/power – humans should be able to deal with them.

Although the cars that drive themselves will likely be safer, it is not so clear with a fully developed learning AI system implanted in flexible mobile machinery, unless necessary precautions are implemented.
Additionally, there are numerous other questions, including ethical ones, coming with further development of AI, such as whether it can be considered slavery, for example. Regulations on artificial intelligence systems are inevitable, and users and developers should be thinking of them and be prepared for them.

Filed under: Security Reviews

Security Review: Web based Remote Access

By sojc701 at 8:36 pm on

Many operating systems include some sort of remote access solution by default. Windows XP, for example, ships with Microsoft’s Remote Desktop as a simple remote administration interface. Even OpenBSD, the Unix variant which is usually regarded as the most secure operating system available, includes SSH, which, again, is a simple and secure application that allows command-line access over a network connection to the remote computer.

Without the built-in applications, there are other solutions to control clients remotely with web browsers, such as RemotelyAnywhere and LogMeIn. People can access a computer on which software provided by these companies is installed, from any platform.

These tools provide users convenience, but they bring security concerns as well. To control clients, users first log in to their account, in which the list of all clients is stored. If this system were compromised, it would be easy for attackers to control clients.

(Read on …)

Filed under: Security Reviews