DOCSLIB.ORG

Software Assurance

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Software Assurance Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research. She was also involved in requirements elicitation and architectural design of several high-assurance trusted guard and trusted server applications for the defense departments of the United States, Canada, and Australia; for the North Atlantic Treaty Organization; and for the US Departments of State and Energy; the Internal Revenue Service; and the Federal Bureau of Investigation. Ms. Goertzel holds a Certified Information Systems Security Professional (CISSP) and a BA from Duke University. Software Security Assurance State-of-the-Art Report (SOAR) i About the Authors Theodore Winograd (IATAC) Theodore Winograd supports the Department of Homeland Security’s Software Assurance Program, serving as a contributing author to Security in the Software Lifecycle. He also supports the National Institute of Standards and Technology’s Computer Security Resource Center, for which he has been the lead author of several Special Publications (SP), including SP 800-95, the Guide to Secure Web Services. He has provided support to the DISA Application Security Program, where he was a primary author of the Java 2 Enterprise Edition Security Checklist and the Developer’s Guide to Secure Web Services. Mr. Winograd holds a Global Information Assurance Certification (GIAC) Security Essentials Certification (GSEC). He holds a BS in Computer Engineering from the Virginia Polytechnic Institute and State University (Virginia Tech). Holly Lynne McKinley (IATAC) Holly Lynne McKinley is certified as a Systems Security Certified Practitioner (SSCP) and has earned the GSEC. Concentrating on software assurance, her client projects have ranged from technical research and guidance development to web and database programming. Ms. McKinley is a member of the Computer Security Institute and has attended conferences and presented seminars on software security, including the Institute for Applied Network Security Mid-Atlantic Forum and the Annual Computer Security Applications Conference. She holds an MS in Information Technology Systems with an Information Security concentration from Johns Hopkins University and a BS in Business Information Technology with an E-Business concentration from Virginia Tech. Lyndon J. Oh (IATAC) Lyndon J. Oh covers a broad range of intelligence analysis issues, including counterterrorism. He has previously worked on site in the information operations center of a US Government intelligence agency, where he focused on vulnerabilities in global telecommunications networks. He has previously served as an intern with the US Department of State’s Office of Burma, Cambodia, Laos, Thailand, and Vietnam Affairs. He holds an MSc (with merit) in International Relations from the London School of Economics and a BA from Wesleyan University in Middletown, CT. Michael Colon (IATAC) Michael Colon has over 16 years of experience providing software engineering solutions to the commercial, aerospace, and defense industries. Mr. Colon specializes in secure systems engineering and has broad knowledge of and experience in object-oriented development, service-oriented architecture, and intelligent agent-based computing. He managed software engineering projects for the Assistant Secretary of Defense for Networks and Information ii Software Security Assurance State-of-the-Art Report (SOAR) About the Authors Integration (ASD NII), US Army Information and Intelligence Warfare Directorate (I2WD), US Army Communication-Electronics Command (CECOM), DISA, National Security Agency (NSA), Farberware, and Hoffritz. Mr. Colon holds a BS in Computer Science and is a member of the Upsilon Phi Epsilon Computer Science Honor Society. Thomas McGibbon Data and Analysis Center for Software (DACS) Thomas McGibbon has served as the Director of DACS since 1994. He has over 30 years of experience in software development, systems development, and software project management. He is author of several DACS state-of-the-art reports on software engineering topics. He holds an MS in Software Engineering from Southern Methodist University and a BS in Mathematics from Clarkson University. He is a Certified Software Development Professional (CSDP). Elaine Fedchak (DACS) Elaine Fedchak has most recently worked with the Cyber Operations Group, supporting research in developing tools and systems for network and enterprise defense. Her association with DACS began in 1983. She has been involved in numerous aspects of software engineering evolution and research, from DoD-STD-2167 and the first concepts of software engineering environments, to Ada, to leveraging web technologies in support of DACS functions. She has written several state-of-the-art reports and other technical papers. Ms. Fedchak currently holds a CISSP. Robert Vienneau (DACS) Robert Vienneau has assisted in developing a system for measuring the performance of Net-Centric Enterprise Services (NCES) in a tactical environment; an identification and authentication architecture for the Information Management Core Services (IMCS) project; a processor for space-based radar; a real-time, high-resolution synthetic aperture radar image formation system; an automated intrusion detection environment; and systems supporting research in multichannel signal processing simulation and detection. Mr. Vienneau has supported the DACS for more than two decades, including in analyses of software metrics data, in designing web page interfaces to DACS databases, in designing and conducting experiments, and in writing and editing state-of-the-art reports. He holds an MS in software development and management from the Rochester Institute of Technology and a BS in mathematics from Rensselaer Polytechnic Institute. Mr. Vienneau is a member of the Institute of Electrical and Electronic Engineers (IEEE). Software Security Assurance State-of-the-Art Report (SOAR) iii iv Software Security Assurance State-of-the-Art Report (SOAR) About IATAC The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support defensive information operations. IATAC’s mission is to provide DoD with a central point of access for information on emerging technologies in information assurance (IA). Areas of study include system vulnerabilities, research and development, models, and analysis to support the effective defense against information warfare (IW) attacks. IATAC focuses on all defensive activities related to the use of information, information-based processes, and information systems (IS). One of 20 Information Analysis Centers (IACs) sponsored by DoD, IATAC is managed by the Defense Technical Information Center (DTIC). IATAC’s basic services provide the infrastructure to support defensive information operations. These services include collecting, analyzing, and disseminating IA scientific and technical information; supporting user inquiries; database operations; current awareness activities (e.g., the IAnewsletter); and developing critical review and technology assessment and state-of-the-art reports (SOAR). Software Security Assurance State-of-the-Art Report (SOAR) v About IATAC SOARs provide in-depth analyses of current technologies, evaluate and synthesize the latest information resulting from research and development activities, and provide a comprehensive assessment of IA technologies. Topic areas for SOARs are solicited from the IA community to ensure applicability to emerging warfighter needs. Inquiries about IATAC capabilities, products, and services may be addressed to: Gene Tyler, Director 13200 Woodland Park Road, Suite 6031 Herndon, VA 20171 Phone: 703/984-0775 Fax: 703/984-0773 Email: [email protected] URL: http://iac.dtic.mil/iatac SIPRNET:
Load more

Recommended publications
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • Oracle with Metasploit
    Oracle Penetration Testing Using the Metasploit Framework Chris Gates & Mario Ceballos Metasploit Project Abstract Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built- in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this whitepaper we will present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks. The modules are currently only supported under Linux and OSX. Oracle Penetration Testing Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USERNAME/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks. Locating an Oracle System You will typically find most Oracle installations by performing port scanning in the target netblock. The Oracle listener default port is 1521 but can listen on an port generally in the 1521-1540 range. You can also discover oracle instances by scanning other common Oracle ports. Review http://www.red- database-security.com/whitepaper/oracle_default_ports.html for common Oracle ports. Generally running a service scan will NOT give you the Oracle TNS Listener version but updated fingerprints for new versions of Nmap may yield versions in some situations.
    [Show full text]
  • Senior Data Engineer Cala Health, Inc
    875 Mahler Road, Ste. 168 Burlingame, CA, 94010 +1 415-890-3961 www.calahealth.com Job Description: Senior Data Engineer Cala Health, Inc. About Cala Health Cala Health is a bioelectronic medicine company transforming the standard of care for chronic disease. The company's wearable neuromodulation therapies merge innovations in neuroscience and technology to deliver individualized peripheral nerve stimulation. Cala Health’s lead product, Cala Trio™, is the only non-invasive prescription therapy for essential tremor and is now available through a unique digital business model of direct- to-patient solutions. New therapies are under development in neurology, cardiology, and psychiatry. The company is headquartered in the San Francisco Bay Area and backed by leading investors in both healthcare and technology. For more information, visit CalaHealth.com. The Opportunity We are looking for a Senior Data Engineer to expedite our Data Platform Stack to support our growth and also enable new product development in a dynamic, fast-paced startup environment. Specific Responsibilities also include ● Key stakeholder in influencing the roadmap of Cala’s Digital Therapeutics Data Platform. ● Build, operate and maintain highly scalable and reliable data pipelines to enable data collection from Cala wearables, partner systems, EMR systems and 3rd party clinical sources. ● Enable analysis and generation of insights from structured and unstructured data. ● Build Datawarehouse solutions that provide end-to-end management and traceability of patient longitudinal data, enable and optimize internal processes and product features. ● Implement processes and systems to monitor data quality, ensuring production data is always accurate and available for key stakeholders and business processes that depend on it.
    [Show full text]
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • Metasploit Framework «Back|Track-[IT]
    Metasploit Framework www.backtrack.it «Back|Track-[IT] www.backtrack.it (c) 2009 brigante - fiocinino [email protected] [email protected] Metasploit Framework Metasploit Framework www.backtrack.it Metasploit Framework www.backtrack.it Questo documento è rivolto a tutti coloro che vogliono conoscere cos'é, come viene utilizzato e cosa comporta l' uso del “Metasploit Framework”, parte del Metasploit Project. Metasploit è più di un semplice progetto per la sicurezza informatica, è un vero è proprio insieme di strumenti, (appunto denominato Framework), che ha praticamente rivoluzionato l' intero mondo della sicurezza informatica. Come per la stragrande maggioranza della nostra documentazione verrà, anche in questo documento, dato spazio sia alla parte teorica che alla parte pratica e descrittiva, con svariati esempi e con la descrizione dettagliata alcuni nostri video, reperibili naturalmente dall' apposita sezione del nostro portale. “Che cos'é Metasploit” Metasploit Project nasce con l' intento di fornire informazioni su vulnerabilità, sviluppo di sistemi di rilevamento di intrusioni e semplificare le operazioni di penetration testing. Il sub-project più conosciuto è il Metasploit Framework, un' insieme di strumenti per lo sviluppo e l'esecuzione di exploits, di shellcodes, auxiliary, opcode noto per lo sviluppo di strumenti di elusione ed anti- rilevamento. Uno dei principali Goals del “Metasploit Project” è quello di mirare principalmente a fornire informazioni utili allo sviluppo di nuove tecniche di pentesting e di firme per
    [Show full text]
  • 0.1 Problems
    0.1. PROBLEMS 1 0.1 Problems 1. Among the fundamental challenges in information security are confi- dentiality, integrity, and availability, or CIA. a. Define each of these terms: confidentiality, integrity, availability. b. Give a concrete example where confidentiality is more important than integrity. c. Give a concrete example where integrity is more important than confidentiality. d. Give a concrete example where availability is the overriding con- cern. 2. From a bank's perspective, which is usually more important, the in- tegrity of its customer's data or the confidentiality of the data? From the perspective of the bank's customers, which is more important? 3. Instead of an online bank, suppose that Alice provides an online chess playing service known as Alice's Online Chess (AOC). Players, who pay a monthly fee, log into AOC where they are matched with another player of comparable ability. a. Where (and why) is confidentiality important for AOC and its customers? b. Why is integrity necessary? c. Why is availability an important concern? 4. Instead of an online bank, suppose that Alice provides an online chess playing service known as Alice's Online Chess (AOC). Players, who pay a monthly fee, log into AOC where they are matched with another player of comparable ability. a. Where should cryptography be used in AOC? b. Where should access control used? c. Where would security protocols be used? d. Is software security a concern for AOC? Why or why not? 5. Some authors distinguish between secrecy, privacy, and confidential- ity. In this usage, secrecy is equivalent to our use of the term con- fidentiality, whereas privacy is secrecy applied to personal data, and 2 confidentiality (in this misguided sense) refers to an obligation not to divulge certain information.
    [Show full text]
  • Metasploit Pro User Guide
    4.11 USER GUIDE Getting Started First things first. If you haven't installed Metasploit yet, check out this these instructions if you're a commercial user. Otherwise, if you already have Metasploit installed, congratulations! You've come to the right place to get started. What's Metasploit? Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate. Metasploit Framework The Metasploit Framework is the foundation on which the commercial products are built. It is an open source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. Thanks to the open source community and Rapid7's own hard working content team, new modules are added on a regular basis, which means that the latest exploit is available to you as soon as it's published. There are quite a few resources available online to help you learn how to use the Metasploit Framework; however, we highly recommend that you take a look at the Metasploit Framework Wiki, which is maintained by Rapid7's content team, to ensure that you have the most up to date information available. You can also use the sidebar navigation on the left to view the documentation that is available on this site; just click on the Metasploit Framework topic or search for the topic you want. Either way, if you are unable to find what you need, let us know, and we will add it to the documentation back log.
    [Show full text]
  • Financial Fraud and Internet Banking: Threats and Countermeasures
    Report Financial Fraud and Internet Banking: Threats and Countermeasures By François Paget, McAfee® Avert® Labs Report Financial Fraud and Internet Banking: Threats and Countermeasures Table of Contents Some Figures 3 U.S. Federal Trade Commission Statistics 3 CyberSource 4 Internet Crime Complaint Center 4 In Europe 5 The Many Faces of Fraud 6 Small- and large-scale identity theft 7 Carding and skimming 8 Phishing and pharming 8 Crimeware 9 Money laundering 10 Mules 10 Virtual casinos 11 Pump and dump 12 Nigerian advance fee fraud (419 fraud) 12 Auctions 14 Online shopping 16 Anonymous payment methods 17 Protective Measures 18 Scoring 18 Europay, MasterCard, and Visa (EMV) standard 18 PCI-DSS 19 Secure Sockets Layer (SSL) and Transport Secured Layer (TLS) protocols 19 SSL extended validation 20 3-D Secure technology 21 Strong authentication and one-time password devices 22 Knowledge-based authentication 23 Email authentication 23 Conclusion 24 About McAfee, Inc. 26 Report Financial Fraud and Internet Banking: Threats and Countermeasures Financial fraud has many faces. Whether it involves swindling, debit or credit card fraud, real estate fraud, drug trafficking, identity theft, deceptive telemarketing, or money laundering, the goal of cybercriminals is to make as much money as possible within a short time and to do so inconspicuously. This paper will introduce you to an array of threats facing banks and their customers. It includes some statistics and descriptions of solutions that should give readers—whether they are responsible for security in a financial organization or a customer—an overview of the current situation. Some Figures U.S.
    [Show full text]
  • Mdcg 2019-16
    Medical Device Medical Device Coordination Group Document MDCG 2019-16 MDCG 2019-16 Guidance on Cybersecurity for medical devices December 2019 This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission.The document is not a European Commission document and it cannot be regarded as reflecting the official position of the European Commission. Any views expressed in this document are not legally binding and only the Court of Justice of the European Union can give binding interpretations of Union law. Page 1 of 46 Medical Device Medical Device Coordination Group Document MDCG 2019-16 Table of Contents 1. Introduction ........................................................................................................................................ 4 1.1. Background ............................................................................................................................. 4 1.2. Objectives ............................................................................................................................... 4 1.3. Cybersecurity Requirements included in Annex I of the Medical Devices Regulations ........ 4 1.4. Other Cybersecurity Requirements ......................................................................................... 6 1.5. Abbreviations .........................................................................................................................
    [Show full text]
  • BSI Medical Devices: Webinar Q&A
    ISO 14971:2019 Risk Management for Medical Devices: Webinar Q&A November 2019 BSI Medical Devices: Webinar Q&A ISO 14971:2019 Risk Management for Medical Devices 13 November 2019 Page 1 of 10 ISO 14971:2019 Risk Management for Medical Devices: Webinar Q&A November 2019 Q&A Q. Should EN ISO 14971:2012 be used to demonstrate continued compliance to the ERs or GSPRs or use the 2019 revision of the standard? A. A manufacturer must demonstrate compliance to the applicable legislation. Harmonization of a standard allows for a presumption of conformity to the applicable legislation where the standard is applied and the manufacturer considers the Qualifying remarks/Notes in Annex Z. Additional clarification has been made available from the European Commission, whereby it is now considered that the recent editions of standards published by standardizers reflect the state of the art, regardless of its referencing in the OJEU and therefore the ISO 14971:2019 version represents the state of the art for the Medical Device Directives and Regulation. This update is welcomed as it provides clarity for industry and ensures manufacturers need only to comply with a single version of a standard. It is anticipated the 2019 revision will be harmonized to the Regulations. Q. From the Date of Application of the MDR and IVDR will the technical documentation for existing Directive certificates be required to be updated to the 2019 revision of the standard, considering the transitional provisions of MDR Article 120 and IVDR Article 110? A. A manufacturer must demonstrate compliance to the applicable legislation.
    [Show full text]
  • A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff
    FEATURE © Copyright AAMI 2018. Single user license only. Copying, networking, and distribution prohibited. A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff Abstract and users cannot assume that medical Steven Harp, is a distinguished We propose a reference architecture aimed at devices will operate in a benign security engineer at Adventium Labs in supporting the safety and security of medical environment. Any device that is capable of Minneapolis, MN. Email: steven. devices. The ISOSCELES (Intrinsically connecting to a network or physically [email protected] Secure, Open, and Safe Cyber-Physically exposes any sort of data port is potentially at Enabled, Life-Critical Essential Services) risk. How should we think about and Todd Carpenter, is chief engineer architecture is justified by a collection of design manage risk in this context? at Adventium Labs in Minneapolis, principles that leverage recent advances in This question has been explored exten- MN. Email: todd.carpenter@ software component isolation based on sively.3,4 Special publications from the adventiumlabs.com hypervisor and other separation technologies. National Institute of Standards and Technol- The instantiation of the architecture for ogy (e.g., 800-39) provide a conceptual risk John Hatcliff, PhD, is a particular medical devices is supported by a management framework.5,6 AAMI TIR577 distinguished professor at Kansas development process based on Architecture describes how security risk management State University in Manhattan, KS. Analysis and Design Language. The architec- can be integrated with safety risk manage- Email: [email protected] ture models support safety and security ment (e.g., as addressed in ISO 14971 and analysis as part of a broader risk management specifically for medical devices in IEC framework.
    [Show full text]
  • Security Versus Security: Balancing Encryption, Privacy, and National Secuirty
    SECURITY VERSUS SECURITY: BALANCING ENCRYPTION, PRIVACY, AND NATIONAL SECUIRTY Jackson Stein (TC 660H or TC 359T) Plan II Honors Program The University of Texas at Austin 05/04/2017 __________________________________________ Robert Chesney Director of Robert Strauss Center Supervising Professor __________________________________________ Mark Sainsbury Department of Philosophy Second Reader ABSTRACT Author: Jackson Stein Title: Security vs. Security: Balancing Encryption, Data Privacy, and Security Supervising Professors: Robert Chesney, Mark Sainsbury This paper analyzes the current debate over encryption policy. Through careful evaluation of possible solutions to ‘going dark’ as well has weighting the costs and benefits of each solution, we found exceptional access to information more harmful than helpful. Today, there seems to be no singular leading answer to the going dark problem. Exceptional access to data and communications is a simple solution for a simple problem, however going dark is very complex, and requires a multifaceted and refined solutions. Widespread encryption forces those listening—whether it is the NSA, FBI, foreign governments, criminals or terrorist—to be much more targeted. As for the going dark metaphor, it seems as though we are not entirely “going dark”, and yet we are not completely bright either. There are dark and bright spots coming and going across the technological landscape battling in a perpetual technological arms race. The findings of this paper, ultimately determine there to be no policy that doesn’t come without some cost. That said, there are a number of ways in which law enforcement can track criminals and terrorist without weakening encryption, which we determine to be the best direction in any win lose situation.
    [Show full text]