DOCSLIB.ORG

Secrecy Versus Openness — Internet Security and the Limits of Open

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

SECRECY VERSUS OPENNESS Internet security and the limits of open source and peer production Andreas Schmidt Open source and peer production have been praised as organisational models that could change the world for the better. It is commonly asserted that almost any societal activity could benefit from distributed, bottom-up collaboration — by making societal inter- action more open, more social, and more democratic. However, we also need to be mindful of the limits of these models. How could they function in environments hostile to openness? Security is a societal domain more prone to secrecy than any other, except perhaps for romantic love. In light of the destructive capacity of contemporary cyber attacks, how has the Internet survived without a comprehensive security infrastructure? Secrecy versus Openness describes the realities of Internet security production through the lenses of open source and peer production theories. The study offers a glimpse into the fascinating communities of technical experts, who played a pivotal role when the chips were down for the Internet after large-scale attacks. After an initial flirtation with openness in the early years, operational Internet security communities have put in place a form of social production that resembles the open source model in many aspects, but is substantially less open. ISBN 978-90-8891-988-6 Image Copyright Rafal Olbinski, Courtesy Patinae, Inc. www.patinae.com SECRECY VERSUS OPENNESS Internet security and the limits of open source and peer production Proefschrift ter verkrijging van de graad van doctor aan de Technische Universiteit Delft, op gezag van de Rector Magnificus prof. ir. K.C.A.M. Luyben, voorzitter van het College voor Promoties, in het openbaar te verdedigen op maandag 3 november 2014 om 10:00 uur door Andreas SCHMIDT Magister Artium in Political Science, Medieval and Modern History, Kassel University geboren te Bad Arolsen, Duitsland. Dit proefschrift is goedgekeurd door de promotor: Prof.dr. M.L. Mueller Samenstelling promotiecommissie: Rector Magnificus, voorzitter Prof.dr. M.L. Mueller, Technische Universiteit Delft, promotor Prof.dr. K. Rannenberg, Goethe-University Frankfurt Prof.dr.ir. E. Huizer, Universiteit Utrecht Prof.dr. R. Deibert Universiteit Toronto Prof.dr. N.A.N.M. Eijk, Vrije Universiteit Amsterdam Prof.dr.ir. J. van den Berg, Technische Universiteit Delft Prof.dr. M.J.G. van Eeten, Technische Universiteit Delft Prof.dr.ir. M.F.W.H.A. Janssen, Technische Universiteit Delft, reservelid ! ! ! Copyright © 2014 by Andreas Schmidt. All rights reserved. Subject to the exception immediately following, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopy- ing, recording or otherwise, without the prior permission of the author. A digital copy of this work is available at the TU Delft institutional repository, repository.tudelft.nl. Distributed by Delft University of Technology, Faculty of Technology, Policy and Management, Jaffalaan 5, 2628BX Delft, The Netherlands, and Andreas Schmidt, Laubestraße 26, 60594 Frankfurt am Main, Germany. Printed in The Netherlands Published by Uitgeverij BOXPress ISBN 978-90-8891-988-6 Keywords: information security, peer production, open source, internet governance, security govern- ance, incident response The book has been composed in Adobe Caslon Pro and Baron Neue. The manuscript was written with Scrivener, aided by Sente, Devonthink, and Word. Cover designed by Michaela Spohn, michaelaspohn.de. The Marriage of Figaro by Rafal Olbinski as cover artwork. © Rafal Olbinski, courtesy Patinae, Inc., www.patinae.com Table of Contents Acknowledgements vii 1 Introduction 1 1.1 Organising Internet security 3 1.2 The rise of remote collaboration 4 1.3 Existence and viability of peer security production 5 1.4 Research plan 11 2 Theoretical Foundations 15 2.1 Social production and the collaborative turn 16 2.2 The Internet security governance challenge 42 2.3 Secrecy vs. openness 54 2.4 Peer production of Internet security 67 3 Research Design 75 3.1 Research strategy 77 3.2 Analytical model 81 3.3 Data collection and analysis 86 4 Endangering the Internet 91 4.1 Estonian cyberattacks: A country sort of under attack 92 4.2 Conficker botnet: Wasted talent for doom 108 5 Producing Internet Security 123 5.1 Estonia 124 5.2 Conficker 142 5.3 Conclusion 161 6 Social Dimension of Internet Security 163 6.1 Distributiveness 164 6.2 Openness 179 6.3 Socialness 194 6.4 Conclusion 217 7 Limits of Openness 223 7.1 Explaining openness and secrecy 224 7.2 Drivers of secrecy 227 7.3 Trust in the security community 237 7.4 Rationalising the organisation of Internet security production 246 7.5 Conclusion: A variant of social production 255 8 Conclusion 259 8.1 A different way of producing security 262 8.2 Limitations of this study 266 8.3 Suggestions for future research 270 8.4 The state of Internet security governance 271 8.5 Opening security — a civilising role for the community 281 Bibliography 293 Summary 317 Samenvatting (Dutch summary) 323 Curriculum vitae 331 Acknowledgements Good research requires various methods of efficient procrastination. A superb source of comfort for aspiring scholars certainly is phdcomics.com, a website offer- ing wisdoms on the lives of promovendi that are as amusing as depressing. All too often, the brain is buzzing on other things than research, the fingers are resting on the keyboard without moving, no souffleuse would whisper words of academic wisdom and no siren lures one into the beauty of scholarly reason. Then, the adage “There is no team in thesis”1 sounds too convincing. But only then. I’m deeply grateful to all the individuals without whom this project would have been hardly viable, more difficult, not as good and considerably less fun. The mundane foundations of this research project were laid by two organisations. The Next Generation Infrastructure Foundation — and its financier, the Dutch tax- payers — have generously funded my research position at Delft University of Technology. The communications service provider XS4ALL facilitated my super- visor’s professorship and stay here in the Netherlands. I am deeply grateful for this support. The Faculty of Technology, Policy and Management and its section for Infor- mation and Communication Technology have served as my academic home base. It has been the warm, cordial, caring, and collegial place that allowed me to focus on my research. Harry Bouwman has helped with invaluable counsel during my research project. Yao-Hua Tan has been the kind of manager you need when bal- ancing research with newly arrived private responsibilities requires a flexible re- sponse. Marijn Janssen has guided me safely through the final stages of my project. Jo-Ann and Eveline have spoiled me with office supplies, bureaucratic support, and 1 J. Cham, “I in team”, PhD comics, March 25, 2013, http://www.phdcomics.com/comics/archive.php?comicid=1570 vii viii most of all with their kindness and friendship. My colleagues Bram, Fatemeh, Jan, Janneke, Tineke, Jolien, Jos, Mark, Nitesh, Mohsen, Martijn, and Anne Fleur have all contributed to an enjoyable intellectual and social climate and supported my endeavour in various ways. Over the years, I have benefited enormously from in- spiring discussions and pleasant conversations with Michel van Eeten and his team, including Shirin Tabatabaie, Floris Kreiken, and Hadi Asghari. Hadi and Coen van Leeuwen will have helped in the very last part of this endeavour. This research project has benefited immensely from the insights shared by practic- ing experts of Internet security, who were willing to discuss, often for the better part of a day, any aspect of their subject area. I am deeply grateful to Jan Priisula, Gadi Evron, Toni Koivunen, Rain Ottis, Hillar Aarelaid, Mikko Hippönen, Go- razd Božič, Kaido Raiend, Kurtis Eric Lindquist, Bill Woodcock, Merike Kaeo, Kauto Huopio, Andrus Padar, David Watson, Niklas Schiffler, Richard Perletto, Steve Santorelli, Scott McIntyre, Paul Vixie, Andre DiMinio, John Crain, Chris Lee, Tillmann Werner, Rick Wesson, Jose Nazario, Heli Tiirmaa-Klaar, and all the other persons, who prefer to remain anonymous or who I talked to ‘only’ on an informal basis. Furthermore, I feel obliged to a number of wonderful individuals, who invited me to intellectual exchanges, gave valuable input (some extensive, some brief), collabo- rated with me on papers and books, invited me to present my work, or commented theron: Brenden Kuerbis, Axel Arnbak, Ben Wagner Ingo Stützle, Roxana Radu, Jean-Marie Chenou, Markus Beckedahl, Kate Coyer, Stefaan Verhulst, Jason Hea- ley, Jan-Frederik Kremer, Benedikt Müller, Min-Chun Ku, Christian Pentzold, Giampiero Giacomello, and many others. Ralf Bendrath deserves a special thank you for luring me into this project and our joint time in Delft. The finalising of this endeavour was eased by a few helping hands. Deserving of thanks, Katarina has created the transcripts, Danielle and Patrick have proofread this study and provided helpful editorial tips. The stellar design of the cover is the result of Michaela’s artistry. The cover has been made possible by the more than generous efforts of Sherri Nahan from Rafal Olbinski’s agency Patinae Inc. And then there is Milton Mueller. I could not have been happier with his support for my pursuits, his supervision of my project and his patience. Working with a man who knows his subject area like hardly any other has been a blessing and joy. He has helped me out endlessly with super-prompt, sharp and witty comments, admonishing music collections, and revisions of countless, increasingly less imper- fect drafts. Imagine a chivalrous deep bow of warm-hearted gratitude for all of that, Milton. And for the fun we had during the project, a long-lasting smile. ix My final words here are to express my gratitude and love for my friends and family.
Recommended publications
  • ASEC REPORT Malicious Code Trend 5 6 Vol.17 Security Trend Web Security Trend

    ASEC REPORT Malicious Code Trend 5 6 Vol.17 Security Trend Web Security Trend

    Disclosure to or reproduction for others without the specific written authorization of AhnLab is prohibited. ASEC Copyright (c) AhnLab, Inc. All rights reserved. REPORT VOL.17 | 2011.6 AhnLab Monthly Security Report AhnLab ASEC (AhnLab Security Emergency Response Center) is a Security global security response group consisting of virus analysts and CONTENTS Emergency security experts. This monthly report is published by ASEC, response and it focuses on the most significant security threats and the latest security technologies to guard against these threats. For 01. Malicious Code Trend 02. Security Trend Center further information about this report, please refer to AhnLab, a. Malicious Code Statistics 05 a. Security Statistics 14 Inc.’s homepage (www.ahnlab.com). - Top 20 Malicious Code Reports - Microsoft Security Updates- May 2011 - Top 20 Malicious Code Variant Reports b. Malicious Code Issues 16 - Breakdown of Primary Malicious Code Types - Comparison of Malicious Codes with - Zeus Source Code Leaked and Spyeye Trend Previous Month - Coreflood, a Banking Trojan - Monthly Malicious Code Reports - Online Banking Hacking Scam - Top 20 New Malicious Code Reports - Breakdown of New Malicious Code Types 03. Web Security Trend b. Malicious Code Issues 10 a. Web Security Statistics 17 - 'Dislike' Button Scam - Web Security Summary - AntiVirus AntiSpyware 2011 Scam - Monthly Blocked Malicious URLs - Scam Emails From Bobijou Inc. - Monthly Reported Types of Malicious Code - Spam Promising Nude Photo Spreads Malware - Monthly Domains with Malicious Code - Osama Bin Laden Themed Malware - Monthly URLs with Malicious Code - Distribution of Malicious Codes by Type - Top 10 Distributed Malicious Codes b. Web Security Issues 20 - May 2011 Malicious Code Intrusion: Website ASEC REPORT Malicious Code Trend 5 6 Vol.17 Security Trend Web Security Trend 01.
  • Homeland Threats and Agency Responses”

    Homeland Threats and Agency Responses”

    STATEMENT OF ROBERT S. MUELLER, III DIRECTOR FEDERAL BUREAU OF INVESTIGATION BEFORE THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE AT A HEARING ENTITLED “HOMELAND THREATS AND AGENCY RESPONSES” PRESENTED SEPTEMBER 19, 2012 Statement of Robert S. Mueller, III Director Federal Bureau of Investigation Before the Committee on Homeland Security and Governmental Affairs United States Senate At a Hearing Entitled “Homeland Threats and Agency Responses” Presented September 19, 2012 Good morning, Chairman Lieberman, Ranking Member Collins, and Members of the Committee. Thank you for the opportunity to appear before the Committee today and for your continued support of the men and women of the FBI. As you know, the Bureau has undergone unprecedented transformation in recent years. Since the attacks of September 11th, we have refocused our efforts to address and prevent emerging terrorist threats. The terrorist threat is more diverse than it was 11 years ago, but today, we in the FBI are better prepared to meet that threat. We also face increasingly complex threats to our nation’s cyber security. Nation-state actors, sophisticated organized crime groups, and hackers for hire are stealing trade secrets and valuable research from America’s companies, universities, and government agencies. Cyber threats also pose a significant risk to our nation’s critical infrastructure. As these threats continue to evolve, so too must the FBI change to counter those threats. We must continue to build partnerships with our law enforcement and private sector partners, as well as the communities we serve. Above all, we must remain firmly committed to carrying out our mission while protecting the civil rights and civil liberties of the people we serve.
  • When Memory Serves Not So Well Memory Errors 30 Years Later

    When Memory Serves Not So Well Memory Errors 30 Years Later

    i i i i WHEN MEMORY SERVES NOT SO WELL MEMORY ERRORS 30 YEARS LATER PH.D. THESIS VICTOR VAN DER VEEN VRIJE UNIVERSITEIT AMSTERDAM, 2019 i i i i i i i i Faculty of Science The research reported in this dissertation was conducted at the Faculty of Science — at the Department of Computer Science — of the Vrije Universiteit Amsterdam This work is part of the research programme Cyber Security with project number 628.001.021, which is nanced by the Netherlands Organisation for Scientic Research (NWO) Copyright © 2019 by Victor van der Veen ISBN 978-94-6361-334-7 Cover design by Victor van der Veen Printed by Optima Grasche Communicatie This work was written in Vim, not Emacs i i i i i i i i VRIJE UNIVERSITEIT WHEN MEMORY SERVES NOT SO WELL MEMORY ERRORS 30 YEARS LATER ACADEMISCH PROEFSCHRIFT ter verkrijging van de graad Doctor aan de Vrije Universiteit Amsterdam, op gezag van de rector magnicus prof.dr. V. Subramaniam, in het openbaar te verdedigen ten overstaan van de promotiecommissie van de Faculteit der Bètawetenschappen op donderdag 24 oktober 2019 om 13.45 uur in de aula van de universiteit, De Boelelaan 1105 door VICTOR VAN DER VEEN geboren te Hoorn i i i i i i i i promotor: prof.dr.ir. H. J. Bos copromotor: dr. C. Giurida i i i i i i i i Voor Marieke i i i i i i i i i i i i i i i i “First, it is slightly cheaper; and secondly it has the words DON’T PANIC inscribed in large friendly letters on its cover” Douglas Adams on The Hitchhiker’s Guide to the Galaxy i i i i i i i i i i i i i i i i Acknowledgements “Haha, het is echt het meest vage projectvoorstel dat ik ooit heb geschreven.” This is how Herbert pitched his open PhD position to me, back in 2013.
  • Proxylogon Is Just the Tip of the Iceberg, a New Attack Surface On

    Proxylogon Is Just the Tip of the Iceberg, a New Attack Surface On

    ProxyLogon is Just the Tip of the Iceberg A New Attack Surface on Microsoft Exchange Server! Orange Tsai USA 2021 Orange Tsai • Orange Tsai, focusing on Web and Application 0-day research • Principal Security Researcher of DEVCORE • Captain of HITCON CTF Team • Speaker of Security Conferences • Black Hat USA & ASIA / DEFCON / HITB / HITCON … • Selected Awards and Honors: • 2017 - 1st place of Top 10 Web Hacking Techniques • 2018 - 1st place of Top 10 Web Hacking Techniques • 2019 - Winner of Pwnie Awards "Best Server-Side Bug" • 2021 - Champion and "Master of Pwn" of Pwn2Own Disclaimer All vulnerabilities disclosed today are reported responsibly and patched by Microsoft Why Target Exchange Server? 1. Mail servers always keep confidential secrets and Exchange Server is the most well-known mail solution for enterprises and governments worldwide 2. Has been the target for Nation-sponsored hackers for a long time (Equation Group) 3. More than 400,000 Exchange servers exposed on the Internet according to our survey Exchange Security in the Past Years • Most bugs are based on known attack vectors but there are still several notable bugs: 1. EnglishmansDentist from Equation Group: • Recap: A only practical and public pre-auth RCE in the Exchange history. Unfortunately, the arsenal only works on an ancient Exchange Server 2003 2. CVE-2020-0688 Hardcoded MachineKey from anonymous working with ZDI: • Recap: A classic .NET deserialization bug due to a hardcoded cryptography key. This is also a hint shows Microsoft Exchange is lacking of security reviews Our Works • We focus on the Exchange architecture and discover a new attack surface that no one proposed before.
  • Users As Co-Designers of Software-Based Media: the Co-Construction of Internet Relay Chat

    Users As Co-Designers of Software-Based Media: the Co-Construction of Internet Relay Chat

    Users as Co-Designers of Software-Based Media: The Co-Construction of Internet Relay Chat Guillaume Latzko-Toth Université Laval AbsTrAcT While it has become commonplace to present users as co-creators or “produsers” of digital media, their participation is generally considered in terms of content production. The case of Internet Relay Chat (IRC) shows that users can be fully involved in the design process, a co-construction in the sense of Science and Technology Studies (STS): a collective, simultaneous, and mutual construction of actors and artifacts. A case study of the early de - velopment of two IRC networks sheds light on that process and shows that “ordinary users” managed to invite themselves as co-designers of the socio-technical device. The article con - cludes by suggesting that IRC openness to user agency is not an intrinsic property of software- based media and has more to do with its architecture and governance structure. Keywords Digital media; Communication technology; Co-construction; Design process; Ordinary user résumé Il est devenu banal de présenter l’usager comme cocréateur ou « produtilisateur » des médias numériques, mais sa participation est généralement envisagée comme une production de contenus. Le cas d’IRC (Internet Relay Chat) montre que les usagers des médias à support logiciel peuvent s’engager pleinement dans le processus de conception, une co-construction au sens des Science and Technology Studies : une construction collective, simultanée et mutuelle des acteurs et des artefacts. Une étude de cas portant sur le développement de deux réseaux IRC éclaire ce processus et montre que les « usagers ordinaires » sont parvenus à s’inviter comme co-concepteurs du dispositif.
  • Pirates of the Isps: Tactics for Turning Online Crooks Into International Pariahs

    Pirates of the Isps: Tactics for Turning Online Crooks Into International Pariahs

    21st CENTURY DEFENSE INITIATIVE CyBER SECuRITy #1 July 2011 Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs Noah Shachtman 1775 Massachusetts Ave., NW Washington, D.C. 20036 brookings.edu Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs Noah Shachtman CyberSeCurity #1 July 2011 21st CENTURY DEFENSE INITIATIVE Acknowledgements every research paper is a group effort, no mat- My Wired.com colleagues—ryan Singel, kevin ter what it says on the byline. this project relied Poulsen, kim Zetter and David kravets—cover more on outside assistance than most. brookings the cybersecurity beat better than anyone. this Senior fellows Peter Singer and ken lieberthal paper would have been impossible without them, were the ones who convinced me to explore the and without brian krebs, master investigator of broad topic of cybersecurity. the panel they as- the online underworld. sembled gave me new insight with every meeting; my colleague allan friedman was an especially bill Woodcock, rick Wesson, Jeff Cooper, tyler invaluable tutor and remarkably generous with Moore, audrey Plonk, Jim lewis, Dmitri alpero- his time. heather Messera and robert o’brien vitch, Paul Nicholas, Jessica herrera-flannigan, provided important research and logistical sup- Jart armin, richard bejtlich, Steve Schleien, Jona- port. My research assistant, adam rawnsley, was than Zittrain and many, many others steered me tireless in his exploration of the minutiae of ev- away from my worst ideas and towards those few erything from tort law to pirate havens. not-so-bad ones. for that, i am deeply in their debt. brookings recognizes that the value it provides to any supporter is in its absolute commitment to quality, independence and impact.
  • Forensics 2Ème Partie

    Forensics 2Ème Partie

    actu l’ACTUSÉCU est un magazine numérique rédigé et éditésécu par les consultants du cabinet de conseil XMCO 34MAI 2013 SPÉCIAL INVESTIGATIONS Forensics 2ème partie Investigations Forensics Les étapes et réflexes essentiels pour la réalisation d’une mission forensics. APT1 Résumé et analyse de l’étude menée par Mandiant. Conférences BlackHat, JSSI et HITB. Actualité du moment Analyses du malware Dervec, de la vulnérabilité Java (CVE-2013-0422) et des at- - taques 0day ciblant ColdFusion. buildscharac Et toujours… les logiciels et nos Twitter favoris ! 1 Ce document est la propriété du cabinet XMCO. Toute reproduction est strictement interdite. ® we deliver security expertise www.xmco.fr 2 Ce document est la propriété du cabinet XMCO. Toute reproduction est strictement interdite. édito MAI 2013 [ 45 millions de dollars.... 5 millions chacun ] Ils sont neuf. Ils ont agi dans 27 pays et sont allés jusqu’à retirer 2,4 millions dans des distributeurs automatiques de billets : plus de 40 000 retraits en espèces !!! Bref, un job à plein temps, particulièrement bien rémunéré, mais qui comporte quand même quelques risques... Voici, en synthèse, la news qui est tombée le 10 mai 2013. Comment ne pas la reprendre dans le deuxième numéro de l’ActuSécu consacré au Forensic ? Attention, n’y voyez aucune espèce d’opération marketing conjointe : nous n’avons pas mandaté ces cybercriminels pour promouvoir l’activité de recherche de preuve ! Plusieurs anomalies, dont cette phrase, se trouvent dans cet édito. J’ai fait cela parce que personne ne fait jamais aucun retour sur mon unique contribution à notre magazine. Mais il faut bien admettre que cette information vient confirmer un phénomène de plus en plus constaté : la reconversion d’une partie de la criminalité vers la cybercriminalité.
  • An Interdisciplinary Introduction

    An Interdisciplinary Introduction

    Index # See OMB and, 82, 83–84 2-factor authentication, 57, 295, 296 Paperwork Reduction Act, 82 9/11/2001. September 11, 2001 supply chain security, 166, 170 60-Day Cyberspace Policy Review, 100–101, 130, 259 active responses to threats, 207–208, 237–238 256-bit encryption, 193 acts of law, 263 300A and 300B reports, 170 actual cost (AC), 152–154, 156, 299–300, 302 414s (hackers), 6 ACWP (actual cost of work performed), 152 1930s IT infrastructure, 185 “adequate security,” 171 1940s IT infrastructure, 75 Administrative Procedure Act (APA), 266 1950s IT infrastructure, 75–76, 185¬ advanced notices of proposed rulemaking (ANPR), 260, 1960s cybersecurity issues, 4, 76–77, 95 266 1970s cybersecurity issues, 5, 179 advanced persistent threats (APTs), 203–204, 276,- 277 1980s cybersecurity issues, 4–9, 77–81, 82, 185 Advanced Research Projects Agency (ARPA), 4 1990s cybersecurity issues, 9, 81–90, 223–225, 276 Advanced Research Projects Agency Network (AR 2000s cybersecurity issues, 9, 89, 90–101, 220, 276 agenciesPANET), 4, 179 A2010s cybersecurity issues, 10, 101–104, 221–222, 276 African Network Information Centre (AfriNIC), 278 A circulars. See under civilian.audits, 241 See civilian agencies OMB budgets, 260 AC (actual cost), 152–154, 156, 299–300, 302 acceptable levels of risk, 36 classified/unclassified protective markings, 79 acceptable quality level (AQL), 145 compliance standards, 168–169 accepting risks, 16, 20, 22, 60–61 creation of, 266 access codes, 236 cybersecurity policy role, 69–70 access points, 233, 258 Federal Register rules publication, 260 accessibility of systems intelligence.FISMA requirements, See intelligence 97–98, agencies 171 corporate systems, 233 impact on projects, 123 health care systems, 224 military.
  • Cryptographic Software: Vulnerabilities in Implementations 1

    Cryptographic Software: Vulnerabilities in Implementations 1

    Pobrane z czasopisma Annales AI- Informatica http://ai.annales.umcs.pl Data: 03/10/2021 00:10:27 Annales UMCS Informatica AI XI, 4 (2011) 1–10 DOI: 10.2478/v10065-011-0030-7 Cryptographic software: vulnerabilities in implementations Michał Łuczaj1∗ 1Institute of Telecommunications, Warsaw University of Technology Poland Abstract – Security and cryptographic applications or libraries, just as any other generic software products may be affected by flaws introduced during the implementation process. No matter how much scrutiny security protocols have undergone, it is — as always — the weakest link that holds everything together to makes products secure. In this paper I take a closer look at problems usually resulting from a simple human made mistakes, misunderstanding of algorithm details or a plain lack of experience with tools and environment. In other words: everything that can and will happen during software development but in the fragile context of cryptography. UMCS1 Introduction I begin with a brief introduction of typical mistakes and oversights that can be made during program implementation in one of the most popular programming languages, C[1]. I also explain the concept of exploitable memory corruption, how critical it is and where it leads from the attacker’s point of view. A set of real-world examples is given. Some well known previously disclosed vulner- abilities are brought to illustrate how a flaw (sometimes even an innocent looking) can fatally injune security of the whole protocol, algorithm. There is much to discuss as failed attempts at implementing cryptographic primitives — or making use of cryptog- raphy in general — range broadly.
  • D10.3: Description of Internet Science Curriculum

    D10.3: Description of Internet Science Curriculum

    D10.3: Description of Internet Science Curriculum Sorana Cimpan, Kavé Salamatian, Thomas Plagemann, Meryem Marzouki, Žiga Turk, Jonathan Cave, Tamas David-Barrett, Marco Prandini To cite this version: Sorana Cimpan, Kavé Salamatian, Thomas Plagemann, Meryem Marzouki, Žiga Turk, et al.. D10.3: Description of Internet Science Curriculum. [Research Report] European Commission. 2014. hal- 01222260 HAL Id: hal-01222260 https://hal.archives-ouvertes.fr/hal-01222260 Submitted on 12 Apr 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution - NonCommercial - NoDerivatives| 4.0 International License Description of Internet Science Curriculum ICT - Information and Communication Technologies FP7-288021 Network of Excellence in Internet Science D10.3: DESCRIPTION OF INTERNET SCIENCE CURRICULUM Due Date of Deliverable: 31/05/2014 Actual Submission Date: 12/07/2014 Revision: FINAL Start date of project: December 1st 2011 Duration: 42 months Organisation name of lead contractor for this deliverable: UoS Authors: Sorana
  • Hardware Mechanisms for Distributed Dynamic Software Analysis

    Hardware Mechanisms for Distributed Dynamic Software Analysis

    Hardware Mechanisms for Distributed Dynamic Software Analysis by Joseph Lee Greathouse A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Science and Engineering) in The University of Michigan 2012 Doctoral Committee: Professor Todd M. Austin, Chair Professor Scott Mahlke Associate Professor Robert Dick Associate Professor Jason Nelson Flinn c Joseph Lee Greathouse All Rights Reserved 2012 To my parents, Gail and Russell Greathouse. Without their support throughout my life, I would never have made it this far. ii Acknowledgments First and foremost, I must thank my advisor, Professor Todd Austin, for his help and guid- ance throughout my graduate career. I started graduate school with the broad desire to “research computer architecture,” but under Professor Austin’s watch, I have been able to hone this into work that interests us both and has real applications. His spot-on advice about choosing topics, performing research, writing papers, and giving talks has been an invaluable introduction to the research world. The members of my committee, Professors Robert Dick, Jason Flinn, and Scott Mahlke, also deserve special gratitude. Their insights, comments, and suggestions have immea- surably improved this dissertation. Together their expertise spans low-level hardware to systems software and beyond. This meant that I needed to ensure that any of my ideas were defensible from all sides. I have been fortunate enough to collaborate with numerous co-authors. I have often published with Professor Valeria Bertacco, who, much like Professor Austin, has given me invaluable advice during my time at Michigan. I am extremely lucky to have had the chance to work closely with Ilya Wagner, David Ramos, and Andrea Pellegrini, all of whom have continued to be good friends even after the high-stress publication process.
  • The Copyright Crusade

    The Copyright Crusade

    The Copyright Crusade Abstract During the winter and spring of 2001, the author, chief technology officer in Viant's media and entertainment practice, led an extensive inqUiry to assess the potential impact of extant Internet file-sharing capabilities on the business models of copyright owners and holders. During the course of this project he and his associates explored the tensions that exist or may soon exist among peer-to-peer start-ups, "pirates" and "hackers," intellectual property companies, established media channels, and unwitting consumers caught in the middle. This research report gives the context for the battleground that has emerged, and calls upon the players to consider new, productive solutions and business models that support profitable, legal access to intellectual property via digital media. by Andrew C Frank. eTO [email protected] Viant Media and Entertainment Reinhold Bel/tIer [email protected] Aaron Markham [email protected] assisted by Bmre Forest ~ VI ANT 1 Call to Arms Well before the Internet. it was known that PCs connected to two-way public networks posed a problem for copyright holders. The problem first came to light when the Software Publishers Association (now the Software & Information Industry Association), with the backing of Microsoft and others, took on computer Bulletin Board System (BBS) operators in the late 1980s for facilitating trade in copyrighted computer software, making examples of "sysops" (as system operators were then known) by assisting the FBI in orchestrat­ ing raids on their homes. and taking similar legal action against institutional piracy in high profile U.S. businesses and universities.' At the same time.