DOCSLIB.ORG

2017-04-04 the Cybersecurity Mess 16X9

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
2017-04-04 the Cybersecurity Mess 16X9 The Cyber Security Mess Simson L. Garfinkel April 4, 2018 Spamhause Photos from https://pixabay.com 1 The Cybersecurity Mess Abstract: Why is it so hard to secure computers? After more than 40 years of concerted effort in network security, why can’t we keep the hackers out? The problem, I argue, is not the practice of computer security, but its definition, it’s very conception. As we are accepted it, computer security is what social scientists call a "wicked problem” — a poorly defined, high-impact problem for which the solution depends upon satisfying many competing stakeholders and conflicting goals. Solving the cybersecurity mess means addressing both technical factors—factors that dominate the discussion— and nontechnical factors, which reflect deep, divisive political, social, and economic problems without our society as a whole. This problems, which include the decline of the US manufacturing base, the failure of our schools at science, technology, engineering and math (STEM), an inherent power struggle between the makers of information systems and their users, and our inability to frame a coherent immigration policy, are core reasons why we are unable to make technical progress. While it is certainly possible that the need to secure our computers may force us to find a general solution to these problems, such Pollyannish hopes seem unlikely. This talk follows the history of cybersecurity efforts, showing that while there’s nothing new under the sun, things really are getting worse. And while there are little-used technologies that really can make computers dramatically more secure (such as typesafe languages, formal methods, and provably correct computer systems), these approaches are so expensive that they may never see widespread adoption. So what’s the solution? I propose that it’s resilience, redundancy, heterogeneity, and regulation. Yes, this talk is designed to leave everyone in the audience both agreeing with the speaker, and angry at the speaker. Bio: Simson Garfinkel is an adjunct lecturer at Georgetown University’s Graduate School of Data Analytics and the Chief of the Center for Disclosure Avoidance at the US Census Bureau. He was previously a computer scientist at the National Institute of Standards and Technology (2015-2017) and, before that, an Associate Professor of Computer Science at the Naval Postgraduate School (2006-2015). Before earning his PhD in Computer Science from at MIT (2002-2005), he was an award-winning journalist and a serial entrepreneur. In 2012 he was elected a Fellow of the Association for Computing Machinery for his contributions to digital forensics and to computer security eduction. 2 “The Cyber Security Risk”, Communications of the ACM, June 2012, 55(6) viewpoints VDOI:10.1145/2184319.2184330 Simson L. Garfinkel Inside Risks The Cybersecurity Risk Increased attention to cybersecurity has not resulted in improved cybersecurity. HE RISK OF being “hacked”— whatever that expression ac- tually means—is at the heart of our civilization’s chronic cybersecurity problem. De- Tspite decades of computer security research, billions spent on secure op- erations, and growing training require- ments, we seem incapable of operating computers securely. There are weekly reports of pen- etrations and data thefts at some of the world’s most sensitive, impor- tant, and heavily guarded computer systems. There is good evidence that global interconnectedness combined with the proliferation of hacker tools means that today’s computer systems are actually less secure than equiva- lent systems a decade ago. Numerous breakthroughs in cryptography, se- cure coding, and formal methods not- withstanding, cybersecurity is getting worse as we watch. So why the downward spiral? One reason is that cybersecurity’s goal of re- ducing successful hacks creates a large target to defend. Attackers have the luxury of choice. They can focus their Lorem ipsum dolor sit amet consect adipiscing nunc enim mauris sed massa efforts on the way our computers rep- resent data, the applications that pro- cess the data, the operating systems on which those applications run, the networks by which those applications communicate, or any other area that It may be that cybersecurity appears Views of Cybersecurity is possibly subverted. And faced with to be getting worse simply because The breadth of the domain means a system that is beyond one’s techni- society as a whole is becoming much many different approaches are being AREK WASZUL cal hacking skills, an attacker can go more dependent upon computers. proposed for solving the cybersecurity Y around the security perimeter and use Even if the vulnerability were not in- problem: ON BY ON BY I a range of other techniques, including creasing, the successful hacks can have ! Cybersecurity can be viewed solely social engineering, supply-chain inser- significantly more reach today than a as an insider problem. What is needed, ILLUSTRAT tion, or even kidnapping and extortion. decade ago. say advocates, are systems that prevent JUNE 2012 | VOL. 55 | NO. 6 | COMMUNICATIONS OF THE ACM 29 http://simson.net/clips/academic/2012.CACM.Cybersecurity.pdf 3 I have spent 29 years trying to secure computers... 38 THE PRACTICAL LAWYER (Vol. 33-No. 6) AUTHOR'S BIBLIOGRAPHY Bank Loans Term Loan Handbook, John]. McCann, ed. (Law & Business, Inc., New York City) Structuring Commercial Loan Agreements, by Roger Tighe (Warren, Gorham & Lamont, Boston) System Security Privacy Policy Usable Security Commercial Finance and Factoring Internet of Things Commercial Finance, Factoring and Other Asset-Based Lending, by Practising Law Institute (PLI, New York City, 1983) Dun & Bradstreet's Handbook of Modern Factoring and Finance, by Louis A. Moskowitz. (Thomas Y. Crowell Co., New York City) Legal Opinions Legal Opinions to Third Parties, 34 The Business Lawyer 1891 (1979) General The Professional Skills of the Small Business Lawyer, by Harry J. Haynsworth (ALI-ABA, Philadelphia, 1984) [T]here are four key points in a loan when the scrutiny of counsel is An Introduction to most productive: first, at the drafting of the commitment letter and the structuring of the loan, ... second, in connection with the closing, Computer Security counsel's involvement should begin well in advance and continue [Part 1] through a postclosing follow-up and review; third, when any amend- ment or extension of the loan is proposed; and, finally, the instant a Simson L. Garfinkel default or workout appears likely. At that point counsel should be prepared to review the loan documentation and correspondence and, in "Spies," "vandals," and "crackers" are out there, general, to provide an analysis of the relative positions of competing waiting to get into-or destroy-your databases. creditors .... R. NASSBERG, THE LENDER'S HANDBOOK (ALI-ABA, Philadelphia, 1986) AWYERS MUST UNDERSTAND is- Lawyers today must automatically L sues of computer security, both recognize insecure computer systems for the protection of their own inter- and lax operating procedures in the ests and the interests of their clients. same way as lawyers now recognize 2006 39 1991 2000 2006 > The Practical Lawyer 2014 Sept. 1987 4 Today’s systems are less secure than those of the 1970s. The lack of security is inherent in modern information systems. • Attack is easier and cheaper than defense. • Cyber “defense in depth” does not work — a single vulnerability compromises. Policies, Procedures, Awareness Physical Perimeter Internal Network Application Data Cyber can directly target inner defenses Defense in depth of nuclear reactors http://www.nrc.gov/about-nrc/regulatory/research/soar/soarca-accident-progression.html It’s easier to break things than to fix them. 5 6 Today we expect computers to crash We also expect them to be hacked. The solution is not better security 7 Cybersecurity impacts the real world. IRL (Cyber is In Real Life.) 8 Main Menu ▼ My Stories: 25 ▼ Forums Subscribe Video Search Log In RISK ASSESSMENT / SECURITY & HACKTIVISM How hackers allegedly stole “unlimited” TOP FEATURE STORY amounts of cash from banks in just hours Feds accuse eight men of participating in heists that netted $45 million. by Dan Goodin - May 9 2013, 3:45pm EDT BLACK HAT HACKING 55 FEATURE STORY (3 PAGES) Exploring Ubuntu Touch, the other Linux OS for your phone It's far from done, but Canonical's mobile work- in-progress has some good ideas. 12 STAY IN THE KNOW WITH May 2013 — LATEST NEWS $45 million stolen from US banks with phony ATM cards Android 4.3, Google Babel, and the Nexus 7: What’s in store Main Menu ▼ My Stories: 25 ▼ Forums Subscribe Video Search Log In for Google I/O? RISK ASSESSMENT / SECURITY & HACKTIVISM CHITTY CHITTY BANG BANG TOP FEATURE STORY Flying car crashes near elementary How hackers allegedly stole “unlimited” school in Canada amounts of cash from banks in just hours Wikipedia Feds accuse eight men of participating in heists that netted $45 million. GROUND CONTROL TO MAJOR TOM by Dan Goodin - May 9 2013, 3:45pm EDT BLACK HAT HACKING 55 Federal authorities have accused eight men of participating in 21st-Century Bank heists that netted a Commander Chris Hadfield bids adieu FEATURE STORY (3 PAGES) to ISS with “Space Oddity” cover whoEpxppilnogr i$n4g5 U mbiullinotnu b Tyo huacchk,ing into payment systems and eliminating withdrawal limits placed on pretphaeid o dtheberit Lcianrudsx. OS for your phone SPACEWALK WITH ME TheIt' se faigr fhrotm m doenen, bfuot rCmanoendic atl'hs meo Nbile wwo rkY- ork-based cell of an international crime ring that organized and NASA arranges a quick spacewalk to in-progress has some good ideas. executed the hacks and then us12ed fraudulent payment cards in dozens of countries to withdraw the repair leaking space station lootS TfArYo INm TH aE KuNtOoWm WIaTHted teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates The British ‘Atlantis’ is withdrew about $2.8 million from New York City ATMs alone.
Load more

Recommended publications
  • ESSAY Untangling Attribution David D. Clark* and Susan Landau**
    ESSAY Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike McConnell wrote, "We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment - who did it, from where, why and what was the result - more manageable."I The Internet was not designed with the goal of deterrence in mind, and perhaps a future Internet should be designed differently. McConnell's statement is part of a recurring theme that a secure Internet must provide better attribution for actions occurring on the network. Although attribution generally means assigning a cause to an action, as used here attribution refers to identifying the agent responsible for the action (specifically, "determining * David Clark, Senior Research Scientist, MIT, Cambridge MA 02139, ddc acsail.mit.edu. Clark's effort on this work was funded by the Office of Naval Research under award number N00014-08-1-0898. Any opinions, findings, and conclusions or recommendations expressed in this Essay are those of the authors and do not necessarily reflect the views of the Office of Naval Research. " Susan Landau, Fellow, Radcliffe Institute for Advanced Study, Harvard University, Cambridge, MA 02138, susan.landau(a) rivacvink.oru. An earlier version of this Essay appeared in COMMI. ON DLTLRRING CYBERATTACKS, NAT'L RLSLARCH COUNCIL, PROCELDINGS OF A WORKSHOP ON DLTLRRING CYBLRATTACKS: INFORMING STRATEGILS AND DLVLLOPING OPTIONS FOR U.S.
    [Show full text]
  • Pgpfone Pretty Good Privacy Phone Owner’S Manual Version 1.0 Beta 7 -- 8 July 1996
    Phil’s Pretty Good Software Presents... PGPfone Pretty Good Privacy Phone Owner’s Manual Version 1.0 beta 7 -- 8 July 1996 Philip R. Zimmermann PGPfone Owner’s Manual PGPfone Owner’s Manual is written by Philip R. Zimmermann, and is (c) Copyright 1995-1996 Pretty Good Privacy Inc. All rights reserved. Pretty Good Privacy™, PGP®, Pretty Good Privacy Phone™, and PGPfone™ are all trademarks of Pretty Good Privacy Inc. Export of this software may be restricted by the U.S. government. PGPfone software is (c) Copyright 1995-1996 Pretty Good Privacy Inc. All rights reserved. Phil’s Pretty Good engineering team: PGPfone for the Apple Macintosh and Windows written mainly by Will Price. Phil Zimmermann: Overall application design, cryptographic and key management protocols, call setup negotiation, and, of course, the manual. Will Price: Overall application design. He persuaded the rest of the team to abandon the original DOS command-line approach and designed a multithreaded event-driven GUI architecture. Also greatly improved call setup protocols. Chris Hall: Did early work on call setup protocols and cryptographic and key management protocols, and did the first port to Windows. Colin Plumb: Cryptographic and key management protocols, call setup negotiation, and the fast multiprecision integer math package. Jeff Sorensen: Speech compression. Will Kinney: Optimization of GSM speech compression code. Kelly MacInnis: Early debugging of the Win95 version. Patrick Juola: Computational linguistic research for biometric word list. -2- PGPfone Owner’s
    [Show full text]
  • Digital Forensics and Preservation 1
    01000100 01010000 Digital 01000011 Forensics 01000100 and Preservation 01010000 Jeremy Leighton John 01000011 01000100 DPC Technology Watch Report 12-03 November 2012 01010000 01000011 01000100 01010000 Series editors on behalf of the DPC 01000011 Charles Beagrie Ltd. Principal Investigator for the Series 01000100 Neil Beagrie 01010000 01000011DPC Technology Watch Series © Digital Preservation Coalition 2012 and Jeremy Leighton John 2012 Published in association with Charles Beagrie Ltd. ISSN: 2048-7916 DOI: http://dx.doi.org/10.7207/twr12-03 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing from the publisher. The moral right of the author has been asserted. First published in Great Britain in 2012 by the Digital Preservation Coalition. Foreword The Digital Preservation Coalition (DPC) is an advocate and catalyst for digital preservation, ensuring our members can deliver resilient long-term access to digital content and services. It is a not-for- profit membership organization whose primary objective is to raise awareness of the importance of the preservation of digital material and the attendant strategic, cultural and technological issues. It supports its members through knowledge exchange, capacity building, assurance, advocacy and partnership. The DPC’s vision is to make our digital memory accessible tomorrow. The DPC Technology Watch Reports identify, delineate, monitor and address topics that have a major bearing on ensuring our collected digital memory will be available tomorrow. They provide an advanced introduction in order to support those charged with ensuring a robust digital memory, and they are of general interest to a wide and international audience with interests in computing, information management, collections management and technology.
    [Show full text]
  • Design Principles and Patterns for Computer Systems That Are
    Bibliography [AB04] Tom Anderson and David Brady. Principle of least astonishment. Ore- gon Pattern Repository, November 15 2004. http://c2.com/cgi/wiki? PrincipleOfLeastAstonishment. [Acc05] Access Data. Forensic toolkit—overview, 2005. http://www.accessdata. com/Product04_Overview.htm?ProductNum=04. [Adv87] Display ad 57, February 8 1987. [Age05] US Environmental Protection Agency. Wastes: The hazardous waste mani- fest system, 2005. http://www.epa.gov/epaoswer/hazwaste/gener/ manifest/. [AHR05a] Ben Adida, Susan Hohenberger, and Ronald L. Rivest. Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed Emails (to appear), 2005. Available at http://theory.lcs.mit.edu/⇠rivest/ publications.html. [AHR05b] Ben Adida, Susan Hohenberger, and Ronald L. Rivest. Separable Identity- Based Ring Signatures: Theoretical Foundations For Fighting Phishing Attacks (to appear), 2005. Available at http://theory.lcs.mit.edu/⇠rivest/ publications.html. [AIS77] Christopher Alexander, Sara Ishikawa, and Murray Silverstein. A Pattern Lan- guage: towns, buildings, construction. Oxford University Press, 1977. (with Max Jacobson, Ingrid Fiksdahl-King and Shlomo Angel). [AKM+93] H. Alvestrand, S. Kille, R. Miles, M. Rose, and S. Thompson. RFC 1495: Map- ping between X.400 and RFC-822 message bodies, August 1993. Obsoleted by RFC2156 [Kil98]. Obsoletes RFC987, RFC1026, RFC1138, RFC1148, RFC1327 [Kil86, Kil87, Kil89, Kil90, HK92]. Status: PROPOSED STANDARD. [Ale79] Christopher Alexander. The Timeless Way of Building. Oxford University Press, 1979. 429 430 BIBLIOGRAPHY [Ale96] Christopher Alexander. Patterns in architecture [videorecording], October 8 1996. Recorded at OOPSLA 1996, San Jose, California. [Alt00] Steven Alter. Same words, different meanings: are basic IS/IT concepts our self-imposed Tower of Babel? Commun. AIS, 3(3es):2, 2000.
    [Show full text]
  • Attribute-Based, Usefully Secure Email
    Dartmouth College Dartmouth Digital Commons Dartmouth College Ph.D Dissertations Theses and Dissertations 8-1-2008 Attribute-Based, Usefully Secure Email Christopher P. Masone Dartmouth College Follow this and additional works at: https://digitalcommons.dartmouth.edu/dissertations Part of the Computer Sciences Commons Recommended Citation Masone, Christopher P., "Attribute-Based, Usefully Secure Email" (2008). Dartmouth College Ph.D Dissertations. 26. https://digitalcommons.dartmouth.edu/dissertations/26 This Thesis (Ph.D.) is brought to you for free and open access by the Theses and Dissertations at Dartmouth Digital Commons. It has been accepted for inclusion in Dartmouth College Ph.D Dissertations by an authorized administrator of Dartmouth Digital Commons. For more information, please contact [email protected]. Attribute-Based, Usefully Secure Email A Thesis Submitted to the Faculty in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science by Christopher P. Masone DARTMOUTH COLLEGE Hanover, New Hampshire August, 2008 Examining Committee: (chair) Sean W. Smith, Ph.D. David F. Kotz, Ph.D. Christopher J. Bailey-Kellogg, Ph.D. Denise L. Anthony, Ph.D. M. Angela Sasse, Ph.D. Charles K. Barlowe, PhD Dean of Graduate Studies Abstract A secure system that cannot be used by real users to secure real-world processes is not really secure at all. While many believe that usability and security are diametrically opposed, a growing body of research from the field of Human-Computer Interaction and Security (HCISEC) refutes this assumption. All researchers in this field agree that focusing on aligning usability and security goals can enable the design of systems that will be more secure under actual usage.
    [Show full text]
  • Jason I. Hong
    Jason I. Hong Human Computer Interaction Institute Office: +1 412 268 1251 School of Computer Science Fax: +1 412 268 1266 Carnegie Mellon University Email: jasonh at cs cmu edu 5000 Forbes Ave Web: http://www.cs.cmu.edu/~jasonh 3523 Newell Simon Hall GScholar: https://scholar.google.com/citations?user=MoFbcc0AAAAJ Pittsburgh, PA 15213‐3891 Citizenship: USA ORCID: http://orcid.org/0000‐0002‐9856‐9654 Research Interests In the near future, our smart devices will know almost everything about us. How can we make use of all of this rich sensor and behavioral data to improve our lives? At the same time, this same data poses many new kinds of risks. How can we make privacy and security easily understandable by people who are not experts? How can we ensure that machine learning models built on this data is fair, accountable, transparent, and ethical? In my research, I draw on ideas and methods from human‐computer interaction, systems, behavioral sciences, and machine learning. Most of my current work centers on smartphones and the emerging Internet of Things. I also make use of data from crowdsourcing or social media, both to better understand people’s behaviors as well as to “outsource” the labor required to manage privacy and security. Education 2005 Ph.D., Computer Science, University of California at Berkeley Advisor: James Landay Thesis topic: An Architecture for Privacy‐Sensitive Ubiquitous Computing 1997 B.S., Discrete Mathematics, Georgia Institute of Technology Highest honors 1997 B.S., Computer Science, Georgia Institute of Technology
    [Show full text]
  • Why Patents Are Bad for Software
    SOFI SIMSON L. GARFINKEL firm RICHARD M. STALLMAN mos MITCHELL KAPOR serve their case! sole l Lotu shee Why Patents Are Bad patei whic whei for Software since cept ticip, one Patents can't protect with or invigorate the pear! computer software ligen sheel "i% Septembeer 1990, users of the industry; they can longer be able to automatically cor- thep ,opular XyVVrite word processing only cripple it. rect common spelling errors by near] ........ 4-a M _ in Ai~~~~trhints otter ~~~~nroc~cin a th~ae not' e ht ft- tp program got a Ulstur1ll1 ltLLUtI Il F",aall~r, C11%,aF"`1 u"L 1 LL L%. gram . "~ T .1 " "-----" ·-- -'-·-L----- - the .tmail trom Xy1uest, Inc., me mlsspelle word. In audtion, to ex- is exi program's publisher: pand abbreviations stored in your so el personal dictionary, you will have prob] "In June of 1987, we introduced an automatic cor- to press control-R or another designated hot key." r rection and abbreviation expansion feature in XyWrite netw III Plus. Unbeknownst to us, a patent application for a XyQuest had been bitten by a software patent- on a related capability had been filed in 1984 and was sub- one of the more than two thousand patents on com- thou sequently granted in 1988. The company holding the puter algorithms and software techniques that have pater patent contacted us in late 1989 and apprised us of the been granted by the U.S. Patent and Trademark Office softm existence of their patent. since the mid- 1980s. The owner of the patent, Produc- comI We have decided to modify XyWrite III Plus so tivity Software, had given XyQuest a choice: license any c that it cannot be construed as infringing.
    [Show full text]
  • Proceedings of the Conference on Digital Forensics, Security, and Law 2012 Richmond, Virginia May 30-31
    Proceedings of the Conference on Digital Forensics, Security, and Law 2012 Richmond, Virginia May 30-31 Richmond, Virginia May 30-31, 2012 Conference Chair Glenn S. Dardick Longwood University Virginia, USA Association of Digital Forensics, Security and Law Copyright © 2012 ADFSL, the Association of Digital Forensics, Security and Law. Permission to make digital or printed copies of all or any part of this journal is granted without fee for personal or classroom use only and provided that such copies are not made or distributed for profit or commercial use. All copies must be accompanied by this copyright notice and a full citation. Permission from the ADFSL is required to make digital or printed copies of all or any part of this journal for-profit or commercial use. Permission requests should be sent to Dr. Glenn S. Dardick, Association of Digital Forensics, Security and Law, 1642 Horsepen Hills Road, Maidens, Virginia 23102 or emailed to [email protected]. ISSN 1931-7379 ADFSL Conference on Digital Forensics, Security and Law, 2012 Sponsors 2 ADFSL Conference on Digital Forensics, Security and Law, 2012 Contents Committee ................................................................................................................................................ 4 Schedule ................................................................................................................................................... 5 Update on the State of the Science of Digital Evidence Examination ................................................
    [Show full text]
  • Appendices Appendix 1: Curriculum Vitae Cvs Including Education
    Appendices Appendix 1: Curriculum Vitae CVs including education, employment history, a list of the proposer’s most important previous publications, the journals in which they appeared, book reviews, and important honors and other awards have been supplied as individual attachments. Appendix 2: Conflict of Interest There are no potential significant conflicts of interest or source of bias related to this proposal on behalf of the primary investigators, key project staff, or the grantee institution. All activities conducted or hosted by the Program on Information science, which hosts this project, are governed by the Massachusetts Institute of Technology’s conflict of interest policy. Activities conducted at Harvard University are governed by substantially similar policies.1 These policy requires that all MIT and Harvard researchers comply with both Federal and sponsor-specific conflict of interest (COI) disclosure requirements. This policy requires annual disclosure and administrative review of all significant financial interests, and details on how an SFI entity does or does not have a relationship to each sponsored research project. A significant financial interest explicitly includes but is not limited to: ● Remuneration valued at $5K or more in the last 12 months from any entity other than the university 1 See http://research.fas.harvard.edu/policies/financial-conflicts-interest-disclosures ; http://law.harvard.edu/faculty/resources/conflict-of-interest-policy.html Page A1 ● Any equity interest in a non-publicly traded entity; and any equity interest of at least $5K in a publicly traded entity ● Any income related to patents or other intellectual property rights For information on MIT’s full policies on responsible and ethical conduct of interest, including conflict of interest policies and procedures see: http://web.mit.edu/conduct/conflict.html.
    [Show full text]
  • Simson Garfinkel / May 24, 2016 / Page 1 Testimony and Statement for the Record of Simson L. Garfinkel, Ph.D.1 Information Te
    National Institute of Standards and Technology • US Department of Commerce Testimony and Statement for the Record of Simson L. Garfinkel, Ph.D.1 Information Technology Laboratory National Institute for Standards and Technology Hearing on “De-Identification and the Health Insurance Portability and Accountability Act (HIPAA)” Subcommittee on Privacy, Confidentiality & Security National Committee on Vital and Health Statistics May 24-25, 2016 Hubert H. Humphrey Building U.S. Department of Health and Human Services Washington, D.C. “Overview and framing of current issues” 9:15 - 10:00 a.m. May 24, 2016 Executive Summary As part of its mission of promoting US innovation and industrial competitiveness by advancing measurement science, standards, and technology, NIST is pursuing research in the area of data de-identification. Interest in de-identification extends far beyond healthcare. De-identified data can protect privacy of data subjects, but it can also be re-identified. The identifiability of data in a dataset depends on the difficulty of linking that dataset with data elsewhere in the global data-sphere. Data that appear correctly de-identified today might be identifiable tomorrow based on a future data release. Geographic information is especially difficult to de-identify. The HIPAA Safe Harbor is an approach to de-identifying; while it isn’t it does usefully provide data scientists with a bright line rule for de-identifying data. Although most de-identification in healthcare today is based on field suppression and generalization, techniques that employ field swapping and the addition of noise may result in datasets that simultaneously do a better job protecting privacy and can provide researchers with more accurate statistical results.
    [Show full text]
  • The FBI's Cybercrime Crackdown 4/4/04 10:23 PM
    The FBI's Cybercrime Crackdown 4/4/04 10:23 PM << Return to article The FBI's Cybercrime Crackdown A new breed of special agent is taking on high tech criminals. By Simson Garfinkel November 2002 To protect the classified information stored on her desktop computer, Special Agent Nenette Day uses one of the most powerful tools on the planet—an air gap. Make my day: Special Agent Nenette Day points to an IBM ThinkPad resting on the table behind her Day hunts down computer crooks from desk. “That computer is hooked up to the Internet,” she says. her Boston office. (Photograph by Paul Foley) “But if you break into it, have a good time: there’s no secret work on it.” Two meters away on her desk sits Day’s other computer—a gray-and-chrome minitower emblazoned with a red sticker proclaiming that its hard drive is classified SECRET. “This,” she says protectively, “holds my e-mail.” Day readily talks about the ThinkPad, describing how she got it as part of a big purchase by the Federal Bureau of Investigation (FBI) a few years ago and explaining that it’s now somewhat out-of-date. And she happily shows off a collectible action figure—still in its display box—a colleague brought back from Belgium. It’s a “cyberagent” with a gun in one hand and a laptop computer in the other. But if you let your eyes drift back to that red SPONSORED LINKS sticker and try to copy the bold, black words printed on it, Day will throw you out of her office.
    [Show full text]
  • United States District Court Eastern District of Texas Texarkana Division
    Case 5:07-cv-00019-DF Document 1 Filed 01/31/07 Page 1 of 5 UNITED STATES DISTRICT COURT EASTERN DISTRICT OF TEXAS TEXARKANA DIVISION Simson Garfinkel, Plaintiff, Civil Action No. 5:07cv19 v. Judge Folsom Decru, Inc., and Network Appliance, Inc., JURY DEMANDED Defendants. COMPLAINT AND JURY DEMAND Plaintiff Simson Garfinkel ("Garfinkel"), by and through his undersigned counsel, for his Complaint against defendants Decru, Inc. ("Decru") and Network Appliance, Inc. ("NetApp"), alleges the following upon information and belief, except as to those allegations concerning Garfinkel, which are alleged upon knowledge: THE PARTIES 1. Garfinkel, a resident of Belmont, Massachusetts, is an Associate Professor at the Naval Postgraduate School in Monterey, California, and a fellow at the Center for Research on Computation and Society at Harvard University. Garfinkel received three Bachelor of Science degrees from the Massachusetts Institute of Technology (MIT) in 1987 and a Ph.D. in Computer Science from MIT in 2005. Garfinkel is the author of numerous publications relating to computer security. 2. Decru is a Delaware Corporation having a principal place of business at 275 Shoreline Drive, Fourth Floor, Redwood City, CA 94065. NYC:721524.6/1-102030 Case 5:07-cv-00019-DF Document 1 Filed 01/31/07 Page 2 of 5 3. NetApp is a Delaware Corporation having a principal place of business at 495 East Java Drive, Sunnyvale, CA 94089. Decru is a wholly-owned subsidiary of NetApp. Decru and NetApp are sometimes collectively referred to herein as "defendants." JURISDICTION AND VENUE 4. This Court has jurisdiction over the subject matter of the claims asserted herein pursuant to 28 U.S.C.
    [Show full text]