DOCSLIB.ORG

Winter 2017 Vol

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Winter 2017 Vol ;login WINTER 2017 VOL. 42, NO. 4 : & Neural Nets Improve Password Choices William Melicher, Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor & DNSSEC: Useless as Used Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, and Christo Wilson & Fixing the Bitcoin Blockchain Shehar Bano, Mustafa Al-Bassam, and George Danezis & Psychological Safety in SRE Teams John P. Looney & Interview with Peter G. Neumann Columns Exiting Gracefully in Python David Beazley Perl without Perl David N. Blank-Edelman tcpdump as a Monitoring Tool Dave Josephsen Using Vault in Go Chris “Mac” McEniry Collecting Big Data Dan Geer UPCOMING EVENTS Enigma 2018 USENIX Security ’18: 27th USENIX Security January 16–18, 2018, Santa Clara, CA, USA Symposium www.usenix.org/enigma2018 August 15–17, 2018, Baltimore, MD, USA Submissions due February 8, 2018 FAST ’18: 16th USENIX Conference on File and Storage www.usenix.org/sec18 Technologies Co-located with USENIX Security ’18 February 12–15, 2018, Oakland, CA, USA SOUPS 2018: Fourteenth Symposium on Usable Privacy www.usenix.org/fast18 and Security August 12–14, 2018 SREcon18 Americas Abstract submissions due February 12, 2018 March 27–29, 2018, Santa Clara, CA, USA www.usenix.org/soups2018 www.usenix.org/srecon18americas WOOT ’18: 12th USENIX Workshop on Offensive NSDI ’18: 15th USENIX Symposium on Networked Technologies Systems Design and Implementation August 13–14, 2018 www.usenix.org/woot18 April 9–11, 2018, Renton, WA, USA www.usenix.org/nsdi18 CSET ’18: 11th USENIX Workshop on Cyber Security Experimentation and Test SREcon18 Asia/Australia August 13, 2018 June 6–8, 2018, Singapore www.usenix.org/cset18 www.usenix.org/srecon18asia ASE ’18: 2018 USENIX Workshop on Advances in Security Education USENIX ATC ’18: 2018 USENIX Annual Technical August 13, 2018 Conference www.usenix.org/ase18 July 11–13, 2018, Boston, MA, USA Submissions due February 6, 2018 FOCI ’18: 8th USENIX Workshop on Free and Open www.usenix.org/atc18 Communications on the Internet Co-located with USENIX ATC ’18 August 14, 2018 www.usenix.org/foci18 HotStorage ’18: 10th USENIX Workshop on Hot Topics in Storage and File Systems HotSec ’18: 2018 USENIX Summit on Hot Topics July 9–10, 2018 in Security Submissions due March 15, 2018 August 14, 2018 www.usenix.org/hotstorage18 www.usenix.org/hotsec18 HotCloud ’18: 10th USENIX Workshop on Hot Topics in Cloud Computing SREcon18 Europe/Middle East/Africa July 9, 2018 August 29–31, 2018, Dusseldorf, Germany www.usenix.org/hotcloud18 www.usenix.org/srecon18europe HotEdge ’18: USENIX Workshop on Hot Topics OSDI ’18: 13th USENIX Symposium on Operating in Edge Computing Systems Design and Implementation July 10, 2018 October 8–10, 2018, Carlsbad, CA, USA www.usenix.org/hotedge18 Abstract registration due April 26, 2018 www.usenix.org/osdi18 www.usenix.org/facebook www.usenix.org/gplus www.usenix.org/linkedin twitter.com/usenix www.usenix.org/youtube WINTER 2017 VOL. 42, NO. 4 EDITOR Rik Farrow [email protected] EDITORIAL MANAGING EDITOR Michele Nelson 2 Musings Rik Farrow [email protected] SECURITY COPY EDITORS Steve Gilmartin 6 Global-Scale Measurement of DNS Manipulation Amber Ankerholz Paul Pearce, Ben Jones, Frank Li, Roya Ensafi, Nick Feamster, Nicholas Weaver, and Vern Paxson PRODUCTION Arnold Gatilao 14 An End-to-End View of DNSSEC Ecosystem Management Jasmine Murcia Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, TYPESETTER David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, and Star Type Christo Wilson [email protected] 22 Securing the Internet, One HTTP 200 OK at a Time USENIX ASSOCIATION Wilfried Mayer, Katharina Krombholz, Martin Schmiedecker, 2560 Ninth Street, Suite 215 and Edgar Weippl Berkeley, California 94710 Phone: (510) 528-8649 26 Better Passwords through Science (and Neural Networks) FAX: (510) 548-5738 William Melicher, Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor www.usenix.org 31 The Road to Scalable Blockchain Designs ;login: is the official magazine of the USENIX Shehar Bano, Mustafa Al-Bassam, and George Danezis Association. ;login: (ISSN 1044-6397) is published quarterly by the USENIX 37 An Interview with Peter G. Neumann Rik Farrow Association, 2560 Ninth Street, Suite 215, Berkeley, CA 94710. SYSTEMS $90 of each member’s annual dues is for 42 Decentralized Memory Disaggregation Over Low-Latency Networks a subscription to ;login:. Subscriptions for Juncheng Gu, Youngmoon Lee, Yiwen Zhang, Mosharaf Chowdhury, non members are $90 per year. Periodicals and Kang G. Shin postage paid at Berkeley, CA, and additional mailing offices. SRE AND SYSADMIN POSTMASTER: Send address changes to Psychological Safety in Operation Teams John P. Looney ;login:, USENIX Association, 2560 Ninth Street, 50 Suite 215, Berkeley, CA 94710. 55 From Sysadmin to SRE in 2587 Words Vladimir Legeza ©2017 USENIX Association 59 Understanding Docker Kurt Lidl USENIX is a registered trademark of the USENIX Association. Many of the designa- COLUMNS tions used by manufacturers and sellers to distinguish their products are claimed 66 raise SystemExit(0) David Beazley as trademarks. USENIX acknowledges all 70 Practical Perl Tools: Perl without Perl David N. Blank-Edelman trademarks herein. Where those desig- nations appear in this publication and 74 Go: HashiCorp’s Vault Chris “Mac” McEniry USENIX is aware of a trademark claim, 79 iVoyeur: Tcpdump at Scale Dave Josephsen the designations have been printed in caps or initial caps. 82 For Good Measure: Letting Go of the Steering Wheel Dan Geer 87 /dev/random: Cloudbursting, or Risk Mismanagement Robert G. Ferrell BOOKS 89 Book Reviews Mark Lamourine and Michele Nelson USENIX NOTES 92 2018 Election for the USENIX Board of Directors Casey Henderson 93 Thanks to Our Volunteers Casey Henderson 94 USENIX Association Financial Statements for 2016 Musings RIK FARROWEDITORIAL Rik is the editor of ;login:. lthough ;login: no longer has theme issues, this issue is loaded with [email protected] articles about security. Sitting in lofty isolation, I thought I would A muse this time about the three problems we have with computer security: hardware, software, and people. I don’t think I’ve left anything out. Hardware Most of the computers that people use (as opposed to simpler IoT devices) have hardware designs roughly like early timesharing mainframes. For the purposes of security, our com- puters have two relevant features: memory management and privileged modes. Memory man- agement was designed to keep processes from interfering with each other and the operating system. You really don’t want someone else who is logged into another terminal (a device capable of displaying 24 lines of 80 characters each, a keyboard, and a serial interface maxing out at 19,200 baud [1]) writing into your process’s memory, and especially not the operating system’s memory. Note that terminals on early systems were often Teletype Model 33 ASRs, capable of uppercase only but also allowed input or output via a paper tape reader/puncher [2]. Teletypes used Baudot, just five bits per character, with a maximum rate of 10 characters per second. I actually used Teletypes on a Multics system in 1969. Memory management on mainframes in the 1970s didn’t always work well. In 1979, I crashed a mainframe, using a DECwriter 300, a much nicer and quieter terminal, while taking an operating systems course. I made a mistake entering a substitute command and only noticed when the command was taking forever to complete. I had created an infinite loop, essentially replacing each character with two copies of itself. What clued me in to what I had done was when other people in the terminal room started getting up and leaving, knowing it would take at least 20 minutes to reboot the mainframe. In our “modern” systems, memory management works very well at protecting processes from one another, and events like the one I just described won’t happen. This is where privilege mode [3] comes in. Because the operating system needs to be capable of doing things that normal processes cannot, the CPU switches into privilege mode when executing operating system code. While in privilege mode, the executing software can read or write anywhere in memory. Needless to say, this has made writing kernel exploits extremely popular. And as kernels are the largest single images with the most complex code (think multiple threads, locking, and device drivers) you generally run, there are lots of vulnerabilities to be found. You might be wondering why we rely on such ancient mechanisms as the hardware basis for our security. Think of these mechanisms as being like internal combustion engines: they’ve been around a long time and have gotten fantastically more efficient. There are other reasons for using these mechanisms: they are familiar to both CPU designers and programmers (see People, below). There was an alternative design, a mainframe built in the mid-to-late ’60s: the GE 645 (later Honeywell). The GE 645 had segment registers, essentially hardware used to add an offset to each memory address. Unlike memory management, segment registers as used in this design weren’t limited to large page sizes, so it was possible to have programs that could treat 2 WINTER 2017 VOL. 42, NO. 4 www.usenix.org EDITORIAL Musings different areas of memory as if they were different physical If I had been working as the CSO of a large financial company compartments, and limit access to those compartments. Please whose main business had to do with identity records, I would read my interview with Peter G. Neumann in this issue for more have insisted on having simple parsers, but also a gateway, a type on segmentation. of application firewall, that would limit access to the database to the expected queries, and rate limit the number of responses Intel’s flagship CPUs in the later ’80s also used segment regis- permitted.
Load more

Recommended publications
  • Cyber Defense Emagazine – June 2018 Edition Copyright © Cyber Defense Magazine, All Rights Reserved Worldwide
    …130+ Packed Pages This Month… CyberDefenseTV.com continues to grow with more interviews of C level executives in the Cyber HotSeat… BlackHat Trip Report and Great C Level InfoSec Thought Leader interviews… Transforming Cyber Security An End to the Era of Passwords? The Impact of SOAR on Incident Response Steps The Art of Phishing and How To Fight It …and much more… 1 Cyber Defense eMagazine – June 2018 Edition Copyright © Cyber Defense Magazine, All rights reserved worldwide CONTENTS BlackHat Conference 2018 Trip Report........................................................................................ 15 Transforming Cyber Security........................................................................................................ 35 Cyber Security Tips for Business Travelers................................................................................... 38 Building blocks to manage the supply chain ............................................................................... 40 Cyber PSYOP: The New Way to Impact Opinons and Politics ..................................................... 42 Let Passwords Go Extinct ............................................................................................................. 45 The Impact of SOAR on Incident Response Steps ........................................................................ 47 2018 is Late but Still the Right Time to Bid Goodbye to Malware Prone SMBv1 ...................... 50 Best Practices for DDoS Mitigation in the Terabit Attack Era ...................................................
    [Show full text]
  • Success Strategies in Emerging Iranian American Women Leaders
    Pepperdine University Pepperdine Digital Commons Theses and Dissertations 2017 Success strategies in emerging Iranian American women leaders Sanam Minoo Follow this and additional works at: https://digitalcommons.pepperdine.edu/etd Recommended Citation Minoo, Sanam, "Success strategies in emerging Iranian American women leaders" (2017). Theses and Dissertations. 856. https://digitalcommons.pepperdine.edu/etd/856 This Dissertation is brought to you for free and open access by Pepperdine Digital Commons. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of Pepperdine Digital Commons. For more information, please contact [email protected], [email protected], [email protected]. Pepperdine University Graduate School of Education and Psychology SUCCESS STRATEGIES IN EMERGING IRANIAN AMERICAN WOMEN LEADERS A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Education in Organizational Leadership by Sanam Minoo July, 2017 Farzin Madjidi, Ed.D. – Dissertation Chairperson This dissertation, written by Sanam Minoo under the guidance of a Faculty Committee and approved by its members, has been submitted to and accepted by the Graduate Faculty in partial fulfillment of the requirements for the degree of DOCTOR OF EDUCATION Doctoral Committee: Farzin Madjidi, Ed.D., Chairperson Lani Simpao Fraizer, Ed.D. Gabriella Miramontes, Ed.D. © Copyright by Sanam Minoo 2017 All Rights Reserved TABLE OF CONTENTS Page LIST OF TABLES ........................................................................................................................
    [Show full text]
  • Understanding Flaws in the Deployment and Implementation of Web Encryption
    Understanding Flaws in the Deployment and Implementation of Web Encryption Suphannee Sivakorn Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2018 © 2018 Suphannee Sivakorn All rights reserved ABSTRACT Understanding Flaws in the Deployment and Implementation of Web Encryption Suphannee Sivakorn In recent years, the web has switched from using the unencrypted HTTP protocol to using encrypted communications. Primarily, this resulted in increasing deployment of TLS to mitigate information leakage over the network. This development has led many web service operators to mistakenly think that migrating from HTTP to HTTPS will magically protect them from information leakage without any additional effort on their end to guar- antee the desired security properties. In reality, despite the fact that there exists enough infrastructure in place and the protocols have been “tested” (by virtue of being in wide, but not ubiquitous, use for many years), deploying HTTPS is a highly challenging task due to the technical complexity of its underlying protocols (i.e., HTTP, TLS) as well as the complexity of the TLS certificate ecosystem and this of popular client applications suchas web browsers. For example, we found that many websites still avoid ubiquitous encryption and force only critical functionality and sensitive data access over encrypted connections while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality tothird parties. Thus, it is crucial for developers to verify the correctness of their deployments and implementations.
    [Show full text]
  • Building Secure and Reliable Systems
    Building Secure & Reliable Systems Best Practices for Designing, Implementing and Maintaining Systems Compliments of Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea & Adam Stubblefi eld Praise for Building Secure and Reliable Systems It is very hard to get practical advice on how to build and operate trustworthy infrastructure at the scale of billions of users. This book is the first to really capture the knowledge of some of the best security and reliability teams in the world, and while very few companies will need to operate at Google’s scale many engineers and operators can benefit from some of the hard-earned lessons on securing wide-flung distributed systems. This book is full of useful insights from cover to cover, and each example and anecdote is heavy with authenticity and the wisdom that comes from experimenting, failing and measuring real outcomes at scale. It is a must for anybody looking to build their systems the correct way from day one. —Alex Stamos, Director of the Stanford Internet Observatory and former CISO of Facebook and Yahoo This book is a rare treat for industry veterans and novices alike: instead of teaching information security as a discipline of its own, the authors offer hard-wrought and richly illustrated advice for building software and operations that actually stood the test of time. In doing so, they make a compelling case for reliability, usability, and security going hand-in-hand as the entirely inseparable underpinnings of good system design. —Michał Zalewski, VP of Security Engineering at Snap, Inc. and author of The Tangled Web and Silence on the Wire This is the “real world” that researchers talk about in their papers.
    [Show full text]
  • Improving Security and Performance in Low Latency Anonymous Networks
    Improving Security and Performance in Low Latency Anonymous Networks by Kevin Scott Bauer B.S., University of Denver, 2005 A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science 2011 This thesis entitled: Improving Security and Performance in Low Latency Anonymous Networks written by Kevin Scott Bauer has been approved for the Department of Computer Science Prof. Dirk Grunwald Prof. Douglas Sicker Prof. Shivakant Mishra Prof. Nikita Borisov Prof. Stefan Savage Date The final copy of this thesis has been examined by the signatories, and we find that both the content and the form meet acceptable presentation standards of scholarly work in the above mentioned discipline. Bauer, Kevin Scott (Ph.D., Computer Science) Improving Security and Performance in Low Latency Anonymous Networks Thesis directed by Co-Chairs Prof. Dirk Grunwald and Prof. Douglas Sicker Conventional wisdom dictates that the level of anonymity offered by low latency anonymity networks increases as the user base grows. However, the most significant obstacle to increased adoption of such systems is that their security and performance properties are perceived to be weak. In an effort to help foster adoption, this dissertation aims to better understand and improve security, anonymity, and performance in low latency anonymous communication systems. To better understand the security and performance properties of a popular low latency anonymity network, we characterize Tor, focusing on its application protocol distribution, geopo- litical client and router distributions, and performance. For instance, we observe that peer-to-peer file sharing protocols use an unfair portion of the network’s scarce bandwidth.
    [Show full text]
  • An Experience Sampling Study of User Reactions to Browser Warnings in the Field
    An Experience Sampling Study of User Reactions to Browser Warnings in the Field Robert W. Reeder1, Adrienne Porter Felt1, Sunny Consolvo1, Nathan Malkin2, Christopher Thompson2, and Serge Egelman2;3 1Google, Mountain View, CA 2University of California, Berkeley, CA 3International Computer Science Institute, Berkeley, CA {rreeder,felt,sconsolvo}@google.com, {nmalkin,cthompson,egelman}@cs.berkeley.edu ABSTRACT Due to their importance, browser warnings have received a Web browser warnings should help protect people from mal- great deal of attention. Initially, browser warnings gained ware, phishing, and network attacks. Adhering to warnings a reputation for low adherence rates [17, 19, 37, 40, 41]. keeps people safer online. Recent improvements in warning Vendors responded to this research with improvements. In design have raised adherence rates, but they could still be 2013, the Chrome and Firefox teams released data showing higher. And prior work suggests many people still do not that contemporary warnings had relatively high adherence understand them. Thus, two challenges remain: increasing rates—except for the Chrome HTTPS error warning, which both comprehension and adherence rates. To dig deeper into still suffered from low adherence (only 30% of users adhered user decision making and comprehension of warnings, we to the warnings) [2]. After further work, Chrome’s HTTPS performed an experience sampling study of web browser secu- error warning caught up, and now up to 70% of users adhere rity warnings, which involved surveying over 6,000 Chrome to the warnings [21, 22, 44]. Despite these improvements, and Firefox users in situ to gather reasons for adhering or not HTTPS warning adherence rates can still be improved.
    [Show full text]
  • (2010-2013). He Is a Creator of the Spread Toolkit ( the First Scalable Group Communication System with Strong Semantics
    Forum on Cyber Resilience Member Biographies as of 2019-04 Fred B. Schneider (NAE), is Samuel B. Eckert Professor of Computer Science at Cornell University. He joined Cornell's faculty in Fall 1978, having completed a Ph.D. at Stony Brook University and a B.S. in engineering at Cornell in 1975. Schneider's research has always concerned various aspects of trustworthy systems —systems that will perform as expected, despite failures and attacks. Most recently, his interests have focused on system security. His work characterizing what policies can be enforced with various classes of defenses is widely cited, and it is seen as advancing the nascent science base for security. He is also engaged in research concerning legal and economic measures for improving system trustworthiness. Schneider was elected a fellow of the American Association for the Advancement of Science (1992), the Association of Computing Machinery (1995), and the Institute of Electrical and Electronics Engineers (2008). He was named Professor-at-Large at the University of Tromso (Norway) in 1996 and was awarded a Doctor of Science honoris causa by the University of Newcastle-upon-Tyne in 2003 for his work in computer dependability and security. He received the 2012 IEEE Emanuel R. Piore Award for "contributions to trustworthy computing through novel approaches to security, fault-tolerance and formal methods for concurrent and distributed systems". The U.S. National Academy of Engineering elected Schneider to membership in 2011, the Norges Tekniske Vitenskapsakademi (Norwegian Academy of Technological Sciences) named him a foreign member in 2010, and the American Academy of Arts and Sciences elected him in 2017.
    [Show full text]
  • Women Know Cyber
    WOMEN KNOW CYBER 100 Fascinating Females Fighting Cybercrime STEVE MORGAN & DI FREEZE WOMEN KNOW CYBER: 100 Fascinating Females Fighting Cybercrime Copyright © 2019 by Cybersecurity Ventures ISBN 978-1-7330157-0-7 All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed “Attention: Permissions Coordinator,” at the address below. Cybersecurity Ventures 83 Main Street, 2nd Floor, Suite 5 Northport, N.Y. 11768 This book is dedicated to my six children. Without you, my first book would have been completed thirty years ago. I thank God for showing me what’s most important in life. – Steve Morgan Cybersecurity Conference Sponsor FutureCon produces cutting-edge events aimed at CISOs, IT security professionals, and cybersecurity companies – bringing together the best minds in the industry for a unique experi- ence. These one-day events in more than 20 cities throughout North America feature thought- provoking presentations by industry leaders, esteemed keynote speakers, and a panel session with cybersecurity experts. Each FutureCon event provides attendees with the very latest and highest level vendor-neutral training in the security community. FutureCon's founder, Kim Hakim, is a U.S. Navy veteran with more than two decades of experience producing thousands of cybersecurity conferences. "Women Know Cyber" book signings and special programs will be held at FutureCon events.
    [Show full text]
  • Enhancing Cybersecurity: the Role of Innovation Ecosystems
    SEMINAR SUMMARY APRIL 2019 ENHANCING CYBERSECURITY: THE ROLE OF INNOVATION ECOSYSTEMS EXECUTIVE SUMMARY This document summarizes the conversations from the seminar “Enhancing Cybersecurity – The Role of Innovation Ecosystems” that took place on February 13th 2019 at the Massachusetts Institute of Technology in Cambridge, Massachusetts. The goal of the Seminar was to advance participants’ knowledge of innovation ecosystems for innovation in cybersecurity. Its approach was to emphasize the growing agglomeration of innovation-driven enterprises creating innovative solutions, and the tightly-coupled inter- dependencies in these hubs of entrepreneurs, governments, risk-capital, universities and large corporations. The Seminar was organized by the MIT Innovation Initiative (MITii), the Federmann Cyber Security Center at the Hebrew University of Jerusalem (HCSRC), Israel’s National Cyber Directorate (INCD), the UK Department for Digital, Culture, Media & Sport (DCMS), and the UK Science & Innovation Network. Forty participants representing all of the ecosystem stakeholders (governments, universities, corporations, entrepreneurs, and risk capital) were invited to participate (see Appendix B). The Main Insights: • Cybersecurity is an area of technological, corporate and regulatory innovation that emphasizes the growing agglomeration of innovation-driven enterprises and inter- dependencies between entrepreneurs, governments, risk-capital, universities and large corporations. Innovation ecosystems thus provide an important lens to understand the specific case of innovation in cybersecurity, and to enhance our understanding of innovation ecosystems in general. • This insight is key for practitioners and promoters of innovation in cybersecurity, as the lessons from wider ‘innovation ecosystems’ become more and more relevant to their efforts. As such, the multi-stakeholder ecosystem approach (broadly defined) can help enhance and accelerate innovation in cybersecurity, as it has elsewhere.
    [Show full text]
  • The Computer Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work, 5 U
    University of Miami Law School Institutional Repository University of Miami National Security & Armed Conflict Law Review 7-1-2015 The omputC er Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work Kristin Westerhorstmann Follow this and additional works at: http://repository.law.miami.edu/umnsac Part of the Military, War and Peace Commons, and the National Security Commons Recommended Citation Kristin Westerhorstmann, The Computer Fraud and Abuse Act: Protecting the United States from Cyber-Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work, 5 U. Miami Nat’l Security & Armed Conflict L. Rev. 145 (2015) Available at: http://repository.law.miami.edu/umnsac/vol5/iss2/9 This Note is brought to you for free and open access by Institutional Repository. It has been accepted for inclusion in University of Miami National Security & Armed Conflict Law Review by an authorized administrator of Institutional Repository. For more information, please contact [email protected]. The Computer Fraud and Abuse Act: Protecting the United States from Cyber- Attacks, Fake Dating Profiles, and Employees Who Check Facebook at Work Kristin Westerhorstmann* ABSTRACT Each year, the frequency andseverityof cyber-attacks continue to increase. With each new threat comes more pressure on the government to implement an effectiveplanforpreventing these attacks. The first instinct has been to attempt either to enact more laws,orto broaden thescope of already-existing laws such as the Computer Fraud and Abuse Act (CFAA). The CFAA, the federal hacking statute, has been called the worst law in technology for itsexcessively broad scope and vague provisions, whichhaveresulted in arbitrary and discriminatory enforcement, conflicts with the federal private nondelegation doctrine, and in overcriminalization.
    [Show full text]
  • Measuring HTTPS Adoption on The
    Measuring HTTPS Adoption on the Web Adrienne Porter Felt, Google; Richard Barnes, Cisco; April King, Mozilla; Chris Palmer, Chris Bentzel, and Parisa Tabriz, Google https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/felt This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX Measuring HTTPS Adoption on the Web Adrienne Porter Felt1, Richard Barnes2, April King3, Chris Palmer1, Chris Bentzel1, Parisa Tabriz1 1Google, 2Cisco, 3Mozilla 1felt, palmer, cbentzel, [email protected], [email protected], [email protected] Abstract [1, 24, 32, 3]). They plan to make further changes as HTTPS becomes the default standard [30, 3]. How HTTPS ensures that the Web has a base level of pri- close is the Web to considering HTTPS a default? vacy and integrity. Security engineers, researchers, and browser vendors have long worked to spread HTTPS to as much of the Web as possible via outreach efforts, de- In this paper, we measure HTTPS adoption rates from veloper tools, and browser changes. How much progress the perspectives of both clients and servers. A key chal- have we made toward this goal of widespread HTTPS lenge is that there are many ways to measure client us- adoption? We gather metrics to benchmark the status age and server support of HTTPS, each yielding differ- and progress of HTTPS adoption on the Web in 2017. ent findings on the prevalence of HTTPS. For example, To evaluate HTTPS adoption from a user perspective, HTTPS is a much higher fraction of browser page loads we collect large-scale, aggregate user metrics from two if the metrics count certain types of in-page navigations.
    [Show full text]
  • Towards More Effective Censorship Resistance Systems
    Towards more Effective Censorship Resistance Systems by Mohammad Tariq Elahi A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science Waterloo, Ontario, Canada, 2015 © Mohammad Tariq Elahi 2015 Some rights reserved. BY NC SA This thesis consists of material all of which I authored or co-authored: see Statement of Contributions included in the thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. ii Statement of Contributions The content in Chapter 2 was co-authored with Colleen Swanson, who provided the dis- cussion of the global adversary and the failed limited sphere of influence assumption. John Doucette provided the framework and preliminary analysis of the simple censor cases, Steven Murdoch provided the real world problem motivation and the simulator and its de- scription, and Hadi Hosseini provided a portion of the related work discussion in Chapter 3. George Danezis provided a sketch and core code for the two PrivEx variants in Chapter 4. Kevin Bauer provided the Tor simulation patch and scripts while Mashael AlSabah pro- vided the related work discussion in Chapter 5. The rest of this thesis contains original content and was authored under the supervision of Ian Goldberg. iii Abstract Internet censorship resistance systems (CRSs) have so far been designed in an ad-hoc manner. The fundamentals are unclear and the foundations are shaky. Censors are, more and more, able to take advantage of this situation.
    [Show full text]