Marriage and Virtual Property

If you are a married person, as I am luckily, do you know that you may share with your spouse at least four properties you were not aware of?  URLs, websites, email accounts, and Facebook profiles.  Although they are virtual properties, they are part of your common patrimony.  Furthermore, they may have some monetary value.

As with every good, the problem becomes complex when there is a dispute. Are the AdSense revenues of your personal blog an earning or a profit? This matters for valuation. How much will your Facebook friends be valued in case of divorce?

Sally Richardson studied this classification in “Classifying Virtual Property in Community Property Regimes: Are My Facebook Friends Considered Earnings, Profits, Increases in Value, or Goodwill?”   She explains the four different applicable cases:

  • Earnings are what a spouse brings by his/her direct effort.
  • Profits are what a spouse gets without exerting effort (for instance rent).
  • Increase in the value of property is what a spouse generates due to tangible efforts such as building a new room.
  • Goodwill is what a spouse generates due to intangible skills such as reputation or skill.

Is my URL, eric-diehl.com, an earning or a profit? There is no straightforward answer. Sally explores the four types of properties and shows the complexity of the issue depending on the context. It is far too complex to summarize here.

The paper is interesting to read if you are curious. It clearly shows that our current legal framework is not yet adapted to virtual properties. I am sure that it soon will be, because sooner or later we will see spouses fight over their personal websites, or their common Facebook profile. If these virtual properties are part of their career (for instance celebrities), then it will be juicy.

Free ride

DRM bashing is a well-established Internet sport. Famous web sites, such as TechCrunch, Wired or ZDNet, which are otherwise extremely interesting, have a biased view about copyright, content owners, and copy protection. The positions of lobbying groups, such as EFF, are in the same vein. In a nutshell, according to them, copyright laws and content owners are killing the Internet.

“Free ride” by Robert Levine takes the opposite point of view. He shows that denying copyright on the Internet is actually killing the Internet.

He describes the battle between three giant groups with diverging interests. On one side, the media industry wants its cultural goods to be paid for, even on the Internet. On the other side, the Internet companies want information to flow freely. The more information available (even pirated information), the more advertisement revenues for the Internet companies and pirate sites. In the middle, the telecom companies initially benefited from piracy because it was a strong attractor for broadband adoption. Now, piracy is claimed to consume too large a part of the available bandwidth, and starts to hurt these telecom companies.

The book clearly highlights these diverging interests. It also draws a landscape of the current lobbying battlefield (by showing who is financing groups such as EFF, who Google finances…).

Levine’s message is that valuable content is costly to create. He also explains that creation is not sufficient if not combined with promotion, which is also costly (see Should you invest in the long-tail?). Without such investment, valuable content will disappear. Free riders (i.e. companies that use the content without rewarding the creators) and piracy will kill the economic incentive to create. The result would be a free Internet without valuable content to propose. In other words, rather than creating the promised bright cultural future, the Internet may create a poor cultural future. The fact that distribution and production have a cost nearing zero on the Internet should not hide the fact that creation has a cost. Dematerialisation often hides this cost. User-generated content or crowd-sourced content is not necessarily at the same level of quality as professionally created content.

He claims that the business models proposed by the Internet companies do not fit the economic constraints of valuable content. As such, he is opposed to Free: the future of a radical price.

This book is refreshing because it gives a well-argued position against the widely diffused position of the Internet companies. In a democracy, it is paramount for a sound debate to hear both sides of the story. Thus, read this book too, and only then form your own opinion.

Conclusion:  if you regularly visit my blog, then you should read this book.  It is at the heart of our industry.

Ghost in the Wires

Or the official biography of Kevin Mitnick. In the 90s, Kevin Mitnick was known as the World’s Most Wanted Hacker. He is an artist of social engineering. His book “The Art of Deception” is a reference on the topic.

This new opus tells Kevin’s story from his youth until the day he was freed. Do you remember the “Free Kevin” protest movement? Is this new book interesting? I read “The Art of Deception” with pleasure. It is not the case with this book. It could have been a good thriller, but the style is not right to create suspense. It could have been a book on the hacking mindset, but the described introspection is too shallow. It could have been a technical book, but the rare technical descriptions are uninteresti

The main interest of the book is the insight it gives into his motivations: “Getting access to things that he was not authorized”. Nevertheless, “The Art of Deception” gives a better view on social engineering. An unanswered question: why did he need to go to jail to become an ethical hacker?

We will keep a good description of ethical hacking.

What I do now fuels the same passion for hacking I felt during all those years of unauthorized access.  The difference can be summed up in one word: authorization.
I don’t need authorization to get in.
It’s the word that instantly transforms me from the World’s Most Wanted Hacker to one of the Most Wanted Security Experts in the world.  Just like magic.

Conclusion: This book is not mandatory on the shelves of security people.  “The Art of Deception” is mandatory.

Reference

[1] K.D. Mitnick and W.L. Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, Little, Brown and Company, 2011.

[2] K.D. Mitnick and W.L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons, 2003.

TELEX: a new path to anti-censorship

Usually when you want to avoid censorship on the Internet, you use tools such as Tor and other anonymizing proxies. Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman propose another solution: TELEX. The idea is elegant:

  • The client software hides, using steganography, the query to a censored site in a query for a high-traffic innocent site. As the request is hidden, the censor should not detect it.
  • Stations outside the borders of the censoring state, within collaborating routers, extract the hidden query and route it to the censored site. For that purpose, they use Deep Packet Inspection (DPI).
  • The censored site and the client establish a secure channel, thus preventing the censor from analyzing the exchanged data.
  • The collaborating router “impersonates” the innocent site in the traffic to avoid detection.

The paper presents a nice threat analysis explaining all the trade-offs to remain stealthy, the strategy that optimally locates the collaborating stations, and how to ideally select the “innocent” site. It is an excellent work that was presented at Usenix 2011.

The main issue is of course to find collaborating routers. This would require either collaborating NSPs or state-funded infrastructure. This is most probably the trickiest part to solve. A utopia?

Alex Halderman, the last author, is well known to the media. He is the one (at that time he used the name John A) who in 2002 demonstrated the weakness of Sony’s anti-rip solution (shift key), or more recently how to retrieve keys after a cold boot.

A cloud over ownership

This is the title of an excellent article by Simson Garfinkel in Technology Review. He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud. It is nothing really new, but it has the advantage of being clearly stated.

The first point is about privacy. When you purchase a physical book or a CD, the merchant has no way to profile you. Of course, if you purchase it on a digital store such as Amazon, the merchant will be able to profile some of your preferences. But with a digital good stored in the cloud, the merchant will also be able to analyze how you consume this digital good. And this is even more interesting. He will know which is your preferred book among the ones you purchased. For the same result with a physical book, you need to look for the most worn book in my library.

The second point is really about persistence. When I purchase a book, it is mine until I destroy it or give it away. With an e-book in the cloud, it is mine as long as the cloud operator accepts (or survives). This is a massive difference. I am not sure that the legislation has taken this shift into account. I do not even tackle the issue of DRM that may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing. Like the good itself, the ownership seems to become more ethereal. Is it good or bad? I don’t know. It is most probably useless to look for the answer; I’m afraid it is an unavoidable shift. We will have to adapt for the best and the worst.

Guidelines on Security and Privacy in Public Cloud Computing

NIST provides some recommendations when using a public cloud.  This excellent document gives very practical guidelines.  Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decisions and selecting the right service provider.

Faced with the economic benefits of public cloud, it is extremely difficult to resist the sirens’ song. This document raises some serious issues and may help to keep things under control. For instance:

  • Even if you are using a public cloud, your company is accountable for the overall security of your service, i.e. even that of the outsourced part.
  • As the cloud computing infrastructure is highly uniform, it should in theory be easier to harden the platforms and manage their security (which is a positive point for IaaS). Unfortunately, the use of hypervisors (virtual machines) increases the attack surface (although many people believe that virtual machines are more secure).
  • Sharing an infrastructure with unknown parties is a potential issue.  A strong assurance should be provided for the mechanism enforcing the logical separation.
  • Be ready to audit your service provider if security matters to you.

A must-read paper if you are about to board the cloud boat. The paper is about public cloud. Nevertheless, some parts are also useful in the context of private cloud.

Reference

W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011, available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.