Secure Data Management 2012

The ninth workshop on secure data management (SDM’12) has extended its submission deadline to June 1, 2012.

The topics of interest are:

  • Secure Data Management
  • Database Security
  • Data Anonymization/Pseudonymization
  • Data Hiding
  • Metadata and Security
  • XML Security
  • Authorization and Access Control
  • Data Integrity
  • Privacy Preserving Data Mining
  • Statistical Database Security
  • Control of Data Disclosure
  • Private Information Retrieval
  • Secure Stream Processing
  • Secure Auditing
  • Data Retention
  • Search on Encrypted Data
  • Digital and Enterprise Rights Management
  • Multimedia Security and Privacy
  • Private Authentication
  • Identity Management
  • Privacy Enhancing Technologies
  • Security and Semantic Web
  • Security and Privacy in Ubiquitous Computing
  • Security and Privacy of Health Data
  • Web Service Security
  • Trust Management
  • Policy Management
  • Applied Cryptography

PST 2012

Usually, I do not advertise conferences and calls for papers. But for Privacy Security & Trust 2012 (PST 2012), I will make an exception. If you go to the site, you will easily understand why ;-)

The preferred topics are:

  • Privacy Preserving / Enhancing Technologies
  • Critical Infrastructure Protection
  • Network and Wireless Security
  • Operating Systems Security
  • Intrusion Detection Technologies
  • Secure Software Development and Architecture
  • PST Challenges in e-Services, e.g. e-Health, e-Government, e-Commerce
  • Network Enabled Operations
  • Digital forensics
  • Information Filtering, Data Mining and Knowledge from Data
  • National Security and Public Safety
  • Security Metrics
  • Recommendation, Reputation and Delivery Technologies
  • Continuous Authentication
  • Trust Technologies, Technologies for Building Trust in e-Business Strategy
  • Observations of PST in Practice, Society, Policy and Legislation
  • Digital Rights Management
  • Identity and Trust management
  • PST and Cloud Computing
  • Human Computer Interaction and PST
  • Implications of, and Technologies for, Lawful Surveillance
  • Biometrics, National ID Cards, Identity Theft
  • PST and Web Services / SOA
  • Privacy, Traceability, and Anonymity
  • Trust and Reputation in Self-Organizing Environments
  • Anonymity and Privacy vs. Accountability
  • Access Control and Capability Delegation
  • Representations and Formalizations of Trust in Electronic and Physical Social Systems

The submission deadline is 18 March 2012.

TELEX: a new path to anti-censorship

Usually, when you want to avoid censorship on the Internet, you use tools such as TOR and other anonymizing proxies. Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman propose another solution: TELEX. The idea is elegant:

  • The client software hides, using steganography, the query to a censored site in a query for a high-traffic innocent site. As the request is hidden, the censor should not detect it.
  • Stations outside of the frontier of the censoring state, within collaborating routers, will extract the hidden query and route it to the censored site. For that purpose, they will use Deep Packet Inspection (DPI).
  • The censored site and the client enter into a secure channel, thus preventing the censor from analyzing the exchanged data.
  • The collaborating router “impersonates” the innocent site in traffic to avoid detection.

The paper presents a nice threat analysis explaining all the trade-offs to remain stealthy, the strategy that optimally locates the collaborating stations, and how to ideally select the “innocent” site. It is excellent work that was presented at Usenix 2011.

The main issue is of course to find collaborating routers. This would require either collaborating NSPs or state-funded infrastructure. This is most probably the trickiest part to solve. A utopia?

Alex Halderman, the last author, is well known to the media. He is the one (at that time he went by John A) who in 2002 demonstrated the weakness of Sony's anti-rip solution (shift key) and, more recently, how to retrieve keys after a cold boot.

A cloud over ownership

This is the title of an excellent article by Simson Garfinkel in Technology Review. He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud. It is nothing really new, but it has the advantage of being clearly stated.

The first point is about privacy. When you purchase a physical book or a CD, the merchant has no way to profile you. Of course, if you purchase it on a digital store such as Amazon, the merchant will be able to profile some of your preferences. But with a digital good stored in the cloud, the merchant will also be able to analyze how you consume this digital good. And this is even more interesting. He will know which is your preferred book among the ones you purchased. For the same result with a physical book, you would need to look for the most worn book in my library.

The second point is really about persistence. When I purchase a book, it is mine until I destroy it or give it away. With an e-book in the cloud, it is mine as long as the cloud operator accepts (or survives). This is a massive difference. I am not sure that the legislation has taken into account this shift. I do not even tackle the issue of DRM that may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing. Like the good itself, the ownership seems to become more ethereal. Is it good or bad? I don’t know. It is most probably useless to look for the answer; I’m afraid it is an unavoidable shift. We will have to adapt for the best and the worst.

Guidelines on Security and Privacy in Public Cloud Computing

NIST provides some recommendations for using a public cloud. This excellent document gives very practical guidelines. Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decisions and selecting the right service provider.

Faced with the economic benefits of the public cloud, it is extremely difficult to resist the song of the sirens. This document raises some serious issues and may help keep things under control. For instance:

  • Even if you are using a public cloud, your company is accountable for the overall security of your service, i.e. even that of the outsourced part.
  • As the cloud computing infrastructure is highly uniform, it should in theory be easier to harden the platforms and manage their security (which is a positive point for IaaS). Unfortunately, the use of hypervisors (virtual machines) increases the attack surface (although many people believe that virtual machines are more secure).
  • Sharing an infrastructure with unknown parties is a potential issue. Strong assurance should be provided for the mechanism enforcing the logical separation.
  • Be ready to audit your service provider if security matters to you.

A must-read paper if you are about to board the cloud boat. The paper is about public cloud. Nevertheless, some parts are also useful in the context of private cloud.

Reference

W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011, available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.

Blippy is changing

Last year, I spotted a site, Blippy, that frightened me (Blippy: Do people care about privacy?). Its purpose was to help you share with others what you purchased with your credit cards. I could not believe that such a site existed. What is even worse is that some people used it! They announced 100K subscribers with 30% sharing purchases. They raised up to 13 million.

Recently, TechCrunch announced that Blippy changed its product offer. Blippy no longer reports your purchases but allows you to post recommendations. That is far safer from the privacy point of view, but is it special?

I was hoping that this change was because people were concerned about privacy. It seems more that Blippy did not attract enough activity. Perhaps because people were not ready to share this type of information?

PS: In April 2010, Blippy leaked out some credit card numbers of subscribers.

Anonymity Loves Company

It is the title of an interesting paper by Roger Dingledine and Nick Mathewson. They are members of the Free Haven project. This project studies topics such as onion routing (the technology used by TOR) and Mixminion, an anonymous email network.

The paper presents two challenges: usability and network effect.

  • Usability is a typical challenge of security solutions. The authors show that privacy settings often require technical skills, which conflicts with ease of use for everybody. The easy solution is often to delegate security decisions to the user, who is not necessarily the best person to decide. This reminds me of the security model of Android, where you have to decide (too) many parameters.
  • Network effect: efficient anonymity requires a lot of traffic to hide within. This raises the problem of bootstrapping. And here is a nice tradeoff. If your system is extremely secure, it will most probably be difficult to use, thus attracting fewer people, thus reducing the strength of anonymity. On the other hand, if the system is easy to use, thus less secure, it may attract more users, thus strengthening anonymity.
    For instance, in the design of Mixminion, they had to answer the following tradeoff:

    Since fewer users mean less anonymity, we must
    ask whether users would be better off in a larger network where their messages
    are likelier to be distinguishable based on email client, or in a smaller network
    where everyone’s email formats look the same.

The three described use cases, Mixminion, TOR, and JAP, are excellent illustrations of the issues. An excellent paper.

Citation: N. Mathewson and R. Dingledine, “Anonymity Loves Company: Usability and the Network Effect,” Proceedings of the Fifth Workshop on the Economics of Information Security WEIS 2006, pp. 547-559.
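
The Mixminion tradeoff quoted above can be put into numbers. The following is an added example, not code from the paper or from Mixminion: it measures anonymity as the sender entropy left once an adversary has seen a message's client format. The user counts and client names are constructed assumptions, and every user is assumed to send equally often.

```python
import math

def average_bits(groups):
    """Expected sender entropy (bits) when the adversary can tell which
    client-format group a message belongs to; senders are uniform
    within a group and every user sends equally often (assumption)."""
    total = sum(groups.values())
    return sum(n / total * math.log2(n) for n in groups.values() if n)

def worst_case_bits(groups):
    """Entropy left to a user of the rarest client format."""
    return math.log2(min(n for n in groups.values() if n))

def compare(large, small):
    """Return (average, worst-case) bits for both networks."""
    return {
        "large": (average_bits(large), worst_case_bits(large)),
        "small": (average_bits(small), worst_case_bits(small)),
    }

# Constructed populations (assumptions, not figures from the paper):
# a large network whose messages are distinguishable by email client,
# and a smaller one where every message has the same format.
LARGE_MIXED = {"client_a": 6000, "client_b": 3000,
               "client_c": 900, "client_d": 100}
SMALL_UNIFORM = {"uniform": 2000}

if __name__ == "__main__":
    for name, (avg, worst) in compare(LARGE_MIXED, SMALL_UNIFORM).items():
        print(f"{name}: average {avg:.2f} bits, worst case {worst:.2f} bits")
```

With these constructed numbers the larger, distinguishable network gives more anonymity on average, while a user of the rarest client is far better off in the smaller uniform network, which is why the question has no single answer.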