Internet Censorship and Control

Academic papers, Internet censorship, Legal issues, Politics, Privacy technology

The Internet is and has always been a space where participants battle for control. The two core protocols that define the Internet – TCP and IP – are both designed to allow separate networks to connect to each other easily, so that networks that differ not only in hardware implementation (wired vs. satellite vs. radio networks) but also in their politics of control (consumer vs. research vs. military networks) can interoperate easily. It is a feature of the Internet, not a bug, that China – with its extensive, explicit censorship infrastructure – can interact with the rest of the Internet.

Today we have released an open-access collection (also published as a special issue of IEEE Internet Computing), of five peer reviewed papers on the topic of Internet censorship and control, edited by Hal Roberts and myself (Steven Murdoch). The topics of the papers include a broad look at information controls, censorship of microblogs in China, new modes of online censorship, the balance of power in Internet governance, and control in the certificate authority model.

These papers make it clear that there is no global consensus on what mechanisms of control are best suited for managing conflicts on the Internet, just as there is none for other fields of human endeavour. That said, there is optimism that with vigilance and continuing efforts to maintain transparency the Internet can stay as a force for increasing freedom than a tool for more efficient repression.

Workshop on the Economics of Information Security 2013

Academic papers, Politics, Security economics, Security psychology

I’m liveblogging WEIS 2013, as I did in 2012, 2011, 2010 and 2009. This is the twelfth workshop on the economics of information security, and the sessions are being held today and tomorrow at Georgetown University. The panels and refereed paper sessions will be blogged in comments below this post (and there’s another liveblog by Vaibhav Garg).

Security and Human Behaviour 2013

Academic papers, Politics, Security economics, Security psychology, Social networks, Usability

I’m liveblogging the Workshop on Security and Human Behaviour which is being held at USC in Los Angeles. The participants’ papers are here; for background, see the liveblogs for SHB 2008-12 which are linked here and here. Blog posts summarising the talks at the workshop sessions will appear as followups below. (Added: there is another liveblog by Vaibhav Garg.)

A further observation on quantum computing

Academic papers, Security engineering

Today we’ve published a paper showing that Bell’s inequality is violated in fluid mechanics. What has this to do with computing or security? Well, when we posted a paper back in February pointing out that hydrodynamic models of quantum physics raise questions about the scalability of quantum computing, a number of people asked for a better explanation of how this squares with the Bell tests. John Bell proved an inequality in 1964 that applies to classical particles but that is broken by quantum mechanical ones. In today’s paper we show that Bell’s inequality does not hold in classical fluid dynamics, as angular momentum and energy are delocalised in the fluid.

This may have implications for engineering, science and philosophy. On the engineering front, nine-figure sums have been poured into developing quantum computers, but even advocates of quantum computing admit they don’t really work. As our February paper argued, a hydrodynamic interpretation of quantum mechanics may suggest reasons why.

On the scientific front, the Bell tests are commonly seen as excluding not just local hidden-variable models of quantum mechanics, but local realism too. Our paper shows that the two are distinct, and thus leaves more room for research on quantum foundations. It also shows that we should be more careful in our use of terms such as ‘local’ – which might be of interest to the philosophers; the Bell tests do not draw quite as clear a dividing line between the quantum and classical worlds as many have believed.

Revisiting secure introduction via hyperlinks

Academic papers, Protocols, Security engineering, Web security

Today at W2SP I presentednew paper making the case for distributing security policy in hyperlinks. The basic idea is old, but I think the time is right to re-examine it. After the DigiNotar debacle, the community is getting serious about fixing PKI on the web. It was hot topic at this week’s IEEE Security & Privacy (Oakland), highlighted by Jeremy Clark and Paul van Oorschot’s excellent survey paper. There are a slew of protocols under development like key pinning (HPKP), Certificate Transparency, TACK, and others. To these I add s-links, a complementary mechanism to declare support for new proposals in HTML links. Continue reading Revisiting secure introduction via hyperlinks

A search engine for code

Academic papers, Security engineering, Seminars, Useful software

In a seminar today, we will unveil Rendezvous, a search engine for code. Built by Wei-Ming Khoo, it will analyse an unknown binary, parse it into functions, index them, and compare them with a library of code harvested from open-source projects.

As time goes on, the programs we need to reverse engineer get ever larger, so we need better tools. Yet most code nowadays is not written from scratch, but cut and pasted. Programmers are not an order of magnitude more efficient than a generation ago; it’s just that we have more and better libraries to draw on nowadays, and a growing shared heritage of open software. So our idea is to reframe the decompilation problem as a search problem, and harness search-engine technology to the task.

As with a text search engine, Rendezvous uses a number of different techniques to index a target binary, some of which are described in this paper, along with the main engineering problems. As well as reverse engineering suspicious binaries, code search engines could be used for many other purposes such as monitoring GPL compliance, plagiarism detection, and quality control. On the dark side, code search can be used to find new instances of disclosed vulnerabilities. Every responsible software vendor or security auditor should build one. If you’re curious, here is the demo.

Traceability in the Queen's Speech

Legal issues, News coverage, Politics

The Queen’s speech at today’s state opening of Parliament includes the prediction:

“In relation to the problem of matching Internet protocol addresses, my Government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace”

This is all that remains of the Home Office’s ambition to bring forward a revised version of the Draft Communications Data Bill that two Parliamentary Select Committees were so unimpressed by, and which the Liberal Democrats have declined to support.

The sole issue on which there appears to be political consensus is that “something must be done” about the traceability failure that regularly occurs when the Internet is accessed from a smartphone. The shortage of IPv4 addresses means that the mobile companies cannot give each smartphone a unique IP address — so hundreds of users share the same IP address with only the TCP/UDP source port number distinguishing their traffic. Because this sharing is done very dynamically the mobile phone companies find it problematic to record the source port mapping, and they have argued that the way the EU Data Retention Directive is written they have no obligation to make and keep such records.

I wrote about this issue at some length on this blog in January 2010, although until very recently the Home Office considered it to be tantamount to a state secret and were extremely coy about discussing it in the public.

The Queen’s “bring forward proposals” phrase appears to cover a range of options:

  • the mobile companies decide that they can manage to log the source port mapping data after all;
  • the Home Office pays for new kit at the mobile companies that will allow source port mapping to be done;
  • there is a short bill (or clause in another bill) that requires the logging to be done (this might avoid any question of payments being ultra vires, or would ensure compliance by companies (possibly broadband suppliers) that looked like becoming stragglers;
  • there are discussions but nothing happens at all — perhaps because the tide turns against Data Retention as being a necessary and proportionate policy. A number of other EU countries have found it to be incompatible with fundamental human rights.

The Open Rights Group (ORG) have recently produced a pamphlet (available online here) setting out how surveillance might be better approached in this century. I contributed the chapter on the technical issues…

… if you don’t have time to read the whole thing then the New Statesman has an edited version of my chapter; and you can watch a short video of myself (and two other contributors) explaining the major issues.

How Privacy is Lost

Legal issues, News coverage, Politics, Privacy technology

On Friday I went to a fascinating lobbying meeting on the new EU data protection regulation. Europe is by default the world’s privacy regulator, as America doesn’t care and no-one else is big enough to matter; so this is really important. Some 3000 amendments have been proposed and the regulation is in the final stages of the committee process; the rapporteurs of the various parties are negotiating compromise amendments which should be ready for a vote within weeks. So the pressure is really on.

Friday was extraordinary because all the lobbyists came together in one room to argue their cases. This is because the liberal shadow rapporteur Alexander Alvaro was injured in a car crash last month, so Sarah Ludford, a London MEP, took over at the last minute. Normally lobbyists see MEPs singly or in small groups, but as time was short Sarah called a mass meeting at Europa House in London. So we all got to hear what the others were pushing for. Campaigners for open government say we’d have better laws if more if the process was public; here’s an example where that happened (literally) by accident.

I am posting my notes of the meeting here, as it’s a good case history of how lobbying works, as well as of how our privacy is being lost. There were about 100 people present, of which only 5 were from civil society. Most were corporate lobbyists: good-looking, articulate and impressive, but pushing some jaw-dropping agendas. For example the lovely lady from the Association of British Insurers found it painful that the regulation might ban profiling that was unfair or discriminatory.

Continue reading How Privacy is Lost

Liveblog – MedConfidential.org launch

Legal issues, News coverage, Politics, Security economics

I’m at the launch in London of the new campaign for medical privacy, MedConfidential.org. Sam Smith and I will be liveblogging the day’s events in comments below. For background, see here, here, here and here. Most of today’s audience are from groups for whom medical privacy is particularly important, such as charities dealing with rape victims, substance abuse, sexual health and child wefare.