Monday, November 16, 2009

Breaking the Botnet Code

UC Berkeley Professor Dawn Song co-presented a talk on Malware and Bots at the Association for Computing Machinery's Conference on Computer and Communications Security this week.

Networks of compromised computers controlled by a central server, known as 'botnets' can be used to systematically spew spam, host malicious code, or flood a network to cut off its access to the Web. Researchers presented a tool at the conference that can decipher the structure and purpose of communications between a control server and its bots through automatic reverse engineering. The researchers parlayed the technique into a tool called Dispatcher that will analyze botnet network communications and even inject new information into the communications stream.

The researchers note that such automated tools are not yet needed for analyzing most malware since more than 90 percent of all botnets use easy-to-break encryption with their communications, making manual techniques rather easy and fast.

Yet botnets will continue to evolve, says UC Professor Song. "Botnet programs are becoming more complicated," she says. "They are using various obfuscation techniques and so on. So maybe manual analysis can work for now, but in the future, we will need better tools."

See article in Technology Review.

Friday, October 23, 2009

UC Berkeley computer science professor and privacy expert, Doug Tygar, consulted about security flaws in CalJOBS website

When "CBS 5 Investigates" discovered a state-run website may be putting hundreds of thousands of Californians at risk of identity theft, they asked UC Berkeley Computer Science professor and privacy expert Doug Tygar to take a look at a problem experienced by laid off worker Tom Diederich.

Diederich had posted his resume on CalJOBS, the state's job site, as is required for getting unemployment benefits. However, when Diederich logged back in to the site the next day, he saw someone else's information, including their name, where they live, email and phone number. The next time, he got a different person's information, and the following 5 or 6 times he logged in, he saw the same details about those other people.

Professor Tygar said, "I consider that to be a serious security breach." Moreover, Tygar was able to get into the site and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said. Just by changing a few numbers in the URL, he was able to go in and change information on people's resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

The glitch that allowed Diederich to click on his bookmark and read other people's resumes appears to be fixed. EDD said their web site team is now following up on the other possible vulnerabilities identified by CBS 5 Investigates. They say if such vulnerabilities are found, they will correct them immediately.
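The flaw Tygar describes, where changing a record number in the URL returns another applicant's data, is a missing server-side ownership check. The example below is added here and is not code from the CBS 5 story or from CalJOBS; the records, user ids and log lines are constructed. It shows a handler that trusts the id in the URL beside one that checks the record's owner against the logged-in session, and a small audit over constructed access-log lines that flags users reading records they do not own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resume:
    resume_id: int
    owner_id: int
    name: str
    phone: str


# Constructed sample records standing in for the job site's database.
RESUMES = {
    1001: Resume(1001, owner_id=1, name="Applicant A", phone="555-0100"),
    1002: Resume(1002, owner_id=2, name="Applicant B", phone="555-0101"),
    1003: Resume(1003, owner_id=3, name="Applicant C", phone="555-0102"),
}


class Forbidden(Exception):
    """Raised when the logged-in user may not see the requested record."""


def get_resume_vulnerable(session_user_id: int, resume_id: int) -> Resume:
    """Trusts the id taken from the URL: any logged-in user can read any record."""
    return RESUMES[resume_id]


def get_resume_hardened(session_user_id: int, resume_id: int) -> Resume:
    """Authorizes against the server-side session, never against the URL alone."""
    resume = RESUMES.get(resume_id)
    # Missing and foreign records get the same answer, so ids cannot be enumerated
    # by telling "does not exist" apart from "belongs to someone else".
    if resume is None or resume.owner_id != session_user_id:
        raise Forbidden("not found")
    return resume


def can_read(session_user_id: int, resume_id: int) -> bool:
    """Convenience wrapper around the hardened check."""
    try:
        get_resume_hardened(session_user_id, resume_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines in a hypothetical "user=<id> GET /resume?id=<id>" format.
LOG_LINES = [
    "user=1 GET /resume?id=1001",
    "user=1 GET /resume?id=1002",
    "user=1 GET /resume?id=1003",
    "user=2 GET /resume?id=1002",
]

_LOG_RE = re.compile(r"user=(\d+) GET /resume\?id=(\d+)")


def flag_foreign_record_access(lines, threshold: int = 2) -> dict:
    """Return {user_id: [foreign ids]} for users who requested at least
    `threshold` distinct records they do not own. Useful as a detection
    signal after the fact, independent of whether the handler was fixed."""
    foreign = defaultdict(set)
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not resume reads
        user_id, resume_id = int(m.group(1)), int(m.group(2))
        resume = RESUMES.get(resume_id)
        if resume is not None and resume.owner_id != user_id:
            foreign[user_id].add(resume_id)
    return {u: sorted(ids) for u, ids in foreign.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", get_resume_vulnerable(1, 1002))
    print("hardened, own record:", can_read(1, 1001))
    print("hardened, foreign record:", can_read(1, 1002))
    print("flagged users:", flag_foreign_record_access(LOG_LINES))
```

The hardened handler keys authorization on the session's user id, which the client cannot edit, rather than on a record number that anyone can retype into the address bar; the audit function is the complementary check a site operator can run over existing logs to see whether the flaw was exercised before it was fixed.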

See full story at CBS News.

UC Berkeley Professor David Wagner contracted by the state to investigate voting logs

The state of California is conducting a months-long investigation into audit logs inside the state's electronic voting systems after reports of serious problems with the logs, even to the point where an election official or someone else could delete votes while leaving no electronic trail of such action.

According to Secretary of State Debra Bowen, the investigation is examining what the audit logs actually record and whether they can be easily altered or deleted. Bowen, appearing at an event concerning an open source voting project in development, told Threat Level that the state had contracted with David Wagner, a computer scientist with the University of California at Berkeley to investigate what the logs on the Premier/Diebold e-voting system, as well as every other voting system used in California, do and do not record.

See full article in THREAT LEVEL.

Wednesday, September 23, 2009

TRUST Executive Director at launch of UK's new cybersecurity center

The United Kingdom's lead center for cyber security research opens today at Queen's University Belfast. The £30 million Centre for Secure Information Technologies (CSIT) will become the UK's principal center for the development of technology to combat malicious cyber attacks and is one of the first Innovation and Knowledge Centres (IKCs) created in the UK.

The attendance at the Centre's launch of some of the most respected national and international figures in the field of cyber-security, including Larry Rohrbough, Executive Director of TRUST, the United States' major cyber-security center at the University of California at Berkeley, highlights the significance of the new Centre to the global communications and IT industries.

Professor John McCanny, CSIT principal investigator, says: "The approach adopted within CSIT contrasts with the more conventional way academic research is undertaken. Our starting points tend to be larger 'mission-driven' projects involving sizeable teams for which ambitious and challenging end goals have been identified."

See press release at EurekAlert!.

Wednesday, August 26, 2009

UC Berkeley Professor Ruzena Bajcsy receives Technical Leadership Award

The winner of the Anita Borg Technical Leadership Award, given to a woman who has inspired the women's technology community through outstanding technological and social contributions, is Ruzena Bajcsy, Professor of Electrical Engineering at the University of California, Berkeley, and Director Emerita of the Center for Information Technology Research in the Interest of Society (CITRIS). Dr. Bajcsy has spearheaded new research fields, guided national policy regarding social issues and led the computing community in addressing them.

See press release at MarketWatch.

Wednesday, August 12, 2009

Sequoia e-voting machine commandeered by clever attack

Using a method known as return-oriented programming, computer scientists have figured out how to trick a widely used electronic voting machine into altering tallies by bypassing measures that are supposed to prevent unauthorized code from running on it.

The Sequoia AVC Advantage machine is programmed to execute code only when it's stored on read-only memory chips that are difficult to install and remove. By expressly forbidding running code in random access memory, the intention was to make it impossible for attackers to inject malicious programs that might compromise the integrity of an election.

However, a computer science research team from Princeton, UC San Diego and the University of Michigan succeeded with an attack by first reverse engineering the hardware of a legally purchased Sequoia AVC Advantage and then reverse engineering the software it ran by analyzing the ROM. The research was presented this week at the 2009 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections.

"It's excellent research," said David Wagner, a computer scientist from the University of California at Berkeley who attended the conference. "The research is significant because it illustrates that attacks get better over time and it shows just how difficult it is to protect paperless voting systems."

See article in The Register.

Wednesday, July 29, 2009

Creating the New Cybersecurity Pro; Interview with Cornell Computer Science Professor Fred Schneider

Samuel B. Eckert Professor of Computer Science at Cornell University Fred Schneider believes the future of the IT profession is handicapped by a shortage of academics to provide the training for needed IT security skills.

In an interview with GovInfoSecurity.com, Schneider contends that to produce not only the teachers, but the practitioners themselves, American universities need to create innovative graduate-level programs that provide training that encompasses not only an understanding of IT security technologies, but an understanding of why the technology is needed as well.

Schneider, also a member of the federal government's Information Security and Privacy Advisory Board and co-chair of Microsoft's Trustworthy Computing Academic Advisory Board, says: "In the longer term, when you make cybersecurity technology decisions, you want to make it within the context of things like knowing its effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making and understanding about business models."

See full story and interview transcript in GovInfoSecurity.com.

Wednesday, July 22, 2009

Academic: Wireless sensors can easily measure caloric intake

Shankar Sastry, Dean of Engineering at the University of California Berkeley, was recently interviewed along with Senior Director of Manhattan Research, Monica Levy, by the California Healthcare Foundation's iHealthBeat. Both Sastry and Levy discuss the current state and the promise of wireless-enabled healthcare tools.
“The cell phone is perfect because it’s like a wrist watch you carry around. I think the idea of having access to electronic medical records is transformational in that it changes electronic medical records to be personal health records,” Sastry said. “So I think that going forward there will be a huge consumer push to be able to both record and analyze data, and the cell phones are gradually becoming not just a place for repository and also for analyzing data, but also as a distributive sensor network in the sense that the cell phone can interrogate other sensors which are attached to your body.”

“It’s reasonably easy for us to measure the [caloric] in-take; the out-take has always been way, way difficult, partly because we have such different metabolic rates,” Sastry said. “But I do think with the sensing though you do get a handle on those metabolic rates. So that I think is huge: to be able to then get a sense of how much you are burning up in addition to how much you are taking in.”

See more at mobilehealthnews.com.

Monday, June 15, 2009

Dr. Ruzena Bajcsy to receive HP Innovation Award

Dr. Ruzena Bajcsy, EECS Professor at the University of California, Berkeley, was among professors selected from around the world to receive an award as part of the second annual HP Labs Innovation Research Program.

The Program is designed to create opportunities for colleges, universities and research institutes for conducting breakthrough collaborative research with HP. Given the significant contributions achieved in last year's program, which includes 61 published papers and 13 invention disclosures, HP extended a second year of funding to 31 professors in 2009.

Awardees will work with HP Labs' researchers on fundamental research areas like intelligent infrastructure, immersive interaction and cloud computing, which includes social computing.

See complete article at TRADINGMARKETS.COM.

Tuesday, June 09, 2009

National cyber security: Cornell's Fred Schneider will testify before Congress

Cornell University Computer Science Professor Fred Schneider, a noted expert on cyber security, will testify at the Hearing on Cyber Security Research and Development on Wednesday, June 10, organized by the Committee on Science and Technology, U.S. House of Representatives.
See announcement in Media Newswire.

Thursday, May 28, 2009

Stanford's Dawson Engler Receives 2008 Grace Hopper Award

TRUST researcher and Stanford University Professor Dawson Engler was awarded the Association for Computing Machinery Grace Murray Hopper Award for 2008.

This prestigious award is given annually to the "outstanding young computer professional of the year" who is selected based on a "single recent major technical or service contribution". Prof. Engler was cited for his groundbreaking work in developing advanced tools and techniques that automate program checking to identify software errors. His approaches based on static analysis, model checking, and symbolic execution have proven very successful at finding bugs in large and complex applications.

Technical papers describing this research are available on Prof. Engler's homepage.

Monday, May 11, 2009

Personal information of thousands of UC Berkeley students, alumni hacked

Approximately a decade's worth of information on current and former UC Berkeley students was stolen by hackers, as announced by the University last Friday. The breach involved records dating back to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians.

The thefts were initially discovered about a month ago, but system administrators did not realize the scope of the attack until April 21.

University Associate Vice Chancellor for Information Technology Shelton Waggener said the hackers disguised their work as routine operations and then left taunting messages for UC Berkeley employees. Waggener says that the thieves accessed the information through the University web site.

Stanford University Professor of Computer Science John Mitchell said that thieves worldwide have set up black markets to sell stolen data, adding that Asia, Eastern Europe and Nigeria have particularly active hackers. Mitchell also stated that the taunting messages left by the Berkeley thieves may indicate they are amateurs. "If your intent is to steal information and sell it on the black market, you're probably not going to call attention to yourself like that," he said. "It could be that these are kids."

See more in The Daily Review.

Wednesday, April 29, 2009

Momentum Shifts Against Google in Old Books Controversy

BNET media relates several new developments in the class action suit between Google and some authors over who will control publishing rights of millions of out-of-print books.

One of the leading legal experts on issues of intellectual property rights, UC Berkeley Professor Pamela Samuelson has written a powerful argument to the presiding judge in the case, U.S. District Judge Denny Chin. Judge Chin himself has also announced that he is extending the deadline for those wishing to oppose the settlement by four months, from May 4 to September 4.

The Justice Department is checking out the antitrust implications of the arrangements made between Google and groups representing publishers and authors, where it would be possible for millions more books to be included in Google Book Search unless the copyright holders take steps to opt out.

A larger issue to those who were not party to the deal concerns the large number of "orphan works", those whose rights holders cannot be identified.

“The proposed settlement of this lawsuit is a privately negotiated compulsory license primarily designed to monetize millions of orphan works,” wrote Professor Samuelson. “[It] would give Google a monopoly on the largest digital library of books in the world. It and BRR, which will also be a monopoly, will have considerable freedom to set prices and terms and conditions for Book Search’s commercial services. … Google will also be the only service lawfully able to sell orphan books and monetize them through subscriptions.”

See more on this story at Good Morning Silicon Valley, Los Angeles Times, and Silicon Beat.

Monday, April 20, 2009

Google Books Rival Objects to Settlement

San Francisco's digital library Internet Archive opposes the current 125 million dollar Google settlement with authors and publishers that gives Google the rights to scan and sell books on the Internet.

Dismay at the fate of orphan works, estimated at some 70 percent of books being scanned, is mounting as the May 5 deadline for objections to the settlement nears.

UC-Berkeley School of Law professor Pamela Samuelson said the issue of orphaned works should be handled by legislators, not as a settlement in a class action. "Usually if you want a compulsory license you have to go to Congress," she said.

Professor Samuelson favors a scenario in which the Internet Archive, as well as other digital libraries in addition to Google, would get a license to scan the books and make them available online. "I hadn't expected them to intervene," she said. "It's an interesting development -- it's going to be interesting to see how it turns out."

See more at Law.com.

Friday, April 10, 2009

Copyright Scholar Challenges RIAA/DOJ Position

Slashdot refers to an article in New York Country Lawyer about UC Berkeley Professor Pamela Samuelson, leading copyright law scholar, publishing a 'working paper' that argues directly against the stand taken by the US Department of Justice in RIAA cases on the constitutionality of the RIAA's statutory damages theories. The Department of Justice has argued that the Court should follow a 1919 United States Supreme Court case upholding the constitutionality of a statutory damages award that was 116 times the actual damages borne, under a statute that gave consumers a right of action against railway companies.

The paper discusses, in depth, a number of issues regarding statutory damages under the Copyright Act and also concludes that the State Farm/Gore due process test is applicable to statutory damage awards under the Copyright Act.

This position is consistent with that taken in the amicus curiae brief filed by the Free Software Foundation in an earlier RIAA case defending the defendant's Due Process defense to the RIAA's claim for statutory damages, and contradicts the Department of Justice briefs, arguing that the Gore due process test applies.

See the complete working paper, Statutory Damages in Copyright Law: A Remedy in Need of Reform, by Pamela Samuelson and Tara Wheatland.

The DOJ's intervention last month on behalf of the RIAA was covered in a Slashdot posting Obama DOJ Sides with RIAA.

Tuesday, April 07, 2009

Google’s Plan for Out-of-Print Books Is Challenged

Slashdot mentions an article in the New York Times about a growing tide of complaints against Google in response to an extensive settlement that some feel will grant the mammoth company too much control over the "orphan books" they have been scanning into digital format. The settlement could give Google near-exclusivity with respect to the copyright of books that the author and publisher have basically abandoned. They may be out of print but while they remain under copyright, the rights holders are unknown or cannot be found.

“No other company can realistically get an equivalent license,” said Pamela Samuelson, a professor at the University of California, Berkeley, and co-director of the Berkeley Center for Law and Technology.

Critics say that without the orphan books, no competitor will ever be able to compile the comprehensive online library Google intends to create. Without competition, Google will be able to charge universities and others a high price for access to its database.

While most of the critics, including copyright specialists, antitrust scholars and some librarians, agree that the public will benefit, they say others should also have rights to orphan works.

See complete article in the New York Times.

Monday, March 09, 2009

Do Breach Notification Laws Work?

Deirdre Mulligan, professor of information technology law and policy at UC Berkeley's School of Information was one of several speakers at a Security Breach Notification symposium held in Berkeley last Friday. The symposium's directive was to try to answer the question of whether breach notification laws are actually working.

California passed the first data breach notification law in 2003, which quickly became the standard for the rest of the country. While it is clear that the laws have made the public more aware of the vulnerability of their data and have exposed poor security practices at many a business, it is unclear what other benefits the laws have had. Breach notifications should, in theory, reduce incidence of identity theft or fraudulent charges to credit cards if consumers take proper precautions when they receive a notification, as with a fraud alert or a freeze on their credit account because of suspicious transactions.

There are also other questions to ask about what effect breach notifications have on the relationship between the customer and the breached organization. While consumers often express anger and mistrust toward companies that lose their data, it is unclear how often that mistrust actually translates to action.

According to Professor Mulligan, a Ponemon study found that about 20 percent of respondents claimed to have terminated their relationship with a company after discovering the company experienced a breach. But a separate survey of companies found that the percentage of customers who actually do terminate their relationship is less than 7 percent. Both numbers need to be taken with a grain of salt. "Consumers have a tendency to say they're going to do one thing when they actually do another," says Mulligan, "and companies also can't be relied on to honestly report the numbers of customers they lose from a breach."

See full article in Wired.

Monday, March 02, 2009

Shankar Sastry interviewed on Federal News Radio

Dr. Shankar Sastry, Dean of the College of Engineering at the University of California, Berkeley, was interviewed by Tom Temin for 'Federal Security Spotlight' on Federal News Radio in his role as director of the Team for Research in Ubiquitous Secure Technologies (TRUST).

Sastry described how TRUST, funded by the National Science Foundation and housed at the University of California at Berkeley, was formed as a team of some of the best minds from UC Berkeley, Vanderbilt, Cornell, Carnegie-Mellon, and Stanford Universities, with Smith, San Jose State University and Mills College as outreach partners, to examine the interconnection between cyber infrastructure and physical infrastructure. The complex interplay of component technology, policy, law, privacy issues and economic considerations is the motivation for putting together the TRUST Center.

Prof. Sastry described how initially it was the internet that was the primary security concern, with various worms and viruses emerging, but as time went on, power, water, telecommunications and other physical infrastructures also became implicated in security concerns.

Temin raised the issue of security and health-care concerns with electronic medical records/personal health records. The issues, according to Prof. Sastry, are about trying to make sure that (a) we can collect this information and (b) we can make the information available without all the paperwork. Having the data available to the patient is also an objective.

"The issues of privacy and selective disclosure is a subject of some debate", says Sastry. "I think there are legitimate needs for the medical industry to learn about, say, the efficacy of certain drugs", but there is also a tension between personal and medical records that are seen by many entities, billing, pharmaceuticals, different kinds of doctors, he says. Sastry observed the need to stop any 'mining' of this information and a need to be able to stop a 'fishing expedition' in this area.

Trust research is focusing on both the security and the privacy of patients as well as the possibility of a patient 'customizing' their records to make some records available to their doctors only.

Another area of research involves wireless networking vulnerabilities. Sastry describes a scenario where we will literally have 1,000 radios around people, controlling the physical environment by means of embedded RFIDs and wireless sensor networks, evolving to a future of computation on wireless devices. Dr. Sastry says we need a reliable and secure medium for a wireless network. Wireless airwaves are not as reliable as a wired infrastructure because they are susceptible to jamming, to retransmission, etc.

A secure communications medium interacts with privacy and security. The privacy agenda enters in subtle ways in that by anonymizing the data, for example with real-time traffic monitoring via cellphone, it is not subverted as a means of tracking someone as they are driving in traffic. Cellphones will be used more and more as sensor networks.

Sastry described TRUST's mission as deriving security solutions in a principled way that is not reactive, as with the cat-and-mouse pattern of attacks followed by solutions followed by new attacks as has been the case thus far.

To listen to the complete interview (in 3 parts), go to Federal News Radio.

Wednesday, February 11, 2009

D.A. considers 211 cases of possible voter fraud

The Orange County, California District Attorney's Office is investigating 211 possible cases of voter fraud in the November 4th presidential election. Registrar of Voters Neal Kelley sent the list after his office used computer databases to search for cases where one person submitted more than one ballot. Kelley says that history shows that most instances of double voting are unintentional as with a voter that submits two absentee ballots, or an absentee ballot in addition to voting at the polls.

UC Berkeley Professor David Wagner, who studies electronic voting security, says that post-election audits across the state have improved recently under the heightened scrutiny of state and local officials. "It's important for transparency because it gives voters more confidence that the right person won," Wagner said. "The big picture is the whole state of California is in good shape."

Wagner stated that these registration errors should be fixed for future elections but that it is not something that's going to affect the outcome of an election since it is an issue of such small scale.

See complete article in OC Register.

Monday, January 26, 2009

Phone security is much better, says UC Berkeley Professor

The Akron Beacon Journal relayed comments by UC Berkeley Professor David Wagner regarding current telephone security. When asked if there were any difference in security between using a corded phone and a cell phone, Wagner replied, "Assuming your cell phone is digital, there's not enough difference to worry about. Back when cell phones were analog, eavesdropping was easy." However, today most cell phones are digital, and while eavesdropping on a digital cell phone is possible, "it's pretty much out of the reach of casual interception," he said.

Wagner notes that wired phones aren't completely secure either, but said both digital cell phones and wired phones are secure enough for most people to use for everyday business. In truth, the weakest aspect of cell-phone use is the frequency of having sensitive conversations in public places without thinking about being overheard.

See more at Ohio.com.

Friday, December 19, 2008

Experts debate: Is DRM good or bad for consumers?

COMPUTERWORLD ran a story about the FTC's discussion about the controversial DRM (digital rights management) technology possibly benefiting consumers because it could give them more choices for downloading or buying copyrighted content. Others on a panel discussion about new technology products are not convinced, however.

Until DRM matured, consumers had control over how they used digital content, noted Deirdre Mulligan, director of the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley, Law School. DRM is creating a "permission culture" where consumers have to ask the copyright owner's permission to play a piece of music on both a home computer and a car stereo, she said.

Until DRM, "there was a lot of breathing space in copyright law," she added.

In addition, many consumers don't understand DRM restrictions, and they're surprised when a CD that works on a home stereo can't be played somewhere else, she said. Vendors offer "little disclosure about how consumers can use" DRM-protected content, she said.

See full article at COMPUTERWORLD.

Friday, November 14, 2008

Shankar Sastry to discuss UC Berkeley's initiatives at its first Global Technology Leaders Conference

A press release came out yesterday in the Wall Street Journal's online MarketWatch announcing UC Berkeley as host of the inaugural A. Richard Newton Global Technology Leaders Conference on Thursday, November 20th.

The conference will bring together notable entrepreneurs, scientists and researchers to discuss the world's most overarching challenges and ascertain pathways to solution in the health sciences, energy and technology fields. Dean of UC Berkeley's College of Engineering, Shankar Sastry, will discuss Berkeley's initiatives in these areas. Alberto Sangiovanni-Vincentelli, professor in Electrical Engineering and Computer Sciences at Berkeley, will deliver the keynote address, "The Future of the Future."

The conference is being held during Global Entrepreneurship Week and is sponsored by the Ewing Marion Kauffman Foundation; the goal for the group is to develop a roadmap leading to new industries in energy, technology and health care. "It is fitting to launch this annual series during a week that seeks to inspire young people to be innovative and entrepreneurial," said Lesa Mitchell, vice president, Advancing Innovation, Kauffman Foundation.

See complete story in MarketWatch.

Thursday, November 13, 2008

Improving the Count; Prof. David Wagner, others pose solutions for better election system

The Boulder Daily Camera ran an article Sunday regarding problems with voting systems in general and in Boulder County specifically. Although Boulder County Commissioners agreed to spend $1.4 million on optical scanning equipment in 2004, it didn't take long for problems that still follow the county's election process to show up. In August 2004, Boulder County lagged hours behind other Colorado counties. Worse, poorly printed ballots delayed election results for 72 hours in November 2004.

“If the proper maintenance and everything else is being done to (the scanners), this is the voting system we should be using,” said John Gideon, co-director of VotersUnite!, a non-partisan group that has been logging errors on all kinds of voting machines.

Computer scientist David Wagner of the University of California at Berkeley, who studies electronic voting machines, agrees. “Right now, I think optical scan systems are probably the most mature, reliable technology on the market,” he said. “Boulder got the best technology on the market. ... None of the voting systems are perfect, and they all have their limitations.”

See full story in The Boulder Daily Camera.

Wednesday, November 12, 2008

Profitability of spam finally measured

ZDNet posted an article about a key paper presented at this year's ACM Conference on Computer and Communication Security. A team of researchers, including UC Berkeley Professor Vern Paxson, used somewhat aggressive tactics to collect data that measures the conversion rate, or the rate at which an advertising impression results in a products sale, for spam. They essentially hijacked a portion of the notorious Storm botnet to inject spam that contained links to domains and storefronts they controlled.

The team's data has shown that generating 28 sales at an average of $100 each of various "male-enhancement" products required 350 million separate spam messages. This works out to a yearly revenue rate for the Storm botnet from the sale of pharmaceuticals of around $3.5 million.

See complete article at ZDNet.

Tuesday, November 04, 2008

What Could Possibly Go Wrong?

An article came out today in PCWorld regarding the progress of E-voting technology since the 2000 U.S. presidential election, although it has taken a rather zig-zagged path. After Congress passed the 2002 Help America Vote Act (HAVA), counties spent billions of dollars upgrading to new electronic voting machines, many of which were dumped when it was determined that they were either unusable or untrustworthy.

Machine malfunctions, touch-screen calibration errors, training problems with unskilled poll workers or human error on the part of the voter all impact on an election's outcome. All of the above notwithstanding, University of California computer science professor David Wagner states that bad design choices could be ferreted out if the federal government included user-interface testing as part of the certification process.

Proposed next-generation voting standards would require this type of testing, but it is not clear that these standards will be adopted, Wagner said. The Berkeley professor also said he will be watching these voter registration databases closely today.
"I don't know what to expect," he said. "Everything could go smoothly, or we could have a substantial fraction of voters who show up on Election Day, think they're registered and are told that there is some problem with their registration."

See article today in PCWorld.

Wednesday, October 29, 2008

David Wagner quoted in article on new trend in voting technology

In an article written by freelance technology journalist Cyrus Farivar, the concept of using cryptography for what is being called end-to-end voter-verifiability is described and analyzed.

In order for public officials to definitively show that the proposed cryptography works as it should, they would have to provide an advanced mathematical proof, or "zero-sum proof" as it is known, whose sheer size would preclude printing it on the ballot.

Among the several academics Farivar interviewed about the new cryptographic approach involved in voter-verifiable systems, Farivar quotes UC Berkeley Professor David Wagner, who asks: "Will voters accept something that uses mathematics that they won't understand?"

See details in Machinist.

Tuesday, September 16, 2008

Stephen Maurer quoted in New Scientist on DNA and Terrorism

Stephen Maurer, Director of the Goldman School Project on Information Technology and Homeland Security ("ITHS") and member of TRUST, was quoted in the New Scientist September 14, 2008 article, "DNA firms step up security over bioterrorism threat," which discusses efforts to counter fears that terrorists could make deadly viruses by ordering genetic material from corporations. Maurer is quoted as saying, "The fact that they're going to share their experiences is really important." Maurer helped write the industry guidelines.

Thursday, September 11, 2008

UC Berkeley Professor Doug Tygar called in as expert witness for the defense

Slashdot recounts a story published in NETWORKWORLD about the latest twist in the bizarre story of the rogue network administrator who hijacked the city of San Francisco's network in the last two months. With costs estimated at $1 million, city officials say they are trying to locate a mysterious networking device hidden somewhere in the network.

This device, which is referred to as a "terminal server" in court documents actually appears to be a router that was installed to provide remote access to the city's Fiber WAN network, which connects municipal computer and telecommunication systems throughout the city. The router was discovered on Aug. 28. When investigators tried to log in to the device, they were greeted with what appears to be a router login prompt and warning message saying "This system is the personal property of Terry S. Childs." Childs, a network administrator with DTIS was arrested June 12 on charges of network tampering after he refused to provide his superiors with administrative access to the city of San Francisco's network, which he'd managed for the past five years.

In a report filed before the city disclosed the hidden router, a court-appointed expert witness for the defense wrote that DTIS could easily prevent Childs from accessing the networks.
"I have seen no evidence that Mr. Childs is a 'computer hacker,' and by taking a number of simple steps, DTIS could block access by Mr. Childs to San Francisco networks," wrote Doug Tygar, a University of California, Berkeley computer science professor.

Childs' next appearance is set for September 24th, when he'll face up to seven years in prison if convicted.

For the complete story, see NETWORKWORLD.

Thursday, September 04, 2008

Samuelson quoted about copyright and electronic access to CA laws

In a September 3, 2008 Santa Rosa Press Democrat article, "He's giving you access, one document at a time," concerning efforts to make California laws more accessible on-line, Professor Pam Samuelson was quoted:

"If it's the law, the public should have access to it," she said.

Samuelson points out that the idea of copyright was established to provide people incentive to create. People are given exclusive legal rights to their paintings, writings and other works because by selling those rights they can attempt to make a living.

There is no similar need for financial incentives to establish standards such as building codes, Samuelson said. For the most part, volunteers spend long hours drafting proposed standards for things like plumbing and building. Governments often take those standards and adopt them into law.

Once the standards become law, she doesn't think people can claim copyright protections. But like Malamud, she sees the courts making the final ruling.

"I don't think it's an airtight case for either side. But I think the law favors that if something is a law, it's in the public domain," she said.


9/29/08 Update: This article has been picked up by the San Francisco Chronicle (9/27/08) and the NY Times (9/29/08).

Friday, August 29, 2008

TRUST Supports Undergraduate Security Research Experience

The Daily Californian ran an article on the UC Berkeley Summer Undergraduate Program in Engineering Research at Berkeley (SUPERB) program, including a group hosted by the TRUST Center. Led by Professor David Wagner and a group of graduate student mentors, the SUPERB-TRUST participants got firsthand experience conducting research into security vulnerabilities of software applications as well as general exposure to working in a university research environment.

Monday, August 25, 2008

Plug-in opens door for self-signed SSL certs in Firefox 3

An online posting of an article in INFORMATION SECURITY MAGAZINE appeared Friday about the release of a software plugin developed by CMU Professors Adrian Perrig and Dave Andersen along with Ph.D. student Dan Wendlandt. The plugin, part of a system called Perspectives, was designed to relieve some of the anxiety surrounding Mozilla Corp's decision not to display sites with either self-signed or expired SSL digital certificates in Firefox 3.

The Perspectives system works from a series of servers that monitor website connections, recording each site's public encryption key over time. If the servers confirm that the same key has been returned for a requested site for a predetermined period of time, Perspectives will override Firefox 3's default block on the site and allow the user to proceed.
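The key-continuity rule described above, as an added example that is not the Perspectives project's own code: a small Python model in which notary servers record the key a host presents over time and a client decides whether enough independent notaries have seen the presented key, uninterrupted, for long enough to override the warning. The hostname, key fingerprints, thresholds and observation history are all constructed for the example.

```python
"""Perspectives-style key continuity check (added example, not Perspectives code).

Notary servers probe a host over time and record the public key it presents. A
client shown a self-signed or expired certificate asks whether enough independent
notaries have seen this same key, without interruption, for long enough. Host,
fingerprints, policy thresholds and all observations below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Observation:
    notary: str        # notary server that made the observation
    host: str          # host:port the notary probed
    fingerprint: str   # fingerprint of the key the host presented
    seen_at: datetime  # when the notary saw it


@dataclass
class Verdict:
    accept: bool
    agreeing: int                    # notaries whose continuity meets the bar
    durations: Dict[str, timedelta]  # unbroken continuity per notary


DEFAULT_MIN_DURATION = timedelta(days=7)   # constructed policy value
DEFAULT_QUORUM = 2                         # constructed policy value
DEFAULT_MAX_STALENESS = timedelta(days=2)  # ignore notaries that stopped probing


def _history(observations: Iterable[Observation], host: str, notary: str) -> List[Observation]:
    """All observations one notary made of one host, oldest first."""
    return sorted((o for o in observations if o.host == host and o.notary == notary),
                  key=lambda o: o.seen_at)


def continuity(observations: Iterable[Observation], host: str, notary: str,
               fingerprint: str, now: datetime,
               max_staleness: timedelta = DEFAULT_MAX_STALENESS) -> timedelta:
    """How long `notary` has seen `fingerprint` as the host's key without a gap.

    Zero if the notary never saw the key, if its newest observation is a
    different key (a rotation, or a key interposed between notary and host),
    or if its newest observation is too old to say anything about the present.
    """
    hist = _history(observations, host, notary)
    if not hist:
        return timedelta(0)
    latest = hist[-1]
    if latest.fingerprint != fingerprint or now - latest.seen_at > max_staleness:
        return timedelta(0)
    # Walk back over the unbroken run of observations of this same key.
    run_start = latest
    for obs in reversed(hist[:-1]):
        if obs.fingerprint != fingerprint:
            break
        run_start = obs
    return latest.seen_at - run_start.seen_at


def check_key(observations: Iterable[Observation], host: str, fingerprint: str,
              now: datetime, min_duration: timedelta = DEFAULT_MIN_DURATION,
              quorum: int = DEFAULT_QUORUM) -> Verdict:
    """Accept only if at least `quorum` notaries each show continuity >= min_duration."""
    observations = list(observations)
    notaries = sorted({o.notary for o in observations if o.host == host})
    durations = {n: continuity(observations, host, n, fingerprint, now) for n in notaries}
    agreeing = sum(1 for d in durations.values() if d >= min_duration)
    return Verdict(accept=agreeing >= quorum, agreeing=agreeing, durations=durations)


# ---- constructed sample data ------------------------------------------------
HOST = "mail.example.test:443"         # placeholder host
OLD_KEY = "sha1:0a1b2c3d-constructed"  # placeholder fingerprint
NEW_KEY = "sha1:ffeeddcc-constructed"  # placeholder fingerprint
NOW = datetime(2008, 8, 25, 12, 0)


def _daily(notary: str, fp: str, first_day: int, last_day: int) -> List[Observation]:
    """One probe per day at 06:00, from `first_day` days ago down to `last_day` days ago."""
    return [Observation(notary, HOST, fp, NOW - timedelta(days=d, hours=6))
            for d in range(first_day, last_day - 1, -1)]


# Three notaries saw OLD_KEY every day for a month (notary-c last probed yesterday).
STABLE = (_daily("notary-a", OLD_KEY, 30, 0) + _daily("notary-b", OLD_KEY, 30, 0)
          + _daily("notary-c", OLD_KEY, 30, 1))

# Same history, but notary-a's newest probe just returned a different key.
ROTATED = STABLE + [Observation("notary-a", HOST, NEW_KEY, NOW)]


if __name__ == "__main__":
    print(check_key(STABLE, HOST, OLD_KEY, NOW))   # consistent key: override allowed
    print(check_key(ROTATED, HOST, NEW_KEY, NOW))  # new key seen once: stays unverified
```

A key seen once by a single notary has no continuity, so a freshly rotated key and an interposed key look the same to the client until the notaries have watched it for the required period.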

See SearchSecurity.com for details.

Friday, August 15, 2008

University of California, Berkeley Prof. Bajcsy wins Innovation Research Award

Hewlett Packard announced the 41 professors it has chosen to receive its HP Labs Innovation Research Awards, which fund joint research projects between academic research institutions throughout the world and HP Labs.

Drs. Ruzena Bajcsy and Van P. Carey, of the University of California, Berkeley were among the 41 professors selected.
"Deepening HP Labs' strategic collaboration with those in academia, government and the commercial sector ensures HP's research endeavors result in high-impact research that meets the scientific and business objectives of HP and its partners," said Prith Banerjee, senior vice president, Research, HP, and director, HP Labs. "The professors' deep technical expertise, HP Labs researchers' domain and industry knowledge, and governments' abilities to fund innovative research will come together to address the world's most complex IT challenges."
See complete story at MarketWatch.

Transit agency wants MIT students to stay gagged

The Electronic Frontier Foundation is providing legal defense for three MIT students prohibited from discussing vulnerabilities they discovered in subway card security by an order given to the Massachusetts Bay Transportation Authority by a District Court Judge.

The EFF has enlisted some high-profile academics, including UC Berkeley's David Wagner, to strengthen the case that the restraining order is antithetical to security research.

Security researchers are watching this case carefully because it could ultimately set a precedent weighing First Amendment rights to publish freely against a vendor's desire to keep embarrassing and potentially explosive details secret.

Prof. Wagner and several other high-profile academics have signed a letter to the judge on Monday that says:
We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure. We urge that you reconsider and remove the temporary restraining order issued on August 10, 2008.
See full story at cnet.news.com.

Wednesday, August 13, 2008

Research improves recognition software

On August 12, 2008, Allen Yang was featured on KGO TV in a segment titled, "Research improves recognition software".

Monday, August 11, 2008

NIST Advisory Group Welcomes Berkeley Professor

It was recently announced that electrical engineering and computer science professor at the University of California, Berkeley, Ruzena Bajcsy, has been selected to serve on the primary private-sector policy advisory body of the National Institute of Standards and Technology (NIST). Dr. Bajcsy's appointment to the agency's Visiting Committee on Advanced Technology (VCAT) was announced by NIST's deputy director, James M. Turner.

Bajcsy's research areas include artificial intelligence, robotics, biosystems and computational biology, and human-computer interaction. She is director emeritus of the Center for Information Technology Research in the Interest of Society (CITRIS), a UC Berkeley-based public-private partnership that develops information technology solutions to social, environmental and health care issues.

See press release in ThomasNet Industrial Newsroom.

Wednesday, June 04, 2008

Professor Anthony Joseph elected to the ACM

UC Berkeley Professor Anthony Joseph has been elected to the Association for Computing Machinery Council as Member-At-Large. Elected members are recognized for significant accomplishments or for achieving significant impact on the computing field.

Wednesday, April 30, 2008

UC Berkeley Professor Ruzena Bajcsy elected to American Academy of Arts & Sciences

A press release issued by UCBerkeleyNews announced that University of California Berkeley Professor Ruzena Bajcsy has been elected to the American Academy of Arts & Sciences.
"The Academy honors excellence by electing to membership remarkable men and women who have made preeminent contributions to their fields, and to the world," academy president Emilio Bizzi said in a prepared statement.
The American Academy of Arts & Sciences is one of the nation's oldest and most prestigious honorary societies and independent policy research centers.

Friday, April 25, 2008

Automatic Patch-Based Exploit Generation is Possible: Techniques and Implementations

Monday, April 14, 2008

Electronic Voting at the RSA Conference

The RSA Conference April 7-11, 2008 in San Francisco resulted in a few news items about the work of David Wagner.
  • On April 10, CNet's article, "Expert says flawed e-voting systems need constant audits," discusses Wagner's voting machine audit proposal.
  • On April 10, SecurityFocus' article, "Researchers tell voting firms, time for a truce," discusses efforts by security researchers and voting machine vendors to work together. Wagner is quoted: "Voting system vendors are, today, where Microsoft was ten years ago."
  • On April 11, ABC News had an article about threats to the upcoming US Presidential Election. The same article appears at PC World.
  • Update: On April 11, The Register's article, "Where were you when you learned e-voting was unreliable?" presents another view on the conference.
  • Update: On April 16, Cringely discusses the issue in "Voting accidents and other avoidable tragedies."

    Tuesday, March 25, 2008

    Engineers Test Highly Accurate Face Recognition

    The work of postdoctoral researcher Allen Yang, of Professor Shankar Sastry's Heterogeneous Sensor Network (HSN) group at the University of California, Berkeley, is the subject of an article in Wired magazine where a new facial-recognition algorithm was created by Yang with the help of researchers at both UC Berkeley and the University of Illinois at Urbana-Champaign.

    "Most algorithms use what's known as meaningful facial features to recognize people-things like the eyes, nose and mouth," says Dr. Yang. "But that's incredibly limiting because you're only looking at pixels from a designated portion of the face and those pixels end up being much smaller than the whole image. Our algorithm shows that you only need to randomly select pixels from anywhere on the face. If you select enough of them, you can produce extremely high accuracy."

    Yang's new algorithm may signal a quantum leap in face-recognition technology. Professor Sastry, dean of UC Berkeley's College of Engineering, notes that Yang's new method obsolesces years of research in this field.

    Nonetheless, the new technique could have profound impact in many areas, with new models for online advertising, new ways of annotating video and still images, and new techniques for identifying people in public places.

    See the complete article in Wired.

    Thursday, March 20, 2008

    Debugging Election Codes

    An announcement on UC Berkeley's Electrical Engineering and Computer Sciences website tells of an article featuring David Wagner in the March issue of a Berkeley Engineering publication about his work reviewing voting machine systems code.

    Professor Wagner, as the Principal Investigator of a joint UC Berkeley-UC Davis project commissioned by California Secretary of State Debra Bowen, led a team whose comprehensive examination found major vulnerabilities in voting machine systems.

    While the machines were questioned immediately by grassroots activists, mainstream politics and media viewed their concerns about voting machine security as mere lunatic fringe behavior. However, according to Wagner, forward-thinking election officials changed this opinion. "Some elections officers took the activists' concerns seriously and forced these vendors to pry open the covers and hand over the source code," Wagner recalls. "That's what made it real; we could actually examine the code, so it wasn't just speculation anymore."

    While Wagner's review prompted Bowen to limit the machines to one per polling place, a well-designed electronic voting machine could be a benefit to democracy.

    See details in Innovations.

    Friday, March 07, 2008

    Ranking Corporate America on Identity Theft

    The New York Times covered a report compiled by Chris Hoofnagle at the Berkeley Center for Law and Technology at the University of California at Berkeley on the institutions most frequently cited by consumers in fraud complaints.

    The country's largest banks and phone companies showed up most frequently, of course. To account for size, Mr. Hoofnagle factored in the total amount of deposits per institution as of Dec. 31, 2006.

    Mr. Hoofnagle said he believed the study was an important step in creating an "identity theft marketplace" for consumers.

    "I've been working for years to try to spark a market, a true market, for competition on preventing fraud," he said. "Some of these institutions have attempted to compete based on advertisements, but I'm a real believer in the idea that if you give consumers information, they can make better decisions."

    For the complete report, see Measuring Identity Theft at Top Banks.

    Friday, February 01, 2008

    Demands for Personal Information Controls on Social Networking Sites Increase

    A Wall Street Journal article discusses the effects to online privacy introduced by services offered on social networking sites such as Facebook and MySpace.

    In the article, Jennifer King, TRUST security and privacy researcher and clinical research specialist at the UC Berkeley Samuelson Law, Technology & Public Policy Clinic, weighs in on the data-sharing implications of such sites and offers advice to users about keeping their personal information and online activity more private.

    Thursday, January 31, 2008

    TRUST Spring 2008 Conference: April 2-3, 2008

    The next TRUST Conference will be held April 2-3, 2008 at the Claremont Resort & Spa in Berkeley, CA.

    The schedule is to have a full day (~8:00 AM to 5:00 PM) April 2 and a half day (~8:00 AM to 12:00 PM) April 3.

    This event will provide you with an opportunity to hear firsthand about the work of TRUST faculty and students, specifically activities that:

    • Advance a leading-edge research agenda to improve the state-of-the-art in cybersecurity and critical infrastructure protection;

    • Develop a robust education plan to teach the next generation of computer scientists, engineers, and social scientists; and

    • Pursue knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

    For more information, see the Conference Page.

    Monday, December 17, 2007

    A Legal Analysis of the Sony BMG Rootkit Debacle

    Deirdre Mulligan and Aaron Perzanowski of the Berkeley Center for Law & Technology published an article on Sony BMG's deployment of digital rights management (DRM) systems that threaten the security of its customers' computers and the integrity of the information infrastructure in general. The DRM systems were released by Sony BMG on millions of Compact Discs in late 2005.

    A summary of the article can be found in Slashdot.

    Friday, December 14, 2007

    CPO Panel Highlights Privacy Challenges

    On Wednesday, December 12, TRUST Policy Director Deirdre K. Mulligan participated in a panel of privacy experts for a discussion on Privacy and the Network of You. The event was hosted by Sun Microsystems and moderated by National Public Radio’s Dr. Moira Gunn. Panelists from industry, academia, and the State of California discussed a number of challenges to personal privacy, data protection, and information security as well as recent events such as the large number of data breach incidents and identity theft cases.

    Prof. Mulligan, the Director of the Samuelson Law, Technology & Public Policy Clinic and a Clinical Professor of Law at UC Berkeley, was joined by Chief Privacy Officers from Agilent, Intuit, and Sun as well as the Chief of the California Office of Privacy Protection.

    Monday, December 10, 2007

    CSO Perspective on Security Breach Notification Laws

    The Samuelson Law, Technology & Public Policy Clinic at UC Berkeley released a study on the effects of security breach notification laws in the United States. The study, co-funded by TRUST, is based on a thorough literature review as well as in-depth interviews with several Chief Information Security Officers (or their equivalents) from various industries. The CISO interviews provide insight into internal organizational structure around security investment decisions, regulatory and market factors that affect investment decisions, organizational responses to the enactment of security breach notification laws, market effects of security breaches, and industry best practices. This study is part of an ongoing effort to inform public policy with research into how businesses are affected by privacy law.

    Engineers Learning People Skills, Too

    Shankar Sastry is quoted in an Associated Press article yesterday about a change in how engineering graduates are trained, so that they are not only technically capable but able to communicate their expertise effectively.

    Dean of the College of Engineering and Director of TRUST, Sastry is asking professors to take a more Socratic approach to teaching, that is, more discussion and less rote drilling.

    "The days of boot camp -- where we say 'Thou shalt study physics and mathematics and, oh by the way, you'll find out what's going to come out of this next year or the year after' -- I think are gone," says Sastry.

    Tuesday, December 04, 2007

    Applications for SECuR-IT, WISE and SUPERB available until January 31, 2008

    Applications to three summer TRUST programs are now being taken. The closing date for applications is January 31, 2008. The three programs are:

    Summer Experience, Colloquium and Research in Information Technology at Stanford University and San Jose State University (SECuR-IT)
    June 2 to August 8, 2008: Stanford & San Jose
    Deadline for applications: January 31, 2008

    Summer Undergraduate Program in Engineering Research at Berkeley (SUPERB)
    June 9 - August 01, 2008: Berkeley
    Deadline for applications: January 31, 2008

    Women’s Institute in Summer Enrichment (WISE)
    June 8th through 13th, 2008: Ithaca, New York
    Deadline for applications: March 31, 2008

    Friday, November 16, 2007

    FaceBook: Giving Personal Info for Profit?

    Facebook, the Internet social networking site, has decided to allow companies to create personalized ads for account holders (which number more than 50 million active users) with their friends' profile pictures attached. Professor Ken Birman, computer science, and a member of the Team for Research in Ubiquitous Secure Technology (TRUST) thinks that Facebook's announcement is another step on an already slippery slope toward a lack of social privacy.

    Professor Birman said "I worry that we're gradually creating the world of Minority Report", referring to the futuristic sci-fi film where passersby are tracked as they move and are assailed with personalized advertising projected on walls. "We're witnessing a massive erosion of privacy, and society as a whole seems to be accepting this trend without even questioning it."

    For the complete article, see the Nov. 14th issue of the Cornell Daily Sun.

    Thursday, October 25, 2007

    Stanford/TRUST faculty offer Advanced Computer Security Certificate Online: What You Don’t Know Can Hurt You

    TRUST faculty Dan Boneh and John Mitchell have developed an Advanced Computer Security Certificate that can be taken as online classes. The BusinessWire article states:
    "Specific topics covered include secure software design, buffer overflows, SQL injection attacks, authentication, access control, data integrity, symmetric encryption, public-key cryptography, and more. The Advanced Computer Security certificate program requires six courses: three core and three electives. The instructors regularly update the content. Each course is self-paced and approximately six hours long, and is available at any time. Detailed information about the program is found at http://proed.stanford.edu/?security."

    Security Focus Interviews Adam Barth about DNS Rebinding

    Security Focus has an interview with TRUST's Adam Barth, titled "Rebinding attacks unbound." Adam is quoted as saying:
    "I'm a Ph.D. student at Stanford University and a member of the Stanford Web Security Lab. Collin Jackson, Andrew Bortz, Weidong Shao, Dan Boneh, and I are presenting a paper at the 2007 ACM Conference on Computer and Communications Security, detailing how to protect browsers from DNS rebinding attacks."

    Wednesday, October 17, 2007

    Adrian Perrig Leads Research Team Dedicated To Analyzing and Disrupting Internet Attackers' Black Markets

    TRUST researcher Adrian Perrig's work is highlighted in a CMU press release: "Carnegie Mellon's Adrian Perrig Leads Research Team Dedicated To Analyzing and Disrupting Internet Attackers' Black Markets." The work, done in conjunction with Vern Paxson and others, is described as:
    To stem the flow of stolen credit cards and identity data, Carnegie Mellon researchers proposed two technical approaches to reduce the number of successful market transactions, including a slander attack and another technique, which were aimed at undercutting the cyber-crooks' verification or reputation system.

    "Just like you need to verify that individuals are honest on eBay, online criminals need to verify that they are dealing with 'honest' criminals," Franklin said.

    In a slander attack, an attacker eliminates the verified status of a buyer or seller through false defamation. "By eliminating the verified status of the honest individuals, an attacker establishes a lemon market where buyers are unable to distinguish the quality of the goods or services," Franklin said.

    The researchers also propose to undercut the burgeoning black market activity by creating a deceptive sales environment.

    Perrig's team developed a technique to establish fake verified-status identities that are difficult to distinguish from other verified-status sellers, making it hard for buyers to tell honest verified-status sellers from dishonest ones.

    "So, when the unwary buyer tries to collect the goods and services promised, the seller fails to provide the goods and services. Such behavior is known as 'ripping.' And it is the goal of all black market sites' verification systems to minimize such behavior," said Franklin.
    The work has also been featured on Slashdot.

    Friday, October 05, 2007

    The "Profiles in Team Science" document and website covers TRUST

    Thursday, September 27, 2007

    Deirdre Mulligan: Data breach laws have had positive effect

    Deirdre Mulligan is quoted in Silicon.com's article, "Data breach laws 'make companies serious about security'."

    The legislation has had a positive effect on security, according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law.

    She told silicon.com: "I believe that the law has heightened the attention paid to information security. The initial impact of the law was likely to make incidents public but the lasting effect should be to reduce the number and severity of breaches by creating incentives to invest in security."

    Mulligan said her research had shown that security breaches drive information exchange among security professionals - for example some chief security officers summarised news reports from breaches at other organisations and circulated them to staff with 'lessons learned' from each incident.

    She said: "The goal of the law was to improve security practices, not provide notices. Research and anecdote both suggest that it has improved practices along many dimensions. As practices improve, notices should decrease."

    Some organisations have a 'that could have been us' moment and patch systems with similar vulnerabilities to the organisation that had a breach. The introduction of the legislation has meant an improved focus on security and better information about costs of failure, which allows for sounder investments, she added.

    Pam Samuelson named a Berkman Center Fellow

    Pam Samuelson was named a fellow to the Berkman Center for Internet & Society. Professor Samuelson will be presenting the keynote on October 10 to the IP and the Trend towards Openness conference. Details about Berkman fellows may be found in: "UN: Berkman Center Announces 07-08 Fellows."

    Wednesday, September 26, 2007

    Engineering a new curriculum

    CNet's article, "Engineering a new curriculum," discusses an interview with UC Berkeley Dean of Engineering Shankar Sastry. Dean Sastry discusses changes in the engineering curriculum, including mixing soft sciences such as sociology and economics with engineering. This work is also part of the mission of the Team for Research in Ubiquitous Secure Technology (TRUST).

    Sunday, September 09, 2007

    Trust Autumn 2007 Conference

    The TRUST Autumn 2007 Conference October 10-11, 2007 will be held in Ithaca, NY and hosted by TRUST partner institution Cornell University.

  • Conference Information - The latest information on the event can be found on the conference page of the TRUST website at http://www.truststc.org/conferences/07/FallRetreat/. Please check back frequently as this page will be updated as more information is available.
  • Conference Hotel Information - TRUST website account required; see How can I request a login account on this website?
  • Registration - In order to plan for your arrival and have an accurate headcount of attendees, please register to let us know you will be attending the conference. You may register online.
  • Schedule - We are still finalizing the conference agenda and schedule of events. The conference will run from ~8:30 AM to 5:30 PM on October 10 and ~8:30 AM to 12:00 PM on October 11. Breakfast and lunch will be provided both days and we are organizing a dinner for the evening of October 10. Please check the conference page of the TRUST website for the latest information and agenda.
  • The conference will feature TRUST researchers who are advancing a leading-edge agenda to improve the state-of-the art in cybersecurity and critical infrastructure protection. It will provide you with an opportunity to hear firsthand about research, education, outreach, and technology transition activities within the TRUST center. We hope you will join us for this exciting event! If you have any questions or need additional information, please contact Sally Alcala, the TRUST Program Coordinator, at salcala at eecs dot berkeley edu or 510-643-8425.
    Symantec Graduate Fellowship

    Darren Shou, Senior Manager at Symantec Research Labs writes:

    [...] we're now accepting applicants for our 2008 Symantec Fellowship. This is a multiple award, one year fellowship for graduate students pursuing innovative research related to information security and availability. It provides a $20,000 stipend, plus tuition and fees and is distinguished by an opportunity to work alongside our leading researchers.

    http://www.symantec.com/about/careers/college/fellowship.jsp

    Wednesday, August 15, 2007

    UK House of Lords report, "Personal Internet Security," includes TRUST talk summaries

    TRUST faculty briefed the UK House of Lords Science and Technology committee when they visited UC Berkeley on March 7, 2007. Summaries of their talks can be found on pages 103-106 of the final report, "Personal Internet Security."

    Monday, July 30, 2007

    Shankar Sastry named Dean of UCB College of Engineering

    Shankar Sastry has been named Dean of the College of Engineering at UC Berkeley.

    Ken Goldberg named director of Center for New Media

    Monday, July 16, 2007

    Beyond SCADA Research Strategies and Roadmap

    "National Workshop on Beyond SCADA: Networked Embedded Control for Cyber-Physical Systems (NEC4CPS): Research Strategies and Roadmap," by Bruce Krogh, Marija Ilic and S. Shankar Sastry is available for download by TRUST Members.

    This annual report is a draft version of the final report to be published by the National Coordination Office (NCO) of the NITRD. The final version of this report will also be the final report for the NSF grant to support the two workshops:

    1. National Planning Workshop, March 16-17, 2006, and
    2. Final National Workshop, held November 8-9, 2006.

    The details of the participants, program, and the presentations at the workshop and discussions on a Wiki site are available at http://truststc.org/scada (See also Appendix 1 and 2 of this report for this information for the second of the workshops).

    Saturday, July 14, 2007

    EU-US High Confidence Evolutionary Embedded Systems Annual Report

    Wednesday, June 20, 2007

    Intellectual Property Scholars Conference: August 8 and 9: Chicago

    The Berkeley Center for Law and Technology is one of the sponsors of the Intellectual Property Scholars Conference to be held August 8 & 9 at DePaul in Chicago. Aaron Burstein will present Toward a Culture of Cyber Security Research.

    Wednesday, June 13, 2007

    Technology and Privacy Workshop, Berkeley, June 22

    The Berkeley Center for Law and Technology and the Team for Research in Ubiquitous Secure Technology (TRUST) are hosting a day-long workshop for academics and advocates to discuss technology and privacy issues on Friday, June 22nd at the University of California, Berkeley, Boalt Hall School of Law Goldberg Room.

    The main goals of this workshop are:

    1. to help academics identify research opportunities in privacy law
    2. to help academics engage the policy process, and
    3. to help advocates identify existing research for use in their work.

    It will be an excellent opportunity to develop strategy, identify empirical data for more research, and to think about theoretical frameworks of privacy. The format will be a directed discussion, with panels of civil liberties advocates, technologists, and consumer privacy experts. A full schedule and agenda will be posted soon.

    Please let Chris Hoofnagle (choofnagle at law.berkeley.edu) know if you'd like to attend.

    Sunday, June 10, 2007

    June 22: 3rd Trustworthy Interfaces for Passwords and Personal Information (TIPPI) Workshop

    Friday, June 08, 2007

    EU-US Workshop on Wirelessly Networked Embedded Systems

    The EU-US Workshop on Wirelessly Networked Embedded Systems will occur on 10 July, 2007, in University of Edinburgh. This workshop is the fourth in the series of themed EU-US workshops after Paris (2005), Washington (March 2006) and Helsinki (June 2006). The theme of the Edinburgh workshop is "Cyber-Physical Systems and Beyond".

    Tuesday, June 05, 2007

    TRUST 2006-2007 Annual Report Available

    The TRUST 2006-2007 Annual Report is now available.

    Wednesday, May 09, 2007

    California Voting Computer review panel includes David Wagner

    The California Secretary of State's website has an article, "Top-To-Bottom Review," that says:

    Secretary of State Debra Bowen will begin a thorough top-to-bottom review of the voting machines certified for use in California the week of May 14, 2007. The review is designed to restore the public's confidence in the integrity of the electoral process and is designed to ensure that California voters are being asked to cast their ballots on machines that are secure, accurate, reliable, and accessible.

    The panel will include TRUST members David Wagner, Deirdre Mulligan and Joseph Lorenzo Hall.

    David Wagner testifies on Electronic Voting

    David Wagner supplied written testimony, "Testimony on Voting System Testing and Certification," to the Committee on Oversight and Government Reform, Subcommittee on Information Policy, Census, and National Archives on May 7, 2007.

    Wednesday, May 02, 2007

    Respectful Cameras

    Technology Review's article, Respectful Cameras, discusses the Respectful Cameras work at UC Berkeley of Jeremy Schiff and Professor Ken Goldberg. See also a 2005 presentation, "Too Close For Comfort: Free Speech, Privacy, and the Demonstrate Project," which discusses the Demonstrate project.

    Wednesday, April 25, 2007

    Trust Autumn 2007 Conference: October 10 & 11

    The dates for the Trust Autumn 2007 Conference at Cornell have been set: October 10 & 11. Larry Rohrbough announced the event:

    The next TRUST conference will be held October 10-11, 2007 in Ithaca, NY at TRUST partner institution Cornell University.

    This event will provide you with an opportunity to hear firsthand about the work of TRUST faculty and students, specifically activities that

    1. advance a leading-edge research agenda to improve the state-of-the art in cybersecurity and critical infrastructure protection;
    2. develop a robust education plan to teach the next generation of computer scientists, engineers, and social scientists; and
    3. pursue knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

    Conference details such as hotels are not yet finalized. We will announce the hotel information on the TRUST mailing list and update the conference page.

    If you have questions, please contact Sally Alcala, the TRUST program administrator.

    Thursday, April 19, 2007

    David Wagner testified at US House Hearing.

    On March 25, David Wagner, a member of TRUST, testified in front of the Elections Subcommittee of the Committee on House Administration. He testified on making voting machine source code available.

    Thursday, April 05, 2007

    NY Times covers ID Theft Senate Hearing

    The March 21 NY Times article, "To Fight Identity Theft, a Call for Banks to Disclose All Incidents" covers Chris Jay Hoofnagle's testimony to the Senate Judiciary Subcommittee on Terrorism. Hoofnagle is a member of TRUST, see his blog for details. Brian Krebs of the Washington Post mentions the testimony in his blog posting, "Hot Air Swirls Around ID Theft Measure."

    Monday, March 12, 2007

    TRUST Participant to testify in U.S. Senate Committee

    TRUST Participant Chris Jay Hoofnagle will testify on March 21 at the hearing on "Identity Theft: Innovative Solutions for an Evolving Problem" for the U. S. Senate Committee on the Judiciary Subcommittee on Terrorism, Technology and Homeland Security.

    Thursday, March 08, 2007

    SECuR-IT Summer Paid Internship

    SECuR-IT: Summer Experience, Colloquium and Research in Information Technology is a ten-week residential program with paid internship co-located at Stanford University and San Jose State University. SECuR-IT will run from June 10, 2007 until August 15, 2007.

    SECuR-IT is a collaboration between the Team for Research in Ubiquitous Secure Technology (TRUST) and our industry/academic workgroup and is a new TRUST program. The topic for the intern experience is network security. The ten-week Summer 2007 program will be a cohort of 20 graduate students selected from a national pool of applicants. The internship experience will be with leading Silicon Valley network security companies, such as SUN, Symantec and Deloitte & Touche.

    Weekly seminars will bring a variety of UC Berkeley, Stanford and San Jose State University faculty together in an exciting lecture format. The seminars will be designed to support the network security topics germane to our industry sponsor internship activities. Industry guest speakers will also be invited to speak at the seminars. For further information, including an online application, see the SECuR-IT webpage.

    Wednesday, January 17, 2007

    UC Berkeley course: "Coding for Policy and Regulating Design"

    We are pleased to announce a new course this semester: "Coding for Policy and Regulating Design." We invite TRUST student researchers to participate.

    The course, led by Deirdre Mulligan, is intended to acquaint Berkeley graduate students with literature from a range of disciplines that considers whether, when and how to embed policy in technical systems. The course will draw on theoretical literature about embodying values in technology design, consider the various entry points available for influencing technological design in the direction of policy or social values, and through case studies identify and imagine mechanisms for determining when technology should be viewed as "policy-making" and how various actors -- technologists, policymakers, end-users -- can participate in decisions about what policies the technology enables.

    The course welcomes students with a variety of backgrounds, including technical computer science and engineering students, and law and social science students interested in understanding the opportunities and challenges present in embedding policy in technical systems.

    290-20 Coding for policy and regulating design

    [The official meeting time is weekly Monday 4-5p but we will instead meet from Monday 4-6p every other week.]

    CCN: 42710
    1-2 units (2 credits with project or paper TBD)
    Room 205 South Hall
    If you need a CEC to add the class, contact Joe Hall.

    Friday, January 12, 2007

    Trust Students to speak at negative option FTC Meeting

    Professor Deirdre Mulligan's Ph.D. students Jens Grossklags and Nathan Good will be speaking at the Federal Trade Commission workshop in late January on "Analyzing Negative Option Marketing". For further details, see the FTC Negative Option website.

    iCAST/TRUST Conference Held

    The International Collaboration for Advancing Security Technology (iCAST)/Trust conference was held in Taiwan January 8 - 10, 2007. The conference website includes PDFs of the presentations.

    Thursday, January 11, 2007

    Vern Paxson is now an ACM Fellow

    Trust member Vern Paxson is now an ACM Fellow. He was cited "For contributions to Internet measurement and intrusion detection."

    Wednesday, January 10, 2007

    The logic of privacy

    The Economist's article, "The logic of privacy" discusses the work of John Mitchell, Adam Barth and Anupam Datta, where they are using a philosophical theory called contextual integrity to help explain when individuals feel uncomfortable with their privacy. Contextual integrity is a theory developed by Helen Nissenbaum of New York University. The article states:

    "This theory acknowledges that people do not require complete privacy. They will happily share information with others as long as certain social norms are met."

    Tuesday, January 09, 2007

    Beyond a Physical Conception of the Fourth Amendment: Search and Seizure in the Digital Age

    January 26th, 2007
    http://stlr.stanford.edu/symposium.html
    Stanford Law School

    Technological change increasingly complicates criminal investigation: third-party Internet service providers, not individuals, store sensitive user information such as e-mail, while global positioning satellites allow the government to track private citizens' movements and thermal imaging technology permits law enforcement to monitor activity inside the home. Recent high-profile legal cases have involved government requests for user identification and content from technological giants such as Apple and Google, bypassing the users themselves. These issues are exemplified by the current political controversy over NSA surveillance and the need for judicial oversight. In short, a physical conception of privacy may no longer be adequate when technology allows the tracking of new kinds of personal information that is accessible in entirely new ways.

    Current scholarship continues to play an essential role in expanding the legal thinking on the 4th Amendment in ways that can keep pace with this dizzying technological progress. The Stanford Center for Internet and Society, Stanford Criminal Justice Center and Stanford Technology Law Review have invited scholars and practitioners from around the country to participate in a Symposium this January on the future of the 4th Amendment in this digital age.

    Hear what the experts have to say, and let them know your opinions, through our symposium: Beyond a Physical Conception of the Fourth Amendment: Search and Seizure in the Digital Age. Top technology and privacy experts from across the country will argue about the Internet, criminal procedure, RFID, and the Constitution.

    Best of all, you can participate! Five authors' drafts will appear on the symposium website for commenting before (and after) the live event. Read, respond, and be heard in the live discussion!

    Thursday, January 04, 2007

    SUPERB TRUST: June-August, 2006

    The Team for Research in Ubiquitous Secure Technology (TRUST) will sponsor eight undergraduate students from diverse backgrounds and cultures, to participate in the Summer Undergraduate Program in Engineering Research at Berkeley during the summer of 2007 (SUPERB-IT).

    These students will be working with graduate student mentors throughout the summer performing research and supporting activities in the area of information technology and TRUST related topics.

    Examples of past TRUST research topics include:
    - Design of a Distributed Tracking System for Camera Networks
    - Camera Networks and Computer Vision
    - Time Synchronization Security in Sensor Networks
    - Implementation of an Electronic Medical Record System
    - Analysis of Wireless Connectivity in Sensor Network Deployments

    This is an excellent opportunity for students to conduct research directly with our faculty in an eight-week program. Our program is made possible by the generous support of the National Science Foundation, and UC Berkeley's College of Engineering.

    For details, see the TRUST SUPERB Website.

    Information for EECS applicants for SUPERB-IT:
    Elisa Lewis, SUPERB Program Coordinator
    SUPERB-Information Technology
    (510) 642-7372 (tel)
    (510) 643-7846 (fax)
    elisa at eecs berkeley edu

    Contact Information for SUPERB TRUST:
    Dr. Kristen Gates
    Executive Director of Education,
    Team for Research in Ubiquitous Secure Technologies (TRUST)
    University of California, Berkeley
    (510) 642-3737
    kgates at eecs berkeley edu

    Saturday, December 30, 2006

    Women's Institute in Summer Enrichment (WISE): June 10-17, 2007

    The Women's Institute in Summer Enrichment (WISE) will be held July 10-17, 2007 at the University of California, Berkeley campus. WISE participation is open to US professors and post-doctoral fellows, and Ph.D. candidates studying at US universities. Participation is limited to 30 people and will be selected from a nationwide pool of applicants who have demonstrated outstanding academic talent. The application deadline is March 31, 2007 at 4 PM (Pacific). Women will be given strong consideration although everyone is encouraged to apply. For further details, see the WISE website.

    Thursday, December 14, 2006

    Deirdre Mulligan and Pam Samuelson to speak at DIMACS

    Deirdre Mulligan and Pam Samuelson will speak at the DIMACS Workshop on Information Security Economics on January 18 - 19 at Rutgers.

    Tuesday, November 14, 2006

    ACM Honors Eugene Spafford and Michael Schroeder

    ACM's Special Interest Group on Security, Audit, and Control (SIGSAC) has honored Purdue Professor Eugene Spafford and Michael Schroeder of Microsoft Research. Professor Spafford is a member of Trust's Distinguished External Advisory Board; Dr. Schroeder is an industrial participant in Trust. For details about their awards, please see "ACM Group Honors Computer Security Experts."

    Thursday, November 09, 2006

    November 8-9: Beyond Scada Meeting Held

    The Beyond SCADA: Networked Embedded Control for Cyber Physical Systems meeting was held on November 8 and 9 in Pittsburgh, PA.

    Monday, November 06, 2006

    Deirdre Mulligan speaks at FTC Conference

    Deirdre Mulligan spoke at the Federal Trade Commission Public Hearings on Protecting Consumers in the Next Tech-ade at George Washington University. (Report: The FTC and Consumer Privacy in the Coming Decade)

    Sunday, November 05, 2006

    Electronic Voting Sacramento Bee Editorial by Deirdre Mulligan

    The Sacramento Bee has an editorial "Counting on Security" by Deirdre K. Mulligan.

    Saturday, November 04, 2006

    'Unblinking': Visual Privacy Symposium held at UCB

    "Unblinking: New Perspectives on Visual Privacy in the 21st Century," a Cross-Disciplinary Symposium, was held on the Berkeley campus.

    Friday, November 03, 2006

    Cyberconflict Fall Symposium held at George Mason

    The Cyberconflict Fall Symposium was held at the Law School on the George Mason University Arlington Campus.

    Saturday, October 28, 2006

    Security and Identity Theft Risks and shortcomings in the DOD Interim Voting Assistance System

    A report by David Jefferson, Avi Rubin, Barbara Simons, and David Wagner on the security and identity theft risks of the DoD Interim Voting Assistance System (IVAS) discusses shortcomings in that system.

    Wednesday, October 18, 2006

    Building a Better Voting Machine

    David Wagner's views on "Building a Better Voting Machine" are discussed in Wired.

    Education Fast Track Modules

    Kristen Gates has posted the Education Fast Track Modules.

    Friday, October 13, 2006

    Overview and Educator's Guide, Larry Howard

    Larry Howard has written an article called "Overview and Educator's Guide" that includes an embedded flash movie describing the process for defining a course profile and uploading files to the TRUST Academy Online (TAO).

    Monday, October 09, 2006

    TRUST Fall Retreat

    The TRUST Fall Retreat was held on October 8-9 in Pittsburgh, PA.

    Friday, October 06, 2006

    Exploring the Privacy Implications of Trustworthy Information Systems Workshop

    Wednesday, October 04, 2006

    Presentation by Prof. Fred Schneider of Cornell University

    Professor Fred Schneider of Cornell University gave a presentation entitled What Price Insularity? Dialogs about Computer Security Failings.

    Tuesday, September 19, 2006

    SRI Council Meeting

    Sunday, September 17, 2006

    Article by Ken Goldberg in the Berkeley Alumni Magazine

    The Berkeley Alumni Magazine has an article "Private eyes" that discusses Ken Goldberg's research involving video cameras and our expectation of privacy in public places.

    Friday, September 15, 2006

    iCast-Trust Berkeley Kickoff

    Thursday, August 31, 2006

    Cylab researchers address phishing fraud