Saturday, February 25, 2012

Web Firms to Adopt 'No Track' Button.

Support for a do-not-track button by a coalition of Internet giants, including Google, has emerged as part of the White House's call for Congress to pass a "privacy bill of rights" giving people more control over personal data collected about them.

Google and others had been working around the privacy settings of millions of people who use Apple's Safari web browser on their iPhones and computers. The code Google was using to bypass the privacy settings was noticed by Stanford researcher Jonathan Mayer, a CS/law student working with Professor John Mitchell.

Google disabled its code after being contacted by the Wall Street Journal. A Google spokesman said that
Our updated Privacy Policy will make our privacy practices easier to understand, and it reflects our desire to create a seamless experience for our signed-in users.


See the Wall Street Journal Technology articles on Google's iPhone tracking and No-Track Button for details.

Saturday, January 21, 2012

Internet is still vulnerable to cyber-criminals

A January 21, 2012 San Francisco Chronicle article "Internet is still vulnerable to cyber-criminals" by James Temple discusses Mark Bowden's book "Worm: The First Digital World War," which describes the October 21, 2002 attack on the Internet Domain Name Servers.

The SF Chronicle article states:

Internet Protocol version 6 will create more root name servers and add other security protections.

"But the general consensus today is that it's still pretty fragile," said Doug Tygar, professor of computer science at UC Berkeley.

See also the October 3, 2011 review of 'Worm'.

Tuesday, December 13, 2011

Android apps and advertising: A bit too cozy

A Tech Republic blog entry "Android apps and advertising: A bit too cozy" features the research of TRUST Ph.D. student Adrienne Porter Felt.

Adrienne asked non-computer scientists: “Do you think the advertiser can use the app’s permissions?” Twelve people answered with:

Yes: 5
No: 2
I don’t know: 5

It turns out that the answer is not that simple.

Adrienne's blog entry "Advertising and Android Permissions" states:


"Can an advertiser use an app’s permissions?"

"When you see an advertisement in an application, there are three parties. First, there’s the application itself, which asks the user for permissions. Second, there’s the advertising library, which is shoved into the application and therefore gains access to all of the app’s permissions. Third, the advertising library displays the advertisement itself. The advertisement can’t directly use any of the permissions, but the advertising library might share information with the company that is running the ad. So if you see an REI ad while playing a game, you should know that the invisible ad library gets all of the game’s permissions, and it might share information like your location with REI."


Adrienne is a student of Berkeley Professor David Wagner.

Monday, December 05, 2011

Carrier IQ cell phone monitor software is a nightmare

TRUST Professor Stephen Wicker was quoted in a NetworkWorld article, "Cornell Prof: Carrier IQ affair 'my worst nightmare'". Carrier IQ is software present on various cell phones that provides call quality and other feedback to cell phone companies.

The article quotes Professor Wicker:


"This is my worst nightmare," says Stephen Wicker, a professor of electrical and computer engineering at Cornell. "As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.

"Carrier IQ claims that the collected data is 'anonymized.' Let's give this a moment's thought -- about all that it deserves. How hard would it be to 'de-anonymize' a pile of text messages between me and my wife? My mother? My children? Banking IDs with passwords?"

The article was also picked up in a Slashdot story.

Wednesday, October 05, 2011

White House Honors Cornell's Salman Avestimehr with PECASE

TRUST investigator and Cornell Professor Salman Avestimehr was named a recipient of the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the United States government on science and engineering professionals in the early stages of their research careers.

Nominated by the National Science Foundation, Prof. Avestimehr was recognized as one of the Nation's "most meritorious scientists and engineers whose early accomplishments show the greatest promise for assuring America's preeminence in science and engineering and contributing to the awarding agencies' missions." The award includes a multi-year research grant.

The press release from the White House, which includes the full list of recipients, is available here. A press release from the Cornell University School of Electrical and Computer Engineering is available here.

Tuesday, August 09, 2011

"The Science of Cyber Security"

US News and World Report's article, "The Science of Cyber Security" by Marlene Cimons gives an overview of the Team for Research in Ubiquitous Secure Technology (TRUST). Dean Shankar Sastry is quoted:

“We no longer can afford to be reactive in our attitudes about cyber security,” ...

“Our current approach is bolt-on, rather than built-in: patches, bolted on, like an afterthought. We need to be proactive.”

Erika Chin: "Seven ways to hang yourself with Google Android"

The research work of Erika Chin, an EECS graduate student studying smartphone security, was featured in a Consumer Reports online magazine article titled "Def Con 19: Android apps ask for too much power". Erika and principal researcher Yekaterina Tsipenyuk O’Neil reported that, after studying dozens of Android apps, 30 percent of them were overprivileged, which creates a larger security risk to your personal information and phone.
(Based on text by Miyoko Tsubamoto)

Monday, June 13, 2011

Stanford's Dan Boneh Receives Dean's Award for Industry Education Innovation

TRUST researcher and Stanford University Professor Dan Boneh was awarded the School of Engineering Dean's Award for Industry Education Innovation. The award is given for "outstanding teaching and exemplary leadership in industry education" and Dan was recognized for his leadership of the Stanford Advanced Computer Security Certificate program as well as teaching courses on computer systems security and cryptography. These courses are offered by the Stanford Center for Professional Development which focuses on connecting working professionals worldwide to the research and teaching of Stanford University faculty in the School of Engineering and related academic departments.

Friday, June 10, 2011

TRUST Researchers to Lead Intel Security Center

Intel Labs announced the creation of the Intel Science and Technology Center for Secure Computing (ISTCSC) to be led by UC Berkeley with partner institutions Carnegie Mellon, Drexel, Duke, and Illinois.


The center's work will focus on making personal computers safer from malware, securing mobile devices, and protecting personal data when it is distributed across the Internet by giving people more control over it. The center is the second announced by Intel as part of their 5-year, $100 million ISTC program that will increase university research, accelerate innovation, and encourage tighter collaboration between university thought leaders and Intel. The ISTCSC will be funded at a level of $2.5 million per year for five years.

The center will be co-led by TRUST investigator and UC Berkeley Professor David Wagner and Intel Senior Principal Engineer John Manferdelli. Among the faculty researchers participating in the center are TRUST investigators Anthony Joseph, Vern Paxson, Dawn Song, and Doug Tygar from UC Berkeley and Adrian Perrig from Carnegie Mellon.

Intel released a press statement announcing the creation of the center and the center’s website contains a white paper describing the center’s research agenda.

Friday, June 03, 2011

Audio Captchas defeated

Stanford Professor John Mitchell, postdoctoral researcher Elie Bursztein and their colleagues have developed a way to defeat the audio version of Captchas. See The Register and the Stanford News coverage.

Friday, April 22, 2011

Stephen Wicker on iOS user privacy

Professor Stephen Wicker was quoted in Network World's article "Cornell prof warns iPhone, iPad users: 'We're selling our privacy'" about the recently reported location logging by the iPhone and iPad. The Network World article quotes Professor Wicker:

"It is vitally important to recognize that cellular telephony is a surveillance technology, and that unless we openly discuss this surveillance capability and craft appropriate legal and technological limits to that capability, we may lose some or all of the social benefits of this technology, as well as a significant piece of ourselves," says Stephen Wicker, Cornell professor of electrical and computer engineering. "Most people don't understand that we're selling our privacy to have these devices."

Saturday, February 26, 2011

Doug Tygar on the LinkedIn outage in China

Bloomberg's February 25, 2011 article
"LinkedIn Service Is Restored in Beijing After `Jasmine' 24-Hour Disruption" discusses how LinkedIn was blocked in China after a user posted comments about how "Tunisia’s Jasmine Revolution should spread to the Asian nation that’s been ruled by the Communist Party since 1949." The article quotes TRUST's Doug Tygar:

“Often, this is done as a sort of a warning signal -- sort of a shot across the bow,” said Doug Tygar, professor of computer science at the University of California at Berkeley. “A portion of that is symbolic.”

The quote was also printed on page D-1 of the San Francisco Chronicle, "Business Report - The Chronicle with Bloomberg."

Wednesday, February 23, 2011

Cornell's Hakim Weatherspoon Awarded Sloan Fellowship

TRUST investigator and Cornell University Prof. Hakim Weatherspoon was named a recipient of the 2011 Sloan Research Fellowship of the Alfred P. Sloan Foundation.

Sloan Research Fellowships seek to stimulate fundamental research by early-career scientists and scholars of outstanding promise and are awarded yearly to researchers in recognition of distinguished performance and a unique potential to make substantial contributions to their field.

A press release of the 2011 fellowship awards is available here.

Tuesday, January 18, 2011

Car Theft by Antenna

According to new research to be presented at the Network and Distributed System Security Symposium next month in San Diego, California, car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key.

Researchers successfully attacked eight car manufacturers' passive keyless entry and start systems—wireless key fobs that open a car's doors and start the engine by proximity alone. Because a car won't open or start if the signal from its key takes too long to arrive, the researchers devised a way to speed communication between their antennas. They were able to keep the signals in analog format, which reduced their delay from microseconds to nanoseconds, making their attack more difficult to detect.

David Wagner, professor of computer science at the University of California at Berkeley who has studied the cryptographic systems used in keyless entry systems, says the research "should help car manufacturers improve auto security systems in the future." Wagner doesn't think the research ought to make car owners anxious. "There are probably easier ways to steal cars," he says. But, he adds, a "nasty aspect of high-tech car theft" is that "it doesn't leave any sign of forced entry," so if a thief did use this method to steal a car, he says, it might be hard for police and insurance companies to get sufficient evidence of what happened. Wagner believes that manufacturers, police, and insurance companies all need to prepare for this eventuality.

See full article in Technology Review, published by MIT.

Friday, January 07, 2011

Commerce announces new shop to oversee online security

NextGov.com's article "Commerce announces new shop to oversee online security" covers Commerce Secretary Gary Locke's announcement that

The Obama administration is creating an office that will coordinate with the private sector to establish a secure pathway for people, organizations and computer programs to execute online transactions...

Locke spoke at an industry forum sponsored by many groups, including TRUST.

Tuesday, November 16, 2010

White House Honors Vanderbilt's Bradley Malin

TRUST investigator and Vanderbilt University Professor Bradley Malin was named a recipient of the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the United States government on science and engineering professionals in the early stages of their research careers.

Nominated by the National Institutes of Health and Department of Health and Human Services, Prof. Malin was recognized as one of the Nation's "most meritorious scientists and engineers whose early accomplishments show the greatest promise for assuring America's preeminence in science and engineering and contributing to the awarding agencies' missions." The award includes a multi-year research grant.

The press release from the Office of Science and Technology Policy (OSTP), which includes the full list of recipients, is available here.

Thursday, October 21, 2010

"Fabric" To Weave Security into Code

Cornell computer science faculty Fred Schneider and Andrew Myers are developing a new computer platform, dubbed Fabric, that offers a way to build security into computer systems from the start by incorporating security in the language used to write the programs.

Professor Schneider states that until now, computer security has been reactive; when hackers discover a way in, we patch it.
"Our defenses improve only after they have been successfully penetrated," he explained.
Fabric's programming language, an extension of the widely used Java language, builds in security as the program is written. Fabric is still a prototype, being tested on a database of Cornell computer science students.

Schneider and Myers plan to scale it up for very large distributed systems, provide for more complex security restrictions on objects and enable "mobile code" — programs that can reside on one node of a network and be run on another with assurance that they are safe and do what they claim to do. And perhaps most important (and perhaps hardest), they hope to provide formal mathematical proof that a system is really secure.

See article in Dr. Dobb's, The World of Software Development.
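The Fabric post above describes security "built in" to the language rather than patched on afterwards. The toy checker below is an added example of the underlying idea, language-level information-flow control, and is not Fabric's code or its label model (Fabric extends Java with a decentralized label model that is considerably richer). It attaches a confidentiality label to each value, propagates labels through computation, and refuses a flow to a less restrictive sink, so the policy violation shows up while the program is being written rather than after a breach. The lattice, the `Labeled`/`Sink` classes and the grade data are all constructed for this illustration.

```python
"""Added toy illustration of language-based information-flow control
(the idea behind Fabric); not Fabric's own code or label model."""
from dataclasses import dataclass
from typing import Any, Callable, List

# Minimal two-point confidentiality lattice: PUBLIC may flow to SECRET,
# SECRET may not flow to PUBLIC.
PUBLIC, SECRET = "public", "secret"
_RANK = {PUBLIC: 0, SECRET: 1}


class FlowError(Exception):
    """Raised when a value would reach a sink its label does not permit."""


def flows_to(src: str, dst: str) -> bool:
    """Is a value labeled `src` allowed to end up somewhere labeled `dst`?"""
    return _RANK[src] <= _RANK[dst]


def join(a: str, b: str) -> str:
    """Least upper bound: a value derived from two inputs carries the more
    restrictive of the two labels."""
    return a if _RANK[a] >= _RANK[b] else b


@dataclass(frozen=True)
class Labeled:
    value: Any
    label: str

    def map2(self, other: "Labeled", fn: Callable[[Any, Any], Any]) -> "Labeled":
        """Combine two labeled values; the result is labeled with the join."""
        return Labeled(fn(self.value, other.value), join(self.label, other.label))


def declassify(x: Labeled, to_label: str, reason: str) -> Labeled:
    """Explicit, auditable downgrade: the only way SECRET data reaches PUBLIC.
    A reason is required so every release shows up in code review."""
    if not reason:
        raise ValueError("a declassification must be justified")
    return Labeled(x.value, to_label)


class Sink:
    """A destination (log file, socket, public web page) with its own label."""

    def __init__(self, name: str, label: str) -> None:
        self.name, self.label = name, label
        self.written: List[Any] = []

    def write(self, x: Labeled) -> None:
        if not flows_to(x.label, self.label):
            raise FlowError(f"{x.label} data may not flow to {self.name} ({self.label})")
        self.written.append(x.value)


def demo():
    """Constructed sample: individual grades are confidential, the class size
    is public. The average inherits SECRET, so publishing it directly is
    rejected; an explicit declassification is needed to release it."""
    grades = [Labeled(g, SECRET) for g in (88, 92, 79)]
    n = Labeled(len(grades), PUBLIC)
    total = grades[0]
    for g in grades[1:]:
        total = total.map2(g, lambda a, b: a + b)
    mean = total.map2(n, lambda a, b: a / b)  # label: join(SECRET, PUBLIC) == SECRET

    public_page = Sink("public_page", PUBLIC)
    try:
        public_page.write(mean)
        leaked = True
    except FlowError:
        leaked = False  # the checker stopped the flow

    released = declassify(mean, PUBLIC, "aggregate over three students, approved by instructor")
    public_page.write(released)
    return mean.label, leaked, public_page.written


if __name__ == "__main__":
    print(demo())
```

The point of the design is where the decision lives: the `Sink.write` check is the language runtime's, not the application author's, so forgetting it is impossible, and the only escape hatch (`declassify`) is a named, justified call that a reviewer or a proof obligation can examine.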

Wednesday, September 29, 2010

UC Berkeley's Dawn Song Awarded MacArthur Fellowship

TRUST researcher and UC Berkeley Professor Dawn Song was named a 2010 MacArthur Fellow by the John D. and Catherine T. MacArthur Foundation.

The so-called "genius award" is given to individuals "who have shown extraordinary originality and dedication in their creative pursuits and a marked capacity for self-direction" as well as "exceptional creativity, promise for important future advances based on a track record of significant accomplishment, and potential for the fellowship to facilitate subsequent creative work." Prof. Song, one of 23 recipients of this year's award, was cited for her work in applying "rigorous theoretical methods to understand the deep interactions of software, hardware, and networks that make computer systems vulnerable to attack or interference."

Details on Prof. Song's work and her award are available here.

Tuesday, September 21, 2010

TRUST Autumn 2010 Conference: Nov. 10-11, 2010

The next TRUST Conference will be held November 10-11, 2010 at the Jen-Hsun Huang Engineering Center on the campus of Stanford University. The conference will run from approximately 8:00 AM to 5:00 PM both November 10 and 11.

This event will provide attendees with an opportunity to hear firsthand about the work of TRUST faculty and students, specifically activities that:
  • Advance a leading-edge research agenda to improve the state-of-the art in cyber security and critical infrastructure protection;

  • Develop robust education and diversity plans to teach the next generation of computer scientists, engineers, and social scientists; and

  • Pursue knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

For more information, see the TRUST Autumn 2010 Conference Page.

Monday, September 20, 2010

WSJ: "J.P. Morgan Wrestles Web Snarl"

UC Berkeley Professor Doug Tygar was quoted in a September 15, 2010 Wall Street Journal website article, "J.P. Morgan Wrestles Web Snarl." The article discusses an outage at chase.com. Professor Tygar is quoted as stating, "if they have so much trouble with a software failure, what happens with an actual attack?"

Wednesday, August 18, 2010

UC Berkeley's Pamela Samuelson wins IP3 Award

UC Berkeley Law Professor and renowned scholar Pamela Samuelson is one of four winners of this year's IP3 Award from the Washington-based public interest group Public Knowledge.

As a director of the Berkeley Center for Law & Technology, Samuelson is being acknowledged for her work in information policy, particularly in such areas as privacy, copyright, freedom of expression, intellectual property and consumer protection.
"Public Knowledge has been the most important voice for public-spirited intellectual property and Internet policy,” says Samuelson. “I’m pleased that this organization believes I have made contributions to these same policies worthy of being named to this award."

See more in the Berkeley Law News Archive.

Tuesday, August 10, 2010

Web add-ons compromise 'private browsing'

A study by Dan Boneh of Stanford University claims that many browser add-ons or website security measures stop the 'private browsing' mode from working correctly.

Boneh and team examined the private browsing functions on Mozilla's Firefox, Microsoft Internet Explorer, Google Chrome and Apple's Safari and discovered all four were affected. Moreover, they discovered that all browsers retained the generated key pair even after private browsing ends which could leak the site's identity to an attacker.
"We found that private browsing was more popular at adult web sites than at gift shopping sites and news sites, which shared a roughly equal level of private browsing use," Boneh said in the report.

"This observation suggests that some browser vendors may be mischaracterising the primary use of the feature when they describe it as a tool for buying surprise gifts."

Boneh and his researchers say they believe they are the first to show that 'private browsing' can be compromised.

See full article at PC Advisor. Related articles appear at THIN!.co.uk and BBC NEWS.

Monday, June 28, 2010

Patents seen as low priority for software firms

Tom Abate's San Francisco Chronicle article, "Patents seen as low priority for software firms" discusses the paper written by Stuart J. H. Graham, Robert P. Merges, Pamela Samuelson and Ted M. Sichelman, "High Technology Entrepreneurs and the Patent System: Results of the 2008 Berkeley Patent Survey."

The article quotes Pamela Samuelson:
"More than 80 percent of the biotech, medical device and hardware firms we surveyed have or have applied for patents. . . About two-thirds of software firms have no patents and have not applied for any."

The study is also discussed by Phyorg, Broadbandbreakfast and Canadaviews.

Monday, May 31, 2010

Vanderbilt medical researchers, engineers play major role in new national center established to secure the privacy of electronic health information

The Vanderbilt University News Network released an article on Friday announcing the $15 million awarded to create a new center for health information and privacy. The center, headquartered at the University of Illinois, will include researchers from Vanderbilt University; University of California, Berkeley; Carnegie Mellon University; Dartmouth College; Harvard Medical School; Johns Hopkins University; Northwestern Memorial Hospital; Stanford University; University of Massachusetts, Amherst and the University of Washington.

It is one of four health care research centers established and funded for four years with American Recovery and Reinvestment Act of 2009 funds as part of the $60 million Strategic Healthcare Information Technology Advanced Research Projects on Security (SHARPS) program.
“Our participation in the new SHARPS center reflects the fact that Vanderbilt has become highly visible in the field of health care security and privacy,” said Janos Sztipanovits, director of the Institute for Software Integrated Systems (ISIS) at Vanderbilt’s School of Engineering.
Vanderbilt has gained experience in this area through its participation in the TRUST Science and Technology Center founded in 2006 by the National Science Foundation. The $40 million TRUST Center, whose core members are the University of California, Berkeley; Carnegie Mellon University; Cornell University; Stanford University; and Vanderbilt University, is one of the nation’s leading research consortiums focusing on the scientific foundations of system security and privacy. Vanderbilt has headed up TRUST’s health-care-related program.

See full article at VUCast.

Thursday, May 20, 2010

Andrew Myers net radio interview: "Build security into applications"

Cornell Associate Professor Andrew Myers was interviewed on FederalNewsRadio about "Build security into applications":

"His theme: Software developers generally go about writing programs all wrong, when it comes to cyber security."

"He has come up with a concept called 'secure by design and construction' that designs out cybersecurity vulnerabilities."

"He recently presented his research to the House Subcommittee on Science and Technology."

Tuesday, April 13, 2010

Keeping Medical Data Private

Researchers at Vanderbilt University have developed an algorithm that simultaneously protects privacy of patients while allowing medical records to be used for research on the genetics of disease.

The new method, published online April 12 in the Proceedings of the National Academy of Sciences, simply disguises parts of the medical history data that are not relevant to a geneticist’s specific research question using an algorithm that looks through health records and makes some aspects of them more general.
“We’re hoping that it’s a game-changer,” says Bradley Malin, a biomedical informatics specialist from Vanderbilt University in Nashville who helped develop the method. The problem is, it's not all that difficult to follow a specific set of codes backward and identify a person, says Malin.

See articles in Science News and MIT's Technology Review.

Monday, April 12, 2010

Loose Clicks Sink Ships

By analyzing audio recordings of keystrokes, computer scientists have been able to reconstruct accurate transcripts of what is being typed, including passwords. Compared with more sophisticated types of espionage, it is very easy to do: all that is needed is a cheap microphone and a desktop computer.

While past attempts at writing software to decipher the recorded keyboard sounds have only been at most 80% successful, Doug Tygar and colleagues at the University of California, Berkeley have developed software that achieves 96% accuracy. The software can decode anything, including scrambled ten-character passwords.

Dr. Tygar suggests simply turning up the radio to thwart these auditory invasions. However, since background noise will be ultimately overcome with more sophisticated recording, Tygar recommends that typed passwords be phased out, to be replaced with biometric checks or multiple types of authorization that combine a password with silent verification (e.g., clicking on a pre-selected image in an array of images).

See full article in The Economist.

Friday, April 09, 2010

"How Lenders Overlook the Warning Signs of ID Theft"

Brad Stone's NY Times blog entry "How Lenders Overlook the Warning Signs of ID Theft" discusses Chris Hoofnagle's paper "Internalizing Identity Theft." The abstract for that paper says:

"Why has identity theft remained so prevalent, in light of the development of ever more sophisticated fraud detection tools? Identity theft remains at 2003 levels – 9.9 million Americans fell victim to the crime in 2009."

"One faction explains the identity theft as a problem of a lack of control over personal information. Another argues conversely that identity theft may be caused by a lack of access to personal information by credit grantors. This article presents data from a small sample of identity theft victims to explore a different dimension of the crime, one that suggests alternative interventions."

"Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts."

Stone's article gives an overview of how lenders approved credit applications, "one victim found four of six fraudulent applications submitted in her name contained the wrong address; two contained the wrong phone number and one the wrong date of birth."

Stone's article was also picked up by Slashdot

Thursday, April 01, 2010

'MULE' Prototype Uses Location for Authentication

Researchers at CMU (Carnegie Mellon University) have constructed a location-based encryption model for protecting data in lost or stolen laptops with little or no user interaction or IT administrative overhead.

The so-named Mobile User Location Specific Encryption (MULE) method encrypts only sensitive files on a user's laptop.

In a paper entitled "Mobile User Location-specific Encryption (MULE): Using Your Office as Your Password" the researchers say:
"Our goal is to remove user effort associated with encryption technology while achieving the same or better security compared to traditional password-based approaches. For example, with MULE, a user can securely store encrypted copies of bank records and tax returns on a laptop, and automatically gain access when opening those files in the home office," CMU CyLab technical director Adrian Perrig and CMU graduate student Ahren Studer write in their paper on MULE. "After a thief steals the laptop, the only way to recover the files is to break into the user's home."

See the Tech Center: Insider Threat article in Dark Reading.

Tuesday, February 09, 2010

Security flaw exposed on Home Shopping Network

When a user encountered a possible security flaw exposing customers of a large television shopping network to credit card fraud, ABC's 7 On Your Side contacted UC Berkeley computer security expert Doug Tygar, who suggested that they find out for themselves whether her fears were founded.

The customer tried the 'Shop by Remote' feature on Home Shopping Network but directed her order to be shipped to her sister's address and found she could do so without her sister even knowing about it. This result was brought back to Tygar.
"I didn't believe it," he said. "I was shocked that you could do that, that such an obvious and large hole would be left open."
Tygar says requiring passwords is an industry standard. It is true that HSN requires both a user name and password when customers shop online. However, neither are required with HSN's "Shop by Remote" feature.
"I would imagine they would be able to deploy a password mechanism in a matter of days. It shouldn't take that much effort," Tygar said.

See full article at 7 on Your Side.

Monday, November 16, 2009

Breaking the Botnet Code

UC Berkeley Professor Dawn Song co-presented a talk on Malware and Bots at the Association for Computing Machinery's Conference on Computer and Communications Security this week.

Networks of compromised computers controlled by a central server, known as 'botnets', can be used to systematically spew spam, host malicious code, or flood a network to cut off its access to the Web. Researchers presented a tool at the conference that can decipher the structure and purpose of communications between a control server and its bots through automatic reverse engineering. The researchers parlayed the technique into a tool called Dispatcher that will analyze botnet network communications and even inject new information into the communications stream.

The researchers note that such automated tools are not yet needed for analyzing most malware since more than 90 percent of all botnets use easy-to-break encryption with their communications, making manual techniques rather easy and fast.

Yet botnets will continue to evolve, says UC Professor Song. "Botnet programs are becoming more complicated," she says. "They are using various obfuscation techniques and so on. So maybe manual analysis can work for now, but in the future, we will need better tools."

See article in Technology Review.

Friday, October 23, 2009

UC Berkeley computer science professor and privacy expert, Doug Tygar, consulted about security flaws in CalJOBS website

When "CBS 5 Investigates" discovered a state-run website may be putting hundreds of thousands of Californians at risk of identity theft, they asked UC Berkeley Computer Science professor and privacy expert Doug Tygar to take a look at a problem experienced by laid-off worker Tom Diederich.

Diederich had posted his resume on CalJOBS, the state's job site, as is required for getting unemployment benefits. However, when Diederich logged back in to the site the next day, he saw someone else's information, including their name, where they live, email and phone number. The next time, he got someone else's information and the following 5 or 6 times he logged in, he saw the same info about those other people.
Professor Tygar said, "I consider that to be a serious security breach." Moreover, Tygar was able to get into the site and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said. Just by changing a few numbers in the URL, he was able to go in and change information on people's resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

The glitch that allowed Diederich to click on his bookmark and read other people's resumes appears to be fixed. EDD said their web site team is now following up on the other possible vulnerabilities identified by CBS 5 Investigates. They say if such vulnerabilities are found, they will correct them immediately.

See full story at CBS News.
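The CalJOBS story describes a record fetched by the numeric identifier in the URL without any check that the logged-in user owns it, so changing the number exposes (and, for writes, alters) someone else's data. The following is an added illustration of that defect beside the object-level authorization check that closes it; it is not CalJOBS code, and the record layout, URL shape, account names and sample resumes are all constructed for the example.

```python
"""Added example: a lookup that trusts the id in the URL, next to the
hardened lookup that also verifies ownership. Not CalJOBS code."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Resume:
    resume_id: int
    owner: str      # account that created the record
    name: str
    email: str
    phone: str


# Constructed stand-in for the site's database, keyed by the numeric id
# that appears in the URL.
RESUMES = {
    1001: Resume(1001, "tom", "Tom D.", "tom@example.invalid", "555-0100"),
    1002: Resume(1002, "alice", "Alice A.", "alice@example.invalid", "555-0101"),
}


def parse_resume_path(path: str) -> Optional[int]:
    """'/resume/1002' -> 1002; any other shape -> None."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "resume" and parts[1].isdigit():
        return int(parts[1])
    return None


def lookup_vulnerable(session_user: str, resume_id: int) -> Optional[Resume]:
    """Authentication only: checks that the record exists, never who owns it,
    so any logged-in account can read any record by changing the id."""
    return RESUMES.get(resume_id)


def lookup_hardened(session_user: str, resume_id: int) -> Optional[Resume]:
    """Object-level authorization: the record must belong to the session.
    A foreign record and a missing one get the same answer so the response
    does not reveal which ids exist."""
    rec = RESUMES.get(resume_id)
    if rec is None or rec.owner != session_user:
        return None
    return rec


def handle_get(session_user: str, path: str, hardened: bool = True) -> Tuple[int, Optional[dict]]:
    """Simulated GET handler returning (status, body); `hardened=False`
    reproduces the defect described in the story."""
    rid = parse_resume_path(path)
    if rid is None:
        return 400, None
    lookup = lookup_hardened if hardened else lookup_vulnerable
    rec = lookup(session_user, rid)
    if rec is None:
        return 404, None
    return 200, {"name": rec.name, "email": rec.email, "phone": rec.phone}


def handle_update(session_user: str, path: str, fields: dict) -> int:
    """Simulated write; the same ownership check guards edits, since the
    story notes the data could be changed as well as read."""
    rid = parse_resume_path(path)
    if rid is None:
        return 400
    rec = lookup_hardened(session_user, rid)
    if rec is None:
        return 404
    for key, value in fields.items():
        if key not in ("name", "email", "phone"):
            return 400  # reject attempts to rewrite the owner or the id
        setattr(rec, key, value)
    return 200


if __name__ == "__main__":
    print(handle_get("tom", "/resume/1002", hardened=False))  # defect: Alice's data
    print(handle_get("tom", "/resume/1002"))                  # hardened: (404, None)
```

The check belongs in the single lookup that every read and write path goes through, not in each handler; once `lookup_hardened` is the only way to reach a `Resume`, a new endpoint cannot reintroduce the hole by forgetting the comparison. Logging the denied lookups is also worthwhile, since a burst of 404s for consecutive ids from one session is exactly the pattern this incident would have produced.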

UC Berkeley Professor David Wagner contracted by the state to investigate voting logs

The state of California is conducting a months-long investigation into audit logs inside the state's electronic voting systems after reports of serious problems with the logs, even to the point where an election official or someone else could delete votes while leaving no electronic trail of such action.

According to Secretary of State Debra Bowen, the investigation is examining what the audit logs actually record and whether they can be easily altered or deleted. Bowen, appearing at an event concerning an open source voting project in development, told Threat Level that the state had contracted with David Wagner, a computer scientist with the University of California at Berkeley to investigate what the logs on the Premier/Diebold e-voting system, as well as every other voting system used in California, do and do not record.

See full article in THREAT LEVEL.

Wednesday, September 23, 2009

TRUST Executive Director at launch of UK's new cybersecurity center

The United Kingdom's lead center for cyber security research opens today at Queen's University Belfast. The £30 million Centre for Secure Information Technologies (CSIT) will become the UK's principal center for the development of technology to combat malicious cyber attacks and is one of the first Innovation and Knowledge Centres (IKCs) created in the UK.

Attendance at the Centre's launch of some of the most respected national and international figures in the field of cyber-security, including Larry Rohrbough, Chief Executive of TRUST, the United States' major center in the area of cyber-security at the University of California at Berkeley, highlights the significance of the new Centre to the global communications and IT industries.

Professor John McCanny, CSIT principal investigator, says
"The approach adopted within CSIT contrasts with the more conventional way academic research is undertaken. Our starting points tend to be larger "mission-driven" projects involving sizeable teams for which ambitious and challenging end goals have been identified".

See press release at EurekAlert!.

Wednesday, August 26, 2009

UC Berkeley Professor Ruzena Bajcsy receives Technical Leadership Award

The winner of the Anita Borg Technical Leadership Award, awarded to a woman who has inspired the women's technology community through outstanding technological and social contributions, is Ruzena Bajcsy, Professor of Electrical Engineering at the University of California, Berkeley as well as Director Emerita of the Center for Information Technology Research in the Interest of Society (CITRIS). Dr. Bajcsy has spearheaded new research fields, guided national policy regarding social issues and led the computing community in addressing them.

See press release at MarketWatch.

Wednesday, August 12, 2009

Sequoia e-voting machine commandeered by clever attack

Using a method known as return-oriented programming, computer scientists have figured out how to trick a widely used electronic voting machine into altering tallies by bypassing measures that are supposed to prevent unauthorized code from running on it.

The Sequoia AVC Advantage machine is programmed to execute code only when it's stored on read-only memory chips that are difficult to install and remove. By expressly forbidding running code in random access memory, the intention was to make it impossible for attackers to inject malicious programs that might compromise the integrity of an election.

However, a computer science research team from Princeton, UC San Diego and the University of Michigan succeeded with an attack by first reverse engineering the hardware on a legally purchased Sequoia AVC Advantage and then reverse engineering the software it ran by analyzing the ROM. The research was presented this week at the 2009 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections.
"It's excellent research," said David Wagner, a computer scientist from the University of California at Berkeley who attended the conference. "The research is significant because it illustrates that attacks get better over time and it shows just how difficult it is to protect paperless voting systems."

See article in The Register.

Wednesday, July 29, 2009

Creating the New Cybersecurity Pro; Interview with Cornell Computer Science Professor Fred Schneider

Samuel B. Eckert Professor of Computer Science at Cornell University Fred Schneider believes the future of the IT profession is handicapped by a shortage of academics to provide the training for needed IT security skills.

In an interview with GovInfoSecurity.com, Schneider contends that to produce not only the teachers, but the practitioners themselves, American universities need to create innovative graduate-level programs that provide training that encompasses not only an understanding of IT security technologies, but an understanding of why the technology is needed as well.

Schneider, also a member of the federal government's Information Security and Privacy Advisory Board and co-chair of Microsoft's Trustworthy Computing Academic Advisory Board, says
"In the longer term, when you make cybersecurity technology decisions, you want to make it within the context of things like knowing its effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making and understanding about business models."

See full story and interview transcript in GovInfoSecurity.com.

Wednesday, July 22, 2009

Academic: Wireless sensors can easily measure caloric intake

Shankar Sastry, Dean of Engineering at the University of California Berkeley, was recently interviewed along with Senior Director of Manhattan Research, Monica Levy, by the California Healthcare Foundation's iHealthBeat. Both Sastry and Levy discuss the current state and the promise of wireless-enabled healthcare tools.
“The cell phone is perfect because it’s like a wrist watch you carry around, I think the idea of having access to electronic medical records is transformational in that it changes electronic medical records to be personal health records,” Sastry said. ”So I think that going forward there will be a huge consumer push to be able to both record and analyze data and the cell phones are gradually becoming not just a place for repository and also for analyzing data, but also as a distributive sensor network in the sense that the cell phone can interrogate other sensors which are attached to your body.”
“It’s reasonably easy for us to measure the [caloric] in-take — the out-take has always been way, way difficult, partly because we have such different metabolic rates,” Sastry said. “But I do think with the sensing though you do get a handle on those metabolic rates. So that I think is huge: To be able to then get a sense of how much you are burning up in addition to how much you are taking in.”

See more at mobilehealthnews.com.

Monday, June 15, 2009

Dr. Ruzena Bajcsy to receive HP Innovation Award

Dr. Ruzena Bajcsy, EECS Professor at the University of California, Berkeley, was among Professors selected from around the world to receive an award as part of the second annual HP Labs Innovation Research Program.

The Program is designed to create opportunities for colleges, universities and research institutes for conducting breakthrough collaborative research with HP. Given the significant contributions achieved in last year's program, which includes 61 published papers and 13 invention disclosures, HP extended a second year of funding to 31 professors in 2009.

Awardees will work with HP Labs' researchers on fundamental research areas like intelligent infrastructure, immersive interaction and cloud computing, which includes social computing.

See complete article at TRADINGMARKETS.COM.

Tuesday, June 09, 2009

National cyber security: Cornell's Fred Schneider will testify before Congress

Cornell University Computer Science Professor Fred Schneider, a noted expert on cyber security, will testify at the Hearing on Cyber Security Research and Development on Wednesday, June 10, organized by the Committee on Science and Technology, U.S. House of Representatives.


See announcement in Media Newswire.

Thursday, May 28, 2009

Stanford's Dawson Engler Receives 2008 Grace Hopper Award

TRUST researcher and Stanford University Professor Dawson Engler was awarded the Association for Computing Machinery Grace Murray Hopper Award for 2008.

This prestigious award is given annually to the "outstanding young computer professional of the year" who is selected based on a "single recent major technical or service contribution". Prof. Engler was cited for his groundbreaking work in developing advanced tools and techniques that automate program checking to identify software errors. His approaches based on static analysis, model checking, and symbolic execution have proven very successful at finding bugs in large and complex applications.

Technical papers describing this research are available on Prof. Engler's homepage.

Monday, May 11, 2009

Personal information of thousands of UC Berkeley students, alumni hacked

Approximately a decade's worth of information on current and former UC Berkeley students was stolen by hackers, as announced by the University last Friday. The infractions concerned records dating back to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians.

The thefts were initially discovered about a month ago, but system administrators did not realize the scope of the attack until April 21.

University Associate Vice Chancellor for Information Technology Shelton Waggener said the hackers disguised their work as routine operations and then left taunting messages for UC Berkeley employees. Waggener says that the thieves accessed the information through the University web site.

Stanford University Professor of Computer Science John Mitchell said that thieves worldwide have set up black markets to sell stolen data, adding that Asia, Eastern Europe and Nigeria have particularly active hackers. Mitchell also stated that the taunting messages left by the Berkeley thieves may indicate they are amateurs.
"If your intent is to steal information and sell it on the black market, you're probably not going to call attention to yourself like that," he said. "It could be that these are kids."


See more in The Daily Review.

Wednesday, April 29, 2009

Momentum Shifts Against Google in Old Books Controversy

BNET media relates several new developments in the class action suit between Google and some authors over who will control publishing rights of millions of out-of-print books.

One of the leading legal experts on issues of intellectual property rights, UC Berkeley Professor Pamela Samuelson has written a powerful argument to the presiding judge in the case, U.S. District Judge Denny Chin. Judge Chin himself has also announced that he is extending the deadline for those wishing to oppose the settlement by four months, from May 4 to September 4.

The Justice Department is checking out the antitrust implications of the arrangements made between Google and groups representing publishers and authors, where it would be possible for millions more books to be included in Google Book Search unless the copyright holders take steps to opt out.
A larger issue to those who were not party to the deal concerns the large number of "orphan works", those whose rights holders cannot be identified.
“The proposed settlement of this lawsuit is a privately negotiated compulsory license primarily designed to monetize millions of orphan works,” wrote Professor Samuelson. “[It] would give Google a monopoly on the largest digital library of books in the world. It and BRR, which will also be a monopoly, will have considerable freedom to set prices and terms and conditions for Book Search’s commercial services. … Google will also be the only service lawfully able to sell orphan books and monetize them through subscriptions.”


See more on this story at Good Morning Silicon Valley, Los Angeles Times, and Silicon Beat.

Monday, April 20, 2009

Google Books Rival Objects to Settlement

San Francisco's digital library Internet Archive opposes the current 125 million dollar Google settlement with authors and publishers that gives Google the rights to scan and sell books on the Internet.

Dismay at the fate of orphan works, estimated at some 70 percent of books being scanned, is mounting as the May 5 deadline for objections to the settlement nears.

UC-Berkeley School of Law professor Pamela Samuelson said the issue of orphaned works should be handled by legislators, not as a settlement in a class action.
"Usually if you want a compulsory license you have to go to Congress," she said.
Professor Samuelson favors a scenario in which the Internet Archive, as well as other digital libraries in addition to Google, would get a license to scan the books and make them available online.
"I hadn't expected them to intervene," she said. "It's an interesting development -- it's going to be interesting to see how it turns out."

See more at Law.com .

Friday, April 10, 2009

Copyright Scholar Challenges RIAA/DOJ Position

Slashdot refers to an article in New York Country Lawyer about UC Berkeley Professor Pamela Samuelson, leading copyright law scholar, publishing a 'working paper' that argues directly against the stand taken by the US Department of Justice in RIAA cases on the constitutionality of the RIAA's statutory damages theories. The Department of Justice has argued that the Court should follow a 1919 United States Supreme Court case upholding the constitutionality of a statutory damages award that was 116 times the actual damages borne, under a statute that gave consumers a right of action against railway companies.

The paper discusses, in depth, a number of issues regarding statutory damages under the Copyright Act and also concludes that the State Farm/Gore due process test is applicable to statutory damage awards under the Copyright Act.

This position is consistent with that taken in the amicus curiae brief filed by the Free Software Foundation in an earlier RIAA case defending the defendant's Due Process defense to the RIAA's claim for statutory damages, and contradicts the Department of Justice briefs, arguing that the Gore due process test applies.

See the complete working paper, Statutory Damages in Copyright Law: A Remedy in Need of Reform, by Pamela Samuelson and Tara Wheatland.

The DOJ's intervention last month on behalf of the RIAA was covered in a Slashdot posting Obama DOJ Sides with RIAA.

Tuesday, April 07, 2009

Google’s Plan for Out-of-Print Books Is Challenged

Slashdot mentions an article in the New York Times about a growing tide of complaints against Google in response to an extensive settlement that some feel will grant the mammoth company too much control over the "orphan books" they have been scanning into digital format. The settlement could give Google near-exclusivity with respect to the copyright of books that the author and publisher have basically abandoned. They may be out of print but while they remain under copyright, the rights holders are unknown or cannot be found.
“No other company can realistically get an equivalent license,” said Pamela Samuelson, a professor at the University of California, Berkeley, and co-director of the Berkeley Center for Law and Technology.
Critics say that without the orphan books, no competitor will ever be able to compile the comprehensive online library Google intends to create. Without competition, Google will be able to charge universities and others a high price for access to its database.

While most of the critics, including copyright specialists, antitrust scholars and some librarians, agree that the public will benefit, they say others should also have rights to orphan works.

See complete article in the New York Times.

Monday, March 09, 2009

Do Breach Notification Laws Work?

Deirdre Mulligan, professor of information technology law and policy at UC Berkeley's School of Information, was one of several speakers at a Security Breach Notification symposium held in Berkeley last Friday. The symposium's directive was to try to answer the question of whether breach notification laws are actually working.

California passed the first data breach notification law in 2003, which quickly became the standard for the rest of the country. While it is clear that the laws have made the public more aware of the vulnerability of their data and have exposed poor security practices at many a business, it is unclear what other benefits the laws have had. Breach notifications should, in theory, reduce incidence of identity theft or fraudulent charges to credit cards if consumers take proper precautions when they receive a notification, as with a fraud alert or a freeze on their credit account because of suspicious transactions.

There are also other questions to ask about what effect breach notifications have on the relationship between the customer and the breached organization. While consumers often express anger and mistrust toward companies that lose their data, it is unclear how often that mistrust actually translates to action.

According to Professor Mulligan, a Ponemon study found that about 20 percent of respondents claimed to have terminated their relationship with a company after discovering the company experienced a breach. But a separate survey of companies found that the percentage of customers who actually do terminate their relationship is less than 7 percent. Both numbers need to be taken with a grain of salt.
"Consumers have a tendency to say they're going to do one thing when they actually do another," says Mulligan, "and companies also can't be relied on to honestly report the numbers of customers they lose from a breach."

See full article in Wired.

Monday, March 02, 2009

Shankar Sastry interviewed on Federal News Radio

Dr. Shankar Sastry, Dean of the College of Engineering at the University of California, Berkeley, was interviewed by Tom Temin for 'Federal Security Spotlight' on Federal News Radio in his role as director of the Team for Research in Ubiquitous Secure Technologies (TRUST).

Sastry described how TRUST, funded by the National Science Foundation and housed at the University of California at Berkeley, was formed as a team of some of the best minds from UC Berkeley, Vanderbilt, Cornell, Carnegie-Mellon and Stanford Universities, with Smith, San Jose State University and Mills College as outreach partners, to examine the interconnection between cyber infrastructure and physical infrastructure. The complex interplay of component technology, policy, law, privacy issues and economic considerations is the motivation for putting together the TRUST Center.

Prof. Sastry described how initially it was the internet that was the primary security concern, with various worms and viruses emerging, but as time went on, power, water, telecommunications and other physical infrastructures also became implicated in security concerns.

Temin raised the issue of security and health-care concerns with electronic medical records/personal health records. The issues, according to Prof. Sastry, are about trying to make sure that (a) we can collect this information and (b) we can make the information available without all the paperwork. Having the data available to the patient is also an objective.

"The issues of privacy and selective disclosure is a subject of some debate", says Sastry. "I think there are legitimate needs for the medical industry to learn about, say, the efficacy of certain drugs", but there is also a tension between personal and medical records that are seen by many entities, billing, pharmaceuticals, different kinds of doctors, he says. Sastry observed the need to stop any 'mining' of this information and a need to be able to stop a 'fishing expedition' in this area.

Trust research is focusing on both the security and the privacy of patients as well as the possibility of a patient 'customizing' their records to make some records available to their doctors only.

Another area of research involves wireless networking vulnerabilities. Sastry describes a scenario where we will literally have 1,000 radios around people, controlling the physical environment by means of embedded RFIDs and wireless sensor networks, evolving to a future of computation on wireless devices. Dr. Sastry says we need a reliable and secure medium for a wireless network. Wireless airwaves are not as reliable as a wired infrastructure because they are susceptible to jamming, to retransmission, etc.

A secure communications medium interacts with privacy and security. The privacy agenda enters in subtle ways in that by anonymizing the data, for example with real-time traffic monitoring via cellphone, it is not subverted as a means of tracking someone as they are driving in traffic. Cellphones will be used more and more as sensor networks.

Sastry described TRUST's mission as deriving security solutions in a principled way that is not reactive, as with the cat-and-mouse pattern of attacks followed by solutions followed by new attacks as has been the case thus far.

To listen to the complete interview (in 3 parts), go to Federal News Radio.

Wednesday, February 11, 2009

D.A. considers 211 cases of possible voter fraud

The Orange County, California District Attorney's Office is investigating 211 possible cases of voter fraud in the November 4th presidential election. Registrar of Voters Neal Kelley sent the list after his office used computer databases to search for cases where one person submitted more than one ballot. Kelley says that history shows that most instances of double voting are unintentional as with a voter that submits two absentee ballots, or an absentee ballot in addition to voting at the polls.

UC Berkeley Professor David Wagner, who studies electronic voting security says that post-election audits across the state have improved recently under the heightened scrutiny of state and local officials.
"It's important for transparency because it gives voters more confidence that the right person won," Wagner said. "The big picture is the whole state of California is in good shape."
Wagner stated that these registration errors should be fixed for future elections but that it is not something that's going to affect the outcome of an election, since it is an issue of such small scale.

See complete article in OC Register.

Monday, January 26, 2009

Phone security is much better, says UC Berkeley Professor

The Akron Beacon Journal relayed comments by UC Berkeley Professor David Wagner, regarding current telephone security. When asked if there were any difference in security between using a corded phone and a cell phone, Wagner replied
"Assuming your cell phone is digital, there's not enough difference to worry about. Back when cell phones were analog, eavesdropping was easy." However today most cell phones are digital and while eavesdropping with a digital cell phone is possible, "it's pretty much out of the reach of casual interception," he said.

Wagner notes that wired phones aren't completely secure either, but said both digital cell phones and wired phones are secure enough for most people to use for everyday business. In truth, the weakest aspect of cell-phone use is the frequency of having sensitive conversations in public places without thinking about being overheard.

See more at Ohio.com.

Friday, December 19, 2008

Experts debate: Is DRM good or bad for consumers?

COMPUTERWORLD ran a story about the FTC's discussion about the controversial DRM (digital rights management) technology possibly benefiting consumers because it could give them more choices for downloading or buying copyrighted content. Others on a panel discussion about new technology products are not convinced however.
Until DRM matured, consumers had control over how they used digital content, noted Deirdre Mulligan, director of the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley, Law School. DRM is creating a "permission culture" where consumers have to ask the copyright owner's permission to play a piece of music on both a home computer and a car stereo, she said.

Until DRM, "there was a lot of breathing space in copyright law," she added.

In addition, many consumers don't understand DRM restrictions, and they're surprised when a CD that works on a home stereo can't be played somewhere else, she said. Vendors offer "little disclosure about how consumers can use" DRM-protected content, she said.

See full article at COMPUTERWORLD.

Friday, November 14, 2008

Shankar Sastry to discuss UC Berkeley's initiatives at its first Global Technology Leaders Conference

A press release came out yesterday in the Wall Street Journal's online MarketWatch announcing UC Berkeley as host of the inaugural A. Richard Newton Global Technology Leaders Conference on Thursday, November 20th.

The conference will bring together notable entrepreneurs, scientists and researchers to discuss the world's most overarching challenges and ascertain pathways to solution in the health sciences, energy and technology fields. Dean of UC Berkeley's College of Engineering, Shankar Sastry, will discuss Berkeley's initiatives in these areas. Alberto Sangiovanni-Vincentelli, professor in Electrical Engineering and Computer Sciences at Berkeley, will deliver the keynote address, "The Future of the Future."

The conference is being held during Global Entrepreneurship Week and is sponsored by the Ewing Marion Kauffman Foundation; the group's goal is to develop a roadmap leading to new industries in energy, technology and health care.
"It is fitting to launch this annual series during a week that seeks to inspire young people to be innovative and entrepreneurial," said Lesa Mitchell, vice president, Advancing Innovation, Kauffman Foundation.

See complete story in MarketWatch.

Thursday, November 13, 2008

Improving the Count; Prof. David Wagner, others pose solutions for better election system

The Boulder Daily Camera ran an article Sunday regarding problems with voting systems in general and in Boulder County specifically. Although Boulder County Commissioners agreed to spend $1.4 million on optical scanning equipment in 2004, it didn't take long for problems that still follow the county's election process to show up. In August 2004, Boulder County lagged hours behind other Colorado counties. Worse, poorly printed ballots delayed election results for 72 hours in November 2004.
“If the proper maintenance and everything else is being done to (the scanners), this is the voting system we should be using,” said John Gideon, co-director of VotersUnite!, a non-partisan group that has been logging errors on all kinds of voting machines.
Computer scientist David Wagner of the University of California at Berkeley who studies electronic voting machines, agrees.
“Right now, I think optical scan systems are probably the most mature, reliable technology on the market,” he said. “Boulder got the best technology on the market. ... None of the voting systems are perfect, and they all have their limitations.”

See full story in The Boulder Daily Camera.

Wednesday, November 12, 2008

Profitability of spam finally measured

ZDNet posted an article about a key paper presented at this year's ACM Conference on Computer and Communication Security. A team of researchers, including UC Berkeley Professor Vern Paxson, used somewhat aggressive tactics to collect data that measures the conversion rate, or the rate at which an advertising impression results in a product sale, for spam. They essentially hijacked a portion of the notorious Storm botnet to inject spam that contained links to domains and storefronts they controlled.

The team's data has shown that generating 28 sales, at an average of $100 each, of various "male-enhancement" products required 350 million separate spam messages. This implies a yearly revenue rate for the Storm botnet's pharmaceutical sales of around $3.5 million.

See complete article at ZDNet.

Tuesday, November 04, 2008

What Could Possibly Go Wrong?

An article came out today in PCWorld regarding the progress of E-voting technology since the 2000 U.S. presidential election, although it has taken a rather zig-zagged path. After Congress passed the 2002 Help America Vote Act (HAVA), counties spent billions of dollars upgrading to new electronic voting machines, many of which were dumped when it was determined that they were either unusable or untrustworthy.

Machine malfunctions, touch-screen calibration errors, training problems with unskilled poll workers or human error on the part of the voter all impact on an election's outcome. All of the above notwithstanding, University of California computer science professor David Wagner states that bad design choices could be ferreted out if the federal government included user-interface testing as part of the certification process.

Proposed next-generation voting standards would require this type of testing, but it is not clear that these standards will be adopted, Wagner said. The Berkeley professor also said he will be watching these voter registration databases closely today.
"I don't know what to expect," he said. "Everything could go smoothly, or we could have a substantial fraction of voters who show up on Election Day, think they're registered and are told that there is some problem with their registration."

See article today in PCWorld.

Wednesday, October 29, 2008

David Wagner quoted in article on new trend in voting technology

In an article written by freelance technology journalist Cyrus Farivar, the concept of using cryptography for what is being called end-to-end voter-verifiability is described and analyzed.

In order for public officials to definitively show that the proposed cryptography works as it should, they would have to provide an advanced mathematical proof, or "zero-sum proof" as it is known, whose sheer size would preclude printing it on the ballot.

Among the several academics Farivar interviewed about the new cryptographic approach involved in voter-verifiable systems, Farivar quotes UC Berkeley Professor David Wagner who asks
"Will voters accept something that uses mathematics that they won't understand?"

See details in machinist.

Tuesday, September 16, 2008

Stephen Maurer quoted in New Scientist on DNA and Terrorism

Stephen Maurer, Director of the Goldman School Project on Information Technology and Homeland Security ("ITHS") and member of TRUST, was quoted in the New Scientist September 14, 2008 article, "DNA firms step up security over bioterrorism threat," which discusses efforts to counter fears that terrorists could make deadly viruses by ordering genetic material from corporations. Maurer is quoted as saying, "The fact that they're going to share their experiences is really important." Maurer helped write the industry guidelines.

Thursday, September 11, 2008

UC Berkeley Professor Doug Tygar called in as expert witness for the defense

Slashdot recounts a story published in NETWORKWORLD about the latest twist in the bizarre story of the rogue network administrator that hijacked the city's network in the last two months. With costs estimated at $1 million, city officials say they are trying to locate a mysterious networking device hidden somewhere in the network.

This device, which is referred to as a "terminal server" in court documents actually appears to be a router that was installed to provide remote access to the city's Fiber WAN network, which connects municipal computer and telecommunication systems throughout the city. The router was discovered on Aug. 28. When investigators tried to log in to the device, they were greeted with what appears to be a router login prompt and warning message saying "This system is the personal property of Terry S. Childs." Childs, a network administrator with DTIS was arrested June 12 on charges of network tampering after he refused to provide his superiors with administrative access to the city of San Francisco's network, which he'd managed for the past five years.

In a report filed before the city disclosed the hidden router, a court-appointed expert witness for the defense wrote that DTIS could easily prevent Childs from accessing the networks.
"I have seen no evidence that Mr. Childs is a 'computer hacker,' and by taking a number of simple steps, DTIS could block access by Mr. Childs to San Francisco networks," wrote Doug Tygar, a University of California, Berkeley computer science professor.

Childs' next appearance is set for September 24th, when he'll face up to seven years in prison if convicted.

For the complete story, see NETWORKWORLD.

Thursday, September 04, 2008

Samuelson quoted about copyright and electronic access to CA laws

In a September 3, 2008 Santa Rosa Press Democrat article, "He's giving you access, one document at a time," concerning efforts to make California laws more accessible on-line, Professor Pam Samuelson was quoted:

"If it's the law, the public should have access to it," she said.

Samuelson points out that the idea of copyright was established to provide people incentive to create. People are given exclusive legal rights to their paintings, writings and other works because by selling those rights they can attempt to make a living.

There is no similar need for financial incentives to establish standards such as building codes, Samuelson said. For the most part, volunteers spend long hours drafting proposed standards for things like plumbing and building. Governments often take those standards and adopt them into law.

Once the standards become law, she doesn't think people can claim copyright protections. But like Malamud, she sees the courts making the final ruling.

"I don't think it's an airtight case for either side. But I think the law favors that if something is a law, it's in the public domain," she said.


9/29/08 Update: This article has been picked up by the San Francisco Chronicle (9/27/08) and the NY Times (9/29/08).

Friday, August 29, 2008

TRUST Supports Undergraduate Security Research Experience

The Daily Californian ran an article on the UC Berkeley Summer Undergraduate Program in Engineering Research at Berkeley (SUPERB) program, including a group hosted by the TRUST Center. Led by Professor David Wagner and a group of graduate student mentors, the SUPERB-TRUST participants got firsthand experience conducting research into security vulnerabilities of software applications as well as general exposure to working in a university research environment.

Monday, August 25, 2008

Plug-in opens door for self-signed SSL certs in Firefox 3

An online posting of an article in INFORMATION SECURITY MAGAZINE appeared Friday about the release of a software plugin developed by CMU Professors Adrian Perrig and Dave Anderson along with Ph.D. student Dan Wendlandt. The plugin, part of a system called Perspectives, was designed to relieve some of the anxiety surrounding Mozilla Corp's decision to have Firefox 3 block sites that present either self-signed or expired SSL digital certificates.

The Perspectives system relies on a set of servers that repeatedly probe websites and record the public keys each site presents over time. If those servers can confirm that the same key has been returned for a requested site for a predetermined period of time, Perspectives will override Firefox 3's default block on the site and allow the user to proceed.

See SearchSecurity.com for details.
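The consistency rule described above, as an added example rather than code from the Perspectives project: a client-side check that accepts a site's key only when enough monitoring servers (Perspectives calls them notaries) have each seen that same key continuously for a minimum period. The data class, function names, thresholds and the sample key history are all constructed for illustration.

```python
"""Added Perspectives-style key consistency check (illustrative, not the
project's own code). Names, thresholds and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    """A monitoring server's record: it saw `key` (a fingerprint) for
    `host` continuously from `first_seen` through `last_seen`."""
    notary: str
    host: str
    key: str
    first_seen: datetime
    last_seen: datetime


def vouching_notaries(observations, host, presented_key, now,
                      staleness=timedelta(days=1)):
    """Map notary -> how long it has continuously seen `presented_key` for
    `host`, counting only notaries whose newest record for the host is
    recent (within `staleness`) and is for this very key.

    A notary whose newest record shows a different key does not vouch: from
    its vantage point the presented key is not what the site serves. A notary
    with no fresh record is treated as silent, not as agreeing, so blocking
    the notaries from a client's path cannot manufacture consensus."""
    newest = {}
    for ob in observations:
        if ob.host != host:
            continue
        seen = newest.get(ob.notary)
        if seen is None or ob.last_seen > seen.last_seen:
            newest[ob.notary] = ob
    vouch = {}
    for notary, ob in newest.items():
        if now - ob.last_seen > staleness:
            continue
        if ob.key == presented_key:
            vouch[notary] = ob.last_seen - ob.first_seen
    return vouch


def accept_key(observations, host, presented_key, now, quorum, min_duration):
    """Override rule: allow the connection only if at least `quorum` notaries
    have each seen `presented_key` for `host` for at least `min_duration`
    (the article's "predetermined period of time")."""
    vouch = vouching_notaries(observations, host, presented_key, now)
    consistent = [n for n, span in vouch.items() if span >= min_duration]
    return len(consistent) >= quorum


# Constructed sample history for a hypothetical host: three notaries have seen
# key AA:BB for weeks; a fourth just started seeing CC:DD (what a fresh key
# rotation, or an interposed key on one network path, looks like); a fifth
# stopped reporting days ago and is therefore ignored.
NOW = datetime(2008, 8, 25, 12, 0)
H = "example.test"
HISTORY = [
    Observation("n1", H, "AA:BB", datetime(2008, 8, 1), datetime(2008, 8, 25, 11)),
    Observation("n2", H, "AA:BB", datetime(2008, 8, 1), datetime(2008, 8, 25, 10)),
    Observation("n3", H, "AA:BB", datetime(2008, 8, 3), datetime(2008, 8, 25, 9)),
    Observation("n4", H, "AA:BB", datetime(2008, 8, 1), datetime(2008, 8, 24, 6)),
    Observation("n4", H, "CC:DD", datetime(2008, 8, 24, 6), datetime(2008, 8, 25, 8)),
    Observation("n5", H, "AA:BB", datetime(2008, 8, 1), datetime(2008, 8, 20)),
]
QUORUM, MIN_DURATION = 3, timedelta(days=7)


def main():
    for key in ("AA:BB", "CC:DD"):
        ok = accept_key(HISTORY, H, key, NOW, QUORUM, MIN_DURATION)
        print(f"{key}: {'allow' if ok else 'keep the Firefox block'}")


if __name__ == "__main__":
    main()
```

A legitimately rotated key is rejected until it has been observed for the full period, which is the trade-off the scheme makes for catching a key that only one vantage point sees.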

Friday, August 15, 2008

University of California, Berkeley Prof. Bajcsy wins Innovation Research Award

Hewlett Packard announced the 41 professors it has chosen to receive its HP Labs Innovation Research Awards, which fund joint research projects between academic research institutions throughout the world and HP Labs.

Drs. Ruzena Bajcsy and Van P. Carey, of the University of California, Berkeley were among the 41 professors selected.
"Deepening HP Labs' strategic collaboration with those in academia, government and the commercial sector ensures HP's research endeavors result in high-impact research that meets the scientific and business objectives of HP and its partners," said Prith Banerjee, senior vice president, Research, HP, and director, HP Labs. "The professors' deep technical expertise, HP Labs researchers' domain and industry knowledge, and governments' abilities to fund innovative research will come together to address the world's most complex IT challenges."
See the complete story at MarketWatch.

Transit agency wants MIT students to stay gagged

The Electronic Frontier Foundation is providing legal defense for three MIT students prohibited from discussing vulnerabilities they discovered in subway card security by an order a District Court Judge issued at the request of the Massachusetts Bay Transportation Authority.

The EFF has enlisted some high-profile academics, including UC Berkeley's David Wagner, to strengthen the case that the restraining order is antithetical to security research.

Security researchers are watching this case carefully because it could ultimately set a precedent weighing First Amendment rights to publish freely against a vendor's desire to keep embarrassing and potentially explosive details secret.

Prof. Wagner and several other high-profile academics signed a letter to the judge on Monday that says:
We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure. We urge that you reconsider and remove the temporary restraining order issued on August 10, 2008.
See the full story at cnet.news.com.

Wednesday, August 13, 2008

Research improves recognition software

On August 12, 2008, Allen Yang was featured on KGO TV in a segment titled, "Research improves recognition software".

Monday, August 11, 2008

NIST Advisory Group Welcomes Berkeley Professor

It was recently announced that electrical engineering and computer science professor at the University of California, Berkeley, Ruzena Bajcsy, has been selected to serve on the primary private-sector policy advisory body of the National Institute of Standards and Technology (NIST). Dr. Bajcsy's appointment to the agency's Visiting Committee on Advanced Technology (VCAT) was announced by NIST's deputy director, James M. Turner.

Bajcsy's research areas include artificial intelligence, robotics, biosystems and computational biology, and human-computer interaction. She is director emeritus of the Center for Information Technology Research in the Interest of Society (CITRIS), a UC Berkeley-based public-private partnership that develops information technology solutions to social, environmental and health care issues.

See press release in ThomasNet Industrial Newsroom.

Wednesday, June 04, 2008

Professor Anthony Joseph elected to the ACM

UC Berkeley Professor Anthony Joseph has been elected to the Association for Computing Machinery Council as Member-At-Large. Elected members are recognized for significant accomplishments or for achieving significant impact on the computing field.

Wednesday, April 30, 2008

UC Berkeley Professor Ruzena Bajcsy elected to American Academy of Arts & Sciences

A press release issued by UCBerkeleyNews announced that University of California Berkeley Professor Ruzena Bajcsy has been elected to the American Academy of Arts & Sciences.
"The Academy honors excellence by electing to membership remarkable men and women who have made preeminent contributions to their fields, and to the world," academy president Emilio Bizzi said in a prepared statement.
The American Academy of Arts & Sciences is one of the nation's oldest and most prestigious honorary societies and independent policy research centers.

Friday, April 25, 2008

Automatic Patch-Based Exploit Generation is Possible: Techniques and Implementations

Monday, April 14, 2008

Electronic Voting at the RSA Conference

The RSA Conference April 7-11, 2008 in San Francisco resulted in a few news items about the work of David Wagner.
  • On April 10, CNet's article, "Expert says flawed e-voting systems need constant audits," discusses Wagner's voting machine audit proposal.
  • On April 10, SecurityFocus' article, "Researchers tell voting firms, time for a truce," discusses efforts by security researchers and voting machine vendors to work together. Wagner is quoted: "Voting system vendors are, today, where Microsoft was ten years ago."
  • On April 11, ABC News had an article about threats to the upcoming US Presidential Election. The same article appears at PC World.
  • Update: On April 11, The Register's article, "Where were you when you learned e-voting was unreliable?" presents another view on the conference.
  • Update: On April 16, Cringely discusses the issue with, "Voting accidents and other avoidable tragedies."

    Tuesday, March 25, 2008

    Engineers Test Highly Accurate Face Recognition

    The work of postdoctoral researcher Allen Yang, of Professor Shankar Sastry's Heterogeneous Sensor Network (HSN) group at the University of California, Berkeley, is the subject of an article in Wired magazine. The article describes a new facial-recognition algorithm that Yang created with the help of researchers at both UC Berkeley and the University of Illinois at Urbana-Champaign.

    "Most algorithms use what's known as meaningful facial features to recognize people, things like the eyes, nose and mouth," says Dr. Yang. "But that's incredibly limiting because you're only looking at pixels from a designated portion of the face and those pixels end up being much smaller than the whole image. Our algorithm shows that you only need to randomly select pixels from anywhere on the face. If you select enough of them, you can produce extremely high accuracy."

    Yang's new algorithm may signal a quantum leap in face-recognition technology. Professor Sastry, dean of UC Berkeley's College of Engineering, notes that Yang's new method obsolesces years of research in this field.

    The new technique could have a profound impact in many areas, with new models for online advertising, new ways of annotating video and still images, and new techniques for identifying people in public places.

    See the complete article in Wired.

    Thursday, March 20, 2008

    Debugging Election Codes

    An announcement on UC Berkeley's Electrical Engineering and Computer Sciences website tells of an article featuring David Wagner in the March issue of a Berkeley Engineering publication about his work reviewing voting machine systems code.

    Professor Wagner, as the Principal Investigator of a joint UC Berkeley-UC Davis project commissioned by California Secretary of State Debra Bowen, led a team whose comprehensive examination found major vulnerabilities in voting machine systems.

    While the machines were questioned immediately by grassroots activists, mainstream politics and media viewed their concerns about voting machine security as mere lunatic fringe behavior. However, according to Wagner, forward-thinking election officials changed this opinion. "Some elections officers took the activists' concerns seriously and forced these vendors to pry open the covers and hand over the source code," Wagner recalls. "That's what made it real; we could actually examine the code, so it wasn't just speculation anymore."

    While Wagner's review prompted Bowen to limit the machines to one per polling place, a well-designed electronic voting machine could be a benefit to democracy.

    See details in Innovations.

    Friday, March 07, 2008

    Ranking Corporate America on Identity Theft

    The New York Times covered a report compiled by Chris Hoofnagle at the Berkeley Center for Law and Technology at the University of California at Berkeley on the institutions most frequently cited by consumers in fraud complaints.

    The country's largest banks and phone companies showed up most frequently, of course. To account for size, Mr. Hoofnagle factored in the total amount of deposits per institution as of Dec. 31, 2006.

    Mr. Hoofnagle said he believed the study was an important step in creating an "identity theft marketplace" for consumers.

    "I've been working for years to try to spark a market, a true market, for competition on preventing fraud," he said. "Some of these institutions have attempted to compete based on advertisements, but I'm a real believer in the idea that if you give consumers information, they can make better decisions."

    For the complete report, see Measuring Identity Theft at Top Banks.

    Friday, February 01, 2008

    Demands for Personal Information Controls on Social Networking Sites Increase

    A Wall Street Journal article discusses the effects on online privacy of services offered on social networking sites such as Facebook and MySpace.

    In the article, Jennifer King, TRUST security and privacy researcher and clinical research specialist at the UC Berkeley Samuelson Law, Technology & Public Policy Clinic, weighs in on the data-sharing implications of such sites and offers advice to users about keeping their personal information and online activity more private.

    Thursday, January 31, 2008

    TRUST Spring 2008 Conference: April 2-3, 2008

    The next TRUST Conference will be held April 2-3, 2008 at the Claremont Resort & Spa in Berkeley, CA.

    The schedule is to have a full day (~8:00 AM to 5:00 PM) April 2 and a half day (~8:00 AM to 12:00 PM) April 3.

    This event will provide you with an opportunity to hear firsthand about the work of TRUST faculty and students, specifically activities that:

    • Advance a leading-edge research agenda to improve the state-of-the-art in cybersecurity and critical infrastructure protection;

    • Develop a robust education plan to teach the next generation of computer scientists, engineers, and social scientists; and

    • Pursue knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

    For more information, see the Conference Page.

    Monday, December 17, 2007

    A Legal Analysis of the Sony BMG Rootkit Debacle

    Deirdre Mulligan and Aaron Perzanowski of the Berkeley Center for Law & Technology published an article on Sony BMG's deployment of digital rights management (DRM) systems that threaten the security of its customers' computers and the integrity of the information infrastructure in general. The DRM systems were released by Sony BMG on millions of Compact Discs in late 2005.

    A summary of the article can be found in Slashdot.

    Friday, December 14, 2007

    CPO Panel Highlights Privacy Challenges

    On Wednesday, December 12, TRUST Policy Director Deirdre K. Mulligan participated in a panel of privacy experts for a discussion on Privacy and the Network of You. The event was hosted by Sun Microsystems and moderated by National Public Radio’s Dr. Moira Gunn. Panelists from industry, academia, and the State of California discussed a number of challenges to personal privacy, data protection, and information security as well as recent events such as the large number of data breach incidents and identity theft cases.

    Prof. Mulligan, the Director of the Samuelson Law, Technology & Public Policy Clinic and a Clinical Professor of Law at UC Berkeley, was joined by Chief Privacy Officers from Agilent, Intuit, and Sun as well as the Chief of the California Office of Privacy Protection.

    Monday, December 10, 2007

    CSO Perspective on Security Breach Notification Laws

    The Samuelson Law, Technology & Public Policy Clinic at UC Berkeley released a study on the effects of security breach notification laws in the United States. The study, co-funded by TRUST, is based on a thorough literature review as well as in-depth interviews with several Chief Information Security Officers (or their equivalents) from various industries. The CISO interviews provide insight into internal organizational structure around security investment decisions, regulatory and market factors that affect investment decisions, organizational responses to the enactment of security breach notification laws, market effects of security breaches, and industry best practices. This study is part of an ongoing effort to inform public policy with research into how businesses are affected by privacy law.

    Engineers Learning People Skills, Too

    Shankar Sastry is quoted in an Associated Press article yesterday about a shift toward producing engineering graduates who are not only technically capable but able to communicate their expertise effectively.

    Dean of the College of Engineering and Director of TRUST, Sastry is asking professors to take a more Socratic approach to teaching, that is, more discussion and less rote drilling.

    "The days of boot camp -- where we say 'Thou shalt study physics and mathematics and, oh by the way, you'll find out what's going to come out of this next year or the year after' -- I think are gone," says Sastry.

    Tuesday, December 04, 2007

    Applications for SECuR-IT, WISE and SUPERB available until January 31, 2008

    Applications to three summer TRUST programs are now being taken. The closing date for applications is January 31, 2008. The three programs are:

    Summer Experience, Colloquium and Research in Information Technology at Stanford University and San Jose State University (SECuR-IT)
    June 2 to August 8, 2008: Stanford & San Jose
    Deadline for applications: January 31, 2008

    Summer Undergraduate Program in Engineering Research at Berkeley (SUPERB)
    June 9 - August 01, 2008: Berkeley
    Deadline for applications: January 31, 2008

    Women’s Institute in Summer Enrichment (WISE)
    June 8th through 13th, 2008: Ithaca, New York
    Deadline for applications: March 31, 2008

    Friday, November 16, 2007

    FaceBook: Giving Personal Info for Profit?

    Facebook, the Internet social networking site, has decided to allow companies to create personalized ads for account holders (which number more than 50 million active users) with their friends' profile pictures attached. Professor Ken Birman, computer science, and a member of the Team for Research in Ubiquitous Secure Technology (TRUST) thinks that Facebook's announcement is another step on an already slippery slope toward a lack of social privacy.

    Professor Birman said "I worry that we're gradually creating the world of Minority Report", referring to the futuristic sci-fi film where passersby are tracked as they move and are assailed with personalized advertising projected on walls. "We're witnessing a massive erosion of privacy, and society as a whole seems to be accepting this trend without even questioning it."

    For the complete article see the Nov. 14th issue of the Cornell Daily Sun.

    Thursday, October 25, 2007

    Stanford/TRUST faculty offer Advanced Computer Security Certificate Online: What You Don’t Know Can Hurt You

    TRUST faculty Dan Boneh and John Mitchell have developed an Advanced Computer Security Certificate that can be taken as online classes. The BusinessWire article states:
    "Specific topics covered include secure software design, buffer overflows, SQL injection attacks, authentication, access control, data integrity, symmetric encryption, public-key cryptography, and more. The Advanced Computer Security certificate program requires six courses, three core and three electives. The instructors regularly update the content. Each course is self-paced and approximately six hours long, and is available at any time. Detailed information about the program is found at http://proed.stanford.edu/?security."

    Security Focus Interviews Adam Barth about DNS Rebinding

    Security Focus has an interview with TRUST's Adam Barth, "Rebinding attacks unbound." Adam is quoted as saying:
    "I'm a Ph.D. student at Stanford University and a member of the Stanford Web Security Lab. Collin Jackson, Andrew Bortz, Weidong Shao, Dan Boneh, and I are presenting a paper at the 2007 ACM Conference on Computer and Communications Security, detailing how to protect browsers from DNS rebinding attacks."

    Wednesday, October 17, 2007

    Adrian Perrig Leads Research Team Dedicated To Analyzing and Disrupting Internet Attackers' Black Markets

    TRUST researcher Adrian Perrig's work is highlighted in a CMU press release: "Carnegie Mellon's Adrian Perrig Leads Research Team Dedicated To Analyzing and Disrupting Internet Attackers' Black Markets." The work, done in conjunction with Vern Paxson and others, is described as:
    To stem the flow of stolen credit cards and identity data, Carnegie Mellon researchers proposed two technical approaches to reduce the number of successful market transactions, including a slander attack and another technique, which were aimed at undercutting the cyber-crooks verification or reputation system.

    "Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with 'honest' criminals," Franklin said.

    In a slander attack, an attacker eliminates the verified status of a buyer or seller through false defamation. "By eliminating the verified status of the honest individuals, an attacker establishes a lemon market where buyers are unable to distinguish the quality of the goods or services," Franklin said.

    The researchers also propose to undercut the burgeoning black market activity by creating a deceptive sales environment.

    Perrig's team developed a technique to establish fake verified-status identities that are difficult to distinguish from other verified-status sellers, making it hard for buyers to tell honest verified-status sellers from dishonest ones.

    "So, when the unwary buyer tries to collect the goods and services promised, the seller fails to provide the goods and services. Such behavior is known as 'ripping.' And it is the goal of all black market sites' verification systems to minimize such behavior," said Franklin.
    The work has also been featured on Slashdot.

    Friday, October 05, 2007

    The "Profiles in Team Science" document and website cover TRUST

    Thursday, September 27, 2007

    Deirdre Mulligan: Data breach laws have had positive effect

    Deirdre Mulligan is quoted in Silicon.com's article, "Data breach laws 'make companies serious about security'."

    The legislation has had a positive effect on security, according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law.

    She told silicon.com: "I believe that the law has heightened the attention paid to information security. The initial impact of the law was likely to make incidents public but the lasting effect should be to reduce the number and severity of breaches by creating incentives to invest in security."

    Mulligan said her research had shown that security breaches drive information exchange among security professionals; for example, some chief security officers summarised news reports from breaches at other organisations and circulated them to staff with 'lessons learned' from each incident.

    She said: "The goal of the law was to improve security practices, not provide notices. Research and anecdote both suggest that it has improved practices along many dimensions. As practices improve, notices should decrease."

    Some organisations have a 'that could have been us' moment and patch systems with similar vulnerabilities to the organisation that had a breach. The introduction of the legislation has meant an improved focus on security and better information about costs of failure, which allows for sounder investments, she added.