Category Archives: Security and privacy

Notes from ACM Webinar on blockchain (etc.)

The Next Radical Internet Transformation: How Blockchain Technology is Transforming Business, Governments, Computing, and Security Models

Speaker: Mark Mueller-Eberstein, CEO & Founder at Adgetec Corporation, Professor at Rutgers University, Senior Research Fellow at QIIR

Moderator: Toufi Saliba, CEO, PrivacyShell and Chair of the ACM PB Conference Committee

Warning: These are notes taken live. Errors and omissions will occur. No responsibility whatsoever.

  • intro: old enough to remember the discussions in the early 90s about how the internet would change mail services – completely forgetting shopping, entertainment and others
  • Blockchain solves the problem of transferring value between Internet users without a third party
  • goes beyond the financial industry, can handle any kind of transaction
  • most of the world has access to a mobile phone, only about 20% has access to the banking system
  • Blockchain is the banking industry’s Uber movement
  • Blockchain much wider than Bitcoin, will facilitate new business models.
  • Blockchain transfers rather than copies digital assets, making sure there is only one instance of it.
    • settlement process: no clearing houses or central exchanges
    • peer-to-peer transfers, validation by network
  • Example: WeChat taking over payments in China, no link to banks
  • many commercial or government services are basically “databases” that are centrally managed, with one central point of failure
  • Blockchain allows a distributed ledger, information put in cannot be changed
    • Estonia thinking about a Blockchain in case of hacking or occupation
  • public (open), private and government blockchains
  • allows new services to existing customers, lots of inefficiencies up for grabs
    • estate records, voting, domain control, escrow, etc…
    • iPayYou allows use of Bitcoin
    • Walt Disney looking at Blockchain (DragonChain) for internal transfers, also use it for tracking supply chain to their cruise ships. Opensourced it.
  • 80% of Bitcoin mining done in China
  • regulation comes with a cost
  • Shenzhen want to be Blockchain Tech capital
  • 6-level security model, developed by William Mougayar (goes through it in detail: transaction, account, programming, distributed organizations, network (51% attacks, perhaps as low as 30%, smaller blockchains more vulnerable), governance)
  • Ethereum blockchain focusing on smart contracts: Hard forked in 2016, DAO issue where somebody hacked DAO code to siphon off money, hacking the program using the blockchain (not the blockchain)
  • credit card transaction can take up to 30 days, with disputes and everything, Blockchain is almost instant
  • How “real” is blockchain technology
    • Goldman-Sachs invested $500m+
    • 15% of top global banks intend to roll out full-scale, commercial blockchain
    • etc.
  • what is holding it back?
    • difficult to use, understand, buy in; perception of risk and legality
    • difficult to see value for the individual
  • questions:
    • what are the incentives and adoption models?
      • different philosophies: computing power must be made available in the network: industrial mining vs. BitTorrent model, the amount of computing provided will be important, if we can find a model where just a little bit from every mobile phone is required
    • what are the hard costs of Blockchain?
      • you can google the costs. There are other approaches being developed, will post some links
    • can Blockchain be compromised by a virus?
      • theoretically, yes. Bitcoin is 10 years without, open source means verification (change is happening slowly because of code inspection)
      • comes back to incentive and governance model
  • and that was that…recording will be at in a few days.

SmartHelp – geolocation for crisis situations

I am on the board of SmartHelp – a platform for crisis communication for emergency services (or, indeed, for any company that needs to locate its assets or employees in a hurry). The platform has been running in production in two emergency services (fire and ambulance) in Trondheim, Norway, since December 2014. It allows the public to contact the emergency service via a Smartphone interface, give precise details about where they are automatically, and also to chat and share their medical information (fully encrypted up to a medical standard.)

Here is a video demonstrating how the system works:

We are currently seeking partners for marketing and further developing this platform outside the Norwegian emergency service market. Please contact me (+47 4641 0452) or Fredrik Øvergård, CEO (+47 977 32 708) for further information.

Peter G. Neumann in New York Times

Peter G. Neumann is one of my heroes – a computer science and security expert with a sense of humor (his dry comments on the Risks Digest are legendary), inventive solutions to problems (he once built a keyboard with two pedals (for “alt” and “ctrl”) to deal with carpal tunnel syndrome) and far-reaching views on most things. He is currently profiled in the New York Times, including the story of the RTM Worm, which I remember clearly, and where the RISKS Forum played a role in analyzing and stopping it.

I remember an email exchange with Peter in the mid-nineties, when I was writing a research report on knowledge management for CSC Research Services. Peter has been running the email list RISKS forever (I signed up for it sometime in 1985) and when asked about how to find people to do such a job in a corporate setting he replied:

The bottom line is that moderating a newsgroup wisely takes serious dedication to, familiarity with, and commitment to the subject matter and willingness to put oneself into an intrinsically sensitive position. It does not work well if someone is arbitrarily assigned to the task.

In other words – if you want social media to work in a company, let people loose and then support the leaders that emerge, rather than try to replicate the current organization in the new medium. Not a bad insight to have 15 years ago – before this social media thing started.

Norwegian Data Inspectorate outlaws Google App use

In a letter to the Narvik Municipality (which has started to use Google Mail and other cloud-based applications, effectively putting much of its infrastructure in the Cloud) the Norwegian Data Inspectorate, a government watchdog for privacy issues, effectively prohibits use of Google Apps, at least for communication of personal information. A key point in this decision seems to be that Google will not tell where in the world the data is stored, and, under the Patriot Act, the US government can access the data without a court order.

Companies and government organizations in Norway are required to follow the Norwegian privacy laws, which, amongst other things, require that “personal information” (of which much can be communicated between a citizen and municipal tax, health and social service authorities) should be secured, and that personal information collected for one purpose may not be used for other purposes without the owner’s expressed permission.

This has interesting implications for cloud computing – many European countries have similar watchdogs as Norway, and many public and private organizations are interested in using Google’s services for their communication needs. My guess is that Google will need to offer some sort of reassurance that the data is outside of US jurisdiction, or effectively forgo this market to other competitors, such as Microsoft or some of the local consulting companies, which are busy building their own private clouds. Should be an interesting discussion at Google – the Data Inspectorate is a quite popular watchdog, Norway has some of the strongest privacy protection laws in the world (though, for some reason, it publishes people’s income and tax details), and Google’s motto of “Don’t be evil” might be put to the test here – national laws limiting global infrastructures.

Computer security is about finding front doors

This excellent little piece in Wired tells about security researchers who could spy on corporate meetings by simply scanning for conference phones with “automatic accept” configured:

Using a program that Moore wrote, the researchers found the conference rooms by scanning the Internet for videoconference systems that were set up outside firewalls and configured to automatically answer calls.

In less than two hours, they found systems installed in 5,000 conference rooms around the country, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room.

As I always say – introduce too complex technology and too onerous password rules, and you end up with people using the same password for everything, ditching passwords altogether – or writing the password on a Post-It note and taping it to the back of their keyboards.

Notes from Cory Doctorow talk in Oslo

Cory was here to launch the (New) Norwegian version of his book Little Brother, but, of course, this meeting is not as much about the book as about issues of intellectual property, DRM, legislation thereof, as well as the future of information industries such as publishing.

Cory started with “his usual talk” – interesting, as always – about how encryption works, how it is really strong but easily broken from the outside since the key must be distributed, and then on about how the publishing industry is locking up the work of artists in complicated and, given the technology evolution, largely self-defeating ways.

Cory structures this around three claims by the industry – that DRM works, that extensions of copyright are necessary to preserve artists’ income, and that the industry should have extra-judiciary powers to shut people out from the Internet upon accusation of copyright infringements. The last one is rather interesting, given all the things people do on the Internet today.

The issue is that we are all copyright infringers, because the rules are arcane and really geared towards the relationship between industry and professional artists, with lawyers and everything. That means that we are all vulnerable to capricious accusations, especially given today’s search technology.

(Not really a point in writing this down in detail, I guess, it will be all over Youtube and other places anyway.)

The debate featured Bjarne Buset, Bente Kalsnes, Eirik Newth and Cory. Bjarne Buset, head of digital strategy at Gyldendal (a large publisher) had the hardest task, since he argues in favor of DRM. Bente Kalsnes from, an online community, pointed out that the publishing industry has been very slow in developing alternative business models. Eirik Newth talked about how we need to sit down and do a typical Scandinavian solution, stepping off the rhetoric and focusing on privacy, users’ rights, and creators’ rights.

I tried to make the point that this debate is getting too politicized. The market will fix this, it is called a disruptive innovation, and there will be a lot of noise and then some of the players will make it across and others won’t. Secondly, the debate is being polluted by a lot of idiots who say that stealing is OK, because music should be cheaper or Microsoft is evil. Like some of my (business school!) students, who copy Microsoft Office and justify it by saying that Microsoft makes so much money and the product is too expensive.

Anyway, I had an interesting discussion afterwards with some of the usual suspects as well as Bjarne Buset. At some point he and I need to enter into a highly publicized bet as to the future of the publishing industry. In the meantime, it is rather depressing to watch the publishing industry go down the oh-so-noble road to self-destruction, just like the record industry.

Update Sept. 17: Forteller has a good post and a recording of the debate (86Mb mp3).

Update Sept. 20: Here is a (rather fuzzy) video of Cory’s talk, as usual he speaks (seemingly) ex tempore:

Doctorow @ Litteraturhuset from Veslebror Serdeg on Vimeo.

Risky analysis

Bruce Sterling Schneier has a good article on the dangers of risk analysis when estimating software projects – and, by extension, estimating the risk of terrorist attacks.

It is the everyday risks that kill you – largely because the effect is delayed and the risk itself not very visible. I seem to remember someone proposing that the way to get responsible driving would be not to increase the safety level of the car, but instead decrease it – for instance by outlawing seat belts and mandating a four inch sharp metal spike placed in the middle of the steering wheel.

If too much imagination can make us overly risk-averse, a heavy dose of reality might have the opposite effect.