Category Archives: Security and privacy

On videoconferencing and security

Yesterday began with a message from a business executive who was concerned with the security of Zoom, the video conferencing platform that many companies (and universities) have landed on. The reason was a newspaper article regurgitating several internet articles, partly about functionality that has been adequately documented by Zoom, partly about security holes that have been fixed a long time ago.

So is there any reason to be concerned about Zoom or Whereby or Teams or Hangouts or all the other platforms?

My answer is “probably not” – at least not for the security holes discussed here, and for ordinary users (and that includes most small- to medium-sized companies I know about).

It is true that video conferencing introduces some security and privacy issues, but if we look at it realistically, the biggest problem is not the technology, but the people using it (something we nerds refer to as PEBKAC – Problem Exists Between Keyboard and Chair).

When a naked man sneaks into an elementary school class via Whereby, as happened a few days ago here in Norway, it is not due to technology problems, but because the teacher had left the door wide open, i.e., had not turned on the function that makes it necessary to “knock” and ask for permission to enter.

When anyone can record (and have the dialogue automatically transcribed) from Zoom, it is because the host has not turned off the recording feature. By the way, anyone can record a video conference with screen capture software (such as Camtasia), a sound recorder or for that matter a cell phone, and no (realistic) security system in the world can do anything about it.

When the boss can monitor that people are not using other software while sitting in a meeting (a feature that can be completely legitimate in a classroom; it is equivalent to the teacher looking out over the class to see if the students are awake), well, I don’t think the system is to blame for that either. Any leader who holds such irrelevant meetings that people do not bother to pay attention should rethink their communications strategy. Any executive I know would have neither time nor interest in activating this feature – because if you need technology to force people to wake up, you don’t have a problem technology can solve.

The risk of a new tool should not be measured against some perfect solution, but against what the alternative is if you don’t have it. Right now, video conferencing is the easiest and best tool for many – so that is why we use it. But we have to take the trouble to learn how it works. The best security system in the world is helpless against people writing their password on a Post-It that is visible when they are in a videoconference.

So, therefore – before using the tool – take a tour of the setup page, choose carefully what features you want to use, and think through what you want to achieve by having the meeting.

If that’s hard, maybe you should cancel the whole thing and send an email instead.

Notes from ACM Webinar on blockchain (etc.)

The Next Radical Internet Transformation: How Blockchain Technology is Transforming Business, Governments, Computing, and Security Models

Speaker: Mark Mueller-Eberstein, CEO & Founder at Adgetec Corporation, Professor at Rutgers University, Senior Research Fellow at QIIR

Moderator: Toufi Saliba, CEO, PrivacyShell and Chair of the ACM PB Conference Committee

Warning: These are notes taken live. Errors and omissions will occur. No responsibility whatsoever.

  • intro: old enough to remember the discussions in the early 90s about how the internet would change mail services – completely forgetting shopping, entertainment and others
  • Blockchain solves the problem of transferring value between Internet users without a third party
  • goes beyond the financial industry, can handle any kind of transaction
  • most of the world has access to a mobile phone, only about 20% has access to the banking system
  • Blockchain is the banking industry’s Uber movement
  • Blockchain much wider than Bitcoin, will facilitate new business models.
  • Blockchain transfers rather than copies digital assets, making sure there is only one instance of it.
    • settlement process: no clearing houses or central exchanges
    • peer-to-peer transfers, validation by network
  • Example: WeChat taking over payments in China, no link to banks
  • many commercial or government services are basically “databases” that are centrally managed, with one central point of failure
  • Blockchain allows a distributed ledger, information put in cannot be changed
    • Estonia thinking about a Blockchain in case of hacking or occupation
  • public (open), private and government blockchains
  • allows new services to existing customers, lots of inefficiencies up for grabs
    • estate records, voting, domain control, escrow, etc…
    • iPayYou allows use of Bitcoin
    • Walt Disney looking at Blockchain (DragonChain) for internal transfers, also use it for tracking supply chain to their cruise ships. Opensourced it.
  • 80% of Bitcoin mining done in China
  • regulation comes with a cost
  • Shenzhen want to be Blockchain Tech capital
  • 6-level security model, developed by William Mougayar (goes through it in detail: transaction, account, programming, distributed organizations, network (51% attacks, perhaps as low as 30%, smaller blockchains more vulnerable), governance)
  • Ethereum blockchain focusing on smart contracts: Hard forked in 2016, DAO issue where somebody hacked DAO code to siphon off money, hacking the program using the blockchain (not the blockchain)
  • credit card transaction can take up to 30 days, with disputes and everything, Blockchain is almost instant
  • How “real” is blockchain technology
    • Goldman-Sachs invested $500m+
    • 15% of top global banks intend to roll out full-scale, commercial blockchain
    • etc.
  • what is holding it back?
    • difficult to use, understand, buy in; perception of risk and legality
    • difficult to see value for the individual
  • questions:
    • what are the incentives and adoption models?
      • different philosophies: computing power must be made available in the network: industrial mining vs. BitTorrent model, the amount of computing provided will be important, if we can find a model where just a little bit from every mobile phone is required
    • what are the hard costs of Blockchain?
      • you can google the costs. There are other approaches being developed, will post some links
    • can Blockchain be compromised by a virus?
      • theoretically, yes. Bitcoin is 10 years without, open source means verification (change is happening slowly because of code inspection)
      • comes back to incentive and governance model
  • and that was that…recording will be at webinar.acm.org in a few days.

SmartHelp – geolocation for crisis situations

I am on the board of SmartHelp – a platform for crisis communication for emergency services (or, indeed, for any company that needs to locate its assets or employees in a hurry). The platform has been running in production in two emergency services (fire and ambulance) in Trondheim, Norway, since December 2014. It allows the public to contact the emergency service via a Smartphone interface, give precise details about where they are automatically, and also to chat and share their medical information (fully encrypted up to a medical standard.)

Here is a video demonstrating how the system works:

We are currently seeking partners for marketing and further developing this platform outside the Norwegian emergency service market. Please contact me (self@espen.com, +47 4641 0452) or Fredrik Øvergård, CEO (fredrik@radvice.no, +47 977 32 708)  for further information.

Peter G. Neumann in New York Times

Peter G. Neumann is one of my heroes – a computer science and security expert with a sense of humor (his dry comments on the Risks Digest are legendary), inventive solutions to problems (he once built a keyboard with two pedals (for “alt” and “ctrl”) to deal with carpal tunnel syndrome) and far-reaching views on most things. He is currently profiled in the New York Times, including the story of the RTM Worm, which I remember clearly, and where the RISKS Forum played a role in analyzing and stopping it.

I remember an email exchange with Peter in the mid-nineties, when I was writing a research report on knowledge management for CSC Research Services. Peter has been running the email list RISKS forever (I signed up for it sometime in 1985) and when asked about how to find people to do such a job in a corporate setting he replied:

The bottom line is that moderating a newsgroup wisely takes serious dedication to, familiarity with, and commitment to the subject matter and willingness to put oneself into an intrinsically sensitive position. It does not work well if someone is arbitrarily assigned to the task.

In other words – if you want social media to work in a company, let people loose and then support the leaders that emerge, rather than try to replicate the current organization in the new medium. Not a bad insight to have 15 years ago – before this social media thing started.

Norwegian Data Inspectorate outlaws Google App use

In a letter (reported at digi.no) to the Narvik Municipality (which has started to use Google Mail and other cloud-based applications, effectively putting much of its infrastructure in the Cloud) the Norwegian Data Inspectorate (http://www.datatilsynet.no/English/), a government watchdog for privacy issues, effectively prohibits use of Google Apps, at least for communication of personal information. A key point in this decision seems to be that Google will not tell where in the world the data is stored, and, under the Patriot Act, the US government can access the data without a court order.

Companies and government organizations in Norway are required to follow the Norwegian privacy laws, which, amongst other things, require that “personal information” (of which much can be communicated between a citizen and municipal tax, health and social service authorities) should be secured, and that personal information collected for one purpose may not be used for other purposes without the owner’s expressed permission.

This has interesting implications for cloud computing – many European countries have similar watchdogs as Norway, and many public and private organizations are interested in using Google’s services for their communication needs. My guess is that Google will need to offer some sort of reassurance that the data is outside of US jurisdiction, or effectively forgo this market to other competitors, such as Microsoft or some of the local consulting companies, which are busy building their own private clouds. Should be an interesting discussion at Google – the Data Inspectorate is a quite popular watchdog, Norway has some of the strongest privacy protection laws in the world (though, for some reason, it publishes people’s income and tax details), and Google’s motto of “Don’t be evil” might be put to the test here – national laws limiting global infrastructures.

Computer security is about finding front doors

This excellent little piece in Wired tells about security researchers who could spy on corporate meetings by simply scanning for conference phones with “automatic accept” configured:

Using a program that Moore wrote, the researchers found the conference rooms by scanning the Internet for videoconference systems that were set up outside firewalls and configured to automatically answer calls.

In less than two hours, they found systems installed in 5,000 conference rooms around the country, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room.

As I always say – introduce too complex technology and too onerous password rules, and you end up with people using the same password for everything, ditching passwords altogether – or writing the password on a Post-It note and taping it to the back of their keyboards.

Notes from Cory Doctorow talk in Oslo

Cory was here to launch the (New) Norwegian version of his book Little Brother, but, of course, this meeting is not as much about the book as about issues of intellectual property, DRM, legislation thereof, as well as the future of information industries such as publishing.

Cory started with “his usual talk” – interesting, as always – about how encryption works, how it is really strong but easily broken from the outside since the key must be distributed, and then on about how the publishing industry is locking up the work of artists in complicated and, given the technology evolution, largely self-defeating ways.

Cory structures this around three claims by the industry – that DRM works, that extensions of copyright are necessary to preserve artists’ income, and that the industry should have extra-judiciary powers to shut people out from the Internet upon accusation of copyright infringements. The last one is rather interesting, given all the things people do on the Internet today.

The issue is that we are all copyright infringers, because the rules are arcane and really geared towards the relationship between industry and professional artists, with lawyers and everything. That means that we are all vulnerable to capricious accusations, especially given today’s search technology.

(Not really a point in writing this down in detail, I guess, it will be all over Youtube and other places anyway.)

The debate featured Bjarne Buset, Bente Kalsnes, Eirik Newth and Cory. Bjarne Buset, head of digital strategy at Gyldendal (a large publisher) had the hardest task, since he argues in favor of DRM. Bente Kalsnes from origo.no, an online community, pointed out that the publishing industry has been very slow in developing alternative business models. Eirik Newth talked about how we need to sit down and do a typical Scandinavian solution, stepping off the rhetoric and focusing on privacy, users’ rights, and creators’ rights.

I tried to make the point that this debate is getting too politicized. The market will fix this, it is called a disruptive innovation, and there will be a lot of noise and then some of the players will make it across and others won’t. Secondly, the debate is being polluted by a lot of idiots who say that stealing is OK, because music should be cheaper or Microsoft is evil. Like some of my (business school!) students, who copy Microsoft Office and justify it by saying that Microsoft makes so much money and the product is too expensive.

Anyway, I had an interesting discussion afterwards with some of the usual suspects as well as Bjarne Buset. At some point he and I need to enter into a highly publicized bet as to the future of the publishing industry. In the meantime, it is rather depressing to watch the publishing industry go down the oh-so-noble road to self-destruction, just like the record industry.

Update Sept. 17: Forteller has a good post and a recording of the debate (86Mb mp3).

Update Sept. 20: Here is a (rather fuzzy) video of Cory’s talk, as usual he speaks (seemingly) ex tempore:

Doctorow @ Litteraturhuset from Veslebror Serdeg on Vimeo.

Risky analysis

Bruce Schneier has a good article on the dangers of risk analysis when estimating software projects – and, by extension, estimating the risk of terrorist attacks.

It is the everyday risks that kill you – largely because the effect is delayed and the risk itself not very visible. I seem to remember someone proposing that the way to get responsible driving would be not to increase the safety level of the car, but instead decrease it – for instance by outlawing seat belts and mandating a four inch sharp metal spike placed in the middle of the steering wheel.

If too much imagination can make us overly risk-averse, a heavy dose of reality might have the opposite effect.

Airport insecurity

I am thinking a lot about security now, since a discussion last week on security in the 2.0 Enterprise – where the conclusion was that we need to get away from perimeter security and over towards something asset-based, i.e. securing what really matters and not faking security by having showy and inconvenient moats and drawbridges.

This funny but deeply serious article in The Atlantic takes on the example of airport security with all its symbols and holes. As Bruce Schneier (a real security expert) repeatedly has pointed out, hijackers can no longer get into the cockpit. Furthermore, passengers would attack hijackers on sight, rather than cooperate with them. Hence, the bluff that got the 9/11 hijackers in control of four airplanes will no longer work.

But we persist in implementing security that does little but increase the cost of flying, inconveniencing everyone, and, ironically, making flying (or, at least, turning up at the airport) less secure. As the article points out, the most dangerous place in the airport is where many people are waiting closely together in an unsecured area. In other words, in the security control line, perfect in case somebody wants to repeat the Lod airport massacre.