April 24, 2014

avatar

Christopher Yoo on Comcast and Competition: When Antitrust Lawyers Do the Math

Today at 12:30, Christopher Yoo will give a live-streamed talk at CITP entitled “The Open Internet in the Aftermath of Verizon v. FCC: What Comes Next?” Yoo will talk about the Verizon v. FCC ruling that overturned the FCC’s network neutrality rules, and place them in the context of the proposed merger between Comcast and Time Warner. Yesterday, unnamed sources within the FCC gave a possible answer to Yoo’s question: a “fast lane” for sites and services that pay for preferential access to Comcast’s customers. The FCC is reportedly considering new rules that would permit broadband Internet providers to discriminate against specific content as long as they don’t do so in an “anticompetitive manner.” The FCC will then be left to decide what makes for anticompetitive behavior — a domain typically left to antitrust law.
[Read more...]

avatar

Mesh Networks Won’t Fix Internet Security

There’s no doubt that the quality of tech reporting in major newspapers has improved in recent years. It’s rare these days to see a story in, say, the New York Times whose fundamental technical premise is wrong. Still, it does happen occasionally—as it did yesterday.

Yesterday’s Times ran a story gushing about mesh networks as an antidote to Internet surveillance. There’s only one problem: mesh networks don’t do much to protect you from surveillance. They’re useful, but not for that purpose.
[Read more...]

avatar

Eternal vigilance is a solvable technology problem: A proposal for streamlined privacy alerts

Consider three recent news articles about online privacy:

  • Google+ added a new feature that shows view counts on everything you post, including your photos. It’s enabled by default, but if you don’t want to be part of the popularity contest, there’s a setting to turn it off.

  • There is a new privacy tool called XPrivacy for Android that protects you from apps that are hungry for your personal information (it does this by by feeding them fake data).

  • A new study reveals that several education technology providers have intrusive privacy policies. Students and parents might want to take this into account in making choices about online education services.

These are just a few examples of the dozens of articles that come out every month informing privacy-conscious users that they need to change some setting, install a tool, or otherwise take some action to protect their privacy. In particular, companies often release new features with permissive defaults and an opt-out setting. It seems that online privacy requires eternal vigilance.

Eternal vigilance is hard. Even as a privacy researcher I often miss privacy news that affects me; for the majority of people who don’t have as much time to devote to online privacy, the burden is just too much. But before concluding that the situation is hopeless, let’s ask if there’s a technological solution.

[Read more...]

avatar

Bitcoin hacks and thefts: The underlying reason

Emin Gün Sirer has a fascinating post about how the use of NoSQL caused technical failures that led to the demise of Bitcoin exchanges Flexcoin and Poloniex. But these are only the latest in a long line of hacks of exchanges, other services, and individuals; a wide variety of bugs have been implicated. This suggests that there’s some underlying reason why Bitcoiners keep building systems that get exploited. In this post I’ll examine why.

[Read more...]

avatar

Heartbleed and passwords: don’t panic

The Heartbleed bug has captured public attention this week like few security vulnerabilities before it. This is a good thing, as indeed this is a catastrophic flaw. Many people have focused on its impact on passwords with headlines like “Security Flaw Exposes Millions Of Passwords” and “Change these passwords right now.” Heartbleed certainly could have been used to steal millions of passwords. However, while Heartbleed gives the security community plenty of new problems to worry about, it doesn’t introduce any problems for passwords that haven’t existed for a long time and I’d discourage widespread panic about passwords. [Read more...]
avatar

Heartsick about Heartbleed

Ed Felten provides good advice on this blog about what to do in the wake of Heartbleed, and I’ve read some good technical discussions of the technical problem (see this for a particularly understandable explanation).

Update Apr 11: To understand what Heartbleed is all about, see XKCD. Best. Explanation. Ever.

In this brief posting, I want to look at a different angle – what’s the scope of the vulnerability? [Read more...]

avatar

How to protect yourself from Heartbleed

The Heartbleed vulnerability is one of the worst Internet security problems we have seen. I’ll be writing more about what we can learn from Heartbleed and the response to it.

For now, here is a quick checklist of what you can do to protect yourself.
[Read more...]

avatar

Cookies that give you away: The surveillance implications of web tracking

[Today we have another announcement of an exciting new research paper. Undergraduate Dillon Reisman, for his senior thesis, applied our web measurement platform to study some timely questions. -Arvind Narayanan]

Over the past three months we’ve learnt that NSA uses third-party tracking cookies for surveillance (1, 2). These cookies, provided by a third-party advertising or analytics network (e.g. doubleclick.com, scorecardresearch.com), are ubiquitous on the web, and tag users’ browsers with unique pseudonymous IDs. In a new paper, we study just how big a privacy problem this is. We quantify what an observer can learn about a user’s web traffic by purely passively eavesdropping on the network, and arrive at surprising answers.
[Read more...]

avatar

Historic E.U. Net Neutrality Win Shows Maturing Digital Rights Advocacy

After a 5-year long campaign by European and U.S. digital rights NGOs, today the European Parliament turned a dubious Commission proposal on its head to safeguard the principle of net neutrality. It’s a historic win, and all over the news. It also shows how digital rights advocacy is maturing. [Read more...]

avatar

Secure protocols for accountable warrant execution

Last week the press reported that the White House will seek to redesign the NSA’s mass phone call data program, so that data will be held by the phone companies and accessed by the NSA, subject to a new warrant requirement. The Foreign Intelligence Surveillance Court will issue the warrants.

Today Josh Kroll and I, with colleagues at Stanford University, released a draft paper on how to use cryptography to implement warrants to data in a secure, private, and accountable way.
[Read more...]