Tag: Security

  • CALEA II: Risks of wiretap modifications to endpoints

    Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder…

  • Internet Voting Security: Wishful Thinking Doesn’t Make It True

    [The following is a post written at my invitation by Professor Duncan Buell from the University of South Carolina. Curiously, the poll Professor Buell mentions below is no longer listed in the list of past & present polls on the Courier-Journal site, but is available if you kept the link.] On Thursday, March 21, in…

  • Security Lessons from the Big DDoS Attacks

    Last week saw news of new Distributed Denial of Service (DDoS) attacks. These may be the largest DDoS attacks ever, peaking at about 300 Gbps (that is, 300 billion bits per second) of traffic aimed at the target but, notwithstanding some of the breathless news coverage, these attacks are not vastly larger than anything before.…

  • How the DMCA Chills Research

    I have a new piece in Slate, on how the DMCA chills security research. In the piece, I tell three stories of DMCA threats against Alex Halderman and me, and talk about how Congress can fix the problem. “The Chilling Effects of the DMCA: The outdated copyright law doesn’t just hurt consumers—it cripples researchers.” “These…

  • How the Nokia Browser Decrypts SSL Traffic: A "Man in the Client"

    Over the past couple of days there has been some press coverage over security researcher Guarang Pandya’s report that the browser on his Nokia phone was sending all of his traffic to Nokia proxy servers, including his HTTPS traffic. The disturbing part of his report was evidence that Nokia is not just proxying, but actually…

  • Predictions for 2013

    After a year’s hiatus, our annual predictions post is back! As usual, these predictions reflect the results of brainstorming among many affiliates and friends of the blog, so you should not attribute any prediction to any individual (including me–I’m just the scribe). Without further ado, the tech policy predictions for 2013:

  • Turktrust Certificate Authority Errors Demonstrate The Risk of "Subordinate" Certificates

    Update: More details have continued to come out, and I think that they generally support the less-paranoid version of events. There continues to be discussion on the mozilla.dev.security.policy list, Turktrust has given more details, and Mozilla has just opened up for public viewing their own detailed internal response documentation (including copies of all of the…

  • You found a security hole. Now what?

    The recent conviction of Andrew “Weev” Auernheimer for identity theft and conspiracy has renewed interest in the question of what researchers should do when they find security vulnerabilities in popular products. See, for example, Matt Blaze’s op-ed on how the research community views these matters, and Weev’s own response. Weev and associates discovered a flaw…

  • Uncertified voting equipment

    (Or, why doing the obvious thing to improve voter throughput in Harris County early voting would exacerbate a serious security vulnerability.) I voted today, using one of the many early voting centers in my county. I waited roughly 35 minutes before reaching a voting machine. Roughly 1/3 of the 40 voting machines at the location…

  • Goodbye, Stanford. Hello, Princeton!

    [Editor’s note: The Center for Information Technology Policy (CITP) is delighted to welcome Arvind Narayanan as an Assistant Professor in Computer Science, and an affiliated faculty member in CITP. Narayanan is a leading researcher in digital privacy, data anonymization, and technology policy. His work has been widely published, and includes a paper with CITP co-authors…