Prof. Snyder's Courses

Professor Snyder

Administrators
  • Content count: 235
  • Days Won: 4

Professor Snyder last won the day on October 4 2013

Professor Snyder had the most liked content!

About Professor Snyder

  • Rank: Administrator
  1. No worries, Linda. The only technical knowledge you need here is what was listed in the lecture: "Please do not struggle with the fine details of matters such as the base two numbering system. You do need to know that data traveling from one computer to another is broken into smaller units called packets which may travel very different routes often involving many legal jurisdictions."

     Cyber security is not primarily a technical matter. We want the Internet and other areas of cyberspace to be safe for use by "good" people but not by "bad." No technology can define good and bad for us; we have to do that ourselves. Are all political dissidents to have their use of cyberspace protected, or just pro-democracy ones? If al-Qaeda calls for destruction of the West, are those communications to be protected and "secure?" How about if the messages are not advocacy but operational messages: "The time for all units to attack is Tuesday morning, September 11." The former Secretary of State's speech, alluded to above, suggests that there is a consensus that "terrorists and criminals" must be blocked or identified. But, one man's terrorist is another man's freedom fighter. No technology can determine for us whose activities should be protected and whose should not, as well as what amount of monitoring we will permit by whom to verify that. We certainly need tech-informed policy -- knowing what options are available given current technology or what the various costs are of the tech options available, and understanding the nature of cyberspace. After that, the engineers can work toward what the people choose.

     I think we can all agree that Vint Cerf, who created the TCP/IP protocol, is considered to be the Father of the Internet. If his name is unfamiliar to you, you can verify my assertion with a quick web search. He is part of this group who believes that there is no technology fix for these issues. See, for example, Internet inventor Vint Cerf: No technological cure for privacy ills, July 9, 2013, or Access control changes a must for future, safe Internet, Vint Cerf says, July 26, 2013.

     Having been present at the founding, and arguably being the founder, Cerf is also a good source to address the issue of whether today's uses of cyberspace were foreseen. The Register, a UK news source, reported last summer: "Cerf said he was 'frankly astonished' at the range of devices that now come with an internet connection." CITE.

     I had thought it beyond dispute that the Internet was not designed for security. The fact that it has no method for security, cannot authenticate packets, and is completely neutral about whether a packet's payload is a recipe for cupcakes or is a virus certainly supports that hypothesis. The historical record does, too. But, dispute here on a discussion forum and in academic settings is very welcome. It helps us to question our premises and to learn. I remain confident that the Internet was not designed with security in mind. The Financial Times reported in October 2011: You can read the entire article as well as the copyright policy, here.

     In any event, the point is not to reexamine history, but rather to explain how we got to where we are: critical infrastructure controlled on a digital network that, for whatever reasons, has very little security built into it. Much of the reason for being where we are is subsequent developments. That is, users keep choosing convenience over security.
  2. Laurie: I believe you are referring to the third party records doctrine from the U.S. Supreme Court: you have no reasonable expectation of privacy -- and, therefore, no Constitutional protection -- for information you disclose to a third party (you and the government being the first two). The bank's records about you are the bank's, not yours, under U.S. law. The opposite is true under European law. Congress can and does enact additional statutory protections above that of the Constitution, such as the 1974(?) Privacy Act, the Stored Communications Act, and many more. Similarly, regarding your comment about Facebook, U.S. law is generally binary: something is either public or private. There is no third category such as "private from the government." Thus, so far, we don't recognize a category of "public for my friends on Facebook but private from the government."
  3. Benni: Back in 2003, I traced a guy's footsteps going back a full 12 months with cell tower data (no GPS chip). The article is too old to appear in the Pittsburgh Post-Gazette's archives, but you can get it on Westlaw or Lexis/Nexis, or I could tell you more in a more private venue. That should be possible for any movements of a cellphone made since the 1980s.

     2003 WLNR 5273116
     Pittsburgh Post-Gazette (PA)
     Copyright 2003 PG Publishing Co.
     April 8, 2003

     NEW EVIDENCE PERSUADES BANK ROBBER TO CONFESS
     TORSTEN OVE, POST-GAZETTE STAFF WRITER

     Serial bank robber Christopher Mark Lyons knew some of the tricks of the bank heist trade because he was once a teller and he'd been trained in bank security. He didn't draw attention to himself inside a bank, he knew which drawers at a teller's station contained the bigger bills, he didn't leave any fingerprints behind and he got rid of his clothes after he did a robbery. As bank robbers go, he was fairly smart -- but not smart enough.

     Faced yesterday with new evidence he learned about just before his federal trial was to begin, Lyons admitted that he was the "Main Street Robber" who held up eight small town banks in Pennsylvania and Ohio last year. He pleaded guilty to robbing five banks in Pennsylvania and accepted responsibility for three others in Ohio.

     Almost all bank robbers plead guilty, but Lyons, 22, of Banksville, was convinced right up until jury selection that federal authorities didn't have enough on him. That changed when he realized Assistant U.S. Attorney William Snyder would introduce cell phone records that placed him in the vicinity of the banks on the days of the robberies. In the case of holdups in Butler and Hermitage, for example, authorities were able to use cell tower records to reconstruct Lyons' path as he drove down Interstate 79 back to his apartment on Saw Mill Run Boulevard.

     Snyder didn't receive the records until Friday. Without them, the feds still had a good case. With them, Lyons knew his fate was sealed.
  4. Cybersecurity News Resources

    You "newbie" folks can change your caption to whatever you want in the same place where you apparently uploaded your photo: the display name option on your My Profile screen. Or, we can do it for you.
  5. Cybersecurity News Resources

    Yes, kpsigafo, I would recommend almost anything from Bruce Schneier. For those of you who are not familiar, he is a security guru (beyond cyber, too) who is the Security Futurologist at BT (was British Telecom) and who is presently at Harvard Law School's Center for Internet and Society. His 2012 book "Liars and Outliers: Enabling the Trust that Society Needs to Thrive" is of particular interest, and I assign a small portion of it in the longer, on-campus version of this course.
  6. Good point, Larry, thanks. But, I don't think that you are "disagree[ing] with Slide 40." The slide does not say, "disadvantages" or "weaknesses" of cyberspace. The listed attributes are meant to be just that -- attributes -- regardless of whether they are good or bad. In fact, some of those are both good and bad. As you say, the "bottommost layer doesn’t care about the type of data." Hence, as Professor Zittrain put it:

     Confidentiality

     I appreciate your explanation of the protocols. That is clear and helpful. [I’ve attached a diagram for non-tech people.] The C-I-A Triad you explain is, as you say, “to properly protect data in a cyber environment” (emphasis mine). Please consider that what protects data may or may not be the same as what promotes national security in cyberspace (or overall cyber security). The integrity and availability legs of the triad are less controversial, but the confidentiality leg runs counter to public policies in other areas.

     Consider, for example, the interstate highway system you mention. Passenger vehicles are permitted to move payloads around confidentially, except for a registration plate which can be decoded by the government. The plate does not tell you about the nature of the cargo or payload, but it does tell the government the identity of someone responsible for the vehicle. Commercial trucks, however, must have the name of the company in plain English for all to see on the doors. And, many types of cargo must be identified – flammable, poison, explosive, etc.

     Many people have proposed doing away with confidentiality on the Internet. As you know, the Internet has the Cap’n Crunch problem: the paths that carry data also carry code, and the packets have both the envelope address information as well as the content of the message in them. Thus, it is difficult to inspect the packet to identify the sender and recipient without also having the opportunity to inspect the contents.

     But, we want to know the sender and recipient sometimes. Secretary of State Clinton had this to say in 2010:

     Studies show that people are much more likely to commit crimes (and just be rude) when anonymous. Also, without attribution, criminal prosecutions are very hard and deterrence in cyberspace nearly impossible. But, if we are to avoid anonymity (in at least some contexts) and to have attribution, and if packets contain both user ID and content, we can’t have complete confidentiality of data.

     Here is Richard Clarke’s proposal, which would also make confidentiality and security somewhat inconsistent (although you could still encrypt the content).

     Clarke, Richard A.; Knake, Robert (2010-04-02). Cyber War: The Next Threat to National Security and What to Do About It (pp. 273-274). Harper Collins, Inc. Kindle Edition.

     [Since you seem to be a techie, I will attach to this comment an optional article about MilNet-P. MilNet.pdf]

     In any event, only limited confidentiality is likely to be the rule, just like on the highways.

     Today’s uses were not foreseen

     Although “[a]ny good architecture should always expect the unforeseen” and “[t]he original engineers knew that the Internet would be used in ways never imagined,” there is little or no evidence to suggest that they foresaw today’s uses. I frequently get asked why on Earth anyone would design a computer network (or network of networks) to handle critical infrastructure and commerce in which you must trust the sender of packets to put their correct return address on them. The point is that it was not designed for today’s uses. No one would build a system to operate critical infrastructure this way. Commercial use of the Internet was illegal until about 1992. The designers of the Internet did expect unforeseen uses, but commercial use was foreseen and banned. You had to be a trusted entity to get access to the Internet in the 1980’s, so there was no need to build in security and authentication measures. Allowing unknown people to access the Internet was foreseen and banned.

     We got to where we are, I submit to you, not by design but by evolution. As you say, the designers offered speed or reliability. They did not offer security. The computers on the ‘net were all in locked buildings owned by the military or universities, and they were too big to carry around. [Recall, too, Vint Cerf saying, “We expected this to apply to all computers on the Internet, all 10,000 of them.” The designers did not foresee billions of computers connected.]

     Linda L. asks us to consider the tradeoffs and to think of completely new options not thought of before. That is really the heart of this course, and arguably the tougher challenge. As my engineering colleagues say: “Tell us what you want and we will build it. But first, you have to decide what you want.” The engineers don’t want to make the tradeoffs. They could build a highly confidential environment to protect political dissidents, but that would also protect terrorists and child pornographers. They could build a system requiring 100% authentication or the packet won’t be delivered, but that would allow governments to crush dissent and democracy. We not only don’t know where the lines should be drawn, but we don’t even know who should draw them – users from the ground up, international government from the top down, nation states, the private sector, stakeholders. It’s hard and it’s fun. Welcome to Cyber Security Law & Policy.
  7. Federal Cyber Service

    The United States Government has a program for providing scholarships for students who choose to study information assurance. According to the U.S. Office of Personnel Management at https://www.sfs.opm.gov/: Details and application procedures can be found at https://www.sfs.opm.gov/. Syracuse University is one of the participating institutions.