5,110 research outputs found

    Planning for the Future of Cyber Attack Attribution : Hearing Before the H. Subcomm. on Technology and Innovation of the H. Comm. on Science and Technology, 111th Cong., July 15, 2010 (Statement by Adjunct Professor Marc Rotenberg, Geo. U. L. Center)

    Steve Bellovin, another security expert, noted recently that one of the risks of the new White House plan for cyber security is that it places too much emphasis on attribution. As Dr. Bellovin explains: The fundamental premise of the proposed strategy is that our serious Internet security problems are due to lack of sufficient authentication. That is demonstrably false. The biggest problem was and is buggy code. All the authentication in the world won't stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. While I believe the White House, the Cyber Security Advisor, and the various participants in the drafting process have made an important effort to address privacy and security interests, I share Professor Bellovin’s concern that too much emphasis has been placed on promoting identification. I also believe that online identification, promoted by government, will be used for purposes unrelated to cyber security and could ultimately chill political speech and limit the growth of the Internet. Greater public participation in the development of this policy as well as a formal rulemaking on the White House proposal could help address these concerns

    An Analysis and Enumeration of the Blockchain and Future Implications

    The blockchain is a relatively new technology that has grown in interest and potential research since its inception. Blockchain technology is dominated by cryptocurrency in terms of usage. Research conducted in the past few years, however, reveals blockchain has the potential to revolutionize several different industries. The blockchain consists of three major technologies: a peer-to-peer network, a distributed database, and asymmetrically encrypted transactions. The peer-to-peer network enables a decentralized, consensus-based network structure where various nodes contribute to the overall network performance. A distributed database adds additional security and immutability to the network. The process of cryptographically securing individual transactions forms a core service of the blockchain and enables semi-anonymous user network presence

    The design and evaluation of an anonymous, two-way, ethics management reporting system

    Despite a recognized need for whistleblowing systems in academic research, little to no attention has been given to the necessary requirements for and specific design of effective whistleblowing systems. In order to increase the rate of reporting, it is critical for reporting systems to be designed with the intent to reduce employee fears and inhibitions by reducing the potential for retaliation. Therefore, the goal of this three-essay dissertation was to enhance a firm's ability to solicit and investigate concerns by proposing and evaluating a system aimed at fostering anonymous, two-way communication between employees and investigators of wrongdoing. In essay one, design science (Hevner et al., 2004; March & Smith, 1995; Walls, Widmeyer, & El Sawy, 1992, 2004) was employed in order to theorize and justify the design of an anonymous reporting system artifact. In doing so, existing reporting systems were examined and modern technologies were incorporated into a proposed design of an anonymous, two-way ethics management reporting system. Essay two reviewed existing theories in the extant whistleblowing literature and relied upon communication research, both inter-personal and computer-mediated, to address the limitations of prior theory regarding reduced perceptions of credibility for anonymous whistleblowers. The experiment tasked subjects with evaluating simulated two-way communication between an investigator and an employee attempting to blow the whistle on financial wrongdoing. The results provide strong evidence that two-way communication can reduce the credibility gap between perceptions of anonymous and identified whistleblowers. Lastly, essay three assessed the system design proposed in essay one from the perspective of the organizational insider. The proposed system was also compared to other channels available to report wrongdoing, such as the use of open door policies and telephone hotlines. Two simultaneous online experiments tested user perceptions of anonymity protections provided by each channel, as well as the specific whistleblower-oriented design features proposed in the design. This essay provides evidence that online reporting systems are perceived to provide significantly higher anonymity protections than phone hotlines and open door policies, while select features of the proposed system impact user perceptions of anonymity

    Recent Developments on Security and Privacy of V2V & V2I Communications: A Literature Review

    In recent years Intelligent Transportation Systems and associated technologies have progressed significantly, including services based on wireless communications between vehicles (V2V) and infrastructure (V2I). In order to increase the trustworthiness of these communications, and convince drivers to adopt the new technologies, specific security and privacy requirements need to be addressed, using Vehicular Ad Hoc Networks (VANETs). To maintain VANET's security and eliminate possible attacks, mechanisms are to be developed. In this paper, previous research is reviewed, aiming to provide information concerning matches between an attack and a solution in a VANET environment

    How Do Tor Users Interact With Onion Services?

    Onion services are anonymous network services that are exposed over the Tor network. In contrast to conventional Internet services, onion services are private, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. In this paper, we study how people perceive, understand, and use onion services based on data from 17 semi-structured interviews and an online survey of 517 users. We find that users have an incomplete mental model of onion services, use these services for anonymity and have varying trust in onion services in general. Users also have difficulty discovering and tracking onion sites and authenticating them. Finally, users want technical improvements to onion services and better information on how to use them. Our findings suggest various improvements for the security and usability of Tor onion services, including ways to automatically detect phishing of onion services, more clear security indicators, and ways to manage onion domain names that are difficult to remember. Comment: Appeared in USENIX Security Symposium 201

    Anonymous subject identification and privacy information management in video surveillance

    The widespread deployment of surveillance cameras has raised serious privacy concerns, and many privacy-enhancing schemes have been recently proposed to automatically redact images of selected individuals in the surveillance video for protection. Of equal importance are the privacy and efficiency of techniques to first, identify those individuals for privacy protection and second, provide access to original surveillance video contents for security analysis. In this paper, we propose an anonymous subject identification and privacy data management system to be used in privacy-aware video surveillance. The anonymous subject identification system uses iris patterns to identify individuals for privacy protection. Anonymity of the iris-matching process is guaranteed through the use of a garbled-circuit (GC)-based iris matching protocol. A novel GC complexity reduction scheme is proposed by simplifying the iris masking process in the protocol. A user-centric privacy information management system is also proposed that allows subjects to anonymously access their privacy information via their iris patterns. The system is composed of two encrypted-domain protocols: The privacy information encryption protocol encrypts the original video records using the iris pattern acquired during the subject identification phase; the privacy information retrieval protocol allows the video records to be anonymously retrieved through a GC-based iris pattern matching process. Experimental results on a public iris biometric database demonstrate the validity of our framework