Tuesday, March 31, 2009

ISE press release: New CEO hired April 1

Date: April 1, 2009

Independent Security Evaluators Hires CEO

Independent Security Evaluators LLC (“ISE”), a Baltimore-based computer security consulting firm, has hired Richard “Rick” Wagoner as the Chief Executive Officer. Dr. Avi Rubin, president and founding partner of ISE, stated that the company’s rapid growth led to the need to bring in a CEO. “We have been very fortunate to have experienced significant growth since we started ISE four and a half years ago,” said Dr. Rubin. “Our client base and reputation continue to grow, and in order to continue delivering the highest level of technical consulting expertise, we felt it was time to recruit a business leader with a proven track record to manage operations and provide strategic direction for ISE. We are grateful to President Barack Obama for making Mr. Wagoner available for this job.”

Dr. Rubin and the partners of ISE believe Mr. Wagoner has the right skill set and experience to move ISE forward. “Rick offers the unique blend of drive and creativity, combined with executive management experience that we are confident will take ISE to the next level,” said Dr. Rubin.

Mr. Wagoner has held high level corporate management positions. Most recently, Mr. Wagoner was chairman and chief executive of General Motors Corporation. Although GM experienced a loss of $80 billion under his watch, Mr. Wagoner is confident that things will be better at ISE. “The tremendous loss of market share that we experienced at General Motors in the last eight years is simply not possible at ISE. This makes my new challenge all the more exciting,” said Wagoner. He received a bachelor’s degree in economics from Duke University in 1975 and a master’s in business administration from Harvard University in 1977.

“I am thrilled to be working with such a talented group of people in the expanding field of information security,” said Mr. Wagoner. “Avi and the partners have created a very solid base from which to grow the business. I am excited to work for a company that is not unionized and to escape the cold winters of Michigan. Being in Baltimore has other advantages. If we need to go to Washington for a bailout, it’s only an hour’s drive away – no need for a corporate jet.” ISE plans to invest the savings from not needing a corporate jet back into the local community.

About ISE: ISE was founded by Dr. Rubin, a computer science professor and the Technical Director of the Information Security Institute at the Johns Hopkins University. A custom technology consulting group, ISE was established to address the need for increased information security at every level of an organization. ISE leverages academic theory and real world experience to design and build new, innovative solutions and to evaluate existing security infrastructure. In the near future, ISE expects to produce energy efficient, low cost, and highly secure automobiles.

Tuesday, March 17, 2009

Trusting Bruce Schneier is risky business - just ask Jack Bauer

In last night's episode of Fox's thriller show, 24, there is a reference to the Blowfish algorithm which was designed by Bruce Schneier. On the show, an email message that contains the expected location of Jack Bauer is encrypted using Blowfish. The FBI intercepts the message and must decrypt it if they are to find him. I was curious to see what the 24 writers had up their sleeve. The answer: the designer of Blowfish put in a back door which was known to a former CTU operative. The FBI had leverage over the former CTU man because his wife was being held and faced at least 15 years in prison. The cipher was broken in seconds. Thanks a lot, Bruce! Thanks to your back door, Bauer is now being chased as a wanted man ... at least until next week.

Monday, March 09, 2009

Facebook privacy settings - nice, but I wish they actually worked

I resisted joining facebook as long as I could, but I finally succumbed to peer pressure and joined. Like most people, I have a love-hate relationship with the site. It has been great for catching up with old friends, keeping up with what people are doing, and making announcements to large groups of friends. But facebook has also posed dilemmas at times. What do I do when someone I barely know tries to friend me? How about someone I don't know? What about someone from high school whose name sounds very familiar, but I can't for the life of me recall if we were friends or if perhaps I hated that person?

Like most people, I set a personal threshold above which I accept the invitation. At the risk of offending people, I typically err on the side of accepting requests. So, I've now got over 200 facebook friends, many of whom I barely know. As such, facebook is a lot less useful. The main reason is that I have disjoint circles of friends who I know for different reasons, and with whom I have different kinds of interactions. First there's family. I like to share pictures and videos of my kids with my relatives. But, I don't necessarily want everyone to see them. I have my soccer buddies. I play in two different leagues on Sunday mornings and Thursday nights. I sometimes use my status to poke fun at something that happened in a game, or to brag about a big win. Most of my friends don't really care about that. I have my poker buddies, my geek computer science friends, my high school pals, college roommates, sailing mates, tennis partners, and other circles of friends, none of whom know each other. I've been friended by current and former students, researchers in my field at other universities, past colleagues in industry, and friends of my family since childhood. Of course, I've done a lot of the friend requesting myself. The point is that it's a diverse set of people, and that I interact with them very differently. Some of my poker buddies have tattoos and take cigarette breaks during games, while many colleagues in my field have never had a friend with fancy body markings and wouldn't be caught dead in a casino. Some of my computer science colleagues have won international awards for highly technical discoveries, while some of my soccer teammates didn't go to college.

As far as I can tell, facebook does not recognize that people live in many different communities. I'd like the ability to post one status message to all my relatives and a different one to all my technical colleagues. I'd like to post pictures of my kids that only our group of friends that I will refer to as "parents of our kids' friends in school" can see. I tried to figure out a way to do this, and discovered a feature on facebook that allows you to make lists of friends. Then, supposedly, you can control the access to your facebook information based on these lists.

Either I do not understand how these features work, or more likely, they do not actually work correctly. (If the former is true, then facebook has designed privacy features that a computer scientist specializing in computer security and privacy cannot understand, and so they better get to work on their interface.) In the privacy setting screen, under Settings->Privacy->Profile, you can set who can see various information, such as profile, status, wall postings, videos that you are tagged in, and others. If you select "Custom", you can specify a friend list. There is also a nifty feature that lets you see your page as any of your friends who you select would see it. So, for example, I can specify Ann Rubin and see what my facebook pages look like when Ann Rubin accesses them, based on my privacy settings. I played around with this for a while. I set a friends list that consists of personal friends who I tend to socialize with. Selecting the names was an interesting exercise. The threshold I set was whether I had gotten together with this person in a purely social setting in the last two years. I set it so that only people on this list could view my status updates and my wall postings. I then set my status and posted some things to my wall.

Next, I viewed my facebook home page as one of my friends who was not on the social list. The status was not visible, but the wall posting was. I've since experimented quite a bit with the privacy settings using friend lists, and I've found that some of the features simply don't work. It is possible that I'm not doing it right. It wouldn't be the first time. But I consider myself an expert in this sort of thing, and if I can't get it right, I don't think there's much hope for the broader facebook user population. I wonder to what extent facebook has tested their custom settings options in their privacy settings. The only thing worse than not providing privacy features is providing privacy features that do not actually give the claimed privacy. Think of how much trouble you could get in. I might have posted pictures of myself sailing on a day that I was supposed to be at work, believing that my JHU colleagues, my department chair, or most seriously my students couldn't access my wall. It's a good thing that I tested the features before feeling comfortable using them.

The bottom line is that there really is no privacy for information that you volunteer onto facebook. If something would embarrass you, or would be inappropriate for certain friends, you shouldn't post it thinking that only the other friends will see it. In theory, facebook is an excellent way to keep up with people and to notify people of your activities in a twitter-like fashion. But, when it comes to privacy, facebook still has a lot of work to do.

Thursday, March 05, 2009

I'll update my software when I'm good and ready - thank you

Not since I got my first iPhone (after waiting in line for a few hours) have I been as excited to get a new gadget as I was last week when my new Amazon Kindle 2 arrived. It did not disappoint. The screen resolution, using the new e-ink technology, is absolutely stunning. You have to see it to believe it. I immediately purchased the book that I've been reading in hard cover, Ken Follett's World Without End, and I put the heavy volume on the bookshelf for good. I also downloaded samples of Barack Obama's book about his father and of course, of my book Brave New Ballot, so I could show it to people. The books download in under a minute. I read in the instructions that the battery lasts much longer when the wireless modem is off, so once I downloaded my books, I turned off the modem.

Yesterday, Amazon released the Kindle for iPhone app - another exciting development. I installed the app, and the iPhone automatically downloaded the books that I had purchased on my Kindle. I checked out World Without End, and the book opened to the spot that I was reading on the Kindle a couple of days ago when I turned off the wireless modem. Very nice! Amazon's Whispersync technology kept the iPhone version and the Kindle version at the same spot. Unfortunately, this meant that I had to keep the Kindle modem on if I wanted the iPhone to know where I was. That was okay. I could either remember to turn on the modem for a short while when I finished reading on the Kindle, or just keep it on and remember to charge it.

I wanted my iPhone to know where I was in the book, so I turned on the Kindle modem. That's when I discovered a "feature" in the Kindle that I did not like. The Kindle suddenly went blank and a progress bar came on, along with the words "Software is updating" or something like that. I don't remember the exact words. The Kindle had a software upgrade, and without any prompting, it performed the update. Presumably, this was the update that disabled text to speech on some of the books (see this article).

Now, I am a gadget freak. I am an early adopter of almost every cool new gadget that comes out. I can barely count the number of items in my house that update their own software. My Blu-Ray DVD player, my DVR, my Apple TV, my computers, my iPhone, my digital camera, and even my refrigerator (just kidding) - they all get software updates all the time. But first, they ASK ME. It is only civilized. Amazon has decided that it is not a user's choice whether or not to update the Kindle software. This is downright rude.

When I first studied the idea of software updates on common devices, back when I worked at AT&T Labs, and we were designing security protocols for cable modems, I was very concerned. But, proper use of digital signatures and public key cryptography can greatly reduce the security risks. However, software updates are disruptive. They can break things, and they might come at a very inconvenient time. The user owns his devices, and it should be his choice whether or not to update the software. I do not like the auto software update on the Kindle one bit. I hope that the next software update that happens to me while I'm in the middle of reading will change the software update process so that the user can decide whether or not to update.
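As an added example (my own illustration, not Amazon's code and not what the Kindle firmware actually does), here is the shape of the update check described above: the vendor signs each image offline, the device verifies the signature with the public key baked into its firmware, refuses an image whose signature fails or whose version is not newer than what is installed, and only then asks the user before installing. The choice of Ed25519, the version-counter format, the RunScenarios helper and the sample payload are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed update package: version, payload, vendor signature.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// Device holds what ships in firmware: the vendor's public key and the installed version.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("rejected: signature does not verify under the vendor key")
	ErrRollback     = errors.New("rejected: version is not newer than the installed one")
	ErrDeclined     = errors.New("deferred: user declined the update")
)

// signedMessage hashes version and payload together so a valid signature
// cannot be spliced onto another payload or re-labelled with another version.
func signedMessage(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step, done offline with the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return UpdateImage{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate checks authenticity and freshness; it installs nothing.
func (d *Device) VerifyUpdate(img UpdateImage) error {
	if !ed25519.Verify(d.VendorKey, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.InstalledVersion {
		return ErrRollback
	}
	return nil
}

// ApplyUpdate verifies first and only then asks the user; consent stands in for a real prompt.
func (d *Device) ApplyUpdate(img UpdateImage, consent func(version uint32) bool) error {
	if err := d.VerifyUpdate(img); err != nil {
		return err
	}
	if !consent(img.Version) {
		return ErrDeclined
	}
	d.InstalledVersion = img.Version
	return nil
}

// RunScenarios feeds a device at version 2 five constructed updates (tampered
// payload, wrong signing key, same-version rollback, valid but declined, valid
// and accepted) and returns each outcome plus the final installed version.
func RunScenarios() ([]error, uint32) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, InstalledVersion: 2}
	payload := []byte("firmware v3 (constructed payload)")
	tampered := SignUpdate(priv, 3, payload)
	tampered.Payload = append([]byte(nil), payload...)
	tampered.Payload[0] ^= 0xff // one byte flipped after signing
	forged := SignUpdate(attackerPriv, 3, payload)
	rollback := SignUpdate(priv, 2, payload)
	valid := SignUpdate(priv, 3, payload)
	deny, allow := func(uint32) bool { return false }, func(uint32) bool { return true }
	outcomes := []error{
		dev.ApplyUpdate(tampered, allow),
		dev.ApplyUpdate(forged, allow),
		dev.ApplyUpdate(rollback, allow),
		dev.ApplyUpdate(valid, deny),
		dev.ApplyUpdate(valid, allow),
	}
	return outcomes, dev.InstalledVersion
}

func main() {
	fmt.Println(RunScenarios())
}
```

The signature alone is not enough: without the version bound into the signed message, an attacker who captured an older signed image could push it back onto the device, which is why the rollback check is part of the verification and not an afterthought. The consent step comes last deliberately, so that a user is never asked to approve an image that has not already been authenticated.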

Other than that, I love my Kindle. I read a lot, and now the experience is that much better. Now, I wait for Kindle 3. What will it have? Color? Touchscreen? Virtual Display in my contact lenses? It will be exciting, and hopefully, it will let me control software updates.