tURNING yOUR dEVICE aGAINST yOU!

Eavesdropping
So interesting article in BBC about the Samsung’s “Listening TV.”



This TV has voice activated controls and they don’t just take commands, but…



“If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”



So aside from hackers (and spies) being able to turn your phone and computer mics, cameras, and GPS location data on and off to surveil and eavesdrop on you, now the dumb television set can listen in as well. 



You can be heard, seen, and found…whether you know it or not. 😉



(Source Photo: Andy Blumenthal with eyes and ears from here and here with attribution to Firas and Simon James)

Disability Rights – To Life Or Death

Disability Rights - To Life Or Death

I read today in the Wall Street Journal an editorial by Joni Eareckson Tada–which I couldn’t have disagreed with more.

Let me start by saying that I have the greatest respect for Ms. Tada who is herself a quadriplegic and has overcome unbelievable challenges to become a huge successful author, radio show host, and advocate for disabled people.

Yet in the editorial, she rails against those with disabilities that choose death over life and the laws that would enable this.

She says, “first it was assisted suicide,” and now it’s unlawful birth suits after a child was born with severe disabilities that could have been genetically screened for, and an upcoming Belgium law that may “legalize euthanasia for children with incurable diseases–who, with the support of their parents or guardians, ask to die.”

Ms. Tada calls these out as some sort of incredible “double standards” vis a vis the “freedom and dignity that the ADA [Americans With Disabilities Act] championed”–she says that “instead of helping the disabled live full lives, new laws seek to help them die.”

While I appreciate her sentiments, I cannot agree with them–not everyone is Ms. Tada who decided she wanted to live and was able and fortunate to do what she has done.

This is a free country and people deserve the right to decide for themselves, making an informed and a well-thought out decision and with their loved ones, if they are too young, old, or otherwise unable to make the decision anymore for themselves.

Having seen the ravages of disability, especially with my own mother, who suffers from Parkinson’s Disease and other ailments, I cannot believe that anyone would try to force life on someone who has endless pain and suffering and wishes only for their final peace.

Ms Tada asks, “What type of society do we want?” She goes on claiming that “if we are seeking a good society then we do well to defend the rights of the helpless-not nullify their rights,” yet this is exactly what Tada is advocating by seeking to nullify their right to end their suffering.

If it amazing that people will “put down” a sick dying animal to relieve it of it’s suffering when it is beyond cure, but we don’t show the same mercy to fellow human beings when they are in the clutches of death and torment.

There is most certainly a time when it is enough pain, enough disability, when there is no more hope, and the most decent human thing we can do is free the person from their intolerable suffering.

Life is a wonderful thing if it can be lived, but if it is a living hell, then we should be merciful and let people go to their final resting place without the anguish that only they can ever really understand.

(Source Photo: here with attribution to GizM ()17)

Balancing Cybersecurity And Citizen Freedom

Balancing Cybersecurity And Citizen Freedom

There is a very interesting discussion of the protection of Federal Networks and the Fourth Amendment in “Cybersecurity, Selected Legal Issues,” Congressional Research Service (CRS) Report for Congress (3 May 2012).

The Department of Homeland Security (DHS) in conjunction with the National Security Agency (NSA) rolled out EINSTEIN, an intrusion detection system (IDS) in early iterations, and later an intrusion prevention system (IPS) at all Internet points of presence (POPs) for the government.

The system works through copying, storage, and deep packet inspection of not only the metadata for addressing information, but also the actual contents of the flow. This handling is necessary in order to identify suspicious malware signatures and behavior and alert the United States Computer Emergency Response Team (US-CERT) in order to block, quarantine, clean, and respond to the attacks and share information about these.

However, the civil liberties and privacy issue with EINSTEIN is that according to the Fourth Amendment, we are protected from unreasonable search and seizures. Thus, there are concerns about the violation of the Fourth Amendment, when DHS monitors and inspects addressing and content of all email and Internet communications to and from federal agency employees and the public–including not only from government email accounts and systems, but also from private email accounts such as Yahoo and Gmail and social media sites like Facebook and Twitter.

The justification for the use of EINSTEIN includes:

1. The government cannot reasonably get warrants in real time in order to safeguard the federal network and systems at the speed that the attacks are occurring.

2. The government places banners and user agreements on all Federal networks notifying users of monitoring, so there is no expectation of privacy in the communications.

3. The monitoring is conducted only for malicious computer activity and not for other unlawful activities—so “clean” traffic is promptly removed the system.

4. Privacy protections are ensured though review mechanisms, including Attorney General and Director of National Intelligence (DNI) reporting to Congress every six months and a sunset provision requiring monitoring reauthorization every four years.

This tension between monitoring of Federal networks and traffic and civil liberties and privacy is a re-occurring issue when it comes to cybersecurity. On one hand, we want cybersecurity, but on the other hand, we are anxious about this security infringing on our freedoms—whether freedom of expression, from search and seizure, from surveillance, or from potentially costly regulation, stifling innovation, and so forth. It is this tension that has stalled many cybersecurity bills such as the Stop Online Privacy Act (SOPA), Cyber Intelligence Sharing and Protection Act (CISPA), The Computer Security Act of 2012 and more.

In the absence of a clear way forward with legislation to regulate and enforce, or incentivize, standards and best practices for cybersecurity, particularly for critical infrastructure protection, as well as information sharing, the White House released Presidential Policy Directive/PDD-21 on Critical Infrastructure Security and Resilience to establish DHS and other federal agency roles in cybersecurity and to manage these on a risk-based model, so that critical infrastructure is identified, prioritized, assessed, and secured accordingly.

While PDD-21 is a step in the right direction, it is an ongoing challenge to mediate a balance between maintaining our values and constitutional freedoms, while at the same time securing cyberspace.

One thought is that perhaps we can model cybersecurity after the Posse Comitatus Act of 1878 that separated federal military from domestic national guard and law enforcement powers. Using this model, we can create in cyberspace a separation of cybersecurity from our borders outward by the federal government, and within the domestic private networks by our national guard and law enforcement.

Thus, we can create stronger security radiating out at the national periphery, while maintaining our important freedoms within, but always working together to identify and neutralize any and all threats to cyberspace. 😉

(Source Photo: Andy Blumenthal)

Don’t Throw Out The Pre-Crime With the Bathwater

Terrorist_screening

The Atlantic (17 April 2012) has an article this week called ” Homeland Security’s ‘Pre-Crime’ Screening Will Never Work.”

The Atlantic mocks the Department of Homeland Security’s (DHS) Future Attribute Screening Technology (FAST) for attempting to screen terrorists based on physiological and behavioral cues to analyze and detect people demonstrating abnormal or dangerous indicators.

The article calls this “pre-crime detection” similar to that in Tom Cruise’s movie Minority Report, and labels it a  “super creepy invasion of privacy” and of “little to no marginal security” benefit.

They base this on a 70% success rate in “first round of field tests” and the “false-positive paradox,” whereby there would be a large number of innocent false positives and that distinguishing these would be a “non-trivial and invasive task.”

However, I do not agree that they are correct for a number of reasons:

1) Accuracy Rates Will Improve–the current accuracy rate is no predictor of future accuracy rates. With additional research and development and testing, there is no reason to believe that over time we cannot significantly improve the accuracy rates to screen for such common things as “elevated heart rate, eye movement, body temperature, facial patterns, and body language” to help us weed out friend from foe.

2) False-Positives Can Be Managed–Just as in disease detection and medical diagnosis, there can be false-positives, and we manage these by validating the results through repeating the tests or performing additional corroborating tests; so too with pre-crime screening, false-positives can be managed with validation testing, such as through interviews, matching against terrorist watch lists, biometric screening tools, scans and searches, and more. In other words, pre-crime detection through observable cues are only a single layer of a comprehensive, multilayer screening strategy.

Contrary to what The Atlantic states that pre-crime screening is “doomed from the word go by a preponderance of false-positives,” terrorist screening is actually is vital and necessary part of a defense-in-depth strategy and is based on risk management principles. To secure the homeland with finite resources, we must continuously narrow in on the terrorist target by screening and refining results through validation testing, so that we can safeguard the nation as well as protect privacy and civil liberties of those who are not a threat to others.

Additionally, The Atlantic questions whether subjects used in experimental screening will be able to accurately mimic the cues that real terrorist would have in the field. However, with the wealth of surveillance that we have gathered of terrorists planning or conducting attacks, especially in the last decade in the wars in Iraq and Afghanistan, as well as with reams of scientific study of the mind and body, we should be able to distinguish the difference between someone about to commit mass murder from someone simply visiting their grandmother in Miami.

The Atlantic’s position is that  terrorist screening’s “(possible) gain is not worth the cost”; However, this is ridiculous since the only alternative to pre-crime detection is post-crime analysis–where rather than try and prevent terrorist attacks, we let the terrorists commit their deadly deeds–and clean up the mess afterwards.

In an age, when terrorists will stop at nothing to hit their target and hit it hard and shoe and underwear bombs are serious issues and not late night comedy, we must invest in the technology tools like pre-crime screening to help us identify those who would do us harm, and continuously work to filter them out before they attack.

(Source Photo: here with attribution to Dan and Eric Sweeney)

A Word Indeed

The information in your smartphone and managed by your telecommunications carrier is available and accessible to others with today’s tools and following the right processes.Bloomberg BusinessWeek(29 March 2012) reports on a new tool for law enforcement that captures your data from smartphones.It is called the Cellebrite or Universal Forensic Extraction Device (UFED).

As the video describes it works with almost every mobile device out there–over 1,800 of them.

And when attached to a smartphone, it can extract everything from your call log, emails, texts, contact list, web history, as well as photos and videos.

The forensic tool can even retrieve deleted files from your phone.

Your smartphone is a digital treasure trove of personal information and the privacy protection afforded to it is still under debate.

The article cites varying court opinions on “whether it’s fair game to examine the contents of a mobile phone without a warrant,” since it is in the suspect’s immediate possession.

According to law enforcement sources quoted in the article, “we use it now on a daily basis.”

Aside from the contents on the phone itself, Bloomberg BusinessWeek (29 September 2012) earlier reported that telecommunications companies are also storing your personal data for various lengths of time.

For example, detail call records and text contacts are retained for up to 7 years and phone location information indefinitely, depending on the carrier.

This data is available too under the processes specified in the Electronic Communications Privacy Act.

While the technology is constantly getting better for us to electronically manage our information and communicate with each other, the reach and life cycle of digital information can certainly be far and long.

As we should all by now know, working remotely, digitally, in cyberspace, and encrypting, deleting, or even attempting to destroy data files does not ensure their ultimate privacy.

In that respect, both digital and non-digital information are the same in one very important facet and that is as we all learned early in life that “a word once said cannot be taken back.”

Which Big Brother

Brother_in_arms

About a decade ago, after the events of 9/11, there was a program called Total Information Awareness (TIA) run out the Defense Advanced Research Projects Agency (DARPA).

The intent was develop and use technology to capture data (lots of it), decipher it, link it, mine it, and present and use it effectively to protect us from terrorists and other national security threats.

Due to concerns about privacy–i.e. people’s fear of “Big Brother”–the program was officially moth-balled, but the projects went forward under other names.

This month Wired(April 2012) reports that the National Security Agency (NSA) has almost achieved the TIA dream–“a massive surveillance center” capable of analyzing yottabytes (10 to the 24th bytes) of data that is being completed in the Utah desert.

According to the article, the new $2 billion Utah Data (Spy) Center is being built by 10,000 construction workers and is expected to be operational in a little over a year (September 2013), and will capture phone calls, emails, and web posts and process them by a “supercomputer of almost unimaginable speed to look for patterns and unscramble codes.”

While DOD is most interested in “deepnet”–“data beyond the reach of the public” such as password protected data, governmental communications, and other “high value” information, the article goes on to describe “electronic monitoring rooms in major US telecom facilities” to collect information at the switch level, monitor phone calls, and conduct deep packet inspection of Internet traffic using systems (like Narus).

Despite accusations of massive domestic surveillance at this center, Fox News(28 March 2012) this week reported that those allegations have been dismissed by NSA. The NSA Director himself, General Keith Alexander provided such assurances at congressional hearings the prior week that the center was not for domestic surveillance purposes, but rather “to protect the nation’s cyber security,” a topic that he is deeply passionate about.

Certainly new technologies (especially potentially invasive ones) can be scary from the perspective of civil liberties and privacy concerns.

However, with the terrorists agenda very clear, there is no alternative, but to use all legitimate innovation and technology to our advantage when it comes to national security–to understand our enemies, their networks, their methods, their plans, to stop them, and take them down before they do us harm.

While, it is true that the same technologies that can be used against our enemies, can also be turned against us, we must through protective laws and ample layers of oversight ensure that this doesn’t happen.

Adequate checks and balances in government are essential to ensure that “bad apples” don’t take root and potentially abuse the system, even if that is the exception and not the rule.

There is a difference between the big brother who is there to defend his siblings from the schoolyard bully or pulls his wounded brother in arms off the battlefield, and the one who takes advantage of them.

Not every big brother is the Big Brother from George Orwell’s “1984” totalitarian state, but if someone is abusing the system, we need to hold them accountable.

Protecting national security and civil liberties is a dual responsibility that we cannot wish away, but which we must deal with with common sense and vigilance.

(Source Photo: here)

>Biometrics and Enterprise Architecture

>

Biometrics is “the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.” (Wikipedia)

Biometrics is crucial for identifying and taking out of play enemy combatants, terrorists, and criminals or for providing access to trusted employees or partners in public or private sector organizations, like the intelligence community, defense, security, and various sensitive industries like financial, telecommunications, transportation, energy, and so forth.

National Defense Magazine, November 2007 has an article on the significant advances being made in biometric technologies and their applications to our organizations.

According to “’The National Biometrics Challenge,’ a report produced by the Office of the President’s National Science and Technology Council…’a tipping point in the maturation of the technology has been reached.’

Both the FBI’s Information Services Division and The Department of Defense Biometric Fusion Center are leading the way in this field.

Currently, identity is established based on the trinity: “something you know (such as a password), something you have (like an identity card), or something you are, which is where biometrics comes in.”

Biometrics includes technologies for recognizing fingerprints, facial features, irises, veins, voices, and ears, and even gait.

But these are technologies identification means are not fool-proof: remembering multiple complex passwords can be dizzying and identity cards can be lost, stolen, or forged. So biometrics becomes the cornerstone for identity management.

However, even biometrics can be spoofed. For example, fake rubber fingers have been used in lieu of a real fingerprint (although now there are ways with living flesh sensors to protect against this). So therefore, biometrics is evolving toward “multi-modial” collection and authentication. This could involve using 10 fingerprints versus one or combing fingerprint, iris scans, and digital mugshots (called the “13 biometrics template” and used to gain access in U.S. managed detention centers in Iraq) or some other combination thereof.

Biometrics has advanced so much so that an Iris scan system from Sarnoff Corp. of Princeton NJ “can scan and process 20 people per minute from distances of about 10 feet awat, even those who are wearing glasses.”

The keys to further enterprise application of these technologies in our enterprises are the following:

  1. Lowering the cost (especially to make it available to local law enforcement agencies)
  2. Making it rugged enough for extreme environments for the military
  3. Making it portable so that it can be used for a variety of law enforcement and defense operations
  4. Reengineering business processes so that measurements are captured, stored, accessible, and readily available for making a match and generating a decision on someone’s identity in real-time
  5. Developing policies that “effectively govern the proper use of the data” and ensure adequate protection for civil liberties and privacy.

Overall, biometrics has moved from emerging technology to applied technology and needs to be planned into your identity management architectures.