[powerpoint]
TRANSCRIPT
![Page 1: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/1.jpg)
Week 13
LIS 7008
Information Technologies
Policy
LSU/SLIS
![Page 2: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/2.jpg)
Policy
• Tech changes society; society shapes tech
• Good things using computers and IT
• Threats– Technical, non-technical
• Defense– Technical, non-technical
![Page 3: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/3.jpg)
Agenda
• Questions
• Ownership
• Identity
• Privacy and anonymity
• Information integrity
![Page 4: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/4.jpg)
Questions
• Projects?
• Digital libraries? – Digital Librarianship– http://grad-schools.usnews.rankingsandreviews.com/grad/library.html
• XML with CSS
![Page 5: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/5.jpg)
Equitable Access
• Computing facilities– Hardware, software
• Networks– Speed, continuity, access points
• Information sources– Who owns info– Per-use fee vs. subscription vs. advertising– Language
• Skills– System, access strategies, information use; – Digital divide
![Page 6: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/6.jpg)
Ownership
• Who has the right to use a computer?– Remote access; firewall
• Who establishes this policy? How?– What equity considerations are raised?
• Can someone else deny access?– Denial of service attacks– Intention?
• How can denial of service be prevented?– Who can gain access and what can they do?– Balance b/t law and tech means
![Page 7: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/7.jpg)
Justifications for Limiting Use• Parental control
– Web browsing software, time limits
• Intellectual property protection– Copyright, trade secrets, privilege
• National security– Classified material
• Censorship– Decide limited use: what/who
• Relationship
![Page 8: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/8.jpg)
Techniques for Limiting Use
• Access control– Monolithic, multilevel access right
• Copy protection– Hardware, software
• Licensing– Shrinkwrap, shareware, GPL, creative commons
• Digital watermarks– Provide a basis for prosecution
![Page 9: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/9.jpg)
Fair Use Doctrine• Fair Use exceptions to US copyright laws
– http://en.wikipedia.org/wiki/Fair_use
• Balance two desirable characteristics– Financial incentives to produce content– Desirable uses of existing information
• Safe harbor agreement (1976 legislative history)– Book chapter, magazine article, picture, …
• Developed in an era of physical documents– Perfect copies/instant delivery alter the balance
![Page 10: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/10.jpg)
Recent Copyright Laws
• Copyright Term Extension Act (CTEA)– Ruled constitutional (Jan 2003, Supreme Court)– http://en.wikipedia.org/wiki/Sonny_Bono_Copyright_Term_Extension_Act
• Digital Millennium Copyright Act (DMCA)– Prohibits circumvention of technical measures– Implements WIPO treaty database protection
![Page 11: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/11.jpg)
The Pornography Debate
• Communications Decency Act (CDA)– 1996 Web: bookstore; backroom for adults– Ruled unconstitutional (1997, Supreme Court)
• Child Online Protection Act (COPA)– Cannot transfer– Enforcement blocked (March 2007, 3rd Circuit)
• Children’s Internet Protection Act (CIPA)– Ruled constitutional (June 2003, Supreme Court) – Applies only to E-Rate and LSTA funds– Can transfer, but must filter
![Page 12: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/12.jpg)
Filtering Technology• Any individual approach is imperfect• Term-based techniques
– Recall/precision tradeoff– Not as useful for audio (e.g., podcasts)
• Image-based techniques– Bikini vs. porn
• Whitelists and blacklists– Expensive to create manually– Differing opinions, time lag
• Religious belief, partisan …
– Australia Gov blocks up to 10,000 ‘unwanted’ sites• http://www.news.com.au/technology/story/0,25642,24645568-5014239,00.html
• Parental control? Censorship?
![Page 13: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/13.jpg)
Security
• Used to be simple…• Not so in a networked environment• Viruses and other nasty stuff
– 1988: Less than 10 known viruses– 1990: New virus found every day– 1993: 10-30 new viruses per week– 1999: 45,000 viruses and variants– Today: >180,000
![Page 14: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/14.jpg)
Viruses
• Computer programs able to attach to files– No independent life (not self-living)
• Replicates repeatedly– Typically without user knowledge or
permission
• Sometimes performs malicious acts
• Some not harmful
![Page 15: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/15.jpg)
Worms
• Self-reproducing program that sends itself across a network– Virus is dependent upon the transfer of files – Worm spreads itself
• SQL slammer worm (January 25, 2003) claimed 75,000 victims within 10 minutes
![Page 16: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/16.jpg)
Trojan Horse
• Malicious program with undesired capabilities– Log key strokes and sends them somewhere– Create a “back door” administrator logon
• Spyware: reports information about your activity without your knowledge
• Doesn’t (necessarily) replicate
![Page 17: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/17.jpg)
Spyware and Adware
• Spyware: software that sits on your machine and reports information about your activity to a third party without your knowledge– How does spyware get onto your computer?
• Adware: software that display annoying advertisement
![Page 18: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/18.jpg)
Denial of Service Attacks
• An attack on a computer network that causes a loss of service to users
• Typical perpetrated by flooding the host with an overwhelming number of packets– Consumption of resources: CPU, bandwidth, etc.
security
![Page 19: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/19.jpg)
Denial of Service Attacks
• Viruses– Platform dependent– Typically binary
• Flooding– Worms– Zombies– Chain letters
![Page 20: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/20.jpg)
Practical Tips
• Be wary of anything free
• Always have updated anti-virus software
• Change default settings
• Choose good passwords
• Keep software patched
security
![Page 21: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/21.jpg)
Symmetric Key Encryption
Alice Bob
Plain text EncryptCipher text
Decrypt Plain textInsecure channel
eavesdroppereavesdroppereavesdropper
key key
Same key used both for encryption and decryption
Encryption: HTTPS: secure http. F-secure SSH: secure ssh. sftp: secure ftp
![Page 22: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/22.jpg)
Asymmetric Key Encryption -1
Alice Bob
Plain text EncryptCipher text
Decrypt Plain textInsecure channel
eavesdroppereavesdroppereavesdropper
Allice’s private key(digital signature) Allice’s public key
Different keys used for encryption and decryption
![Page 23: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/23.jpg)
Asymmetric Key Encryption -2
Alice Bob
Plain text EncryptCipher text
Decrypt Plain textInsecure channel
eavesdroppereavesdroppereavesdropper
Bob’s public key Bob’s private key
Different keys used for encryption and decryption
![Page 24: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/24.jpg)
Asymmetric Key Encryption• Key = a large number (> 1024 bits)
– Public key: known by all authorized decoders
– Private key: known only by encoder
• One-way mathematical functions – “Trapdoor functions”
• Like mixing paint (easy to do, hard to undo)
– Large numbers are easy to multiply, hard to factor
• Importance of longer keys– Keys < 256 bits can be cracked in a few hours
– Keys > 1024 bits presently effectively unbreakable
![Page 25: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/25.jpg)
How does encryption work?
• One-way mathematical functions – “trapdoor functions”
– Large numbers are easy to multiply, but hard to factor
– Like mixing paint: easy to do, hard to undo
• Want more security? Pick longer keys– Keys less than 256 bits can be cracked within a few
hours by a personal computer
– Keys greater than 1024 bits practically unbreakable
encryption
![Page 26: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/26.jpg)
RSA “Public Key” Encryption
print pack"C*", split/\D+/,`echo "16iII*o\U@{$/=$z; [(pop,pop,unpack"H*",<>)]} \EsMsKsN0[lN*1lK[d2%Sa2/d0 <X+d*lMLa^*lN%0]dsXx++lMlN /dsM0<J]dsJxp"|dc`
Until 1997 – Illegal to show
this slide to non-US citizens!
![Page 27: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/27.jpg)
Digital Signatures• Alice “signs” (encrypts) with her private key
– Bob checks (decrypts) with her public key
• Bob knows it was from Alice– Since only Alice knows Alice’s private key
• Non-repudiation: Alice can’t deny signing message– Except by claiming her private key was stolen!
• Integrity: Bob can’t revise the message– Doesn’t know Alice’s Private Key
![Page 28: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/28.jpg)
Key Management
• Public announcement of public key– e.g., append public key to the end of each email– But I can forge the announcement
• Establish a trusted “certificate authority”– Leverage “web of trust” to authenticate authority– Register public key with certificate authority
![Page 29: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/29.jpg)
Certificate Authority
Alice Bob
Plain text EncryptCipher text
Decrypt Plain textInsecure channel
eavesdroppereavesdroppereavesdropper
Bob’s public key Bob’s private key
Bob’s public key
Certificate Authority
![Page 30: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/30.jpg)
Certificates: Example
![Page 31: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/31.jpg)
Different Types of Attacks
• Brute force
• False identity
• Social attacks– “Phishing”
encryption
![Page 32: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/32.jpg)
The Dark Side of Encryption
• Encryption is a double-edged sword– The ability to keep secrets facilitates secure
commercial transactions– But bad guys can use encryption to keep secrets…
• Illegal to use encryption unknown to government
• Can be cracked by “authorized parties”?– How should that ability be controlled?
encryption
![Page 33: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/33.jpg)
Identity, Privacy, Anonymity
![Page 34: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/34.jpg)
Identity
• Establishing identity permits access control• What is identity in cyberspace?
– Attribution• When is it desirable?
– Impersonation• How can it be prevented?
• Forgery is remarkably easy– Just set up your mailer with bogus name and email
![Page 35: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/35.jpg)
Authentication
• Used to establish identity• Two types
– Physical (Keys, badges, cardkeys, thumbprints)– Electronic (Passwords, digital signatures)
• Protected with social structures– Report lost keys– Don’t tell anyone your password
• Use SSH to defeat password sniffers
![Page 36: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/36.jpg)
Authentication Attacks
• Guessing
• Brute force
• Impersonation
• “Phishing”
• Theft
![Page 37: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/37.jpg)
Good Passwords• Long enough not to be guessed
– Programs can try every combination of 5 letters
• Not in the dictionary– Programs can try every word in a dictionary– every proper name, pair of words, date, every …
• Mix upper case, lower case, numbers• Change it often• Reuse creates risks
– Abuse, multiple compromise
![Page 38: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/38.jpg)
Access Control Issues
• Protect system administrator access– Greater potential for damaging acts– What about nefarious system administrators?
• Firewalls– Prevent unfamiliar packets from passing through– Makes it harder for hackers to hurt your system
![Page 39: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/39.jpg)
Ideals in Tension
• Establishing identity permits access control
• Yet people don’t want to be tracked
• How do you provide accountability?– People’s behavior change when no one is watching
Whenever a conflict arises between privacy and accountability, people demand the former for themselves and the latter for everybody else.
The Transparent Society by David Brin
![Page 40: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/40.jpg)
Privacy vs. Anonymity
![Page 41: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/41.jpg)
Are you being watched?
• Where?– At home?– At work?– In a shopping mall?– In a parking garage?– In the library?
• Do they have the right?
identity, privacy, and anonymity
![Page 42: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/42.jpg)
We Already Knew a Lot About You• Governments have information about life events
– Birth and death– Marriage and divorce– Licenses (e.g., drivers)– Property and taxes
• Business exchange information about transactions– How you commute to work– What cereal you eat– Where you like to go for vacation– What hobbies you have
![Page 43: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/43.jpg)
Businesses Know
• Business know a lot about you:– How you commute to work– What cereal you eat– Where you like to go for vacation– What hobbies you have
• And they sell each other this information
identity, privacy, and anonymity
![Page 44: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/44.jpg)
Databases
• Many organizations collect information about different facets of your life
• What happens when they start piecing the facets together?– Is anonymity even possible?– “They” are already doing this!
identity, privacy, and anonymity
![Page 45: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/45.jpg)
We Can See Even More Online
• Web tracking– Browser data, clickthrough, cookies, …
• Packet sniffers– Detect passwords, reconstruct packets, …
• Law enforcement– Carnivore (US), RIP (UK), …
• National security– Echelon (US), SORM (Russia), …
![Page 46: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/46.jpg)
Tracking Internet Activity
ISP logsIP addressFirewallsCookiesBrowser historySpywarePacket sniffingIntercepting e-mails Monitoring news groupsMonitoring chat roomsSpoofed web sitesWiretaps
![Page 47: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/47.jpg)
Anonymity
• Serves several purposes– Sensitive issues on discussion groups– Brainstorming– Whistleblowers– Marketing (“Spam”)
• Common techniques– Anonymous remailers– Pseudonyms
![Page 48: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/48.jpg)
Practical Obscurity
• A lot of government-collected information is public record
• Previously shielded by “practical obscurity”– Records were hard to access
• Not so with the Internet
![Page 49: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/49.jpg)
Privacy
• What privacy rights do computer users have?– On email?– When using computers at work? At school?– What about your home computer?
• What about data about you?– In government computers?– Collected by companies and organizations?
• Does obscurity offer any privacy?
![Page 50: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/50.jpg)
Privacy Protection
• Privacy Act of 1974– Applies only to government records
• TrustE certification guidelines– Site-specific privacy policies– Federal Trade Commission enforcement
• Organizational monitoring
![Page 51: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/51.jpg)
Privacy in a Post 9/11 World
The Professional Association of Diving Instructors (PADI), which certifies about 65 percent of the nation's divers, gave the FBI a computer file containing the names of more than 2 million certified divers in May 2002.
Airlines have handed large amounts of passenger data over to the government (most voluntarily).
![Page 52: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/52.jpg)
Continual Erosion of Privacy
• Slippery slope into Big Brother?
• What can you do?
identity, privacy, and anonymity
![Page 53: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/53.jpg)
Surveillance Law
• USA PATRIOT Act– Access to business records– Internet traffic analysis (with a court order)
• Foreign Intelligence Surveillance Act (FISA)– Secret court for monitoring foreign communications– Special protections for citizens/permanent residents
![Page 54: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/54.jpg)
Real-Time Local Surveillance
• Built-in features of standard software– Browser history, outgoing email folders, etc.
• “Parental control” logging software– ChatNANNY, Cyber Snoop, FamilyCAM, …
• Personal firewall software– ZoneAlarm, BlackIce, …
![Page 55: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/55.jpg)
Real-Time Centralized Surveillance
• Proxy server– Set up a Web server and enable proxy function– Configure all browsers to use the proxy server– Store and analyze Web server log files
• Firewall– Can monitor all applications, not just the Web
![Page 56: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/56.jpg)
Forensic Examination
• Scan for files in obscure locations– Find-by-content for text, ACDSee for pictures, …
• Examine “deleted” disk files– Norton DiskDoctor, …
• Decode encrypted files– Possible for many older schemes
![Page 57: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/57.jpg)
Integrity
• How do you know what’s there is correct?– Attribution is invalid if the contents can change
• Access control would be one solution
• Encryption offers an alternative
![Page 58: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/58.jpg)
Acceptable Use Policies
• Establish policies
• Authenticate
• Authorize
• Audit
• Supervise
![Page 59: [Powerpoint]](https://reader036.vdocuments.net/reader036/viewer/2022062418/5549edbeb4c9050d488b50fb/html5/thumbnails/59.jpg)
Practical Tips
• Keep anti-virus software current
• Keep software “patches” current
• Change default settings
• Be wary of anything free