Friday, October 2, 2009

GHC09: Susan Landau: Bits and Bytes: Explaining Communications Security (and Insecurity) in Washington and Brussels

Susan Landau started out giving us her history about how she went from a theoretical computer science faculty member at a university to someone working at Sun Microsystems on public policy. A path she said she wasn't working towards, but feel she must've been just a little bit, or she wouldn't have ended up where she is.

The US first started doing wire tapping during the Civil War! Wow! Apparently we didn't slow down - not only did the US use wire tapping to watch criminals, but they were also doing it on congress people and supreme court judges! In particular, a congress person could be talking about the FBI budget and the FBI would be listening in! Clearly a conflict of interest!

Congress didn't like this and put in a law to regulate this - requiring wire taps to only be for a specific person at a specific number

In 1994 a US law was passed that required all digitally switched telephones to be built wire tapped enabled! The equipment was to be designed by the FBI, much to the chagrin of telephony providers.

This is problematic - in 2004-2005, it was discovered that some non US diplomats had been wiretapped - but not by a government entity! (at least not officially.) This was discovered when there was some problems with text messaging on one of these phones. They found the switch in Greece, which had been bought from a US company with the wire tapping software disabled - so no auditing software was enabled. Someone very knowledgeable with the switch used a rootkit to get in, turn on the wire tapping software and then targeted these diplomats! With no auditing software enabled, the Greek phone company had no idea this was happening until there were problems with the text messages! Once this illegal wire tap was discovered, the phones that were listening in suddenly went dark and the perpetrators were never found. Very scary stuff!

This is a clear example of how software made to "protect" us can actually be used to spy on innocent people - terrifying indeed!

All of this gets much more complicated with technology like VoIP (Voice over Internet Protocol) where people do not have a set phone number, it is done with the IP address which will vary every time you reconnect your laptop or mobile device to the network. What this means is it is very hard to pinpoint the caller - one of the risks here is that the wrong person will be eavesdropped upon.

Landau knows it is very important for society to have secure communications - to enable conversations with first responders, for example, and we need to have the technology to do this.

Landau continues on about how much more devastating natural disasters are than terrorist attacks, yet for some reason they don't get nearly as much news and political coverage than a terrorist attack. I wonder if we all feel we're more protected from a random natural disaster? Or if we are fascinated with how evil someone would have to be to purposefully hurt another human? hrm.

President Bush apparently authorized warrantless wire tapping in 2001 - and this was relatively unknown and undiscovered until 2007. She wrote an op-ed for the Washington Post on this topic, and next thing she knew, she was the expert on privacy. This is good, in that she now has Washington's ears, but she realized she needed to find more people to help support her in this and she was happy to find many intelligent, bright and like minded folks.

Now she's been working on reviewing public policy - basically doing law reviews. Landau jokes that she feels she's in training to be a lawyer.

If you want to get into public policy, you need to learn their stuff: "laws, policies, motives", to speak well, write well and have great courage. She believes these are all the traits that a good engineer should have as well, so perhaps it's a career path after all. :-)

Valerie Fenwick

No comments: