Archive for the 'Events' Category

Wed. October 31 - Christopher Thorpe: Efficient, Secrecy-Preserving Proofs of Correctness for Electronic Commerce

Friday, October 26th, 2007

The Center for Research on Computation and Society continues its weekly lunch seminar:

CRCS Privacy and Security Lunch Seminar
Date: Wednesday, 31 October 2007
Time: 12:00pm-1:00pm (Lunch Provided)
Place: Maxwell Dworkin 119

Speaker: Christopher Thorpe, Harvard University

Topic: Efficient, Secrecy-Preserving Proofs of Correctness for Electronic Commerce

Abstract:

For many electronic commercial protocols, such as sealed-bid auctions, securities exchanges, and large “block” stock trades, the information revealed and kept secret as part of the protocol is of extreme importance. We will explore recent advances in cryptography that enable market and mechanism designers to precisely tune the transparency of their protocols to optimal economic requirements. We will consider examples such as sealed-bid auctions where no information is revealed to any bidder other than her own outcome, and a stock trading protocol where traders post encrypted prices and/or quantities of their trades, and only information necessary for the efficient operation of the market needs to be revealed.

Joint work with David Parkes, Michael Rabin, and Stuart Shieber.


Wed. October 24 - Sheila Jasanoff: Science, Technology, and Society: An Emerging Field at Harvard and Beyond

Monday, October 22nd, 2007

The Center for Research on Computation and Society continues its weekly lunch seminar:

CRCS Privacy and Security Lunch Seminar
Date: Wednesday, 24 October 2007
Time: 12:00pm-1:00pm (Lunch Provided)
Place: Maxwell Dworkin 119

Speaker: Sheila Jasanoff, Pforzheimer Professor of Science and Technology Studies

Topic: “Science, Technology, and Society: An Emerging Field at Harvard and Beyond”

Abstract:

STS has emerged out of two broad streams of concern that grew during the
20th century. One is the concern of scientists, policymakers, and the
public with the impacts and control of science and technology, with
particular focus on the risks that S&T pose to peace, security, democracy,
social stability, environmental sustainability, and other human values. The
other is the concern of academic researchers with the nature and practices
of S&T as social activities possessing distinctive goals, structures, and
languages that change over time and vary across cultures. Jasanoff will
discuss how these sets of concerns are represented at Harvard and elsewhere,
and what this implies for the training and careers of future scientists and
engineers. Her talk is based on her extensive experiences as a leading
analyst of the politics of science, frequent participant in policy debates,
and founder-chair of the only Ivy League department of STS (at Cornell).
She will also speak about the STS Program at the Kennedy School and how it
is seeking to bridge two, and more, cultures at Harvard.


Wed. October 17 - Sven Seuken: Selfishness and Altruism in P2P Networks: A Large-Scale Economics Field Experiment

Monday, October 15th, 2007

The Center for Research on Computation and Society continues its weekly lunch seminar:

CRCS Privacy and Security Lunch Seminar
Date: Wednesday, 17 October 2007
Time: 12:00pm-1:00pm (Lunch Provided)
Place: Maxwell Dworkin 119

Speaker: Sven Seuken, Harvard University

Topic: Selfishness and Altruism in P2P Networks: A Large-Scale Economics Field Experiment

Abstract:

We conducted a large-scale economics field experiment over the Internet
with more than 15,000 participants. The primary goal was to analyze the
degree of selfishness and altruism among P2P file-sharing users. For
this purpose, we released two versions of a new P2P file-sharing
software - a cooperative version and a selfish version - and observed
the users’ download decisions.

After a description of important experimental design choices I will
report on our findings regarding how the decision between selfishness
and cooperation changed with varying stimuli and user characteristics.
We found a surprising relation between the decision and the personal
benefit received by the user as well as other factors including a) prior
knowledge about P2P systems, b) age, c) country, d) operating system, e)
user online community, etc. I will conclude with the implications of this
experiment for our future research agenda in the field of Behavioral
Mechanism Design and describe the potential of new user models for the
design of more robust and efficient decentralized electronic markets.

This is joint work with David Parkes and Johan Pouwelse.

Wed. October 10 - Rachel Greenstadt: Security and Virtualized Environments: An Overview

Tuesday, October 9th, 2007

The Center for Research on Computation and Society continues its weekly lunch seminar:

CRCS Privacy and Security Lunch Seminar
Date: Wednesday, 10 October 2007
Time: 12:00pm-1:00pm (Lunch Provided)
Place: Maxwell Dworkin 119

Speaker: Rachel Greenstadt, Fellow, Center for Research on Computation and Society, Harvard University

Topic: Security and Virtualized Environments: An Overview

Abstract:

From rootkits like “blue pill” to protective sandboxes for running untrusted code, virtualization is changing the way people think about security and computing in general. This talk gives an overview of a wide variety of research and commercial projects in virtualization and some of their security implications. The talk will be short and will hopefully provoke lively discussion among the seminar attendees on this topic.

Wed. October 3 - Pamela Samuelson: A Reverse Notice & Takedown Regime to Enable Public Interest Uses of Technically Protected Content

Tuesday, September 25th, 2007

The Center for Research on Computation and Society continues its weekly lunch seminar:

CRCS Privacy and Security Lunch Seminar
Date: Wednesday, 3 October 2007
Time: 12:00pm-1:00pm (Lunch Provided)
Place: Maxwell Dworkin 119

Speaker: Pamela Samuelson, Richard M. Sherman Distinguished Professor of Law & Information, University of California, Berkeley

Title: A Reverse Notice & Takedown Regime to Enable Public Interest Uses of Technically Protected Content

Abstract:

The WIPO Copyright Treaty (WCT) recognized the need to maintain a balance between the rights of authors and the larger public interest in updating copyright law in light of advances in information and communications technologies. But the translation of this balance into the domestic laws of the United States and European Union has not been fully successful. In the DMCA, Congress achieved a reasonable balance of competing interests in its creation of safe harbors for internet service providers. However, contrary to its apparent intention, Congress failed to achieve a similar balance of interests when establishing new rules forbidding circumvention of technical protection measures (TPMs) used by copyright owners to control access to and use of their works. The EU Copyright Directive spoke of a commitment to ensuring that certain public interest uses can be made of technically protected works but contains limits that seemingly undermine this commitment. As a result, national implementations of the Copyright Directive have not adequately facilitated public interest uses of technically protected content.

We believe that practical judicial and administrative measures can and should be devised to implement the spirit of the WCT in both the U.S. and EU without reopening the contentious debates that engulfed the process leading up to enactment of the DMCA and the EU Copyright Directive. To this end, we propose adoption of a “reverse notice and takedown” procedure to help achieve some of the balance in anti-circumvention rules that the WCT endorsed, but which implementing legislation has thus far failed to deliver. Under this regime, users would be able to give copyright owners notice of their desire to make public interest uses of technically protected copyrighted works, and rights holders would have the responsibility to take down the TPMs or otherwise enable these lawful uses.

A reverse notice and takedown regime would achieve for the anti-circumvention rules a comparable symmetry with the balance embedded in the ISP safe harbor rules. It would also effectuate the nascent, but not fully realized, legislative intent to permit public interest uses of technically protected digital content, while at the same time protecting copyright owners against circumvention of TPMs that would facilitate or lead to massive infringements. In the U.S., the most likely way to achieve this goal is through judicial interpretation of the anti-circumvention rules through case by case adjudication. In the EU, by contrast, member states could implement a reverse notice and takedown regime in the course of fulfilling their obligations under Article 6(4) of the Copyright Directive, which requires them to ensure that users of technically protected works can exercise certain public interest exceptions. Nations that have yet to implement the WCT may find our proposed reverse notice and takedown regime provides a far more balanced way to comply with the treaty than the approach being promoted by U.S. trade negotiators.


CRCS Privacy & Security Lunch Seminar - Wed. September 19

Friday, September 14th, 2007

As the academic year starts, the Harvard Center for Research on Computation and Society will be continuing our weekly lunch seminar. The first meeting, to welcome everyone back, will be Wednesday 9/19 at noon in Maxwell Dworkin 119. Please come to meet old and new CRCS folks and plan the year ahead. As usual, we’ll provide lunch.

Please forward this announcement to others who might be interested. More information about CRCS can be found at , and information about past events at .

CRCS Privacy & Security Lunch Seminar - Wed. April 25

Friday, April 20th, 2007

Speaker: Zulfikar Ramzan
Date: Wednesday, 25 April
Time: talk 12-1, discussion 1-1:30 (lunch provided)
Place: Maxwell Dworkin 119

Title:
The Current State of Phishing Attacks

Abstract:
Phishing is the act of sending a user a fake email that appears to originate from a legitimate institution with which the user transacts (e.g., their bank, credit card company, etc.). The email directs the user to a spoofed web site and asks for sensitive information (e.g., usernames/passwords, credit card numbers, bank account numbers, social security numbers, etc.); in the hands of a malicious party, this leaked information is very dangerous. While it used to be easy to tell a phishing attempt apart from a legitimate email, phishers have started using techniques of ever-increasing sophistication. As a result, phishing has catapulted into a major component of the new threat landscape.

This talk will survey the current state of phishing attacks, leveraging real-world data obtained through Symantec’s data collection fabric. We will describe:

- The overall magnitude of the threat, including seasonal & day-of-week effects, geographic distinctions, spoofed brand segmentation, and geographic/population targets;
- The latest trends in attacks that have actually been mounted and how phishers are trying to circumvent existing countermeasures.

The talk will be self-contained and assumes no prior knowledge of the phishing threat.

CRCS Privacy & Security Lunch Seminar - Wed. April 18

Friday, April 20th, 2007

Speaker: Ben Adida, Harvard CRCS
Date: Wednesday, 18 April
Time: talk 12-1, discussion 1-1:30 (lunch provided)
Place: Maxwell Dworkin 119

Title:
Web (2.0) Security

Abstract:
The emergence of complex collaborative web applications, so-called “web 2.0”, presents a number of fascinating security challenges. In the mad rush
to create ever more useful applications, developers walk a very fine line,
tricking browsers and finding ways around existing security constraints
while attempting to protect users’ private data. The mashup trend, where
different web applications are combined on the fly, is of particular
interest here: mashups provide fascinating new features yet present the most
challenging security problems.

In this talk, we’ll review classic and advanced web security issues and
recent application-level exploits. We’ll then discuss some proposals for
improving the state of secure web application development. Discussion is
strongly encouraged, as this talk will not attempt to provide an
all-encompassing solution.

CRCS Privacy & Security Lunch Seminar - Wed. April 11

Wednesday, April 11th, 2007

Speaker: Stephen McCamant, MIT
Date: Wednesday, 11 April
Time: talk 12-1, discussion 1-1:30 (lunch provided)
Place: Maxwell Dworkin 2nd floor lounge

Title: Quantitative Information-Flow Tracking for Type-Unsafe Languages

Abstract:
I’ll describe a new technique for determining how much information about a program’s secret inputs is revealed by its public outputs. The technique tracks programs’ use of data through arbitrary calculations using a fine-grained dynamic bit-tracking analysis, and measures the information revealed during a particular execution. The technique accounts for “implicit flows”, situations in which secret data has an indirect influence via branches or pointer operations. Two kinds of untrusted annotation, which mark independent sub-computations and compact data representations, improve the precision of the analysis. We’ve performed case studies on real C, C++, and Objective C programs of up to half a million lines of code. Our tool checked multiple security policies, including one that was violated by a previously unknown bug. I’ll also outline how a new simulation-based proof technique can be used to check that the technique soundly accounts for all flows in an execution.

CRCS Privacy & Security Lunch Seminar - Wed. April 4

Tuesday, April 3rd, 2007

Speaker: Gary McGraw, Cigital
Date: Wednesday, 4 April
Time: talk 12-1, discussion 1-1:30 (lunch provided)
Place: Maxwell Dworkin 119

Title: Exploiting Online Games

Abstract:
This talk (based on a book of the same title co-authored by Greg Hoglund) frankly describes controversial security issues surrounding MMORPGs such as World of Warcraft. This no-holds-barred approach is fully loaded with code examples, debuggers, bots, and hacks. If you are a gamer, a game developer, a software security person or an interested bystander, this book exposes the inner workings of online game security for all to see. In the talk, I will cover:
* Why online games are a harbinger of software security issues to come
* How millions of gamers have created billion dollar virtual economies
* How game companies invade your privacy
* Why some gamers cheat
* Techniques for breaking online game security
* How to build a bot to play a game for you
* Methods for total conversion and advanced mods
Ultimately, this talk is mostly about security problems associated with advanced massively distributed software. With hundreds of thousands of interacting users, today’s online games are a bellwether of modern software yet to come. The kinds of attack and defense techniques I describe are tomorrow’s security techniques on display today.

BIO
Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Software Security: Building Security In, was released in 2006, with Exploiting Online Games slated for release this year. His other titles include Java Security, Building Secure Software, and Exploiting Software; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.