TRUST in the News

Dr. Ruzena Bajcsy to receive HP Innovation Award

2009-06-15T14:38:00.000-07:00

Dr. Ruzena Bajcsy, EECS Professor at the University of California, Berkeley, was among Professors selected from around the world to receive an award as part of the second annual HP Labs Innovation Research Program.

The Program is designed to create opportunities for colleges, universities and research institutes for conducting breakthrough collaborative research with HP. Given the significant contributions achieved in last year's program, which includes 61 published papers and 13 invention disclosures, HP extended a second year of funding to 31 professors in 2009.

Awardees will work with HP Labs' researchers on fundamental research areas like intelligent infrastructure, immersive interaction and cloud computing, which includes social computing.

See complete article at TRADINGMARKETS.COM.

National cyber security: Cornell's Fred Schneider will testify before Congress

2009-06-09T09:29:00.000-07:00

Cornell University Computer Science Professor Fred Schneider, a noted expert on cyber security, will testify at the Hearing on Cyber Security Research and Development on Wednesday, June 10, organized by the Committee on Science and Technology, U.S. House of Representatives.

See announcement in Media Newswire,

Stanford's Dawson Engler Receives 2008 Grace Hopper Award

2009-05-28T16:37:00.000-07:00

TRUST researcher and Stanford University Professor Dawson Engler was awarded the
Association for Computing Machinery Grace Murray Hopper Award for 2008.

This prestigious award is given annually to the "outstanding young computer professional of the year" who is selected based on a "single recent major technical or service contribution". Prof. Engler was cited for his groundbreaking work in developing advanced tools and techniques that automate program checking to identify software errors. His approaches based on static analysis, model checking, and symbolic execution have proven very successful at finding bugs in large and complex applications.

Technical papers describing this research are available on Prof. Engler's homepage.

Personal information of thousands of UC Berkeley students, alumni hacked

2009-05-11T08:49:00.000-07:00

Approximately a decade's worth of information on current and former UC Berkeley students was stolen by hackers, as announced by the University last Friday. The infractions concerned records dating back to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians.

The thefts were initially discovered about a month ago, but system administrators did not realize the scope of the attack until April 21.

University Associate Vice Chancellor for Information Technology Shelton Waggener said the hackers disguised their work as routine operations and then left taunting messages for UC Berkeley employees. Waggener says that the thieves accessed the information through the University web site.

Stanford University Professor of Computer Science John Mitchell said that thieves worldwide have set up black markets to sell stolen data, adding that Asia, Eastern Europe and Nigeria have particularly active hackers. Mitchell also stated that the taunting messages left by the Berkeley thieves may indicate they are amateurs.

"If your intent is to steal information and sell it on the black market, you're probably not going to call attention to yourself like that," he said. "It could be that these are kids."

See more in The Daily Review.

Momentum Shifts Against Google in Old Books Controversy

2009-04-29T14:28:00.000-07:00

BNET media relates several new developments in the class action suit between Google and some authors over who will control publishing rights of millions of out-of-print books.

One of the leading legal experts on issues of intellectual property rights, UC Berkeley Professor Pamela Samuelson has written a powerful argument to the presiding judge in the case, U.S. District Judge Denny Chin. Judge Chin himself has also announced that he is extending the deadline for those wishing to oppose the settlement by four months, from May 4 to September 4.

The Justice Department is checking out the antitrust implications of the arrangements made between Google and groups representing publishers and authors, where it would be possible for millions more books to be included in Google Book Search unless the copyright holders take steps to opt out.
A larger issue to those who were not party to the deal concerns the large number of "orphan works", those whose rights holders cannot be identified.

“The proposed settlement of this lawsuit is a privately negotiated compulsory license primarily designed to monetize millions of orphan works,” wrote Professor Samuelson. “[It] would give Google a monopoly on the largest digital library of books in the world. It and BRR, which will also be a monopoly, will have considerable freedom to set prices and terms and conditions for Book Search’s commercial services. … Google will also be the only service lawfully able to sell orphan books and monetize them through subscriptions.”

See more on this story at Good Morning Silicon Valley, Los Angeles Times, and Silicon Beat.

Google Books Rival Objects to Settlement

2009-04-20T08:27:00.000-07:00

San Francisco's digital library Internet Archive opposes the current 125 million dollar Google settlement with authors and publishers that gives Google the rights to scan and sell books on the Internet.

Dismay at the fate of orphan works, estimated at some 70 percent of books being scanned, is mounting as the May 5 deadline for objections to the settlement nears.

UC-Berkeley School of Law professor Pamela Samuelson said the issue of orphaned works should be handled by legislators, not as a settlement in a class action.

"Usually if you want a compulsory license you have to go to Congress," she said.

Professor Samuelson favors a scenario in which the Internet Archieve as well as other digital libraries in addition to Google, would get a license to scan the boks and make them available online.

"I hadn't expected them to intervene," she said. "It's an interesting development -- it's going to be interesting to see how it turns out."

See more at Law.com .

Copyright Scholar Challenges RIAA/DOJ Position

2009-04-10T20:56:00.000-07:00

Slashdot refers to an article in New York Country Lawyer about UC Berkeley Professor Pamela Samuelson, leading copyright law scholar, publishing a 'working paper' that argues directly against the stand taken by the US Department of Justice in RIAA cases on the constitutionality of the RIAA's statutory damages theories. The Department of Justice has argued that the Court should follow a 1919 United States Supreme Court case upholding the constitutionality of a statutory damages award that was 116 times the actual damages borne, under a statute that gave consumers a right of action against railway companies.

The paper discusses, in depth, a number of issues regarding statutory damages under the Copyright Act and also concludes that the State Farm/Gore due process test is applicable to statutory damage awards under the Copyright Act.

This position is consistent with that taken in the amicus curiae filed by the Free Software Foundation in earlier RIAA case defending the defendant's Due Process defense to the RIAA's claim for statutory damages and contradicts the Department of Justice briefs, arguing that the Gore due process test applies.

See the complete working paper, Statutory Damages in Copyright Law: A Remedy in Need of Reform, by Pamela Samuelson and Tara Wheatland .

The DOJ's intervention last month on behalf of the RIAA was covered in a Slashdot posting Obama DOJ Sides with RIAA.

Google’s Plan for Out-of-Print Books Is Challenged

2009-04-07T17:38:00.000-07:00

Slashdot mentions an article in the New York Times about a growing tide of complaints against Google in response to an extensive settlement that some feel will grant the mammoth company too much control over the "orphan books" they have been scanning into digital format. The settlement could give Google near-exclusivity with respect to the copyright of books that the author and publisher have basically abandoned. They may be out of print but while they remain under copyright, the rights holders are unknown or cannot be found.

“No other company can realistically get an equivalent license,” said Pamela Samuelson, a professor at the University of California, Berkeley, and co-director of the Berkeley Center for Law and Technology.

Critics say that without the orphan books, no competitor will ever be able to compile the comprehensive online library Google intends to create. Without competition, Google will be able to charge universities and others a high price for access to its database.

While most of the critics, including copyright specialists, antitrust scholars and some librarians, agree that the public will benefit, they say others should also have rights to orphan works.

See complete article in the New York Times.

Do Breach Notification Laws Work?

2009-03-09T16:21:00.000-07:00

Deirdre Mulligan, professor of information technology law and policy at UC Berkeley's School of Information was one of several speakers at a Security Breach Notification symposium held in Berkeley last Friday. The symposium's directive was to try to answer the question of whether breach notification laws are actually working.

California passed the first data breach notification law in 2003, which quickly became the standard for the rest of the country. While it is clear that the laws have made the public more aware of the vulnerability of their data and have exposed poor security practices at many a business, it is unclear what other benefits the laws have had. Breach notifications should, in theory, reduce incidence of identity theft or fraudulent charges to credit cards if consumers take proper precautions when they receive a notification, as with a fraud alert or a freeze on their credit account because of suspicious transactions.

There are also other questions to ask about what effect breach notifications have on the relationship between the customer and the breached organization. While consumers often express anger and mistrust toward companies that lose their data, it is unclear how often that mistrust actually translates to action.

According to Professor Mulligan, a Ponemon study found that about 20 percent of respondents claimed to have terminated their relationship with a company after discovering the company experienced a breach. But a separate survey of companies found that the percentage of customers who actually do terminate their relationship is less than 7 percent. Both numbers need to be taken with a grain of salt.

"Consumers have a tendency to say they're going to do one thing when they actually do another," says Mulligan, "and companies also can't be relied on to honestly report the numbers of customers they lose from a breach."

See full article in Wired.

Shankar Sastry interviewed on Federal News Radio

2009-03-02T14:07:00.000-08:00

Dr. Shankar Sastry, Dean of of the College of Engineering at the University of California, Berkeley, was interviewed by Tom Temin for 'Federal Security Spotlight' on Federal News Radio in his role as director of the Team for Research in Ubiquitous Secure Technologies (TRUST).

Sastry described how TRUST, funded by the National Science Foundation and housed at the University of California at Berkeley, as a team of some of the best minds from UC Berkeley, Vanderbilt, Cornell, Carnegie-Mellon, and Stanford Universities with Smith, San Jose State University and Mills College as outreach partners, was formed to examine the interconnection between cyber infrastructure and physical infrastructure. The complex interplay of component technology, policy, law, privacy issues and economic considerations are the motivations for putting together the TRUST Center.

Prof. Sastry described how initially it was the internet that was the primary security concern with various worms and viruses emerging, but as time went on, power, water, telecommmunications and other physical infrastructures also became implicated in security concerns.

Temin raised the issue of security and health-care concerns with electronic medical records/personal health records. The issues, according to Prof. Sastry, are about trying to make sure that (a) we can collect this information and (b) we can make the information available without all the paperwork. Having the data available to the patient is also an objective.

"The issues of privacy and selective disclosure is a subject of some debate", says Sastry. "I think there are legitimate needs for the medical industry to learn about, say, the efficacy of certain drugs", but there is also a tension between personal and medical records that are seen by many entities, billing, pharmaceuticals, different kinds of doctors, he says. Sastry observed the need to stop any 'mining' of this information and a need to be able to stop a 'fishing expedition' in this area.

Trust research is focusing on both the security and the privacy of patients as well as the possibility of a patient 'customizing' their records to make some records available to their doctors only.

Another area of research involves wireless networking vulnerabilities. Sastry describes a scenario where we will literally have a 1000 radios around people, controlling the physical environment by means of embedded rfid's and wireless sensor networks, evolving to a future of computation on wireless devices. Dr. Sastry says we need a reliable and secure medium for a wireless network. Wireless airwaves are not as reliable as a wired infrastructure because they are susceptible to jamming, to retransmission, etc.

A secure communications medium interacts with privacy and security. The privacy agenda enters in subtle ways in that by anonymizing the data, for example with real-time traffic monitoring via cellphone, it is not subverted as a means of tracking someone as they are driving in traffic. Cellphones will be used more and more as sensor networks.

Sastry described TRUST's mission as deriving security solutions in a principled way that is not reactive, as with the cat-and-mouse pattern of attacks followed by solutions followed by new attacks as has been the case thus far.

To listen to the complete interview (in 3 parts), go to Federal News Radio.

D.A. considers 211 cases of possible voter fraud

2009-02-11T08:00:00.000-08:00

The Orange County, California District Attorney's Office is investigating 211 possible cases of voter fraud in the November 4th presidential election. Registrar of Voters Neal Kelley sent the list after his office used computer databases to search for cases where one person submitted more than one ballot. Kelley says that history shows that most instances of double voting are unintentional as with a voter that submits two absentee ballots, or an absentee ballot in addition to voting at the polls.

UC Berkeley Professor David Wagner, who studies electronic voting security says that post-election audits across the state have improved recently under the heightened scrutiny of state and local officials.

"It's important for transparency because it gives voters more confidence that the right person won," Wagner said. "The big picture is the whole state of California is in good shape."

Wagner stated that these registration errors should be fixed for future elections but that it is not someting that's going to affect the outcome of an election since it is an issue of such small scale.

See complete article in OC Register.

Phone security is much better, says UC Berkeley Professor

2009-01-26T08:17:00.000-08:00

The Akron Beacon Journal relayed comments by UC Berkeley Professor David Wagner, regarding current telephone security. When asked if there were any difference in security between using a corded phone and a cell phone, Wagner replied

"Assuming your cell phone is digital, there's not enough difference to worry about. Back when cell phones were analog, eavesdropping was easy." However today most cell phones are digital and while eavesdropping with a digital cell phone is possible, "it's pretty much out of the reach of casual interception," he said.

Wagner notes that wired phones aren't completely secure either, but said both digital cell phones and wired phones are secure enough for most people to use for everyday business. In truth, the weakest aspect of cell-phone use is the frequency of having sensitive conversations in public places without thinking about being overheard.

See more at Ohio.com.

Experts debate: Is DRM good or bad for consumers?

2008-12-19T10:18:00.000-08:00

COMPUTERWORLD ran a story about the FTC's discussion about the controversial DRM (digital rights management) technology possibly benefiting consumers because it could give them more choices for downloading or buying copyrighted content. Others on a panel discussion about new technology products are not convinced however.

Until DRM matured, consumers had control over how they used digital content, noted Deirdre Mulligan, director of the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley, Law School. DRM is creating a "permission culture" where consumers have to ask the copyright owner's permission to play a piece of music on both a home computer and a car stereo, she said.

Until DRM, "there was a lot of breathing space in copyright law," she added.

In addition, many consumers don't understand DRM restrictions, and they're surprised when a CD that works on a home stereo can't be played somewhere else, she said. Vendors offer "little disclosure about how consumers can use" DRM-protected content, she said.

See full article at COMPUTERWORLD.

Shankar Sastry to discuss UC Berkeley's intiatives at its first Global Technology Leaders Conference

2008-11-14T15:10:00.000-08:00

A press release came out yesterday in the Wall Street Journal's online MarketWatch announcing UC Berkeley as host of the inaugural A. Richard Newton Global Technology Leaders Conference on Thursday, November 20th.

The conference will bring together notable entrepreneurs, scientists and researchers to discuss the world's most overarching challenges and ascertain pathways to solution in the health sciences, energy and technology fields. Dean of UC Berkeley's College of Engineering, Shankar Sastry, will discuss Berkeley's initiatives in these areas. Alberto Sangiovanni-Vincentelli, professor in Electrical Engineering and Computer Sciences at Berkeley, will deliver the keynote address, "The Future of the Future."

The conference is being held during Global Entrepreneurship Week and is sponsored by the Ewing Marion Kauffman Foundation and the goal for the group is to develop a roadmap leading to new industries in energy, technology and health care.

"It is fitting to launch this annual series during a week that seeks to inspire young people to be innovative and entrepreneurial," said Lesa Mitchell, vice president, Advancing Innovation, Kauffman Foundation.

See complete story in MarketWatch.

Improving the Count; Prof. David Wagner, others pose solutions for better election system

2008-11-13T08:34:00.000-08:00

The Boulder Daily Camera ran an article Sunday regarding problems with voting systems in general and in Boulder County specifically. Although Boulder County Commissioners agreed to spend $1.4 million on optical scanning equipment in 2004, in didn't take long for problems that still follow the county's election process showed up. In August 2004, Boulder County lagged hours behind other Colorado counties. Worse, poorly printed ballots delayed election results for 72 hours in November, 2004.

“If the proper maintenance and everything else is being done to (the scanners), this is the voting system we should be using,” said John Gideon, co-director of VotersUnite!, a non-partisan group that has been logging errors on all kinds of voting machines.

Computer scientist David Wagner of the University of California at Berkeley who studies electronic voting machines, agrees.

“Right now, I think optical scan systems are probably the most mature, reliable technology on the market,” he said. “Boulder got the best technology on the market. ... None of the voting systems are perfect, and they all have their limitations.”

See full story in The Boulder Daily Camera.

Profitability of spam finally measured

2008-11-12T15:46:00.000-08:00

ZDNet posted an article about a key paper presented at this year's ACM Conference on Computer and Communication Security. A team of researchers, including UC Berkeley Professor Vern Paxson, used somewhat aggressive tactics to collect data that measures the conversion rate, or the rate at which an advertising impression results in a products sale, for spam. They essentially hijacked a portion of the notorious Storm botnet to inject spam that contained links to domains and storefronts they controlled.

The team's data has shown that generating 28 sales at an average of $100 each of various "male-enhancement" products required 350 million separate spam messages. This provides a yearly revenue rate of the Storm botnet for the sale of pharmaceuticals at around $3.5 million dollars.

See complete article at ZDNet.

What Could Possibly Go Wrong?

2008-11-04T16:16:00.000-08:00

An article came out today in PCWorld regarding the progress of E-voting technology since the 2000 U.S. presidential election, although it has taken a rather zig-zagged path. After Congress passed the 2002 Help America Vote Act (HAVA), counties spent billions of dollars upgrading to new electronic voting machines, many of which were dumped when it was determined that they were either unusable or untrustworthy.

Machine malfunctions, touch-screen calibration errors, training problems with unskilled poll workers or human error on the part of the voter all impact on an election's outcome. All of the above notwithstanding, University of California computer science professor David Wagner states that bad design choices could be ferreted out if the federal government included user-interface testing as part of the certification process.

Proposed next-generation voting standards would require this type of testing, but it is not clear that these standards will be adopted, Wagner said. The Berkeley professor also said he will be watching these voter registration databases closely today.

"I don't know what to expect," he said. "Everything could go smoothly, or we could have a substantial fraction of voters who show up on Election Day, think they're registered and are told that there is some problem with their registration."

See article today in PCWorld.

David Wagner quoted in article on new trend in voting technology

2008-10-29T10:14:00.000-07:00

In an article written by freelance technology journalist Cyrus Farivar, the concept of using cryptography for what is being called end-to-end voter-verifiability is described and analyzed.

In order for public officials to definitively show that the proposed cryptography works as it should, they would have to provide an advanced mathematical proof, or "zero-sum proof" as it is known, whose sheer size would preclude printing it on the ballot.

Among the several academics Farivar interviewed about the new cryptographic approach involved in voter-verifiable systems, Farivar quotes UC Berkeley Professor David Wagner who asks

"Will voters accept something that uses mathematics that they won't understand?"

See details in machinist.

Stephen Maurer quoted in New Scientist on DNA and Terrorism

2008-09-16T09:10:00.000-07:00

Stephen Maurer, Director of the Goldman School Project on Information Technology and Homeland Security ("ITHS") and member of TRUST was quoted in the New Scientist September 14, 2008 article, "DNA firms step up security over bioterrorism threat" that discusses efforts to counter fears that terrorists could make deadly viruses by ordering genetic material from corporations. Maurer is quotes as saying, "The fact that they're going to share their experiences is really important." Maurer helped write the industry guidelines.

UC Berkeley Professor Doug Tygar called in as expert witness for the defense

2008-09-11T15:59:00.000-07:00

Slashdot recounts a story published in NETWORKWORLD about the latest twist in the bizarre story of the rogue network administrator that hijacked the city's network in the last two months. With costs estimated at $1 million, city officials say they are trying to locate a mysterious networking device hidden somewhere in the network.

This device, which is referred to as a "terminal server" in court documents actually appears to be a router that was installed to provide remote access to the city's Fiber WAN network, which connects municipal computer and telecommunication systems throughout the city. The router was discovered on Aug. 28. When investigators tried to log in to the device, they were greeted with what appears to be a router login prompt and warning message saying "This system is the personal property of Terry S. Childs." Childs, a network administrator with DTIS was arrested June 12 on charges of network tampering after he refused to provide his superiors with administrative access to the city of San Francisco's network, which he'd managed for the past five years.

In a report filed before the city disclosed the hidden router, a court-appointed expert witness for the defense wrote that DTIS could easily prevent Childs from accessing the networks.

"I have seen no evidence that Mr. Childs is a 'computer hacker,' and by taking a number of simple steps, DTIS could block access by Mr. Childs to San Francisco networks," wrote Doug Tygar, a University of California, Berkeley computer science professor.

Childs next appearance is set for September 24th, when he'll face up to seven years in prison if convicted.

For complete story, see NETWORKWORLD .

Samuelson quoted about copyright and electronic access to CA laws

2008-09-04T08:10:00.000-07:00

In a September 3, 2008 Santa Rosa Press Democrat article, "He's giving you access, one document at a time," concerning efforts to make California laws more accessible on-line, Professor Pam Samuelson was quoted

"If it's the law, the public should have access to it," she said.

Samuelson points out that the idea of copyright was established to provide people incentive to create. People are given exclusive legal rights to their paintings, writings and other works because by selling those rights they can attempt to make a living.

There is no similar need for financial incentives to establish standards such as building codes, Samuelson said. For the most part, volunteers spend long hours drafting proposed standards for things like plumbing and building. Governments often take those standards and adopt them into law.

Once the standards become law, she doesn't think people can claim copyright protections. But like Malamud, she sees the courts making the final ruling.

"I don't think it's an airtight case for either side. But I think the law favors that if something is a law, it's in the public domain," she said.

9/29/08 Update: This article has been picked up by the San Francisco Chronicle (9/27/08) and the NY Times (9/29/08).

TRUST Supports Undergraduate Security Research Experience

2008-08-29T11:53:00.000-07:00

The Daily Californian ran an article on the UC Berkeley Summer Undergraduate Program in Engineering Research at Berkeley (SUPERB) program, including a group hosted by the TRUST Center. Led by Professor David Wagner and a group of graduate graduate student mentors, the SUPERB-TRUST participants got firsthand experience conducting research into security vulnerabilities of software applications as well as general exposure to working in a university research environment.

Plug-in opens door for self-signed SSL certs in Firefox 3

2008-08-25T10:24:00.000-07:00

An online posting of an article in INFORMATION SECURITY MAGAZINE appeared Friday about the release of a software plugin developed by CMU Professors Adrian Perrig and Dave Anderson along with Ph.D. student Dan Wendlandt. The plugin, as part of a system called Perspectives, was designed to relieve some of the anxiety surrounding Mozilla Corp's decision to not display sites with either self-signed or expired SSL digital certificates in Firefox 3.

The Perspectives system works from a series of servers that monitor website connections recording public encryption keys over time. If the servers can authenticate that the same key has been returned for a requested site for a predetermined period of time, Perspectives will override Firefox 3's default block on the site and allow the user to proceed.

See SearchSecurity.com for details.

University of California, Berkeley Prof. Bajcsy wins Innovation Research Award

2008-08-15T13:06:00.000-07:00

Hewlett Packard announced the 41 professors it has chosen to receive its HP Labs Innovation Research Awards, which fund joint research projects between academic research institutions throughout the world and HP Labs.

Drs. Ruzena Bajcsy and Van P. Carey, of the University of California, Berkeley were among the 41 professors selected.

"Deepening HP Labs' strategic collaboration with those in academia, government and the commercial sector ensures HP's research endeavors result in high-impact research that meets the scientific and business objectives of HP and its partners," said Prith Banerjee, senior vice president, Research, HP, and director, HP Labs. "The professors' deep technical expertise, HP Labs researchers' domain and industry knowledge, and governments' abilities to fund innovative research will come together to address the world's most complex IT challenges."

See complete story at MarketWatch.

Transit agency wants MIT students to stay gagged

2008-08-15T11:02:00.000-07:00

The Electronic Frontier Foundation is providing legal defense for three MIT students prohibited from discussing vulnerabilities they discovered in subway card security by an order given to the Massachusetts Bay Transportation Authority by a District Court Judge.

The EFF has enlisted some high-profile academics, including UC Berkeley's David Wagner, to strengthen the case that the restraining order is antithetical to security research.

Security researchers are watching this case carefully because it could ultimately set a precedent weighing First Amendment rights to publish freely against a vendor's desire to keep embarrassing and potentially explosive details secret.

Prof. Wagner and several other high-profile academics have signed a letter to the judge on Monday that says:

We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure. We urge that you reconsider and remove the temporary restraining order issued on August 10, 2008.

See full story at cnet.news.com