Friday, July 8, 2016

Which Degree for Me?

“I want to work with computers.”

This statement is made hundreds of times every day by students when they think about career options. The related statement “you should work with computers” is said almost as often by parents who see computing careers as a path to a comfortable, professional life for their children. There are a lot of things that make a career in computing attractive, including the strong demand and number of available jobs, excellent salaries, job satisfaction, the potential for your work to make a difference, and more. While computer science is the first field of study that many people think of when they consider preparing for a computing career, and those of us in computer science benefit from the prominence of our field in many ways, computer science is not the only option for people wanting to work with computers. For many students it may in fact not be the best option. While my computer science Department benefits from high enrollments and student interest, it doesn’t benefit anyone (students or faculty) to have students enrolled in our program that are really more aligned with a different field or approach to computing. In this article I will explain various education or training options when it comes to preparing for a career in computing.

First, understand that there is a big difference between “working with computers” as tools and “working with computers” in the way that I am talking about. These days almost every area of endeavor uses computers as tools, from using office tools and web browsers to using graphics and design tools to doing data entry, but none of those are computing careers. The people who make those tools, from Microsoft Word to Adobe Photoshop to mobile apps and more, are typically computer scientists, but the use of those tools has little to do with computer science. If you want to use computers to make digital art, you should be studying in the Art department — the “digital” part of that doesn’t make it computer science!

Furthermore, many computing-based careers are strongly interdisciplinary, and include a mix of computing and non-computing topics. The most popular example of this currently is computer game development. There are certainly some strong computing-based issues in game development, focused on high-performance graphics, algorithms, and data structures, but there are also components of game design that have more to do with art or storytelling than with technology. While many computer science students go on to develop games, and computer science gives a great background for the technology side of things, other students will prefer a program with a more conscious gaming focus, like RIT’s bachelor’s program in Game Design and Development, or a computer science program with a track or certification in game development, like UNCC’s Undergraduate Certificate in Game Design.

Schools, universities, and degrees

For people who have completed high school, the range of learning options is broader than most people realize, and can be a little overwhelming when you’re looking for the best path for you. Someone fresh out of high school can consider a major in a computing field and really focus on computing and technology. Or if your interest is in another area but you want to use cutting-edge technology to do interesting things in that field, you can consider a minor in computer science. For example, if you are interested in genetics and want to look at technological innovations in that field, you could consider a biology major with a computer science minor. The best path for some people is an IT-focused associate’s degree from a community college. Some community colleges offer faster-paced and more intensive vocational programs such as the one-semester Web Development Certificate from GTCC. Finally, there are a lot of options for privately-run training or technology “boot camps” that have a scope similar to the one-semester community college program but offer more intensive one-on-one support (but charge significantly more for that benefit).

How do you choose? This is a tough question, and the answer depends not only on what you want to do afterwards but also on your personality and approach to learning. Do you want a fast-track to an IT career? Then the community college or private training program might be right for you. Do you have four years to devote to developing a depth of knowledge not only in your desired career field but also other areas of study or interest? Then you want a four year college. Still not sure? Then visit schools and see what you think — talk to faculty and talk to current students and see what the environment is like. If you’re looking at a four-year program rather than a fast track to career training, then consider the college experience as well as the knowledge you’ll gain.

Disciplines

Degrees and areas of study at colleges are generally divided into different fields, or disciplines. Below are the five most common computing-focused disciplines, with a brief description of each.

  • Computer Science: The science of computing. The goal of Computer Science is to understand the fundamental nature of computing, and like any science there are both basic science and applied science components. The fundamental questions are not tied to any particular technology, and sometimes not even to technology at all. Understanding computing requires a lot of skill in analysis and logic, and so there is a strong mathematics component in computer science. People who study computer science are uniquely qualified to use their knowledge of computing to create new technologies, and are often the people who make the new inventions that are used in the other disciplines listed below. People skilled in computer science create and optimize the database systems that people in information systems use. They design the operating systems, programming languages, and software tools that computer engineers use when building new devices. They invent the technologies that people in information technology use and install. They use their computing knowledge to analyze and make sense out of data generated in many settings, from biology (bioinformatics) to humanities (digital humanities) to healthcare (health informatics) to business (business analytics). As the most fundamental of the computing fields, most colleges and universities will offer a major in computer science — for example, 15 of the 16 universities in the UNC system offer a bachelor’s degree in computer science (all but the UNC School of the Arts).

  • Information Systems: Applying technology and information systems to support business operations for a company or other organization. Information systems sometimes goes by the name of Computer Information Systems (CIS) or Management Information Systems (MIS). The goal of Information Systems is to effectively use technology to support businesses and organizations. Because of the close ties to business objectives, university information systems programs are typically offered through a business school. An IS professional might work on managing the systems that keep track of a company’s customers or prospects, managing “enterprise systems” that track finances or personnel or purchasing, or working with reporting systems that extract data from databases for business executives to understand. A student studying information systems is going to take classes on basic business and finance topics in addition to some technology and simple programming classes. Due to their role in supporting a business, IS professionals usually work closely with management and must be able to communicate about technical issues clearly with non-technical people. Information systems programs are not as common or widespread as computer science programs, and only 6 of the 16 universities in the UNC system offer a bachelor’s degree in information systems.

  • Computer Engineering: Design of computing devices and systems. The goal of computer engineering is to build computing-based systems, which might include everything from cellphones to the microprocessor-based controller in a microwave oven. Computer engineering students typically study a balanced combination of hardware (electronics) and software topics, looking particularly at low-level device functioning. For example, in a smartphone a computer engineer would likely develop the hardware and software to run the cellular radio or wifi radio, but generally would not develop higher-level apps (which would generally be done by someone with a computer science background). Computer engineering programs are offered by universities that have a college of engineering, and so a student who wants to pursue computer engineering must pick their school carefully. Only 3 of the 16 universities in the UNC system offer a bachelor’s degree in computer engineering.

  • Information Technology: Installing and maintaining technology. The goal of information technology (IT) is to support the technology used throughout a business or organization. Traditionally, information technology has been taught at community colleges and vocational programs, and IT professionals often rely heavily on industry-based certifications. Some IT professionals are self-trained with credentials entirely through industry certifications. Within the past decade, some universities have started offering information technology degree programs, for students who want to pair an IT focus with a general four year college experience. Currently, 4 universities in the UNC system offer a bachelor’s degree in information technology.

  • Software Engineering: Managing the process of software development. Software engineering focuses on operation and management of large software development projects, considering everything from technical tools to team and project management. Almost all undergraduate computer science programs will include at least one course in software engineering, but undergraduate programs focused on software engineering are rare. In fact, none of the universities in the UNC system offer a bachelor’s degree in software engineering. Software engineering is more often studied at the graduate level, typically following an undergraduate degree in computer science. One university in the UNC system (ECU) offers a master’s degree in software engineering, and NC State offers a software engineering track in their computer science master’s program.

Finally, let me add a few words on the philosophy behind the most popular two fields. At my university (like many others), computer science is situated in the College of Arts and Sciences, and information systems is in the School of Business. In a way those are just labels, but these two different units at the university really do have different ways of approaching their fields. In the College of Arts and Sciences, the approach is generally knowledge-driven, focused on developing and expanding understanding about fundamental issues. Obviously (or at least we hope), understanding underlying truths will help students tackle challenging problems in a work setting, but the career questions are not what drive the field. By contrast, the School of Business is one of the university’s professional schools, and professional programs are driven by needs of careers rather than fundamental questions and curiosity. Due to that focus, students in professional programs are typically well-prepared for the specific careers that are the focus of their studies. Students in science programs are prepared in a more general way and can apply that knowledge in a broader and more flexible way, but the cost of this is that they may require some additional work learning how to apply their broad knowledge to a specific career.

Further Reading and Information on Linked Resources

There’s a lot of information available for people interested in computing careers and computing education or training. An excellent starting point, which goes into more depth than I have here, is the Association for Computing Machinery’s Computing Degrees and Careers website.

In addition, there are several great resources that talk about how computer science and computing affects so much in the world around us, including a National Science Foundation video “Computer Science can change the world” and a Wired article “How Computers are Changing the Way We Explain the World.” Finally, if you want to really dive into how computing is adding value to scientific discovery, you can read the Computing Research Association’s paper “Accelerating Science: A Computing Research Agenda.”

Monday, June 13, 2016

Into the Breach — the Password Breach

It seems like there is a “news stories about password stealing” season, where story after story after story comes out in the news about some web site with a zillion passwords being stolen, and we’re deep in that season now. Within the past few weeks we have heard about the attempted sale of 117 million LinkedIn passwords, the discovery of the compromise of over 360 million user records and passwords from Myspace, and the black-market marketing of 65 million Tumblr account records. In a previous interest surge a year and a half ago, I even helped with a story on the local FOX-8 news on password and email security.

Do you know what it means when a web site has “user records” compromised or when a password database is stolen? The point of this posting is to explain the most common way that systems handle passwords, something you may have never really thought about. Once we’ve seen how passwords are handled, we’ll get to some basic tips on how to protect yourself from password breaches like those in the previous paragraph.

Anatomy of a web site

To talk about how passwords are handled, let’s establish a shared mental picture of how people interact with web sites. Not every interaction works exactly this way, but it’s good enough for our discussion. Here’s the picture:

You, as the user, interact with the web server through your browser, which sends information and requests to the web server by way of the mysterious Internet. The web server then processes the user’s requests, retrieving information from the database as necessary to process the request. Note that database requests can only come from the web server, and the “as necessary” part in that last sentence is important. The database contains all of the data for the web site, for all users, so is the “crown jewel” for anyone attacking the web site; therefore, a goal of many hackers is to trick the web server into making requests that are broader than necessary.

When you are logging in, what is the information necessary to process the login request? You send your user name and password to the web server, and the web server creates a request for the database server that says something along the lines of “Give me the user record for this user name.” The user record includes information about your password so that the web server can determine whether you provided the correct password, and ideally only the “necessary” information of whether you provided correct login credentials should be revealed. Unfortunately, many web sites are not implemented correctly, and attackers can find some clever way of tricking the web server into providing more information than the system designer intended. For example, what if the attacker could trick the web server into retrieving all user records instead of just the one for the entered user name? A common attack known as SQL Injection can do just this, and is at the heart of most of the password compromises we’re seeing in the news.
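The login lookup described above, as an added example (not code from any of the sites mentioned): the same "give me the user record for this user name" request built two ways, by pasting the name into the query text and by passing it as a bound parameter. The table, column names, sample rows and the test input are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory user table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_record TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "record-a"), ("bob", "record-b"), ("carol", "record-c")],
    )
    return db


def lookup_vulnerable(db, name):
    """BAD: the user name becomes part of the SQL text itself.

    Whatever the user typed is parsed as SQL, so quote characters in the
    input can change which rows the WHERE clause matches.
    """
    query = "SELECT name, pw_record FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """GOOD: the query text is fixed and the name is sent as data only.

    The driver never parses the name as SQL, so the request can match at
    most the one row whose name equals the input exactly.
    """
    query = "SELECT name, pw_record FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing quote characters.
    odd_name = "x' OR '1'='1"

    print("normal lookup     :", lookup_parameterized(db, "alice"))
    print("vulnerable lookup :", len(lookup_vulnerable(db, odd_name)), "rows returned")
    print("parameterized     :", len(lookup_parameterized(db, odd_name)), "rows returned")
```

The concatenated version returns every row in the table for the constructed input, which is the "broader than necessary" request the post describes. The parameterized version returns nothing, because no user has that literal name.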

What information is in each user record? Does it contain each user’s actual password so that it can compare with what the user sent? While that may be the obvious answer, it’s not true except for really, really poorly designed web sites (more on this below). There’s a reason why I said the user record contains “information about your password” rather than “your password.” The password is typically run through some complex but repeatable transformation before it is stored in the database. Then when you try to log in, the web server takes the password you send and runs it through that same transformation, which is compared to the transformed password in the database. That way, the web site can tell whether you typed the correct password without keeping a copy of your actual password. What does the transformed version look like? Here’s what is stored in the database when the password “password” is run through a standard transformation named bcrypt:

    $2y$05$8G/CcpCKMc4x8MS8DNf6WezoEk/hi/meeLXJUa6tY0HxUkyKmJb/u

This transformation should satisfy certain properties, and to understand those we need to consider what happens if an attacker steals user records with the transformed passwords. What can they do?

First consider the possibility that an attacker can somehow reverse the computation that produced the transformed value, figuring out the password from the transformed version. For example, here’s a (bad) transformation for numerical PINs: take the PIN and add 6315 to it, so a PIN of 1234 is stored as 7549 (that’s 6315+1234). While 7549 looks very different from the PIN, so the PIN seems hidden at first glance, the computation is easily reversible by subtracting 6315 from it to get 1234. For this reason, we want the transformation to be one-way, meaning that it’s not feasible to reverse the transformation and figure out the password that way. While addition is reversible (using subtraction) and multiplication is reversible (using division), there are specially-designed operations called cryptographic hash functions that are not easily reversible.

Next, what if the attacker could just take big lists of common passwords and put them in a big table so they can quickly look them up later like in a dictionary (this is called a "lookup table")? The attacker would then know that whenever she sees “2JyhZl6yG5alFg7I8/vfMqRKUvjRkNn/MrY” (for example), the password is “secret.” If you could calculate 10 of these transformed values per second, then in a month (about 2.5 million seconds) you could make a lookup table containing transformed values for each of the 25 million most common passwords. Then when the attacker steals a bunch of user records containing transformed passwords, looking up stolen values in this table would be very fast, and would probably be very successful. For this reason, a good password transformation is salted — an odd technical term that basically means that the transformation uses some random value (the “salt”) that it stores with the transformed value. Each user’s transformed password will use a different salt, and the attacker can’t know the salts until after the user database is stolen, which means that the attacker can’t precompute the lookup table. In addition, since each stored password on a system uses a different salt, the attacker can’t even work on more than one user’s entry at a time — testing “secret” as a possibility for 1000 users’ passwords now takes 1000 different computations, since each user’s password is transformed with a different salt.

Finally, consider the time it takes to compute the transformation. It should be somewhat quick (you don’t want it to be so slow that it makes users wait to log in) but not too quick. Why not too quick? What we described in the previous paragraph is called a “brute force attack,” where the attacker tries password after password after password. The one-way cryptographic hash functions mentioned above are actually designed to be very fast, and a popular one called “SHA-256” takes less than a microsecond (a millionth of a second) to process one 16-character password. That means that a brute force attack can test out a million different passwords every second, which is bad if you want to make things hard for attackers! Therefore, good password transformations are slower than that, taking say one tenth of a second for the transformation. Now it would take the attacker 100,000 seconds (a little over a day) to test a million possible passwords, and it would take over 3 years to test a billion possibilities for a single user.
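The three properties above (one-way, salted, deliberately slow) put together, as an added example that is not from the original post. It uses PBKDF2 from Python's standard library in place of bcrypt, which is not in the standard library. The record layout, the iteration count and the helper names are assumptions made for illustration, and the only value taken from the post is the bcrypt string.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: tune so one call is deliberately slow
PAGE_BCRYPT = "$2y$05$8G/CcpCKMc4x8MS8DNf6WezoEk/hi/meeLXJUa6tY0HxUkyKmJb/u"


def fast_unsalted(password):
    """A fast, unsalted hash: one-way, but identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(common_passwords):
    """The precomputed table from the post: transformed value -> password."""
    return {fast_unsalted(p): p for p in common_passwords}


def make_record(password):
    """Salted, slow transformation; the salt is stored next to the result."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Re-run the same transformation with the stored salt and compare."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def parse_bcrypt(stored):
    """Split a bcrypt string into its fields: version, cost, salt, hash.

    The cost is a base-2 logarithm of the work factor, the salt is the
    first 22 characters after the cost, and the hash is the remaining 31.
    """
    _empty, version, cost, rest = stored.split("$")
    return {"version": version, "cost": int(cost),
            "salt": rest[:22], "hash": rest[22:]}


if __name__ == "__main__":
    table = build_lookup_table(["password", "secret", "123456"])
    print("unsalted hit :", table.get(fast_unsalted("secret")))

    # Two users pick the same password; their stored records still differ.
    alice, bob = make_record("secret"), make_record("secret")
    print("records equal:", alice == bob)
    print("table hit    :", table.get(alice.split("$")[3]))
    print("login ok     :", verify("secret", alice), verify("Secret", alice))
    print("bcrypt fields:", parse_bcrypt(PAGE_BCRYPT))
```

Parsing the bcrypt string from the post shows that the salt and the cost setting travel inside the stored value, which is why the server can repeat the transformation at login without keeping the password.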

How does this affect me?

So about now you’re saying “how does any of that affect me?” Let’s consider how this knowledge can help you understand whether the web site you’re using is secure, and how you should pick a password.

Since you now know that any well-designed web site will keep passwords that have been transformed by a one-way function, any web site that can tell you what your password is must be ignoring standard security practices. For example, most web sites have a “forgot password” link you can click, and if this emails your password to you then it’s a big red flag that the web site is not handling your information properly. A properly-designed and run web site will email you a link so that you can reset your password (probably after answering some security questions), since the web site has no way of knowing what your current password is!

Also consider the complexity of your password. A lot of web sites will force you to pick a password that is a combination of letters and numbers, and maybe some symbols as well. That’s all to slow down the brute force attacks that were described above. What if you just picked an actual English word to be your password? There are a little under 100,000 English words (omitting the really obscure ones), so the brute force attack described above (trying 10 passwords per second) could test all of these in 10,000 seconds, or about 3 hours. Your password should definitely not be a word! On the other hand, if your password were 8 randomly chosen letters, then there would be 26^8 (that’s 26 to the 8th power) possible passwords, or about 209 billion possible passwords. At 10 per second, testing all of those would take about… oh, let’s see…. 6,600 years. Random passwords are very secure! We have two extremes now: a meaningful, easy to remember password (an English word) that is insecure, versus a random, hard to remember password that is very secure. This is why you mix in numbers and symbols to a meaningful password: that can make it difficult to find in a brute force search, but meaningful enough for you to remember.

Some ways to protect yourself.

The first thing to do when considering how to protect yourself is to be paranoid and assume that the user records will be stolen from any web site that you use. Some may in fact be fairly secure, but even some sites run by very smart and professional people get compromised. Furthermore, there’s really nothing you can do about the security of the web server, so concentrate on what you can do to protect yourself. Here are some tips:

  • Pick complex, hard-to-guess passwords. As explained above, this slows down brute force attacks and can make it so that even if a hacker steals the database with your transformed password, they won’t be able to find your password in a reasonable amount of time. Don’t use words, and don’t just stick “123” on the end of an English word. Pick a longer phrase and use the initial letter of each word, or turn some words into numbers. For example, “Ally Sheedy was great in the Breakfast Club” might turn into “ASwgr8itBC.” That’s 10 characters long, contains upper and lower case letters as well as a number, won’t appear in any dictionary, and is easy to remember (assuming the phrase is meaningful to you).

  • Use different passwords for different web sites. Again, assume that someone is going to get your password, and further assume that the web site doesn’t properly transform stored passwords like we described above. Then the attacker knows your actual password. That might not be a problem if the password is for a discussion forum for navel lint collectors (which may not be very well protected!), but if you use the same password for your bank then the attacker learns your valuable password by breaking into a poorly-protected but low-value web site. At the very least, use different passwords for important web sites that deal with financial information.

  • Use two-factor authentication. This is hard to describe in a quick bullet point, and might be better as a separate blog post, but the basic idea is this: set up your important accounts or web sites so that they require multiple ways to check your identity. For example, you can set up GMail to require a 6-digit code that is texted to you in addition to your password. For easier use, you can have Google remember your trusted systems (your laptop, home computer, phone, etc.) so that you don’t have to enter the code on every log in. But if some hacker in China steals your password from the web site, they still won’t be able to log in from their computer since they don’t have access to your phone and text messages with the secret code.

The bottom line is that you can secure your accounts very well, if you take a little time to follow these tips. Protect yourself!

Wednesday, May 18, 2016

On Security, Privacy, and Backdoors

To start off this blog, I will take a look at a topical example of technology intersecting with the everyday world: the recently-proposed Burr-Feinstein Compliance with Court Orders Act of 2016, which has been variously called the “anti-encryption bill,” the “backdoor bill,” and various other names (some not printable in this family-friendly forum!). Ramping up the relevance to me is that Richard Burr, one of the sponsors of this bill, is my senator from North Carolina. Burr and Feinstein proposed this bill as a response to the Apple/FBI argument over breaking into the iPhone of one of the San Bernardino shooters, and the question I’ll look at here is whether this bill matches up with how technology works. To skip to the punch line, from a technical standpoint this bill is about as high on the clueless scale as you can get.

A wide array of technical experts, writers, and pundits have rightly slammed this bill, from Bruce Schneier, a highly prominent security researcher and writer who observed that “The person who wrote this either has no idea how technology works or just doesn’t care,” to Julian Sanchez of the Cato Institute, who wins extra points from me for using an Inigo Montoya meme from The Princess Bride in one of his excellent pieces. Looking at various people’s objections, some are philosophical and some are technical. I’m not sure I can add anything new to the conversation at this point, but I hope that highlighting a few issues will benefit anyone who comes across this article. I will focus on technical aspects of the proposed bill, and leave the philosophical questions of whether the intentions behind it are reasonable to another time. The two main technical questions are “Can legislation effectively control a technology like encryption?” and “If commonly-used products are forced to comply with this proposed law, will we be more secure or less secure?” Unfortunately, the answers that pretty much every technical expert agrees on are “no, it’s impossible to control encryption” and “this would make us less secure.”

What does the bill say?

Before seeing what is in the bill, let’s look at the name: the Compliance with Court Orders Act of 2016. Wow, what a great idea! People should have to comply with court orders, once the judicial system arrives at a definitive decision (including resolution of any reasonable appeals or challenges). Rule of law! Apple pie! (But not the technology Apple, who Feinstein doesn’t seem to like very much.) But, of course, people already have to comply with court orders — it’s a “court order” after all, not a “court suggestion,” and that’s what the whole contempt of court thing is about, and many people learn the hard way that yes, Virginia, you really do need to obey the court. While hiding behind an apple pie title, what the bill is really about is forcing companies to design their products so that courts can ask for certain things that they might not otherwise be able to ask for.

So what does the bill mandate? It says that any provider of “communication services and products (including software)” must, upon receiving a court order for information or data, “provide such information or data to such government in an intelligible format.” This then presupposes that any such technology must be capable of providing information in an intelligible format. Specifically, Apple must design the iPhone in such a way that they are able to decrypt your communications, so that in the future they can respond to such requests from a court. Simply put, no one can provide you with a tool that the provider can’t break.

The bill is essentially requiring a backdoor in communication products: a way that someone who is not involved in the communication can get access to the content of the conversation. The “front door” for access is what the communication participants use: an account password, phone PIN, decryption key — things that the legitimate user uses. A “backdoor” then is a way for someone else to get access without going through the accepted and visible controls of the front door — you’re sneaking in and around other security measures. That’s what this bill mandates.

Now let’s look at the two main technical issues.

Why legislation can’t control encryption

Non-technical people sometimes think encryption is some highly complex magical incantation that only a privileged few can put into products. Here’s a secret: That’s just not true — some strong encryption algorithms are in fact outrageously simple, using basic math (sure, maybe not math that you use every day, but drop-dead simple for any mathematician). Consider the RSA algorithm, which is widely used in very security-sensitive situations. Don’t take my word for it though, use Firefox to go to https://www.bankofamerica.com (to pick a random example), click on the green padlock indicating a secure connection, drill down into “Bank of America Corporation” and then the “More Information” button. Under “Technical Details” you’ll see something like this:

HTTPS Technical Details

See the “RSA” in there? That’s one of the algorithms that is keeping the information of banking customers safe, and it is in fact a very secure algorithm given appropriately-sized encryption keys. So what sort of wizardry is this? Surely this is a horribly complex use of tricky mathematics that no one would be able to do without purchasing a special product, right? Here’s the RSA encryption algorithm, written in Python, a popular programming language:

    ciphertext = pow(plaintext, 65537, modulus)

Yes, that’s the whole, entire thing. Of course, you have to encode your message (the plaintext) as a number, but everything in a computer is a number anyway, so that’s basically done for you. And you have to pick an appropriate modulus, which is a little trickier, but not much. In fact, going back to the “More Information” window for Bank of America, click on “View Certificate” and then the “Details” tab, and finally click on “Subject’s Public Key.” That should show you the modulus that is Bank of America’s key. If I create a number like that and don’t let you (or the FBI or anyone else) know what the prime factorization of the number is, you won’t be able to break this encryption. It’s backdoor-free and completely immune to any court order.

The code above doesn’t use anything written specifically for cryptography. “pow” performs a basic mathematical operation called modular powering that doesn’t necessarily have anything at all to do with encryption. Every math major learns about this in an undergraduate abstract algebra class, and it’s probably safe to say that there are people in every country on Earth (including Syria, North Korea, and China) that could use this to make a secure encryption system in short order. Al Qaeda has been using its own encryption software called “Mujahideen Secrets” for over a decade. For some odd reason, I don’t believe that Al Qaeda will change their behavior and use products that provide access to “intelligible information” because the Burr-Feinstein bill told them to. So much for this bill foiling the terrorists.
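The one-line encryption shown earlier, carried through a full round trip, as an added example that is not the post's own code: picking a modulus from two random primes, encoding a message as a number, encrypting with `pow`, and decrypting with the private exponent that only the holder of the prime factorization can compute. Function names and key sizes are assumptions. This is textbook RSA without padding, so it is deterministic, whereas deployed systems wrap it in a padding scheme such as OAEP.

```python
import secrets

E = 65537  # the public exponent from the post's one-liner


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def random_prime(bits):
    """Random prime with the top two bits set, compatible with exponent E."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        # E is prime, so gcd(E, c - 1) == 1 exactly when c % E != 1.
        if c % E != 1 and is_probable_prime(c):
            return c


def make_keypair(bits=2048):
    """Return (modulus, private_exponent). The primes are the secret."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    modulus = p * q
    private_exponent = pow(E, -1, (p - 1) * (q - 1))  # needs Python 3.8+
    return modulus, private_exponent


def encrypt(message, modulus):
    """Encode bytes as one integer, then apply the post's one-liner."""
    plaintext = int.from_bytes(message, "big")
    if plaintext >= modulus:
        raise ValueError("message too long for this modulus")
    return pow(plaintext, E, modulus)


def decrypt(ciphertext, private_exponent, modulus):
    """Undo the encryption; leading zero bytes of the message are not kept."""
    plaintext = pow(ciphertext, private_exponent, modulus)
    return plaintext.to_bytes((plaintext.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    modulus, private_exponent = make_keypair()
    ciphertext = encrypt(b"meet me at noon", modulus)
    print("modulus bits:", modulus.bit_length())
    print("ciphertext  :", hex(ciphertext)[:34] + "...")
    print("decrypted   :", decrypt(ciphertext, private_exponent, modulus))
```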

Of course, the U.S. doesn’t control the world’s technology, and you don’t have to use terrorist-produced software to use secure communication technology. This law (or any other law) can do nothing to stop that. Bruce Schneier recently made a list of 546 non-U.S. encryption products, produced in 54 different countries. None of those products would be subject to any U.S. backdoor requirements, and it would be impossible to stop a U.S. citizen (or anyone else) from using these unrestricted products. Unless the enforcers monitor every single Internet communication, police-state style, it would be impossible to tell if someone were installing or using one of these products.

We’ve actually been through very similar arguments, back in the 1990s. Back then, the government tightly controlled the export of encryption technologies, including software. When you downloaded a web browser, like Netscape, you selected either the “U.S.-only” version or the “International” version, where the International version used weakened cryptography (trivial to crack with 2016 technology, and only slightly less difficult to crack 20 years ago). Eventually sanity prevailed — people pointed out the absurdity of restricting the export of cryptography, when anyone in the world could download very secure encryption software from a server in Finland or some other country. One of the more interesting protests at that time was the “munitions T-shirt,” a T-shirt that included an implementation of the RSA algorithm on it, with the warning message that “This shirt is classified as a munition and may not be exported from the United States, or shown to a foreign national.” In the end, the argument that probably carried the day with politicians in Washington was that U.S. companies were losing business, because foreign countries could provide (and were providing) technology that U.S. companies were restricted from providing. The U.S. was going to lose out on the economic boom of the digital economy, and there wouldn’t even be any security gain because people were obtaining secure products anyway — from foreign companies. All of those arguments are just as valid today as they were 20 years ago, but somehow there are politicians who still think restrictions are a sensible idea.

Why backdoors make us less secure

Finally, consider a world in which this law is in place in the U.S., and for some reason people keep using U.S. technologies. If the technology includes a way for someone to get an “intelligible” version of encrypted communication, there must be some secret information that enables someone to perform this task. How long would such a secret remain secret? There has been speculation that law enforcement and intelligence agencies could submit thousands of decryption requests to Apple every year, which would mean multiple requests every day. How many people would need access to the secret in order to handle these requests? How secure would the integrity of the requests be? Other technologies that similarly rely on secure chains of trust do not inspire trust.

Further consider that if it is possible for the U.S. government to compel a technology provider to decrypt private communications, then it is also possible for any government in any country in which they do business to similarly compel this decryption. The U.S. law would put in big bold letters to the world that “we have the technology to break the security of this product.” Even if you trust the U.S. government to only use this power to protect the physical safety of U.S. citizens, there are clearly governments that would use this power to crack down on political dissidents or others that pose a danger not to people but to their regime.

Technological backdoors can’t distinguish who is using them. As far as the technology is concerned, the backdoor will work the same for a good government, a tyrannical government, or a criminal who discovers the secret to the backdoor. The FBI’s eventual cracking of the San Bernardino iPhone, without Apple’s help, is disturbing for this same reason: As far as the technology is concerned, there’s no difference between the FBI being able to do this and a criminal being able to do it. A weakness is a weakness is a weakness. And once you weaken a product by including a backdoor, it’s just waiting to be exploited.

Conclusions

The bottom line here is that this law attempts to do something that is impossible, and passage of the law would make everyone less secure. There is simply no way to make a technology that allows just the “good guys” to break the technology of just the “bad guys,” since technology has no notion whatsoever of “good” vs. “bad.”

I want technology companies to focus on securing their products, and not thinking about how to weaken that security in certain situations. Providing strong security is a hard enough technological problem to solve, without having to do it with one hand tied behind your back.

I think I can, I think I can, I think I can, ...

I am tempted to call this my “blog 2.0,” since I started working on a blog a few years ago and then killed it off when I just didn’t get around to finishing more than a few posts. However, if you include all the times where I started planning a blog in my head, this would be more like my “blog 15.0.” All this takes is a little discipline, right? I think I can, I think I can, I think I can, …

Why blog? Like most academics, I love to explain things. Taking a complex concept, breaking it down, and structuring it so that it is more understandable really is a great joy. There’s beauty in finding a great explanation, and (again like most academics) I like to tell myself that I’m fairly good at it.

So what will I write about? I am an academic with a “Computer Science Mind,” both of which influence the way I view the world. I am interested in how technology affects the world (and it touches almost everything these days), how people understand computing and technology, how people learn, how our education system works (or doesn’t work sometimes), how scientists work (computer scientists in particular), and more. Basically if it has to do with computing and thinking and learning, it interests me, and my background gives me what I hope are valuable insights into these topics.

I will try to write something every couple of weeks on a topic that I find interesting. If you find something interesting here, leave a comment or send me a note!