30 September 2021

21F Week 3. The Battle for Our Digital Rights

FOCUS TALK:

Susan Nulsen's professional interests are physics and language. She is very lucky to have been paid to work in subjects which interested her! After nine years of experimental solid state physics research she moved onto speech science research and somehow acquired a PhD in Computer Science on the way. After a detour into the study of welding as a research fellow in mechanical engineering and a period of unemployment following her move to this country she is now employed in astrophysics using the Pleiades supercomputer of NASA's Advanced Supercomputing Division to model the merging of galaxies. (It is named after the Seven Sisters constellation, which is a loose cluster of hundreds of stars, just as the supercomputer is a cluster of hundreds of processors.)

Her hobbies are WomenExplore and painting. Except for her husband, her much loved family, including her 17 month old grandson she has never met, is now inaccessible in Australia.

                                    ********************

Hello.

I always avoid telling people that I have a PhD in Computer Science because it might give them the mistaken impression that I know any more about computers than they do. My PhD research was studying spoken language. Computers were merely the tool I used to that end. All the same I have a long history of playing with programming computers as a pastime – I wrote my first computer program in 1969 when I was in high school and we have had a family computer since 1983, although we weren't connected to the internet until the 90s when we had a dedicated phone line.

In this talk I feel that I am speaking for everyone.

Society has become evermore dependent on computers and networks to handle all of our data. Nowadays, except perhaps for a handwritten journal, most of our new data exists in digital format. Many people even keep their shopping lists on their phones. As computers became more common so did hackers, viruses and other malware.

It has become a battle between those trying to attack our computers to gain access to people's private data and those trying to keep the data safe. Passwords are one way to help maintain privacy. Initially I was taught not to use dictionary words in my passwords and instead use a complex mixture of letters, numbers and special characters. This was because a hacker could scan through all the words in the dictionary to find a match to a password. Now that computers are much more powerful, we are taught that that is not good enough. We should use very long “pass phrases” which may include some numbers or other characters. In many cases we also need to back that up with “dual factor authentication”. For example, to fill out my time sheet, once I have logged in to a virtual private network, I need to sign in with a long password and then receive a notification on my phone to check my identity by facial recognition. I just have to confirm with one click that I am indeed the one trying to sign in.

To get to the Pleiades supercomputer it is even more complicated. When I request access I sign in with a long “pass phrase”. Then I enter an eight digit pin number into an app on my phone and am given an eight digit token, only valid for 30 seconds at most, to enter into my computer. The fourth and final “password” is my NASA one. This must be changed every couple of months. A new password cannot be very similar to the previous one, and it cannot be identical to any of the previous twelve passwords.

Like most of you, I imagine, I have hundreds of passwords. Because I don't trust storing them in electronic format I have written them, in pencil so that I can change them, on a sheet of card. Unfortunately it has become rather full and I will need to make another one soon.

Since I started work at the Center for Astrophysics I have had to do an annual training course on Computer Security Awareness. This mainly warns us of the different ways bad actors can gain access to private digital information. Sad to say, I have encountered many of these ways in real life. 

In April last year I received an email, sent to my old email address which I no longer use, with one of my very old weak passwords as the subject heading. It was a blackmail attempt. The sender claimed to have complete access to my computer – which was where, they said, they had obtained the password – and to have made a pornographic recording of me through my computer camera. Fortunately I knew that the most pornographic thing they could have seen was me in my very staid nightgown, and that password was not anywhere on the computer. They wanted me to deposit a couple of thousand in bitcoin in the bitcoin account given or they would distribute the video to my contacts. 

I changed the password to something a bit stronger, covered my camera with a piece of post-it note when I wasn't using it, and otherwise ignored the email. In the next few days I received three more almost identical emails, with different bitcoin accounts, from three different people, and two more blank ones in the next couple of weeks. I don't know what those last two were trying to achieve – saying “I know your password” to prime me for something further? I have no idea where they all got the password and my email address from. Perhaps someone is selling a list of them with accompanying blackmail letters.

The next story involves my mother. She was living on a farm far from any cable so her internet connection was via satellite. She had some problems so she phoned her internet provider and eventually a serviceman came out and fixed them. All was well and good, until the next day when she received a phone call from another man who said that there were a few things that still needed to be fixed on her computer before her connection was fully operational. He guided her through installing some software requiring her name and phone number, which she supplied. (He already had those, in any case.) It was when he made the mistake of asking her for her bank account details that my mother realized he was not who he claimed to be, and she ended the call and shut down her computer. A friend took the computer into town where the local computer repairman was able to remove a number of items of malware. So any harm was narrowly averted.

I belong to a Harvard Spouses group called HSSPA. One day I received an urgent email from one of the organizers of this group. She said she needed $200 worth of gift cards, asking me to purchase them immediately and email back the numbers on the cards. I got in touch with her via a Facebook message, since I didn't have her phone number to ask about this. Of course it was a scam and she was able to let others on her email address list know that was the case.

More recently I received a text message from Fedex on my phone. It warned me that a gift package was on its way to me and sent a link so that I could track the package. I was suspicious so I googled the text message and was taken to the Consumer Information site of the Federal Trade Commission (https://www.consumer.ftc.gov/blog/2020/02/text-message-about-your-fedex-package-really-scam) where this and other similar scams were described with Fedex and other delivery services, including even the US Postal Service. The advice is, if you think it might be legitimate contact the company using a website or phone number that you know is real. Otherwise you could just delete it. I have also noticed some similar emails apparently from Amazon in my spam folder. I have deleted all of those. I use gmail and I must say that I find it does quite a good, but not perfect, job of recognizing spam.

However I am not immune to malware. In this story I failed to do the right thing and infected my computer. I had been using Adobe Acrobat Reader for many years to read pdfs. When a pop-up appeared on my computer telling me I needed to update it I clicked on the button and downloaded … some malware. My computer then became almost unusable. In my usual fashion I googled what to do and found an Apple Support Community that recommended I scan my computer with some free software called EtreCheck (https://etrecheck.com). This produced a report identifying two groups of malware. I was able to delete these and rerun EtreCheck until my computer was clean. The EtreCheck reports are designed to provide the Support Communities with the information they need to solve your problem. Alternatively you could pay EtreSoft, the very small Canadian company which makes EtreCheck, $18 for an extension which will do the deleting for you. I have had no problem with my computer since. In a final twist, while I was writing this talk I discovered that VirusTotal.com, an anti-malware company recently bought by Google, claims that EtreCheck itself is infected with malware. It is impossible to know who can be trusted! 

More and more things are made to include computers these days from your car to your fridge. There is an arms race between malware and the rest of us who are all users of computers in one form or another. It is indeed a “battle for digital rights”.

So far all my examples are cases of malware where data about me, or my mother, was obtained illegally for the purpose of extorting money or obtaining further data that can be used to obtain money. However, frequently when you download a new app or an upgrade to your phone or your computer you are asked to supply a lot of information that is unnecessary for what you want. I recently had to supply my birthdate to Apple. It was a required field and the format was checked to ensure it was a valid date. If I needed to be over 18 or over 21 I could just as well have ticked a box. Alternatively I could have supplied a fake date. I don't like lying, but I don't like handing out my information unnecessarily. This reminds me of my Facebook account. When I joined many years ago I gave a birthdate that would have made me a hundred years old at the time. Recently I realized that I was now well on my way to becoming the oldest person in the world, so I changed the birthdate in my Facebook profile to another fake date making me younger than my real age. No problem. Except that when I had finished I got a message saying that I was only allowed to change my age three times! You don't know where all the information you are coerced into supplying ultimately ends up.

A couple of days ago I was required to upgrade the operating system on my phone. Usually I just accept the license agreement without reading it because I have no option if I want to continue to use my phone. However, because of this talk I decided to read it through. I gave up after two hours. I was near the end and just scanned through the remainder. It is very dense and difficult to read. One thing that is clear is that I do not own any of the Apple software on my phone – I am only using it under license – I guess that it is a “license agreement” after all. I am only allowed to make one other copy as a backup. This seems to mean I could not save a map from the Apple Maps app in a file to use when I am not connected to the internet. In other words it limits the usefulness of the maps.

Some of the language, like the sentence from the middle of a paragraph that reads “Unpublished-rights reserved under the copyright laws of the United States.”, just didn't make sense. This doesn't even look like a sentence to me. Maybe you could add the word “are” so that it reads “Unpublished-rights are reserved under the copyright laws of the United States.” I still don't know what it means but at least it looks like a sentence. At another place where it is talking about ID cards it says “… presentment may vary by state or location”. “Presentment” didn't look like an English word to me. I was wrong: “A presentment is the act of presenting to an authority a formal statement of a matter to be dealt with” or it is “a formal presentation of information to a court, especially by a sworn jury, regarding an offense or other matter”. I would say that the word was meant to be “presentation”. These two cases, and I am sure much more of the agreement, look like the work of some lazy lawyers.

No company should be allowed to collect more information than they need to provide the service they are offering and they should not be able to use the necessary information for any other purpose. All people should be allowed to use digital devices without being spammed by advertising or scams trying to harvest their data and ultimately part them from their money.

The lockdowns and isolation covid required have highlighted the essential nature of access to high speed internet and phone service and that it has become a human right. Just as we expect to be able to use the roads in our neighborhood without paying we should expect the internet to be free and safe.

I hope politicians at all levels from our local councillors on upwards will now be motivated to work towards this end. 

That is all I have to say for now. Thank you for listening.

                                    **********************

MAIN LECTURE:

Josephine Wolff is an associate professor of cybersecurity policy and has been associated with The Fletcher School at Tufts University since 2009. Her research interests include international Internet governance, cyber-insurance, security responsibilities and liability of online intermediaries, government-funded programs for cybersecurity education and workforce development, and the legal, political, and economic consequences of cybersecurity incidents. Her book "You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches" was published by MIT Press in 2018. Her writing on cybersecurity has also appeared in Slate, The New York Times, The Washington Post, The Atlantic, and Wired. Prior to joining Fletcher, she was an assistant professor of public policy at the Rochester Institute of Technology and a fellow at the New America Cybersecurity Initiative and Harvard's Berkman Klein Center for Internet & Society. She received a Ph.D. in Engineering Systems and M.S. in Technology and Policy from MIT, and an A.B. in mathematics from Princeton. As a student, she also spent time at Microsoft, the Center for Democracy and Technology, the White House Office of Science and Technology Policy, and the Department of Defense.
