The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

CERIAS Blog

Page Content

Spaf videos, blasts from the past, future thoughts

Share:

I created a YouTube channel a while back, and began uploading my videos and linking in videos of me that were online. Yes, it’s a dedicated Spaf channel! However, I’m not on camera eating Tide pods, or doing odd skateboard stunts. This is a set of videos with my research and views over the years on information (cyber) security, research, education, and policies.

There are two playlists under the channel — one for interviews that people have conducted with me over the years, and the other being various conference and seminar talks.

One of the seminar talks was one I did at Bellcore on the Internet Worm — about 6 weeks after it occurred (yes, that’s 1988)! Many of my observations and recommendations in that talk seem remarkably current — which I don’t think is necessarily a good observation about how current practice has (not) evolved.

My most recent talk/video is a redo of my keynote address at the 2017 CISSE conference held in June, 2017 in Las Vegas. The talk specifically addresses what I see as the needs in current information security education. CISSE was unable to record it at the time, so I redid it for posterity based on the speaker notes. It only runs about 35 minutes long (there were no introductions or Q&A to field) so it is a quicker watch than being at the conference!

I think there are some other goodies in all of those videos, including views of my bow ties over the years, plus some of my predictions (most of which seem to have been pretty good). However, I am putting these out without having carefully reviewed them — there may be some embarrassing goofs among the (few) pearls of wisdom. It is almost certain that many things changed away from the operational environment that existed at the time I gave some of these talks, so I’m sure some comments will appear “quaint” in retrospect. However, I decided that I would share what I could because someone, somewhere, might find these of value.

If you know of a recording I don’t have linked in to one of the lists, please let me know.

Comments appreciated. Give it a look!

How far do warrants reach in “The Cloud”?

Share:

There is a case currently (early 2018) pending before the Supreme Court of the United States (SCOTUS) addressing if/how a US warrant applies to data held in a cloud service outside the US but run by a US entity.

The case is United States vs. Microsoft, and is related to interpretation of 18 U.S.C. § 2703 — part of the Stored Communications Act.

The case originated when US authorities attempted to serve a warrant on Microsoft to retrieve email of a user whose email was serviced by MS cloud servers in Ireland. Microsoft asserted the data resided in Ireland and the US warrant did not extend outside the US. The US contends that the warrant can be fully served inside the US by Microsoft and no foreign location is involved. Microsoft sued to vacate. The district court upheld the government, and found Microsoft in contempt for not complying. On appeal, the 2nd Circuit Court of Appeals overturned that decision (and the contempt citation), and remanded the case for reconsideration. The US government sought and obtained a writ of certiorari (basically, sought a hearing before SCOTUS to consider that appellate ruling). The oral arguments will be heard the last week in February.

The decision in the case has some far-reaching consequences, not least of which is that if the warrant is allowed, it is likely to drive business away from US service providers of cloud services — clients outside the US will be concerned that the US could compel production of their data. At the same time, if the warrant is not allowed, it could mean that service providers could spring up serving data out of one or more locations that routinely ignore US attempts to cooperate on computer crime/terrorism investigations. (Think of the cloud equivalent of banking havens such as the Caymen Islands, Vanuatu, and the Seychelles.) Neither result is particular appealing, but it seems (to me) that under current law the warrant cannot be enforced.

I signed on to an amicus (friend of the court) brief, along with 50 other computing faculty. Our brief is not explicitly in favor of either side in the dispute, but is intended to help educate the court about how cloud services operate, and that data does actually have a physical location.

If you are interested in reading the other briefs — including several from other amici ("friends of the court”) there are links from the SCOTUS blog about the case. It is interesting to note the perspectives of the EU and Irish governments, trade associations, former law enforcement and government officials, and more. The general consensus of the ones I read seems to me to favor Microsoft in this case. We shall have to see if the SCOTUS agrees, and whether Congress then acts to set new law in the area, if so.

This case is an example of one of the difficulties when we have few barriers in network communications, and the data flows across political borders. It is, in some sense, analogous to the “going dark” concerns of the FBI. How do we maintain privacy in an arena where bad actors use the technology to “hide” what they do, potentially forever beyond reach of law enforcement? Furthermore, how do we enforce the rules of law in an environment where some of the legal authorities are ideologically opposed to privacy rights or rule of law as envisioned by other authorities? It is also related to searches of computing devices carried across borders (including cell phones), and similar instances where the attempt has been made to equate the presence of end points or corporate operators as somehow including the data accessible via those end points. All of these are problems that the technology aggravates but are unlikely — if not impossible — to solve by technology alone.

Interesting times, no matter which side of these matters one is normally likely to support.

This is the 3rd amicus brief before the SCOTUS to which I have been a signatory, and one of 10 overalll. This is very different from publishing academic papers!)