Jefferson’s Wheel

British Prime Minister Gordon Brown has issued a long overdue apology to Alan Turing on behalf of the British government. The full text is here.

Turing was a quite brilliant mathematician, most famous for his work on breaking the German Enigma codes. It is no exaggeration to say that, without his outstanding contribution, the history of World War Two could well have been very different. He truly was one of those individuals we can point to whose unique contribution helped to turn the tide of war. The debt of gratitude he is owed makes it all the more horrifying, therefore, that he was treated so inhumanely. In 1952, he was convicted of ‘gross indecency’ – in effect, tried for being gay. His sentence – and he was faced with the miserable choice of this or prison – was chemical castration by a series of injections of female hormones. He took his own life just two years later.

… But even more than that, Alan deserves recognition for his contribution to humankind. For those of us born after 1945, into a Europe which is united, democratic and at peace, it is hard to imagine that our continent was once the theatre of mankind’s darkest hour. It is difficult to believe that in living memory, people could become so consumed by hate – by anti-Semitism, by homophobia, by xenophobia and other murderous prejudices – that the gas chambers and crematoria became a piece of the European landscape as surely as the galleries and universities and concert halls which had marked out the European civilisation for hundreds of years. It is thanks to men and women who were totally committed to fighting fascism, people like Alan Turing, that the horrors of the Holocaust and of total war are part of Europe’s history and not Europe’s present.

So on behalf of the British government, and all those who live freely thanks to Alan’s work I am very proud to say: we’re sorry, you deserved so much better.

The apology grew out of an online petition initiated by John Graham-Cumming (also known for writing the Geek Atlas travel guide). Britain has a long tradition of citizens being able to petition the government, which is now supported by an e-petitions website. The petition asking for an apology to Alan Turing is currently the fourth-most signed petition with 31,349 signatures (all of whom must be British citizens).

Some news coverage:

• BBC: PM apology after Turing petition
• The Guardian: No 10 apologises for “appalling” treatment of Alan Turing
• John Graham-Cumming’s blog: “Hello John, It’s Gordon Brown”

The Call for Papers for the 2010 IEEE Symposium on Security and Privacy is now available: oakland10.cs.virginia.edu/cfp.html.

The first three deadlines are:

Workshop proposals due: Friday, 21 August 2009
Research papers due: Wednesday, 18 November 2009
Systematization of Knowledge papers due: Tuesday, 24 November

The Examiner has an article on Facebook privacy issues: To Facebook or not to Facebook, 29 June 2009.

The second approach is even scarier, a feature of Facebook which allows outside developers to create small programs called “applications” for members to do things like playing poker, getting daily horoscopes, and sending each other virtual fantasies. With the younger set, the latter must cause parents a lot of consternation over their kids. Word is there are about 24,000 applications that have been built by 400,000 developers.

And here’s the kicker. Once these developers have your personal data, there is nothing Facebook can do. Adrienne Felt of the University of Virginia investigated the procedure in her thesis and found out that 90 out of 150 of Facebook’s most popular applications (that’s 60 percent) have unnecessary access to your private information.

Jake Widman has written an interesting article about the impact of “oversharing” on Facebook: How Facebook mucks up office life: Managing a workforce is already a challenging job; now Facebook and other social networks raise a host of sticky new situations., ComputerWorld, 30 April 2009.

The key observation is the way social networks mix different social circles that would rarely intersect in real life, along with people’s willingness to accept friend requests from unknown or unvalidated individuals.

Separate from the social challenge is the issue of people, particularly younger Facebook users, becoming friends with people they don’t know well, or even at all. “Facebook doesn’t have our normal social mechanisms for validating someone,” Argast points out — and many users, especially people who use Facebook to network, are reluctant to turn down a friend request.

The article mentions studies that indicate both that a significant fraction (23%) of hiring managers check social networking sites on potential hires, and that the majority of Facebook users do not understand how visible their “private” information is.

The article also highlights the additional risks of applications.

A further issue is the fact Facebook applications gain access to — as the warning screen tells you — “your profile information, photos, your friends’ info, and other content that it requires to work,” whether they need it or not.

In 2007, Adrienne Porter Felt, then a computer science student at the University of Virginia and now a student at U.C. Berkeley, and David Evans, an Associate Professor of Computer Science at the University of Virginia, did a survey of the top 150 Facebook applications and found that “90.7% of applications are being given more privileges than they need” to perform their intended functions.

The researchers haven’t updated those earlier findings, but Evans says he suspects the results would be pretty similar. “If anything, the applications are getting more complex,” he says. “And there is also an emerging model for third-party advertising networks embedded in applications, which has further privacy risks.”

In summary,

Bottom line? Facebook doesn’t call for new principles, Selvas says, just smart application of the old ones. And the constant reminder that you and your employees are in public when you’re on Facebook. As Selvas sums up, “Don’t do anything on Facebook you wouldn’t do in an airport.”

Congratulations to Adrienne Felt (BSCS 2008, now a PhD student at Berkeley) who won an NSF Graduate Research Fellowship! The award provides 3 years of funding along with lots of prestige and glory.

Four other UVa students one NSF Graduate fellowships in Computer Science this year (two of whom are BACS students):

• Sara Alspaugh, BACS 2009
• Erika Chin, BSCS 2007 (now at Berkeley)
• Linda Yang Liu, BS Biology 2008 (now at Stanford doing bioinformatics)
• Rachel Miller, BACS 2009

No other school had 5 of its graduates win CS NSF Graduate fellowships — Princeton was second with 4, followed by MIT and UC Berkeley with 3 each.

I found two of our former undergraduate researchers at a seminar at Dagstuhl (Germany) on Web Application Security.

Photo by Anh Nguyen-Tuong

Salvatore Guarnieri (UVa BS 2006, left in the picture) is now a PhD student at the University of Washington. He presented his work on (mostly) statically analyzing JavaScript that he did as an intern at MSR.

William G. J. Halfond (UVa BS 2002, right in the picture) is finishing a PhD at Georgia Tech this year. He presented his work on automatically generating inputs for web application penetration testing.

John Wilander has been blogging the workshop: Dagstuhl Seminar Final (or, if you can’t read Swedish try Google’s translation).

On his recent visit to England, President Obama presented the Queen with an iPod loaded with showtunes. Although one might question the diplomatic and musical judgment behind such a gift, it also raises some interesting questions about copyright law and computer security.

The EFF has an interesting article about the copyright issues: iPods, First Sale, President Obama, and the Queen of England, Fred von Lohmann, 2 April 2009. It starts,

President Obama reportedly gave an iPod, loaded with 40 show tunes, to England’s Queen Elizabeth II as a gift. Did he violate the law when he did so?

You know your copyright laws are broken when there is no easy answer to this question.

The other question this raises is how effective of a malware vector this is when the Queen attaches the iPod to her PC (okay, the Queen probably runs ubuntu). I don’t know if there are any known vulnerabilities in the iPod/iTunes interface, but its a wide enough interface that it would be very unsurprising if there are ways to get malware from an iPod to a host machine. Perhaps, this is all part of a clever strategy to make heads of less friendly states than the Queen expect to receive electronic gadgets from our President and connect them to their systems.

The New York Times has an article on social network privacy issues including the risks of third party applications: When Everyone’s a Friend, Is Anything Private?, New York Times, 7 March 2009 (by Randall Stross, Digital Domain column).

FACEBOOK has a chief privacy officer, but I doubt that the position will exist 10 years from now. That’s not because Facebook is hell-bent on stripping away privacy protections, but because the popularity of Facebook and other social networking sites has promoted the sharing of all things personal, dissolving the line that separates the private from the public.

…

Facebook’s default settings for new accounts protect users in some ways. For instance, the information in one’s profile is restricted to friends only; it is not accessible to friends of friends. But Facebook sets few restrictions by default on what third-party software can see in a network of friends. Members are not likely aware that unless they change the default privacy settings, an application installed by a friend can vacuum up and store many categories of a member’s personal information.

David E. Evans, an associate professor of computer science at the University of Virginia, says he wishes that Facebook would begin with more restrictions on the information that outside software developers can reach. For 15 of 19 information categories, Facebook sets a default setting of “share,” which means the information can be pulled out of Facebook and stored on servers outside its control. These 15 categories include activities, interests, photos and relationship status.

“Facebook could set defaults erring on the side of privacy instead of on the side of giving your information away,” he said.

Chris Kelly, Facebook’s chief privacy officer, defends its current settings, saying it “gives users extensive control over the applications they choose to interact with.” He also said Facebook had removed “thousands” of applications that members deemed untrustworthy.

In Professor Evans’s view, however, banishment of malevolent software comes too late: “Once the application has got the data, it’s got it, stored on someone else’s machine.”

The defaults turn out to be crucially important, because few users go to the trouble of adjusting the settings. Asked how many members ever change a privacy setting, Mr. Kelly said 20 percent.

Randolph Yu Yao is joining our research group and the NSF RFID project. He’s a PhD student in Computer Engineering and will be working on something related to security and privacy for RFID systems that integrates cryptographic requirement with circuit-level designs.

His brief bio is below. Please join me in welcoming Randolph to the group!

I was born in a small city in southeast of China, and traveled from south to north during my high school, undergraduate, half-graduate study. I’m very happy to travel to the other half of the planet for my PhD study here in the end.

I was an EE major and love to deal with various aspects of embedded system. I’ve worked on the RoboCup, which forms a robot team to play “football”; the Mobile Satellite Communication Vehicle, which essentially control the attitude of antenna in dynamic circumstance; the Multi-Agent Cooperation via wireless communication etc. I didn’t realize before that the security issues of the embedded system are very challenge problems and becomes a bottleneck for their ubiquitous deployments, no matter for sensor networks or RFID. My ultimate goal is to enable these smart embedded systems acceptable by common people and put into daily service without concern about the security and reliability in the face of expanding network connection.

I also like sports such as swimming, traveling, exploration, basketball, hiking but no running which I think too boring. I enjoy the weather, the blue sky and fresh air here.

Don Tapscott’s new book, Grown Up Digital: How the Net Generation is Changing Your World, includes a brief description of Adrienne Felt’s work on social network privacy:

I’m still worried, though, and I’m not alone. According to Adrienne Felt, the coauthor of a 2007 study on social networking privacy, the new measures do not fix a key problem. You can decide which of your friends can see what on your profile, and you can stop the applications that your friends install from peering into your Facebook world. But, if you install an application — say, a photo editing application that lets you put Angelina Jolie’s hairdo on your best friend’s high school graduation picture — the maker of that application can see anything you put on your profile, like your dating interest, your summer plans, your political views, your photos, the works. The only way to stop the application developers from peering into your own Facebook world, Felt says, is to not put any applications on your personal profile. The vast majority of applications don’t need your private data to do their thing, she notes, and yet all of them have access to whatever you can see. [footnote that references our Privacy by Proxy paper]

I tried the book’s website http://grownupdigital.com/, but get:

PHP has encountered an Access Violation at 7C81BD02

Perhaps the digital world is not fully grown up yet!