Driving and Monitoring Provisional Trust Negotiation with
Download
Report
Transcript Driving and Monitoring Provisional Trust Negotiation with
Trust, Security and Privacy
in Learning Networks
Daniel Olmedilla
L3S Research Center / Hannover University
Learning Networks in Practice
10th May, 2007
About this presentation
The intention is to show the security-related
implications of using standard internet
technology
Not-specific to learning scenarios
User awareness and control are crucial
when considering network- or social-based
interactions
Encourage discussion
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
2
Outline
Did you know …?
What it is?
Learning Network Interaction
Some Research Directions
Conclusions
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
3
Did you know …?
that every time you use your browser your privacy is
compromised?
that information apparently not sensitive may
attempt your privacy?
that a security failure on any system may have
strong consequences for you?
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
4
Did you know …?
Using Search Engines
Each search query is only some keywords
You may believe they are harmless
What if you link them?
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
5
Did you know … ?
The AOL scandal
AOL released in 2006 data about 3 months of use
20 million web queries
from 650,000 AOL users
AOL username was changed to an ID number
Users search for their own name, those from relatives or
friends, addresses, social security numbers (SSN), etc.
What if you link
own name + porn query embarrassment
name + “buy ecstasy” evidence of crime
name + address + SSN identity theft waiting to happen
address + “how to kill your wife” possible future crime
http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-usersearch-data/
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
6
Did you know … ?
Google Toolbar or Personalized Search
Several queries are normally linked only if they
are within the same session or same IP
Google Toolbar and Personalized Search
Collects information about your internet surfing
behavior
Have your bookmarks
Have your interests
Know what you buy
Etc.
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
7
Did you know … ?
Information Linkage
Medical Data released as Anonymous
SSN Name Ethn
DOB
Sex ZIP
Problem
…
…
…
…
…
…
…
…
White 09.16.61 F
94142 Obesity
…
…
…
…
…
…
…
…
Voter List
Name
Address
City
ZIP
DOB
Sex Party
…
…
…
…
…
…
…
…
…
Sue Carlson 900 Market St. San Fran. 94142 09.16.61 F
Democrat …
…
…
Daniel Olmedilla
…
…
…
Learning Networks in Practice
…
…
May. 10th, 2007
…
8
Did you know … ?
Is your disclosed information safe?
It may be stolen online because of security
failures
Human intervention is an extra risk in the loop
Complete security does not exist !!!
http://www.usatoday.com/tech/news/computersecurity/2003-03-06-texas-hack_x.htm
http://www.foxnews.com/story/0,2933,196492,00.html
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
9
What is it?
Security, Trust and Privacy
Security: if you already know an entity, how do you
decide what she is or is not allowed to do?
Trust: if you do not know an entity, how do you decide
whether to continue with the interaction or not?
Privacy: if you are requested data, how do you decide
what, to when and to whom you disclose it? How do you
ensure it is not further redistributed afterwards?
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
10
Learning Network Interaction
A possible scenario
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
11
Some Research Directions
Two main approaches
Soft/Social: based on previous behavior or experience,
either direct or inferred
e-bay, Amazon, etc.
Hard/Verifiable: based on the disclosure of credentials
or certificates
SSN, credit card, etc.
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
12
Some Research Directions
Social Approach – Trust Propagation
trust – 0.6
0.2
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
13
Some Research Directions
Policies
Policy: statement specifying the behavior of a system
Some examples:
Credit card required for a book purchase
Discount to students
My pictures can be access by my friends
Typically, only the server specifies the policies
Take-it-or-leave-it fashion
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
14
Some Research Directions
Trust Negotiation
Alice
Bob
Step 1: Alice requests a service from Bob
Step 2: Bob discloses his policy for the service
Step 3: Alice discloses her policy for VISA
Step 4: Bob discloses his BBB credential
Step 5: Alice discloses her VISA card credential
Service
Daniel Olmedilla
Step 6: Bob grants access to the service
Learning Networks in Practice
May. 10th, 2007
15
Conclusions
Be aware of the implications of your computer
usage
Malicious entities are always watching
Key issue: user awareness and control
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
16
Conclusions
User Awareness and Control (I)
Most security/privacy violations caused by
Lack of awareness
Users ignore security threats and vulnerabilities
Users ignore the policies applied by the systems they use
Lack of control
Users don't know how to personalize their policies
A social problem
Everybody's machine is on the internet
Millions of computers can be exploited for attacks
By taking advantage of the users' lack of technical
competence
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
17
Conclusions
User Awareness and Control (&II)
A recent experiment:
Several computers connected to the network
Different platforms and configurations
With default policies: intrusion in <5 min.
Bias towards functionality
With personalized policies: safe for 2 weeks
Till the end of the experiment
Avantgarde. http://www.avantgarde.com/xxxxttln.pdf
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
18
Thanks!
Questions?
[email protected] - http://www.L3S.de/~olmedilla/
Daniel Olmedilla
Learning Networks in Practice
May. 10th, 2007
19