Jefferson's Wheel

I’m quoted in this USA Today article: The power of computing, USA Today, 4 June 2012.

“To understand the world, you need to understand computing and programming,” Evans, who is also a computer science professor at University of Virginia, said in an email. “Without understanding computers and how they are programmed, much of the world will increasingly seem like magic.”

…

While Steve Jobs famously talked about computers as bicycles for the mind 20 years ago, computers today are far more powerful and connected worldwide as “super-tanker-sized, hypersonic spaceships of the mind,” said Evans.

“Without learning to program, you can still ride them if you are willing to remove your shoes at the security checkpoint and go where the pilot wants to go,” said Evans, “but if you want to be the one flying, you need to learn about computing.”

I was interviewed on Gary McGraw’s Silver Bullet podcast.

Gary and Dave discuss the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer Science and Computer Security is a good idea, why data privacy gets short shrift in the United States, why people think (for no apparent reason) that their mobile devices are secure, groceries, David’s research on Secure Computation, and the Udacity project. They close out their discussion with a story about David’s trip to the World Cup in Korea and a choice between GEB and scheme.

You can download the podcast from http://www.cigital.com/silver-bullet/show-076/.

My favorite article about Udacity so far is Professors without Borders, Prospect Magazine, 28 June 2012.

Not long ago, on a rainy Saturday morning, Professor Dave Evans and I hung out in bed while he tried to explain recursive functions (for the fourth time) and I worked on my homework. Or rather, I hung out in bed, and Evans, a computer science professor at the University of Virginia, hung out on my laptop screen, where I could—click—pause him midsentence and pour myself another cup of coffee.

“Computer Science 101: Building a Search Engine” was one of Udacity’s first offerings, and for seven weeks this spring, Evans was teaching me and 30,000 others to write enough Python—a basic programming language—to create a mini Google. We started with basics, including the difference between a computer and a toaster, and “bits” versus “bytes.” Then we went back in time for a little nerd history, from Augusta Ada King, Lord Byron’s daughter and the world’s first “programmer,” to PageRank, the search algorithm that powers Google.

Evans is the kind of nerdy savant whose gap-tooth smile and Monty Python humour attract a cult following on campus. (As an academic, he’s also a world-class cryptographer.) Thrun and Stavens found him in November 2011, flew him to Palo Alto in December, and by January he was crammed in a makeshift recording studio—still in Thrun’s guesthouse—rejigging his standard university curriculum into a Udacity one.

Austin DeVinney, who worked with us on GuardRails last summer and presented a poster at USENIX Security Symposium, was featured in Radford’s College of Science and Technology newsletter.

Information technology student Austin DeVinney’s interest and curiosity has paid off with a summer internship opportunity with cybersecurity expert and Associate Professor of Computer Science at the University of Virginia David Evans.

The full article is here:
IT Student Presents Research at Prestigious Conference [PDF].

The New York Times has a new article about Karsten Nohl’s studies of mobile phone carrier security: Lax Security Exposes Voice Mail to Hacking, Study Says (the title is very misleading, since there is nothing really specific to voice mail here, it is about intercepting actual calls), New York Times, 25 December 2011.

In a study of 31 mobile operators in Europe, Morocco and Thailand, Karsten Nohl, a Berlin hacker and mobile security expert, found that many operators provided poor or weak defenses to protect consumers from illicit surveillance and identity theft.

Mr. Nohl said he was able to hack into mobile conversations and text messages and could impersonate the account identities of cellphone users in 11 countries using an inexpensive, 7-year-old Motorola cellphone and free decryption software available on the Internet. He has tested each mobile operator more than 100 times, he said, and has ranked the quality of their defenses.

…

“This is a major vulnerability in most networks we tested, and the irony is that it costs very little, if nothing, to repair,” Mr. Nohl said. “Often it is just a question of inertia on the part of operators, or they have other priorities, such as building their networks.” …

While the research was limited mostly to Europe, Mr. Nohl, a German citizen who received a doctorate in computer science at the University of Virginia, said the level of security provided by U.S. network operators was on a par with European operators, meaning there was also room for improvement.

In Asia, the Middle East and Latin America, the level of mobile security varies widely and can be much lower. Operators in India and China, Mr. Nohl said, encrypt digital traffic poorly or not at all, either to save on the network’s operating costs or to allow government censors unfettered access to communications.

UVa Today has a story about our secure computation project: U.Va. Team Awarded $3 Million NSF Secure Computation Grant, Fariss Samarrai, UVa Today, 14 October 2011.

Photo: Cole Geddy

“Secure computation is the idea that you can have two people compute a function that depends on things that each one knows individually and wants to keep private without exposing their private data to the other person, or to anyone else,” Evans said.

The research has applications in everyday life, from private medical information, such as personal genomics, to privacy-preserving face recognition and electronic commerce.

As a simple example of how it works, consider two people who each have smartphones with personal address books. They would like to know if they know any of the same people by comparing their address books. But, they may not want to share their address books, which include potentially sensitive private information. So how can they find the common entries, without revealing anything about their other contacts?

Read More …

Computers will make the world of tomorrow a much safer place. They will do away with cash, so that you need no longer fear being attacked for your money. In addition, you need not worry that your home will be burgled or your car stolen. The computers in your home and car will guard them, allowing only yourself to enter or someone with your permission.

From World of Tomorrow — School, Work and Play, by Neil Ardley, 1981. (Scanned by David Gagnon. Hat tip: Ian Finder, University of Washington)

Muzzammil Zaveri (BACS 2011), who worked in our group 2010-2011, and Ethan Fast (BACS 2011) have launched a new company, Proxino, that provides developers with a way of finding bugs in their site’s JavaScript code, as well as optimizing the loading and performance of scripts. Ethan and Muzzammil were funded by Y Combinator, starting in Summer 2011 (right after finishing their BACS degrees). Here’s an article about Proxino:
YC-Funded Proxino: Automated Error Reporting For Your Client-Side JavaScript, TechCrunch, 22 August 2011.

While he was a student here, Muzzammil worked on the GuardRails secure web application framework. Ethan worked in Westley Weimer‘s group on automated program repair.

The New York Times is covering Karsten Nohl’s work on vulnerabilities in cellular data networks: Hacker to Demonstrate ‘Weak’ Mobile Internet Security, New York Times, 9 August 2011.

Karsten Nohl, who published the algorithms used by mobile operators to encrypt voice conversations on digital phone networks in 2009, said during an interview he planned to demonstrate how he had intercepted and read the data during a presentation Wednesday.

Mr. Nohl said he and a colleague, Luca Melette, intercepted and decrypted wireless data using an inexpensive, modified, 7-year-old Motorola cellphone and several free software applications. The two intercepted and decrypted data traffic in a five-kilometer, or 3.1-mile, radius, Mr. Nohl said.

The interceptor phone was used to test networks in Germany, Italy and other European countries that Mr. Nohl declined to identify. In Germany, Mr. Nohl said he was able to decrypt and read data transmissions on all four mobile networks — T-Mobile, O2 Germany, Vodafone and E-Plus. He described the level of encryption provided by operators as “weak.”

In Italy, Mr. Nohl said his interceptions revealed that two operators, TIM, the mobile unit of the market leader, Telecom Italia, and Wind did not encrypt their mobile data transmissions at all. A third, Vodafone Italia, provided weak encryption, he said.

Technology Review also has an article: Researchers Hack Mobile Data Communications, Technology Review, 10 August 2011.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

The Register also has this story: Hackers crack crypto for GPRS mobile networks, The Register, 10 August 2011.

The details will be presented at Chaos Communications Camp today (August 10).