Friday, September 15, 2017

Using truly secure passwords: 6 essential reads

File 20170914 8971 1bvg0di.jpg?ixlib=rb 1.1
Scholars have ideas about how to help solve our password problems. vladwei/Shutterstock.com
Jeff Inglis, The Conversation

Editor’s note: the following is roundup of previously published articles.

Passwords are everywhere – and they present an impossible puzzle. Social media profiles, financial records, personal correspondence and vital work documents are all protected by passwords. To keep all that information safe, the rules sound simple: Passwords need to be long, different for every site, easy to remember, hard to guess and never written down. But we’re only human! What is to be done about our need for secure passwords?

Get good advice

Sadly, much of the password advice people have been given over the past decade-plus is wrong, and in part that’s because the real threat is not an individual hacker targeting you specifically, write five scholars who are part of the Carnegie Mellon University passwords research group:

“People who are trying to break into online accounts don’t just sit down at a computer and make a few guesses…. [C]omputer programs let them make millions or billions of guesses in just a few hours…. [So] users need to go beyond choosing passwords that are hard for a human to guess: Passwords need to be difficult for a computer to figure out.”

To help, those researchers have developed a system that checks passwords as users create them, and offers immediate advice about how to make each password stronger.

Use a password manager

All that computing power can work to our advantage too, writes Elon University computer scientist Megan Squire:

“The average internet user has 19 different passwords. It’s easy to see why people write them down on sticky notes or just click the ‘I forgot my password’ link. Software can help! The job of password management software is to take care of generating and remembering unique, hard-to-crack passwords for each website and application.”

That sounds like a good start.

Getting emoji – 🐱💦🎆🎌 – into the act

Then again, it might be even better not to use any regular characters. A group of emoji could improve security, writes Florian Schaub, an assistant professor of information and of electrical engineering and computer science at the University of Michigan:

“We found that emoji passcodes consisting of six randomly selected emojis were hardest to steal over a user’s shoulder. Other types of passcodes, such as four or six emojis in a pattern, or four or six numeric digits, were easier to observe and recall correctly.”

Still, emoji are – like letters and numbers – drawn from a finite library of options. So they’re vulnerable to being guessed by powerful computers.

Drawing toward a solution

To add even more potential variation to the mix, consider making a quick doodle-like drawing to serve as a password. Janne Lindqvist from Rutgers University calls that sort of motion a “gesture,” and is working on a system to do just that:

“We have explored the potential for people to use doodles instead of passwords on several websites. It appeared to be no more difficult to remember multiple gestures than it is to recall different passwords for each site. In fact, it was faster: Logging in with a gesture took two to six seconds less time than doing so with a text password. It’s faster to generate a gesture than a password, too: People spent 42 percent less time generating gesture credentials than people we studied who had to make up new passwords. We also found that people could successfully enter gestures without spending as much attention on them as they had to with text passwords.”

Easier to make, faster to enter, and not any more difficult to remember? That’s progress.

A world without passwords

Any type of password is inherently vulnerable, though, because it is an heir to centuries of tradition in writing, writes literature scholar Brian Lennon of Pennsylvania State University:

“[E]ven the strongest password … can be used anywhere and at any time once it has been separated from its assigned user. It is for this reason that both security professionals and knowledgeable users have been calling for the abandonment of password security altogether.”

What would be left then? Only attributes about who we are as living beings.

The unknowable password

Identifying people based not on what they know, but rather their actual biology, is perhaps the ultimate goal. This goes well beyond fingerprints and retina scans, Elon’s Squire explains:

“[A] computer game similar to ‘Guitar Hero’ [can] train the subconscious brain to learn a series of keystrokes. When a musician memorizes how to play a piece of music, she doesn’t need to think about each note or sequence. It becomes an ingrained, trained reaction usable as a password but nearly impossible even for the musician to spell out note by note, or for the user to disclose letter by letter.”

That might just do away with passwords altogether. And yet if you’re really just longing for the days of deadbolts, padlocks and keys, you’re not alone.

Don’t just leave things to a password

User authentication using an electronic key is here, as Penn State-Altoona information sciences and technology professor Jungwoo Ryoo writes:

“A new, even more secure method is gaining popularity, and it’s a lot like an old-fashioned metal key. It’s a computer chip in a small portable physical form that makes it easy to carry around. (It even typically has a hole to fit on a keychain.) The chip itself contains a method of authenticating itself … And it has USB or wireless connections so it can either plug into any computer easily or communicate wirelessly with a mobile device.”

The ConversationJust don’t leave your keys on the table at home.

Jeff Inglis, Science + Technology Editor, The Conversation

This article was originally published on The Conversation. Read the original article.

Sunday, March 12, 2017

3.14 essential reads about π for Pi Day

Image 20170303 29012 1as5kmn.jpg?ixlib=rb 1.1
We need just a little more party hat… Yelp/Flickr, CC BY-NC-ND
Jeff Inglis, The Conversation

Editor’s note: The following is a roundup of archival stories.

On March 14, or 3/14, mathematicians and other obscure-holiday aficionados celebrate Pi Day, honoring π, the Greek symbol representing an irrational number that begins with 3.14. Pi, as schoolteachers everywhere repeat, represents the ratio of a circle’s circumference to its diameter.

What is Pi Day, and what, really, do we know about π anyway? Here are three-and-bit-more articles to round out your Pi Day festivities.

A silly holiday

First off, a reflection on this “holiday” construct. Pi itself is very important, writes mathematics professor Daniel Ullman of George Washington University, but celebrating it is absurd:

The Gregorian calendar, the decimal system, the Greek alphabet, and pies are relatively modern, human-made inventions, chosen arbitrarily among many equivalent choices. Of course a mood-boosting piece of lemon meringue could be just what many math lovers need in the middle of March at the end of a long winter. But there’s an element of absurdity to celebrating π by noting its connections with these ephemera, which have themselves no connection to π at all, just as absurd as it would be to celebrate Earth Day by eating foods that start with the letter “E.”

And yet, here we are, looking at the calendar and getting goofily giddy about the sequence of numbers it shows us.

There’s never enough

In fact, as Jon Borwein of the University of Newcastle and David H. Bailey of the University of California, Davis, document, π is having a sustained cultural moment, popping up in literature, film and song:

Sometimes the attention given to pi is annoying. On 14 August 2012, the U.S. Census Office announced the population of the country had passed exactly 314,159,265. Such precision was, of course, completely unwarranted. But sometimes the attention is breathtakingly pleasurable.

Come to think of it, pi can indeed be a source of great pleasure. Apple’s always comforting, and cherry packs a tart pop. Chocolate cream, though, might just be where it’s at.

Strange connections

Of course π appears in all kinds of places that relate to circles. But it crops up in other places, too – often where circles are hiding in plain sight. Lorenzo Sadun, a professor of mathematics at the University of Texas at Austin, explores surprising appearances:

Pi also crops up in probability. The function f(x)=e-x², where e=2.71828… is Euler’s number, describes the most common probability distribution seen in the real world, governing everything from SAT scores to locations of darts thrown at a target. The area under this curve is exactly the square root of π.

It’s enough to make your head spin.

Historical pi

If you want to engage with π more directly, follow the lead of Georgia State University mathematician Xiaojing Ye, whose guide starts thousands of years ago:

The earliest written approximations of pi are 3.125 in Babylon (1900-1600 B.C.) and 3.1605 in ancient Egypt (1650 B.C.). Both approximations start with 3.1 – pretty close to the actual value, but still relatively far off.

By the end of his article, you’ll find a method to calculate π for yourself. You can even try it at home!

An irrational bonus

And because π is irrational, we’ll irrationally give you even one more, from education professor Gareth Ffowc Roberts at Bangor University in Wales, who highlights the very humble beginnings of the symbol π:

After attending a charity school, William Jones of the parish of Llanfihangel Tre’r Beirdd landed a job as a merchant’s accountant and then as a maths teacher on a warship, before publishing A New Compendium of the Whole Art of Navigation, his first book in 1702 on the mathematics of navigation. On his return to Britain he began to teach maths in London, possibly starting by holding classes in coffee shops for a small fee.

Shortly afterwards he published “Synopsis palmariorum matheseos,” a summary of the current state of the art developments in mathematics which reflected his own particular interests. In it is the first recorded use of the symbol π as the number that gives the ratio of a circle’s circumference to its diameter.

The ConversationWhat made him realize that this ratio needed a symbol to represent a numeric value? And why did he choose π? It’s all Greek to us.

Jeff Inglis, Science + Technology Editor, The Conversation

This article was originally published on The Conversation. Read the original article.

Tuesday, January 24, 2017

Understanding net neutrality: 10 essential reads

Image 20170124 16094 16yxnfh.jpg?ixlib=rb 1.1
Via shutterstock.com
Jeff Inglis, The Conversation

Editor’s note: The following is a roundup of archival stories, and is an updated version of an article previously published Jan. 24, 2017.

Ajit Pai. Federal Communications Commission

Ajit Pai, President Trump’s chairman of the Federal Communications Commission, is a longtime foe of net neutrality. He has proposed completely repealing the Obama administration’s 2015 Open Internet Order, a decision the commission will likely vote to confirm on Dec. 14.

But what is net neutrality, this policy Pai has spent years criticizing? Here are some highlights of The Conversation’s coverage of the controversy around the concept of keeping the internet open:

1. Public interest versus private profit

The basic conflict is a result of the history of the internet, and the telecommunications industry more generally, writes internet law scholar Allen Hammond at Santa Clara University:

Like the telephone, broadcast and cable predecessors from which they evolved, the wire and mobile broadband networks that carry internet traffic travel over public property. The spectrum and land over which these broadband networks travel are known as rights of way. Congress allowed each network technology to be privately owned. However, the explicit arrangement has been that private owner access to the publicly owned spectrum and rights of way necessary to exploit the technology is exchanged for public access and speech rights.

The government is trying to balance competing interests in how the benefits of those network services. Should people have unfiltered access to any and all data services, or should some internet providers be allowed to charge a premium to let companies reach audiences more widely and more quickly?

2. Media is the basis of democracy

Pai’s move against net neutrality, media scholar Christopher Ali at the University of Virginia writes, is just part of a larger effort at the FCC to accelerate the deregulation trend of the past 30 years. The stakes are high:

Media is more than just our window on the world. It’s how we talk to each other, how we engage with our society and our government. Without a media environment that serves the public’s need to be informed, connected and involved, our democracy and our society will suffer….

If only a few wealthy companies control how Americans communicate with each other, it will be harder for people to talk among ourselves about the kind of society we want to build.

3. Pushing back against corporate control

Competition is already fairly limited, it turns out. Across America, most people have very little – if any – choice in who their internet provider is. Communication studies professor Amanda Lotz at the University of Michigan explains the concerns raised by a monopoly marketplace and the potential effects of turning back the current policy of net neutrality:

The rules were created out of concern internet service providers would reserve high-speed internet lanes for content providers who could pay for it, while relegating to slower speeds those that didn’t – or couldn’t, such as libraries, local governments and universities. Net neutrality is also important for innovation, because it protects small and start-up companies’ access to the massive online marketplace of internet users.

In this view, the internet is a public utility that should be preserved and protected for all to access freely.

4. Getting around the rules

Even with net neutrality rules in place, companies were pushing the boundaries of what is legal. In recent years, many mobile internet providers have been simultaneously imposing and creating exemptions from limits on how much data their customers can use in a given month. Called “zero rating policies,” these exemptions omit from the monthly cap certain types of data, or certain companies’ data. For example, T-Mobile customers can listen endlessly to Spotify internet radio regardless of how much high-speed data they use for other purposes. Information systems scholars Liangfei Qiu, Soohyun Cho and Subhajyoti Bandyopadhyay at the University of Florida examined the effects of those policies on the marketplace:

At first glance, zero rating plans would seem to be good for consumers because they allow users to consume traffic for free. But our research suggests the variety of content may be reduced, which in the long run harms consumers.

Their findings suggest that keeping the internet open would be best for the public.

5. Regulation isn’t always a good solution

However, regulating with that sort of goal could be risky because of the fast-changing nature of the internet, writes technology policy scholar Scott Wallsten at Georgetown:

Today’s business models may not be viable in the future. Net neutrality rules run counter to that reality by freezing in place a particular industry structure, making it difficult for firms to respond to underlying changes in technology and consumer demand over time.

6. A vestige of the 20th century

Whether net neutrality rises or falls, however, the debate will continue. The rules and frameworks the government uses to try to regulate the internet are long out of date, and were written to address a very different time, when landline telephone service was not yet ubiquitous. Boston University communication and law professor T. Barton Carter explained what the real solution is:

The laws governing the internet were written in the early 20th century, decades before the companies that dominate the internet like Google and YouTube even existed. The only solution is a complete rewrite of the 80-year-old Communications Act – unfortunately a fool’s errand in today’s Washington.

7. Can net neutrality even happen?

And maintaining net neutrality itself could be a major challenge, if not a fool’s errand, thanks to important technical details that could make the ideal impossible, writes University of Michigan computer scientist Harsha Madhyastha:

If one user is streaming video and another is backing up data to the cloud, should both of them have their data slowed down? Or would users’ collective experience be best if those watching videos were given priority? That would mean slightly slowing down the data backup, freeing up bandwidth to minimize video delays and keep the picture quality high.

8. Check for yourself

What it looks like when an internet provider throttles content. Screenshot of Northeastern University Wehe app, CC BY-ND

Northeastern University computer scientist David Choffnes describes how his team built an app that can measure exactly how internet service providers handle different types of traffic:

The methods we used and the tools we developed investigate how internet service providers manage your traffic and demonstrate how open the internet really is – or isn’t – as a result of evolving internet service plans, as well as political and regulatory changes. Regular people can explore their own services with our mobile app for Android, which is out now; an iOS version is coming soon.

Letting people see whether, and how, their data service handles internet traffic may be the best way to show people the importance of an open internet.

9. Very large stakes

If net neutrality is repealed, it could spell disaster for America’s position as an international leader in online innovation, writes global business scholar Bhaskar Chakravorti at Tufts:

Based on our findings, I believe that rolling back net neutrality rules will jeopardize the digital startup ecosystem that has created value for customers, wealth for investors and globally recognized leadership for American technology companies and entrepreneurs. The digital economy in the U.S. is already on the verge of stalling; failing to protect an open internet would further erode the United States’ digital competitiveness, making a troubling situation even worse.

10. Setting clearer guidelines

If Pai’s proposal goes through, it will signal that future changes in partisan control in Washington, D.C., could also lead to major shifts in internet regulation. A key part of this potential problem is lack of clarity in the laws, meaning regulators and courts have to sort through major policy questions that would better be dealt with in Congress, writes Timothy Brennan, a former chief economist at the FCC who is now a public policy scholar at the University of Maryland, Baltimore County. He explains three steps Congress could take to simplify the debate – without even having to agree on the policy itself:

If Congress could enact legislation that removed the distinction between “telecommunication” and “information” services, reinforced the importance of the public interest in communications and restored antitrust enforcement power for regulators, the FCC would be better able to develop net neutrality regulations – whatever they may turn out to be – with solid substantive and legal foundations.

The ConversationThat could go a long way to furthering both public debate and public policy.

Jeff Inglis, Science + Technology Editor, The Conversation

This article was originally published on The Conversation. Read the original article.

Tuesday, October 18, 2016

Securing the voting process: Four essential reads

Image 20160922 22509 1a0uggk.jpg?ixlib=rb 1.1
How secure is your vote? Hands with votes illustration via shutterstock.com
Jeff Inglis, The Conversation

Editor’s note: The following is a roundup of stories related to election cybersecurity.

Every vote counts. It’s the key principle underlying democracy. Through the history of democratic elections, people have created many safeguards to ensure votes are cast and counted fairly: paper ballots, curtains around voting booths, locked ballot boxes, supervised counting, provisions for recounting and more.

With the advent of computer technology has come the prospect of faster counting of votes, and even, some hope, more secure and accurate voting. That’s much harder to achieve than it might seem, though. Here are highlights of The Conversation’s coverage of why that is.

Voting machines are old

After the debacle of the 2000 election’s efforts to count votes, the federal government handed out massive amounts of money to the states to buy newer voting equipment that, everyone hoped, would avoid a repeat of the “hanging chad” mess. But more than a decade later, as Lawrence Norden and Christopher Famighetti at the Brennan Center for Justice at New York University explain, that one-time cash infusion has left a troubling legacy:

Imagine you went to your basement and dusted off the laptop or mobile phone that you used in 2002. What would happen if you tried to turn it on? We don’t have to guess. Around the country this election year, people are going into storage, pulling out computers that date back to 2002 and asking us to vote on them.

They asked election officials around the country about the situation, and report on some worrying findings, including how vulnerable the equipment is to cyberattack, and how voting machine breakdowns lead to long lines that deter voters from participating.

Not everyone can use the devices

Also limiting voter turnout is the fact that most voting machines don’t make accommodations for people with physical disabilities that affect how they vote. Juan Gilbert at the University of Florida quantifies the problem:

“In the 2012 presidential election, … The turnout rate for voters with disabilities was 5.7 percent lower than for people without disabilities. If voters with disabilities had voted at the same rate as those without a disability, there would have been three million more voters weighing in on issues of local, state and national significance.”

To date, most efforts to solve the problems have involved using special voting equipment just for people with particular disabilities. That’s expensive and inefficient – and remember, separate is not equal. Gilbert has invented an open-source (read: inexpensive) voting machine system that can be used by people with many different disabilities, as well as people without disabilities.

With the system, which has been tested and approved in several states, voters can cast their ballots using a keyboard, a joystick, physical buttons, a touchscreen or even their voice.

Machines are not secure

Nearly every voting machine in use, though, is vulnerable to various sorts of cyberattacks. For years, researchers have documented ways to tamper with vote counts, and yet few machines have had their cyberdefenses upgraded.

The fact that the election system is so widespread – with multiple machines in every municipality nationwide – also makes it weaker, writes Richard Forno at the University of Maryland, Baltimore County: There are simply more opportunities for an attacker to find a way in.

“Voter registration and administration systems operated by state and national governments are at risk too. Hacks here could affect voter rosters and citizen databases. Failing to secure these systems and records could result in fraudulent information in the voter database that may lead to improper (or illegal) voter registrations and potentially the casting of fraudulent votes.”

Even without an attack, major concerns

Even if an attack never happens – or if nobody can prove one happened – November’s election is vulnerable to sore losers taking advantage of the fact that cyberweaknesses exist.

There is more than enough evidence that a cyberattack is possible. And just that prospect could destabilize the country, argues Herbert Lin of Stanford University:

Imagine that on Nov. 9, the day after Election Day, the early presidential election returns show that Donald Trump has lost. … Trump could call the electronically tallied vote counts obviously fraudulent. Even without pointing to any internal campaign polling suggesting he would win, he could highlight the indisputable fact that no one knows what is going on inside the voting machines.

The ConversationIt’s enough to make you turn out to vote, and keep you up all night afterward.

Jeff Inglis, Science + Technology Editor, The Conversation

This article was originally published on The Conversation. Read the original article.

Thursday, July 2, 2015

Moving Beyond FracFocus: Bringing Real Transparency to Fracking

Since its launch in 2011, FracFocus, a government- and industry-funded website, has been the only place where Americans could learn the details about chemicals and water used in fracking operations near their homes, schools and businesses. But FracFocus has never lived up to its promise of bringing true transparency to fracking. And now, at least one state is planning to set its own course for fracking disclosure.

Pennsylvania’s Department of Environmental Protection has announced that it is withdrawing from FracFocus. Starting in March 2016, Pennsylvania’s fracking operators will have to report electronically to a state database that will present citizens with a map-based interface with simple one-click summaries of specific wells, in addition to downloadable bulk data.

Pennsylvania officials say this is to counter FracFocus’s lack of user-friendliness, which has long been a source of consternation to researchers attempting to document the impacts and risks of fracking. For many years, FracFocus’s website was populated with individual PDF files, scanned copies of forms filed by fracking companies. Initially, many of those disclosures were voluntary; as the site’s influence grew, states began requiring frackers to file with FracFocus. But the database was always far from complete.

FracFocus could be useful for citizens curious about an individual well, but the database was notoriously unfriendly to those wanting to probe more deeply into fracking. For a long time, searches could not return more than 2,000 records. From those search results, users could not download more than a small number of actual disclosure forms each day. What they were able to download was not machine-readable or searchable in any way.

Those limitations persisted as FracFocus improved its underlying data structure, in 2013 requiring disclosures to be submitted in a machine-readable format to an electronic database.

It was 2015 before the public was allowed to download machine-readable data. This latest improvement in FracFocus transparency is welcome, but still falls short of modern standards for making data available and accessible to the public. In Frontier Group’s work on government spending transparency, we have argued that, to be useful to the public, transparency data must (among other things) be searchable, bulk-downloadable, and “one-stop,” meaning that citizens shouldn’t have to jump through multiple hoops or have specialized knowledge to obtain important information.

By contrast, here’s what the average person would have to do to even look at the bulk-downloadable data from FracFocus:
  • Download, install, configure and operate a major database server system, Microsoft SQL Server Management Studio, as well as SQL Server Configuration Manager. They are free, but hard to find on the Microsoft download website (the latest version is here). They have terribly un-intuitive interfaces once they’re running. They are also PC-specific, so Mac users are out of luck.
  • Purchase Microsoft Access, a database program not included in the regular version of Microsoft Office (the one that includes Word, Excel and PowerPoint). Microsoft charges $109.99; Amazon’s price is $99.99. (You could use a different database program, but the instructions provided by FracFocus are Access-specific.)
  • Follow a complicated series of steps – laid out in a nine-page PDF document provided by FracFocus – to convert the data to a form usable by Microsoft Access.
  • Construct queries in Access – not a simple point-and-click database program by any stretch – and interpret the results.
This process is not for the faint of heart, nor for the computer-inexperienced.

Even then, the data are not presented clearly. Rather than a company simply listing how many gallons of water and how many pounds of which chemicals it pumped deep underground at which well, key numbers are presented as percentages of the final fracking fluid. That requires a significant series of careful database queries and spreadsheet calculations to get actual usable figures.

With luck, Pennsylvania’s reporting system will set a new standard for public disclosure of, and citizen access to, data related to fracking. The creation of separate databases for every state where fracking occurs is not the ideal solution – a high-quality national database would be better. But until FracFocus catches up to the standards of data quality and user-friendliness people expect in the 21st century, citizens will need to look to the states to protect their access to this important information that affects their health and well-being.