Post on 15-Dec-2015
Trust, Security and Privacy in Learning Networks
Daniel Olmedilla
L3S Research Center / Hannover University
Learning Networks in Practice
10th May, 2007
Daniel Olmedilla May. 10th, 2007Learning Networks in Practice 2
About this presentation
The intention is to show the security-related implications of using standard internet technology
Not specific to learning scenarios
User awareness and control are crucial when considering network- or social-based interactions
Encourage discussion
Outline
Did you know …?
What is it?
Learning Network Interaction
Some Research Directions
Conclusions
Did you know …?
that every time you use your browser your privacy is compromised?
that apparently non-sensitive information may threaten your privacy?
that a security failure on any system may have strong consequences for you?
Did you know …? Using Search Engines
Each search query is only some keywords
You may believe they are harmless
What if you link them?
Did you know … ? The AOL scandal
In 2006 AOL released data about 3 months of use
  20 million web queries from 650,000 AOL users
  AOL username was changed to an ID number
Users search for their own name, those of relatives or friends, addresses, social security numbers (SSN), etc.
What if you link
  own name + porn query: embarrassment
  name + “buy ecstasy”: evidence of crime
  name + address + SSN: identity theft waiting to happen
  address + “how to kill your wife”: possible future crime
http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/
Did you know … ? Google Toolbar or Personalized Search
Several queries are normally linked only if they are within the same session or same IP
Google Toolbar and Personalized Search
  Collect information about your internet surfing behavior
  Have your bookmarks
  Have your interests
  Know what you buy
  Etc.
Did you know … ? Information Linkage
Medical Data released as Anonymous

SSN  Name  Ethn   DOB       Sex  ZIP    Problem
…    …     …      …         …    …      …
…    …     White  09.16.61  F    94142  Obesity
…    …     …      …         …    …      …

Voter List

Name         Address         City       ZIP    DOB       Sex  Party     …
…            …               …          …      …         …    …         …
Sue Carlson  900 Market St.  San Fran.  94142  09.16.61  F    Democrat  …
…            …               …          …      …         …    …         …
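A check a data custodian could run before publishing such a release, added here as an example (it is not part of the original slides): it measures how many records are unique on the columns shared with the voter list (ZIP, DOB, Sex) and shows the effect of coarsening those columns. Only the first row of each table comes from the slide; the other rows, the function names and the generalization rule are assumptions made for the example.

```python
from collections import Counter

QI = ("zip", "dob", "sex")  # quasi-identifiers present in both tables

# Constructed sample data: the first row of each list is from the slide,
# the remaining rows are invented for this example.
MEDICAL = [  # "anonymous" release: SSN and name already removed
    {"ethn": "White", "dob": "09.16.61", "sex": "F", "zip": "94142", "problem": "Obesity"},
    {"ethn": "White", "dob": "02.03.61", "sex": "F", "zip": "94110", "problem": "Asthma"},
    {"ethn": "Asian", "dob": "11.30.70", "sex": "M", "zip": "94142", "problem": "Flu"},
    {"ethn": "Black", "dob": "05.12.70", "sex": "M", "zip": "94117", "problem": "Diabetes"},
]
VOTERS = [
    {"name": "Sue Carlson", "zip": "94142", "dob": "09.16.61", "sex": "F", "party": "Democrat"},
    {"name": "Voter A (constructed)", "zip": "94103", "dob": "07.07.55", "sex": "M", "party": "-"},
]

def key(row):
    return tuple(row[q] for q in QI)

def k_anonymity(release):
    """Size of the smallest group sharing the same quasi-identifiers (1 = someone is unique)."""
    return min(Counter(key(r) for r in release).values())

def linkable(release, public):
    """(name, problem) pairs whose key is unique in BOTH tables, i.e. an unambiguous join."""
    rel_count = Counter(key(r) for r in release)
    pub_count = Counter(key(p) for p in public)
    names = {key(p): p["name"] for p in public}
    return [(names[key(r)], r["problem"]) for r in release
            if rel_count[key(r)] == 1 and pub_count[key(r)] == 1]

def generalize(row):
    """Mitigation before release: keep only birth year and the first three ZIP digits."""
    return {**row, "dob": row["dob"][-2:], "zip": row["zip"][:3] + "**"}

if __name__ == "__main__":
    print(k_anonymity(MEDICAL), linkable(MEDICAL, VOTERS))
    coarse = [generalize(r) for r in MEDICAL]
    print(k_anonymity(coarse), linkable(coarse, [generalize(v) for v in VOTERS]))
```

On this sample the raw release has k = 1 and the slide's row joins to a single voter; after generalization every group has two members and no unambiguous join remains.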
Did you know … ? Is your disclosed information safe?
It may be stolen online because of security failures
Human intervention is an extra risk in the loop
Complete security does not exist !!!
http://www.usatoday.com/tech/news/computersecurity/2003-03-06-texas-hack_x.htm
http://www.foxnews.com/story/0,2933,196492,00.html
What is it? Security, Trust and Privacy
Security: if you already know an entity, how do you decide what she is or is not allowed to do?
Trust: if you do not know an entity, how do you decide whether to continue with the interaction or not?
Privacy: if you are asked for data, how do you decide what, when and to whom you disclose it? How do you ensure it is not further redistributed afterwards?
Learning Network Interaction: A possible scenario
Some Research Directions: Two main approaches
Soft/Social: based on previous behavior or experience, either direct or inferred
  e-bay, Amazon, etc.
Hard/Verifiable: based on the disclosure of credentials or certificates
  SSN, credit card, etc.
Some Research Directions: Social Approach – Trust Propagation
[Figure: trust propagation diagram with labels "trust – 0.6" and "0.2??"]
Some Research Directions: Policies
Policy: statement specifying the behavior of a system
Some examples:
  Credit card required for a book purchase
  Discount to students
  My pictures can be accessed by my friends
Typically, only the server specifies the policies
  Take-it-or-leave-it fashion
Some Research Directions: Trust Negotiation
[Figure: message exchange between Alice and Bob for the Service]
Step 1: Alice requests a service from Bob
Step 2: Bob discloses his policy for the service
Step 3: Alice discloses her policy for VISA
Step 4: Bob discloses his BBB credential
Step 5: Alice discloses her VISA card credential
Step 6: Bob grants access to the service
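The six-step exchange between Alice and Bob, written out as a small policy-driven negotiation; this is an added example, not code from the original presentation. The Party class, the negotiate function and the policy encoding (item mapped to the credentials the peer must show first) are assumptions, and the loop also covers the two ways such a negotiation fails: a missing credential and policies that wait on each other.

```python
class Party:
    def __init__(self, name, credentials, policies):
        self.name = name
        self.credentials = set(credentials)  # credentials this party holds
        self.policies = policies             # item -> credentials the peer must show first

def negotiate(requester, provider, service):
    """Return (granted, transcript) for a policy-driven credential exchange."""
    log = [f"{requester.name} requests {service} from {provider.name}"]
    seen = {requester.name: set(), provider.name: set()}  # credentials received so far
    announced = set()
    stack = [(provider, requester, service)]  # (owner, peer, item) still to be released
    while stack:
        owner, peer, item = stack[-1]
        missing = sorted(set(owner.policies.get(item, ())) - seen[owner.name])
        if not missing:  # policy satisfied: release the item
            stack.pop()
            if item == service:
                log.append(f"{owner.name} grants access to {service}")
                return True, log
            seen[peer.name].add(item)
            log.append(f"{owner.name} discloses credential {item}")
            continue
        if (owner.name, item) not in announced:
            announced.add((owner.name, item))
            log.append(f"{owner.name} discloses policy for {item}: requires {', '.join(missing)}")
        need = missing[0]
        if need not in peer.credentials:
            log.append(f"failed: {peer.name} holds no {need}")
            return False, log
        if any(o is peer and i == need for o, _, i in stack):
            log.append(f"failed: circular dependency on {need}")
            return False, log
        stack.append((peer, owner, need))
    return False, log

def demo():
    # Constructed parties matching the slide: Bob's service needs VISA, Alice's VISA needs BBB.
    alice = Party("Alice", {"VISA"}, {"VISA": {"BBB"}})
    bob = Party("Bob", {"BBB"}, {"service": {"VISA"}})
    return negotiate(alice, bob, "service")

if __name__ == "__main__":
    print("\n".join(demo()[1]))
```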
Conclusions
Be aware of the implications of your computer usage
Malicious entities are always watching
Key issue: user awareness and control
Conclusions: User Awareness and Control (I)
Most security/privacy violations are caused by
Lack of awareness
  Users ignore security threats and vulnerabilities
  Users ignore the policies applied by the systems they use
Lack of control
  Users don't know how to personalize their policies
A social problem
  Everybody's machine is on the internet
  Millions of computers can be exploited for attacks
  By taking advantage of the users' lack of technical competence
Conclusions: User Awareness and Control (II)
A recent experiment:
Several computers connected to the network
Different platforms and configurations
With default policies: intrusion in <5 min.
Bias towards functionality
With personalized policies: safe for 2 weeks
Till the end of the experiment
Avantgarde. http://www.avantgarde.com/xxxxttln.pdf
Questions?
olmedilla@L3S.de - http://www.L3S.de/~olmedilla/
Thanks!