CyLab hosts panel discussion on cybersecurity issues

Benjamin Madueme Oct 15, 2012

Jeremy Zerechak, an award-winning filmmaker from Pittsburgh, stopped by Carnegie Mellon CyLab last Friday to talk about his new documentary Code 2600. As part of a panel discussion led by Lorrie Cranor, associate professor of computer science and engineering and public policy, Zerechak talked about the major themes of the film, which mostly revolve around hacking, cybersecurity, and privacy. Two screenings of Code 2600, also sponsored by CyLab, were shown at McConomy Auditorium later that day.

After garnering success with his critically acclaimed 2008 war documentary Land of Confusion, Zerechak explained how a later encounter with an intrusion detection specialist sparked his interest in hacking and cybersecurity.

“I decided to go ahead and do extensive research into that story,” Zerechak said. “What I found was a history that was rich and untold, and a story of an expansive world that I felt was very underrepresented.”

Zerechak’s documentary begins by touching on the “phone phreaks” of the ’60s and ’70s, who would employ various techniques to leverage the telecommunications systems in place at the time. Among the most popular of these techniques was one that involved using a hobbyist contraption called a blue box to make free long-distance phone calls.

A phone phreak would place the blue box next to the mouthpiece of a telephone and dial a long-distance telephone number on the blue box’s keypad. The blue box would then generate corresponding 2600 Hertz tones — hence the film’s name — and trick the long-distance dialing systems into routing the call. With a 10-minute phone call from San Francisco to New York costing the equivalent of $55 today, these widespread “phreaking” techniques cost telecommunications companies fortunes at the time.

As this was one of the earliest struggles between tech corporations and hackers, panel member Nicolas Christin, associate director of the Information Networking Institute and CyLab senior systems scientist, drew some comparisons between that scenario and the piracy issues plaguing the digital entertainment industry today.

“In the ’60s, phone calls were expensive and people didn’t want to spend money, [so] they developed early ingenious technology to circumvent that,” he said. “Now if you fast-forward to, say, today, movies, movie rentals are very expensive, and people don’t want to spend that money.... The root of the problem is still the same today. The technology has changed, but ultimately it’s about economics.”

The film also described many current cybersecurity issues. It featured a few “white hats” — hackers who exploit systems for benign purposes, such as revealing security flaws to a company — explaining various methods they’ve used to obtain confidential information.

Some were able to extract account passwords, credit card numbers, social security numbers, and other types of sensitive data by cracking poor wireless encryption schemes or by inconspicuously acquiring such data at public wireless access points. Others tricked unsuspecting users into plugging flash drives full of hidden, harmful programs into their computers.

Jeff Moss, founder of the hacking conferences Black Hat and DEFCON, demonstrated a terminal program called Metasploit that he was able to use to gain access to the core system files on a Windows machine. The punch line this time? He was doing it all wirelessly from his jailbroken iPhone.

Obviously, when tools like these fall into the hands of “black hats” — those who exploit systems for malicious purposes — they make those attackers powerful opponents of the financial security of the typically unprepared consumer engaging in online transactions.

“Cyber crime is really taking over,” said panel member Norman Sadeh, professor of computer science at Carnegie Mellon. “From people identifying exploits, to people enabling these exploits, to people controlling botnets and making these botnets available, there’s an entire black economy that has developed.... It has made it easier for people to launch attacks on a much larger scale than what was previously possible.”

Yet another dimension that Code 2600 ambitiously tries to address is the question, “Is privacy dead?” In an age where people seem willing to publicize more of their private information to social networks like Twitter and Facebook to promote their social status, some like world-class cryptographer and security commentator Bruce Schneier are questioning whether this really is the best course of action for our society.

“There’s a common myth that privacy is about something to hide,” Schneier says in the documentary. “ ‘I don’t have anything to hide, so I don’t need privacy.’ But you know that’s not true. You don’t have any[thing] to hide when you sing in the shower or write a love letter and then tear it up. Privacy is about us as individuals; it’s about our ability to be who we are, without necessarily telling everybody.... It’s not about hiding, it’s about personal dignity.”

“When you use a bookseller like Amazon.com,” adds Jennifer Granick, director of civil liberties at Stanford University, in the film, “they’re keeping information about not only books you buy and where your house is that they have to ship the books to, but about what books you brag [about]. All of that information gets collected and stored.... This is some of the most private kinds of information: what books you’re interested in [and] what you search on Google.... Think about how you would feel if someone could get access to what you were searching for. It’s basically what you’re thinking ... some of the most intimate, personal information that’s out there.”