ER&L 2010: Opening Keynote – Librarians in the Wild: Thinking About Security, Privacy, and Digital Information

Speaker: Lance Hayden, Assistant Instructor, School of Information – University of Texas

He spent six years with the CIA, after that he attended the UT iSchool, which was followed by working with Cisco Systems on computer security issues. The team he works with does “ethical hacking” – companies hire them to break into their systems to find the holes that need to be filled so that the real bad guys can’t get in.

Many of us are not scared enough. We do things online that we wouldn’t do in the real world. We should be more aware of our digital surroundings and security.

In computer security, “the wild” refers to things that happen in the real world (as opposed to the lab). In cyberspace, the wild and civilization are not separate – they are co-located. Civilization is confidentiality, integrity, and availability. We think that our online communities are entirely civilized, but we are too trusting.

The point is, if you’re not careful about keeping your virtual houses secure, then you’re leaving yourself open to anyone coming in through the windows or the basement door you never lock.

Large herds attract big predators. As more people are connected to a network or virtual house, the motivation to hit it goes up. Part of why Macs seem more secure than Windows machines is because there is a higher ROI for attacking Windows due to the higher number of users. Hacking has gone from kids leaving graffiti to organized crime exploiting users.

Structures decay quickly. The online houses we have built are made of software that lives on real-world machines. Every day people find vulnerabilities they can exploit. Sometimes they tell the manufacturers/vendors, sometimes they don’t. Everything we add to the infrastructure increases the surface that can be exposed. The software and systems we use are not monolithic entities – they are constructed from millions of lines of code. Trying to find the mistake in a line of code is like trying to find a misplaced semicolon in War and Peace. It’s more complex than “XYZ program has a problem.”

Protective spells can backfire. Your protective programs and security systems need to be kept up to date or they can backfire. Make sure that your magic is tight. Online shopping isn’t any less safe than shopping in person, because the risk is mostly in what the vendor stores on their own systems (which can be hacked), not in the connection itself. Your physical vendor holds the same information, often on computer systems that can be hacked.

Knowledge is the best survival trait (or, ignorance can get you eaten). Passwords have been the bane of security professionals since the invention of the computer. When every single person in an institution has a password that is a variation on a template, it’s easy to crack. [side note: The Help Desk manager at MPOW recommends using a personalized template and just increasing the number at the end every time they have the required password change. D’oh!] The nature of passwords is that you can’t pick one that is completely secure. What you’re trying to do is have a password secure enough to dissuade everyone except the most persistent. Hayden suggests starting from a phrase, replacing some of its characters with numbers, and making it longer, because every added character multiplies the number of guesses an attacker has to make.
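To put numbers on the two points above (the template-plus-counter habit, and why a longer phrase beats a cleverer one), here is an added illustration in Python. It is not code from Hayden’s talk or from these notes. The letter-to-number table and the 2,000-word list size are assumptions chosen for the example; the model counts how many guesses each strategy costs an attacker who has already seen one of your passwords or knows the phrase you started from.

```python
import math
import re

# Assumed substitution table for the "phrase with some letters turned into
# numbers" style. This is an example choice, not one from the talk.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def next_from_template(leaked, steps=3):
    """Attacker's view of the 'template plus counter' habit: given one leaked
    or expired password such as 'Spring2010', predict the next rotations.
    Zero-padding is preserved so 'pass09' yields 'pass10'."""
    m = re.fullmatch(r"(.*\D)(\d+)", leaked)
    if m is None:  # no trailing counter, nothing to predict
        return []
    stem, digits = m.groups()
    width = len(digits)
    return [f"{stem}{int(digits) + i:0{width}d}" for i in range(1, steps + 1)]


def apply_substitutions(phrase, table=LEET):
    """Turn a phrase into the number-substituted form of the suggestion."""
    return "".join(table.get(ch.lower(), ch) for ch in phrase)


def substitution_variants(phrase, table=LEET):
    """Extra work the substitutions add for an attacker who already knows the
    phrase and the table: each substitutable letter may or may not be swapped,
    so there are 2**k variants to try."""
    k = sum(1 for ch in phrase.lower() if ch in table)
    return 2 ** k


def compare(leaked, phrase, wordlist_size=2000):
    """Guesses needed for each strategy, side by side: the next template
    rotation, the substitutions alone, and one word added to the phrase from
    an assumed list of `wordlist_size` common words."""
    return {
        "template_next_rotation": len(next_from_template(leaked)),
        "substitutions_on_phrase": substitution_variants(phrase),
        "one_added_word": wordlist_size,
    }


def added_word_bits(wordlist_size=2000):
    """Same comparison in bits: one added word from a 2,000-word list is
    about 11 bits, i.e. more than a dozen substitutable letters would give."""
    return math.log2(wordlist_size)


if __name__ == "__main__":
    print(next_from_template("Spring2010"))      # ['Spring2011', 'Spring2012', 'Spring2013']
    print(apply_substitutions("correct horse"))  # c0rr3ct h0r53
    for strategy, guesses in compare("Spring2010", "correct horse").items():
        print(f"{strategy}: {guesses} guesses")
    print(f"one added word: {added_word_bits():.1f} bits")
```

The point the numbers make: once an attacker has seen "Spring2010", the next mandatory rotation costs about three guesses, and turning letters into digits on a known phrase only multiplies the work by a factor of two per letter, while each additional word multiplies it by the size of the word list. Length is the lever that scales.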

Zuckerberg says that people don’t care about privacy anymore, so don’t blame Facebook, but to a certain extent, Facebook is responsible for changing those norms. Do companies like Google have any responsibility to protect your information? Hayden’s students think that because Google gives them things for free, they don’t care about the privacy of their information and in fact expect that Google will use it for whatever they want.

not all proxies are the same

No, I don’t know everything there is to know about proxy servers.

A while back, I panned a book on e-serials collection management. One of the contributors found my review and wrote a response, which I will quote here:

As the person who wrote the essay regarding IP versus proxy access for the E-Serials Collection Management book that you reviewed on your website, I feel the need to respond. First of all, I agree that the amount of time it took between the writing of the chapters and actual publication was a serious concern, particularly since the focus of this book was technology. However, I should point out that the problems encountered using proxy servers have not become a moot point because of the presence of EZproxy and similar products. We have had EZproxy access and an alternative proxy method available on our website (the University of South Florida Libraries) for several years. Unfortunately, this has NOT meant the end of proxy-user problems. With multiple campuses and users in several cities, many problems are still reported each week by users having difficulty connecting. The reasons for the problems are as varied as our users. Personally, I prefer this type of IP access to the use of ID/password but, as with most things, ONLY when it works. Keeping this in mind, I now have a second self-created job title – Cyberjanitor.

My apologies to the author. I was not aware of the difficulties with proxy servers and multiple campuses. My former place of work (EKU) has only one IP range for the main campus and all of the extended campuses, so setting up IP access with vendors is very easy. They use the same login and password required for campus email to authenticate our users, and everyone gets an email account, with the exception perhaps of some adjunct faculty. For that campus, EZproxy works 99.5% of the time, which is far better than having to hand out new passwords to everyone each semester.