ER&L 2010: Opening Keynote – Librarians in the Wild: Thinking About Security, Privacy, and Digital Information

Speaker: Lance Hayden, Assistant Instructor, School of Information – University of Texas

He spent six years with the CIA, after that he attended the UT iSchool, which was followed by working with Cisco Systems on computer security issues. The team he works with does “ethical hacking” – companies hire them to break into their systems to find the holes that need to be filled so that the real bad guys can’t get in.

Many of us are not scared enough. We do things online that we wouldn’t do in the real world. We should be more aware of our digital surroundings and security.

In computer security, “the wild” refers to things that happen in the real world (as opposed to the lab). In cyberspace, the wild and civilization are not separate – they are co-located. Civilization is confidentiality, integrity, and availability. We think that our online communities are entirely civilized, but we are too trusting.

The point is, if you’re not careful about keeping your virtual houses secure, then you’re leaving yourself open to anyone coming in through the windows or the basement door you never lock.

Large herds attract big predators. As more people are connected to a network or virtual house, the motivation to hit it goes up. Part of why Macs seem more secure than Windows machines is because there is a higher ROI for attacking Windows due to the higher number of users. Hacking has gone from kids leaving graffiti to organized crime exploiting users.

Structures decay quickly. The online houses we have built are made of software that lives on real-world machines. Every day, people are finding vulnerabilities they can exploit; sometimes they tell the manufacturers/vendors, sometimes they don’t. We keep adding more things to the infrastructure, and each addition increases the possibility of exposing more. The software and systems we use are not monolithic entities – they are constructed from millions of lines of code. Trying to find the mistake in a line of code is like trying to find a misplaced semicolon in War and Peace. It’s more complex than “XYZ program has a problem.”

Protective spells can backfire. Your protective programs and security systems need to be kept up to date or they can backfire. Make sure that your magic is tight. Online shopping isn’t any less safe than shopping in person, because the vulnerabilities are more about what the vendor has in their system (which can be hacked) than about the connection. Your physical vendor has the same information, often on computer systems that can be hacked.

Knowledge is the best survival trait (or, ignorance can get you eaten). Passwords have been the bane of security professionals since the invention of the computer. When every single person in an institution has a password that is a variation on a template, it’s easy to hack. [side note: The Help Desk manager at MPOW recommends using a personalized template and just increasing the number at the end every time they have the required password change. D’oh!] The nature of passwords is that you can’t pick one that is completely secure. What you’re trying to do is pick a password secure enough to dissuade everyone except the most persistent. Hayden suggests using phrases, then replacing some characters with numbers, and making the password longer, because length increases the number of combinations an attacker has to try.
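The “template plus an incremented number” habit from the side note is something a password-change policy can catch. This is an added example, not anything from Hayden’s talk: a check that reduces a candidate password to its underlying template (trailing digits stripped, common digit-for-letter swaps undone) and rejects it if a previous password reduces to the same template. The substitution table is a constructed assumption.

```python
import re

# Constructed table of common digit/symbol-for-letter swaps; a "template"
# password keeps reusing these from one forced change to the next.
_SWAPS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Trailing digits and punctuation: the part people bump at each change.
_TRAILING = re.compile(r"[\d!@#$%^&*]+$")


def template_of(password: str) -> str:
    """Reduce a password to the template it was built from.

    Drops the trailing counter/punctuation, undoes the swaps above and
    lower-cases the rest, so "L1br@ry2012!" and "library2010" both
    collapse to "library".
    """
    core = _TRAILING.sub("", password)
    return core.translate(_SWAPS).lower()


def is_template_variation(new_pw: str, old_pws) -> bool:
    """True if new_pw shares its template with any previous password.

    Intended for a password-change hook that has access to the user's
    password history (or to hashes of normalized templates, in practice).
    """
    candidate = template_of(new_pw)
    return any(template_of(old) == candidate for old in old_pws)


if __name__ == "__main__":
    history = ["Library2010!"]
    for attempt in ["Library2011!", "L1br@ry2012", "rainy tuesday in austin"]:
        verdict = "rejected" if is_template_variation(attempt, history) else "accepted"
        print(f"{attempt!r}: {verdict}")
```

Storing only the plaintext history is of course not acceptable in a real system; the check works equally well on salted hashes of the normalized template, which is the assumption the comment makes.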

Zuckerberg says that people don’t care about privacy anymore, so don’t blame Facebook, but to a certain extent, Facebook is responsible for changing those norms. Do companies like Google have any responsibility to protect your information? Hayden’s students think that because Google gives them things for free, they don’t care about the privacy of their information and in fact expect that Google will use it for whatever they want.

not all proxies are the same

No, I don’t know everything there is to know about proxy servers.

A while back, I panned a book on e-serials collection management. One of the contributors found my review and wrote a response, which I will quote here:

As the person who wrote the essay regarding IP versus proxy access for the E-Serials Collection Management book that you reviewed on your website, I feel the need to respond. First of all, I agree that the amount of time it took between the writing of the chapters and actual publication was a serious concern, particularly since the focus of this book was technology. However, I should point out that the problems encountered using proxy servers have not become a moot point because of the presence of EZproxy and similar products. We have had EZproxy access and an alternative proxy method available on our website (the University of South Florida Libraries) for several years. Unfortunately, this has NOT meant the end of proxy-user problems. With multiple campuses and users in several cities, many problems are still reported each week by users having difficulty connecting. The reasons for the problems are as varied as our users. Personally, I prefer this type of IP access to the use of ID/password but, as with most things, ONLY when it works. Keeping this in mind, I now have a second self-created job title – Cyberjanitor.

My apologies to the author. I was not aware of the difficulties with proxy servers and multiple campuses. My former place of work (EKU) has only one IP range for the main campus and all of the extended campuses, so setting up IP access with vendors is very easy. They use the same login and password required for campus email to authenticate our users, and everyone gets an email account, with the exception perhaps of some adjunct faculty. For that campus, EZProxy works 99.5% of the time, which is far better than having to hand out new passwords to everyone each semester.

e-serials collection management

Thinking about acquiring your own copy of the book “E-serials Collection Management: Transitions, Trends, and Technicalities”? Don’t bother.

I just finished reading E-serials Collection Management: Transitions, Trends, and Technicalities edited by David C. Fowler. It sounded like a great piece of professional literature that would help me with my job, and probably it would have, had it been published in 2002 instead of 2004. Most of the essays were from the 2001-2002 era of electronic journal management, and with the way the technology and access methods have changed in recent years, most of the essays had become irrelevant before they were even published in this book.

I was particularly bemused by one essay that spent some time discussing the disadvantage of IP access over password access because of off-campus users. The author explained that proxy servers were cumbersome because they required the off-campus user to re-configure their browser settings. Yeah, sure, if you’re not running something like EZproxy, which has been around since 1999.

I feel cheated by the time I spent reading/skimming through this book, and I am sorry that my institution spent time and money in acquiring it for our collection. There is very little in this book that is still useful, and I expect even that will fade away in a few short years. If you feel you must purchase this book, at least do yourself a favor and get a paperback copy.

a light at the end of the tunnel

When I returned to work on Monday, I had recovered from the frustration and stress of the previous Friday, so fixing all of the problems I had encountered with SFX was a much more feasible task than it had seemed before the weekend. In fact, with a clear head and a few MySQL passwords, I was able to get most everything done that wasn’t working for me before. As it stands now, pretty much everything is working as it should be. There are still a few more bugs, but I expect those will be cleared up within the next week or two.

Ever since I discovered the joys of keeping up with several weblogs through my RSS aggregator, I have been doing a lot of reading, but not so much writing. Not that I did all that much writing before, but for instance, this week I didn’t write anything at all, and that was mainly because after reading blogs, email, books, and journals, I didn’t have the energy to think of something of my own to say. So, here I am at 1:30am on Saturday, typing away.

ebay fraud warning

Apparently, this isn’t the first time some bozo has attempted to obtain username/password combinations from unsuspecting victims, but this morning’s email was the first one of these that I have received. I wisely checked with eBay after noticing that the mail headers on this message looked a little odd:

Received: from amiras-station6.minisat.ro (HELO eatmydick2000) (eatmydick2000@80.96.134.37 with login) by smtp.mail.vip.sc5.yahoo.com with SMTP; 29 Jul 2003 23:37:18 -0000

Never, never, never, never assume that an email requesting your username/password combination for anything is legitimate just because the visible From address and the body of the email look valid. Always do your homework before giving that information to anyone. Thank you. This message brought to you by your local friendly cybrarian.
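The “odd” things in that Received header are mechanical enough to check automatically: the first hop is a host in a domain unrelated to the claimed sender, the HELO name is not a fully qualified host name, and the message was submitted through an authenticated personal account rather than a corporate relay. This is an added example, not part of the original post; the sample headers are constructed to mirror the quoted one (with the hostnames, login and IP replaced), and the two-label “registrable domain” rule is a simplifying assumption.

```python
import re

# Constructed sample modelled on the header quoted in the post: mail
# branded as eBay that actually left a dial-up style host in .ro.
SAMPLE_HEADERS = """From: "eBay Billing" <billing@ebay.com>
Received: from mail-relay.example-isp.ro (HELO winbox2000) (user2000@198.51.100.37 with login) by smtp.mail.example.net with SMTP; 29 Jul 2003 23:37:18 -0000
Subject: Please confirm your account
"""

# Received: from <rDNS host> (HELO <name>) (<login>@<ip> ...) by <server>
RECEIVED_RE = re.compile(
    r"Received: from (?P<host>\S+)"
    r"(?: \(HELO (?P<helo>[^)]+)\))?"
    r"(?: \((?:(?P<login>[^@\s]+)@)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[^)]*\))?"
    r" by (?P<by>\S+)"
)


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname (assumption: good enough for this check)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def header_warnings(raw: str) -> list:
    """Reasons the first Received hop does not fit the claimed From: domain."""
    warnings = []
    m_from = re.search(r"^From:.*@([\w.-]+)", raw, re.M)
    m_rcvd = RECEIVED_RE.search(raw)
    if not (m_from and m_rcvd):
        return ["could not parse From: or Received: header"]
    from_dom = registrable_domain(m_from.group(1))
    hop = m_rcvd.groupdict()
    if registrable_domain(hop["host"]) != from_dom:
        warnings.append(f"first hop {hop['host']} is not in {from_dom}")
    if hop["helo"] and "." not in hop["helo"]:
        warnings.append(f"HELO name {hop['helo']!r} is not a fully qualified host name")
    if hop["login"]:
        warnings.append(f"submitted via authenticated account {hop['login']!r}, not a corporate relay")
    return warnings


if __name__ == "__main__":
    for w in header_warnings(SAMPLE_HEADERS):
        print("WARNING:", w)
```

A domain mismatch alone is only a signal, since legitimate bulk mail also arrives from third-party providers; treat any warning as a reason to verify with the purported sender out of band, exactly as the post describes.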