Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak:
- I’ll be speaking at an Informa event on November 29, 2021. Details to come.
The list is maintained on this page.
New paper: “This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces.”
Abstract: Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website http://thispersondoesnotexist.com, taunts users with GAN generated images that seem too real to believe. On the other hand, GANs do leak information about their training data, as evidenced by membership attacks recently demonstrated in the literature. In this work, we challenge the assumption that GAN faces really are novel creations, by constructing a successful membership attack of a new kind. Unlike previous works, our attack can accurately discern samples sharing the same identity as training samples without being the same samples. We demonstrate the interest of our attack across several popular face datasets and GAN training procedures. Notably, we show that even in the presence of significant dataset diversity, an over represented person can pose a privacy concern.
It’s a matter of going after those with deep pockets. From Wired:
Cloudflare was sued in November 2018 by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright infringement because it didn’t terminate services for websites that infringed on the dressmakers’ copyrighted designs….
[Judge] Chhabria noted that the dressmakers have been harmed “by the proliferation of counterfeit retailers that sell knock-off dresses using the plaintiffs’ copyrighted images” and that they have “gone after the infringers in a range of actions, but to no avail—every time a website is successfully shut down, a new one takes its place.” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare. The plaintiffs claim that Cloudflare contributes to the underlying copyright infringement by providing infringers with caching, content delivery, and security services. Because a reasonable jury could not—at least on this record—conclude that Cloudflare materially contributes to the underlying copyright infringement, the plaintiffs’ motion for summary judgment is denied and Cloudflare’s motion for summary judgment is granted.”
I was an expert witness for Cloudflare in this case, basically explaining to the court how the service works.
I feel sorry for the accused:
The “security incident” that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding—after an airline passenger mistook another traveler’s camera for a bomb, sources said Sunday.
American Airlines Flight 4817 from Indianapolis—operated by Republic Airways—made an emergency landing at LaGuardia just after 3 p.m., and authorities took a suspicious passenger into custody for several hours.
It turns out the would-be “bomber” was just a vintage camera aficionado and the woman who reported him made a mistake, sources said.
Why in the world was the passenger in custody for “several hours”? They didn’t do anything wrong.
Back in 2007, I called this the “war on the unexpected.” It’s why “see something, say something” doesn’t work. If you put amateurs in the front lines of security, don’t be surprised when you get amateur security. I have lots of examples.
It’s not actually banned in the EU yet—the legislative process is much more complicated than that—but it’s a step: a total ban on biometric mass surveillance.
To respect “privacy and human dignity,” MEPs said that EU lawmakers should pass a permanent ban on the automated recognition of individuals in public spaces, saying citizens should only be monitored when suspected of a crime.
The parliament has also called for a ban on the use of private facial recognition databases—such as the controversial AI system created by U.S. startup Clearview (also already in use by some police forces in Europe)—and said predictive policing based on behavioural data should also be outlawed.
MEPs also want to ban social scoring systems which seek to rate the trustworthiness of citizens based on their behaviour or personality.
Pretty pictures of a strawberry squid (Histioteuthis heteropsis).
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
This is interesting:
A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.
I’ve never heard of the company.
No details about the hack. It could be nothing. It could be a national intelligence service looking for information.
Facebook—along with Instagram and WhatsApp—went down globally today. Basically, someone deleted their BGP records, which made their DNS fall apart.
…at approximately 11:39 a.m. ET today (15:39 UTC), someone at Facebook caused an update to be made to the company’s Border Gateway Protocol (BGP) records. BGP is a mechanism by which Internet service providers of the world share information about which providers are responsible for routing Internet traffic to which specific groups of Internet addresses.
In simpler terms, sometime this morning Facebook took away the map telling the world’s computers how to find its various online properties. As a result, when one types Facebook.com into a web browser, the browser has no idea where to find Facebook.com, and so returns an error page.
In addition to stranding billions of users, the Facebook outage also has stranded its employees from communicating with one another using their internal Facebook tools. That’s because Facebook’s email and tools are all managed in house and via the same domains that are now stranded.
What I heard is that none of the employee keycards work, since they have to ping a now-unreachable server. So people can’t get into buildings and offices.
And every third-party site that relies on “log in with Facebook” is stuck as well.
The fix won’t be quick:
As a former network admin who worked on the internet at this level, I anticipate Facebook will be down for hours more. I suspect it will end up being Facebook’s longest and most severe failure to date before it’s fixed.
We all know the security risks of monocultures.
EDITED TO ADD (10/6): Good explanation of what happened. Shorter from Jonathan Zittrain: “Facebook basically locked its keys in the car.”
Interesting story of test-takers in India using Bluetooth-connected flip-flops to communicate with accomplices while taking a test.
What’s interesting is how this cheating was discovered. It’s not that someone noticed the communication devices. It’s that the proctors noticed that cheating test takers were acting hinky.
Netflix has a new series called Squid Game, about people competing in a deadly game for money. It has nothing to do with actual squid.
Sidebar photo of Bruce Schneier by Joe MacInnis.