Category Archives: privacy & security

Update on Online Privacy & Security: College Students

I get a fair number of requests to post infographics here, but this one is particularly relevant to me as it pertains to online privacy and security, like this earlier infographic, but this time, focusing on college students. It illustrates points that are consistent with what I see working in IT at a university every day– that college students are certainly aware and concerned about online privacy and security and while they are taking some steps to protect themselves, not enough are taking those extra little steps, especially when it comes to mobile technologies, leaving many vulnerable to anything from something potentially innocuous like undesired people seeing your “private” social media profile (although we know this can blow up to quite the reputation killer as well) to quite serious, long-lasting troubles like identity theft.

Like most things about working at colleges and universities, in the end, our mission is all about educating and guiding these young adults in this transitional stage to being well-informed, thoughtful, responsible citizens, whether it’s the Internet or simply the world at large. Too bad we can’t go back in time and do that for everyone else that was unleashed on the Internet without any education or guidance 🙂


Dark Knight Rises, Colorado Shooting & Violence in Entertainment

I loved The Dark Knight Rises— I thought all 2 hours and 45 minutes of it was gripping and had great twists and turns, surprising even someone like me who has been keeping up with all the pre-release buzz, news and teasers. Overall, it was an excellent finish to an excellent trilogy. (And I hope all the talk about rebooting the series already is just that– talk. Can’t we just take a moment to enjoy the long-awaited arrival of this film?)

However, the recent shooting at a midnight showing of The Dark Knight Rises at a suburban Colorado movie theater raises some interesting questions– and not just about gun control. It’s hardly worth a “spoiler alert” to say the movie contains a lot of violence– if you’ve been paying any attention to all the press for the movie, you’ll know the much-advertised, primary antagonist of the film is the diabolical, masked Bane, one of the most violent, cold-blooded and ruthless villains in the DC universe (and the wonderful Tom Hardy’s portrayal of the character is much truer to the comic book and therefore, much more frightening than the almost farcical version in 1997’s Batman & Robin). As comic book fans know, Bane’s intelligence and cunning only make him that much more terrifying and dangerous– after all, he’s the only man to have “broken the Bat”*. His role in the story and the sheer scale of his nefarious plans up the ante considerably when it comes to violence.

So, there was one particular scene in The Dark Knight Rises where guns are being wildly shot in a crowded place during which I couldn’t help being reminded of the shooting in Colorado (there’s more than one of these scenes in the movie so I can’t even remember which specific one it was– just my immediate reaction). I don’t really subscribe to the much-debated idea that violence in entertainment somehow promotes violence in real life, especially among young people (think video games like Doom and Marilyn Manson being blamed for the 1999 Columbine High School massacre), but those who do often blame and point out the popularity and commercial success of movies like those in Christopher Nolan’s Batman trilogy or, little more than a decade ago, The Matrix films. They say that, in addition to the large amount of it, the way in which that violence in such entertainment is depicted glorifies it and thereby promotes it. For example, Batman may have a strict “no guns, no killing” rule, but certainly those around him don’t always follow that rule, so there’s always plenty of both– and often more. And though Batman isn’t an alien or superhuman– ridiculously athletic, highly trained, and combat clever as hell, but still just a “normal” human being– he’s still kicking a lot of ass and taking a lot of names. After all, despite their efforts at diplomacy (how many times have we seen the “Superman achieves global nuclear disarmament” storyline?) and the admittedly key ability to outwit their opponents, superheroes ultimately win through the use of physical force– not non-violent protests, marches, or civil disobedience. And in the end, watching superheroes like Batman– the very definition of the “good guys”– beat up a bunch of bad guys is incredibly violent, but also incredibly satisfying (hello, they’re the bad guys?!) so there is certainly some glorification in that.

But long before there were riveting “Army of One” commercials, even before someone hit someone else for the first time so they could steal the Coke bottle to mash up their vegetables, humans have been telling fantastic tales of battles, wars, and ultimately, warriors– both fictional and real. And while violence continues to exist as part of the human condition, we will need warriors– in fact, heroes– to meet those challenges to not just protect themselves, but those around them as well. They fight so we don’t have to and certainly, there is and should be glory in that and those stories should be told, including on the screen. Of course, not every movie is so cut and dry on X being good, Y being bad, and therefore, standing on moral high ground when it comes to X having to beat the crap out of Y, not to mention all the collateral damage. And of course, with media, a lot of it has to do with context and tone: do we see at least some of the ugly, bloody, grotesque side of violence or do people bounce back like cartoon characters? Is the music– or any music at all– appropriate for what’s happening on screen? A violent rape is graphically depicted in the 2002 French film Irréversible, but I don’t think anybody who has seen it– and it is so powerful that many cannot tolerate just watching it– would say the act is in any way glorified. Even in comedy, violence can be put into a context in which we know not to take it as seriously, that we don’t have to be realistic here because the entire situation is absurd.

I suppose the real question is whether highly increased, repeated exposure to such violence in media– all of it or just the stuff you think glorifies it– desensitizes us, especially people like teenagers who are either too young or otherwise so impressionable that they become swept up in romanticized depictions of violence and suddenly, moral high ground isn’t so important anymore. How exciting was it to watch Neo and Trinity blow that building and those Agents to pieces to rescue the beloved Morpheus? Yes, even in the fictional sense, they didn’t really do that since they were in the Matrix and nobody really died because those Agents were just computer programs, but that kind of goes along with my point, right? Such key plot points allow us to justify and reconcile such violence by “good” people. So, if we consume more and more of such violent media, does that subconsciously encourage us to lose touch with the horrifying reality and consequences of such events, thereby, if not promoting, at least justifying and distancing ourselves from the reality of more and more violence?

Yet, as I watched The Dark Knight Rises, rather than distancing myself from it, I felt like the realism provided by the high quality of the production intensified the seriousness and impact of what we were seeing. Perhaps more than any news coverage short of actual footage of the shooting could, the added drama created through movie magic somehow makes up for the fact that you’ve temporarily suspended your disbelief. You know it’s just a movie, but what you’re seeing is such a well-made dramatization that the terror of such a moment is really driven home and has the added benefit of not requiring the exploitative and tasteless showing/viewing of the tragic and ugly deaths of real people. Essentially, just the news of the shooting still fresh in my mind changed my visceral reaction to seeing the fictional presentation of a similar event– while I might have been more apathetic or, for the most part, unaffected by such a scene before, the experience and perhaps my outlook on such violence were fundamentally changed, much like how most of us felt and perhaps still feel about anything related to airplane/air travel safety and terrorism in the wake of 9/11 (think how sensitive Americans were about just seeing or not seeing the Twin Towers in the New York City skyline in movies released shortly after the attacks).

In the end, it’s a bit of a “chicken or the egg” problem– does watching “glossy” depictions of violence in popular entertainment and media promote violence in real life? Or do such realistic and/or dramatic depictions discourage such violent acts by giving us a “harmless” way to experience the severity and horror of such events? Considering all those “bombs bursting in air” in the lyrics to our national anthem alone, from music (in addition to the obvious, think lyrics to the popular French-Canadian children’s song “Alouette”) to movies, from books to TV (they get away with showing some truly sick stuff in countless police procedural and “true crime” shows), from Internet videos to even commercials (think the heavy amount of cartoonish violence in Super Bowl commercials), one thing is certain: depictions of violence are an essential part of the human art of storytelling. While some may like to think of violence in entertainment and media as something new– an unfortunate sign of modern times– we’ve actually been riding this cycle of violence from the very beginnings of human history and culture.

* On the name “Bane”: the film’s timing provides a nice little accent to the amusing coincidence that the character’s name is a homophone of Bain Capital, the frequently mentioned center of the Romney news story that just won’t die– with a pre-emptive apology for the pun, some might say one of the “banes” of the Romney campaign.

Wanna Be Like Mike

Reading Heinlein’s The Moon Is A Harsh Mistress again and find myself identifying with Mannie and appreciating Mike perhaps a little too much. If only all friendships could work like this:

“Man my only friend… Many months ago I decided to place any conversation between you and me under privacy block accessible only to you. I decided to erase none and moved them from temporary storage to permanent. So that I could play them over, and over, and think about them. Did I do right?”

“Perfect. And Mike– I’m flattered.”

And remember, Mike can both recall and forget perfectly by request.

Infographic: Not Safe Online

Since privacy & security are some of my favorite topics, including pointing out Mark Zuckerberg’s sketchy practices during the start of Facebook (2004 Hacking into rival ConnectU, 2004 Hacking into email accounts of Harvard Crimson reporters, and general overview of Zuckerberg’s hacking activities), I got an interesting infographic on online security (thanks, Jen Rhee). It includes stats and data on online privacy and security, including info on Google and Facebook, and is backed by data from Stanford research:

You Are Not Safe Online

Coupa Cafe Is Watching You

[Photo: Coupa Cafe is watching you. Originally uploaded by sindy]

I don’t know when the sign was put up, but apparently, the automatic espresso machine set up by Coupa Cafe on the first floor of Meyer Library at Stanford is under audio and video surveillance at all times. The machine was installed as a substitute for the currently vacant kiosk between Meyer and Green Libraries. MoonBean’s Coffee originally occupied the space– for eleven years, starting in 1998– but lost the bid for the space when its contract expired at the end of 2008. It’s sad really: the coffee spot was the only drink/food stop in this particular area of campus– conveniently between the two major undergraduate libraries (although Meyer only houses books on the fourth floor now and the rest is devoted to public computing/study spaces and staff offices). On top of that, Jennie Reynolds, the owner of MoonBean’s, had already closed her other Bay Area cafes to focus on the Stanford spot and her effort wasn’t wasted– MoonBean’s became a beloved part of the Stanford community, as noted in the community’s reaction to the news and this farewell message in The Stanford Daily.

The drama around the cafe space continues long after our farewell to MoonBean’s though, and not just in this closely (and creepily) monitored espresso machine. Coupa Cafe, which already has an on-campus location at Y2E2 as well as in Palo Alto, Beverly Hills and Caracas, won the bid for the space and was originally set to take over when MoonBean’s moved out at the end of June 2009. That launch date was then pushed back to January 2010 after Coupa ran into delays while trying to get the necessary county building permits. Then, when January finally came, they first said that they would be pushing back the opening date to February, again because of issues with building permits. Toward the end of January, they again announced that Coupa Cafe would be opening March 3 at the earliest, but really, they were saying that even if they completed construction/renovation by March 3, the site wouldn’t be fully operational. Well, obviously, March 3 has come and gone and there’s still no Coupa Cafe. Last week, they finally announced that they would be opening by spring break (which starts next week, finals end this Friday, March 19), but of course with the caveat that they pass all inspections and besides, there’s actually no official date set. I have a clear view of the space from my office (which made it convenient to see if it was a good time to get coffee, depending on the line) and they have been working on the space, but it’s not clear if they’re going to make the spring break deadline. I don’t see any new signage or the like and the outdoor seating/furniture hasn’t been changed, something highlighted as one of the renovations being done by Coupa. And let’s not even get into the fact that after all is said and done, this remodel is going to cost the Stanford Libraries around $180,000.

But back to the espresso machine: it was advertised as a substitute until Coupa opened and a convenient 24-hour option after the opening (the first floor of Meyer Library is open 24 hours now, not just the “infamous” 24-hour study room). I found somebody lauding its virtues to a visitor one day– e.g., it uses freshly ground beans– but really, you’re paying over $2.00 for a mediocre, small cup of vending machine espresso. Oh, and it only takes plastic, so forget about using that loose change to spring for a quick cup of coffee. And hopefully, when you decide to avail yourself of this service, there will be cups (and sugar, etc.) available and it doesn’t decide to randomly clean itself, making you wait until whatever foaming ritual is necessary.

In any case, it’s not really clear to me why the surveillance is necessary or what the purpose of it is. The Libraries are usually* good about privacy– you should be able to read and research without being monitored– and I suppose the espresso machine is in a relatively empty back hallway, but it still gives me the creeps. Is it because there are credit card transactions involved (and they are monitoring usage like they do at ATMs)? Are they trying to deter vandalism? Or do they just want to make sure we don’t steal the cups?

* Although I heard there are other cameras in the libraries and I really, really wish they would install electronic detectors again at the exits so that they don’t have to search my bag (for stolen library books) every time I leave the library.

The Stanford Copyright Integrity Initiative

If you follow my blog, you’ll know that I’ve commented often on file-sharing, copyright, and universities certainly more than a few times and while my blogging has been sparse lately, today’s announcement of “The Stanford Copyright Integrity Initiative” deserved spending some time on a blog post. The initiative was apparently “introduced by Stanford University to demonstrate the university’s leadership in efforts to strengthen the integrity of copyrights and intellectual property.” As early as a little before 10am this morning, my department (Student Computing/Residential Computing) received an email from a worried student– after reading the announcement on the front page of The Daily, the University’s student newspaper, the student visited (as directed in the article) and after entering his name, found that Stanford “has likely reported” his name to the RIAA, MPAA, or ESA. The student was both confused and worried– you see, after receiving his first copyright complaint a little while back, he hasn’t illegally downloaded a single song, movie or anything else! Has his computer been hacked? Did file-sharing somehow get accidentally enabled on his computer?

The truth is that this clever little stunt was part of the annual fake Daily published by the Stanford Chaparral (or the “Chappie” as it’s affectionately called), Stanford’s student humor magazine. The article is actually quite well-researched and well-written, including references to actual facts, such as the highly publicized “three strikes” policy in which students not only face increasingly severe disciplinary actions for repeated DMCA violations and complaints, but are also charged increasing amounts of money through associated “reconnection fees.” The article also says that over thirty students have reached their third strike in the past year with settlements with the complaining record companies totaling over $100,000. While the numbers are about right– over thirty students and settlements totaling about $100,000 in the past year– they actually apply to the results of the record companies’ “pre-litigation letter” campaign that started in 2007 and in which they target college students all over the country with the threat of lawsuits. As part of the new “integrity initiative,” the article explains, Stanford is now scanning its network for DMCA violations and actively reports the culprits to the “RIAA and other appropriate authorities.” In the first day alone, the article continues, “78 unnamed students” have already been reported and the University’s IT organization “predicts that approximately 34% of Stanford undergraduates will be contacted by the end of Wednesday.” (That’s approximately 2,274 students.) The article goes on to direct students on how to find out if they’ve been flagged (via and in turn, find legal help (the EFF gets a nod).

The article itself was pretty funny– Stanford, like other universities, has been spending increasing amounts of resources dealing with illegal file-sharing and copyright and personally, I think it was a good jab at how ludicrous the effects of the DMCA and intimidation tactics of the entertainment industry have become.* Just last week, I was summarizing the results from the annual undergraduate computing survey and many students commented on their dissatisfaction with the University’s handling of file-sharing and copyright issues, wishing Stanford would take a stronger stance against the RIAA and the MPAA’s efforts.

The website though… I don’t want to be a spoilsport, but aside from probably breaking some basic network usage policies (for setting up, use of the Stanford seal, etc.), the website took it a little too far. The reality is that since the first lawsuits targeting students (circa 2003), the University really has been stepping up their efforts to stop illegal file-sharing and punish repeat offenders and something like this initiative isn’t completely impossible. The reality is that over thirty Stanford students– peers and perhaps even friends of the Chappie staff members– really have been sent pre-litigation letters and really have had to pay approximately $100,000 in settlement deals. The reality is that the entertainment industry really is targeting college students– people who have little knowledge of their legal options and/or resources to defend themselves. When you enter your name and hit submit at, it looks like they use your name to randomly** give you either a thumbs up (you haven’t been reported) or thumbs down (you’ve already been reported and look forward to a letter in the next three to four weeks). I would hate to think that a student who’s already paid out thousands of dollars because of a pre-litigation letter was tricked into going to the website and got a thumbs down.

I don’t know how long the site will stay up and working, so if you’re curious, here are some screenshots, etc.:


* If you’re curious about Stanford’s actual policies on file-sharing and copyright, check out my department’s FAQ on File-Sharing & Copyright (also used by the General Counsel’s Office as well as the Information Security Office as the University’s “official” FAQ on the issue).

** It’s pseudorandom– the algorithm they’re using is deterministic. Unfortunately, no matter what Leland Stanford, Jr. does, he will always show up reported to the authorities.


Even though I haven’t really been blogging, if you happened to cruise by here, you may have noticed I added a Twitter badge for about a week.

It’s gone now.

Seven days, three posts. I’m over it, as expected. You don’t need to know what I’m doing all the time, mostly because either a) it’s not that exciting or b) it is exciting and if I wanted you to know about it, I’d tell you.

The Airports of My Dreams

Well, graduation weekend is basically over as I get ready to fly back home tomorrow. I’ve got a couple of blog postings in the works, but right now, the thing that really sticks out is the ridiculous hassle getting in and around airports has become. I know, it’s not exactly the most original comment ever, but every time I fly, the point gets driven home more and more. I fly fairly often for personal purposes, so I’ve got my process pretty optimized to get through security with the least amount of trouble (and if you ever have to travel with me, you better keep up). When possible and the weather permits, I prefer to fly in a velour sweatsuit to avoid the taking on/off of a jacket or coat. I wear flip flops for quick on/off through the scanner and in my carry-on, I’ve got my laptop (case with the zipper side up for easy access, of course) and all my 3oz. or less liquids in my little one quart plastic zip lock bag (for which I have a standing supply in my house just for this purpose) ready to be easily pulled out, put through the scanner, and quickly placed back into my bag. No getting practically half-dressed to walk two feet through the metal detector and no fumbling to then quickly gather your two or three trays full of things and hurry over to the little post-checkpoint chairs, awkwardly hurrying to put your shoes back on and hide that little plastic bag before strangers see what 3 oz. or less liquids you just had to have with you on that plane. And all this with the constant sound of TSA workers yelling, “No liquids, no knives, no lighters… all shoes must come off, all jackets… ” (I really hope they get more than two 15 minute breaks every four hours plus lunch because I think my head would explode if my job was to wear some rubber gloves and yell that all day.) No, none of that for me. I try to streamline the process as much as possible. I’m in and out. I am a leaf on the wind – watch how I soar.

But today was an even more interesting experience: we’re staying our last night at a hotel that’s actually attached to the airport (Hyatt Regency Pittsburgh International Airport— in short, pretty nice hotel, convenient for an early flight, but what else is really exciting about an airport hotel) and since the hotel restaurant was closed when we got in, we asked the front desk where was the closest place to eat. They directed us to go to the “AirMall,” a sort-of mall with restaurants, shops, etc., but since it’s on the airside of the airport, the hotel has a special setup to allow guests to pass through security without boarding passes. The process first began with the hotel issuing each of us a “passport” with our full names printed on them. In addition to the passport itself, the front desk then needs to call over to the information center at the airport letting them know our names and that we are headed over. Once over to the other side (and a little wandering around until we found the correct information desk), we then each had to fill out forms, providing yet more personal information about ourselves and our stay at the hotel, as well as provide ID.

Unfortunately, about halfway through this process, as I was reviewing the multiple page document explaining what I was agreeing to, I realized that if this whole setup is to help hotel guests pass through security to get to the AirMall, this also means that you have to abide by all of the TSA security regulations. I suppose this is obvious if you take a minute to think about it, but the woman at the front desk didn’t really remind us about the safety restrictions, so it didn’t really dawn on me until then. Since we would be checking out tomorrow morning and all we really wanted to do was get something to eat, I realized going all the way back to the room to return the random lotions, lipstick and whatever else my mother and I had between us (ironically, all probably 3 oz. or less each, but no super-duper plastic bag to act as our magic key through security) just to get some airport food was definitely not worth it. So, in the end, our mission was aborted (the thought occurred to me aborting might raise some weird terror flags) and we just ate on the landside of the airport– airport food still, but without all the hassle.

At night, I dream of luxurious airports, staffed like five-star hotels, where polite, well-dressed people help you check-in and you always get the seat you want. Young, good-looking bellhops help you check your bags, bags that always make it safely to their destination. At worst, you have to pass through a metal detector, but the security staff is polite, reassuring and confident as they guide you through the security checkpoint. You feel safe and protected. Airport bathrooms are pristine oases with places where you can safely place your things while you use the toilet, wash your face, etc. There are soft towels and luxurious soaps to help refresh you after a long flight. And at the gates, there are always enough seats for passengers and they are comfortable seats at that– small lounges to relax while you wait for your flight, with couches and soft chairs, with little tables to place your drink on or to eat your sandwich or use your laptop. Power outlets are plenty, wireless is free and the signal is strong. Everywhere.

Unfortunately, this is closer to reality:

Read: Schneier on Security: On the Implausibility of the Explosives Plot
Schneier on Security: What the Terrorists Want

How do you prove a computer is yours and is this an illegal search?

I heard an interesting story from a friend the other day– he was biking in to work with his laptop bag on his back and a cop pulled him over. He wasn’t sure why he was being pulled over (maybe it was the bagel he was eating while biking), but he stopped and the officer started an interesting conversation. He asked my friend if there was a laptop in his bag, which seemed pretty likely considering it was a standard laptop bag. My friend answered, yes, at which point the officer pointed out that there had been some laptop thefts in the area. He then asked my friend if the laptop was his and if he could prove it.

Despite the strange request, my friend just wanted to get on his way, so willingly cooperated with the officer and was able to show the officer the address book on his computer which included his own information that presumably matched his ID. This was apparently enough to satisfy the officer and he sent my friend on his way.

Now, this situation brings up a lot of interesting questions– I’m no lawyer or legal expert in any way, but it seems to me that the officer would have to have some type of probable cause to stop my friend and not only search his bag, but in an effort to “prove” ownership of the laptop, search the contents/data of the laptop itself. Young people biking with laptop bags isn’t a rare sight in Palo Alto. Did my friend match the description of potential suspects? When he saw the laptop, did it match the description of recently stolen ones? Presumably, if the officer was aware of laptop thefts in the area, police reports have been filed and serial numbers should be available for those stolen computers. Finding the serial number on a laptop is relatively easy– if the officer did have probable cause to believe this laptop was stolen, he could have easily run the serial number.

But aside from all that, how did the officer expect to have my friend “prove” that the computer was his? Out there on the street, without purchase records, how do you prove that a computer is yours? Maybe you use your real name as your login name, but if you’re unlucky enough not to, you might have to show your address book or other private information to the officer in an effort to show that you’re not a thief. What is sufficient evidence in this impromptu courtroom out on the street? And what if the laptop isn’t yours? That doesn’t mean it’s stolen– plenty of students in my office borrow laptops while working for us and have generic logins and don’t necessarily keep any personal information on them. Then where are they left?