Tuesday, September 17, 2019

Interesting Articles From Usenix

Unless you're a member of Usenix (why aren't you?) you'll have to wait a year to read two of three interesting preservation-related articles in the Fall 2019 issue of ;login:. Below the fold is a little taste of each of them, with links to the full papers if you don't want to wait a year:

  1. Source
    Dan Geer and Wade Baker's For Good Measure: Is the Cloud Less Secure than On-Prem? is the one ;login: article anyone can read now, and you should. It asks a question that is very relevant to the discussion in my Cloud for Preservation post. They analyze data from RiskRecon covering 18,000 organizations, 5,000,000 hosts and 32,000,000 security findings of varying severity. One of their findings is "a statistically significant but very low positive correlation" between the rate of high and critical security findings in the cloud and the percentage of an organization's hosts in the cloud. Their graphs are fascinating. For example, Figure 2 suggests that you need to be either very small or very big for on-premise to be safer, but also that the difference isn't large.
  2. A topic in my report Emulation and Virtualization as Preservation Strategies was how the advent of JavaScript made it possible to run emulations in the browser, and how the advent of WebAssembly (wasm) made even running entire operating systems such as Linux in the browser possible. In Not So Fast: Analyzing the Performance of WebAssembly vs. Native Code, Abhinav Jangda and co-authors describe building a special Linux kernel in wasm, and using it to run the standard SPEC performance benchmarks. They conclude that JavaScript is slower than wasm is slower than native code, and provide interesting suggestions for areas in which wasm performance might be improved. Thanks to the admirable Usenix open access policy for conference papers, you can read the full paper here.
  3. There is a conflict between the needs of preservationists to ensure future researchers access to someone's e-mail, and the someone's need to prevent access now to avoid the kind of public embarrassment that has befallen John Podesta, Sarah Palin, and the clients and staff of Mossack Fonseca among many others. End-to-end encryption is the only way to satisfy the someone's need, but twenty years ago Alma Whitten and J.D. Tygar's Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 explained why people found end-to-end encryption too hard to use. What has changed in the two decades since is that communication between the mail client and the mail agent is now typically encrypted, preventing eavesdropping. But the more common and devastating threat is compromise of credentials, perhaps by phishing or by warrant, allowing the attacker unrestricted access to the mail stored in plaintext on the mail server (not to mention the advertisment placement system). In Making It Easier to Encrypt Your Emails John S. Koh, Steven M. Bellovin, and Jason Nieh describe:
    E3, a client-side system that encrypts email at rest on mail servers to mitigate the most common cases of attacks today. E3 also demonstrates techniques for making key management simple enough for most users, including those who use email on multiple devices.
    I would love to try this, but it would certainly make the task of preserving my e-mail for my future biographer to study much harder, if not impossible. For the full details you'll need to read the paper behind the ACM's paywall (or here).
Go read!

No comments: