IEEE T&S Magazine: Undergoing Transformation

Our magazine is in a transformative period, not only because we are “Going Green” in 2013 but because we are experiencing tremendous growth in quality international submissions. This means that we are increasingly appealing to an international audience with transdisciplinary interests. This has not gone unnoticed by the media, nor by our SSIT readership or wider engineering community.

To those who have sent me personal messages of support, or have noted papers they have enjoyed reading, I thank you. The downside to the success we are experiencing is that we have ended up with a slight backlog of papers awaiting publication. We also need more people to put up their hands to review papers from diverse areas of expertise; we have had to increase our overall rejection rate, sporadically increase our page count, and reduce the word count of some papers that have been accepted. We are looking into various ways that we can overcome some of these issues as we go online next year, especially by using the power Web 2.0 can offer to integrate various facets of our outreach activities. For instance, we are seeking the ability to use a single portal for SSIT news and events, ISTAS conferences, T&S Magazine (with full manuscript registration), SSIT-related social media, and an SSIT blog.

In this Winter (December) 2012 issue we also say thank you to our outgoing Associate Editors, Professor Ming Ivory of James Madison University and Professor Reza Djavanshir of Johns Hopkins University for their contribution to the Magazine over the years. Professor Ivory is now the Director of the Graduate Integrated Science and Technology program at JMU and Professor Djavanshir continues his work in the Innovation for Humanity course at JHU taking students to do research and help with underprivileged societies in Kenya, Rwanda, Peru, and India. I know their link to the Magazine will remain an important one.

Professor Jeremy Pitt

It is my pleasure to announce that our incoming Associate Editors beginning January 1, 2013, are Professor Steve Mann of the University of Toronto, Canada, and Dr Jeremy Pitt of Imperial College London, England. Recruiting both Steve and Jeremy was a strategic decision for several reasons.

Professor Steve Mann

The first and foremost reason for their election has to do with their international standing in the engineering community. Steve, who was an instrumental force at the M.I.T. Media Labs at the time that Nicholas Negroponte was director, has had an awesome impact on the field of wearable computing internationally, and Jeremy has been instrumental in key EU-wide activities on pervasive adaptation, responsible for bringing thought leaders together from across the world. As a prolific inventor, Steve has integrated his science, technology, engineering, and mathematics work with that of design and art (DASTEM), and has never shied away from speaking of the social implications of emerging technologies, especially those stemming from his own inventions. Jeremy’s current research focuses on the logical representation of computational justice in self-organizing networks and infrastructures, and the impact of ubiquitous and adaptive computing on society, commerce, and culture. In his latest edited book, This Pervasive Day (2012), he demonstrates the importance of continually asking the right questions in our quest for advancing humanity.

The second reason for getting Steve and Jeremy on board has to do with their physical locations and online presence. Steve is based in Toronto, Canada, and is well-known in the United States (in fact globally) for his work in DASTEM. Jeremy is based in the U.K. and has a large network into the EU in particular. We need to cultivate and encourage our global presence more broadly, commensurate with the submissions we are receiving from authors residing internationally. Another growth market is in India, China, and Japan, and I look forward to introducing one more Associate Editor from one of these countries in the future. For now, please join me in welcoming both Steve and Jeremy to T&S Magazine. I know they will have a tremendous impact on the Magazine through their ongoing support and counsel.

I would also like to take this opportunity to thank Terri Bookman for being such a tireless Managing Editor for many years. While SSIT has been around for 40 years, Terri has been Managing Editor of the Magazine for 22 years! She has remained our single constant throughout. I feel extremely fortunate to be surrounded by such a great team, past and present, as I head into my second year as Editor.

Citation: Katina Michael, IEEE T&S Magazine: Undergoing Transformation [Editorial], IEEE Technology and Society Magazine, Year: 2012, Volume: 31, Issue: 4, pp. 5 - 6, DOI: 10.1109/MTS.2012.2230072

Privacy - The times they are a-changin'

Introduction

This special section is dedicated to privacy in the information age. In particular, since the rise of mobile social media and the advent of cloud computing, few can dispute that the times have indeed changed. Privacy is now understood “in context” and within a framework that is completely different from what it once was. The right to be let alone physically seems to have been upturned by the right to give away virtually as much information as we like.

What kind of inherent safeguards can be introduced into the data driven society? We cannot argue for privacy as a natural right if we ourselves do not respect the laws that govern the use of personal information - except for those instances when we become the victims of our own folly (or otherwise through security breaches). We cannot ask for the application of law only on those occasions when we find ourselves on the wrong side of the new openness, so as to escape the consequences of being defrauded or having our identity stolen, or when we are the subjects of blackmail or cyber bullying.

Police services must also be held accountable when there are surveillance laws that are not being enforced as a consequence of new technologies. These laws do not suit the new range of high-tech policing capabilities - everything from body worn video recorders for “always on” surveillance of the citizenry to the use of opinion net monitors on social media such as Facebook. For the most part we are struggling with out-of-date and outmoded listening and surveillance device acts, privacy acts, telecommunications acts and interception acts, and we are moving toward data retention legislation that will make audit and compliance of every transaction mandatory in business and government. And if the laws are not outdated then they will often contradict one another or overwrite each other, providing those chartered with authority the continued ability to engage in mass surveillance.

Commercial entities create privacy policies that are seldom read - more a shortcoming of the trust and indifference of some subscribers and the complete ignorance of others about the collection and use of personal information. Internet search giants are now joining numerous product-focused policies into a single policy, and in so doing limiting their liability while increasing that of their subscribers. It is evident enough that consumers cannot win; they go with the flow to keep au courant of the constant change, never quite being in control even if they believe themselves to be. The network increases in stealth and size as more and more personal data is fed into it.

We are told there are a number of solutions to the current privacy problems - 1) build in privacy to the design of new technologies at the engineering and commercialization stages, 2) ensure that appropriate crimes legislation and provisions are in place so that there are harsher penalties for people who breach the privacy rights of others, and/or 3) leave it to commerce itself to deal with using a number of ways to protect consumer privacy through technical standards and industry codes of conduct.

Some of the articles in this special section address these issues from a variety of stakeholder perspectives including government, non-government organizations, industry, and consumers. If we have privacy problems then we remain hopeful there must be solutions. But clearly the solutions are limited, if only because of the insatiable nature of the beast.

There is also a discernible movement from what was once considered a brave new world to the open innovation model that is heralding an even “braver new world.” We are correspondingly doing away with the familiar George Orwell motifs and sentiments, and moving toward that of the Big Data “all you can eat and stomach” model. This new practice is supposed to give rise to a collective intelligence never before seen, a global brain of purposive inflows and outflows of knowledge to accelerate discoveries and increase productivity. Anyone still stuck on the existential and privacy concerns raised by 1984 might as well give up on the debate; at least this is what we are being pushed to believe by the transnationalist capitalist class, which has globalized at unprecedented speeds. Recently G.T. Marx has again reminded us of the technique of normalization. And so for those gloomy students of Thomas Hobbes, for their numbers have also been increasing, Leviathan will take on newer and more sinister connotations.

There is for sure much to be gained from Big Data, from open innovation, from sharing our knowledge as one global community. Yet sharing openly might be the utilitarian approach that serves the greater good at the expense of the individual. In terms of consumerism, this is and will in all probability forever remain one of the great paradoxes of our post-industrial society. Making certain individual claims about health and disease, for example, will inevitably help communities overcome or become more resilient to them, but they will also impact the individual asymmetrically by subjecting them to even more detailed forms of scrutiny such as social sorting and potential insurance typecasting. Our online searches reveal more about us than we might like to think - we could to some large degree be determining our own destiny by what we enter into that little space we call the search box.

So what are we supposed to do then? We cannot simply give up the battle for maintaining our right to privacy. This special section is not about giving it up without a good fight. It is about finding inspiration in how we can offer something that works for all parties - but mostly for citizens if we are to embrace user-centered engineering approaches that are secure and long lasting. There is indeed much to gain from new and imaginative online business models if they are used for the right purposes and in the right way. Conversely, we are headed for dangerous waters if these models are abused and mismanaged by those who are in charge.

We have endeavoured here to offer an international Special Section with a wide range of perspectives. Some articles digress on viewpoints, but all of our expert authors are willing to have open dialogue and to seriously engage in the public forum. We must capture these and other consonant opportunities to speak now while we can, that we might together come up with a global approach to arrest alarming developments that threaten to turn privacy into a thing of the past. Privacy does matter. It is both the stuff of dreams and of identity.

IEEE Keywords: Privacy, Data privacy, Security, Social network services

Citation: Katina Michael, 2012, Privacy - the times are a-changin', IEEE Technology and Society Magazine, 31(4),

Securing Cyber-Physical Critical Infrastructure (Book Review)

Handbook on Securing Cyber-Physical Critical Infrastructure: Foundations and Challenges

Das, Kant and Zhang have done a brilliant job editing Securing Cyber-Physical Critical Infrastructure, bringing together a who's who list of researchers and practitioners. Das is a University Distinguished Scholar Professor of Computer Science and Engineering at the University of Texas at Arlington with more than 500 published papers, three books, and the editorship of Elsevier's Pervasive and Mobile Computing journal. Kant is a research professor at the Center for Secure Information Systems at George Mason University, Fairfax, VA. Kant comes equipped with many years of academic experience and industry exposure at Bell Labs, Telcordia and Intel, as well as government positions including at the National Science Foundation (NSF). Finally, Zhang, the third editor, was an assistant professor of Computer Science and Engineering at the University of Texas at Arlington from 2006 to 2008 and is currently researching databases and information security/privacy. Zhang received the prestigious NSF CAREER award in 2008.

This 800+ page handbook is divided into eight parts and contains thirty chapters, ideal for either an advanced undergraduate or graduate course in security. At the heart of this handbook is how we might go about managing both physical and cyber infrastructures, as they continue to become embedded and enmeshed, through advanced control systems, and new computing and communications paradigms.

Part I provides theoretical foundations in the areas of control theory, game theory and epidemic theory as applied to cyber-physical infrastructure management. Part II focuses on security for wireless mobile networks. Robert Brammer, who wrote the foreword of the handbook, emphasized the successes of the New York City Wireless Network (NYCWiN), motivated partly by the events of 9/11. NYCWiN became operational in 2009 and its cyber-physical systems architecture has addressed issues in the control of transport, public health, environmental quality and communications during critical emergencies. Part III covers security for sensor networks, which are fast becoming integral for monitoring and controlling cyber-physical systems. These systems provide much of the feedback mechanism, forewarning or alerting subsystems when things go wrong. As we increasingly become reliant on sensor networks, we need to ensure that they are secure and reliable.

Parts IV and V position the importance of platform security, and address cloud computing and data security. The section on platform security includes chapters on traditional hardware and software vulnerabilities and presents solutions that could be employed to make it even more difficult for large-scale systems to be penetrated. The section on cloud computing makes sure to emphasize how systems are changing in terms of outsourcing to companies whose core competency is information technology infrastructure, platforms and services. The cloud, mobile devices, and online social networks are in particular creating opportunities for hackers to cause data breaches, and this is discussed in detail.

Parts VI and VII are on event monitoring and situation awareness, as well as policy issues in security management. These chapters provide approaches to systems monitoring, discovery and tracking of patterns of interest in security data streams, discontinuous clustering, sequencing, geo-spatial temporal correlations and other event detection mechanisms. For those seeking examples of how such systems monitoring occurs, there are equations, algorithms, proofs, process flows, physical infrastructure layout maps, pictorial evidence, graphs, tables, and example simulation outputs to spend hours and hours exploring further. Finally, policies, access control and formal analysis methods for overseeing security in cyber-physical critical infrastructure are also shown.

The biggest highlight for me personally was the coming together of Parts I–VII in the security issues in real-world systems presented in Part VIII which brings home the relevance and timeliness of this handbook today. Chapters 25–30 could have been a book in their own right for their depth of insight into emerging smart infrastructures – including smart grids, automotive information technology, mobile health care systems, internet infrastructure, emergency vehicular networks, and more broadly unified telecommunications infrastructure using Voice over Internet Protocol (VoIP). It is not too difficult to see the complexities of these big systems needing to interact with each other and the security and privacy concerns this might raise.

As noted by the authors, the handbook could be used to cover courses on security and robustness of computer networks, the security in physical infrastructure, or even the security in cyber infrastructure. Today, we are witnessing a paradigm shift toward autonomous systems, and despite most physical infrastructure being considered legacy, even the old wires and cables are becoming “switched onto” the cyber. An understanding of both these elements is crucial in engineering and maintaining better working and resilient systems for the future.

Citation: Katina Michael, [Book Review]: Handbook on Securing Cyber-Physical Critical Infrastructure: Foundations and Challenges, by S.K. Das, K. Kant, N. Zhang. Elsevier/Morgan Kaufmann, Volume 31, Issue 8, November 2012, p. 1013, DOI: https://doi.org/10.1016/j.cose.2012.07.007

Social Implications of Technology: "Il buono, il brutto, il cattivo"

Late last year, IEEE SSIT was invited to put together a paper for the centennial edition of the Proceedings of the IEEE for publication in May 2012 [1]. The article, “Social Implications of Technology: Past, Present, and Future,” brought together five members of SSIT with varying backgrounds, and involved two intense months of collaboration and exchange of ideas. I personally felt privileged to be working with Karl D. Stephan, Emily Anesta, Laura Jacobs, and M.G. Michael on this project.

It is important to go on record as saying that while there was harmony in the final paper delivered to the Proceedings, there was certainly some tug-of-war related to the themes and perspectives addressed in the paper. We carefully critiqued each other's writing and, some twenty-three drafts later, came out with the final product, some thirty pages in length. The paper included 29 telling photographs and about 180 references, many sourced from IEEE T&S Magazine.

Controversy, conflict, disagreement, discord, and disharmony make for a good plot, joining together once disparate ideas. Without this cross-disciplinary dialogue and dichotomy there cannot be a holistic analysis of the observable facts. In the Proceedings paper, we attempted to write a balanced article, at times oscillating between positive and negative social implications of technology, externalities and advances as a result of technology, and the risks versus rewards of technology's trajectory.

IEEE-SSIT is clearly not just about the adverse effects of technical change but indeed concerned with how technology can be harnessed toward optimistic ends. IEEE Technology and Society Magazine especially has a duty to its community of engineers and practitioners to publish at both ends of the spectrum, the successes and failures of technology in terms of social implications.

But more than that, T&S Magazine has a responsibility to capture what is happening, has happened, will happen. Our publication needs to move away from the mentality that says “this paper” or “this author” is for technology or against technology. This is to oversimplify many of the cases that have been published thus far in T&S. In some of the strongest articles I have read, what emerges after my reading is a depiction of a phenomenon that just “is what it is.” What makes good research is usually a good story that can capture the good, the bad, and the ugly.

As editor in chief, I will make it my goal to attract papers of all kinds — on the use and misuse of technology. You simply cannot have one without the other because the human factor is prevalent in design and deployment. I would be doing the Magazine a disservice if suddenly I were to put blinkers on to claim that technique can do no wrong, independent of whose hands it is in. This is simply not the case. If the number of papers about the negative social implications of technology seems to dominate over those on positive social implications, it has only to do with the types of papers the Magazine receives as submissions.

We cannot print articles that demonstrate the benefits of technology if they have not been written and submitted for consideration. I urge you to think about writing something we can publish that reflects positive impacts of technology. I am thinking of topics such as: how affective computing can help autistic kids, the use of high frequency data streams to improve outcomes for premature infants, the advantages of using wearable technologies to do remote vocational training and assessment, the benefits to the global community of data visualization techniques for online museums, electronic methods for reducing an individual's carbon emissions footprint, historical articles that show how indigenous communities have attempted to preserve aspects of their culture through technology, using assistive social robots to care for the elderly and the young, and so forth.

As editor, however, I will not ignore articles that demonstrate that technology can be misused. I welcome papers on technology-related addictions and health risks, on consumer resistance to new technologies, on citizen rights to use technologies for counter-surveillance, on the complications of data custodianship and cloud computing, on the increasing pervasiveness of geomatics engineering, and on the rise of cyberbullying and offenses against the person committed online.

What I am most concerned with is that T&S Magazine - at least in mindspace - keep pace with the times. Let us see more papers on how engineering will advance humanity but let us also question whether or not technology will always advance humanity.

In this case, the problem was with the District of Columbia Water and Sewer Authority (WASA), and with two U.S. federal agencies that are supposed to protect the public against hazardous substances and processes: the Environmental Protection Agency (EPA), and the Centers for Disease Control (CDC). Much of the problem (which is quite complex) was due to a change in the chemicals used by WASA for protection against bacterial contamination. An important consequence of this was a great increase in the leaching into the water of lead from brass pipes.

WASA and the EPA rejected the analysis by Edwards, despite its being supported by substantial real-world data. The CDC issued a report that downgraded the importance to health of lead in drinking water. Both WASA and the EPA withdrew financial backing for Edwards' work, putting him in a difficult position. But he persisted, at one point paying his student assistants out of his own pocket. Ultimately all three agencies conceded that his position was valid, and steps to alleviate the problem were initiated.

Over the past three decades, somewhat more attention has been paid to ethics in engineering curricula, but no meaningful progress has been made to provide real support for engineers, such as Edwards and DeKort, who take such teaching seriously. While, several decades ago, the IEEE took some steps toward helping ethical engineers, it later backed out of this area completely. The IEEE Ethics and Member Conduct Committee and its members are now not allowed to give advice to engineers on ethical matters.

References

1. K. D. Stephan, K. Michael, M. G. Michael, L. Jacob, E. Anesta, "Social implications of technology: Past present and future", Proc. IEEE, vol. 100, no. 13, pp. 1752-1781, 2012.

Citation: Katina Michael, Social Implications of Technology: "Il buono, il brutto, il cattivo", IEEE Technology and Society Magazine, Volume: 31, Issue: 3, Fall 2012, pp. 4 - 5, Date of Publication: 26 September 2012, DOI: 10.1109/MTS.2012.221139

Hacking: The Next Generation (book review)

Hacking: The Next Generation demonstrates just how hackers continue to exploit “back doors”. New ways of working and new ways of communicating have meant that the number of attack vectors continues to rise rapidly. This provides hackers with a greater number of opportunities to penetrate systems using blended approaches while organizations struggle to come up to speed with the latest technology developments and commensurate security capabilities. Dealing with anticipated threats is a lot harder than dealing with known threats.

Dhanjani, Rios and Hardin are skillful in their analysis of hacking in the next generation, providing coverage of classic traditional attacks, as well as emerging threats in the cloud, mobile devices, and social networking. Emphasis is placed on phishing attacks, targeted attacks versus opportunistic attacks, and the well-known but increasingly troublesome insider attacks. The threesome are especially equipped with security-related knowledge – Dhanjani, now a senior manager at Ernst & Young, was previously the senior director of Application Security and Assessments at Equifax; Rios is a security engineer with Microsoft; and Hardin is a security research lead with McAfee.

On June 6, LinkedIn, the largest professional social network, was hacked and 6.5 million unique hashed passwords appeared on a Russian cybercrime forum. Within the first 24 hours, it was purported that more than 200,000 passwords had been cracked. And not long after that, dating agency eHarmony and music site Lastfm.com also discovered that the passwords of a small fraction of their user bases had been compromised. As individuals scramble to remember passwords for a diverse array of online applications, the possibility that anyone having access to the leaked passwords could penetrate personal accounts on other online applications was very high. This book does not shy away from dealing with potential security breaches of this magnitude, and demonstrates how hackers might go about orchestrating such an attack.

Beyond a doubt, all the technical know-how proliferating in the hacker community is cause for concern, but the traditional art of social engineering is developing just as fast in complexity and methodological rigor, as shown in this book. Coercion, manipulation and influence are just some of the tools of persuasion used by hackers against employees of organizations. But even more brazen have been the efforts of hackers against executives who may have a wealth of strategic business knowledge but little in the way of street sense when it comes to technology and, more specifically, non-technical security attacks. In fact, most executives today feel overwhelmed by the amount of organizational communications (and spam) they receive and happily grant their personal assistants access to a number of collaborative applications, including web conferencing, email and social media.

Critical data is also being leaked outside the organization using non-traditional tools, meaning that perimeter-based defense models are just not effective. These data leaks, while difficult to quantify unless penetration testing is regularly conducted, cost organizations significant losses annually. But it is the “unknown” component of these losses which is especially worrying to organizations whose business models dictate an agile workforce through mobile and cloud solutions, connectivity between stakeholders for relationship management, and similar extensions.

What you can expect from this book is to learn new things about hacking that you were not aware of. I personally tested some of the scenarios and cases described in this book with an executive who initially did not believe that these were realistic hacking techniques that hackers would perform but who soon admitted to their possibility and potentiality.

The book is armed with excellent freely available online reference sources, commands that can be literally typed into an operating system, including programming source code, typical scenarios and role-play dialogues, and many supporting illustrations. It is bound to make you think differently about hacking as you might understand it in the new threat landscape.

Citation: Katina Michael, [Book Review] "Hacking: The Next Generation", by N. Dhanjani, B. Rios, B. Hardin. O'Reilly, Computers and Security, Vol. 31, No. 6, Sept 2012, p. 79, https://doi.org/10.1016/j.cose.2012.06.005

The Idio-Technopolis

The rapid rise of social media has brought with it an emphasis on the distinct dimensions of the whole person. Social media recognizes that the individual has a personal network of extensions - a home life, a work life, a social life, a study life, a hobbyist life, and much more - some of these identities even hidden from full view. Each of these online value networks is now accessible by big business, where opinion leaders and early adopters are easily distinguishable, and where brand commentary between consumers matters manifold more than any form of targeted advertising.

When I started out as a pre-sales network engineer I would dimension traffic based on parameters such as the number of homes passed, as in the case of cable television networks, or the amount of upstream and downstream data traffic going between the head office and the remote office branches, typically measured in T1s. These measures, while still important in the realm of availability, redundancy, optimization, expansion, and unification of networks, can for the greater part now be considered legacy thinking.

The next generation of networks will not be about the number of homes and businesses passed or about the school, bank, hospital, or government building that needs services - these will all be catered to by fiber-to-the-curb technologies and high-speed mobile broadband. Rather, the next generation of networks is about the “you” in the equation. The “you” encapsulates your mind space and your bodily space, everything that constitutes your life and every other life or thing it touches. In computing speak, it is about the person-to-person relationships, person-to-system relationships, and person-to-object relationships. The “you” becomes an integral component in the web of things and people (WoTaP).

By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=29289503

You cannot explicitly share ownership of the new applications. It is individuals who own Twitter accounts and LinkedIn profiles and Facebook pages and Skype contacts. And more often than not, technologies also belong to the individual - it is the “I” that maintains his/her own iPod, digital camera, smart phone, laptop, television, and more.

Social media, like location-based services, have micronized the technopolis (i.e., the science park) to embody that which is distinct, separate, and different in the anthropos (the human). Yet the paradox of servicing the idio-technopolis has meant that everyone is seemingly on the same level playing field. Everyone is theoretically a “friend,” or a “contact,” or a “member,” even though they might actually be your own father or mother, brother or sister, best friend or acquaintance, employer or work colleague, or even a total stranger. In this flat hierarchy there is a great opportunity for expression, but there is also the possibility of the complete loss of respect and the potential for abuse. Social media allows for the externalization of the personal and at the very same time the monetization of the human being. Thus, the “member” becomes the product that is “for sale.”

The paradox is that “one's own” connections, while “private” and “personal” (i.e., idio), are being made quite “public” and “common” - not just in terms of accessibility by anyone, anywhere, but in terms of becoming explicit. New mashups and data aggregation engines can tell you things about yourself that you didn't even know, let alone knew existed. The risk in this type of profiling is that you are ranked and rated for just being “you.” The greater your online activity, the greater your importance to the network in all its forms. What does this idio-technopolis mean for the individual? For the family? For society?

    I am excited about this special issue for the reason that the benefits and concerns of the new technologies are highlighted. I would like to thank Professor Michael Loui for guest editing this special issue. I know first-hand the many hours he took to put the papers through a rigorous two-stage review process seeking feedback from experts in the field and ensuring the papers met all the expected requirements. May I take this opportunity to ask you to place ISTAS'12 on your calendar. It promises to be a great gathering. (See announcement on p. 4.) I hope to see you there.

    Citation: Katina Michael, The Idio-Technopolis, IEEE Technology and Society Magazine, Year: 2012, Volume: 31, Issue: 2, pp. 5 - 12, DOI: 10.1109/MTS.2012.2202011

    Securing the Cloud (book review)

    Securing the Cloud: Cloud Computer Security Techniques and Tactics

      With so much buzz around Cloud Computing, books like this one written by Winkler are much in demand. Winkler's experience in the computing business shines through, and as readers we are spoiled with a great deal of useful strategic information – a jam-packed, almost 300-page volume on securing the cloud.

      Winkler, presently a senior associate at Booz Allen Hamilton, has had more than 30 years of experience servicing U.S. Government clients, serving as Chief Technologist for Security for the Sun Microsystems Public Cloud, and working in applications engineering and in IT operations and management in a number of organizations. Winkler has numerous technical conference publications, and among his many achievements, he was a visiting cyber security expert authoring the Information Security policy for the Government of Malaysia.

      The book begins with a much-needed introduction for those who are new to cloud computing. Winkler describes how the cloud works, the importance of securing the cloud, and its fundamental architecture.

      Chapter 2 goes into greater detail on the cloud reference architecture, introducing cloud service and deployment models, differentiating between public, private, community, and hybrid clouds, and describing the cloud software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) models.

      To be commended, before entering an in-depth discussion on how to architect a secure cloud, Winkler spends chapter 3 discussing security concerns, risk issues, and legal aspects. As a privacy specialist myself, I find it very heartening to see that Winkler addresses those very difficult questions that every client asks about privacy and confidentiality concerns, data ownership and locale concerns, and other aspects like emerging threats, third parties, data privacy, and litigation.

      Chapters 4–6 are all about ways in which we can secure the cloud – the underlying architecture, data security, and key strategies and best practices. These chapters are at the heart of the book, as we are taken on a guided tour of standards and policies, honeypots, sandboxes, network and cabling patterns, and the like. For the important area of data security within the cloud we are introduced to the idea of control over data and public cloud economics, ownership and custodianship, data encryption and its limitations, and access control techniques for data categorization. The deletion of data within the cloud is also discussed, something that is becoming vital given the lessons learnt in the social media environment. Key strategies and best practices in securing the cloud are presented in chapter 6 from first principles. NIST definitions are given for security controls, and unclassified and classified models are compared. Security monitoring by the CIA is addressed, and the emphasis is placed on reliable streams of data – a notion introduced as MaaS, Monitoring as a Service.

      Chapters 7 and 8 look at security criteria with respect to building an internal cloud (i.e., a private cloud) versus selecting an external cloud provider. The internal cloud choice is based on the security implications of the trade-off between a shared and a dedicated resources solution. Criteria for ensuring a secure private cloud include network considerations, data center considerations, operational security considerations, and regulation. For the selection of an external cloud provider, a discussion is given on assurance and on how to independently verify the claims made by a given vendor.

      Chapter 9 is about evaluating your cloud security using an information security framework. Checklists are provided to help cloud personnel evaluate the stealth of their given solution, including a method for placing metrics against the checklists.

      Chapter 10 is about operating a cloud and is very much intended for the manager who is in charge of the business case for a cloud solution. Processes, efficiency, and cost are all covered, as are the security operations activities that typically relate to business continuity and recovery.

      As a former pre-sales engineer, what I loved most about this book was the obvious hands-on strategic and technical experience that Winkler brought to every aspect of it. It is really a practitioner's guide to cloud computing security. I appreciated the descriptive figures, the tips, the warnings, the notes, the tools, the stories of failures and successes, but most of all the comprehensive nature of the real-world descriptions.

      Citation: Katina Michael, [Book Review] "Securing the Cloud: Cloud Computer Security Techniques and Tactics" by Vic (J.R.) Winkler. Computers & Security, Vol. 31, No. 4, June 2012, Page 633, Syngress|Elsevier, https://doi.org/10.1016/j.cose.2012.03.006

      The Basics of Information Security (book review)

      Dr Jason Andress (ISSAP, CISSP, GPEN, CEH) has written a timely book on Information Security. Andress, who is a seasoned security professional with experience in both the academic and business worlds, categorically demonstrates through his book that underlying the operation of any successful business today is how to protect your most valuable asset – “information”. Andress completed his doctorate in computer science in the area of data protection, and presently works for a major software company, providing global information security oversight and performing penetration testing and risk assessment.

      In the last 12 months we have all witnessed a variety of large-scale attacks on corporations and public sector agencies via hacking groups like Anonymous, who have used SQL injections, distributed denial of service (DDoS) attacks, advanced persistent threats (APT), and zero-day exploits to penetrate systems. Less visible and quantifiable have been insider attacks where data leakage has occurred as a result of industrial espionage.

      Mobile computing, social networking, and cloud computing have all acted to heighten information security concerns, prompting chief information officers (CIOs) to reflect on their business practices. Of great significance today within an organizational setting is the knowledge of how information is gathered, stored, and accessed by all staffing levels.

      From the outset Andress offers models for discussing security issues – beginning with the confidentiality, integrity, and availability triad known as CIA. After doing so he describes the various types of attacks including interception, interruption, modification, and fabrication. He also introduces the difference between threats, vulnerabilities, and risk and discusses approaches to mitigating risks such as physical controls, logical controls, and administrative controls. While this is commonplace in most security fundamentals books, it is helpful to get the brief summary version so succinctly.

      Chapter 1 ends with a discussion on a strategy common to military maneuvers known as “defense in depth”. A range of suggestions is made on how to ensure that each layer in defense in depth is protected. Among these solutions are penetration testing, vulnerability analysis, backup, access control, encryption, content filtering, password hashing, logging, auditing, antivirus, firewalls, intrusion detection and prevention systems, stateful packet inspection, proxies, demilitarized zones, and the like. This “defense in depth” approach, with corresponding solutions, forms the basis for the segmentation of the book at large.

      Chapter 2 introduces the reader to the fundamental concept of identification and describes various ways of authenticating a system user, from multifactor authentication to biometrics and hardware tokens. Chapter 3 describes authorization and access control lists (ACLs) with an emphasis on read, write, and execute permissions. This chapter ends by discussing a variety of ACL models, including discretionary access control, mandatory access control, role-based access control, and attribute-based access control. Chapter 4 is a brief chapter focusing on auditing and accountability, touching on the themes of non-repudiation, deterrence, intrusion detection and prevention, and the admissibility of records.

      Chapter 5 covers cryptography and the cryptographic tools that are available for protecting data “at rest”, “in motion” and “in use”. The distinction is made in this chapter between protecting the data itself versus protecting the connection. Symmetric and asymmetric keys are described as well as other cryptographic tools such as hash functions, digital signatures, and certificates.

      Chapters 6 and 7 offer some practical insights into operations security and physical security. In these chapters the reader is introduced to the importance of identifying which data in their corporation is of value. The operations security process begins with the identification of critical information, proceeds through an analysis of threats, vulnerabilities, and risks, and ends with an application of countermeasures. The emphasis is on (1) knowing the threats, (2) knowing what is of value to protect, and (3) the knowledge that if something of value is left unprotected, then inevitably it will be taken. Chapter 7, on physical security, is about physical security controls protecting people, data, and equipment. It is mainly about infrastructure, the potential for physical threats, and how those threats can be curbed through physical security controls. These controls are divided into three types: deterrent, detective, and preventive. The chapter is comprehensive in examining how businesses should choose appropriate sites for their particular type of work, people, data, and equipment.

      Chapters 8 through 10 address network security, operating system security, and application security. The latter chapter is focused on how attackers might take advantage of highly exposed online applications such as business-to-consumer electronic commerce self-service systems. Software development vulnerabilities, web security, and database security are each described in the final chapter.

      The book includes illustrations and figures demonstrating key information security ideas, alerts to make the reader aware of particular insights, more advanced details for those wishing to do their own research above and beyond the contents of the book, and real-world example summaries pertaining to key terms throughout the book. There is also an accessible bibliography, mainly made up of online resources. The exercises at the end of each chapter also make this a good book for a first-year security college class. It does not, however, include any practical exercises whatsoever, and so hands-on laboratory sessions would need to be developed to give the prospective student some idea of how some of these information security solutions would actually work in practice. All in all, this book is for those new to information security and for persons who are looking to learn about the underlying concepts at the heart of information security in organizations. It is not an overly sophisticated book, but it does achieve its purpose.

      Citation: Katina Michael, [Book Review] "The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, J. Andress. Syngress Elsevier", Computers & Security, Volume 31, Issue 4, June 2012, Pages 634-635, DOI: https://doi.org/10.1016/j.cose.2012.03.005

      Editorial: In Memoriam of Associate Professor Dr Elaine Lawrence

      Katina Michael, Technical Editor, April 2012

       In memory of Elaine Lawrence, Australia

      Despite being a graduate of the rigorous Bachelor of Information Technology at the University of Technology, Sydney (UTS) in 1996, I was unfortunate in that I missed being taught by Associate Professor Elaine Lawrence who began working at UTS in 1990 as a Lecturer in Computing Science. Dr Lawrence became a senior lecturer in 2000, and subsequently an associate professor in 2006. Our paths crossed in 2002 when I was tasked to deliver a new course entitled “eBusiness Principles” in my first year of lecturing at the University of Wollongong, and after an initial scurry to find an adequate textbook, I came across Dr Lawrence’s ground-breaking text Internet Commerce: Digital Models for Business. Lawrence’s book was a best-seller for Wiley, adopted by almost every course coordinator teaching e-business/e-commerce in Australia, at a time when information technology had burgeoning undergraduate numbers.

      When my PhD supervisors, Professor Joan Cooper and Associate Professor Carole Alcock, suggested to me that Dr Lawrence would be a good choice for an examiner in 2003, I must say I was more than a little nervous. After doing some background research on the web to see the fit, I was in even greater awe noting the impact Dr Lawrence was having on the teaching of industry certifications, and the creation of new courses. Elaine was the Program Leader of the popular Masters of Internetworking degree at UTS and as a qualified Cisco Certified Academic instructor (CAI) she began the CISCO certification courses delivered at UTS, in addition to contributing a plethora of materials to the CISCO Academy that were used by an estimated one million persons globally. Lawrence also tested international teaching materials for CISCO in Ireland and the United States and was the NSW representative for the Educational Council for CISCO. I had spent five years at Nortel Networks, a CISCO competitor, and immediately felt an affinity with her background.

      Dr Lawrence was the first student to complete the Doctor of Technology at Deakin University in 2001. In addition to this, Dr Lawrence had a Masters of Business Information Technology, a Graduate Diploma in Commercial Computing and a Bachelor of Arts (awarded the university prize for Journalism). She was a very active senior member of the Australian Computer Society (ACS) for more than 20 years and also a member of the Institute of Electrical and Electronics Engineers (IEEE).

      In 1994 she began her own company called CyberConsult, which had among its customers Sydney Water, the Australian Institute of Management, Unilink and the Australian Computer Society. I do remember being taken by the fact that her slogan for her consulting business was “The Human Side of Technology.” Given my thesis was all about emerging technologies and their implications, I found peace in the fact that Dr Lawrence was a potential marker.

      After receiving my PhD I corresponded with Dr Lawrence, appreciative of her genuine feedback on my thesis and ways to improve it. She was the perfect academic role model for me, and a wonderful mentor from the outset, although our relationship just developed naturally and we enjoyed corresponding with one another without the labels of mentor and mentee. I remember distinctly that Dr Lawrence had a way with words and she was always armoured with a graceful and tactful way of providing advice. She was reassuring at first, then encouraging, and then quite direct using sentences like “why don’t you consider submitting research to” or “you know this audience would be quite accepting of this perspective”. Amazingly Elaine never seemed in a rush, and yet somehow she did so much! She always made you feel important in her presence and that she had all the time in the world for you.

      In 2003, I had the opportunity to contribute to Dr Lawrence’s best seller, and began work on a number of fresh case studies for the latest edition of Internet Commerce, which was in fact Elaine’s second book. Dr Lawrence by then was well aware of the impact of mobile commerce and especially encouraged me to write about this aspect. It was in her text that I published my first ‘academic’ pieces on the chip implantation of humans; I included a full case write-up on Professor Kevin Warwick and the Cyborg 2.0 story. She did not shy away from this research, and had the foresight to see that one day, just maybe, this might directly relate to the way electronic payments were to be conducted. I don’t believe too many others at the time would have agreed to publish such work in the IT world. Elaine would also insist and encourage me to continue to learn how the new ‘electronic commerce’ models might impact society. It did not surprise me to learn later that in 2009 Elaine’s interest in advancements in technology would bring her to the role of Editor-in-Chief for IARIA’s prestigious International Journal of Advanced Life Sciences.

      Elaine worked tirelessly on professional community activities. She was one of the first editorial board members chosen for the Journal of Theoretical and Applied Electronic Commerce Research (JTAER) and was one of the first to guest edit a special issue on Mobile Payments doing so for Elsevier’s acclaimed Electronic Commerce Research and Applications (ECRA). In 2003, she was invited to join the International Committee on Mobile Business in Vienna and in 2005 chaired the highly successful 4th International Conference on Mobile Business (ICMB05) hosted in Sydney. It was an absolutely fantastic occasion where hundreds of delegates from across Australia, New Zealand and Asia (and further) turned out. Mobile business was fresh and new, and many of the papers published in that conference via IEEE Xplore and the hardcopy proceedings went on to be downloaded tens of thousands of times each.

      One of my fondest memories of Elaine is at this wonderful conference. So much hard work went into getting it off the ground, and into the grander vision that went with ICMB. Elaine made sure that all the delegates were well looked after. I recall one Chinese delegate having lost his passport and travellers cheques en route to the conference venue, and Elaine seeing to it that he was given enough money for his stay in Australia and reassured that all would be okay… She looked resplendent in her blue dress on that last day luncheon where awards and initiatives were announced by her. She worked tirelessly, and yet always looked like she had had more time. The evening dinner at the Casa di Nico at Darling Harbour was spectacular, and again Elaine chose an absolutely gorgeous outfit to wear. She was glowing, and so very happy at her fruits… she made this conference happen, but in typical Elaine style she would always generously distribute the glory. I later discovered a pattern in her genius: always, always talk about others and never talk about yourself and what you have achieved. This was Elaine’s way—I do remember many times that she highlighted her PhD students and amplified their discoveries before her own. Many of Elaine’s students have gone on to be very successful academics and business men and women… some even heads of schools and owners of their own companies, CEOs, CIOs and the like.

      My husband and collaborator, Dr MG Michael, presented at ICMB06 in Denmark and had the honour of meeting Dr Lawrence in person and spending some quality time with her. This was again the case at ICMB07 in Toronto, Canada, when I was pregnant with my second child. Elaine did not like being photographed very much, but she let Michael take a picture of her because she knew that it would mean a great deal to me. I found this photograph particularly interesting, because it looked identical to those I had seen of Elaine on the Internet; Elaine’s face shows the “human side of humanity”; she always possessed this very honest smile and her eyes were inviting and gentle. One could not feel intimidated in the presence of Dr Lawrence, despite her having done so very much on the academic side. Not long after ICMB07, Elaine cited uberveillance in a conference paper on pervasive eHealth monitoring systems, a paper co-authored with Frank Kargl, Martin Fischer and Yen Yang Lim. This came as a complete surprise to MG, even though the links between us had been emerging strongly over quite some time. Elaine could see how uberveillance would be integral to both wearable and implantable computing for health applications. Despite most people at the time being watchful of uberveillance, Elaine embraced the concept.

      In 2003/04 Elaine had begun researching motes, smart dust and body area networks for medical purposes. I recollect corresponding with her and asking what had inspired this investigation. She was way way ahead of the game in terms of her thinking of the next generation of technologies for mHealth, that much was obvious. At this time, Elaine was entrusted with the Directorship of the mHealth Laboratory within the iNEXT Research Centre. In typical Elaine fashion, she drew leading research academics and scholars from Germany, Spain, Canada and Vietnam to work with the Faculty on Wireless Sensor Networks and Health applications. She also created important links for the iNEXT Research Centre with Professor Matt Welsh and his team from Harvard University, Associate Professor Frank Kargl from Twente University in the Netherlands, and Professor Nina Ziv at the University of New York. In 2008 Elaine’s PhD student was awarded her doctorate on the well received, “A Heterogeneous Network Management Approach to Wireless Sensor Networks in Personal Healthcare Environments”. In 2008 and 2009 her master’s students produced theses on ReMoteCare: Health Monitoring with Streaming Video and Portable Emergency Medical Information Systems for Elderly Care. During 2009 she was working on five projects predominantly related to wireless sensor development kits such as Crossbow’s Zigbee MicaZs, Sun’s Java Sunspots and Toumaz’s Digital Plaster. In that same year Elaine completed two large scale ARC-Discovery grants she had attained, one valued at $310,000 on the theme of sensors and actor grids for healthcare. Elaine’s competitive research grants exceeded one million dollars, just in the time frame she was director of the mHealth Laboratory, with more than 80 peer reviewed journal and conference papers, and several books. Despite her research success, she always considered herself to be a teacher, renowned for her ability to translate research into quality information technology courseware.

      In 2008, despite the very busy workload and pressure she was under as the Head of the newly amalgamated School of Computing and Communications in the Faculty of Engineering and Information Technology at UTS, she agreed to write the foreword of our book on Innovative Automatic Identification and Location Based Services: from bar codes to chip implants. MG and I could think of few people who knew both of us so well and could additionally trace back the history of our thought as early as 2003. In 2009, when I asked Elaine to be a referee on my promotions application she did so instantaneously, being ever so encouraging. In fact, I do not recollect Elaine being someone who said ‘no’ very often…

      At about the same time as our book hit the shelves in 2009, Elaine had been the head of school for two years, during a trying period where several departments at UTS were being reorganised. The emphasis on paperwork at that time and bureaucracy ran deep and Elaine being Elaine, she did not cut any corners. In a tribute by a UTS staff member the following was said about her: “Elaine shone in her role as Head of the School of Computing and Communications, formed from the merging of two pre-existing academic units. Elaine projected charisma, gravitas, authoritativeness, compassion, tolerance and genuine affection for all her staff, academic and non academic. Her personality and leadership allowed the merged School to succeed, overcoming reservations and defusing parochialism, empowering a culture of unity and mutual support. It is thanks to Elaine that the School is such a success today.”

      On the 14th of December 2009, I contacted Elaine to tell her I had received my promotion to Associate Professor and that MG and I were expecting our third child just after we were to host the IEEE International Symposium on Technology and Society (ISTAS) in 2010. Elaine always loved hearing about children and family. I recollect the many many times that she spoke to me of her beautiful husband John who also co-authored with her on many occasions related to taxation and internet commerce. And of course, she would never tire of talking of the achievements of Sue and Michael, their two children whom she was so so proud of... I cannot tell you how inspiring this was for a young academic starting out… It is sometimes inconceivable to consider that Elaine’s higher research degree journey began when her children were mere toddlers. She loved what she did… It was on sharing my news during this time that Elaine told me the devastating news that she had breast cancer. She wrote in reply: “What fabulous new times - an Ass Pro and a new baby - congratulations on both. This is very exciting. Now for some bad news from me - I have breast cancer… I am not at all impressed. Wish me luck - your news has cheered me up completely…”

      After two operations and finally chemotherapy, she returned to work in April 2010 on a part-time basis and by July was back full-time. The last correspondence she had with MG was one of victory; she was determined not to let this cancer beat her, and she declared herself 100% well. She was still sending conference calls for papers at web speed and apologising for the cross-postings, as she had thousands of people on her numerous mailing lists. She had brought people together from all over Europe and Asia and Australia and New Zealand and conducted outreach work also in North and South America. In June 2011 she even made it to Slovenia for the annual Bled conference. What many of us did not know, however, is that in the beginning of that year Elaine had battled a second unrelated cancer, this time ovarian, for which she had to undergo yet another operation and more substantial chemotherapy. On the 18th of September Elaine was admitted to hospital suffering from severe pain, and rested finally on the 18th of October 2011.

      This In Memoriam is meant for all those who knew Elaine, as an opportunity to remember her life and works. Wife, mother, teacher, researcher, someone who epitomised dignity in all its forms, Elaine will be missed deeply. She was not only a fine academic but she possessed all those human qualities that made her stand out.

      The record from the UTS Vice Chancellor’s Report in November 2011 stated: “We are deeply saddened by the passing away on 18 October of Associate Professor Elaine Lawrence, Head of the School of Computing and Communications in the Faculty of Engineering and Information Technology. Elaine has been a committed and valued member of the UTS family since 1990, and a true leader in Females in Engineering and Information Technology (FEIT). She is survived by her husband, John, and children Susie and Michael, and will be greatly missed by her friends at UTS.”

      Citation: Katina Michael, April 1, 2012, "Editorial: In Memoriam of Associate Professor Dr Elaine Lawrence", Journal of Theoretical and Applied Electronic Commerce Research, jtaer.com, April 2012.