Sunday, April 16, 2006
Markle Foundation & Electronic Health Records
The full report is here. I was the lead drafter of the report on how to audit in order to assure good privacy and security in the use of health records.
House Judiciary Testimony
My testimony is here. Coverage in the Washington Post is here.
Sunday, April 02, 2006
Writing the Call for Action Against Phishing
I was the “reporter” – chief author – for “A Call for Action: Report from the National Consumers League Anti-Phishing Retreat.” The report drew on participation from consumer groups, leading tech companies, and other stakeholders. The report was released in March, with these principal recommendations:
1. Support greater consumer education.
2. The consumer experience must be “secure by design.”
3. There must be better user and site authentication.
4. There must be better tools for effective investigation and enforcement.
5. Learn from the lifecycle of the phisher.
6. ISPs and domain name owners can cooperate on white lists.
7. Use black lists to create a “phishing recall” approach.
Here is my column summarizing the report.
Here is the full report.
Security and Obscurity, for Open Source, Military, and More
One of my principal research projects for the past several years has been to answer the question: “When does disclosure help, or hurt, security?” Open source experts say “there is no security through obscurity.” Military experts say “loose lips sink ships.” My research provides the first theoretical model for answering the question of when disclosure is likely to help security.
The new article builds on the first, “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security,” which was published as a chapter in a book on cybersecurity by Cambridge University Press and in a law review.