Barack Obama, National Security and Me, Take II

Over the last month or so, many people who read my first post on Senator Obama’s “security summit” at Purdue have asked me about follow-up. I’ve been asked “Did you ever hear back from the Senator?”, “Has the McCain campaign contacted you?”, and “What do you think about the candidates?” I’ve also been asked by a couple of my colleagues (really!) “Why would they bother to contact you?”

So, let me respond to these, with the last one first.

Why would someone talk with you about policy?

So, I haven’t been elected or served in a cabinet-level position in DC. I haven’t won a Nobel prize (there isn’t one in IT), I’m not in the National Academies (and unlikely to be—few non-crypto security people are), and I don’t have a faculty appointment in a policy program (Purdue doesn’t have one). I also don’t write a lot of policy papers—or any other papers, anymore: I have a persistent RSI problem that has limited my written output for years. However, those aren’t the only indicators that someone has something of value to say.

As I’ve noted in an earlier post, I’ve had some involvement in cyber security policy issues at the Federal level. There’s more than my involvement with the origins of the SfS and Cyber Trust, certainly. I’ve been in an advising role (technology and policy) for nearly 20 years with a wide range of agencies, including the FBI, Air Force, GAO, NSA, NSF, DOE, OSTP, ODNI and more. I’ve served on the PITAC. I’ve testified before Congressional committees a half-dozen times, and met with staff (officially and unofficially) of the Senate and House many times more than that. Most people seem to think I have some good insight into Federal policy in cyber, but additionally, in more general issues of science and technology, and in defense and intelligence.

From another angle, I’ve also been deeply involved in policy. I served on the CRA Board of Directors for 9 years, and have been involved with its government affairs committee for a decade. I’ve been chair or co-chair of the ACM’s US Public Policy committee for a dozen years. From these vantage points I have gained additional insights into technology policy and challenges in a broad array of issues related to cyber, education, and technology.

And I continue to read a lot about these topics and more, including material in a number of the other sciences. And I’ve been involved in the practice and study of cyber security for over 30 years.

I can, without stretching things, say that I probably know more about policy in these areas than about 99.995% of the US population, with some people claiming that I’m in the top 10 or so with respect to broad issues of cyber security policy. That may be why I keep being asked to serve in advisory positions. A lot of people tend to ask me things, and seem to value the advice.

One would hope that at least some of the candidates would be interested in such advice, even if not all of my colleagues (or my family) are interested in what I have to say.

Have any of the other candidates contacted you?

Simply put—no. I have gotten a lot of mailings from the Republican (and Democratic) campaigns asking me to donate money, but that’s it.

I’m registered as an independent, so that may or may not have played a role. For instance, I can’t volunteer to serve as a poll worker in Indiana because I’m not registered in one of the two main parties! I don’t show up in most of the databases (and that may be a blessing of sorts).

To digress a moment.... I don’t believe either party has a lock on the best ideas—or the worst. I’m not one of those people who votes a straight-ticket no matter what happens. I have friends who would vote for anyone so long as the candidate got the endorsement of “their” party. It reminds me of the drunken football fans with their shirts off in -20F weather cheering insanely for “their” team and willing to fight with a stranger who is wearing the wrong color. Sad. Having read the Constitution and taken the oath to defend it, I don’t recall any mention of political parties or red vs. blue....

That said, I would be happy to talk with any serious candidate (or elected official) about the issues around cyber, security, education, and the IT industry. They are important, and impact the future of our country...and of much of the world.

So, has anyone with the Obama campaign contacted you since his appearance at Purdue?

Well, the answer to this is “yes and no.”

I was told, twice, by a campaign worker that “Someone will call you—we definitely want more advice.” I never got that phone call. No message or explanation why. Nothing.

A few weeks after the second call I did get a strange email message. It was from someone associated with the campaign, welcoming me to some mailing list (that I had not asked to join) and including several Microsoft Word format documents. As my correspondents know, I view sending email with Word documents to be a bad thing. I also view being added to mailing lists without my permission to be a hostile act. I responded to the maintainer of the list and his reply was (paraphrased) “I don’t know why you were added. Someone must have had a reason. I’ll check and get back to you.” Well, I have received no more email from the list, and I never got any followup from that person.

So, in summary, I never got any follow-up from the campaign. I don’t think it is an issue with the Senator (who wouldn’t have been the one to contact me anyhow) but a decision by his staff.

So, depending on your level of cynicism, the mentions of my name, of CERIAS, and of follow-up were either (a) a blown opportunity caused by an oversight, or (b) a cynical political ploy to curry local favor.

(My daughter suggested that they are waiting until after the election to appoint me to a lofty position in government. Uh, yeah. That probably explains why I haven’t gotten that MacArthur “genius grant” yet and why Adriana Lima hasn’t called asking me to run away with her—the timing just isn’t right yet.)

What are your opinions on the Presidential candidates?

I’m not allowed to be partisan in official Purdue outlets. So, in some further posts here over the next week or two I will provide some analysis of both major candidates. (NB. Yes, I know there are over 300 candidates for President on the ballots across the country. However, I don’t think there is much chance of Baldwin, Barr, McKinney, Nader, Paul or the rest getting into office. So, I’ll limit my comments to the two main candidates.)

If you really want to know who I’m probably voting for, you can see my Facebook page or send me email.


Overloaded Return Values Cause Bugs

In my secure programming class I have denounced the overloading of return values as a bad practice, and recently I discovered a new, concrete example of a bug (possibly a vulnerability) that results from this widespread practice.  A search in the NVD and some googling didn’t reveal any mention of similar issues anywhere, but I probably just have missed them (I have trouble imagining that nobody else pointed that out before).  In any case it may be worth repeating with this example.

The practice is to return a negative value to indicate an error, whereas a positive value has meaning, e.g., a length.  Imagine a function looking like this:

#include <errno.h>   /* EINVAL used below as a stand-in for ERROR_CODE */
#include <stddef.h>  /* NULL */

int bad_idea(char *buf, unsigned int size) {
    int length;

    if (buf == NULL) {          /* stand-in for <some_error_condition> */
        length = -EINVAL;       /* error channel: a negative value */
    } else {
        length = size;  /* substitute any operations that could overflow the signed int */
    }
    return length;              /* one int carries both an error and a length */
}

This function could return random error values.  Under the right conditions this could result in at least a DoS (imagine that this is a security-related function, e.g., for authentication).  I suggest using separate channels to return error codes and meaningful values.  Doing this lowers complexity in the assignment and meaning of that return value by removing the multiplexing.  As a result: 

  • There is an increased complexity in the function prototype, but the decreased ambiguity inside the function is beneficial.  When the rest of the code uses unsigned integers, the likelihood of a signed/unsigned integer conversion mistake or an overflow is high.  In the above example, the function is also defective because it is unable to process correctly some allowed inputs (because the input is unsigned and the output needs to be able to return the same range), so in reality there is no choice but to decouple the error codes from the semantic results (length).  This discrepancy is easier to catch when the ambiguity of the code is decreased.
  • It does away with the bad practice of keeping the same variable for two uses:  assigning error codes and negative values to a “length” is jarring;
  • It disambiguates the purpose and meaning of checking the “returned” values (I’m including the ones passed by reference, loosely using the word “returned”).  Is it to check for an error or is it a semantic check that’s part of the business logic?

Integer overflows are a well-known problem; however in this case they are more a symptom of conflicting requirements.  The incompatible constraints of having to return a negative integer for errors and an unsigned integer otherwise are really to blame; the type mismatch ("overflow") is inevitable given those.  My point is that the likelihood of developers getting confused and having bugs in their code, for example not realizing that they have incompatible constraints, is higher when the return value has a dual purpose. 
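The two failure directions described above, side by side with the decoupled form, as an added example (not code from the original post; the NULL-buffer condition and EINVAL are assumed stand-ins for the post’s <some_error_condition> and ERROR_CODE):

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Overloaded return value: the error channel (negative ints) and the data
 * channel (a length that must cover the whole unsigned range) share one int.
 * Assumed for illustration: NULL buffer is the error, EINVAL the error code. */
int bad_idea(const char *buf, unsigned int size) {
    int length;
    if (buf == NULL) {
        length = -EINVAL;
    } else {
        length = size;   /* silently becomes negative for size > INT_MAX */
    }
    return length;
}

/* Decoupled form: status code in the return value, length via an
 * out-parameter of the same type as the input, so no range mismatch. */
int good_idea(const char *buf, unsigned int size, unsigned int *length_out) {
    if (buf == NULL || length_out == NULL) {
        return -EINVAL;
    }
    *length_out = size;
    return 0;
}

/* Failure direction 1: a caller of bad_idea() treats a large but legitimate
 * length as an error, because it came back negative. Returns 1 if the caller
 * believes the call succeeded. */
int bad_caller_thinks_ok(const char *buf, unsigned int size) {
    int r = bad_idea(buf, size);
    return r >= 0;
}

/* Failure direction 2: a caller that stores the result in an unsigned
 * variable (the rest of the code uses unsigned lengths) turns an error code
 * into a huge length. */
unsigned int bad_idea_as_unsigned(const char *buf, unsigned int size) {
    unsigned int n = bad_idea(buf, size);  /* -EINVAL wraps to ~4 billion */
    return n;
}

/* With separate channels both checks are unambiguous: returns 1 only when
 * the status says success AND the reported length matches the input. */
int good_idea_roundtrip(const char *buf, unsigned int size) {
    unsigned int len = 0;
    if (good_idea(buf, size, &len) != 0) {
        return 0;
    }
    return len == size;
}

int main(void) {
    unsigned int big = (unsigned int)INT_MAX + 1u;  /* constructed input */
    printf("bad_idea(\"x\", %u) -> %d (looks like an error)\n", big, bad_idea("x", big));
    printf("bad_idea(NULL, 3) seen as unsigned -> %u (looks like a length)\n",
           bad_idea_as_unsigned(NULL, 3));
    printf("good_idea roundtrip of %u -> %d\n", big, good_idea_roundtrip("x", big));
    return 0;
}
```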

Cassandra Lost Its Feed From Secunia

I discovered that our XML feed from Secunia had been disabled, coinciding with a re-organization their web site.  So, the information contained in Cassandra from Secunia is now out of date.  Hopefully it can be re-established soon, but I didn’t get an answer from Secunia over the weekend.

An IPMI House of Cards

We’ve recently added features using IPMI to our ReAssure testbed, for example to support reimaging of our Sun experimental PCs and rebooting into a Live CD, so that researchers can run any OS they want on our testbed.  IPMI stands for the “Intelligent Platform Management Interface”, so we have a dedicated, isolated network on which commands are sent to cards in the experimental PCs.  An OS running in these cards can provide status responses and can perform power management actions, for example a power cycle that will reboot the computer.  This is supposed to be useful if the OS running in the computer locks up, for example.  So, we were hoping that we’d need fewer trips to the facility where the experimental PCs are hosted, have greater reliability and that we’d have more convenient management capabilities.

However, what we got was more headaches.  Some IPMI cards failed entirely; as we had daisy-chained them, the IPMI cards of the other PCs became inaccessible.  Others simply locked up, requiring a trip to the facility even though the OS on the computer was fine… One of them sometimes responds to status commands and sometimes not at all, seemingly at random.  The result is that using the IPMI cards actually made ReAssure less reliable and required more maintenance, because the reliability-enhancing component was so unreliable!  The irony.  I don’t know if we’ve just been unlucky, but now I’m keeping an eye out for a way to make that more reliable or an alternative, hoping that it doesn’t introduce even more problems.  That is rather unlikely, as I’ve discovered that even though the LAN interface is standard, the physical side of those cards isn’t; AFAIK you can’t take a generic IPMI card and install it, it needs to be a proprietary solution by the hardware vendor (e.g., you need a Tyan card for a Tyan motherboard, a Sun IPMI card for a Sun computer, etc...).  So if the IPMI solution provided by your hardware vendor has flaws, you’re stuck with it; it’s not like a NIC card that you can replace from any vendor.  I don’t know of any way to replace the software on the IPMI cards either, in a manner similar to how you can replace the bad firmware of consumer routers with better open source software.  I suppose that the lessons from this story are that:


  • You can’t make something more reliable by adding low-quality components in a “backup” role, because then you need to maintain them as well and make sure that they’ll work when they’ll be needed;

  • It’s not because something is on a separate card that it is more reliable;

  • IPMI is a weak standard—only the exposed interfaces are standardized, for example enabling the development of OpenIPMI (from the managed OS side) and IPMItools (LAN interface), but the middle of the “sandwich” isn’t—the implementations and parts are proprietary, incompatible between vendors, inflexible and fragile;

  • Proprietary, non-standard solutions prevent choosing better components.

Take 5 Minutes to Help Privacy Research!

This is from our colleagues at NCSU, and is time-critical. Please take 5 minutes to fill out this (simple) survey. It will help an NSF-funded privacy project. And “Thank you” from CERIAS, too!

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.

The URL is: http://theprivacyplace.org/currentsurvey

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include

$100 Amazon.com gift certificates sponsored by Intel Co.

and

IBM gifts

On behalf of the research staff at ThePrivacyPlace.Org, thank you!


Who ya gonna call?

This morning I received an email, sent to a list of people (I assume). The subject of the email was “Computer Hacker’s service needed” and the contents indicated that the sender was seeking someone to trace back to the sender of some enclosed email. The email in question? The pernicious spam email purporting to be from someone who has been given a contract to murder the recipient, but on reflection will not do the deed if offered a sum of money.

This form of spam is well-known in most of the security and law enforcement communities, and there have been repeated advisories and warnings issued to the public. For instance, Snopes has an article on it because it is so widespread as to have urban legend status. The scam dates back at least to 2006, and is sometimes made to seem more authentic by including some personalized information (usually taken from online sources). A search using the terms “hitman scam spammer” returns over 200,000 links, most of the top ones being stories in news media and user alert sites. The FBI has published several alerts about this family of frauds, too. This is not a rare event.

However, it is not that the author of the email missed those stories that prompts this post. After all, it is not the case that each of us can be aware of everything being done online.

Rather, I am troubled that someone would ostensibly take the threat seriously, and as a follow-up, seek a “hacker” to trace the email back to its sender rather than report it to law enforcement authorities.

One wonders if the same person were to receive the same note on paper, in surface email, whether he would seek the services of someone adept at breaking into mail boxes to seek out the author? Even if he did that, what would it accomplish? Purportedly, the author of the note is a criminal with some experience and compatriots (these emails, and this one in particular, always refer to a gang that is watching the recipient). What the heck is the recipient going to do with someone—and his gang—who probably doesn’t live anywhere nearby?

Perhaps the “victim” might know (or suspect) it is a scam, but is trying to aid the authorities by tracing the email? But why spend your own money to do something that law enforcement is perhaps better equipped to do? Plus, a “hacker” is not necessarily going to use legal methods that will allow the authorities to use the results. Perhaps even more to the point, the “hacker” may not want to be exposed to the authorities—especially if they regularly break the law to find people!

Perhaps the victim already consulted law enforcement and was told it was a scam, but doesn’t believe it? Well, some additional research should be convincing. Plus, the whole story simply isn’t credible. However, if the victim really does have a streak of paranoia and a guilty conscience, then perhaps this is plausible. However, in this case, whoever is hired would likewise be viewed with suspicion, and any report made is going to be doubted by the victim. So, there is no real closure here.

Even worse, if a “hacker” is found who is willing to break the rules and the laws to trace back email, what is to say that he (or she) isn’t going to claim to have found the purported assassin, he’s real, and the price has gone up but the “hacker” is willing to serve as an intermediary? Once the money is paid, the problem is pronounced “fixed.” This is a form of classic scam too—usually played on the gullible by “mystics” who claim that the victim is cursed and can only be cured by a complicated ritual involving a lot of money offered to “the spirits.”

Most important—if someone is hired, and that person breaks the law, then the person hiring that “hacker” can also be charged under the law. Hiring someone to break the law is illegal. And having announced his intentions to this mailing list, the victim has very limited claims of ignorance at this point.

At the heart of this, I am simply bewildered how someone would attempt to find a “hacker”—whose skill set would be unknown, whose honesty is probably already in question, and whose allegiances are uncertain—to track down the source of a threat rather than go to legitimate law enforcement. I can’t imagine a reasonable person (outside of the movies) receiving a threatening letter or phone call then seeking to hire a stranger to trace it back rather than calling in the authorities.

Of course, that is why these online scams—and other scams such as the “419 scams”—continue to work: people don’t think to contact appropriate authorities. And when some fall for it, it encourages the spammers to keep on—increasing the pool of victims.

(And yes, I am ignoring the difficulty of actually tracing email back to a source: that isn’t the point of this particular post.)


Security Through Obscurity

This was originally written for Dave Farber’s IP list.


I take some of the blame for helping to spread “no security through obscurity,” first with some talks on COPS (developed with Dan Farmer) in 1990, and then in the first edition of “Practical Unix Security” (with Simson Garfinkel) in 1991. None of us originated the term, but I know we helped popularize it with those items.



The origin of the phrase is arguably from one of Kerckhoffs’s principles for strong cryptography: that there should be no need for the cryptographic algorithm to be secret, and it can be safely disclosed to your enemy. The point there is that the strength of a cryptographic mechanism that depends on the secrecy of the algorithm is poor; to use Schneier’s term, it is “brittle”: Once the algorithm is discovered, there is no protection (or minimal) left, and once broken it cannot be repaired. Worse, if an attacker manages to discover the algorithm without disclosing that discovery then she can exploit it over time before it can be fixed.



The mapping to OS vulnerabilities is somewhat analogous: if your security depends only (or primarily) on keeping a vulnerability secret, then that security is brittle—once the vulnerability is disclosed, the system becomes more vulnerable. And, analogously, if an attacker knows the vulnerability and hides that discovery, he can exploit it when desired.



However, the usual intent behind the current use of the phrase “security through obscurity” is not correct. One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security because they increase the work factor an opponent must expend to successfully attack your system. The obscurity may also help expose an attacker because it will require some probing to penetrate the obscurity, thus allowing some instrumentation and advanced warning.



In point of fact, most of our current systems *have* “security through obscurity” and it works! Every potential vulnerability in the codebase that has yet to be discovered by (or revealed to) someone who might exploit it is not yet a realized vulnerability. Thus, our security (protection, actually) is better because of that “obscurity”! In many (most?) cases, there is little or no danger to the general public UNTIL some yahoo publishes the vulnerability and an exploit far and wide.



Passwords are a form of secret (obscurity) that provide protection. Classifying or obfuscating a codebase can increase the work factor for an attacker, thus providing additional security. This is commonly used in military systems and commercial trade secrets, whereby details are kept hidden to limit access and increase the work factor for an attacker.



The problem occurs when a flaw is discovered and the owners/operators attempt to maintain (indefinitely) the sanctity of the system by stopping disclosure of the flaw. That is not generally going to work for long, especially in the face of determined foes. The owners/operators should realize that there is no (indefinite) security in keeping the flaw secret.



The solution is to design the system from the start so it is highly robust, with multiple levels of protection. That way, a discovered flaw can be tolerated even if disclosed until it is fixed or otherwise protected. Few consumer systems are built this way.



Bottom line: “security through obscurity” actually works in many cases and is not, in itself, a bad thing. Security for the population at large is often damaged by the people who claim to be defending the systems by publishing the flaws and exploits trying to “force” fixes. But vendors and operators (and lawyers) should not depend on secrecy as primary protection.



ReAssure 1.10 Released

This new release of our testbed software provides users with full control of experimental PCs instead of being limited to running VMware images:


  • Experimental PCs can be rebooted at will
  • There is a LiveCD in the experimental PCs, which will take a root password that you specify before rebooting the PC
  • Users are now able to replace the operating system installed by default on experimental PCs, and gain full control
  • The host operating system for VMware is restored after an experiment.

This facilitates experiments with other virtualization technologies (e.g., Xen), or with operating systems or software that don’t interact in the desired manner with VMware.

When compared with other testbeds such as Deter, the differences are that:


  • You should be able to run anything on ReAssure that is compatible with the hardware;
  • You may try to attack the ReAssure testbed itself;
  • Malicious software should have great difficulty escaping the testbed (if not using exp01 and exp02, the computers set aside for updating images);
  • Your experiments using VMware images are portable;
  • You can take VMware snapshots;

As before, you can still:


  • Use complex network topologies for your experiments, with high bandwidth utilization on each (Gbit ethernet)
  • Extend reservations or stop experiments at will;
  • Use ISO images and VMware appliances;
  • Share image files
  • Cooperate remotely with other people, and give them access to the PCs in one of your experiments
  • Update your images from two of our experimental PCs that allow connections to the outside (exp01 and exp02)

Under the hood changes:


  • The switch management now uses a UNIX domain server instead of a script started by cron.  This increases the responsiveness of the system, allows checking the state of the switch directly in real time, and allows self-test results to be displayed on the web interface (for administrators).
  • The upload mechanism now uses a UNIX domain server instead of a script started by cron.  This increases the responsiveness of the system and allows self-test results to be displayed on the web interface (for administrators).
  • The power state of the experimental PCs is controlled via IPMI (Intelligent Platform Management Interface) on an isolated network

Visit the project home page, the testbed management interface itself, or download the open source software.  The ReAssure testbed was developed using an MRI grant from NSF (No. 0420906).

US Travel Tips for New Faculty…and for Not-so-New

The academic year is beginning, and I have already been asked by new faculty about travel. I also recently heard about a problem from a more senior colleague. As I have traveled a lot for my work in the last 20 years, I have built up some experience as an academic “road-warrior.” My assistant, Marlene, has also helped out with some great ideas as she has observed my difficulties getting from point A to B and back again. Here are some general tips for lower-stress travel as you travel to conferences and speaking engagements around the U.S.

General

Familiarize yourself with your university’s travel rules. Most have specific rules about advance notice, forms to file, etc. Know the rules before you travel so you don’t do the wrong things.

When you meet people at conferences, or when speaking, or otherwise on business, write the date on the back of the card, along with info that will help you identify why/where you met the person. If you promise to send them a copy of your recent results, then write that on the card, too. I have over 3000 entries in my online address book and card collection, and I no longer remember who half of them are, where I met them, or why....a note would have helped me in trimming the collection some.

Note on your itinerary what the next and previous departures of the plane, train, etc. might be. If your business finishes early or runs late you have some idea of alternatives. In many cases, for a small fee, you can switch to a different departure time on the same day. You can usually get that fee reimbursed by the same source of funds that pays for your ticket.

Take paper copies of articles, theses, or other items you need to read or review. If you are stuck in an airport waiting area with a delayed flight, you can put your time to use without running down laptop batteries. Furthermore, you can read the papers when on the plane during times that no electronic devices can be used, and you can write comments in the margin when you have a small fold-down seat tray that isn’t large enough to hold an open laptop.

Keep business cards with you. At least once a year I find someone sitting on a long flight next to me to be worth a follow-up contact. Several times these have led to industry grants for my research or internships for my students. Be prepared for opportunities!

Always pack an extra day’s worth of critical items in the event your flight is cancelled or too badly delayed. Also, you are prepared when the airline asks for volunteers to be bumped to the next day in return for a free ticket—that means you can save money on your grants for the next conference, or else use the free ticket to have a spouse/SO accompany you on a trip.

If you are going someplace interesting, investigate staying an extra day or two to sight-see, or simply relax. Depending on timing, you may actually save money by flying on a weekend day instead of a weekday evening and staying the extra night in the hotel!

Consider joining frequent traveler programs for the airlines and hotels. You may not collect enough for a free trip any time soon—and if you do travel enough to do so, another trip is not likely your idea of a reward. However, most of those programs have some small perks for members—free Internet service or breakfast at the hotel, priority on better seats, etc.

Airline clubs can be valuable places to unwind between long flights or during delays. You can buy day passes or full-year memberships. Some cover multiple airlines. Consider the expense of Internet access and several cups of coffee each time you need to spend more than an hour at a major airport in a waiting area. At a certain point, the airline club fee comes out to be a win. Plus, their front desk staff can often fix a scheduling snafu on your ticket faster (and with more options) than the personnel out at the desks.

Try to always be cheerful with travel personnel, even if you’re having a bad day. Airline check-in people can give you a better seat or waive a change fee if you are nice, flight attendants will sometimes comp a drink or give you the last blanket, and hotel clerks can put you in a better room—all if you are nice. Be grumpy or curt, and TSA will make your life miserable, you’ll get checked into the non-reclining seat in the last row next to the lav, and at the hotel you’ll get the room next to the elevator.

I have a single sheet with all my flight itinerary, hotel address, confirmation numbers, important telephone numbers, and so on. This turns out to be incredibly useful for all sorts of reasons.

Take along a small bottle of hand sanitizer, and use it before every meal or break. If you are meeting people, shaking hands, and using doorknobs handled by thousands of others, it is not a contributor to good health. Frequent hand washing and use of a sanitizer can really help. I get small bottles in the “travel size” section at my neighborhood pharmacy.

Finances

Keep all of your receipts, boarding passes, etc. I have a poly-plastic envelope with an elastic cord into which I put all my receipts while traveling. At the end of the trip, the receipts get sorted into three piles: those that go to the university or sponsor for reimbursement purposes, those that go into my file for income taxes (all meal receipts, for example), and a pile I keep until I have been reimbursed and my frequent flier miles credited. This last pile is normally where stubs from boarding passes go, unless your sponsor/university requires them.

Never leave a hotel without a paper statement showing a zero balance! Some hotels will run a statement of all expenses and slip it under your room door the night before you leave. You then do an express checkout and don’t stop at the desk. However, without evidence you paid the bill (the zero balance part), some agencies won’t reimburse you! You can probably get a corrected copy from the hotel, but the process delays your reimbursement by weeks (or longer).

Need to send in the original receipts for reimbursement? Make sure you have legible copies to keep on file in the event there is a mixup or loss of items.

Don’t forget to ask for mileage reimbursement to drive to/from the airport. The current IRS rate is commonly used.

If you work at a public university you can sometimes get the government rate at hotels. You need to ask about that when you reserve the room, and you show your faculty ID when arriving. Be sure you only do this when traveling on university business.

Be aware of your credit limit. If you are doing a lot of travel and charging it all to one credit card, you may hit your limit without knowing it. Hotels often put a hold charge on your card when you check in and do not remove it when you pay your bill, so your card takes double the hit. It can be very uncomfortable to arrive at your destination, 3 time zones away, only to be told that your card has been refused. American Express cards have no such pre-set limit, but you also have to pay them when the bill arrives, and this can be a stretch if your reimbursements aren’t timely.

Speaking of reimbursements, some companies that may ask you to come visit to speak at their expense can be extremely slow to pay reimbursements because their internal processes are so complex. My worst experiences have been with big companies, for some reason. Intel is one example—over a 3 year period with 5 trips they never paid an invoice in less than 6 months, one took 10 months to reimburse, and I had to file as a business supplier to even get into their system! In situations like this you either need to dip into savings then wait for the payment, or carry the charge on credit. Be prepared for this if you have no experience with a host offering to reimburse you.

Actually, this brings up a worst-case scenario: You are asked to visit an institution in a foreign country to speak, at their expense. You buy non-refundable tickets (that is all they will reimburse) and then they cancel the visit or you fall ill or..... Nothing like having $2000 in non-refundable tickets and the bill coming due! There are solutions here—demand to buy refundable tickets, have them buy the tickets for you, or consider having them authorize buying travel insurance through the airline or travel service where you get the tickets. Even reputable places may have scheduling problems.

Don’t fly sick! If you are really ill, don’t feel you have to travel because you bought non-refundable tickets, or because they are expecting you to talk at the other end. Flying while ill can make you worse (I’ve had a perforated ear drum from the pressure change on the plane, once, flying with a terrible cold), can spread germs, and you end up not making a very good presentation. Ask to reschedule if it is a presentation. Most airline tickets can be used, for a small change fee, up to a year after the date of purchase. If you are flying to a conference on grant money, check on university policy—most will cover the change fee or even the cost of the ticket so long as you commit to buying non-refundable tickets to keep costs low.

Check the interest rate on your credit cards. Yeah, maybe you collect frequent flier miles by using that card, but it also may have an 18%-25% effective annual rate. If you are delayed getting a reimbursement, or it crosses the due date of the bill, you may be paying a hefty penalty for those miles.

Many places will ask for your SSN# on a W-4 before they will reimburse you. If you are a compensated speaker, you can’t get your honorarium without this. This poses two problems: taxes and possible exposure of your SSN. The taxes part is easiest—keep the receipts and if your reimbursement gets included in a form 1099-MISC filed by your host, then you list the amounts as deductible business expenses (talk to a tax advisor for specifics—don’t depend on this blog!). As for protecting yourself against identity theft, come up with a “dba” name (doing business as) for consulting, then get an IRS EIN (employer identity number). Use that in place of your SSN. It is all perfectly legal (although you may need to educate the clerks at the other end), has the same number of digits as your SSN, but if compromised it won’t contribute to fraud committed with your identity.

I may do a follow-up post with some specific hints on international travel. If you have suggestions for academic travelers, please post them in the comments.


Privacy Survey

I am an advisor to ThePrivacyPlace.  They do great work on privacy issues, and this annual survey is valuable—but only with a lot of responses.  So, please respond and share the link with others.

The following is their survey announcement.

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.
The URL is: http://theprivacyplace.org/currentsurvey

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include $100 Amazon.com gift certificates sponsored by Intel Co. and IBM gifts.

On behalf of the research staff at ThePrivacyPlace.Org, thank you!