There is a case currently (early 2018) pending before the Supreme Court of the United States (SCOTUS) addressing if/how a US warrant applies to data held in a cloud service outside the US but run by a US entity.

The case is United States vs. Microsoft, and is related to interpretation of 18 U.S.C. § 2703 — part of the Stored Communications Act.

The case originated when US authorities attempted to serve a warrant on Microsoft to retrieve email of a user whose email was serviced by MS cloud servers in Ireland. Microsoft asserted the data resided in Ireland and the US warrant did not extend outside the US. The US contends that the warrant can be fully served inside the US by Microsoft and no foreign location is involved. Microsoft sued to vacate. The district court upheld the government, and found Microsoft in contempt for not complying. On appeal, the 2nd Circuit Court of Appeals overturned that decision (and the contempt citation), and remanded the case for reconsideration. The US government sought and obtained a writ of certiorari (basically, sought a hearing before SCOTUS to consider that appellate ruling). The oral arguments will be heard the last week in February.

The decision in the case has some far-reaching consequences, not least of which is that if the warrant is allowed, it is likely to drive business away from US service providers of cloud services — clients outside the US will be concerned that the US could compel production of their data. At the same time, if the warrant is not allowed, it could mean that service providers could spring up serving data out of one or more locations that routinely ignore US attempts to cooperate on computer crime/terrorism investigations. (Think of the cloud equivalent of banking havens such as the Caymen Islands, Vanuatu, and the Seychelles.) Neither result is particular appealing, but it seems (to me) that under current law the warrant cannot be enforced.

I signed on to an amicus (friend of the court) brief, along with 50 other computing faculty. Our brief is not explicitly in favor of either side in the dispute, but is intended to help educate the court about how cloud services operate, and that data does actually have a physical location.

If you are interested in reading the other briefs — including several from other amici ("friends of the court”) there are links from the SCOTUS blog about the case. It is interesting to note the perspectives of the EU and Irish governments, trade associations, former law enforcement and government officials, and more. The general consensus of the ones I read seems to me to favor Microsoft in this case. We shall have to see if the SCOTUS agrees, and whether Congress then acts to set new law in the area, if so.

This case is an example of one of the difficulties when we have few barriers in network communications, and the data flows across political borders. It is, in some sense, analogous to the “going dark” concerns of the FBI. How do we maintain privacy in an arena where bad actors use the technology to “hide” what they do, potentially forever beyond reach of law enforcement? Furthermore, how do we enforce the rules of law in an environment where some of the legal authorities are ideologically opposed to privacy rights or rule of law as envisioned by other authorities? It is also related to searches of computing devices carried across borders (including cell phones), and similar instances where the attempt has been made to equate the presence of end points or corporate operators as somehow including the data accessible via those end points. All of these are problems that the technology aggravates but are unlikely — if not impossible — to solve by technology alone.

Interesting times, no matter which side of these matters one is normally likely to support.

This is the 3rd amicus brief before the SCOTUS to which I have been a signatory, and one of 10 overalll. This is very different from publishing academic papers!)

Today, I attended the funeral in Illinois of another good friend in infosec: Ken Olthoff. Ken was my friend for over 25 years, and his death was a surprise to me and to everyone who knew him. It was also a significant loss to the field, and another sad reminder that each of us needs to live our goals sooner rather than later. The funeral included a great set of remembrances of some aspects of Ken’s life and contributions, with the service conducted by his cousin, Pastor Diane Maodush-Pitzer.

Kenneth George Olthoff was born November 18, 1959. He grew up outside Chicago in Thornton, and received a degree from Purdue Calumet. His family remembers him exhibiting, at a young age, great curiosity about how things worked and clear engineering aptitude. Around three decades ago, he joined the NSA, where he worked until his untimely passing.

Ken was on leave to visit family in Illinois in early October, as he did twice each year. Along with visiting his relatives, he engaged in some repairs to his childhood home — where he planned to retire in a small number of years, using it as a base for travel. On this most recent visit, he worked his way through his “to do” list, with the last being his annual long distance bike ride of 60+ miles (Ken did a lot of recumbent bicycling all year round). He then had dinner with his brother, Jack, and sister-in-law, Sue. Jack tried to reach him by phone Sunday, October 15, and when he did not get an answer, Jack went to check on him. Jack found Ken sitting in a recliner, in front of the TV. He had died, peacefully, during the night. The medical examiner listed cause of death as cardiaovascular-related. Ken would have been 58 next month.

Ken had many “families” in which he was connected. I think Vonnegut’s concept of the “karass” may be more a more accurate characterization. Ken had a wide-ranging curiosity and set of interests that created bridges to all sorts of people. Notably, Ken was a hardworking, creative, and valued contributor to national information security solutions. He wasn’t always acknowledged (or even known outside where he worked) for what he did, but many of the people who worked with him treasured his positive contributions. Ken’s commitment to “speak truth to power” sometimes grated on a few, but more often was valued within a community that sometimes has been too quick to buy into the “emperor’s new wardrobe.” I know a little of what Ken did at the Agency, and I have heard from others who knew his work better than I do (because some of it was classified and on a need-to-know basis); more than one of these people have commented that there were many in military service who made it home — alive, to their families — because of things Ken designed or built.

Ken was notable in the broader cybersecurity community, too, although not as well-known as many others. Whether it was as the first person ever identified in the “Spot-the-Fed” at DefCon, or writing outrageous plays about security foibles for performance at NSPW, or any of a number of other activities, Ken also had many admirers and friends outside of where he worked.

Ken was also, in the words of a friend, “… an avid disc golfer and recumbent bike rider, collector of Japanese prints and wood turnings, fan of authentic ethnic cuisines, aficionado of the Chicago music scene (particularly loyal to Pezband), fan and supporter of dirt track racing and youth hockey, and patron and production crew member for Charm City Roller Girls, and the AXIS Theatre and Rapid Lemon Productions companies in Baltimore.” He ran several mailing lists on these topics (and more), with eclectic and interesting memberships that evidenced a broad set of interests beyond even these. I learned today that he held at least five patents, on topics ranging from cyber security mechanisms to accessories for musical instruments!

Anyone who knew Ken also remembers his amazing sense of humor (and/or puns), his humility, his generosity, and his (frequent) lack of awareness of pop culture items. Ken was too busy living life to be a regular on social media!

Ken had posted at some point on his LinkedIn profile: “Goals: make positive use of the skills I have, save lives, leave the world a slightly better place than I found it, be a loyal friend, be honest, live my life in a way that gives others something to be thankful for.” I think those of us who knew him will agree that he lived those goals, achieved all of them, and often exceeded them. I am sad that I didn’t have an opportunity to tell him roughly that — I had resolved to do so after our mutual close friend, Becky Bace (who introduced Ken to me), died suddenly earlier this year, but our schedules did not align soon enough.

You are invited to visit Ken's (brief) online obituary and guest book. The family has indicated that memorial contributions may be given to the American Heart Association.

(I hope the rest of the infosec community remains hale and hearty for a while — we’ve had too many losses recently.)

---

[I will add to this post if I get other information. In particular, I hope to be able to provide links to his NPSW plays.]

In December of 1988, I was invited to speak at Bell Communications Research (Bellcore) about the Morris Internet Worm that had been released about six weeks before. The invitation was to speak on computer security in general, malicious software more specifically, and particularly “The Worm."

At the time, I was a new assistant professor — I had joined the faculty at Purdue in August of 1987. This was only my second ever presentation on computing security issues, although I had been working in the area for years. Note, that this was well before I had coauthored either the Computer Virus book or Practical Unix Security.

The title of the talk was Worms, Viruses, and Other Programmed Pests. I went on to give a variant of this presentation about 2 dozen times in the year following this talk.

I had forgotten that I had a copy of this video stored away. I’m sharing it now for historical purposes (and for some of my friends, hysterical purposes).

I think that this talk has aged very well, considering it was given nearly 30 years ago. Most of what I talk about here (but not all) is still relevant. Clearly, a number of the examples and numbers have changed drastically since then, but some of the most significant aspects have remained unchanged. Much of the advice I gave then could be given today because it still applies….and still is largely ignored. Especially, check out the Q&A at the end.

You can tell this video is really old, not only because of the video artifacts, but because:

1. I am wearing a normal tie (I switched to bow ties exclusively a few years later)
2. I am making the presentation using acetates instead of from a computer
3. I have almost a full head of hair
4. I only had a waistline in double digits.

You'll also note that I had the odd sense of humor even then. Oh, and I used the Oxford comma in the title.

Enjoy.

(Direct link to YouTube page here.)

[Note: update added March 15, 2017]

2017 has gotten off to a bad start for the security community…and to me, personally.

First, we lost Kevin Ziese. I met Kevin over two decades ago, when he was involved in computer investigations with the Air Force. I got involved with a couple of investigations, as it was a new field and I had some connections with the Air Force at the time. Kevin later served as a UN Weapons Inspector in Iraq after the first Gulf War. He was at the Pentagon on 9/11. He served in our military with distinction. Later, he was involved with intrusion detection research, and became one of the principals in Wheelgroup, which was acquired by Cisco. He had a significant career in cyber, and made a number of seminal contributions to the field that most current practitioners have never heard about.

Kevin was very creative and an able investigator, but what I remember most about him was his incredible enthusiasm and sense of humor. In all our interactions, I can’t recall him being anything other than upbeat, and with great insight. I regularly crossed paths with him at IDS and computer crime workshops, and in activities for the Air Force. He was also generous with his time, and he found ways to visit Purdue several times to give talks to my students.

I hadn’t seen Kevin for a few years, and was vaguely planning on visiting him in the next year or so. We were overdue to catch up. We had been keeping in touch electronically, and his death was a huge — and sad — surprise to me.

Kevin introduced me, electronically, to Howard Schmidt in the early 1990s, after Howard joined AFOSI. We exchanged email and phone calls for several years until we spoke on a conference panel together and finally met in person. Early on, we discovered we were in sync on a number of things, and continued to enjoy our correspondence and occasional meetings through his time at Microsoft. When he moved to his position at the White House (the first time) in 2002, I visited several times to join in conversations on how to fix some of the cyber security problems of the country. One time, he hosted my family for a Saturday morning breakfast in the West Wing staff dining room, and was so very kind to my young daughter — answering her questions with tremendous patience. Thereafter, we continued to interact in his various roles, and on through his time at the Obama White House. Whenever I’d get to Washington, we’d get together for a conversation, and sometimes a beer.

Twice, Howard came to Purdue to speak in our annual CERIAS Security Symposium. Each time, he told me in confidence that he had decided to leave his position at the White House, and his visit to me each time had cemented his decision. (Thereafter, I got a note from someone who worked with Howard at the WH suggesting that I stop inviting critical personnel to speak at Purdue!)

I have so many stories about my times with Howard and they are all good. He was always supportive and positive, and he was always trying to find a way to make things better for others. He also never let his seniority and distinctions get in the way of helping others. For instance, I fondly recall when the EWF was starting its Women of Influence awards, and they asked Howard and me serve as judges for the first awards. However, to keep with the spirit of the awards (and the restriction on judges), we had to be declared as “honorary women.” Howard and I agreed, even when told that we might need to show up at the awards in skirts and heels as part of the process! We laughed about that in later years — that the reason the awards made it into subsequent years was because we weren’t asked to do that! (And we did view being “honorary women” judges as an honor.)

The last time I saw Howard was in late 2015, when we both appeared on a panel at a meeting at a government agency. For the last 2 years we kept up with occasional social media and email — sort of the reverse of how we met. Howard’s passing was untimely and a shock to many of us, especially so close to Kevin’s.

I attended Howard’s funeral and memorial service last Friday. It was important to many of us to see off an old friend. While there, I got to spend time with one of my oldest and dearest friends, Becky Bace, the “Den Mother of Cyber Security.” Becky was an old friend of Howard’s, too, having met him slightly before I did. (Becky was also a friend of Kevin.) I first met Becky in 1991, at one of the old (now defunct) National Security Conferences. We immediately hit it off, with discussion about mutual interests in security and crazy humor. Becky was the person who got me to move my primary research focus to security, and provided funding for my first security research project in intrusion detection. She involved me in the intrusion detection “guru” workshops she held, and introduced me to others in the field — Becky knew everybody, it seemed.

Over the course of the next 25+ years, Becky and I became good friends, and colleagues in a number of cybersec activities. We served on boards and panels together. We consulted for some of the same companies. She also made sure to introduce some of my students to people working in the field, both to help them enhance their research, and to get researchers to learn about some of the cutting-edge things we were doing in the university. We often called each other to share notes and occasionally gossip that we didn’t want to put in email. Becky regularly visited CERIAS to speak and mentor students. She was especially helpful in mentoring some of our women students and faculty. “Infomom” was bright, funny, and incredibly networked.

I have so many stories about Becky. There was never a time together where we didn’t laugh about something…many things…but also develop some new insight or connection that one of us could use. And every time we were together, we were spinning ideas for how I could find something new to do to break out of the rut I’m often in at the university, and for her to explore as a new career path: I wanted to do more in the commercial world, and she wanted to have an impact in the academic space.

Becky and I both were quite devastated by Howard’s passing, and the funeral was both a very sad time, and a chance to share more laughs with each other with stories about our times with Howard. Thus, it was all the more shock to learn, less than 4 days after I last saw her, that Becky had died suddenly.

In the space of four weeks, I have lost three friends and colleagues, each of whom I have known for over two decades, and one of whom was one of my closest friends. Time passes, and we all have finite time here. Nonetheless, it is always too soon for the people we care about. And it is too soon to lose the people who have spent so much time and effort trying to make the world better for the rest of us.

It is also sobering that these three were people my age. It reminds me that time is passing rather than some entity purposely making the stairs steeper for me each year.

It also reminds me of one of the reasons I have spent my career to date in higher education — it is one of the few vocations where there is some real hope of replacing ourselves, and doing so with better quality than what we are ourselves. But as much as we may try, we will not see any like Kevin, Howard, and Becky again. To paraphrase a mutual friend, if there is a heaven it is going to be much more secure and much more fun than it was before.

RIP, friends.

---

Update: March 15, 2017

Kevin

I have learned that some people had not yet heard of Kevin’s passing, although they knew him. If you want to make a donation in his memory, please send it to one or more of:

• Disabled American veterans

• Air Force Memorial Foundation

Howard

If you wish to make a donation in the memory of Howard Schmidt, send it to:

Becky

There will be a memorial service for Becky in Shelby Hall at the University of South Alabama in Mobile, AL on Saturday, March 25th at 1PM. Information on attending and travel are posted here. A memorial webpage will be posted on Becky’s infidel.net website sometime in the next week or so.

A memorial service will also be held in San Jose on April 21. I will post additional details here if I get them.

ACSA's top scholarship in the Scholarship for Women Studying Information Security (SWSIS.org) has been renamed as the Rebecca Gurley Bace Scholarship. Contributions to help support this scholarship are welcomed by sending a check (sorry, no online contributions) to:

All of the above are non-profit, charitable organizations, and your contributions will likely be tax-deductible, depending on your tax circumstances.

2016 has been a year of setbacks and challenges for me, including being ousted as executive director of CERIAS. Rather than dwell on those issues, I have tried to stay focused on the future and move forward. Thankfully, some good things have come along and the year is going to close out on several positive notes. My last blog post noted recounted being informed that I am to receive the 2017 IFIP Kristian Beckman Award as one such positive item.

Today was the announcement of another pleasant surprise — I have been named as a Sagamore of the Wabash. This is the most significant civilian award from the state of Indiana. The award is in recognition of three decades of leadership in cyber security, and service to organizations in the state, including my leadership at CERIAS, work with local companies, and support of government and law enforcement.

As noted in the Purdue press release,I want to thank all the colleagues and students, past and present, who have worked with me over those many years. What we have accomplished only occurred because of our collective efforts; one individual can usually effect only a small amount of change. It is as a group that we have had a tremendous impact. It is gratifying to see their individual successes, too — some of my most gratifying experiences have been when former students tell me that what I helped them to learn was an important component of their success.

Some of my friends may be amused by an irony present in my now having two certificates on my office wall, one signed by George W. Bush and one by Mike Pence, but none from anyone in the Clinton or Obama administrations. (If you don’t understand that irony, move along.) However, irony is not new to me — I’ve repeatedly been recognized internationally for my research and leadership, but actually penalized by some at the university — including within my own department — for those same activities. I haven’t done any of what I do for recognition, though. My goal is to help ensure that the world is a better, safer place as a result of my actions. Even if no one notices, I will continue to do so. For years I had a sign above my desk with a quote by Mark Twain: Always do right. This will gratify some people and surprise the rest. I no longer have the sign, but I still live the words.

I also want to note (as I have several times recently) that as I get these “lifetime achievement” types of recognitions, I don’t want people to think that the problems are solved, or that I am planning on retiring. Far from it! The problem space has gotten larger and more complex, and the threats are more severe and imminent. I certainly am not bored with what I do, and I think I have some good experience and ideas to apply. I’m not sure what I’ll do next (or where) but, I don’t intend to step to the sidelines! Another of my favorite aphorisms was stated by Archimedes: Give me a lever long enough and a place to stand, and I will move the Earth. If I can find the resources (offers?) and the right place to work (suggestions?), I plan on continuing to move things a bit.

Best wishes to you all for a wonderful holiday season, and a great start to 2017!