NLUUG spring conference

26 May 08 - 21:03

Last week I attended the Dutch NLUUG spring conference about Security. The conference presented 18 talks in several tracks, mainly about the technical implementations of security measures.

The keynote was given by Vincent Rijmen, professor at the University of Leuven and one of the inventors of the Rijndael encryption algorithm, which is the heart of AES encryption. Mr. Rijmen talked about the past and future of hash functions and about methods to break the MD5 and SHA-1 hashing algorithms.

Then I attended a talk about anonymity systems, where PhD student Matthijs Koot explained how anonymous anonymity systems like Tor, MorphMix and I2P really are.

A very interesting talk was from Carel van Straten from the Spamhaus project. The Spamhaus project tries to find out how spammers work and what to do about it. I will publish a separate article about this intriguing subject later.

Another very interesting talk was by the German hacker Henryk Plotz, who is famous in The Netherlands. He was one of the hackers of the Mifare Classic chip card that is about to be used in The Netherlands as a train ticket system. He talked about how the Mifare card was hacked: a combination of monitoring and analyzing the wireless communications from the card and of physically looking at the chip, by polishing off the various layers of silicon and photographing and analyzing them.

After some other, somewhat less interesting talks, I saw Karin Spaink. Karin talked about the security of electronic patient records (EPRs). Karin pointed out that everybody seems to want EPRs, but there is little proof these systems will introduce much better healthcare at all. EPRs bring in their own security issues and concerns. Karin led a hacker team who broke into two hospitals (with their permission, by the way) and was able to see, copy, delete and change(!) millions of patient records.

The NLUUG conference was a very interesting event and was perfectly hosted. Highly recommended.

Personal Information is Personal Property

09 May 08 - 09:20

Yesterday I attended a lecture at the Dutch Society of Information Architects (GIA), called "Personal Information is Personal Property". The lecture was given by Paul Jansen and Pieter Wisse.

The main point of the lecture was that information about a person (or a company), which is now stored in many places, should be owned by the person the information relates to.

Today it is not unusual to have (partial) information about persons stored in hundreds of places. It is out of reach for the person the information is about. My name and address are stored in many places without my knowledge, where the information is not necessarily correct, and without me having control over what happens with this information.

Jansen and Wisse stated that information is always connected to the context in which the information has value. If the information is used without its proper context, problems arise. For instance, my salary is different for my employer, for the tax agency and for my wife. The context gives information its meaning.

People should be much more restrictive in exchanging information about themselves. If one wants to buy a bottle of liquor, one must identify himself to let the shop owner know his age is above 18. Usually people show their driver's license or a passport. This gives the shop owner much more information than he needs. My passport shows not only my birth date, but also my place of birth, my nationality, my social security number, etc. The shop owner only needs to know my age. It would be much better if there was a way to exchange the information on my age only, without presenting unnecessary information.

Jansen and Wisse want to radically alter the complete system of information exchange, and regulate by law that information about a person can no longer be stored and used by others (just like it is regulated for material possessed by persons). The person must become the owner of his own information (just like he is the owner of his own money) and he should decide every time if, when and what information he exchanges in which context.

We are talking about a new information management paradigm, which is stated in the so-called Dot-i Charter.

The lecture raised much discussion and questions in a room with 25 information architects. Paul Jansen is an excellent presenter who answered many questions and started many discussions. It was a very interesting evening and gave me much food for thought.

The Irresistible Forces Meet the Movable Objects

04 May 08 - 10:07

In January I visited Microsoft in Redmond for a series of talks.

One of these talks was "The Irresistible Forces Meet the Movable Objects" by Pat Helland. I think this was the best performance of the week.

Now Pat Helland (who has his own blog) has posted a video of this talk. You can find it here.



About Sjaak Laan

I am 45 years old and married to Angelina. We have 3 children of 12, 7 and 5 years old. We live in The Netherlands, in a place called Drachten.

I work for Logica as Principal IT Architect. I have 20 years of IT experience.

I own the following certificates:

ITAC Master Certified IT Architect

CISSP (Certified Information Systems Security Professional)

TOGAF Certified Architect

I am a member of the:


I manage my business contacts using Linkedin.


I can be reached through sjaak.laan [ a t ] gmail [dot] com.

This site states my opinion only, and not necessarily the opinion of my employer or of the clients I work for.