Web Exclusives: More

January 24, 2001:

Breaking and entering

Professor Edward Felten's specialty is exposing security flaws on the Internet

by Matt Golden '94

Five years ago, professor of computer science Edward Felten was presented with a challenge. Sun Microsystems had just released Java, a software system used by Internet web browsers to embed animated or active elements into web pages. The company was making some extravagant claims about Java's capabilities and the security it offered users. Two Princeton graduate students skeptical of the company's boastings enlisted Professor Felten's help in trying to flush out Java's bugs.

For Felten, what started as a project for his spare time, quickly became the focus of his research. Today, he is arguably the world's foremost expert on Internet and software security. The professor says, "I like working in this area because it involves the use of many different computer science methods, and it connects to the real world in interesting ways. I like the fact that this matters to people, and you can explain to the person on the street what it's all about."

As a member of the Secure Internet Programming Laboratory at Princeton, Felten examines the security and privacy aspects of software that many people use every day. He says, "We look at things in the short term: What products are out there? What are the security and privacy problems that they have? Then we work with the vendors to fix those problems." The SIPL also considers the longer-term question of how to build software that is more reliable and secure.

Felten explains, "One of the biggest problems we face is how to build high-quality software. With today's methods, people really don't know how to make software that is reliable and free of bugs. Those bugs cause annoying problems like your computer crashing and you losing your work. They also manifest themselves as security problems which someone could exploit to break into your computer to spread a virus or access private information."

Microsoft moment

Last year, Felten testified as the lead computer science expert witness for the Department of Justice in the U.S. government's case against software giant Microsoft. In his testimony, Felten asserted that the Internet Explorer web browser could be removed from Windows 95 and 98 systems. He also said that Microsoft could have produced a version of Windows 98 that did not include Internet Explorer. Thanks in part to Felten's testimony, the government won its antitrust case against Microsoft.

Felten says of his role in the trial, "That was a really interesting experience for me. Working with top-notch lawyers (like David Boise, lead attorney for Vice President Al Gore during the presidential election controversy) and economists allowed me to see how the law and economics and computer science come together in the consumer market."

When the Secure Digital Music Initiative - a consortium of companies in the music and consumer electronics industries that aims to curb the pirating of digital music - issued a challenge to crack its six-tiered security system, Felten and a team of researchers from Princeton, Rice University, and Xerox PARC answered the call. Felten says, "We analyzed the six technologies that SDMI put forward. The four most interesting had to do with watermarking (a technology that places a very faint sound into the background of recorded music, marking the music as copyrighted). The theory is that recording devices will listen for the watermark and, if they hear the watermark, refuse to copy the music. For the technology to work, it has to be impossible for someone to erase the watermark."

Felten's team used advanced signal processing to pinpoint the watermarks and then removed them without ruining the quality of the music. Though the group appears to have circumvented the security measures, Felten and his colleagues are not eligible for the $10,000 prize offered by SDMI because they plan to publish their results in a trade journal.

Of late, Felten has focused his interest on privacy issues and how the technology that is used for the Internet and e-mail can be exploited. He and a group of Princeton computer scientists have discovered a flaw in Internet technology that allows Web sites to extract information about the recent browsing history of visitors to the site. The technique, named a "timing attack" by Felten's group, allows the Web site to view the cache (a log of recently visited sites) of a visitor's computer. The Web site then queries the computer about other sites (a competitor, for example) and can determine, based on response time to its queries, if you have recently visited those sites.

Felten specializes in cracking security measures, but he believes the Internet is a relatively safe means of transmitting information if used carefully. He warns, "The Internet is like most things in life, there is no absolute protection. You have to be prudent about what you do. The bigger risk is not that your information will be intercepted in transit, but that you may encounter merchants who will misuse the information you are giving them. So, always be conscious of who you are dealing with."

by Matt Golden '94