January 24, 2001:
Breaking and entering
Professor Edward Felten's specialty is exposing security flaws on
by Matt Golden '94
years ago, professor of computer science Edward Felten was presented
with a challenge. Sun Microsystems had just released Java, a software
system used by Internet web browsers to embed animated or active
elements into web pages. The company was making some extravagant
claims about Java's capabilities and the security it offered users.
Two Princeton graduate students skeptical of the company's boastings
enlisted Professor Felten's help in trying to flush out Java's bugs.
For Felten, what started as a project for his spare time, quickly
became the focus of his research. Today, he is arguably the world's
foremost expert on Internet and software security. The professor
says, "I like working in this area because it involves the
use of many different computer science methods, and it connects
to the real world in interesting ways. I like the fact that this
matters to people, and you can explain to the person on the street
what it's all about."
As a member of the Secure Internet Programming Laboratory at Princeton,
Felten examines the security and privacy aspects of software that
many people use every day. He says, "We look at things in the
short term: What products are out there? What are the security and
privacy problems that they have? Then we work with the vendors to
fix those problems." The SIPL also considers the longer-term
question of how to build software that is more reliable and secure.
Felten explains, "One of the biggest problems we face is
how to build high-quality software. With today's methods, people
really don't know how to make software that is reliable and free
of bugs. Those bugs cause annoying problems like your computer crashing
and you losing your work. They also manifest themselves as security
problems which someone could exploit to break into your computer
to spread a virus or access private information."
Last year, Felten testified as the lead computer science expert
witness for the Department of Justice in the U.S. government's case
against software giant Microsoft. In his testimony, Felten asserted
that the Internet Explorer web browser could be removed from Windows
95 and 98 systems. He also said that Microsoft could have produced
a version of Windows 98 that did not include Internet Explorer.
Thanks in part to Felten's testimony, the government won its antitrust
case against Microsoft.
Felten says of his role in the trial, "That was a really
interesting experience for me. Working with top-notch lawyers (like
David Boise, lead attorney for Vice President Al Gore during the
presidential election controversy) and economists allowed me to
see how the law and economics and computer science come together
in the consumer market."
When the Secure Digital Music Initiative - a consortium of companies
in the music and consumer electronics industries that aims to curb
the pirating of digital music - issued a challenge to crack its
six-tiered security system, Felten and a team of researchers from
Princeton, Rice University, and Xerox PARC answered the call. Felten
says, "We analyzed the six technologies that SDMI put forward.
The four most interesting had to do with watermarking (a technology
that places a very faint sound into the background of recorded music,
marking the music as copyrighted). The theory is that recording
devices will listen for the watermark and, if they hear the watermark,
refuse to copy the music. For the technology to work, it has to
be impossible for someone to erase the watermark."
Felten's team used advanced signal processing to pinpoint the
watermarks and then removed them without ruining the quality of
the music. Though the group appears to have circumvented the security
measures, Felten and his colleagues are not eligible for the $10,000
prize offered by SDMI because they plan to publish their results
in a trade journal.
Of late, Felten has focused his interest on privacy issues and
how the technology that is used for the Internet and e-mail can
be exploited. He and a group of Princeton computer scientists have
discovered a flaw in Internet technology that allows Web sites to
extract information about the recent browsing history of visitors
to the site. The technique, named a "timing attack" by
Felten's group, allows the Web site to view the cache (a log of
recently visited sites) of a visitor's computer. The Web site then
queries the computer about other sites (a competitor, for example)
and can determine, based on response time to its queries, if you
have recently visited those sites.
Felten specializes in cracking security measures, but he believes
the Internet is a relatively safe means of transmitting information
if used carefully. He warns, "The Internet is like most things
in life, there is no absolute protection. You have to be prudent
about what you do. The bigger risk is not that your information
will be intercepted in transit, but that you may encounter merchants
who will misuse the information you are giving them. So, always
be conscious of who you are dealing with."
by Matt Golden '94