Edward Felten

Edward William Felten
Edward Felten at Princeton University
Born: March 25, 1963 (age 61)
Citizenship: American
Education: California Institute of Technology (BS); University of Washington (MS, PhD)
Known for: Secure Digital Music Initiative
Awards: EFF Pioneer Award [1]
Scientific career
Fields: Computer science, public affairs
Institutions: Princeton University, Federal Trade Commission
Doctoral advisors: Edward D. Lazowska and John Zahorjan

Edward William Felten (born March 25, 1963) is the Robert E. Kahn Professor of Computer Science and Public Affairs at Princeton University, where he was also the director of the Center for Information Technology Policy from 2007 to 2015 and from 2017 to 2019. [2] On November 4, 2010, he was named Chief Technologist for the Federal Trade Commission, [3] a position he officially assumed January 3, 2011. On May 11, 2015, he was named the Deputy U.S. Chief Technology Officer. [4] In 2018, he was nominated to and began a term as Board Member of PCLOB. [5] [6]

Felten has done a variety of computer security research, including groundbreaking work on proof-carrying authentication and work on security related to the Java programming language, but he is perhaps best known for his paper on the Secure Digital Music Initiative (SDMI) challenge.

Biography

Felten attended the California Institute of Technology and graduated with a degree in physics in 1985. He worked as a staff programmer at Caltech from 1986 to 1989 on a parallel supercomputer project. He then enrolled as a graduate student in computer science at the University of Washington. He was awarded a Master of Science degree in 1991 and a Ph.D. in 1993. His Ph.D. thesis was on developing an automated protocol for communication between parallel processors.

In 1993, he joined the faculty of Princeton University in the department of computer science as an assistant professor. He was promoted to associate professor in 1999 and to professor in 2003. In 2006, he joined the Woodrow Wilson School of Public and International Affairs, but computer science remains his home department. In 2005, he became the director of the Center for Information and Technology Policy at Princeton. He has served as a consultant to law firms, corporations, private foundations, and government agencies. His research involves computer security and technology policy. [7]

He lives in Princeton, New Jersey with his family. From 2006 to 2010, he was a member of the board of the Electronic Frontier Foundation (EFF). In 2007, he was inducted as a Fellow of the Association for Computing Machinery.

In November 2010, he was named Chief Technologist of the Federal Trade Commission. [8]

In 2013, Felten was elected a member of the National Academy of Engineering for contributions to security of computer systems, and for impact on public policy.

On May 11, 2015, he was named Deputy U.S. Chief Technology Officer for The White House. [9]

United States v. Microsoft

Felten was a witness for the United States government in United States v. Microsoft, where the software company was charged with committing a variety of antitrust crimes. During the trial, Microsoft's attorneys denied that it was possible to remove the Internet Explorer web browser from a Windows 98-equipped computer without significantly impairing the operation of Windows.

Citing research he had undertaken with Christian Hicks and Peter Creath, two of his former students, [10] Felten testified that it was possible to remove Internet Explorer functionality from Windows without causing any problems with the operating system. He demonstrated his team's tool in court, showing 19 ways in which it is normally possible to access the web browser from the Windows platform that his team's tool rendered inaccessible.

Microsoft argued that Felten's changes did not truly remove Internet Explorer but only made its functionality inaccessible to the end user by removing icons, shortcuts and the iexplore.exe executable file, and making changes to the system registry. This led to a debate as to what exactly constitutes the "web browser," since much of the core functionality of Internet Explorer is stored in a shared dynamic-link library, accessible to any program running under Windows.

Microsoft also argued that Felten's tool did not even completely remove web-browsing capability from the system since it was still possible to access the web through other Windows executables besides iexplore.exe, such as the Windows help system.

The SDMI challenge

As part of a contest in 2000, SDMI (Secure Digital Music Initiative) invited researchers and others to try to break the digital audio watermark technologies that they had devised. In a series of individual challenges, the participants were given a sample audio piece, with one of the watermarks embedded. If the participants sent back the sample with the watermark removed (and with less than an acceptable amount of signal loss, though this condition was not stated by SDMI), they would win that particular challenge.

Felten was an initial participant in the contest. He chose to opt out of confidentiality agreements that would have made his team eligible for the cash prize. Despite being given very little or no information about the watermarking technologies other than the audio samples and having only three weeks to work with them, Felten and his team managed to modify the files sufficiently that SDMI's automated judging system declared the watermark removed.

SDMI did not accept that Felten had successfully broken the watermark according to the rules of the contest, noting that there was a requirement for files to lose no sound quality. SDMI claimed that the automated judging result was inconclusive, as a submission which simply wiped all the sounds off the file would have successfully removed the watermark but would not meet the quality requirement.

SDMI lawsuits

Felten's team wrote a scientific paper explaining the methods it had used to defeat the SDMI watermarks. As Felten prepared to present the paper at the Fourth International Information Hiding Workshop of 2001 in Pittsburgh, he was threatened with legal action by SDMI, [11] the Recording Industry Association of America (RIAA), and Verance Corporation, under the terms of the DMCA, on the argument that one of the technologies his team had broken was currently in use in the market. Felten withdrew the presentation from the workshop, reading a brief statement about the threats instead. SDMI and other copyright holders denied that they had ever threatened to sue Felten. However, SDMI appears to have threatened legal action when spokesman Matt Oppenheim warned Felten in a letter that "any disclosure of information gained from participating in the Public Challenge....could subject you and your research team to actions under the Digital Millennium Copyright Act." [12] This has been described as a case of censorship by copyright. [13]

Felten, with help from the Electronic Frontier Foundation, sued the groups, requesting a declaratory judgement ruling that their publication of the paper would be legal. The case was dismissed for a lack of standing. [14]

Felten presented his paper at the USENIX security conference in 2001. [15] The United States Department of Justice has offered Felten and other researchers assurances that the DMCA does not threaten their work and stated that the legal threats against them were invalid. [citation needed]

Sony rootkit investigation

The 2005 Sony BMG CD copy protection scandal started when security researcher Mark Russinovich revealed on October 31, 2005 that Sony's Extended Copy Protection ("XCP") copy protection software on the CD Get Right with the Man by Van Zant contained hidden files that could damage the operating system, install spyware and make the user's computer vulnerable to attack when the CD was played on a Microsoft Windows-based PC. Sony then released a software patch to remove XCP.

On November 15, 2005, Felten and J. Alex Halderman showed that Sony's method for removing the XCP copy protection software made the computer more vulnerable to attack: the uninstaller essentially installed a rootkit, in the form of an ActiveX control, left it on the user's machine, and configured it so that any web page visited by the user could execute arbitrary code. Felten and Halderman described the problem in a blog post:

The consequences of the flaw are severe. It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get. [16]

Diebold voting machine analysis

On September 13, 2006, Felten and graduate students Ariel Feldman and Alex Halderman discovered severe security flaws in a Diebold Election Systems (now Premier Election Solutions) voting machine. Their findings claimed, "Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss." [17] [18] [19] [20] [21]

Sequoia voting machine analysis

In early 2008, New Jersey election officials announced that they planned to send one or more Sequoia Advantage voting machines to Ed Felten and Andrew Appel (also of Princeton University) for analysis. In March 2008, Sequoia sent an e-mail to Professor Felten asserting that allowing him to examine Sequoia voting machines would violate the license agreement between Sequoia and the county which bought them, and also that Sequoia would take legal action "to stop [...] any non-compliant analysis, [...] publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property." [22] This action sparked outrage among computer technology activists. [23] [24]

After examining Sequoia's machines, Felten and Appel indeed discovered grave problems with the accuracy of the machines. [25] They also demonstrated that the machines can be hacked and compromised within minutes. [26]

Shortly after that, Sequoia's corporate Web site was hacked. The hack was first discovered by Ed Felten. Sequoia took its Web site down on 20 March and removed the "intrusive content." [27]

Cold boot attack

In February 2008, Felten and his students were part of the team that discovered the cold boot attack, which allows someone with physical access to a computer to bypass operating system protections and extract the contents of its memory. [28]

Federal Trade Commission

In November 2010, Felten was named the first Chief Technologist of the Federal Trade Commission, [29] for which he took a one-year leave of absence from Princeton University. [30]

Awards

Related Research Articles

Premier Election Solutions, formerly Diebold Election Systems, Inc. (DESI), was a subsidiary of Diebold that made and sold voting machines.

Electronic voting is voting that uses electronic means to either aid or take care of casting and counting ballots.

Secure Digital Music Initiative (SDMI) was a forum formed in late 1998, composed of more than 200 IT, consumer electronics, security technology, ISP and recording industry companies, as well as authors, composers and publishing rightsholders, ostensibly with the purpose of developing technology and rights management system specifications that would protect, once developed and installed, the playing, storing, distributing and performing of digital music.

An electronic voting machine is a voting machine based on electronics. Two main technologies exist: optical scanning and direct recording (DRE).

Voter verifiable paper audit trail (VVPAT) or verified paper record (VPR) is a method of providing feedback to voters using a ballotless voting system. A VVPAT is intended as an independent verification system for voting machines designed to allow voters to verify that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results. It contains the name of the candidate and symbol of the party/individual candidate. While it has gained in use in the United States compared with ballotless voting systems without it, it looks unlikely to overtake hand-marked ballots.

A DRE voting machine, or direct-recording electronic voting machine, records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter. These are typically buttons or a touchscreen; and they process data using a computer program to record voting data and ballot images in memory components. After the election, it produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location. The device started to be massively used in 1996 in Brazil where 100% of the elections voting system is carried out using machines.

MediaMax CD-3

MediaMax CD-3 is a software package created by SunnComm which was sold as a form of copy protection for compact discs. It was used by the record label RCA Records/BMG, and targets both Microsoft Windows and Mac OS X. Elected officials and computer security experts regard the software as a form of malware since its purpose is to intercept and inhibit normal computer operation without the user's authorization. MediaMax received media attention in late 2005 in fallout from the Sony XCP copy protection scandal.

Steven M. Bellovin

Steven M. Bellovin is a researcher on computer networking and security who has been a professor in the computer science department at Columbia University since 2005. Previously, Bellovin was a fellow at AT&T Labs Research in Florham Park, New Jersey.

Extended Copy Protection

Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet and sold as a copy protection or digital rights management (DRM) scheme for Compact Discs. It was used on some CDs distributed by Sony BMG and sparked the 2005 Sony BMG CD copy protection scandal; in that context it is also known as the Sony rootkit.

Sony BMG copy protection rootkit scandal: Sony BMG's implementation of copy protection measures

The Sony BMG CD copy protection rootkit scandal was a scandal focused on the implementation of copy protection measures on about 22 million CDs distributed by Sony BMG in 2005. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

Sequoia Voting Systems was a California-based company that was one of the largest providers of electronic voting systems in the U.S., having offices in Oakland, Denver and New York City. Some of its major competitors were Premier Election Solutions and Election Systems & Software.

Avi Rubin: American scientist (born 1967)

Aviel David "Avi" Rubin is an expert in systems and networking security. He is a graduate of the University of Michigan and Professor of Computer Science at Johns Hopkins University, Technical Director of the Information Security Institute at Johns Hopkins, Director of ACCURATE, and President and co-founder of Independent Security Evaluators. In 2002, he was elected to the Board of Directors of the USENIX Association for a two-year term.

Online Policy Group v. Diebold, Inc.

Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195, was a lawsuit involving an archive of Diebold's internal company e-mails and Diebold's contested copyright claims over them. The Electronic Frontier Foundation and the Stanford Cyberlaw Clinic provided pro bono legal support for the non-profit ISP and the Swarthmore College students, respectively.

Hacking Democracy: 2006 film by Simon Ardizzone

Hacking Democracy is a 2006 Emmy nominated documentary film broadcast on HBO and created by producer / directors Russell Michaels and Simon Ardizzone, with producer Robert Carrillo Cohen, and executive producers Sarah Teale, Sian Edwards & Earl Katz. Filmed over three years it documents American citizens investigating anomalies and irregularities with 'e-voting' systems that occurred during the 2000 and 2004 elections in the United States, especially in Volusia County, Florida. The film investigates the flawed integrity of electronic voting machines, particularly those made by Diebold Election Systems, exposing previously unknown backdoors in the Diebold trade secret computer software. The film culminates dramatically in the on-camera hacking of the in-use / working Diebold election system in Leon County, Florida - the same computer voting system which has been used in actual American elections across thirty-three states, and which still counts tens of millions of America's votes today.

The Hursti Hack was a successful attempt to alter the votes recorded on a Diebold optical scan voting machine. The hack is named after Harri Hursti.

The Electronic Frontier Foundation (EFF) is an international non-profit advocacy and legal organization based in the United States.

Center for Information Technology Policy: Princeton University research center

The Center for Information Technology Policy (CITP) at Princeton University is a leading interdisciplinary research center, dedicated to exploring the intersection of technology, engineering, public policy, and the social sciences. Faculty, students, and other researchers come from a variety of disciplines, including Computer Science, Economics, Politics, Engineering, Sociology, and the Princeton School of Public and International Affairs.

J. Alex Halderman: American computer scientist

J. Alex Halderman is professor of computer science and engineering at the University of Michigan, where he is also director of the Center for Computer Security & Society. Halderman's research focuses on computer security and privacy, with an emphasis on problems that broadly impact society and public policy.

Electronic voting in the United States: Facet of American elections

Electronic voting in the United States involves several types of machines: touchscreens for voters to mark choices, scanners to read paper ballots, scanners to verify signatures on envelopes of absentee ballots, and web servers to display tallies to the public. Aside from voting, there are also computer systems to maintain voter registrations and display these electoral rolls to polling place staff.

Aggelos Kiayias FRSE is a Greek cryptographer and computer scientist, currently a professor at the University of Edinburgh and the Chief Science Officer at Input Output Global, the company behind Cardano.

References

  1. Electronic Frontier Foundation Announces Pioneer Award Winners Archived 2010-11-11 at the Wayback Machine EFF, 2005
  2. "Edward W. Felten | Center for Information Technology Policy". Retrieved 2020-05-28.
  3. "FTC Names Edward W. Felten as Agency's Chief Technologist; Eileen Harrington as Executive Director". 4 November 2010.
  4. www.whitehouse.gov
  5. "The White House PCLOB Nominations: A Pleasant Surprise". Lawfare. 2018-03-14. Retrieved 2023-04-01.
  6. "Board Members - PCLOB". www.pclob.gov. Retrieved 2023-04-01.
  7. Felten, Edward. "Edward Felten's Curriculum Vitae" (PDF). Retrieved 2008-05-19.
  8. "FTC Names Edward W. Felten as Agency's Chief Technologist; Eileen Harrington as Executive Director". Federal Trade Commission. 2010-11-04. Retrieved 2010-11-04.
  9. "The White House Names Dr. Ed Felten as Deputy U.S. Chief Technology Officer". whitehouse.gov. 2015-05-11. Retrieved 2015-05-11 via National Archives.
  10. Wasserman, Elizabeth (April 26, 2001). "Security Code-Cracking Professor Pulls 'How-To' Paper". The Industry Standard. Retrieved 2007-05-07.
  11. Oppenheim, Matthew J. (April 9, 2001). "RIAA/SDMI Legal Threat Letter". Electronic Frontier Foundation. Archived from the original on April 14, 2007. Retrieved 2007-05-07.
  12. Greene, Thomas C. (April 23, 2001). "SDMI cracks revealed". Security. The Register. Retrieved 2007-05-07.
  13. Westbrook, Steve (2009-04-09). Composition and Copyright: Perspectives on Teaching, Text-making, and Fair Use. State University of New York Press. pp. 37–38. ISBN 978-1-4384-2599-3.
  14. "Final Hearing Transcript, Felten v. RIAA". Electronic Frontier Foundation. November 28, 2001. Retrieved 2007-05-07.
  15. Craver, Scott A.; Wu, Min; Liu, Bede; Stubblefield, Adam; Swartzlander, Ben; Wallach, Dan S.; Dean, Drew; Felten, Edward W. (August 13–17, 2001). "Reading Between the Lines: Lessons from the SDMI Challenge" (PDF). Proceedings of the 10th USENIX Security Symposium. 10th USENIX Security Symposium. Washington, D.C., USA: USENIX Association. Archived from the original (PDF) on 21 May 2022. Retrieved 12 July 2022.
  16. Felten, Edward; Alex Halderman (November 15, 2005). "Sony's Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs". Freedom to Tinker. Retrieved 2007-05-07.
  17. Ariel J. Feldman; J. Alex Halderman; Edward W. Felten (September 13, 2006). "Security Analysis of the Diebold AccuVote-TS Voting Machine" (PDF). Princeton University. Archived from the original (PDF) on May 13, 2007. Retrieved 2007-05-07.
  18. Feldman, Ariel J.; Halderman, J. Alex; Felten, Edward W. (September 13, 2006). "Security Analysis of the Diebold AccuVote-TS Voting Machine". Center for Information Technology Policy. Archived from the original on 2017-12-12. Retrieved 6 June 2021. Full research paper [PDF], Workshop version [PDF], Executive summary, Frequently Asked Questions, Our reply to Diebold's response, Demonstration Videos
  19. CITP Princeton (2016-11-30). "Security Demonstration of DieBold AccuVote-TS Electronic Voting Machine". via: YouTube. Archived from the original on 2021-12-12. Retrieved 6 June 2021.
  20. CITP Princeton (2016-12-01). "Access to Diebold AccuVote-TS Electronic Voting Machine - close up". via: YouTube. Archived from the original on 2021-12-12. Retrieved 6 June 2021.
  21. CITP Princeton (2016-12-01). "Access Diebold AccuVote-TS Electronic Voting Machine - angle view". via: YouTube. Archived from the original on 2021-12-12. Retrieved 6 June 2021. No audio
  22. Ed Felten (2008-03-17). "Interesting e-mail by Sequoia".
  23. "E-Voting Firm Threatens Ed Felten If He Reviews Its E-Voting Machine". Techdirt. 2008-03-18.
  24. Cory Doctorow (2008-03-17). "Sequoia Voting Systems threatens Felten's Princeton security research team". BoingBoing.
  25. Ed Felten: NJ Election Discrepancies Worse Than Previously Thought, Contradict Sequoia's Explanation, Freedom To Tinker, April 4th, 2008.
  26. Andrew Appel: Security Seals on AVC Advantage Voting Machines are Easily Defeated, Freedom To Tinker, December 19th, 2008.
  27. Dee Chisamera (2008-03-21). "Sequoia Voting Systems Admits To Hackers Attacking Their Website". eFluxMedia. Archived from the original on 2009-04-06.
  28. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (2008-02-21). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Archived from the original on July 22, 2011. Retrieved 2008-02-22.
  29. "FTC names Princeton computer security expert as first chief technologist". The Washington Post.
  30. Nagesh, Gautham (4 November 2010). "Princeton prof. Edward Felten named FTC's first chief technologist". The Hill.
  31. "Edward W. Felten". American Academy of Arts & Sciences. Retrieved 2020-05-28.
  32. "Professor Edward W. Felten". NAE Website. Retrieved 2020-05-28.