Best Infosec-Related Long Reads for the Week of 6/15/24
The world of people who take spreadsheets seriously, The distortions of a leading disinformation researcher, How the EU leads the way in securing software, Protecting prompt privacy in LLM models
Spreadsheet Superstars
In a piece cleverly designed to look like an Excel spreadsheet, the Verge’s David Pierce offers an entertaining look into the Excel World Championship, an event held every year in Las Vegas so that the champion can earn “a trophy and a championship belt and the ability to spend the next 12 months bragging about being officially the world’s best spreadsheeter.”
Competitive Excel has been around for years, but only in a hobbyist way. Most of the people in this room full of actuaries, analysts, accountants, and investors play Excel the way I play Scrabble or do the crossword — exercising your brain using tools you understand. But last year’s competition became a viral hit on ESPN and YouTube, and this year, the organizers are trying to capitalize. After all, someone points out to me, poker is basically just math, and it’s all over TV. Why not spreadsheets? Excel is a tool. It’s a game. Now it hopes to become a sport.
I’ve come to realize in my two days in this ballroom that understanding a spreadsheet is like a superpower. The folks in this room make their living on their ability to take some complex thing — a company’s sales, a person’s lifestyle, a region’s political leanings, a race car — and pull it apart into its many component pieces. If you can reduce the world down to a bunch of rows and columns, you can control it. Manipulate it. Build it and rebuild it in a thousand new ways, with a couple of hotkeys and an undo button at the ready. A good spreadsheet shows you the universe and gives you the ability to create new ones. And the people in this room, in their dad jeans and short-sleeved button-downs, are the gods on Olympus, bending everything to their will.
There is one inescapably weird thing about competitive Excel: spreadsheets are not fun. Spreadsheets are very powerful, very interesting, very important, but they are for work. Most of what happens at the FMWC is, in almost every practical way, indistinguishable from the normal work that millions of people do in spreadsheets every day. You can gussy up the format, shorten the timelines, and raise the stakes all you want — the reality is you’re still asking a bunch of people who make spreadsheets for a living to just make more spreadsheets, even if they’re doing it in Vegas.
The Distortions of Joan Donovan
In the Chronicle of Higher Education, Stephanie M. Lee probes whether famed disinformation researcher Joan Donovan, now at Boston University, is spreading distortions of her own by claiming that her dismissal from Harvard University, where she led the now-disbanded Technology and Social Change Project, was instigated by social media giant Meta, a major donor to the academic institution and, Donovan claims, a corrupt influence on Harvard who sought to meddle in her research.
A series of events in a suspicious order, a handful of well-connected people: This was what Donovan’s allegation boiled down to.
Similar logic was applied to the nuptials of Sheryl Sandberg, Meta’s former chief operating officer, a friend of Elmendorf’s [Douglas W. Elmendorf, the dean of the Kennedy School where Donovan’s project was housed] since he was her undergraduate adviser. When he delivered the bad news to Donovan in August 2022, it was — in her words — “a mere four days” after he had attended Sandberg’s wedding on a Wyoming ranch (where, Donovan has also pointed out, he was photographed by People). The dean told me that he did not discuss the matter with Sandberg and that she “had no bearing whatsoever on the decisions regarding Joan Donovan.”
During that meeting with the dean, Donovan’s declaration says, Elmendorf told her that Harvard would “exercise its ownership of my book,” Meme Wars, because, unlike faculty, “all staff’s research was owned by the University.” Late last year, over dinner in Boston, she told me, “It is what it is: Someone can own my shit. I still know how to work a copy machine.” And in December, she tweeted, “The truth is H took everything from me,” including “my book,” and added, “I truly have nothing left to lose.”
But Harvard does not own the copyright to Meme Wars. By March of last year, the three authors and the provost had signed an agreement that “Harvard hereby irrevocably transfers and assigns to the Authors, in perpetuity and throughout the world, all of its right, title, and interest in the copyright” to Meme Wars, according to documents I obtained. (One exception: Harvard got a royalty-free license to use it “for Harvard’s research, educational, and other scholarly purposes.”) In Donovan’s declaration, the only reference to this agreement is a vague mention of the book being “settled.”
Elmendorf told me that transferring the copyright “seemed the fair thing to do.” And when I asked Donovan if it was misleading to not mention the agreement, she insisted that it was irrelevant because “to me, it is still very true that Harvard laid claim to my book.”
Meme Wars isn’t the only thing Donovan says Harvard took. She has made a series of accusations — at times ambiguous — that her ex-employer is “holding on to my intellectual property,” which the university broadly disputes. She recently asserted to me that Harvard has refused to negotiate with her lawyers over this issue since December (though she declined to put me in touch with them, saying that they do not want to talk to the media). According to Harvard, that is false. “We asked Joan a number of times before she left to tell us what IP she seeks,” a spokesperson told me. “Harvard’s counsel has welcomed conversations with her counsel since then, and has repeated our requests for Joan to identify what she is seeking. We have not heard back.”
Moving Slow and Fixing Things
In Lawfare, university professors Christos Makridis, Iain Nash, Scott J. Shackelford, and Hannibal Travis argue that the Biden administration could learn from Europe how to hold organizations responsible for securing the software they use.
In addition to the proposal to include software within the scope of products liability legislation, the EU has introduced unified cybersecurity requirements for products sold within the common market, which includes pure software products. The Cyber Resilience Act (CRA), a forthcoming EU regulation, combines detailed cybersecurity requirements, such as patch management and secure-by-design principles, with a comprehensive liability regime. The CRA can be considered as more comprehensive than California’s “Internet of Things” (IoT) security law as the CRA’s cybersecurity requirements go far beyond California’s reasonable security features and password requirements, and the CRA applies to both IoT and software products.
Fundamentally, the CRA requires that products be introduced to the market with all known vulnerabilities patched and that they have been developed under a “secure by design” basis. However, developers are also required to conduct and maintain a cybersecurity risk assessment, provide a software bill of materials listing out the third-party software components used in their products, and ensure security updates are available for a period of at least five years. Developers and manufacturers of ordinary products can self-certify conformity with the legislation while “important” and “critical” products will require a more in-depth and an independent conformity assessment, respectively.
Noncompliance with the CRA follows the model used in the GDPR and can result in a fine of up to 15 million euros or 2.5 percent of total revenue (whichever is larger) for breaches of core requirements, while other breaches can result in a fine of up to 10 million euros or 2 percent of total revenue. However, there is no mechanism under the act for a complainant to enforce the CRA directly, and complainants must petition their local regulator if they believe the requirements have not been met.
The Fire Thief Is Also the Keeper: Balancing Usability and Privacy in Prompts
A group of academic researchers at Nanjing University have devised a privacy-protection solution called Privacy Sanitizer, or ProSan, for prompts (questions posed to LLM models) that could inadvertently violate the privacy of the questioner by exposing sensitive information.
We propose ProSan, an end-to-end framework designed to protect privacy in user prompts submitted to online LLMs. ProSan dynamically balances usability and anonymity by evaluating the importance and privacy risk of words within the prompts, subsequently anonymizing sensitive information while retaining essential semantic content for task performance. In addition, ProSan has trained a lightweight anonymized model for ordinary users.
Compared to the baseline, ProSan effectively minimizes privacy leakage across various tasks without significantly impacting usability. Future work will focus on further exploring other privacy-preserving methods based on self-information and expanding the application scope of ProSan to other privacy-sensitive domains.