Sasha Romanosky

Common Vulnerability Scoring System

Historically, vendors have used their own methods for scoring software vulnerabilities, usually without detailing their criteria or processes. This creates a major problem for users, particularly those who manage disparate IT systems and applications. The Common Vulnerability Scoring System (CVSS) is a public initiative designed to address this issue by presenting a framework for assessing and quantifying the impact of software vulnerabilities. Organizations currently generating CVSS scores include Cisco, US National Institute of Standards and Technology (through the US National Vulnerability Database; NVD), Qualys, Oracle, and Tenable Network Security. CVSS offers the following benefits: 1) standardized vulnerability scores, 2) contextual scoring and 3) open framework. The goal is for CVSS to facilitate the generation of consistent scores that accurately represent the impact of vulnerabilities

Human selection of mnemonic phrase-based passwords

Textual passwords are often the only mechanism used to authenticate users of a networked system. Unfortunately, many passwords are easily guessed or cracked. In an attempt to strengthen passwords, some systems instruct users to create mnemonic phrase-based passwords. A mnemonic password is one where a user chooses a memorable phrase and uses a character (often the first letter) to represent each word in the phrase.In this paper, we hypothesize that users will select mnemonic phrases that are commonly available on the Internet, and that it is possible to build a dictionary to crack mnemonic phrase-based passwords. We conduct a survey to gather user-generated passwords. We show the majority of survey respondents based their mnemonic passwords on phrases that can be found on the Internet, and we generate a mnemonic password dictionary as a proof of concept. Our 400,000-entry dictionary cracked 4% of mnemonic passwords; in comparison, a standard dictionary with 1.2 million entries cracked 11% of control passwords. The user-generated mnemonic passwords were also slightly more resistant to brute force attacks than control passwords. These results suggest that mnemonic passwords may be appropriate for some uses today. However, mnemonic passwords could become more vulnerable in the future and should not be treated as a panacea.

Privacy Costs and Personal Data Protection: Economic and Legal Perspectives

We analyze personal data protection laws in the United States through the lenses of the economic theories of ex ante safety regulation, ex post liability and information disclosure. Specifically, we consider and contrast how legal and economic theories interpret privacy costs and the remedies to those costs. First, we introduce the general economic theories of ex ante regulation, ex post liability and information disclosure. Then, we present their causal relationships and show how they attempt to reduce possible privacy harms caused by a firm’s activity. We then scrutinize their impact by contrasting legal and economic doctrines. Finally, we provide deeper economic analysis of the three legal mechanisms and highlight conditions under which they may become socially inefficient.