A Conversation with Prof. Diogo Barradas
Written by: E. George McCutcheon
We have all likely heard the saying that curiosity negatively impacts the health of the cat, but in the case of Diogo Barradas, it has fueled his entire career. Sitting down to chat with him about his academic and research journey, he notes that it began with the gift of a Nintendo Game Boy. Instead of simply playing the games, Diogo became fascinated with the various glitches and errors that he noticed within the game code, leading to him exploring the world of programming and computer science. Fast forward to his early university studies, where Diogo’s curiosity is again piqued by the impacts of malware and cybersecurity issues. Reflecting that he was most compelled by the highly detailed problem solving and competitive aspects of cybersecurity and malware, Prof. Barradas was further challenged by capture-the-flag events, ultimately finding network and traffic analysis to be his niche.
Adding further spice to the tea, Diogo’s attention turned to the unfolding Snowden revelations concerning nation state activities and mass surveillance issues, his curiosity again prompting him to investigate anonymity technologies. Partnering with a friend, they attended crypto signing parties that used PGP encryption to protect e-mail communications, later moving to set up their own instant messaging servers that employed extensive cryptographic measures; one such protocol being developed by future CPI co-member Ian Goldberg at UWaterloo.
Inspired by earlier papers on anonymous communication and metadata resistant communication, Barradas broached the idea of working with the Tor platform for his Masters, whereupon his curiosity was again poked by a professor who encouraged Diogo to consider censorship resistance, as Tor was not available everywhere. His advisor shared a paper that centred on the idea of the Panopticon in online surveillance; the idea that people’s online activities are affected by their perception that they are always being monitored, regardless of what degree of surveillance they are actually under.
Having grown up in Portugal, Diogo references the Salazar dictatorship lasting until the mid-1970’s and the stories of censorship and oppression that coloured his perceptions of freedom of speech. He goes on to discuss the various aspects of censorship and data controls that characterize modern society, from parental controls to the limits of free speech and governmental influence, to how much content censorship is appropriate and who should be the arbiter of what is or is not allowed in online content.
Building on this discussion of the ethical limits and pros versus cons of censorship and free speech, he references the Great Firewall of China, expanding on his newfound fixation on building tools that would allow people to circumvent these kinds of restrictions and directly support free speech. Again, he discusses the gray areas of free speech and censorship, acknowledging that such tools can be used by bad actors for negative outcomes as well, stating that in some ways this resembles the debates on encryption; namely, “should we ban encryption because the bad guys are also using it?”
“Should we ban encryption because the bad guys are also using it?”
Ultimately, Diogo feels that while there will never be a concrete answer to these questions, tools to circumvent censorship will be developed regardless, with legislation having to keep pace with ethical monitoring of digital communication and technology.
The process of stress testing the security of privacy-enhancing technologies, like anti-censorship systems, is a significant part of Prof. Barradas’ work, which again raises interesting ethical and legal discussions. Put briefly, stress testing involves aggressively trying to compromise a given set of privacy-enhancing tools on a network infrastructure, in order to determine its weaknesses (e.g., whether they can be detected by a nation-state censor). Diogo explains how this is crucial for improving said defences; if you don’t test something, you do not know how/when it is likely to fail, therefore you cannot improve it. The core idea here is that he attempts to stress test the security of privacy-enhancing technologies (such as anonymity networks and anti-censorship tools) in the same way a network adversary (or a censor) would do.
The issues arise when we focus on who does this testing and what they do with the vulnerabilities they uncover; one can report the problems so that they are solved, one can also exploit them for gains at the personal level, or at an ‘organizational/state’ level. For example, a nation-state censor would not break an anti-censorship tool for personal gain, but potentially for enforcing an agenda or stifling an opposing viewpoint.
Sharing these methods to circumvent surveillance and censorship can promote free speech just as easily as they can support criminal activity. Ultimately, he posits that despite the dangers and potential misuse, stress testing (not unlike encryption, as mentioned earlier) must still be employed and that there is little, if anything, that can be done to fully eliminate unscrupulous use of such methodology by bad actors. Hence, it must be prosecuted and combatted to the best of our abilities by developing stronger defences and responses.
In relation to the intersection of legislation and technology, Barradas discusses another focal point of his curiosity, the field of digital forensics. This is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often for the purposes of investigating crime. As cybercrime has become a staggeringly costly branch of criminal activity globally, being able to investigate and prosecute cybercriminals is a salient area of research, wherein digital forensics plays a key role.
Diogo explains that our legal system moves significantly slower than the pace of technology; hence, creating laws to tackle cybercrime, including the legal frameworks surrounding digital forensic investigation, often lag far behind where they need to be. He posits the example of how judges and juries must be presented with digital evidence in a manner that is admissible and properly vetted, noting that there is a process that must be established and followed for ensuring that pieces of evidence are not tampered with, in line with the same concepts of chain of custody that you would have with non-digital evidence.
Diogo has consulted with legal expert Maura Grossman, also a CPI member, on the subtle intricacies of how digital forensics activities can be conducted in a manner that will address such concerns. He illustrates such a point by outlining how obtaining a warrant to search a laptop must specify just cause, as well as specific components being searched (hard drive, live memory, network connections, etc.,). Then, a ‘hash’ must be created, which is a summarization of collected information that will survive tampering; so, if someone tampers with that evidence, you can detect that that piece of data was tampered with during the chain of custody.
Another legal principle in play that he expands upon is that of accidental disclosure, wherein evidence of a crime is found, but it is not related to the investigation or warrant being served. Diogo offers the example of a forensics team investigating a malware breach at a company, wherein the examination of a hard drive reveals child pornography images; as this was accidental discovery and not the focus of the search, this would typically require a second warrant focused on a more comprehensive and explicit search of this kind of images in the target computer, as in this example.
Discussing his role as a professor, Diogo underlines the importance of creating and facilitating courses that directly engage with his stated interests in order to create similar enthusiasm and awareness in his students. With courses such as CS 458 / 658 — Computer Security and Privacy and CS858 - Internet Censorship and Surveillance, Prof. Barradas stresses the importance of said topics while pairing them with a strong focus on the ethical responsibilities for those who will gain the knowledge to perform high-level activities in these areas.
He goes on to say that interdisciplinarity is crucial for UWaterloo students, maintaining that academia must provide a broad knowledge base for students to be effective in the world; again noting the intersections of digital, legal, social, and ethical concerns in every topic we covered during this lively and informative discussion.
In closing, it bears repeating that the curiosity of Diogo Barradas may have endangered the cat at several points, but he has used that curiosity to relentlessly pursue his research in multiple areas that benefit the world in myriad ways, (cats included).