Monthly Archives: September 2016

UT Seminars on Blockchain Technology

The course will consist of a number of seminars given by invited lecturers, both from the University and from industry. They will present research results along with practical experience, best practices and examples of applying blockchain and smart contract technology.

Kick-off seminar:
3.October, 10:15-12:00: Smart contracts and identity on blockchain – using e-Residency in Ethereum, Speaker: Thomas Bertani, Oraclize.it

Regular seminars (Tuesdays 18.15-20.00, Liivi 2-404, Tartu):

25.October: Introduction to Smart Contracts and Applications
Speaker: Kristo Käärmann, TransferWise

1.November: Blockchain as an Enabling Technology for Businesses
Speaker: Frederik Payman Milani, University of Tartu

8.November: Lightweight BPMN engine on Ethereum
Speaker: Luciano Garcia Banuelos, University of Tartu

15.November: Cryptographic Foundations of Bitcoin
Speaker: Michal Zajac, University of Tartu

29.November: Introduction to KSI blockchain
Speaker: Andreas Sisask, Guardtime

6.December: Creation of Smart-Contracting Collaborations for Decentralized Autonomous Organizations
Speaker: Alex Norta, Tallinn Technical University

Links:
https://courses.cs.ut.ee/2016/blockchain/fall/Main/Seminars

CERT-EE is looking for a monitoring specialist

Duties:
• information security incident monitoring and defense 24/7;
• state network (ASO) and RIA service monitoring;
• RIA service and state network incident monitoring and defense.

Requirements:
• at least one year of IT work experience;
• at least secondary education;
• average-level computer skills (work experience with MS Windows and UNIX);
• interest in information security;
• willingness to work in shifts.

Desired:
• international work experience;
• knowledge in administration of Estonian public information systems;
• clearance for access to state secrets (classification – ‘secret’).

If you believe that you are the right person we are looking for, please send your CV along with a letter of motivation to klaid@cert.ee. For additional questions, please call 6630243 or send them to klaid@cert.ee.

In 2015 CERT-EE had 5 monitoring specialist positions.

Links:
https://cybersec.ee/wp-content/uploads/2016/09/CERT-seirespetsialisti-kuulutus.pdf

Checking who has accessed your personal data is a challenge in practice

Peeter Marvet dispels the myth of transparency in finding out who has accessed your data in state databases:

For the past 20 years or so Estonian e-government and the X-Road backbone have been promoted with the promise of transparency. Yes, we keep a lot of data, but it is stored securely and you can always check who has accessed it. This means transparency and trust. Or “trust”, as in this The Guardian interview with Toomas Hendrik Ilves.

Problem is, there is no such transparency – no notifications, no place to log in and see who has accessed your data. There was one system with such functionality, but it was shut down like 10 years ago (added: there is one system – E-Health’s Digilugu.ee “patient portal”). And even when it worked, it displayed only a trivial amount of accesses [..].

The rest of the databases? I recall a meeting (in the government residence, no less) where the topic was discussed, possibly on a roundtable arranged by the National Audit Office. After some serious googling I found a contact address where to submit a request to get information about who has accessed my data in the Population Registry. It took some months to get the answer; it supposedly had information about who had requested my data available only in the “comments field” and had to be assembled manually. Promoting the idea of requesting such transparency is a good start for a denial-of-service attack on Estonian e-government.

Then there was a case when somebody from the Ministry of the Interior was to promote some new legislation mandating more data storage with the argument that everybody is able to see who has been accessing the data, so it is not a privacy violation. Our correspondence with her ended after a couple of rounds, after she was unable to find any proof of a solution where I could view the access log.

And don’t get me started on the question of who can purchase the data from our Population Registry or from the Business Register. Want to get contacts of unemployed pensioners? Give us your monies! Want to spam every e-resident who has created a company? Sure, all addresses in the registry must be business contacts so spam away (and give us some monies)!

An interesting research project would be to submit a bunch of requests for personal data access reports to various state database holders and analyze the response times and the level of detail in the answers.

Links:
https://tehnokratt.net/2016/05/meme-based-trust-lockean-contract-la-e-stonia/