Posts filed under 'Academic papers'

Oct 28, '13

Britain has just been hit by a storm; two people have been killed by falling trees, and one swept out to sea. The rail network is in chaos and over 100,000 homes lost electric power. What can security engineering teach about such events?

Risk communication could be very much better. The storm had been forecast for several days but the instructions and advice from authority have almost all been framed in vague and general terms. Our research on browser warnings shows that people mostly ignore vague warnings (“Warning – visiting this web site may harm your computer!”) but pay much more attention to concrete ones (such as “The site you are about to visit has been confirmed to contain software that poses a significant risk to you, with no tangible benefit. It would try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you”). In fact, making warnings more concrete is the only thing that works here – nudge favourites such as appealing to social norms, or authority, or even putting a cartoon face on the page to activate social cognition, don’t seem to have a significant effect in this context.

So how should the Met Office and the emergency services deal with the next storm?

Sep 25, '13

ICANN have now published a draft for public comment of “A Study of Whois Privacy and Proxy Service Abuse”. I am the primary author of this report — the work being done whilst I was collaborating with the National Physical Laboratory (NPL) under EPSRC Grant EP/H018298/1.

This particular study was originally proposed by ICANN in 2010, one of several that were to examine the impact of domain registrants using privacy services (where the name of a domain registrant is published, but contact details are kept private) and proxy services (where even the domain licensee’s name is not made available on the public database).

ICANN wanted to know if a significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services to obscure the perpetrator’s identity? No surprises in our results: they are!

However, it’s more interesting to ask whether this percentage is somewhat higher than the usage of privacy or proxy services for entirely lawful and harmless Internet activities? This turned out NOT to be the case — for example banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied.

It’s also relevant to consider what other methods might be chosen by those involved in criminal activity to obscure their identities, because in the event of changes to privacy and proxy services, it is likely that they will turn to these alternatives.

Accordingly, we determined experimentally whether a significant percentage of the domain names we examined have been registered with incorrect Whois contact information – and specifically whether or not we could reach the domain registrant using a phone number from the Whois information. We asked them a single question in their native language “did you register this domain”?

We got somewhat variable results from our phone survey — but the pattern becomes clear if we consider whether there is any a priori hope at all of ringing up the domain registrant?

If we sum up the likelihoods:

  • uses privacy or proxy service
  • no (apparently valid) phone number in whois
  • number is apparently valid, but fails to connect
  • number reaches someone other than the registrant

then we find that for legal and harmless activities the probability of a phone call not being possible ranges between 24% (legal pharmacies on the Legitscript list) and 62% (owners of lawful websites that someone has broken into and installed phishing pages). For malicious activities the probability of failure is 88% or more, with typosquatting (which is a civil matter, rather than a criminal one) sitting at 68% (some of the typosquatters want to hide, some do not).

There’s lots of detail and supporting statistics in the report… and an executive summary for the time-challenged. It will provide real data, rather than just speculative anecdotes, to inform the debate around reforming Whois — and the difficulties of doing so.

Jul 24, '13

I’m at SOUPS 2013, including the Workshop on Risk Perception in IT Security and Privacy, and will be liveblogging them in followups to this post.

Jul 19, '13

Yesterday I received the NSA award for the Best Scientific Cybersecurity Paper of 2012 for my IEEE Oakland paper “The science of guessing.” I’m honored to have been recognised by the distinguished academic panel assembled by the NSA. I’d like to again thank Henry Watts, Elizabeth Zwicky, and everybody else at Yahoo! who helped me with this research while I interned there, as well as Richard Clayton and Ross Anderson for their support and supervision throughout.

On a personal note, I’d be remiss not to mention my conflicted feelings about winning the award given what we know about the NSA’s widespread collection of private communications and what remains unknown about oversight over the agency’s operations. Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path.

In accepting the award I don’t condone the NSA’s surveillance. Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form. Yet I’m glad I got the rare opportunity to visit with the NSA and I’m grateful for my hosts’ genuine hospitality. A large group of engineers turned up to hear my presentation, asked sharp questions, understood and cared about the privacy implications of studying password data. It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade. Our focus must remain on winning the public debate around surveillance and developing privacy-enhancing technology. But I hope that this award program, established to increase engagement with academic researchers, can be a small but positive step.

Jul 15, '13

Privacy activists have complained for years that the Information Commissioner is useless, and compared him with captured regulators like the FSA and the Financial Ombudsman. However I’ve come across a paper by a well-known anthropologist that gives a different take on the problem.

Alan Fiske did fieldwork among a tribe in northern Nigeria that has different boundaries for which activities are regulated by communal sharing, authority, tit-for-tat or monetary exchange. For example, labour within the village is always communal; you expect your neighbours to help you fix your house, and you later help them fix theirs. (This exasperated colonialists who couldn’t get the locals to work for cash; the locals for their part imagined that Europeans must present their children with an itemised bill for child-rearing when they reached adulthood.) He has since written several papers on how many of the tensions in human society arise on the boundaries of these domains of sharing, authority, tit-for-tat and the market. The boundaries can vary by culture, by generation and by politics; libertarians are happy to buy and sell organs for transplant, where many people prefer communal sharing, while radical socialists object to some routine market transactions. Indeed regulatory preferences may drive political views.

So far so good. Where it gets interesting is his extensive discussion of taboo transactions across a variety of cultures, and the institutions created to mitigate the discomfort that people feel when something affects more than one sphere of regulation: from extreme cases such as selling a child into slavery so you can feed your other children, through bride-price and blood money, to such everyday things as alimony and deconsecrating a cemetery for development. It turns out there’s a hierarchy of spheres, with sharing generally taking precedence over authority and authority over tit-for-tat, and market pricing following along last. This ordering makes “downhill” transactions easier. Alimony works (you once loved me, so pay me money!) but buying love doesn’t.

Jun 27, '13

I’m at SARMAC, a conference with a number of research papers on the psychology of lying and lie detection. I’ll liveblog the relevant sessions in followups.

Jun 19, '13

The Internet is and has always been a space where participants battle for control. The two core protocols that define the Internet – TCP and IP – are both designed to allow separate networks to connect to each other easily, so that networks that differ not only in hardware implementation (wired vs. satellite vs. radio networks) but also in their politics of control (consumer vs. research vs. military networks) can interoperate easily. It is a feature of the Internet, not a bug, that China – with its extensive, explicit censorship infrastructure – can interact with the rest of the Internet.

Today we have released an open-access collection (also published as a special issue of IEEE Internet Computing), of five peer reviewed papers on the topic of Internet censorship and control, edited by Hal Roberts and myself (Steven Murdoch). The topics of the papers include a broad look at information controls, censorship of microblogs in China, new modes of online censorship, the balance of power in Internet governance, and control in the certificate authority model.

These papers make it clear that there is no global consensus on what mechanisms of control are best suited for managing conflicts on the Internet, just as there is none for other fields of human endeavour. That said, there is optimism that with vigilance and continuing efforts to maintain transparency the Internet can stay as a force for increasing freedom rather than a tool for more efficient repression.

Jun 11, '13

I’m liveblogging WEIS 2013, as I did in 2012, 2011, 2010 and 2009. This is the twelfth workshop on the economics of information security, and the sessions are being held today and tomorrow at Georgetown University. The panels and refereed paper sessions will be blogged in comments below this post (and there’s another liveblog by Vaibhav Garg).

Jun 3, '13

I’m liveblogging the Workshop on Security and Human Behaviour which is being held at USC in Los Angeles. The participants’ papers are here; for background, see the liveblogs for SHB 2008-12 which are linked here and here. Blog posts summarising the talks at the workshop sessions will appear as followups below. (Added: there is another liveblog by Vaibhav Garg.)

May 30, '13

Today we’ve published a paper showing that Bell’s inequality is violated in fluid mechanics. What has this to do with computing or security? Well, when we posted a paper back in February pointing out that hydrodynamic models of quantum physics raise questions about the scalability of quantum computing, a number of people asked for a better explanation of how this squares with the Bell tests. John Bell proved an inequality in 1964 that applies to classical particles but that is broken by quantum mechanical ones. In today’s paper we show that Bell’s inequality does not hold in classical fluid dynamics, as angular momentum and energy are delocalised in the fluid.

This may have implications for engineering, science and philosophy. On the engineering front, nine-figure sums have been poured into developing quantum computers, but even advocates of quantum computing admit they don’t really work. As our February paper argued, a hydrodynamic interpretation of quantum mechanics may suggest reasons why.

On the scientific front, the Bell tests are commonly seen as excluding not just local hidden-variable models of quantum mechanics, but local realism too. Our paper shows that the two are distinct, and thus leaves more room for research on quantum foundations. It also shows that we should be more careful in our use of terms such as ‘local’ – which might be of interest to the philosophers; the Bell tests do not draw quite as clear a dividing line between the quantum and classical worlds as many have believed.

