Light Blue Touchpaper

Those of us who love America and have many friends there were delighted at President Obama’s initial reaction to the Boston bombings. He said if whoever attacked the city sought to intimidate victims or shake American values, “it should be pretty clear by now that they picked the wrong city to do it.” It seemed that sanity had at last returned, after all the scaremongering of the “War on terror”, and the ghost of 9/11 was finally being laid to rest.

One day later, a million people were under virtual house arrest; the 19-year-old fugitive from justice happened to be a Muslim. Whatever happened to the doctrine that infringements of one liberty to protect another should be necessary and proportionate?

In the London bombings, four idiots killed themselves in the first incident with a few dozen bystanders, but the second four failed and ran for it when their bombs didn’t go off. It didn’t occur to anyone to lock down London. They were eventually tracked down and arrested, together with their support team. Digital forensics played a big role; the last bomber to be caught left the country and changed his SIM, but not his IMEI. It’s next to impossible for anyone to escape nowadays if the authorities try hard.

Last weekend, my wife and I were in Milton Keynes where we bought a cradle as a present for our new granddaughter. They had only the demo model in the shop, but sold us one to pick up from their store in Cambridge. So yesterday I went into John Lewis with the receipt, to be told by the official that as I couldn’t show the card with which the purchase was made, they needed photo-id. I told him that along with over a million others I’d resisted the previous government’s ID card proposals, the last government had lost the election, and I didn’t carry ID on principle. The response was the usual nonsense: that I should have read the terms and conditions (but when I studied the receipt later it said nothing about ID) and that he was just doing his job (but John Lewis prides itself on being employee-owned, so in theory at least he is a partner in the firm). I won’t be shopping there again anytime soon.

We get harassed more and more by security theatre, by snooping and by bullying. What’s the best way to push back? Why can businesses be so pointlessly annoying?

Perhaps John Lewis are consciously pro-Labour given their history as a co-op; but it’s not prudent to advertise that in a three-way marginal like Cambridge, let alone in the leafy southern suburbs where they make most of their money. Or perhaps it’s just incompetence. When my wife phoned later to complain, the customer services people apologised and said we should have been told when we bought the thing that we’d need to show ID. She offered to post the cradle to our daughter, but then rung back later to say they’d lost the order and would need our paperwork. So that’s another 30-mile round-trip to their depot. But if they’re incompetent, why should I trust them enough to buy their food?

I invite the chairman, Charlie Mayfield, to explain by means of a follow-up to this post whether this was policy or cockup. Will he continue to demand photo-id even from customers who have a principled objection? Will he tell us who in the firm imposed this policy, and show us the training material that was prepared to ensure that counter staff would explain it properly to customers?

I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.

I’ve long been an advocate of open science and open publishing; all my scientific papers go online and I no longer even referee for publications that sit behind a paywall. But some people think books are different. I don’t agree.

The first edition of my book was also put online four years after publication by agreement with the publishers. That took some argument but we found that sales actually increased; for serious books, free online copies and paid-for paper copies can be complements, not substitutes. We are all grateful to authors like David MacKay for pioneering this. So when I wrote the second edition I agreed with Wiley that we’d treat it the same way, and here it is. Enjoy!

I’m just back from ACSAC where I gave an invited paper. Security
Economics – A Personal Perspective tells the story of how security economics got going as a subject. This is often credited to a paper I gave at ACSAC 2001 but the real story is more complex.

(post UPDATED with new job opening)

I am delighted to announce a job opening in the Cambridge Security Group. Thanks to generous funding from the European Research Council I am in a position to recruit several post-doc research associates to work with me on the Pico project, whose ambitious aim is ultimately to liberate the world from the annoyance and insecurity of passwords, which everyone hates.

In previous posts I hinted at why it’s going to be quite difficult (Oakland paper) and what my vision for Pico is (SPW paper, USENIX invited talk). What I want to do, now that I have the investment to back my idea, is to assemble an interdisciplinary team of the best possible people, with backgrounds not just in security and software but crucially in psychology, interaction design and embedded hardware. We’ll design and build a prototype, build a batch of them and then have real people (not geeks) try them out and tell us why they’re all wrong. And then design and build a better one and try it out again. And iterate as necessary, always driven by what works for real humans, not technologists. I expect that the final Pico will be rather different, and a lot better, than the one I envisaged in 2011. Oh, and by the way, to encourage universal uptake, I already promised I won’t patent any of it.

As I wrote in the papers above, I don’t expect we’ll see the end of passwords anytime soon, nor that Pico will displace passwords as soon as it exists. But I do want to be ready with a fully worked out solution for when we finally collectively decide that we’ve had enough.

Imagine we could restart from zero and do things right. Have you got a relevant PhD or are about to get one? Are you keen to use it to change the world for the better? Are you best of the best, and have the track record to prove it? Are you willing to the first member of my brilliant interdisciplinary team? Are you ready for the intellectually challenging and stimulating environment of one of the top research universities in the world? Are you ready to be given your own real challenges and responsibilities, and the authority to be in charge of your work? Then great, I want to hear from you and here’s what you need to do to apply (post UPDATED with new opening).

(By the way: I’m off to Norway next week for passwords^12, a lively 3-day conference organized by Per Thorsheim and totally devoted to nothing else than passwords.)

Last time I flew through Luton airport it was a Sunday morning, and I went up to screening with a copy of the Sunday Times in my hand; it’s non-metallic after all. The guard by the portal asked me to put it in the tray with my bag and jacket, and I did so. But when the tray came out, the newspaper wasn’t there. I approached the guard and complained. He tried to dismiss me but I was politely insistent. He spoke to the lady sitting at the screen; she picked up something with a guilty look sideways at me, and a few seconds later my paper came down the rollers. As I left the screening area, there were two woman police constables, and I wondered whether I should report the attempted theft of a newspaper. As my flight was leaving in less than an hour, I walked on by. But who will screen the screeners?

This morning I once more flew through Luton, and I started to suspect it wouldn’t be the airport’s management. This time the guard took exception to the size of the clear plastic bag holding my toothpaste, mouthwash and deodorant, showing me with glee that it has half a centimetre wider than the official outline on a card he had right to hand. I should mention that I was using a Sainsbury’s freezer bag, a standard item in our kitchen which we’ve used for travel for years. No matter; the guard gleefully ordered me to buy an approved one for a pound from a slot machine placed conveniently beside the belt. (And we thought Ryanair’s threat to charge us a pound to use the loo was just a marketing gimmick.) But what sort of signal do you give to low-wage security staff if the airport merely sees security as an excuse to shake down the public? And after I got through to the lounge and tried to go online, I found that the old Openzone service (which charged by the minute) is no longer on offer; instead Luton Airport now demands five pounds for an hour’s access. So I’m writing this blog post from Amsterdam, and next time I’ll probably fly from Stansted.

Perhaps one of these days I’ll write a paper on “Why Security Usability is Hard”. Meanwhile, if anyone reading this is near Amsterdam on Monday, may I recommend the Amderdam Privacy Conference? Many interesting people will be talking about the ways in which governments bother us. (I’m talking about how the UK government is trying to nobble the Data Protection Regulation in order to undermine health privacy.)

I have the privilege of serving as co-chair of the program committee for the Anti-Phishing Working Group’s eCrime Researchers Summit, to be held October 23-24 in Las Croabas, Puerto Rico. This has long been one of my favorite conferences to participate in, because it is held in conjunction with the APWG general meeting. This ensures that participation in the conference is evenly split between academia and industry, which leads to in-depth discussions of the latest trends in online crime. It also provides a unique audience for academic researchers to discuss their work, which can foster future collaboration.

Some of my joint work with Richard Clayton appearing at this conference has been discussed on this blog, from measuring the effectiveness of website take-down in fighting phishing to uncovering the frequent lack of cooperation between security firms. As you will see from the call for papers, the conference seeks submissions on all aspects of online crime, not just phishing. Paper submissions are due August 3, so get to work so we can meet up in Puerto Rico this October!
(more…)

I’m liveblogging WEIS 2012, as I did in 2011, 2010 and 2009. The event is being held today and tomorrow at the Academy of Sciences in Berlin. We were welcomed by Nicolas Zimmer, Berlin’s permanent secretary for economics and research who mentioned the “explosive cocktail” of streetview, and of using social media for credit ratings, in he context of very different national privacy cultures; the Swedes put tax returns online and Britain has CCTV everywhere, while neither is on the agenda in Germany. Yet Germany like other countries wants the benefits of public data – and their army has set up a cyber-warfare unit. In short, cyber security is giving rise to multiple policy conflicts, and security economics research might help policymakers navigate them.

The refereed paper sessions will be blogged in comments below this post.

I’m liveblogging the Workshop on Security and Human Behaviour which is being held at Google in New York. The participants’ papers are here, while for background, see the liveblogs for SHB 2008-11 which are linked here. Blog posts on workshop sessions will appear as followups below.

Using a multi-word “passphrase” instead of a password has been suggested for decades as a way to thwart guessing attacks. The idea is now making a comeback, for example with the Fastwords proposal which identifies that mobile phones are optimised for entering dictionary words and not random character strings. Google’s recent password advice suggests condensing a sentence to form a password, while Komanduri et al.’s recent lab study suggests simply requiring longer passwords may be the best security policy. Even xkcd espouses multi-word passwords (albeit with randomly-chosen words). I’ve been advocating through my research though that authentication schemes can only be evaluated by studying large user-chosens distribution in the wild and not the theoretical space of choices. There’s no public data on how people choose passphrases, though Kuo et al.’s 2006 study for mnemonic-phrase passwords found many weak choices. In my recent paper (written with Ekaterina Shutova) presented at USEC last Friday (a workshop co-located with Financial Crypto), we study the problem using data crawled from the now-defunct Amazon PayPhrase system, introduced last year for US users only. Our goal wasn’t to evaluate the security of the scheme as deployed by Amazon, but learn more how people choose passphrases in general. While this is a relatively limited data source, our results suggest some caution on this approach. (more…)