Posts filed under 'Seminars

May 14, '13

In a seminar today, we will unveil Rendezvous, a search engine for code. Built by Wei-Ming Khoo, it will analyse an unknown binary, parse it into functions, index them, and compare them with a library of code harvested from open-source projects.

As time goes on, the programs we need to reverse engineer get ever larger, so we need better tools. Yet most code nowadays is not written from scratch, but cut and pasted. Programmers are not an order of magnitude more efficient than a generation ago; it’s just that we have more and better libraries to draw on nowadays, and a growing shared heritage of open software. So our idea is to reframe the decompilation problem as a search problem, and harness search-engine technology to the task.

As with a text search engine, Rendezvous uses a number of different techniques to index a target binary, some of which are described in this paper, along with the main engineering problems. As well as reverse engineering suspicious binaries, code search engines could be used for many other purposes such as monitoring GPL compliance, plagiarism detection, and quality control. On the dark side, code search can be used to find new instances of disclosed vulnerabilities. Every responsible software vendor or security auditor should build one. If you’re curious, here is the demo.

Apr 15, '13

With some delay here is the second and final part on our impressions of David Birch’s Tomorrow’s Transactions Forum (TTF13), which we attended thanks to Dave’s generosity (See full agenda and PowerPoint presentations here). See part 1 here.

NOTE: Although written in first person, what follows results from a combination of Laurent Simon’s and my notes.

The theme of day 2 at TTF13 was social inclusion. The kick off question was “How to develop tools to help people deal with money?” (people with no financial culture and based on a transactional account).

This was followed by presentations on “Comic Relief” (the day before ‘the big day’), “Universal Credit” and expert panel on financial inclusion.
(more…)

Jun 12, '12

I was a guest the annual meeting of the European branch of ATM Industry Association. This was a two day event in London (May 22–23, 2012). I was there thanks to Tom Harper, founder of ATM Marketplace, that is, a B2B website for ancillary cash machine equipment (established circa 1997). Although my interest was to meet Tom to finalise an outline for a forthcoming history of the ATM, the almost ethnographic experience of attending a practitioner conference was refreshing. What follows are some of my impressions of the first day (as I had an overseas engagement the rest of the week).

The conference was jointly organised by ATMIA and Dominic Hirsh’s Retail Banking Research. I have used some of RBR’s data in the past and it is indeed one of the most authoritative sources of information on cash machines, cards and payments. During one of the presentations it was shown how estimates of ATM deployed in Sweden were more accurate than those the Riksbank.

Of greater interest for this blog, is that RBR also organises an annual conference on security. That was a bit disappointing since I was looking to hear on it. Other topics off the agenda included SEPA, regulation enabling independent ATM deployers (IAD) and pressures to reduce interchange fees. I was told they had been addressed in the recent past. In this sense and surprising for a meeting of some 70+ presenters and 500 attendees, the conference was much more ‘on theme’ than an academic gathering of similar size.

So what were the themes? The main theme was self service kiosks, while sub-themes included the cashless society and EMV (interoperation standard for Europay, Visa and Mastercard chip cards).

(more…)

Apr 12, '12

On the first of April, the Sunday Times carried a story that the Home Secretary planned to expand the scope of the Regulation of Investigatory Powers Act. Some thought this was an April Fool, but no: security minister James Brokenshire confirmed the next day that it was for real. This led to much media coverage; here is a more detailed historical timeline.

There have been eight previous Scrambling for Safety conferences organised while the UK government was considering the RIP Act and the regulations that followed it. The goal is to bring together different stakeholders interested in surveillance policy for an open exchange of views. The conference is open to the public, but you have to register here.

Here is the programme and the event website.

Oct 13, '11

In the evening of Thursday 27 October, I will be participating in a debate at the Cambridge Festival of Ideas, on Internet Freedom. Other speakers include Jim Killock, executive director of the Open Rights Group, Herbert Snorsson, founder of Openleaks.org and David Clemente, Chatham House. Further details can be found on the festival website.

Attendance is free, but booking is required.

Mar 12, '10

The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public.

On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.

For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.

Nov 16, '09

This, which started as a contribution to Ross’s Security and Psychology initiative, is probably my most entertaining piece of research this year and it’s certainly getting its bit of attention.

I’ve been a great fan of The Real Hustle since 2006, which I recommend to anyone with an interest in security, and it has been good fun to work with the TV show’s coauthor Paul Wilson on this paper. We analyze the scams reproduced in the show, we extract general principles from them that describe typical behavioural patterns exploited by hustlers and then we show how an awareness of these principles can also strengthen systems security.

In a few months I have given versions of this talk around the world: Boston, London, Athens, London, Cambridge, Munich—to the security and psychology crowd, to computer researchers, to professional programmers—and it never failed to attract interest. This is what Yahoo’s Chris Heilmann wrote in his blog when I gave the talk at StackOverflow to an audience of 250 programmers:

The other talk I was able to attend was Frank Stajano, a resident lecturer and security expert (and mighty sword-bearer). His talk revolved around application security but instead of doing the classic “prevent yourself from XSS/SQL injection/CSRF” spiel, Frank took a different route. BBC TV in the UK has a program called The Real Hustle which shows how people are scammed by tricksters and gamblers and the psychology behind these successful scams. Despite the abysmal Guy Ritchie style presentation of the show, it is full of great information: Frank and a colleague conducted a detailed research and analysis of all the attacks and the reasons why they work. The paper on the research is available: Seven principles for systems security (PDF). A thoroughly entertaining and fascinating presentation and a great example of how security can be explained without sounding condescending or drowning the audience in jargon. I really hope that there is a recording of the talk.

I´m giving the talk again at the Computer Laboratory on Tuesday 17 November in the Security Seminars series. The full write-up is available for download as a tech report.

May 18, '09

Here is a video of a talk I gave at DMU on security economics (and the slides). I’ve given variants of this survey talk at various conferences over the past two or three years; at last one of them recorded the talk and put the video online. There’s also a survey paper that covers much of the same material. If you find this interesting, you might enjoy coming along to WEIS (the Workshop on the Economics of Information Security) on June 24-25.

May 11, '06

The Security Group organizes a series of seminars. They are open to anyone interested in security research, not just to staff and students of the Computer Laboratory. Travel directions are available for anyone wishing to attend, and an outline of the programme for this term is below.

If you would like to receive email announcements of forthcoming seminars, please contact me.


Calendar

April 2014
M T W T F S S
« Mar    
 123456
78910111213
14151617181920
21222324252627
282930  

Posts by Month

Posts by Category