In the evening of Thursday 27 October, I will be participating in a debate at the Cambridge Festival of Ideas, on Internet Freedom. Other speakers include Jim Killock, executive director of the Open Rights Group, Herbert Snorsson, founder of Openleaks.org and David Clemente, Chatham House. Further details can be found on the festival website.

Attendance is free, but booking is required.

The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public.

On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.

For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.

This, which started as a contribution to Ross’s Security and Psychology initiative, is probably my most entertaining piece of research this year and it’s certainly getting its bit of attention.

I’ve been a great fan of The Real Hustle since 2006, which I recommend to anyone with an interest in security, and it has been good fun to work with the TV show’s coauthor Paul Wilson on this paper. We analyze the scams reproduced in the show, we extract general principles from them that describe typical behavioural patterns exploited by hustlers and then we show how an awareness of these principles can also strengthen systems security.

In a few months I have given versions of this talk around the world: Boston, London, Athens, London, Cambridge, Munich—to the security and psychology crowd, to computer researchers, to professional programmers—and it never failed to attract interest. This is what Yahoo’s Chris Heilmann wrote in his blog when I gave the talk at StackOverflow to an audience of 250 programmers:

The other talk I was able to attend was Frank Stajano, a resident lecturer and security expert (and mighty sword-bearer). His talk revolved around application security but instead of doing the classic “prevent yourself from XSS/SQL injection/CSRF” spiel, Frank took a different route. BBC TV in the UK has a program called The Real Hustle which shows how people are scammed by tricksters and gamblers and the psychology behind these successful scams. Despite the abysmal Guy Ritchie style presentation of the show, it is full of great information: Frank and a colleague conducted a detailed research and analysis of all the attacks and the reasons why they work. The paper on the research is available: Seven principles for systems security (PDF). A thoroughly entertaining and fascinating presentation and a great example of how security can be explained without sounding condescending or drowning the audience in jargon. I really hope that there is a recording of the talk.

I´m giving the talk again at the Computer Laboratory on Tuesday 17 November in the Security Seminars series. The full write-up is available for download as a tech report.

Here is a video of a talk I gave at DMU on security economics (and the slides). I’ve given variants of this survey talk at various conferences over the past two or three years; at last one of them recorded the talk and put the video online. There’s also a survey paper that covers much of the same material. If you find this interesting, you might enjoy coming along to WEIS (the Workshop on the Economics of Information Security) on June 24-25.

The Security Group organizes a series of seminars. They are open to anyone interested in security research, not just to staff and students of the Computer Laboratory. Travel directions are available for anyone wishing to attend, and an outline of the programme for this term is below.

• An overview of vulnerability research and exploitation — 16 May, 16:15
  (Peter Winter-Smith and Chris Anley, NGS Software)
• CCTV in the UK: A failure of theory or a failure of practice? — 17 May, 14:15
  (Martin Gill, PRCI Ltd)
• Network Security Monitoring – 19 May, 16:00
  (Richard Bejtlich, TaoSecurity)
• Opening locks by bumping in five seconds or less: is it really a threat to physical security? – 23 May, 14:15
  (Marc Weber Tobias, Investigative Law Offices)

If you would like to receive email announcements of forthcoming seminars, please contact me.