Monthly Archives: December 2012

Identifying file sharers — the US approach

2012-12-24Legal issues, News coverageRichard Clayton

Last Friday’s successful appeal in the Golden Eye case will mean that significantly more UK-based broadband users will shortly be receiving letters that say that they appear to have been participating in file sharing activity of pornographic films. Recipients of these letters could do worse than to start by consulting this guide as to what to do next.

Although I acted as an expert witness in the original hearing, I was not involved in the appeal since. It was not concerned with technical matters, but was deciding whether Golden Eye could pursue claims for damages on behalf of third party copyright holders (the court says that they may now do so).

Subsequent to the original hearing, I assisted Consumer Focus by producing an expert report on how evidence in file sharing cases should be collected and processed. I wrote about this here in July.

In September, at the request of Consumer Focus, I attended a presentation given by Ms Marianne Grant, Senior Vice President of the Motion Picture Association of America (MPAA) in which she outlined the way in which rights holders in the United States were proposing to monitor unauthorised file sharing of copyright material.

I had a number of concerns about these proposals and I wrote to Consumer Focus to set these out. I have now noted (somewhat belatedly, hence this holiday season blog post) that Consumer Focus have made this letter available online, along with their own letter to the MPAA.

So 2013 looks like being “interesting times” for Internet traceabity — with letters going out in bulk to UK consumer from Golden Eye, and the US “six strikes” process forecast to roll out early next year (albeit it’s been forecast to start in November 2012, July 2012 and many dates before that, so we shall see).

Authentication is machine learning

2012-12-14Authentication, Security economics, Security engineeringJoseph Bonneau

Last week, I gave a talk at the Center for Information Technology Policy at Princeton. My goal was to expand my usual research talk on passwords with broader predictions about where authentication is going. From the reaction and discussion afterwards one point I made stood out: authenticating humans is becoming a machine learning problem.

Problems with passwords are well-documented. They’re easy to guess, they can be sniffed in transit, stolen by malware, phished or leaked. This has led to loads of academic research seeking to replace passwords with something, anything, that fixes these “obvious” problems. There’s also a smaller sub-field of papers attempting to explain why passwords have survived. We’ve made the point well that network economics heavily favor passwords as the incumbent, but underestimated how effectively the risks of passwords can be managed in practice by good machine learning.

From my brief time at Google, my internship at Yahoo!, and conversations with other companies doing web authentication at scale, I’ve observed that as authentication systems develop they gradually merge with other abuse-fighting systems dealing with various forms of spam (email, account creation, link, etc.) and phishing. Authentication eventually loses its binary nature and becomes a fuzzy classification problem. Continue reading Authentication is machine learning →

History of security economics

2012-12-13Academic papers, Awards, Security economics, Security psychologyRoss Anderson

I’m just back from ACSAC where I gave an invited paper. Security
Economics – A Personal Perspective tells the story of how security economics got going as a subject. This is often credited to a paper I gave at ACSAC 2001 but the real story is more complex.

CFP: Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2013)

2012-12-10Call for papers, Operating systems, Processors, Programming languagesRobert N. M. Watson

This year, we presented two papers at RESoLVE 2012 relating to the structure of operating systems and hardware, one focused on CPU instruction set security features out of our CTSRD project, and another on efficient and reconfigurable communications in data centres out of our MRC2 project.

I’m pleased to announce the Call for Papers for RESoLVE 2013, a workshop (co-located with ASPLOS 2013) that brings together researchers in both the OS and language level virtual machine communities to exchange ideas and experiences, and to discuss how these separate layers can take advantage of each others’ services. This has a particular interest to the security community, who both want to build, and build on, security properties spanning hardware protection (e.g., VMs) and language-level protection.

Runtime Environments, Systems, Layering and Virtualized Environments
(RESoLVE 2013)

ASPLOS 2013 Workshop, Houston, Texas, USA
March 16, 2013

Introduction

Today’s applications typically target high-level runtime systems and frameworks. At the same time, the operating systems on which they run are themselves increasingly being deployed on top of (hardware) virtual machines. These trends are enabling applications to be written, tested, and deployed more quickly, while simplifying tasks such as checkpointing, providing fault-tolerance, enabling data and computation migration, and making better, more power-efficient use of hardware infrastructure.

However, much current work on virtualization still focuses on running unmodified legacy systems and most higher-level runtime systems ignore the fact that they are deployed in virtual environments. The workshop on Runtime Environments, Systems, Layering, and Virtualized Environments (RESoLVE 2013) aims to brings together researchers in both the OS and language level virtual machine communities to exchange ideas and experiences and to discuss how these separate layers can take advantage of each others’ services.

Continue reading CFP: Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2013) →

Virgin Money sends email helping phishers

2012-12-07Authentication, Banking security, Usability, Web securitySteven J. Murdoch

It’s not unusual for banks to send emails which are confusingly similar to phishing, but this recent one I received from Virgin Money is exceptionally bad. It tells customers that the bank (Northern Rock) is changing domain names from their usual one (northernrock.co.uk) to virginmoney.com and customers should use their usual security credentials to log into the new domain name. Mail clients will often be helpful and change the virginmoney.com into a link.

This message is exactly what phishers would like customers to fall for. While this email was legitimate (albeit very unwise), a criminal could follow up with an email saying that savings customers should access their account at virginsavings.net (which is currently available for registration). Virgin Money have trained their customers to accept such emails as legitimate, which is a very dangerous lesson to teach.

It would have been safer to not do the rebranding, but if that’s considered essential for commercial reasons, then customers should have been told to continue accessing the site at their usual domain name, and redirected them (via HTTPS) to the new site. It would mean keeping hold of the Northern Rock domain names for the foreseeable future, but that is almost certainly what Virgin Money are planning anyway.

[larger version]

M	T	W	T	F	S	S
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

Light Blue Touchpaper

Security Research, Computer Laboratory, University of Cambridge