Category Archives: Awards

Inter-ACE cyberchallenge at Cambridge

The best student hackers from the UK’s 13 Academic Centres of Excellence in Cyber Security Research are coming to Cambridge for the first Inter-ACE Cyberchallenge tomorrow, Saturday 23 April 2016.

inter-ace-logo4
The event is organized by the University of Cambridge in partnership with Facebook. It is loosely patterned on other inter-university sport competitions, in that each university enters a team of four students and the winning team takes home a trophy that gets engraved with the name of their university and is then passed on to the next winning team the following year.
trophies
Participation in the Inter-ACE cyberchallenge is open only to Universities accredited as ACEs under the EPSRC/GCHQ scheme. 10 of the 13 ACEs have entered this inaugural edition: alphabetically, Imperial College, Queens University Belfast, Royal Holloway University of London, University College London, University of Birmingham, University of Cambridge (hosting), University of Kent, University of Oxford, University of Southampton, University of Surrey. The challenges are set and administered by Facebook, but five of the ten competing insitutions have also sent Facebook an optional “guest challenge” for others to solve.
The players compete in a CTF involving both “Jeopardy-style” and “attack-defense-style” aspects. Game progress is visualized on a world map somewhat reminiscent of Risk, where teams attempt to conquer and re-conquer world countries by solving associated challenges.
We designed the Inter-ACE cyberchallenge riding on the success of the Cambridge2Cambridge cybersecurity challenge we ran in collaboration with MIT last March. In that event, originally planned following a January 2015 joint announcement by US President Barack Obama and UK Prime Minister David Cameron, six teams of students took part in a 24-hour Capture-The-Flag involving several rounds and spin-out individual events such as “rapid fire” (where challengers had to break into four different vulnerable binaries under time pressure) and “lock picking”, also against the clock and against each other. The challenges were expertly set and administered by ForAllSecure, a cybersecurity spin-off from Carnegie Mellon University.
C2C Updated Header- 3.7.16-1
With generous support from the UK consulate in Boston we were able to fly 10 Cambridge students to MIT. By design, we mixed people from both universities in each team, to promote C2C as an international cooperation and a bridge-building exercise. Thanks to the generosity of the many sponsors of the event, particularly Microsoft who funded the cash prizes, the winning team “Johnny Cached”, consisting of two MIT and two Cambridge students, walked away with 15,000 USD. Many other medals were awarded for various achievements throughout the event. Everyone came back with a sense of accomplishement and with connections with new like-minded and highly skilled friends across the pond.
9-2-with-medals
In both the C2C and the Inter-ACE I strived to design the rules in a way that would encourage participation not just from the already-experienced but also from interested inexperienced students who wanted to learn more. So, in C2C I designed a scheme where (following a pre-selection to rank the candidates) each team would necessarily include both experienced players and novices; whereas in Inter-ACE, where each University clearly had the incentive of picking their best players to send to Cambridge to represent them, I asked our technical partners Facebook to provide a parallel online competition that could be entered into remotely by individual students who were not on their ACE’s team. This way nobody who wanted to play is left out.
Industry and government (ours, but probably also those of whatever other country you’re reading this blog post from) concur that we need more cybersecurity experts. They can’t hire the good ones fast enough. A recent Washington post article lamented that “Universities aren’t doing enough to train the cyberdefenders America desperately needs”. Well, some of us are, and are taking the long term view.
As an educator, I believe the role of a university is to teach the solid foundations, the timeless principles, and especially “learning how to learn”, rather than the trick of the day; so I would not think highly of a hacking-oriented university course that primarily taught techniques destined to become obsolete in a couple of years. On the other hand, a total disconnect between theory and practice is also inappropriate. I’ve always introduced my students to lockpicking at the end of my undergraduate security course, both as a metaphor for the attack-defense interplay that is at the core of security (a person unskilled at picking locks has no hope of building a new lock that can withstand determined attacks; you can only beat the bad guys if you’re better than them) and to underline that the practical aspects of security are also relevant, and even fun. It has always been enthusiastically received, and has contributed to make more students interested in security.
I originally accepted to get involved in organizing Cambridge 2 Cambridge, with my esteemed MIT colleague Dr Howie Shrobe, precisely because I believe in the educational value of exposing our students to practical hands-on security. The C2C competition was run as a purely vocational event for our students, something they did during evenings and weekends if they were interested, and on condition it would not interfere with their coursework. However, taking on the role of co-organizing C2C allowed me, with thanks to the UK Cabinet Office, to recruit a precious full time collaborator, experienced ethical hacker Graham Rymer, who has since been developing a wealth of up-to-date training material for C2C. My long term plan, already blessed by the department, is to migrate some of this material into practical exercises for our official undergraduate curriculum, starting from next year. I think it will be extremely beneficial for students to get out of University with a greater understanding of the kind of adversaries they’re up against when they become security professionals and are tasked to defend the infrastructure of the organization that employs them.
Another side benefit of these competitions, as already remarked, is the community building, the forging of links between students. We don’t want merely to train individuals: we want to create a new generation of security professionals, a strong community of “good guys”. And if they met each other at the Inter-ACE when they were little, they’re going to have a much stronger chance of actively collaborating ten years later when they’re grown-ups and have become security consultants, CISOs or heads of homeland security back wherever they came from. Sometimes I have to fight with narrow-minded regulations that would only, say, offer scholarships in security to students who could pass security clearance. Well, playing by such rules makes the pool too small. For as long as I have been at Cambridge, the majority of the graduates and faculty in our security research group have been “foreigners” (myself included, of course). A university that only worked with students (and staff, for that matter) from its own country would be at a severe disadvantage compared to those, like Cambridge, that accept and train the best in the whole world. I believe we can only nurture and bring out the best student hackers in the UK in a stimulating environment where their peers are the best student hackers from anywhere else in the world. We need to take the long term view and understand that we cannot reach critical mass without this openness. We must show how exciting cybersecurity is to those clever students who don’t know it yet, whatever their gender, prior education, social class, background, even (heaven forbid) those scary foreigners, hoo hoo, because it’s only by building a sufficiently large ecosystem of skilled, competent and ethically trained good guys that employers will have enough good applicants “of their preferred profile” in the pool they want to fish in for recruitment purposes.
My warmest thanks to my academic colleagues leading the other ACE-CSRs who have responded so enthusiastically to this call at very short notice, and to the students who have been so keen to come to Cambridge for this Inter-ACE despite it being so close to their exam season. Let’s celebrate this diversity of backgrounds tomorrow and forge links between the best of the good guys, wherever they’re from. Going forward, let’s attract more and more brilliant young students to cybersecurity, to join us in the fight to make the digital society safe for all, within and across borders.

Award-winning case history of the care.data health privacy scandal

Each year we divide our masters of public policy students into teams and get them to write case studies of public policy failures. The winning team this year wrote a case study of the care.data fiasco. The UK government collected personal health information on tens of millions of people who had had hospital treatment in England and then sold it off to researchers, drug companies and even marketing firms, with only a token gesture of anonymisation. In practice patients were easy to identify. The resulting scandal stalled plans to centralise GP data as well, at least for a while.

Congratulations to Lizzie Presser, Maia Hruskova, Helen Rowbottom and Jesse Kancir, who tell the story of how mismanagement, conflicts and miscommunication led to a failure of patient privacy on an industrial scale, and discuss the lessons that might be learned. Their case study has just appeared today in Technology Science, a new open-access journal for people studying conflicts that arise between technology and society. LBT readers will recall several posts reporting the problem, but it’s great to have a proper, peer-reviewed case study that we can give to future generations of students. (Incidentally, the previous year’s winning case study was on a related topic, the failure of the NHS National Programme for IT.)

Largest ever civil government IT disaster

Last year I taught a systems course to students on the university’s Masters of Public Policy course (this is like an MBA but for civil servants). For their project work, I divided them into teams of three or four and got them to write a case history of a public-sector IT project that went wrong.

The class prize was won by Oliver Campion-Awwad, Alexander Hayton, Leila Smith and Mark Vuaran for The National Programme for IT in the NHS – A Case History. It’s now online, not just to acknowledge their excellent work and to inspire future MPP students, but also as a resource for people interested in what goes wrong with large public-sector IT projects, and how to do better in future.

Regular readers of this blog will recall a series of posts on this topic and related ones; yet despite the huge losses the government doesn’t seem to have learned much at all.

There is more information on our MPP course here, while my teaching materials are available here. With luck, the next generation of civil servants won’t be quite as clueless.

NSA Award for Best Scientific Cybersecurity Paper

Yesterday I received the NSA award for the Best Scientific Cybersecurity Paper of 2012 for my IEEE Oakland paper “The science of guessing.” I’m honored to have been recognised by the distinguished academic panel assembled by the NSA. I’d like to again thank Henry Watts, Elizabeth Zwicky, and everybody else at Yahoo! who helped me with this research while I interned there, as well as Richard Clayton and Ross Anderson for their support and supervision throughout.

On a personal note, I’d be remiss not to mention my conflicted feelings about winning the award given what we know about the NSA’s widespread collection of private communications and what remains unknown about oversight over the agency’s operations. Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path.

In accepting the award I don’t condone the NSA’s surveillance. Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form. Yet I’m glad I got the rare opportunity to visit with the NSA and I’m grateful for my hosts’ genuine hospitality. A large group of engineers turned up to hear my presentation, asked sharp questions, understood and cared about the privacy implications of studying password data. It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade. Our focus must remain on winning the public debate around surveillance and developing privacy-enhancing technology. But I hope that this award program, established to increase engagement with academic researchers, can be a small but positive step.

Call for Nominations: 2013 PET Award

I am on the award committee for the 2013 PET Award and we are looking for nominations of papers which have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology.

The 2013 award will be presented at Privacy Enhancing Technologies Symposium (PETS) and carries a prize of $3,000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from 16 April 2011 until 31 March 2013.

To submit a nomination, please see the instructions on the award page.

Call for nominations for PET Award 2012

Nominations are invited for the 2012 PET Award by 31 March 2012.

The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS).

The PET Award carries a prize of 3000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from 1 June 2010 until 31 March 2012.

For eligibility requirements, refer to the award rules.

Anyone can nominate a paper by sending an email message containing the following to award-chairs12@petsymposium.org:

  • Paper title
  • Author(s)
  • Author(s) contact information
  • Publication venue and full reference
  • Link to an available online version of the paper
  • A nomination statement of no more than 500 words.

All nominations must be submitted by 31 March 2012. The Award Committee will select one or two winners among the nominations received. Winners must be present at the 2012 PET Symposium in order to receive the Award. This requirement can be waived only at the discretion of the PET Advisory board.

More information about the PET award (including past winners) is see the award website.

The PET Award: Nominations wanted for prestigious privacy award

The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS).

The PET Award carries a prize of 3000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from August 8, 2009 until April 15, 2011.

The complete award rules including eligibility requirements can be found under the award rules section of the PET Symposium website.

Anyone can nominate a paper by sending an email message containing the following to award-chair11@petsymposium.org.

  • Paper title
  • Author(s)
  • Author(s) contact information
  • Publication venue and full reference
  • Link to an available online version of the paper
  • A nomination statement of no more than 500 words.

All nominations must be submitted by April 15th, 2011. The Award Committee will select one or two winners among the nominations received. Winners must be present at the PET Symposium in order to receive the Award. This requirement can be waived only at the discretion of the PET Advisory board.

More information about the PET award (including past winners) is available at http://petsymposium.org/award/

More information about the 2011 PET Symposium is available at http://petsymposium.org/2011.

Capsicum: practical capabilities for UNIX

Today, Jonathan Anderson, Ben Laurie, Kris Kennaway, and I presented Capsicum: practical capabilities for UNIX at the 19th USENIX Security Symposium in Washington, DC; the slides can be found on the Capsicum web site. We argue that capability design principles fill a gap left by discretionary access control (DAC) and mandatory access control (MAC) in operating systems when supporting security-critical and security-aware applications.

Capsicum responds to the trend of application compartmentalisation (sometimes called privilege separation) by providing strong and well-defined isolation primitives, and by facilitating rights delegation driven by the application (and eventually, user). These facilities prove invaluable, not just for traditional security-critical programs such as tcpdump and OpenSSH, but also complex security-aware applications that map distributed security policies into local primitives, such as Google’s Chromium web browser, which implement the same-origin policy when sandboxing JavaScript execution.

Capsicum extends POSIX with a new capability mode for processes, and capability file descriptor type, as well as supporting primitives such as process descriptors. Capability mode denies access to global operating system namespaces, such as the file system and IPC namespaces: only delegated rights (typically via file descriptors or more refined capabilities) are available to sandboxes. We prototyped Capsicum on FreeBSD 9.x, and have extended a variety of applications, including Google’s Chromium web browser, to use Capsicum for sandboxing. Our paper discusses design trade-offs, both in Capsicum and in applications, as well as a performance analysis. Capsicum is available under a BSD license.

Capsicum is collaborative research between the University of Cambridge and Google, and has been sponsored by Google, and will be a foundation for future work on application security, sandboxing, and security usability at Cambridge and Google. Capsicum has also been backported to FreeBSD 8.x, and Heradon Douglas at Google has an in-progress port to Linux.

We’re also pleased to report the Capsicum paper won Best Student Paper award at the conference!

IEEE best paper award

Steven Murdoch, Saar Drimer, Mike Bond and I have just won the IEEE Security and Privacy Symposium’s Best Practical Paper award for our paper Chip and PIN is Broken. This was an unexpected pleasure, given the very strong competition this year (especially from this paper). We won this award once before, in 2008, for a paper on a similar topic.

Ross, Mike, Saar, Steven (photo by Joseph Bonneau)

Update (2010-05-28): The photo now includes the full team (original version)