Category Archives: Security economics

Social-science angles of security

Cambridge Cybercrime Conference 2025 – Liveblog

The Cambridge Cybercrime Centre‘s eight one day conference on cybercrime was held on Monday, 23rd June 2025, which marked 10 years of the Centre.

Similar to previous “liveblog” coverage of conferences and workshops on Light Blue Touchpaper, here is a “liveblog”-style overview of the talks at this year’s conference.

Sunoo Park — Legal Risks of Security Research

Sunoo discussed researchers receiving restrictive TOS clauses, and risk around adversarial scrutiny. Noting that it’s difficult to distinguish from malicious hacking, and we need to understand the risks. Sunoo highlights particular US laws that creates risk for researchers, sharing a guide they wrote for highlighting these risks. This project grew from colleagues receiving legal threats, as well as clients, wanting to enable informed decisions on how to seek advice, and also try to nudge public discussion on law reforms.

The CFAA was passed a long time ago, around the time of the Wargames film. Computer crime has changed a lot since then. They define computer to be pretty much any computer, where access is unauthorized or exceeds authorized access. One early case was United States vs McDanel, who found a bug in customer software and reported this to customers. This resulted in a legal case where customers were informed of a security flaw, due to the cost of fixing the flaw, but the government later requested the case be overturned. More recently, there was a case of a police database being accessed for a bribe, which was also under the CFAA.

Another law is the DMCA, which states that “no person shall circumvent a technological measure that effectively controls access to work”, and this may apply to captchas, anti-bot, etc.

Sunoo is starting a new study looking at researchers’ lived experiences of legal risk under US/UK law. It can be hard for researchers to talk openly about these, which results in little evidence to counter laws. Furthermore, there’s a lot of anecdotal information. Sunoo would like to hear from US/UK researchers relating to law and researchers.

Alice Hutchings — Ten years of the Cambridge Cybercrime Centre

The Centre was established in 2015, to collect and share cybercrime data internationally. They collect lots of data at scale: forums, chat channels, extremist platforms, DDoS attacks, modded apps, defacements, spam, and more. They share datasets with academics, not for commercial purposes, through agreements to set out ethical and legal constraints. The aim was to help researchers with collecting data at scale, and overcome challenges with working on large datasets. They don’t just collect data, but they do their own research too, around crime types, offenders, places, and responses.

Session 1: Trust, Identity, and Communication in Cybercriminal Ecosystems

Roy Ricaldi— From trust to trade: Uncovering the trust-building mechanisms supporting cybercrime markets on Telegram

Roy is researching trust and cybercrime, and how this is built on Telegram. Cybercrime markets rely on trust to function, and there is existing literature on this topic for forums. Forums have structured systems, such as reputation and escrow, whereas Telegram is more ephemeral, but still used for trading. Roy asks how trust established in this volatile, high-risk environment? Economic theory states without trust, markets can fail.

Roy starts by exploring the market segments found, looking at trust signals, and how frequently users are exposed to these trust systems. Roy notes chat channels can have significant history, and while trust signals exists, users may not be likely to find older trust signals easily. They built a snowballing and classification pipeline, to collect over 1 million messages from 167 telegram communities. Later, they developed a framework, for measuring and simulating trust signals. Findings showed market segments were highly thematic within communities, and trust signals. They used DeepseekV3 for classification, which detected trust signals and market segments with highest accuracy. They found an uneven distribution of trust signals across market segments. For example, piracy content is free so trust signals were low.

They find messages asking for use of escrow, or asking other to “vouch” for sellers. Some of these communities have moderators which would set rules around types of messages. After looking at the distribution, they ran a simulation to see how many signals the users were exposed to. Setup profiles of market segments, communities visited and messages read. They found 70% of users see 5 or less trust signals in their simulation, and all users see at least 1. Over time, these do evolve with digital infrastructure forming a larger peak. They note the importance of understanding how trust works on Telegram, to help find the markets that matter and can cause harm.

John McAlaneyPower, identity and group dynamics in hacking forums

John discussed work in progress around power structures and group dynamics in the CrimeBB dataset. He attended Defcon as a social psychologist, observing the interaction dynamics and how people see themselves within the large size of the conference.

Previous work in identity asked if hacking forums members considered themselves to be a “hacker” and resulted in discussions around the term and labelling. Other previous work looked at themes of what was spoken about in forums, such as legality, honesty, skill acquisition, knowledge, and risk. Through interviews, they found people had contradictory ideas around trust. They note existing hierarchies of power within forums, and evidence of social psychological phenomenon.

Within existing research literature, John found a gap where theories had not been explored necessarily in the online forum setting. They ask if there are groups forming on hacking forums in the same way as other online forums? Also, how does the structure of these groups differ? Are group dynamics different?

He was initially working with a deductive approach for thematic analysis. “Themes do not emerge from thematic analysis”, rather they are exploring what is currently discussed. He is not looking to generalise from thematic analysis, but rather looking into BERT next to see if they are missing any themes from the dataset.

He suggests the main impact will aim to contribute back to sociological literature, and also try to improve threat detection.

Haitao ShiEvaluating the impact of anonymity on emotional expression in drug-related discussions: a comparative study of the dark web and mainstream social media

Haitao looked at self-disclosure, emotional disclosure, and environmental influence on cybercrime forums. They ask how different models of anonymity across chat channels and forums vary, and which different communications styles emerge? They identified drug-related channels and discussions for their analysis, and took steps to clean and check dataset quality. The project used BERTopic, for embedding messages to be used in clustering, then plotted these to visually identify similar topics. To further explore the topics, Haitao used an emotion classifier to detect intent. They found high levels of disgust, anger, and anticipation in their dataset.

Session 2: Technical Threats and Exploitation Tactics

Taro TsuchiyaBlockchain address poisoning

Taro introduces a scenario of sending rent, where the victim seems to make an error selecting a cryptocurrency address. This turns out to have been a poisoned address. Taro aims to identify address poisoning, to see how prevalent this is, and measure the payoff. They identify attack attempts with an algorithm to match transfers with similar addresses in a given time range.

They detect 270M attack transfers on 17M victims, estimating a $84M USD loss. They found loss was much higher on Ethereum, and this lookalike attack is easily generalisable and scalable.

They bundled these into groups, considering two are the same if, they are launched in the same transaction, and they use the same address to pay the transaction fees, or they use the same lookalike address. Clustering found “copying bots”, who copy other transactions for front-running. The attack groups identified are large but heterogenous, and the attack itself is profitable for large groups. Furthermore, larger groups tend to win over smaller groups. Finally, they model lookalike address generation, finding one large group is using GPUs to generate these addresses.

They give suggestions for mitigating these attacks, by adding latency for address generation, disallow zero-value transfers, and increase wallet lengths. They also want to alert users to this risk of this attack.

Marre SlikkerThe human attack surface: understanding hacker techniques in exploiting human elements

Marre is looking at human factors in security, as this is commonly the weakest link in security. Marre asks what do hackers on underground forums discuss regarding the exploitation of human factors in cybercrime? They look at CrimeBB data to analyse topics discussed, identify lexicon used, and give a literature review of how these factors are conceptualised.

They create a bridge between academic human factor language (“demographics”) to hacker language (“target dumb boomers”), and use topic modelling to identify distribution of words used in forum messages.

What were their results? A literature review found a lot of inconsistencies in human factors research terminology. Following this, they asked cybersecurity experts about human factors, and created a list of 328 keywords to help filter the dataset. Topic modelling was then used, however the results were quite superficial, with lots of noise and general chatter.

Kieron Ivy Turk — Technical Tactics Targeting Tech-Abuse

Ivy discussed a project on personal item tracking devices, which have been misused for stalking, domestic abuse, and theft. Companies have developed anti-stalking features to try to mitigate these issues. They ran a study with the Assassins Guild, provided students with trackers to test the efficacy of these features. Their study found nobody used the anti-stalking features, despite everyone in the study knowing there was a possibility they were being stalked. At the time of the study, the scanning apps only tended to detect a subset of tracker brands. Apple and Google have since created an RFC to try to standardise trackers and anti-stalking measures.

Ivy has also been working on IoT security to understand the associated risks. They present a HARMS model to help analyse IoT device security failings. Ivy ran a study to identify harms with IoT devices, asking participants to misuse these. They ask how do attackers discover abusive features? They found participants used and explored the UI to find features available to them. They suggest the idea of a “UI-bounded” adversary is limiting, and rather attackers are “functionality-enabled”.

Ivy asks how can we create technical improvements in future with IoT?

Session 3: Disruption and Resilience in Illicit Online Activities

Anh V. VuAssessing the aftermath: the effects of a global takedown against DDoS-for-hire services

Anh has been following DDoS takedowns by law enforcement. DDoS for hire services provide a platform for taking control of botnets to be used in flooding servers with fake traffic. There is little technical skill needed, and is cheap. These services publicly advertise statistics of daily attacks they contribute to.

Law enforcement continues to takedown DDoS infrastructure, focusing on domain takedowns. Statistics of visitors following the takedowns found 20M visitors, and 34k messages were collected from DDoS support Telegram channels. They also have DDoS UDP amplification data, and collected self-reported DDoS attack data.

Domain takedowns showed that domains returned quickly, 52% returned after the first takedown, and in the second takedown all returned. Domain takedown appears to now have limited effect. Visitor statistics showed large booters operate a franchise business, offering API access to resellers.

Following the first takedown, activity and chat channel messages declined, but this had less impact in the second wave. Operators gave away free extensions to plans, and a few seemed to leave the market.

Their main takeaway is the overall intervention impact is short lived, and suppressing the supply side alone is not enough as the demand continues to persist in the long run. He asks what can be done better for interventions in the future?

Dalya ManatovaModeling organizational resilience: a network-based simulation for analyzing recovery and disruption of ransomware operations

Dalya studies the organisational dynamics and resilience of cybercrime, tracking the evolution and rebranding of ransomware operators. To carry out ransomware, they need infrastructure. This includes selecting targets, executing, ransom negotiation, payment processing, and victim support, and creating leak websites. They break this down further into a complex model, showing the steps of ransomware attacks. They use this to model the task duration involved in attacks, estimating how long it takes to complete a ransomware attack when learning. Following this, they create infrastructure disruption and observe how this process changes. They also model the disruption of members: what happens if they reassign tasks to others or hire a new person?

Marco WähnerThe prevalence and use of conspiracy theories in anonymity networks

Marco first asks what is a conspiracy theory? These all appear to have right-wing extremism, antisemitism, and misinformation. There are a lot of challenges around researching conspiracy theories: the language is often indirect and coded, however this is not a new phenomenon.

What is the influence of environmental and structural of conspiracy theories in anonymised networks? Marco notes this can be for strengthening social ties, and fosters a sense of belonging. Also, this may be used with ideological or social incentives.

Marco asks how we can identify these theories circulating in anonymised networks, and if these are used to promote illicit activities or drive sales? This could then be used to formulate intervention strategies. They took a data-driven approach looking at CrimeBB and ExtremeBB data to find conspiracies, using dictionary keyword searches and topic modelling. Preliminary research found prevalence of conspiracies was very low. ExtremeBB is a bit higher, but still rare.

They provide explanations for the low level of distribution. Keywords are indirect, and can be out of context when searching. Also, conspiratorial communications are not always needed to sell products. They are aiming to strengthen the study design, by coding a subsample to check for false positives, and use classical ML models. They find a dictionary approach may not be a good starting point, and conspiracies are not always used to sell products.

It is time to standardize principles and practices for software memory safety

In an article in the February, 2025 issue of Communications of the ACM, I join 20 coauthors from across academia and industry in writing about the remarkable opportunity for universal strong memory safety in low-level Trusted Computing Bases (TCBs) enabled by recent advances in type- and memory-safe systems programming languages (e.g., the Rust language), hardware memory protection (e.g., our work on CHERI), formal methods, and software compartmentalisation. These technologies are seeing increasing early deployment in critical software TCBs, but struggle to make headway at scale given real costs and potential disruption stemming from their adoption combined with unclear market demand despite widespread recognition of the criticality of this issue. As a result, billions of lines of memory-unsafe C/C++ systems code continue to make up essential TCBs across the industry – including Windows, Linux, Android, iOS, Chromium, OpenJDK, FreeRTOS, vxWorks, and others. We argue that a set of economic factors such as high opportunity costs, negative security impact as an externality, and two-sided incomplete information regarding memory safety lead to limited and slow adoption despite the huge potential security benefit: It is widely believed that these techniques would have deterministically eliminated an estimated 70% of critical security vulnerabilities in these and other C/C++ TCBs over the last decade.

In our article, we describe how developing standards for memory-safe systems may be able to help enable remedies by making potential benefit more clear (and hence facilitating clear signalling of demand) as well as permitting interventions such as:

  • Improving actual industrial practice
  • Enabling acquisition requirements that incorporate memory-safety expectations
  • Enabling subsidies or tax incentives
  • Informing international discussions around software liability
  • Informing policy interventions for specific, critical classes of products/use cases
Continue reading It is time to standardize principles and practices for software memory safety

Join Our 3-Course Series on Cybersecurity Economics

On 2 October, TU Delft are starting a new online three course series on cybersecurity economics. I am co-teaching this course with Michel van Eeten (TU Delft), Daniel Woods (University of Edinburgh), Simon Parkin (TU Delft), Rolf van Wegberg (TU Delft), Tyler Moore (Tulsa Uni) and Rainer Böhme (Innsbruck Uni). The course also features content from Ross Anderson (University of Cambridge), recorded before his passing. Ross was passionate about teaching, and was deeply involved in the design of this MOOC.

The first course on Foundation and Measurement provides you with foundational micro-economic concepts to explain security behavior of various actors involved securing the organization – internally, like IT and business units, and externally, like suppliers, customers and regulators. Next, it equips you with a causal framework to understand how to measure the effectiveness of security controls, as well as what measurements are currently available.

The second course on Users and Attackers presents a wealth of insights on the individuals involved in security: from user behavior to the strategies of attackers. Contrary to popular opinion, users are not the weakest link. If you want to know why do users not follow company security policies, you need to look at the costs imposed on them. On the side of the attackers, there are also clear incentives at work. The course covers the latest insights on attacker behavior.

The third course on Solutions covers answers to overcome the incentive misalignment and information problems at the level of organizations and at the level of markets. Starting with the standard framework of risk management, the course unpacks how to identify solutions in risk mitigation and risk transfer and where risk acceptance might be more rational. Finally, we need to address market failures, since they end up undermining the security of firms and society at large.

Hacktivism, in Ukraine and Gaza

People who write about cyber-conflict often talk of hacktivists and other civilian volunteers who contribute in various ways to a cause. Might the tools and techniques of cybercrime enable its practitioners to be effective auxiliaries in a real conflict? Might they fall foul of the laws of war, and become unlawful combatants?

We have now measured hacktivism in two wars – in Ukraine and Gaza – and found that its effects appear to be minor and transient in both cases.

In the case of Ukraine, hackers supporting Ukraine attacked Russian websites after the invasion, followed by Russian hackers returning the compliment. The tools they use, such as web defacement and DDoS, can be measured reasonably well using resources we have developed at the Cambridge Cybercrime Centre. The effects were largely trivial, expressing solidarity and sympathy rather than making any persistent contribution to the conflict. Their interest in the conflict dropped off rapidly.

In Gaza, we see the same pattern. After Hamas attacked Israel and Israel declared war, there was a surge of attacks that peaked after a few days, with most targets being strategically unimportant. In both cases, discussion on underground cybercrime forums tailed off after a week. The main difference is that the hacktivism against Israel is one-sided; supporters of Palestine have attacked Israeli websites, but the number of attacks on Palestinian websites has been trivial.

Extending transparency, and happy birthday to the archive

I was delighted by two essays by Anton Howes on The Replication Crisis in History Open History. We computerists have long had an open culture: we make our publications open, as well as sharing the software we write and the data we analyse. My work on security economics and security psychology has taught me that this culture is not yet as well-developed in the social sciences. Yet we do what we can. Although we can’t have official conference proceedings for the Workshop on the Economics of Information Security – as then the economists would not be able to publish their papers in journals afterwards – we found a workable compromise by linking preprints from the website and from a liveblog. Economists and psychologists with whom we work have found their citation counts and h-indices boosted by our publicity mechanisms; they have incentives to learn.

A second benefit of transparency is reproducibility, the focus of Anton’s essay. Scholars are exposed to many temptations, which vary by subject matter, but are more tempting when it’s hard for others to check your work. Mathematical proofs should be clear and elegant but are all too often opaque or misleading; software should be open-sourced for others to play with; and we do what we can to share the data we collect for research on cybercrime and abuse.

Anton describes how more and more history books are found to have weak foundations, where historians quote things out of context, ignore contrary evidence, and elaborate myths and false facts into misleading stories that persist for decades. How can history correct itself more quickly? The answer, he argues, is Open History: making as many sources publicly available as possible, just like we computerists do.

As it happens, I scanned a number of old music manuscripts years ago to help other traditional music enthusiasts, but how can this be done at scale? One way forward comes from my college’s Archives Centre, which holds the personal papers of Sir Winston Churchill as well as other politicians and a number of eminent scientists. There the algorithm is that when someone requests a document, it’s also scanned and put online; so anything Alice looked at, Bob can look at too. This has raised some interesting technical problems around indexing and long-term archiving which I believe we have under control now, and I’m pleased to say that the Archives Centre is now celebrating its 50th anniversary.

It would also be helpful if old history books were as available online as they are in our library. Given that the purpose of copyright law is to maximise the amount of material that’s eventually available to all, I believe we should change the law to make continued copyright conditional on open access after an initial commercial period. Otherwise our historians’ output vanishes from the time that their books come off sale, to the time copyright expires maybe a century later.

My own Security Engineering book may show the way. With both the first edition in 2001 and the second edition in 2008, I put six chapters online for free at once, then released the others four years after publication. For the third edition, I negotiated an agreement with the publishers to put the chapters online for review as I wrote them. So the book came out by instalments, like Dickens’ novels, from April 2019 to September 2020. On the first of November 2020, all except seven sample chapters disappeared from this page for a period of 42 months; I’m afraid Wiley insisted on that. But after that, the whole book will be free online forever.

This also makes commercial sense. For both the 2001 and 2008 editions, paid-for sales of paper copies increased significantly after the whole book went online. People found my book online, liked what they saw, and then bought a paper copy rather than just downloading it all and printing out a thousand-odd pages. Open access after an exclusive period works for authors, for publishers and for history. It should be the norm.

The Pre-play Attack in Real Life

Recently I was contacted by a Falklands veteran who was a victim of what appears to have been a classic pre-play attack; his story is told here.

Almost ten years ago, after we wrote a paper on the pre-play attack, we were contacted by a Scottish sailor who’d bought a drink in a bar in Las Ramblas in Barcelona for €33, and found the following morning that he’d been charged €33,000 instead. The bar had submitted ten transactions an hour apart for €3,300 each, and when we got the transaction logs it turned out that these transactions had been submitted through three different banks. What’s more, although the transactions came from the same terminal ID, they had different terminal characteristics. When the sailor’s lawyer pointed this out to Lloyds Bank, they grudgingly accepted that it had been technical fraud and refunded the money.

In the years since then, I’ve used this as a teaching example both in tutorial talks and in university lectures. A payment card user has no trustworthy user interface, so the PIN entry device can present any transaction, or series of transactions, for authentication, and the customer is none the wiser. The mere fact that a customer’s card authenticated a transaction does not imply that the customer mandated that payment.

Payment by phone should eventually fix this, but meantime the frauds continue. They’re particularly common in nightlife establishments, both here and overseas. In the first big British case, the Spearmint Rhino in Bournemouth had special conditions attached to its license for some time after a series of frauds; a second case affected a similar establishment in Soho; there have been others. Overseas, we’ve seen cases affecting UK cardholders in Poland and the Baltic states. The technical modus operandi can involve a tampered terminal, a man-in-the-middle device or an overlay SIM card.

By now, such attacks are very well-known and there really isn’t any excuse for banks pretending that they don’t exist. Yet, in this case, neither the first responder at Barclays nor the case handler at the Financial Ombudsman Service seemed to understand such frauds at all. Multiple transactions against one cardholder, coming via different merchant accounts, and with delay, should have raised multiple red flags. But the banks have gone back to sleep, repeating the old line that the card was used and the customer PIN was entered, so it must all be the customer’s fault. This is the line they took twenty years ago when chip and pin was first introduced, and indeed thirty years ago when we were suffering ATM fraud at scale from mag-strip copying. The banks have learned nothing, except perhaps that they can often get away with lying about the security of their systems. And the ombudsman continues to claim that it’s independent.

Will GPT models choke on their own exhaust?

Until about now, most of the text online was written by humans. But this text has been used to train GPT3(.5) and GPT4, and these have popped up as writing assistants in our editing tools. So more and more of the text will be written by large language models (LLMs). Where does it all lead? What will happen to GPT-{n} once LLMs contribute most of the language found online?

And it’s not just text. If you train a music model on Mozart, you can expect output that’s a bit like Mozart but without the sparkle – let’s call it ‘Salieri’. And if Salieri now trains the next generation, and so on, what will the fifth or sixth generation sound like?

In our latest paper, we show that using model-generated content in training causes irreversible defects. The tails of the original content distribution disappear. Within a few generations, text becomes garbage, as Gaussian distributions converge and may even become delta functions. We call this effect model collapse.

Just as we’ve strewn the oceans with plastic trash and filled the atmosphere with carbon dioxide, so we’re about to fill the Internet with blah. This will make it harder to train newer models by scraping the web, giving an advantage to firms which already did that, or which control access to human interfaces at scale. Indeed, we already see AI startups hammering the Internet Archive for training data.

After we published this paper, we noticed that Ted Chiang had already commented on the effect in February, noting that ChatGPT is like a blurry jpeg of all the text on the Internet, and that copies of copies get worse. In our paper we work through the math, explain the effect in detail, and show that it is universal.

This does not mean that LLMs have no uses. As one example, we originally called the effect model dementia, but decided to rename it after objections from a colleague whose father had suffered dementia. We couldn’t think of a replacement until we asked Bard, which suggested five titles, of which we went for The Curse of Recursion.

So there we have it. LLMs are like fire – a useful tool, but one that pollutes the environment. How will we cope with it?

2023 Workshop on the Economics of Information Security

WEIS 2023, the 22nd Workshop on the Economics of Information Security, will be held in Geneva from July 5-7, with a theme of Digital Sovereignty. We now have a list of sixteen accepted papers; there will also be three invited speakers, ten posters, and ten challenges for a Digital Sovereignty Hack on July 7-8.

The deadline for early registration is June 10th, and we have discount hotel bookings reserved until then. As Geneva gets busy in summer, we suggest you reserve your room now!