Today at 5pm I’ll be giving the Bellwether Lecture at the Oxford Internet Institute. My topic is Big Conflicts: the ethics and economics of privacy in a world of Big Data.
I’ll be discussing a recent Nuffield Bioethics Council report of which I was one of the authors. In it, we asked what medical ethics should look like in a world of ‘Big Data’ and pervasive genomics. It will take the law some time to catch up with what’s going on, so how should researchers behave meanwhile so that the people whose data we use don’t get annoyed or surprised, and so that we can defend our actions if challenged? We came up with four principles, which I’ll discuss. I’ll also talk about how they might apply more generally, for example to my own field of security research.
Many people assume that quantum mechanics cannot emerge from classical phenomena, because no-one has so far been able to think of a classical model of light that is consistent with Maxwell’s equations and reproduces the Bell test results quantitatively.
Today Robert Brady and I unveil just such a model. It turns out that the solution was almost in plain sight, in James Clerk Maxwell’s 1861 paper On Phyiscal Lines of Force in which he derived Maxwell’s equations, on the assumption that magnetic lines of force were vortices in a fluid. Updating this with modern knowledge of quantised magnetic flux, we show that if you model a flux tube as a phase vortex in an inviscid compressible fluid, then wavepackets sent down this vortex obey Maxwell’s equations to first order; that they can have linear or circular polarisation; and that the correlation measured between the polarisation of two cogenerated wavepackets is exactly the same as is predicted by quantum mechanics and measured in the Bell tests.
This follows work last year in which we explained Yves Couder’s beautiful bouncing-droplet experiments. There, a completely classical system is able to exhibit quantum-mechanical behaviour as the wavefunction ψ appears as a modulation on the driving oscillation, which provides coherence across the system. Similarly, in the phase vortex model, the magnetic field provides the long-range order and the photon is a modulation of it.
We presented this work yesterday at the 2015 Symposium of the Trinity Mathematical Society. Our talk slides are here and there is an audio recording here.
If our sums add up, the consequences could be profound. First, it will explain why quantum computers don’t work, and blow away the security ‘proofs’ for entanglement-based quantum cryptosystems (we already wrote about that here and here). Second, if the fundamental particles are just quasiparticles in a superfluid quantum vacuum, there is real hope that we can eventually work out where all the mysterious constants in the Standard Model come from. And third, there is no longer any reason to believe in multiple universes, or effects that propagate faster than light or backward in time – indeed the whole ‘spooky action at a distance’ to which Einstein took such exception. He believed that action in physics was local and causal, as most people do; our paper shows that the main empirical argument against classical models of reality is unsound.
Today Robert Brady and I will be giving a seminar in Cambridge where we will explain Yves Couder’s beautiful bouncing droplet experiments. Droplets bouncing on a vibrating fluid bath show many of the weird phenomena of quantum mechanics including tunneling, diffraction and quantized orbits.
We published a paper on this in January and blogged it at the time, but now we have more complete results. The two-dimensional model of electromagnetism that we see in bouncing droplets goes over to three dimensions too, giving us a better model of transverse sound in superfluids and a better explanation of the Bell test results. Here are the slides.
The talk will be at 4pm in the Centre for Mathematical Sciences.
In a seminar today, we will unveil Rendezvous, a search engine for code. Built by Wei-Ming Khoo, it will analyse an unknown binary, parse it into functions, index them, and compare them with a library of code harvested from open-source projects.
As time goes on, the programs we need to reverse engineer get ever larger, so we need better tools. Yet most code nowadays is not written from scratch, but cut and pasted. Programmers are not an order of magnitude more efficient than a generation ago; it’s just that we have more and better libraries to draw on nowadays, and a growing shared heritage of open software. So our idea is to reframe the decompilation problem as a search problem, and harness search-engine technology to the task.
As with a text search engine, Rendezvous uses a number of different techniques to index a target binary, some of which are described in this paper, along with the main engineering problems. As well as reverse engineering suspicious binaries, code search engines could be used for many other purposes such as monitoring GPL compliance, plagiarism detection, and quality control. On the dark side, code search can be used to find new instances of disclosed vulnerabilities. Every responsible software vendor or security auditor should build one. If you’re curious, here is the demo.
With some delay here is the second and final part on our impressions of David Birch’s Tomorrow’s Transactions Forum (TTF13), which we attended thanks to Dave’s generosity (See full agenda and PowerPoint presentations here). See part 1 here.
NOTE: Although written in first person, what follows results from a combination of Laurent Simon’s and my notes.
The theme of day 2 at TTF13 was social inclusion. The kick off question was “How to develop tools to help people deal with money?” (people with no financial culture and based on a transactional account).
This was followed by presentations on “Comic Relief” (the day before ‘the big day’), “Universal Credit” and expert panel on financial inclusion.
Continue reading Current issues in payments (part 2)
I was a guest the annual meeting of the European branch of ATM Industry Association. This was a two day event in London (May 22–23, 2012). I was there thanks to Tom Harper, founder of ATM Marketplace, that is, a B2B website for ancillary cash machine equipment (established circa 1997). Although my interest was to meet Tom to finalise an outline for a forthcoming history of the ATM, the almost ethnographic experience of attending a practitioner conference was refreshing. What follows are some of my impressions of the first day (as I had an overseas engagement the rest of the week).
The conference was jointly organised by ATMIA and Dominic Hirsh’s Retail Banking Research. I have used some of RBR’s data in the past and it is indeed one of the most authoritative sources of information on cash machines, cards and payments. During one of the presentations it was shown how estimates of ATM deployed in Sweden were more accurate than those the Riksbank.
Of greater interest for this blog, is that RBR also organises an annual conference on security. That was a bit disappointing since I was looking to hear on it. Other topics off the agenda included SEPA, regulation enabling independent ATM deployers (IAD) and pressures to reduce interchange fees. I was told they had been addressed in the recent past. In this sense and surprising for a meeting of some 70+ presenters and 500 attendees, the conference was much more ‘on theme’ than an academic gathering of similar size.
So what were the themes? The main theme was self service kiosks, while sub-themes included the cashless society and EMV (interoperation standard for Europay, Visa and Mastercard chip cards).
Continue reading European ATM Conference & the Cashless Society
On the first of April, the Sunday Times carried a story that the Home Secretary planned to expand the scope of the Regulation of Investigatory Powers Act. Some thought this was an April Fool, but no: security minister James Brokenshire confirmed the next day that it was for real. This led to much media coverage; here is a more detailed historical timeline.
There have been eight previous Scrambling for Safety conferences organised while the UK government was considering the RIP Act and the regulations that followed it. The goal is to bring together different stakeholders interested in surveillance policy for an open exchange of views. The conference is open to the public, but you have to register here.
Here is the programme and the event website.
In the evening of Thursday 27 October, I will be participating in a debate at the Cambridge Festival of Ideas, on Internet Freedom. Other speakers include Jim Killock, executive director of the Open Rights Group, Herbert Snorsson, founder of Openleaks.org and David Clemente, Chatham House. Further details can be found on the festival website.
Attendance is free, but booking is required.
The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public.
On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.
For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.
This, which started as a contribution to Ross’s Security and Psychology initiative, is probably my most entertaining piece of research this year and it’s certainly getting its bit of attention.
I’ve been a great fan of The Real Hustle since 2006, which I recommend to anyone with an interest in security, and it has been good fun to work with the TV show’s coauthor Paul Wilson on this paper. We analyze the scams reproduced in the show, we extract general principles from them that describe typical behavioural patterns exploited by hustlers and then we show how an awareness of these principles can also strengthen systems security.
In a few months I have given versions of this talk around the world: Boston, London, Athens, London, Cambridge, Munich—to the security and psychology crowd, to computer researchers, to professional programmers—and it never failed to attract interest. This is what Yahoo’s Chris Heilmann wrote in his blog when I gave the talk at StackOverflow to an audience of 250 programmers:
The other talk I was able to attend was Frank Stajano, a resident lecturer and security expert (and mighty sword-bearer). His talk revolved around application security but instead of doing the classic “prevent yourself from XSS/SQL injection/CSRF” spiel, Frank took a different route. BBC TV in the UK has a program called The Real Hustle which shows how people are scammed by tricksters and gamblers and the psychology behind these successful scams. Despite the abysmal Guy Ritchie style presentation of the show, it is full of great information: Frank and a colleague conducted a detailed research and analysis of all the attacks and the reasons why they work. The paper on the research is available: Seven principles for systems security (PDF). A thoroughly entertaining and fascinating presentation and a great example of how security can be explained without sounding condescending or drowning the audience in jargon. I really hope that there is a recording of the talk.
I´m giving the talk again at the Computer Laboratory on Tuesday 17 November in the Security Seminars series. The full write-up is available for download as a tech report.