Passwords in the wild, part II: failures in the market

This is the second part in a series on password implementations at real websites, based on my paper at WEIS 2010 with Sören Preibusch. As we discussed yesterday, dubious practices abound within real sites’ password implementations. Password insecurity isn’t only due to random implementation mistakes, though. When we scored sites’ password implementations on a 10-point …

Passwords in the wild, part I: the gap between theory and implementation

Sören Preibusch and I have finalised our in-depth report on password practices in the wild, The password thicket: technical and market failures in human authentication on the web, presented in Boston last month for WEIS 2010. The motivation for our report was a lack of technical research into real password deployments. Passwords have been studied …

Who controls the off switch?

We have a new paper on the strategic vulnerability created by the plan to replace Britain’s 47 million meters with smart meters that can be turned off remotely. The energy companies are demanding this facility so that customers who don’t pay their bills can be switched to prepayment tariffs without the hassle of getting court …

Workshop on the economics of information security 2010

Here is a liveblog of WEIS, which is being held today and tomorrow at Harvard. It has 125 attendees: 59% academic, 15% govt/NGO, and 26% industry; the split of backgrounds is 47% CS, 35% econ/management and 18% policy/law. The paper acceptance rate was 24/72: 10 empirical papers, 8 theory and 6 on policy. The workshop …

The Economics of Privacy in Social Networks

We often think of social networking as Facebook, MySpace, and the also-rans, but in reality there are tons of social networks out there, dozens of which have membership in the millions. Around the world it’s quite a competitive market. Sören Preibusch and I decided to study the whole ecosystem to analyse how free-market competition …

Static Consent and the Dynamic Web

Last week Facebook announced the end of regional networks for access control. The move makes sense: regional networks had no authentication, so information available to them was easy to get with a fake account. Still, silently making millions of weakly-restricted profiles globally viewable raises some disturbing questions. If Terms of Service promise to only share …

Slow removal of child sexual abuse image websites

On Friday last week The Guardian ran a story on an upcoming research paper by Tyler Moore and myself which will be presented at the WEIS conference later this month. We had determined that child sexual abuse image websites were removed from the Internet far slower than any other category of content we looked at, …

Phishing and the gaining of "clue"

Tyler Moore and I are in the final throes of creating a heavily revised version of our WEIS paper on phishing site take-down for the APWG eCrime Researchers Summit in early October in Pittsburgh. One of the new results that we’ve generated is that we’ve looked at take-down times for phishing sites hosted at alice.it, …