All posts by Frank Stajano

Two invitations to Cambridge

Two invitations to Cambridge (UK):

2025-03-25: the Rossfest Symposium, in honour of Ross Anderson (1956-2024)
https://www.cl.cam.ac.uk/events/rossfest/

2025-03-26 and 27: the 29th Security Protocols Workshop
https://www.cl.cam.ac.uk/events/spw/2025/

Start writing, and sign up here for updates on either or both:
https://forms.gle/Em9Hy43aRqrdGmd17

The Rossfest Symposium and its posthumous Festschrift is a celebration and remembrance of our friend and colleague Ross Anderson, who passed away suddenly on 28 March 2024, aged 67.

Ross Anderson FRS FRSE FREng was Professor of Security Engineering at the University of Cambridge and lately also at the University of Edinburgh. He was a world-leading figure in security. He had a gift for pulling together the relevant key people and opening up a new subfield of security research by convening a workshop on the topic that would then go on to become an established series, from Fast Software Encryption to Information Hiding, Scrambling for Safety, Workshop on Economics and Information Security, Security and Human Behavior and so forth. He co-authored around 300 papers. His encyclopedic Security Engineering textbook (well over 1000 pages) is dense with both war stories and references to research papers. An inspiring and encouraging supervisor, Ross graduated around thirty PhD students. And as a contagiously enthusiastic public speaker he inspired thousands of researchers around the world.

The Rossfest Symposium is an opportunity for all of us who were touched by Ross to get together and celebrate his legacy.

The Festschrift volume

Scientific papers

We solicit scientific contributions to a posthumous Festschrift volume, in the form of short, punchy papers on any security-related topic. These submissions will undergo a lightweight review process by a Program Committee composed of former PhD students of Ross:

Accepted papers will be published in the Festschrift book and presented at the event. For a subset of the accepted papers, the authors will be invited to submit an expanded version to a special issue of the Journal of Cybersecurity honouring Ross’s scholarly contributions and legacy.

Submissions are limited to five pages in LNCS format (we did say short and punchy!) and will get an equally short presentation slot at the Rossfest. Let’s keep it snappy, as Ross himself would have liked. Five pages excluding bibliography and any appendices, that is, and maximum eight pages total.

Topic-wise, anything related to security, taking the word in its broadest sense, is fair game, from cryptography and systems to economics, psychology, policy and much more, spanning the wide spectrum of fields that Ross himself explored over the course of his career. But make it a scientific contribution rather than just an opinion piece.

Authors will grant us a licence to publish and distribute their articles in the Festschrift but will retain copyright and will be able to put their articles on their web pages or resubmit them wherever else they like. We won’t ask for article charges for publishing in the Festschrift. Bound copies of the Festschrift volume will be available to purchase at cost during the Rossfest Symposium, or later through print-on-demand. A DRM-free PDF will be available online at no charge.

Informal memories

We also solicit informal “cherished memories” contributions along the lines of those collected by Ahn Vu at anderson.love. These too will be collected in the volume and a selection of them will be presented orally at the event.

The Rossfest Symposium

The Rossfest Symposium will last the whole day and will take place at the Computer Laboratory (a.k.a. the Department of Computer Science and Technology of the University of Cambridge), where Ross taught, researched and originally obtained his own PhD. Street address: 15 JJ Thomson Avenue, Cambridge CB3 0FD, UK.

Attendance at the Rossfest Symposium is free and not conditional on the submission of a contribution, but registration will be required for us to manage numbers and catering.

In the evening there shall also be a formal celebration banquet at Trinity College. To attend, please purchase a ticket. Registration and payment links shall appear on this page in due course. Street address: Trinity Street, Cambridge CB2 1TQ, UK.

We have timed the Rossfest to be adjacent in time and space to the Security Protocols Workshop, an event that Ross regularly attended. The SPW will take place in Trinity College Cambridge on 26 and 27 March 2025. This will allow you to attend both events with a single trip to Cambridge. Note that attendance at SPW requires presenting a position paper: unlike the Rossfest, at SPW all attendees must also speak.

Accommodation in Cambridge

The chosen dates are out of term, meaning you might be able to book a room in one of the 31 colleges through www.universityrooms.com. Otherwise, consider www.airbnb.comwww.booking.comwww.expedia.com or your favourite online booking aggregator.

Sign up

To receive notifications (e.g. “the registration and payment links are now up”), sign up on this Google form. Self-service unsubscribe at any time.

Dates

25 November 2024: Deadline for submission of Festschrift articles
23 December 2024: Invitations to authors to present orally
13 January 2025: Early bird (discounted) registration deadline for banquet
10 February 2025: Final registration deadline for banquet and symposium
25 March 2025: Rossfest Symposium (and optional banquet)
26-27 March 2025: Security Protocols Workshop (unrelated but possibly of interest)

The Twenty-ninth International Workshop on Security Protocols will take place from Wednesday 26 March to Thursday 27 March 2025 in Cambridge, United Kingdom. It will be dedicated to the memory of Ross Anderson and preceded by the Rossfest Symposium, which will take place on Tuesday 25 March 2025, also in Cambridge, UK. Come to both!

As in previous years, attendance at the International Workshop on Security Protocols is by invitation only.  (How do I get invited? Submit a position paper.)

Theme

The theme of the 2025 workshop is: “Controversial Security – In honour of Ross Anderson”. In other words, “any security topic that Ross Anderson might have wanted to debate with you”, which leaves you with plenty of leeway.

This is a workshop for discussion of novel ideas, rather than a conference for finished work. We seek papers that are likely to stimulate an interesting discussion. New authors are encouraged to browse through past volumes of post-proceedings (search for Security Protocols Workshop in the Springer LNCS series) to get a flavour for the variety and diversity of topics that have been accepted in past years, as well as the lively discussion that has accompanied them.

Details

The long-running Security Protocols Workshop has hosted lively debates with many security luminaries (the late Robert Morris, chief scientist at the NSA and well known for his pioneering work on Unix passwords, used to be a regular) and continues to provide a formative event for young researchers. The post-proceedings, published in LNCS, contain not only the refereed papers but the curated transcripts of the ensuing discussions (see the website for pointers to past volumes).

Attendance is by invitation only. To be considered for invitation you must submit a position paper: it will not be possible to come along as just a member of the audience. Start writing now! “Writing the paper is how you develop the idea in the first place”, in the wise words of Simon Peyton-Jones.

The Security Protocols Workshop is, and has always been, highly interactive. We actively encourage participants to interrupt and challenge the speaker. The presented position papers will be revised and enhanced before publication as a consequence of such debates. We believe the interactive debates during the presentations, and the spontaneous technical discussions during breaks, meals and the formal dinner, are part of the DNA of our workshop. We encourage you to present stimulating and disruptive ideas that are still at an initial stage, rather than “done and dusted” completed papers of the kind that a top-tier conference would expect. We are interested in eliciting interesting discussion rather than collecting archival material.

Submissions

Short indicative submissions are preferred. You will have the opportunity to extend and revise your paper both before the pre-proceedings are issued, and again after the workshop. At the workshop, you will be expected to spend a few minutes introducing the idea of your paper, in a way that facilitates a longer more general discussion. Pre-proceedings will be provided at the workshop. See the Submission page for more details.

Committee

• Fabio Massacci (Program Chair), University of Trento / Vrije Universiteit Amsterdam
• Frank Stajano (General Chair), University of Cambridge
• Vashek (Vaclav) Matyas, Masaryk University
• Jonathan Anderson, Memorial University
• Mark Lomas, Capgemini

Accommodation in Cambridge

The chosen dates are out of term, meaning you might be able to book a room in one of the 31 colleges through www.universityrooms.com. Otherwise, consider www.airbnb.comwww.booking.comwww.expedia.com or your favourite online booking aggregator.

Dates

25 November 2024: Submission of position papers
23 December 2024: Invitations to authors
13 January 2025: Early bird (discounted) registration deadline
3 February 2025: Revised papers due
10 February 2025: Final registration deadline
25 March 2025: Rossfest Symposium (unrelated but possibly of interest)
26-27 March 2025: Security Protocols Workshop

For further details visit the web page at the top of this message. To be notified when the registration and paper submission pages open, , sign up on this Google form. Self-service unsubscribe at any time.

Security and Human Behavior 2024

The seventeenth Security and Human Behavior workshop was hosted by Bruce Schneier at Harvard University in Cambridge, Massachusetts on the 4th and 5th of June 2024 (Schneier blog).

This playlist contains audio recordings of most of the presentations, curated with timestamps to the start of each presentation. Click the descriptions to see them.

On the lunch of the first day, several attendees remembered the recently departed Ross Anderson, who co-founded this workshop with Bruce Schneier and Alessandro Acquisti in 2008. That recording is in the playlist too.

Kami Vaniea kept up Ross’s tradition by liveblogging most of the event.

I’ll be hosting next year’s SHB at the University of Cambridge.

RIP Ross Anderson

Someone else will undoubtedly say it much better than I will here but one of us has to break the very sad news: Ross Anderson died yesterday.

His enthusiasm, his wide-spectrum intellectual curiosity and his engaging prose were unmatched. He stood up vigorously for the causes he believed in. He formed communities around the new topics he engaged with, from information hiding to fast software encryption, security economics, security and human behaviour and more. He served as an inspiring mentor for generations of graduate students at Cambridge—I know first hand, as I was fortunate enough to be admitted as his PhD student when he was still a freshly minted lecturer and had not graduated any students yet. I learnt my trade as a Cambridge Professor from him and will be forever grateful, as will dozens of my “academic brothers” who were also supervised by him, several of whom post regularly on this blog.

Ross, thank you so much for your lively, insightful and stimulating contributions to every subfield of security. You leave a big void that no one will be able to fill. I will miss you.

RIP

Security course at Cambridge

I have taken over the second-year Security course at Cambridge, which is traditionally taught in Easter term. From the end of April onwards I will be teaching three lectures per week. Taking advantage of the fact that Cambridge academics own the copyright and performance rights on their lectures, I am making all my undergraduate lectures available at no charge on my YouTube channel frankstajanoexplains.com. My lecture courses on Algorithms and on Discrete Mathematics are already up and I’ll be uploading videos of the Security lectures as I produce them, ahead of the official lecturing dates. I have uploaded the opening lecture this morning. You are welcome to join the class virtually and you will receive exactly the same tuition as my Cambridge students, at no charge. 


The philosophy of the course is to lead students to learn the fundamentals of security by “studying the classics” and gaining practical hands-on security experience by recreating and replicating actual attacks. (Of course the full benefits of the course are only reaped by those who do the exercises, as opposed to just watching the videos.)


This is my small contribution to raising a new generation of cyber-defenders, alongside the parallel thread of letting young bright minds realise that security is challenging and exciting by organising CTFs (Capture-The-Flag competitions) for them to take part in, which I have been doing since 2015 and continue to do. On that note, any students (undergraduate, master or PhD) currently studying in a university in UK, Israel, USA, Japan, Australia and France still have a couple more days to sign up for our 2022 Country to Country CTF, a follow-up to the Cambridge to Cambridge CTF that I co-founded with Howie Shrobe and Lori Glover at MIT in 2015. The teams will mix people at different levels so no prior experience is required. Go for it!

Towards greater ecological validity in security usability

When you are a medical doctor, friends and family invariably ask you about their aches and pains. When you are a computer specialist, they ask you to fix their computer. About ten years ago, most of the questions I was getting from friends and family as a security techie had to do with frustration over passwords. I observed that what techies had done to the rest of humanity was not just wrong but fundamentally unethical: asking people to do something impossible and then, if they got hacked, blaming them for not doing it.



So in 2011, years before the Fido Alliance was formed (2013) and Apple announced its smartwatch (2014), I published my detailed design for a clean-slate password replacement I called Pico, an alternative system intended to be easier to use and more secure than passwords. The European Research Council was generous enough to fund my vision with a grant that allowed me to recruit and lead a team of brilliant researchers over a period of five years. We built a number of prototypes, wrote a bunch of papers, offered projects to a number of students and even launched a start-up and thereby learnt a few first-hand lessons about business, venture capital, markets, sales and the difficult process of transitioning from academic research to a profitable commercial product. During all those years we changed our minds a few times about what ought to be done and we came to understand a lot better both the problem space and the mindset of the users.

Continue reading Towards greater ecological validity in security usability

Raising a new generation of cyber defenders

 

Over the past few years we launched and ran two university-level hacking competitions in  order to attract bright students to our field, with the long term goal of addressing the skills gap in cyber security.

Analysts estimate that, globally, over the next few years, in the field of cyber security there will be a gap of over a million people between the positions that need filling and the people with the skills to fill those positions.

In 2015 we founded the international Cambridge2Cambridge cyber security challenge, in collaboration with MIT CSAIL, which first took place at MIT, and then in 2016 the UK-level Inter-ACE among the UK ACE-CSRs, which first took place at the University of Cambridge. The Inter-ACE has now expanded beyond the ACEs and the C2C admits university students from anywhere in the world. None of this would have been possible without strong cooperation between academia, government and industry. We are grateful to our many supporters, who are all credited in the report.

After three years, my precious collaborators Graham Rymer and Michelle Houghton have moved on to new jobs and it is time for someone else to pick up the torch. To help our successors, today we publish a comprehensive technical report distilling our experience running these events for the past three years. We wrote it for all those who share
our vision and goals and who wish to take these competitions forward: we hope they will find it useful and it will help them make future editions even better. It contains a detailed chronicle of what we did and an extensive list of lessons learnt. Attendees of the Security and Human Behavior 2018 workshop will have heard me speak about some of the associated challenges, from fostering cooperation to redressing gender balance to preventing cheating, with detours into Japanese swordsmanship and Plato.

The extensive appendices contain a wealth of training material including write-ups of our practice CTFs and of the Inter-ACE 2018 for which we developed the problems in-house, as well as the latest course notes for the binary reverse engineering training seminar that we ran in Cambridge several times over the years, initially for our own students and then for hundreds of ACE-CSR participants.

We hope you will enjoy our report and that it will inspire you to contribute to future events in this series, whether as a participant, host or supporting institution, and keep the momentum going.

Frank Stajano, Graham Rymer, Michelle Houghton. “Raising a new generation of cyber defenders—The first three years of the Cambridge2Cambridge and Inter-ACE cyber security competitions”. University of Cambridge Technical Report UCAM-CL-TR-922, June 2018, 307 pages. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-922.pdf

 

Cambridge2Cambridge 2017

Following on from various other similar events we organised over the past few years, last week we hosted our largest ethical hacking competition yet, Cambridge2Cambridge 2017, with over 100 students from some of the best universities in the US and UK working together over three days. Cambridge2Cambridge was founded jointly by MIT CSAIL (in Cambridge Massachusetts) and the University of Cambridge Computer Laboratory (in the original Cambridge) and was first run at MIT in 2016 as a competition involving only students from these two universities. This year it was hosted in Cambridge UK and we broadened the participation to many more universities in the two countries. We hope in the future to broaden participation to more countries as well.

Cambridge 2 Cambridge 2017 from Frank Stajano Explains on Vimeo.

We assigned the competitors to teams that were mixed in terms of both provenance and experience. Each team had competitors from US and UK, and no two people from the same university; and each team also mixed experienced and less experienced players, based on the qualifier scores. We did so to ensure that even those who only started learning about ethical hacking when they heard about this competition would have an equal chance of being in the team that wins the gold. We then also mixed provenance to ensure that, during these three days, students collaborated with people they didn’t already know.

Despite their different backgrounds, what the attendees had in common was that they were all pretty smart and had an interest in cyber security. It’s a safe bet that, ten or twenty years from now, a number of them will probably be Security Specialists, Licensed Ethical Hackers, Chief Security Officers, National Security Advisors or other high calibre security professionals. When their institution or country is under attack, they will be able to get in touch with the other smart people they met here in Cambridge in 2017, and they’ll be in a position to help each other. That’s why the defining feature of the event was collaboration, making new friends and having fun together. Unlike your standard one-day hacking contest, the ambitious three-day programme of C2C 2017 allowed for social activities including punting on the river Cam, pub crawling and a Harry Potter style gala dinner in Trinity College.

In between competition sessions we had a lively and inspirational “women in cyber” panel, another panel on “securing the future digital society”, one on “real world pentesting” and a careers advice session. On the second day we hosted several groups of bright teenagers who had been finalists in the national CyberFirst Girls Competition. We hope to inspire many more women to take up a career path that has so far been very male-dominated. More broadly, we wish to inspire many young kids, girls or boys, to engage in the thrilling challenge of unravelling how computers work (and how they fail to work) in a high-stakes mental chess game of adversarial attack and defense.

Our platinum sponsors Leidos and NCC Group endowed the competition with over £20,000 of cash prizes, awarded to the best 3 teams and the best 3 individuals. Besides the main attack-defense CTF, fought on the Leidos CyberNEXS cyber range, our other sponsors offered additional competitions, the results of which were combined to generate the overall teams and individual scores. Here is the leaderboard, showing how our contestants performed. Special congratulations to Bo Robert Xiao of Carnegie Mellon University who, besides winning first place in both team and individuals, also went on to win at DEF CON in team PPP a couple of days later.

We are grateful to our supporters, our sponsors, our panelists, our guests, our staff and, above all, our 110 competitors for making this event a success. It was particularly pleasing to see several students who had already taken part in some of our previous competitions (special mention for Luke Granger-Brown from Imperial who earned medals at every visit). Chase Lucas from Dakota State University, having passed the qualifier but not having picked in the initial random selection, was on the reserve list in case we got funding to fly additional students; he then promptly offered to pay for his own airfare in order to be able to attend! Inter-ACE 2017 winner Io Swift Wolf from Southampton deserted her own graduation ceremony in order to participate in C2C (!), and then donated precious time during the competition to the CyberFirst girls who listened to her rapturously. Accumulating all that good karma could not go unrewarded, and indeed you can once again find her name in the leaderboard above. And I’ve only singled out a few, out of many amazing, dynamic and enthusiastic young people. Watch out for them: they are the ones who will defend the future digital society, including you and your family, from the cyber attacks we keep reading about in the media. We need many more like them, and we need to put them in touch with each other. The bad guys are organised, so we have to be organised too.

The event was covered by Sky News, ITV, BBC World Service and a variety of other media, which the official website and twitter page will undoubtedly collect in due course.

Inter-ACE national hacking competition today

Over 100 of the best students in cyber from the UK Academic Centres of Excellence in Cyber Security Research are gathered here at the University of Cambridge Computer Laboratory today for the second edition of our annual “Inter-ACE” hacking contest.

The competition is hosted on the CyberNEXS cyber-range of our sponsor Leidos, and involves earning points for hacking into each other’s machines while defending one’s own.   The competition has grown substantially from last year’s: you can follow it live on Twitter (@InterACEcyber) At the time of writing, we still don’t know who is going to take home the trophy. Can you guess who will?

The event has been made possible thanks to generous support from the National Cyber Security Centre, the Cabinet Office, Leidos and NCC Group.

CFP: Passwords 2016

====================================================================
Call for Papers
The 11th International Conference on Passwords
PASSWORDS 2016

5-7 December 2016
Ruhr-University Bochum, Germany

https://passwords2016.rub.de/
https://passwordscon.org/
====================================================================

The Passwords conference was launched in 2010 as a response to
the lack of robustness and usability of current personal
authentication practices and solutions. Annual participation has
doubled over the past three years. Since 2014, the conference
accepts peer-reviewed papers.

* IMPORTANT DATES *

Research papers and short papers:
– Title and abstract submission: EXTENDED TO 2016-08-22 2016-07-04  (23:59 UTC-11)
– Paper submission: EXTENDED TO 2016-08-29 2016-07-11 (23:59 UTC-11)
– Notification of acceptance: 2016-10-17 2016-09-05
– Camera-ready from authors: 2016-10-31 2016-09-19

Hacker Talks:
– Talk proposal submission: 2016-09-15 (23:59 UTC-11)
– Notification of acceptance: 2016-09-30

* CONFERENCE AIM *

More than half a billion user passwords have been compromised
over the last five years, including breaches at internet
companies such as Target, Adobe, Heartland, Forbes, LinkedIn,
Yahoo, and LivingSocial. Yet passwords, PIN codes, and similar
remain the most prevalent method of personal
authentication. Clearly, we have a systemic problem.

This conference gathers researchers, password crackers, and
enthusiastic experts from around the globe, aiming to better
understand the challenges surrounding the methods personal
authentication and passwords, and how to adequately solve these
problems. The Passwords conference series seek to provide a
friendly environment for participants with plenty opportunity to
communicate with the speakers before, during, and after their
presentations.

* SCOPE *

We seek original contributions that present attacks, analyses,
designs, applications, protocols, systems, practical experiences,
and theory. Submitted papers may include, but are not limited to,
the following topics, all related to passwords and
authentication:

– Technical challenges and issues:
– Cryptanalytic attacks
– Formal attack models
– Cryptographic protocols
– Dictionary attacks
– Digital forensics
– Online attacks/Rate-limiting
– Side-channel attacks
– Administrative challenges:
– Account lifecycle management
– User identification
– Password resets
– Cross-domain and multi-enterprise system access
– Hardware token administration
– Password “replacements”:
– 2FA and multifactor authentication
– Risk-based authentication
– Password managers
– Costs and economy
– Biometrics
– Continous authentication
– FIDO – U2F
– Deployed systems:
– Best practice reports
– Incident reports/Lessons learned
– Human factors:
– Usability
– Design & UX
– Social Engineering
– Memorability
– Accessibility
– Pattern predictability
– Gestures and graphical patterns
– Psychology
– Statistics (languages, age, demographics…)
– Ethics

* INSTRUCTIONS FOR AUTHORS *

Papers must be submitted as PDF using the Springer LNCS format
for Latex. Abstract and title must be submitted one week ahead of
the paper deadline.

We seek submissions for review in the following three categories:

– Research Papers
– Short Papers
– “Hacker Talks” (talks without academic papers attached)

RESEARCH PAPERS should describe novel, previously unpublished
technical contributions within the scope of the call. The papers
will be subjected to double-blind peer review by the program
committee. Paper length is limited to 16 pages (LNCS format)
excluding references and well-marked appendices. The paper
submitted for review must be anonymous, hence author names,
affiliations, acknowledgements, or obvious references must be
temporarily edited out for the review process. The program
committee may reject non-anonymized papers without reading
them. The submitted paper (in PDF format) must follow the
template described by Springer at
http://www.springer.de/comp/lncs/authors.html.

SHORT PAPERS will also be subject to peer review, where the
emphasis will be put on work in progress, hacker achievements,
industrial experiences, and incidents explained, aiming at
novelty and promising directions. Short paper submissions should
not be more than 6 pages in standard LNCS format in total. A
short paper must be labeled by the subtitle “Short
Paper”. Accepted short paper submissions may be included in the
conference proceedings. Short papers do not need to be
anonymous. The program committee may accept full research papers
as short papers.

HACKER TALKS are presentations without an academic paper
attached. They will typically explain new methods, techniques,
tools, systems, or services within the Passwords scope. Proposals
for Hacker Talks can be submitted by anybody (“hackers”,
academics, students, enthusiasts, etc.) in any format, but
typically will include a brief (2-3 paragraphs) description of
the talk’s content and the person presenting. They will be
evaluated by a separate subcommittee led by Per Thorsheim,
according to different criteria than those used for the refereed
papers.

At least one of the authors of each accepted paper must register
and present the paper at the workshop. Papers without a full
registration will be withdrawn from the proceedings and from the
workshop programme.

Papers that pass the peer review process and that are presented
at the workshop will be included in the event proceedings,
published by Springer in the Lecture Notes in Computer
Science (LNCS) series.

Papers must be unpublished and not being considered elsewhere for
publication. Plagiarism and self-plagiarism will be treated as a
serious offense.  Program committee members may submit papers but
program chairs may not.  The time frame for each presentation
will be either 30 or 45 minutes, including Q&A. Publication will
be by streaming, video and web.

* ORGANIZERS *

– General chair: Per Thorsheim, God Praksis AS (N)
– Program co-chair and host: Markus Dürmuth, Ruhr-University Bochum (DE)
– Program co-chair: Frank Stajano, University of Cambridge (UK)

* PROGRAM COMMITTEE *

– Adam Aviv, United States Naval Academy (USA)
– Lujo Bauer, Carnegie Mellon University (USA)
– Jeremiah Blocki, Microsoft Research/Purdue University (USA)
– Joseph Bonneau, Stanford University (USA)
– Heather Crawford, Florida Institute of Technology (USA)
– Bruno Crispo, KU Leuven (B) and University of Trento (IT)
– Serge Egelman, ICSI and University of California at Berkeley (USA)
– David Freeman, LinkedIn (USA)
– Simson Garfinkel, NIST (USA)
– Tor Helleseth, University of Bergen (N)
– Cormac Herley, Microsoft Research (USA)
– Graeme Jenkinson, University of Cambridge (UK)
– Mike Just, Heriot-Watt University (UK)
– Stefan Lucks, Bauhaus-University Weimar (D)
– Paul van Oorschot, Carleton University (CA)
– Angela Sasse, University College London (UK)
– Elizabeth Stobert, ETH Zurich (CH)

* STEERING COMMITTEE *

– Per Thorsheim, God Praksis AS (N)
– Stig F. Mjolsnes, Norwegian University of Science and Technology (N)
– Frank Stajano, University of Cambridge (UK)

More and updated information can be found at the conference website
https://passwords2016.rub.de/

And the winners are…

inter-ace-logo4

The Inter-ACE Cyberchallenge on Saturday was fantastic. The event saw nearly twice as many competitors as attended the C2C competition in Boston recently, engaged in solving the most artful challenges. It was great to see so many students interested in cyber security making the effort to travel from the four corners of the UK, a few from as far away as Belfast!

IMG_5373The competition was played out on a “Risk-style” world map, and competing teams had to fight each other for control of several countries, each protected by a fiendish puzzle. A number of universities had also submitted guest challenges, and it was great that so many teams got involved in this creative process too. To give one example; The Cambridge team had designed a challenge based around a historically accurate enigma machine, with this challenge protecting the country of Panama. Competitors had to brute-force the settings of the enigma machine to decode a secret message. Other challenges were based around the core CTF subject areas of web application security, binary reverse engineering and exploitation, forensics, and crypto. Some novice teams may have struggled to compete, but they would have learned a lot, and hopefully developed an appetite for more competition. There were also plenty of teams present with advanced tool sets and a solid plan, with these preparations clearly paying off in the final scores.

IMG_5426

Between the 10 teams, their coaches, the organisers and the reporters, the lab was bustling with excitement and that intense feeling of hackers “in the zone” for the whole afternoon.

IMG_5406

I have nothing but praise for our partners Facebook, who worked hard on setting the challenges and making the CTF game run smoothly, as well as feeding the participants with pizza and endowing the prizes with hacking books and goodie bags.

IMG_5298

The biggest thanks go to the ACE-CSRs who enthusiastically supported this initiative despite the short notice. 40 students came to Cambridge to compete in the live event in teams of 4, and another 40+ competed remotely in the individuals.

 

In retrospect we should have organised a “best T-shirt” competition. I especially liked Facebook t-shirts “Fix more, whine less” and “s/sleep/hack/g” but the one I would have voted overall winner (despite not technically being a T-shirt) was Southampton’s Shakespearian boolean logic.

IMG_5310

It is with a mixture of pride and embarrassment that I announce the winners, as Cambridge won the gold in both the team and individual events.

IMG_5686

Team event:

  • 1st place (Gold): University of Cambridge
    Stella Lau, Will Shackleton, Cheng Sun, Gábor Szarka
  • 2nd place (Silver): Imperial College London
    Matthieu Buffet, Jiarou Fan, Luke Granger-Brown, Antoine Vianey-Liaud
  • 3rd place (Bronze): University of Southampton
    Murray Colpman, Kier Davis, Yordan Ganchev, Mohit Gupta

 

Individual event:

  • 1st place (Gold): Dimitrije Erdeljan, University of Cambridge
  • 2nd place (Silver): Emma Espinosa, University of Oxford
  • 3rd place (Bronze): David Young, University of Southampton

IMG_5346

I shall ignore allegations of having rigged the game except to say that yes, we did train our students rather extensively in preparation for the previously-mentioned Cambridge 2 Cambridge event with MIT. All of our winners are Cambridge undergraduates in computer science who had done well in the qualifiers for C2C. Two of them had actually been to Boston, where Gábor had been on the winning team overall and earned one gold and two silver medals, while Will (also former UK Cyber Security Challenge winner) had earned one gold, one silver and two bronze medals. Well deserved thanks also to my modest but irreplaceable collaborator Graham Rymer who designed and delivered an effective and up-to-date ethical hacking course to our volunteers. The Cambridge success in this weekend’s competition gives promising insights into the effectiveness of this training which we are gearing up to offering to all our undergraduates and potentially to other interested audiences in the future.

IMG_5359

We are once again grateful to everyone who took part. We are also grateful to the Cabinet Office, to EPSRC and to GCHQ for support that will allow us to keep the event running and we hereby invite all the ACEs to sharpen their hacking tools for next year and come back to attempt to reconquer the trophy from us.