Category Archives: Academic papers

Largest ever civil government IT disaster

Academic papers, Awards, News coverage, Politics

Last year I taught a systems course to students on the university’s Masters of Public Policy course (this is like an MBA but for civil servants). For their project work, I divided them into teams of three or four and got them to write a case history of a public-sector IT project that went wrong.

The class prize was won by Oliver Campion-Awwad, Alexander Hayton, Leila Smith and Mark Vuaran for The National Programme for IT in the NHS – A Case History. It’s now online, not just to acknowledge their excellent work and to inspire future MPP students, but also as a resource for people interested in what goes wrong with large public-sector IT projects, and how to do better in future.

Regular readers of this blog will recall a series of posts on this topic and related ones; yet despite the huge losses the government doesn’t seem to have learned much at all.

There is more information on our MPP course here, while my teaching materials are available here. With luck, the next generation of civil servants won’t be quite as clueless.

First Global Deception Conference

Academic papers, Politics, Security psychology

Global Deception conference, Oxford, 17–19th of July 2014

Conference introduction

This deception conference, as part of Hostility and Violence, was organized by interdisciplinary net. Interdisciplinary net runs about 75 conferences a year and was set up by Rob Fisher in 1999 to facilitate international dialogue between disciplines. Conferences are organized on a range of topics, such as gaming, empathycyber cultures, violence and communication and conflict. Not just the topics of the different conferences are interdisciplinary, this is the case within each conference as well. During our deception conference we approached deception from very different angles; from optical illusions in art and architecture via literary hoaxes, fiction and spy novels to the role of the media in creating false beliefs amongst society and ending with a more experimental approach to detecting deception. Even a magic trick was part of the (informal) program, and somehow I ended up being the magician’s assistant. You can find my notes and abstracts below.

Finally, if you (also) have an interest in more experimental deception research with a high practical applicability, then we have good news. Aldert Vrij, Ross Anderson and I are hosting a deception conference to bring together deception researchers and law enforcement people from all over the world. This event will take place at Cambridge University on August 22-24, 2015.

Session 1 – Hoaxes

John Laurence Busch: Deceit without, deceit within: The British Government behavior in the secret race to claim steam-powered superiority at sea. Lord Liverpool became prime minister in 1812 and wanted to catch up with the Americans regarding steam-powered boats. The problem however was that the Royal Navy did not know how to build those vessels, so they joined the British Post in 1820 who wanted to build steam powered boats to deliver post to Ireland more quickly. The post was glad the navy wants to collaborate, although the navy was deceptive; they kept quiet, both to the post, the public and other countries, that they did not know how to build those vessels, and that were hoping to learn how to build a steam boat from them, which succeeded, importantly whilst successfully masking/hiding from the French and the Americans that the British Navy was working on steam vessels to catch up with the US. So the Navy was hiding something questionable (military activity) behind something innocent (post); deceptive public face.

Catelijne Coopmans & Brian Rappert: Revealing deception and its discontents: Scrutinizing belief and skepticism about the moon landing. The moon landing in the 60s is a possible deceptive situation in which the stakes are high and is of high symbolic value. A 2001 documentary by Fox “Conspiracy theory: Did we land on the moon or not?” The documentary bases their suspicions mainly on photographic and visual evidence, such as showing shadows where they shouldn’t be, a “c” shape on a stone, a flag moving in a breeze and pictures with exactly the same background but with different foregrounds. As a response, several people have explained these inconsistencies (e.g., the C was a hair). The current authors focus more on the paradoxes that surround and maybe even fuel these conspiracy theories, such as disclosure vs. non-disclosure, secrecy that fuels suspicion. Like the US governments secrecy around Area 51. Can you trust and at the same time not trust the visual proof of the moan landing presented by NASA? Although the quality of the pictures was really bad, the framing was really well done. Apollo 11 tried to debunk this conspiracy theory by showing a picture of the flag currently still standing on the moon. But then, that could be photoshopped…

Discussion: How can you trust a visual image, especially when used to proof something, when we live in a world where technology makes it possible to fake anything with a high standard? Continue reading First Global Deception Conference

European Association of Psychology and Law Conference 2014

Academic papers, Security psychology

The European Association of Psychology and Law (EAPL) annually organises a conference to bring together researchers and practitioners operating in a forensic context. Combining different disciplines, such as psychology, criminology and law leads to a multidisciplinary conference with presentations on topics like detecting deception, false memories, presenting forensic evidence in court, investigative interviewing, risk assessment, offenders, victims and eyewitness identification (see program). This year’s conference took place during the 24-27th of June in St. Petersburg and I summarised a selection of talks given during this conference.

Tuesday the 24th of June, 2014 Symposium 16.30-18.00 – Allegation: True or false

Van Koppen: I don’t know why I did it: motives for filing false allegations of rape. The first in a series of three talks (see Horselenberg & de Zutter). Explained the basis of the false allegations of rape in a Dutch & Belgian research project. Their conclusions are that the existing data (Viclas) and models are insufficient. Researchers on the current project went through rape cases between 1997-2011 and found more than 50 false allegations. Subsequently, they investigated the reasons why these people made false allegations and found in addition to the already known factors (especially emotional reasons and the alibi factor were often present; on the other hand, mental issues and vigilance were not) that in a substantial amount of cases it was unknown why this person made a false allegation of sexual abuse. Some people reported not knowing why they made the false allegation (even when pressured by the interviewer to provide a reason), and in other cases the researchers couldn’t find out because the police hadn’t asked or did not write down the reasons down, so it wasn’t in the case file. In conclusion, false allegations of rape happen, they cause problems, and it is not always clear why people make these false allegations.

Continue reading European Association of Psychology and Law Conference 2014

The CHERI capability model: Revisiting RISC in an age of risk (ISCA 2014)

Academic papers, Open-source security, Operating systems, Processors, Programmable logic

Last week, Jonathan Woodruff presented our joint paper on the CHERI memory model, The CHERI capability model: Revisiting RISC in an age of risk, at the 2014 International Symposium on Computer Architecture (ISCA) in Minneapolis (video, slides). This is our first full paper on Capability Hardware Enhanced RISC Instructions (CHERI), collaborative work between Simon Moore’s and my team composed of members of the Security, Computer Architecture, and Systems Research Groups at the University of Cambridge Computer Laboratory, Peter G. Neumann’s group at the Computer Science Laboratory at SRI International, and Ben Laurie at Google.

CHERI is an instruction-set extension, prototyped via an FPGA-based soft processor core named BERI, that integrates a capability-system model with a conventional memory-management unit (MMU)-based pipeline. Unlike conventional OS-facing MMU-based protection, the CHERI protection and security models are aimed at compilers and applications. CHERI provides efficient, robust, compiler-driven, hardware-supported, and fine-grained memory protection and software compartmentalisation (sandboxing) within, rather than between, addresses spaces. We run a version of FreeBSD that has been adapted to support the hardware capability model (CheriBSD) compiled with a CHERI-aware Clang/LLVM that supports C pointer integrity, bounds checking, and capability-based protection and delegation. CheriBSD also supports a higher-level hardware-software security model permitting sandboxing of application components within an address space based on capabilities and a Call/Return mechanism supporting mutual distrust.

The approach draws inspiration from Capsicum, our OS-facing hybrid capability-system model now shipping in FreeBSD and available as a patch for Linux courtesy Google. We found that capability-system approaches matched extremely well with least-privilege oriented software compartmentalisation, in which programs are broken up into sandboxed components to mitigate the effects of exploited vulnerabilities. CHERI similarly merges research capability-system ideas with a conventional RISC processor design, making accessible the security and robustness benefits of the former, while retaining software compatibility with the latter. In the paper, we contrast our approach with a number of others including Intel’s forthcoming Memory Protection eXtensions (MPX), but in particular pursue a RISC-oriented design instantiated against the 64-bit MIPS ISA, but the ideas should be portable to other RISC ISAs such as ARMv8 and RISC-V.

Our hardware prototype is implemented in Bluespec System Verilog, a high-level hardware description language (HDL) that makes it easier to perform design-space exploration. To facilitate both reproducibility for this work, and also future hardware-software research, we’ve open sourced the underlying Bluespec Extensible RISC Implementation (BERI), our CHERI extensions, and a complete software stack: operating system, compiler, and so on. In fact, support for the underlying 64-bit RISC platform, which implements a version of the 64-bit MIPS ISA, was upstreamed to FreeBSD 10.0, which shipped earlier this year. Our capability-enhanced versions of FreeBSD (CheriBSD) and Clang/LLVM are distributed via GitHub.

You can learn more about CHERI, BERI, and our larger clean-slate hardware-software agenda on the CTSRD Project Website. There, you will find copies of our prior workshop papers, full Bluespec source code for the FPGA processor design, hardware build instructions for our FPGA-based tablet, downloadable CheriBSD images, software source code, and also our recent technical report, Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, and Jon Woodruff’s PhD dissertation on CHERI.

Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), Minneapolis, MN, USA, June 14–16, 2014.

EMV: Why Payment Systems Fail

Academic papers, Banking security, Legal issues, Politics, Protocols, Security economics, Security engineering

In the latest edition of Communications of the ACM, Ross Anderson and I have an article in the Inside Risks column: “EMV: Why Payment Systems Fail” (DOI 10.1145/2602321).

Now that US banks are deploying credit and debit cards with chips supporting the EMV protocol, our article explores what lessons the US should learn from the UK experience of having chip cards since 2006. We address questions like whether EMV would have prevented the Target data breach (it wouldn’t have), whether Chip and PIN is safer for customers than Chip and Signature (it isn’t), whether EMV cards can be cloned (in some cases, they can) and whether EMV will protect against online fraud (it won’t).

While the EMV specification is the same across the world, they way each country uses it varies substantially. Even individual banks within a country may make different implementation choices which have an impact on security. The US will prove to be an especially interesting case study because some banks will be choosing Chip and PIN (as the UK has done) while others will choose Chip and Signature (as Singapore did). The US will act as a natural experiment addressing the question of whether Chip and PIN or Chip and Signature is better, and from whose perspective?

The US is also distinctive in that the major tussle over payment card security is over the “interchange” fees paid by merchants to the banks which issue the cards used. Interchange fees are about an order of magnitude higher than losses due to fraud, so while security is one consideration in choosing different sets of EMV features, the question of who pays how much in fees is a more important factor (even if the decision is later claimed to be justified by security). We’re already seeing results of this fight in the courts and through legislation.

EMV is coming to the US, so it is important that banks, customers, merchants and regulators know the likely consequences and how to manage the risks, learning from the lessons of the UK and elsewhere. Discussion of these and further issues can be found in our article.

Don’t shoot the demonstrators

Academic papers, Legal issues, Politics, Security economics, Security psychology

Jim Graves, Alessandro Acquisti and I are giving a paper today at WEIS on Experimental Measurement of Attitudes Regarding Cybercrime, which we hope might nudge courts towards more rational sentencing for cybercrime.

At present, sentencing can seem somewhere between random and vindictive. People who commit a fraud online can get off with a tenth of what they’d get if they’d swindled the same amount of money face-to-face; yet people who indulge in political activism – as the Anonymous crowd did – can get hammered with much harsher sentences than they’d get for a comparable protest on the street.

Is this just the behaviour of courts and prosecutors, or does it reflect public attitudes?

We did a number of surveys of US residents and found convincing evidence that it’s the former. Americans want fraudsters to be punished on two criteria: for the value of the damage they do, with steadily tougher punishments for more damage, and for their motivation, where they want people who hack for profit to be punished more harshly than people who hack for political protest.

So Americans, thankfully, are rational. Let’s hope that legislators and prosecutors start listening to their voters.

A Study of Whois Privacy and Proxy Service Abuse

Academic papers, Security economics

Long time readers will recall that last year ICANN published the draft report of our study into the abuse of privacy and proxy services when registering domain names.
At WEIS 2014 I will present our academic paper summarising what we have found — and the summary (as the slides for the talk indicate) is very straightforward:

  • when criminals register domain names for use in online criminality they don’t provide their names and addresses;
  • we collected substantial data to show that this is generally true;
  • in doing so we found that the way in which contact details are hidden varies somewhat depending upon the criminal activity and this gives new insights;
  • meantime, people calling for changes to domain ‘privacy’ and ‘proxy’ services “because they are used by criminals” must understand:
    • the impact of such a policy change on other registrants
    • the limitations of such a policy change on criminals

To give just one example, the registrants of the domain names used for fake pharmacies are the group that uses privacy and proxy services the most (55%) : that’s because a key way in which such pharmacy domains are suppressed is to draw attention to invalid details having been provided when the domain was registered. Privacy and proxy services hide this fakery. In contrast, the registrants of domains that are used to supply child sexual images turn to privacy and proxy services just 29% of the time (only just higher than banks — 28%)… but drawing attention to fallacious registration details is not the approach that is generally taken for this type of content.

Our work provides considerable amounts of hard data to inform the debates around changing the domain Whois system to significantly improve accuracy and usefulness and to prevent misuse. Abolishing privacy and proxy services, if this was even possible, would affect a substantial amount of lawful activity — while criminals currently using these services might be expected to adopt the methods of their peers and instead provide incomplete and inaccurate data. However, insisting that domain registration data was always complete and accurate would mean a great many lawful registrations would need to be updated.

Why bouncing droplets are a pretty good model of quantum mechanics – seminar

Academic papers, News coverage, Seminars

Today Robert Brady and I will be giving a seminar in Cambridge where we will explain Yves Couder’s beautiful bouncing droplet experiments. Droplets bouncing on a vibrating fluid bath show many of the weird phenomena of quantum mechanics including tunneling, diffraction and quantized orbits.

We published a paper on this in January and blogged it at the time, but now we have more complete results. The two-dimensional model of electromagnetism that we see in bouncing droplets goes over to three dimensions too, giving us a better model of transverse sound in superfluids and a better explanation of the Bell test results. Here are the slides.

The talk will be at 4pm in the Centre for Mathematical Sciences.