PhD Position on Privacy Enhancing Technologies and Anonymous Communications

Jobs, Meta, Privacy technology

Applications are invited for one PhD position in the Security Group at the Computer Laboratory to work with Dr Steven Murdoch. Funding for this position is provided by the Engineering and Physical Sciences Research Council (EPSRC) in collaboration with the Royal Society.

The successful candidate will undertake research on methods to analyse the security of anonymous communication systems and privacy enhancing technologies. This broad research topic falls within an EPSRC priority area and provides considerable scope for the PhD candidate to find his or her own research direction.

Further details can be found in the advertisement (NR27372). The closing date for applications is 31 May 2013.

Dangerous Blogs Act

Legal issues, News coverage, Politics

The UK Government are currently in a tremendous rush to legislate (and create a Royal Charter) before the political consensus around “implementing Leveson” evaporates. Their proposals catch not just the print media, but also online publications. That’s only proper — a newspaper should meet the same integrity standards for their journalism whether it appears in ink and paper, or on their website.

However, the Governments approach has not been to describe the activity that they wish to regulate, but to describe the various media involved and then try to write exceptions to avoid regulating the whole Internet. Those exceptions are poorly thought out and will have all sorts of unintended consequences. They might even include this blog!
Continue reading Dangerous Blogs Act

Call for Nominations: 2013 PET Award

Academic papers, Awards, Call for papers, Privacy technology

I am on the award committee for the 2013 PET Award and we are looking for nominations of papers which have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology.

The 2013 award will be presented at Privacy Enhancing Technologies Symposium (PETS) and carries a prize of $3,000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from 16 April 2011 until 31 March 2013.

To submit a nomination, please see the instructions on the award page.

UK bank fraud up by 11% in 2012, but how much do customers lose?

Banking security, News coverage, Security economics

Today, the UK Cards Association (UKCA) published their summary of bank fraud for 2012. This provides an important insight into banking fraud, and the level of detail which the UK banks provide is very welcome. The UKCA figures go back to 2007, but I’ve collected the figures from previous releases going back to 2004. This data reveals some interesting trends, especially related to the deployment of new security technologies.

UK Cards Association fraud statistics 2012
larger version (PDF)

The overall fraud losses in 2012 are £475.3m, up 11% from the 2011 level, but for the purposes of comparison it is helpful to exclude the losses from phone banking since these figures were only available since 2009 (and are only 2.7% of the total). If we look at the resulting trend in total fraud  (£462.7m) we can see that while there was an increase in 2012, that is from a starting position of a 10-year low in 2011 so isn’t a reason to panic. We are still far from the peak in 2008 of £704.3m.

[You may have noticed the miniaturised graph in line with the text above, which an an example of a sparkline and I’ll be using these throughout this post to more clearly show trends in the data. Each graph shows the change in a single value over the 2004–2012 period, and is followed by the figure for 2012 in red.]

However, there is a large omission in the UKCA data – it records losses of the banks and merchants but not customers. If a customer is a victim of fraud, but the bank refuses to refund them (because the bank claims the customer was negligent), we won’t see it in these figures – as confirmed by a UKCA representative in an interview on BBC Radio Merseyside on 2007-02-19. We don’t know how much is missing from the fraud statistics as a result, but from the Financial Services Authority statistics we can see that there were 483,666 complaints in the first half of 2012 against firms regarding disputed charges, so the sums in question could be substantial. But despite this limitation, the statistics from the UKCA are valuable, especially in that it gives a break down of fraud by type.

Continue reading UK bank fraud up by 11% in 2012, but how much do customers lose?

Health record privacy in Scotland

Legal issues, News coverage, Politics, Privacy technology, Security economics

Last week I spoke at a conference on digital health at the Scottish parliament. The talks are now online; my talk is here, and my slides here. At present, medical records in Scotland are organised differently under its fourteen different health boards, with wide variations in privacy, safety and functionality. Needless to say, officials in Edinburgh see this as an opportunity for centralisation; they want to follow the sad story in England. The political dynamic north of the border is much the same: officials want to grab all the data, GPs are not keen, but the public’s not paying attention.

If you’re interested in these issues, save April 24th in your diary; there will be a big medical privacy event in London organised by a number of NGOs.

Fixing popping/clicking audio on Raspberry Pi

Hardware & signals, Operating systems, Useful software

I’m working on a security-related project with the Raspberry Pi and have encountered an annoying problem with the on-board sound output. I’ve managed to work around this, so thought it might be helpful the share my experiences with others in the same situation.

The problem manifests itself as a loud pop or click, just before sound is output and just after sound output is stopped. This is because a PWM output of the BCM2835 CPU is being used, rather than a standard DAC. When the PWM function is activated, there’s a jump in output voltage which results in the popping sound.

Until there’s a driver modification, the work-around suggested (other than using the HDMI sound output or an external USB sound card) is to run PulseAudio on top of ALSA and keep the driver active even when no sound is being output. This is achieved by disabling the module-suspend-on-idle PulseAudio module, then configuring applications to use PulseAudio rather than ALSA. Daniel Bader describes this work-around and how to configure MPD, in a blog post. However, when I tried this approach, the work-around didn’t work.

Continue reading Fixing popping/clicking audio on Raspberry Pi

EU cyber security directive considered harmful

Legal issues, News coverage, Politics, Security economics

Yesterday the European Commission launched its new draft directive on cybersecurity, on a webpage which omits a negative Opinion of the Impact Assessment Board. This directive had already been widely leaked, and I wrote about it in an EDRi Enditorial. There are at least two serious problems with it.

The first is that it will oblige Member States to set up single “competent authorities” for technical expertise, international liasion, security breach reporting and CERT functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new NCA, the ICO and various private-sector bodies. And the UK is relatively centralised; in Germany, for example, there’s a constitutional separation between police and intelligence functions. Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cybersecurity cooperation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play.

Second, whereas security-breach notification laws in the USA require firms to report breaches to affected citizens, articles 14 and 15 instead require breach notification to the “competent authority”. Notification requirements can be changed later by order (14.5-7) and the “competent authorities” only have to tell us if they determine it’s in the “public interest” (14.4). So instead of empowering us, it will empower the spooks. But that’s not all. Member States must “ensure that the competent authorities have the power to require market operators and public administrations to: (a) provide information needed to assess the security of their networks and information systems, including documented security policies; and (b) undergo a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority” (15.2). States must also “ensure that competent authorities have the power to issue binding instructions to market operators and public administrations” (15.3) Now as Parliament has just criticised the Home Office’s attempt to take powers to order firms like Google and Facebook to disclose user data by means of the Communications Data Bill, I hope everyone will think long and hard about the implications of passing this Directive as it stands. It’s yet another unfortunate step towards the militarisation of cyberspace.

How Certification Systems Fail: Lessons from the Ware Report

Academic papers, Authentication, Banking security, Cryptology, Legal issues, Security engineering

Research in the Security Group has uncovered various flaws in systems, despite them being certified as secure. Sometimes the certification criteria have been inadequate and sometimes the certification process has been subverted. Not only do these failures affect the owners of the system but when evidence of certification comes up in court, the impact can be much wider.

There’s a variety of approaches to certification, ranging from extremely generic (such as Common Criteria) to highly specific (such as EMV), but all are (at least partially) descendants of a report by Willis H. Ware – “Security Controls for Computer Systems”. There’s much that can be learned from this report, particularly the rationale for why certification systems are set up as the way they are. The differences between how Ware envisaged certification and how certification is now performed is also informative, whether these differences are for good or for ill.

Along with Mike Bond and Ross Anderson, I have written an article for the “Lost Treasures” edition of IEEE Security & Privacy where we discuss what can be learned, about how today’s certifications work and should work, from the Ware report. In particular, we explore how the failure to follow the recommendations in the Ware report can explain why flaws in certified banking systems were not detected earlier. Our article, “How Certification Systems Fail: Lessons from the Ware Report” is available open-access in the version submitted to the IEEE. The edited version, as appearing in the print edition (IEEE Security & Privacy, volume 10, issue 6, pages 40–44, Nov‐Dec 2012. DOI:10.1109/MSP.2012.89) is only available to IEEE subscribers.

"Security Engineering" now available free online

News coverage, Security economics, Security engineering, Security psychology

I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.

I’ve long been an advocate of open science and open publishing; all my scientific papers go online and I no longer even referee for publications that sit behind a paywall. But some people think books are different. I don’t agree.

The first edition of my book was also put online four years after publication by agreement with the publishers. That took some argument but we found that sales actually increased; for serious books, free online copies and paid-for paper copies can be complements, not substitutes. We are all grateful to authors like David MacKay for pioneering this. So when I wrote the second edition I agreed with Wiley that we’d treat it the same way, and here it is. Enjoy!

Hard questions about quantum crypto and quantum computing

Academic papers

We’ve been assured for 29 years that quantum crypto is secure, and for 19 years that quantum computing is set to make public-key cryptography obsolete. Yet despite immense research funding, attempts to build a quantum computer that scales beyond a few qubits have failed. What’s going on?

In a new paper Why quantum computing is hard – and quantum cryptography is not provably secure, Robert Brady and I try to analyse what’s going on. We argue that quantum entanglement may be modelled by coupled oscillators (as it already is in the study of Josephson junctions) and this could explain why it’s hard to get more than about three qubits. A companion paper of Robert’s on The irrotational motion of a compressible inviscid fluid presents a soliton model of the electron which shows for the first time how spin-1/2 symmetry, and the Dirac equation, can emerge in a completely classical system. There has been a growing amount of work recently on classical models of quantum behaviour; see for example Yves Couder’s beautiful experiments.

The soliton model challenges the Bell tests which purport to show that the wavefunctions of entangled particles are nonlocal. It also challenges the assumption that the physical state of a quantum system is entirely captured by its wavefunction &#936. It follows that local hidden-variable theories of quantum mechanics are not excluded by the Bell tests, and that in consequence we do not have to believe the security proofs offered for EPR-based quantum cryptography. We gave a talk on this at the theoretical physics seminar at Warwick on January 31st; here are the slides and here’s the video, parts 1, 2, 3, 4 and 5.