BENTHAM’S GAZE
At present, based on a 1997 paper by the Law Commission, it is assumed that a computer operated correctly unless there is explicit evidence to the contrary. The recent Post Office trial (previously mentioned on Bentham’s Gaze) has made clear, if previous cases had not, that this assumption is flawed.

EVIDENCE CRITICAL SYSTEMS: DESIGNING FOR DISPUTE RESOLUTION
On Friday, 39 subpostmasters had their criminal convictions overturned by the Court of Appeal. These individuals ran post office branches and were prosecuted for theft, fraud and false accounting based on evidence from Horizon, the Post Office computer system created by Fujitsu.

APRIL 2021 – BENTHAM’S GAZE
On Friday, 39 subpostmasters had their criminal convictions overturned by the Court of Appeal. These individuals ran post office branches and were prosecuted for theft, fraud and false accounting based on evidence from Horizon, the Post Office computer system created by Fujitsu. Horizon’s evidence was asserted to be reliable by the Post

TRACING TRANSACTIONS ACROSS CRYPTOCURRENCY LEDGERS

RESOLVING DISPUTES THROUGH COMPUTER EVIDENCE: LESSONS FROM THE POST OFFICE TRIAL
On Monday, the final judgement in the Post Office trial was handed down, finding in favour of the claimants on all counts. The outcome will be of particular interest to the group of 587 claimants who brought the case against Post Office Limited, but the judgement

A MARLIN IS ONE OF THE FASTEST SNARKS IN THE OCEAN

FORCED AUTHORISATION CHIP AND PIN SCAM HITTING HIGH-END
Chip and PIN was designed to prevent fraud, but it also created a new opportunity for criminals that is taking retailers by surprise. Known as “forced authorisation”, committing the fraud requires no special equipment and when it works, it works big: in one transaction a jewellers store lost £20,500. This type of fraud is already a problem in the UK, and now that US retailers have made it

MEASURING INTERNET CENSORSHIP
Norwegian writer Mette Newth once wrote that: “censorship has followed the free expressions of men and women like a shadow throughout history.” Indeed, as we develop innovative and more effective tools to gather and create information, new means to control, erase and censor that information evolve alongside it.

SHOULD YOU PHISH YOUR OWN EMPLOYEES?

PROTECTING HUMAN RIGHTS BY AVOIDING REGULATORY CAPTURE
Regulation is in the news again as a result of the Home Office blocking surveillance expert Eric Kind from taking up his role as Head of Investigation at the Investigatory Powers Commissioner’s Office (IPCO) – the newly created agency responsible for regulating organisations managing surveillance, including the Home Office. Ordinarily, it would be unheard of for a regulated organisation to

ABOUT THIS SITE
“Bentham’s Gaze” is a blog written by Information Security researchers in University College London (UCL). The origin of the blog name is explained in the post “Why Bentham’s Gaze”. Powered by WordPress with Apache HTTPD, on CentOS Linux. UCL photo is copyright UCL Media Services, University College London.

MARCH 2021 – BENTHAM’S GAZE
Aggregatable Distributed Key Generation. We present our work on designing an aggregatable distributed key generation algorithm, which will appear at Eurocrypt 2021. This is joint work with Kobi Gurkan, Philipp Jovanovic, Mary Maller, Sarah Meiklejohn, Gilad Stern, and Alin Tomescu.

STILL TREATING USERS AS THE ENEMY: ENTRAPMENT AND THE
Three years ago, we made the case against phishing your own employees through simulated phishing campaigns. They do little to improve security: click rates tend to be reduced (temporarily) but not to zero – and each remaining click can enable an attack. They also have a hidden cost in terms of produ

CONFIRMATION OF PAYEE IS COMING, BUT WILL IT PROTECT BANK
The new proposal, known as Confirmation of Payee, also only covers the six largest banking groups, but this should cover 90% of transfers. Its goal is to defend against criminals who trick victims into transferring funds under the false pretence that the money is going to the victim’s new account, whereas it is really going to the criminal.

EFFICIENT CRYPTOGRAPHIC ARGUMENTS AND PROOFS
In 2008, unfortunate investors found their life savings in Bernie Madoff’s hedge fund swindled away in a $65 billion Ponzi scheme. Imagine yourself back in time with an opportunity to invest in his fund that had for years delivered stable returns and

MANAGING CONFLICTS BETWEEN ETHICAL PRINCIPLES AND JOB DUTIES
Despite its international context, discussion of the social implications of technology is surprisingly parochial. For example, the idea that individuals should have control over how their data is used is considered radical and innovative in the US, despite it being commonly accepted

MAMADROID: DETECTING ANDROID MALWARE BY BUILDING MARKOV

AN INVESTIGATION OF ONLINE CENSORSHIP IN CYPRUS
The island of Cyprus, situated in the east of the Mediterranean sea, has always been an important commercial and information exchange hub. Today, this is reflected on the large number of submarine cables that facilitate telecommunications with neighboring countries (Greece, Turkey, Egypt, Israel

BY REVISITING SECURITY TRAINING THROUGH ECONOMICS
Here I describe analysis by myself and colleagues Albesë Demjaha and David Pym at UCL, which originally appeared at the STAST workshop in late 2019 (where it was awarded best paper). The work was the basis for a talk I gave at Cambridge Computer Laboratory earlier this week (I thank Alice Hutchings and the Security Group for hosting the talk, as it was also an opportunity to consider this

FORCING PHONE COMPANIES TO SECURE SMS AUTHENTICATION WOULD
Food-writer and campaigner, Jack Monroe, has become the latest high-profile victim of a SIM-swap scam, losing over £5,000 from both her PayPal and bank accounts to a criminal who intercepted SMS authentication codes. The Payment Services Directive requires that fraud victims get their money back, but banks act slowly and sometimes push the blame onto the victims.

DIGITAL EXCLUSION AND FRAUD
The result is the “SIM-swap” fraud, where a criminal obtains a SIM card linked to a customer’s phone number and then can receive security codes for accounts linked to this number. Sometimes criminals pull off this scam by contacting the phone company and impersonating the victim, claiming to have lost their phone.

SECURE VOICE AT OFFICIAL
2.4 Developing scalable, secure voice. When we performed a survey of the technologies that were available in 2010, it became clear that

LIABILITY FOR PUSH PAYMENT FRAUD PUSHED ONTO THE VICTIMS
This morning, BBC Rip Off Britain focused on push payment fraud, featuring an interview with me (starts at 34:20). The distinction between push and pull payments should be a matter for payment system geeks, and certainly isn’t at the front of customers’ minds when they make a payment.
BENTHAM’S GAZE
Information Security Research & Education, University College London (UCL)
TRANSPARENCY, EVIDENCE AND DISPUTE RESOLUTION

Despite the ubiquity of computers in everyday life, resolving a dispute regarding the misuse or malfunction of a system remains hard to do well. A recent example of this is the, now concluded, Post Office trial about the dispute between Post Office Limited and subpostmasters who operate some Post Office branches on their behalf. Subpostmasters offer more than postal services, namely savings accounts, payment facilities, identity verification, professional accreditation, and lottery services. These services can involve large amounts of money, and subpostmasters were held liable for losses at their branch. The issue is that the accounting is done by the Horizon accounting system, a centralised system operated by Post Office Limited, and subpostmasters claim that their losses are not the result of errors or fraud on their part but rather a malfunction or malicious access to Horizon.

This case is interesting not only because of its scale (a settlement agreement worth close to £58 million was reached) but also because it highlights the difficulty in reasoning about issues related to computer systems in court. The case motivated us to write a short paper presented at the Security Protocols Workshop earlier this year – “Transparency Enhancing Technologies to Make Security Protocols Work for Humans”. This work focused on how the liability of a party could be determined when something goes wrong, i.e., whether a customer is a victim of a flaw in the service provider’s system or whether the customer has tried to defraud the service provider.

APPLYING BAYESIAN THINKING TO DISPUTE RESOLUTION

An intuitive way of thinking about this problem is to apply Bayesian reasoning. Jaynes makes a good argument that any logically consistent form of reasoning will lead to taking this approach. Following this approach, we can consider the odds form of Bayes’ theorem expressed in the following way.
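The post's rendering of the theorem did not survive extraction. The following is an added statement of the odds form, not the post's own figure, writing $E$ for the evidence presented and $L$ for the event that the party is liable:

$$
\underbrace{\frac{P(L \mid E)}{P(\neg L \mid E)}}_{\text{posterior odds}}
= \underbrace{\frac{P(E \mid L)}{P(E \mid \neg L)}}_{\text{likelihood ratio}}
\times \underbrace{\frac{P(L)}{P(\neg L)}}_{\text{prior odds}}
$$

The civil standard of "more likely liable than not" is the condition that the posterior odds exceed 1. When $P(E \mid L) \approx 1$, the likelihood ratio is about $1 / P(E \mid \neg L)$, so the evidence moves the odds only to the extent that it would be unlikely for a party that is not liable.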
There is a good reason for considering the odds form of Bayes’ theorem over its standard form – it doesn’t just tell you if someone is likely to be liable, but whether they are more likely to be liable than not: a key consideration in civil litigation. If a party is liable, the probability that there is evidence is high, so what matters is the probability that if the party is not liable there would be the same evidence. Useful evidence is, therefore, evidence that is unlikely to exist for a party that is not liable.

Posted on 2020-04-21 by Alexander Hicks. Categories: Legal issues, Public policy, Security economics.

BY REVISITING SECURITY TRAINING THROUGH ECONOMICS PRINCIPLES, ORGANISATIONS CAN NAVIGATE HOW TO SUPPORT EFFECTIVE SECURITY BEHAVIOUR CHANGE
Here I describe analysis by myself and colleagues Albesë Demjaha and David Pym at UCL, which originally appeared at the STAST workshop in late 2019 (where it was awarded best paper). The work was the basis for a talk I gave at Cambridge Computer Laboratory earlier this week (I thank Alice Hutchings and the Security Group for hosting the talk, as it was also an opportunity to consider this work alongside themes raised in our recent eCrime 2019 paper).

SECURE BEHAVIOUR IN ORGANISATIONS

Both research and practice have shown that security behaviours, encapsulated in policy and advised in organisations, may not be adopted by employees. Employees may not see how advice applies to them, find it difficult to follow, or regard the expectations as unrealistic. Employees may, as a consequence, create their own alternative behaviours as an effort to approximate secure working (rather than totally abandoning security). Organisational support can then be critical to whether secure practices persist. Economics principles can be applied to explain how complex systems such as these behave the way they do, and so here we focus on informing an overarching goal to:

> _Provide better support for ‘good enough’ security-related decisions, by individuals within an organization, that best approximate secure behaviours under constraints, such as limited time or knowledge._

Traditional economics assumes decision-makers are rational, and that they are equipped with the capabilities and resources to make the decision which will be most beneficial for them. However, people have reasons, motivations, and goals when deciding to do something — whether they do it well or badly, they do engage in thinking and reasoning when making a decision. We must capture how the decision-making process looks for the employee, as a _bounded agent_ with limited resources and knowledge to make the best choice. This process is more realistically represented in behavioural economics. And yet, behaviour intervention programmes mix elements of both of these areas of economics. It is by considering these principles in tandem that we explore a more constructive approach to decision-support in organisations.

CONTRADICTIONS IN CURRENT PRACTICE

A bounded agent often settles for a satisfactory decision, by satisficing rather than optimising. For example, the agent can turn to ‘rules of thumb’ and make ad-hoc decisions, based on a quick evaluation of perceived probability, costs, gains, and losses. We can already imagine how these restrictions may play out in a busy workplace. This leads us toward identifying those points of engagement at which employees ought to be supported, in order to avoid poor choices.

Posted on 2020-01-30 by Simon Parkin. Categories: Security economics, Security usability.

CONSIDER UNINTENDED HARMS OF CYBERSECURITY CONTROLS, AS THEY MIGHT HARM THE PEOPLE YOU ARE TRYING TO PROTECT

Well-meaning cybersecurity risk owners will deploy countermeasures in an effort to manage the risks they see affecting their services or systems. What is not often considered is that those countermeasures may produce unintended, negative consequences themselves. These unintended consequences can potentially be harmful, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including services of others). Here, I describe a framework co-developed with several international researchers at a Dagstuhl seminar in mid-2019,
resulting in an eCrime 2019 paper later in the year. We were drawn together by an interest in understanding unintended harms of cybersecurity countermeasures, and encouraging efforts to preemptively identify and avoid these harms. Our collaboration on this theme drew on our varied and multidisciplinary backgrounds and interests, including not only risk management and cybercrime, but also security usability, systems engineering, and security economics.

We saw it as necessary to focus on situations where there is often an urgency to counter threats, but where efforts to manage threats have the potential to introduce harms. As documented in the recently published seminar report, we explored specific situations in which potential harms may make resolving the overarching problems more difficult, and as such cannot be ignored – especially where potentially harmful countermeasures ought to be avoided. Example case studies of particular importance include tech-abuse by an intimate partner, online disinformation campaigns, combating CEO fraud and phishing emails in organisations, and online dating fraud.

Consider disinformation campaigns, for example. Efforts to counter disinformation on social media platforms can include fact-checking and automated detection algorithms behind the scenes. These can reduce the burden on users to address the problem. However, automation can also reduce users’ scepticism towards the information they see; fact-checking can be appropriated as a tool by any one group to challenge viewpoints of dissimilar groups. We then see how unintended harms can shift the burden of managing cybersecurity to others in the ecosystem without them necessarily expecting it or being prepared for it. There can be vulnerable populations which are disadvantaged by the effects of a control more than others. An example may be legitimate users of social media who are removed – or have their content removed – from a platform, due to traits shared with malicious actors or behaviour, e.g., referring to some of the same topics, irrespective of sentiment – an example of ‘Misclassification’, in the list below. If a user, user group, or their online activity are removed from the system, the risk owner for that system may not notice that problems have been created for users in this way – they simply will not see them, as their actions have excluded them. Anticipating and avoiding unintended harms is then crucial before any such outcomes can occur.

Posted on 2020-01-14 (updated 2020-01-13) by Simon Parkin. Categories: Crime science, Cyber crime, Internet security, Public policy, Social networks.

RESOLVING DISPUTES THROUGH COMPUTER EVIDENCE: LESSONS FROM THE POST OFFICE TRIAL
On Monday, the final judgement in the Post Office trial was handed down, finding in favour of the claimants on all counts. The outcome will be of particular interest to the group of 587 claimants who brought the case against Post Office Limited, but the judgement also illustrates problems handling evidence generated by computers that have much broader applicability. I think this trial demonstrates that the way such disputes are resolved is not fit for purpose and that changes are needed both in how computers generate evidence and in how such evidence is reasoned about in litigation.

This case centres around disputes between Post Office Limited and sub-postmasters who operate Post Office branches on its behalf. Post Office Limited supplies these sub-postmasters with products to sell, and the computer accounting system – Horizon – for managing the branch. The claimants contend that shortfalls between the money that was in their branch and what Horizon says result from bugs in Horizon or someone maliciously accessing it. The Post Office instead claims that the shortfalls are real, and it is the responsibility of the sub-postmaster to reimburse the Post Office. Such disputes have resulted in sub-postmasters being bankrupted, and others have even been jailed because the Post Office contends that evidence produced by Horizon demonstrates fraud by the sub-postmaster. The judgement vindicates the sub-postmasters, concluding that Horizon “was not remotely robust”.

This trial is actually the second in this case, with the prior one also finding in favour of the sub-postmasters – that the contractual terms set by Post Office regarding how they investigate and handle shortfalls are unfair. There would have been at least two more trials, had the parties not settled last week with Post Office Limited offering an apology and £58m in compensation. Of this, the vast majority will go towards legal costs and to the fund which bankrolled the litigation – leaving claimants lucky to get much more than £10k on average. Disappointing, sure, but better than nothing and that is what they could have got had the trials and inevitable appeals continued.

As would be expected for a trial depending on highly technical arguments, expert evidence featured heavily. The Post Office expert took a quantitative approach, presenting a statistical argument that claimants’ losses were implausibly high. This argument went by making a rough approximation as to the total losses of all sub-postmasters resulting from bugs in Horizon. Then, by assuming that these losses were spread over all sub-postmasters equally, losses by the 587 claimants would be no more than £25,000 – far less than the £18.7 million claimed. On this basis, the Post Office said that it is implausible for Horizon bugs to be the cause of the losses, and instead they are the fault of the affected sub-postmasters. This argument is fundamentally flawed; I said so at the time, as did others.

The claimant group was selected specifically as people who thought they were victims of Horizon bugs, so it’s quite reasonable to think this group might indeed be disproportionally affected by Horizon bugs. The judge agreed, saying, “The group has a bias, in statistical terms. They plainly cannot be treated, in statistical terms, as though they are a random group of 587”. This error can be corrected, but the argument becomes circular and a statistical approach adds little new information. As the judgement concludes, “probability theory only takes one so far in this case, and that is not very far”.

Posted on 2019-12-19 by Steven J. Murdoch. Categories: Banking security, Legal issues, Modelling, Public policy, Security economics. 1 comment.
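The selection-bias flaw in the expert's argument above can be reproduced on constructed data. This is an added example, not the post's or the expert's own code; the branch count, the fraction of branches hit by bugs and the loss distribution are assumptions, and only the 587 claimants comes from the post.

```python
"""Added illustration of the 'spread the losses evenly' argument the post criticises.

Constructed example code. Every number except N_CLAIMANTS (587, from the post)
is an assumption chosen for illustration.
"""
import random

N_BRANCHES = 11_500        # assumed number of branches, illustrative only
N_CLAIMANTS = 587          # the claimant group size from the post
AFFECTED_FRACTION = 0.05   # assumed: bugs hit only a minority of branches


def simulate_bug_losses(seed: int = 1) -> list[float]:
    """Constructed loss per branch (in pounds) caused by software bugs.

    Assumption: most branches suffer no bug loss at all, while a minority is
    hit by large, repeated discrepancies (log-normal, median around £22k).
    The heavy skew is the whole point of the illustration.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(N_BRANCHES):
        if rng.random() < AFFECTED_FRACTION:
            losses.append(rng.lognormvariate(10.0, 1.0))
        else:
            losses.append(0.0)
    return losses


def even_spread_estimate(losses: list[float], group_size: int) -> float:
    """The expert's method as the post describes it: total bug loss across all
    branches, spread equally over every branch, times the claimant group size."""
    return sum(losses) / len(losses) * group_size


def self_selected_group_loss(losses: list[float], group_size: int) -> float:
    """Loss actually borne by a group recruited because its members believe
    Horizon bugs cost them money: the branches with the largest bug losses."""
    return sum(sorted(losses, reverse=True)[:group_size])


def understatement_factor(seed: int = 1) -> float:
    """How many times the even-spread estimate understates the group's real loss."""
    losses = simulate_bug_losses(seed)
    return (self_selected_group_loss(losses, N_CLAIMANTS)
            / even_spread_estimate(losses, N_CLAIMANTS))


if __name__ == "__main__":
    losses = simulate_bug_losses()
    print(f"even-spread estimate for {N_CLAIMANTS} claimants: "
          f"£{even_spread_estimate(losses, N_CLAIMANTS):,.0f}")
    print(f"loss of the {N_CLAIMANTS} worst-affected branches: "
          f"£{self_selected_group_loss(losses, N_CLAIMANTS):,.0f}")
    print(f"understated by a factor of {understatement_factor():.1f}")
```

With bugs concentrated on a minority of branches, the even-spread figure misses the self-selected group's loss by roughly the ratio of all branches to claimants, which is the judge's point that the group "cannot be treated ... as though they are a random group of 587".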
WE’RE FIGHTING THE GOOD FIGHT, BUT ARE WE MAKING FULL USE OF THE ARMOURY?

_In this post, we reflect on the current state of cybersecurity and the fight against cybercrime, and identify, we believe, one of the most significant drawbacks Information Security is facing. We argue that what is needed is a new, complementary research direction towards improving systems security and cybercrime mitigation, which combines the technical knowledge and insights gained from Information Security with the theoretical models and systematic frameworks from Environmental Criminology. For the full details, you can read our paper – “Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime.”_

The fight against cybercrime is a long and arduous one. Not a day goes by without us hearing (at an increasingly alarming rate) the latest flurry of cyber attacks, malware operations, (not so) newly discovered vulnerabilities being exploited, and the odd sprinkling of a high-profile victim or a widely-used service being compromised by cybercriminals.

A BURDEN BORNE FOR TOO LONG?

Today, the topic of security and cybercrime is one that is prominent in a number of circles and fields of research (e.g., crime science and criminology, law, sociology, economics, policy, policing), not to talk of wider society. However, for the best part of the last half-century, the burden of understanding and mitigating cybercrime, and improving systems security has been predominantly borne by information security researchers and computer engineers. Of course, this is entirely reasonable. As circumstances had long dictated, the exponential penetration and growth in the capability of digital technologies co-dependently brought the opportunity for malicious exploitation, and, alongside it, the need to combat and prevent such malicious activities. Enter the _arms race_. However, and potentially the biggest downside to holding this solitary responsibility for so long, the traditional, _InfoSec_ approach to security and cybercrime prevention has leaned heavily towards the technical side of this mantle: discovering vulnerabilities, creating patches, redefining secure software design (e.g., STRIDE), conceptualising threat models for technical systems, and developing technologies to detect, prevent, and/or counter these threats. But, with the threat landscape of today, is this enough?

TAKING STOCK

Make no mistake, it is clear that such technical skill-sets and innovations that abound and are produced from information security are invaluable in keeping up with similarly skilled and innovative cybercriminals. Unfortunately, however, one may find that such approaches to security and preventing cybercrime are generally applied in an _ad hoc_ manner and lacking systemic structure, with, on the other hand, focus being constantly drawn towards the “top” vulnerabilities (e.g., OWASP’s Top 10) as opposed to “less important” ones (which are just as capable in enabling a compromise), or focus on the most recent wave of cyber threats as opposed to those only occurring a few years ago (e.g., the Mirai botnet and its variants, which have been active as far back as 2016, but are seemingly now on the back burner of priorities). How much thought, can we say, is being directed towards understanding the operational aspects of cybercrime – the journey of the cybercriminal, so to speak, and their opportunity framework? Patching vulnerabilities and taking down botnets are indeed important, but how much attention is placed on understanding criminal _displacement_ and _adaptation_: the shift of criminal activity from one form to another, or the adaptation of cybercriminals (and even the victims, targets, and other stakeholders), in reaction to new countermeasures? Are system designers taking the necessary steps to minimise the attack surfaces effectively, considering all techniques available to them? Is it enough to look at a problem at face value, develop a state-of-the-art detection system, and move on to the next one? We believe much more can and should be done.

Posted on 2019-11-12 by Colin C. Ife. Categories: Crime science, Cyber crime, Law enforcement, Legal issues, Public policy, Security economics.
UK PARLIAMENT ON PROTECTING CONSUMERS FROM ECONOMIC CRIME

On Friday, the UK House of Commons Treasury Committee published their report on the consumer perspective of economic crime. I’ve frequently addressed this topic in my research, as well as here on Bentham’s Gaze, so I’m pleased to see several recommendations of the committee match what myself and colleagues have proposed. In other respects, the report could have gone further, so as well as discussing the positive aspects of the report, I would also like to suggest what more could be done to reduce economic crime and protect its victims.

IRREVOCABLE PAYMENTS ARE THE WRONG DEFAULT

Transfers between UK bank accounts will generally use the Faster Payment System (FPS), where money will immediately show up in the recipient account. FPS transfers cannot be revoked, even in the case of fraud. This characteristic protects banks because if fraudulently obtained funds leave the banking system, the bank receiving the transfer has no obligation to reimburse the victim. In contrast, the clearing system for paper cheques permits payments to be revoked for a few days after the funds appeared in the recipient account, should there have been a fraud. This period allows customers to quickly make use of funds they receive, while still giving a window of opportunity for banks and customers to identify and prevent fraud. There’s no reason why this same revocation window could not be applied to fully electronic payment systems like FPS. In my submissions to consultations on how to prevent push payment scams, I argued that irrevocable payments are the wrong default, and transfers should be possible to reverse in cases of fraud. The same argument applies to consumer-oriented cryptocurrencies like Libra. I’m pleased to see that the Treasury Committee agrees and they have recommended that when a customer sends money to an account for the first time, that transfer be revocable for 24 hours.

INTRODUCING CONFIRMATION OF PAYEE, FINALLY

The banking industry has been planning on launching the Confirmation of Payee system to check if the name of the recipient of a transfer matches what the customer sending money thinks. The committee is clearly frustrated with delays on deploying this system, first promised for September 2018 but since slipped to March 2020. Confirmation of Payee will be a helpful tool for customers to help avoid certain frauds. Still, I’m pleased the committee also recognise its limitations and that the “onus will always be on financial firms to develop further methods and technologies to keep up with fraudsters.” It is for this reason that I argued that a bank showing a customer a Confirmation of Payee mismatch should not be a sufficient condition to hold customers liable for fraud, and the push-payment scam reimbursement scheme is wrong to do so. It doesn’t look like the committee is asking for the situation to be changed though.

Posted on 2019-11-05 by Steven J. Murdoch. Categories: Authentication, Banking security, Cyber crime, Law enforcement, Legal issues, Measurement, Public policy, Security economics, Security usability.

FORCING PHONE COMPANIES TO SECURE SMS AUTHENTICATION WOULD CAUSE MORE HARM THAN GOOD
Food-writer and campaigner, Jack Monroe, has become the latest high-profile victim of a SIM-swap scam, losing over £5,000 from both her PayPal and bank accounts to a criminal who intercepted SMS authentication codes. The Payment Services Directive requires that fraud victims get their money back, but banks act slowly and sometimes push the blame onto the victims. When (as I hope it will) the money does eventually get reimbursed, she’s still unlikely to get compensation for any consequential losses, nor for the upset caused. It’s no surprise that this experience has been stressful for Jack, as it would be for most people in her situation. I am, of course, very sympathetic to victims of SIM-swap fraud and recognise the substantial financial costs, as well as the sense of violation that results.

Naturally, fingers are being pointed at the phone companies and followed up with calls for them to do better identity checks before transferring a phone number to a new SIM card. I think this isn’t entirely fair. The real problem is that banks and other payment service providers have outsourced authentication to phone companies, without ensuring that the level of security is appropriate for the sums of money at risk. Banks could have chosen to distribute authentication devices and find a secure way to re-issue ones that are lost. Instead, they have pushed this task to unwitting phone companies, and leave their customers to pick up the pieces when things go wrong, so they don’t have an incentive to do better.

MORE SECURE SMS AUTHENTICATION

But what if phone companies did do a better job at handing out replacement SIM cards? Maybe the government could push them into doing so, or the phone companies might just get fed up with the bad press. Phone companies could, in principle, set up a process for re-issuing SIM cards which would meet the highest standards of the banking industry. Let’s put aside the issue that SMS was never designed to be secure, and that these processes would put up the cost of phone bills – would it fix the problem? I would argue that it does not. Processes good enough for banking authentication could lock people out of receiving phone calls, and disproportionately harm the most vulnerable members of society.

Posted on 2019-10-14 (updated 2019-10-15) by
Steven J. Murdoch. Categories: Authentication, Banking security, Legal issues, Mobile, Public policy, Security economics.

A MARLIN IS ONE OF THE FASTEST SNARKS IN THE OCEAN

In this post, we discuss our new zero-knowledge proving system, Marlin, by Chiesa, Hu, Maller, Mishra, Vesely, and Ward. This year has been the year of the universal SNARK, with Sonic, Libra, and Plonk all bidding for attention. Marlin is yet another competitor, one which we recommend using when you require fast verification time without the use of batching.

WHY UNIVERSAL SNARKS?

A universal SNARK is a proving system in which a single trusted setup suffices to prove anything that we know how to prove. That means that the same setup could be used across all applications and that parameters could be stored in a general-purpose library. Additionally, these universal SNARKs typically have relatively easy to coordinate setup procedures, which makes it easier to convince users that the procedure has been carried out correctly and securely. Some SNARKs avoid setup procedures altogether. Such works include Spartan, Halo, and Hyrax. However, the cost of avoiding a trusted setup can generally be seen in the proof sizes and verification time.

MARLIN OR SONIC?

In this author’s humble opinion, Sonic is fabulous. The proofs are small, the provers are fast, and the verification is fast _provided one is verifying many proofs at the same time_. For applications that use batched verifications, Sonic currently remains the state-of-the-art. Cryptocurrency transactions are a classic example of this – nodes can verify all the transactions in a new block simultaneously (provided the miner aggregates the transactions). However, this setting in which Sonic excels, i.e. the setting in which the verifier is not just given a single proof but many, many proofs of the same thing, is not always a given. For an example where Sonic’s batched proofs would not suffice, consider a randomness beacon. Here verification of the beacon’s outputs is only done once in a while. Therefore it would be a setting where batching is totally inappropriate.

Posted on 2019-09-19 by Mary Maller. Categories: Blockchain, Cryptocurrencies, Cryptography.

MEASURING MOBILITY WITHOUT VIOLATING PRIVACY – A CASE STUDY OF THE LONDON UNDERGROUND
In the run-up to this year’s Privacy Enhancing Technologies Symposium (PETS 2019), I noticed some decidedly non-privacy-enhancing behaviour. Transport for London (TfL) announced they will be tracking the wifi MAC addresses of devices being carried on London Underground stations. Before storing a MAC address it will be hashed with a key, but since this key will remain unchanged for an extended period (2 years), it will be possible to track the movements of an individual over this period through this pseudonymous ID. These traces are likely enough to link records back to the individual with some knowledge of that person’s distinctive travel plans. Also, for as long as the key is retained it would be trivial for TfL (or someone who stole the key) to convert someone’s MAC address into its pseudonymised form and indisputably learn that person’s movements. TfL argues that under the General Data Protection Regulation (GDPR), they don’t need the consent of individuals they monitor because they are acting in the public interest.

Indeed, others have pointed out the value to society of knowing how people typically move through underground stations. But the GDPR also requires that organisations minimise the amount of personal data they collect. Could the same goal be achieved if TfL irreversibly anonymised wifi MAC addresses rather than just pseudonymising them? For example, they could truncate the hashed MAC address so that many devices all have the same truncated anonymous ID. How would this affect the calculation of statistics of movement patterns within underground stations? I posed these questions in a presentation at the PETS 2019 rump session, and in this article, I’ll explain why a set of algorithms designed to violate people’s privacy can be applied to collect wifi mobility information while protecting passenger privacy.

It’s important to emphasise that TfL’s goal is not to track past Underground customers but to predict the behaviour of future passengers. Inferring past behaviours from the traces of wifi records may be one means to this end, but it is not the end in itself, and TfL creates legal risk for itself by holding this data. The inferences from this approach aren’t even going to be correct: wifi users are unlikely to be typical passengers and behaviour will change over time. TfL’s hope is the inferred profiles will be useful enough to inform business decisions. Privacy-preserving measurement techniques should be judged by the business value of the passenger models they create, not against how accurate they are at following individual passengers around underground stations in the past. As the saying goes, “all models are wrong, but some are useful”.
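The two properties discussed above, that a keyed hash stays linkable to a known MAC address for as long as the key exists, and that truncating it makes many devices share one ID, can be shown directly. This is an added example, not TfL's scheme or the post author's code; HMAC-SHA256 as the keyed hash, the key, the MAC addresses and the truncation width are all assumptions constructed for illustration.

```python
"""Added example: keyed pseudonymisation of wifi MAC addresses versus truncation.

Constructed illustration code. The keyed hash is assumed to be HMAC-SHA256;
the key and the MAC addresses below are synthetic.
"""
import hashlib
import hmac
from collections import Counter

# Constructed secret. In the scheme the post describes the key is kept for two years.
TFL_KEY = b"constructed-demo-key-not-real"


def pseudonymise(mac: str, key: bytes = TFL_KEY) -> str:
    """Keyed hash of a MAC address: the same MAC always maps to the same pseudonym."""
    canonical = mac.lower().replace("-", ":").encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def truncate_id(pseudonym: str, bits: int) -> int:
    """Keep only the top `bits` bits of the 256-bit pseudonym (0 <= result < 2**bits)."""
    return int(pseudonym, 16) >> (256 - bits)


def constructed_macs(n: int) -> list[str]:
    """n distinct, obviously synthetic MAC addresses (locally administered 02: prefix)."""
    return [
        f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        for i in range(n)
    ]


def linkable_with_key(mac: str, observed_ids: set[str], key: bytes = TFL_KEY) -> bool:
    """Whoever holds the key can test whether a known MAC appears in stored records.
    This is the re-identification risk the post describes for un-truncated IDs."""
    return pseudonymise(mac, key) in observed_ids


def devices_per_truncated_id(macs: list[str], bits: int) -> dict[int, int]:
    """How many devices collapse onto each truncated anonymous ID."""
    return dict(Counter(truncate_id(pseudonymise(m), bits) for m in macs))


def anonymity_stats(macs: list[str], bits: int) -> tuple[int, int, int]:
    """(distinct truncated IDs, smallest group sharing an ID, largest group)."""
    groups = devices_per_truncated_id(macs, bits)
    return len(groups), min(groups.values()), max(groups.values())


if __name__ == "__main__":
    macs = constructed_macs(1000)
    full_ids = {pseudonymise(m) for m in macs}
    print(f"{len(full_ids)} distinct full pseudonyms for {len(macs)} devices")
    print("known MAC linkable while key is held:", linkable_with_key(macs[0], full_ids))
    for bits in (8, 10, 12):
        distinct, smallest, largest = anonymity_stats(macs, bits)
        print(f"{bits}-bit truncation: {distinct} IDs, group sizes {smallest}..{largest}")
```

Counting devices per truncated ID is still possible for flow statistics, while no single truncated ID identifies one device, which is the trade-off the post goes on to examine.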
SIMULATING PRIVACY-PRESERVING MOBILITY MEASUREMENT

To explore this space, I built a simple simulation of Euston Station inspired by one of the TfL case studies. In my simulation, there are two platforms (A and B) and six types of passengers. Some travel from platform A to B; some from B to A; others enter and leave the station at one platform (A or B). Of the passengers that travel between platforms, they can take either the fast route (taking 2 minutes on average) or the slow route (taking 4 minutes on average). Passengers enter the station at a Poisson arrival rate averaging one per second. The probabilities that each new passenger is of a particular type are shown in the figure below. The goal of the simulation is to infer the number of passengers of each type from observations of wifi measurements taken at platforms A and B.

Posted on 2019-09-17 by Steven J. Murdoch. Categories: Legal issues, Measurement, Mobile, Modelling, Networking, Privacy, Public policy.

A REFLECTION ON THE WAVES OF MALICE: MALICIOUS FILE DISTRIBUTION ON THE WEB (PART 2)
_The first part of this article introduced the malicious file download dataset and the delivery network structure. This final part explores the types of files delivered, discusses how the network varies over time, and concludes with challenges for the research community._

THE GREAT DIVIDE: A PUP ECOSYSTEM AND A MALWARE ECOSYSTEM

We found a notable divide in the delivery of PUP and malware. First, there is much more PUP than malware in the wild: we found PUP-to-malware ratios of 5:1 by number of SHA-2s, and 17:2 by number of raw downloads. Second, we found that mixed delivery mechanisms of PUP and malware are not uncommon (e.g., see our Opencandy case study in the paper). Third, the highly connected Giant Component is predominantly a PUP Ecosystem (8:1 PUP-to-malware by number of SHA-2s), while the many “islands” of download activity outside of this component are predominantly a Malware Ecosystem (1.78:1 malware-to-PUP by number of SHA-2s).

Comparing the structures of the two ecosystems, we found that the PUP Ecosystem leverages a higher degree of IP address and autonomous system (AS) usage per domain and per dropper than the Malware Ecosystem, possibly indicating higher CDN usage or the use of evasive fast-flux techniques to change IP addresses (though, given earlier results, the former is the more likely). On the other hand, the Malware Ecosystem was attributed with fewer SHA-2s being delivered per domain than the PUP Ecosystem with the overall numbers in raw downloads remaining the same, which could again be indicative of a disparity in the use of CDNs between the two ecosystems (i.e., CDNs typically deliver a wide range of content). At the same time, fewer suspicious SHA-2s being delivered per domain could also be attributable to evasive techniques being employed (e.g., malicious sites delivering a few types of files before changing domain) or distributors in this ecosystem dealing with fewer clients and smaller operations.

We tried to estimate the number of PPIs in the wild by defining a PPI service as a network-only component (or group of components aggregated by e2LD) that delivered more than one type of malware or PUP family. Using this heuristic, we estimated a lower bound of 394 PPIs operating on the day, 215 of which were in the PUP Ecosystem. In terms of proportions, we found that the largest, individual PPIs in the PUP and Malware Ecosystems involved about 99% and 24% of all e2LDs and IPs in their ecosystems, respectively.

_With there being a number of possible explanations for these structural differences between ecosystems, and such a high degree of potential PPI usage in the wild (especially within the PUP Ecosystem), this is clearly an area in which further research is required._

KEEPING TRACK OF THE WAVES

The final part of the study involved tracking these infrastructures and their activities over time. Firstly, we generated tracking signatures of the network-only (server-side) and file-only (client-side) delivery infrastructures. In essence, this involved tracking the root and trunk nodes in a component, which typically had the highest node degrees, and thus, were more likely to be stable, as opposed to the leaf nodes, which were more likely to be ephemeral.

Posted on 2019-09-05 by Colin C. Ife. Categories: Crime science, Cyber crime, Internet security, Malware, Measurement.
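The PPI lower-bound heuristic and the PUP-to-malware ratios described in the post above, applied to a handful of constructed download records. This is an added example and not the paper's pipeline; the hostnames, hashes, family labels and the simplified e2LD rule (last two labels, instead of the Public Suffix List) are assumptions.

```python
"""Added example of the PPI heuristic from the post: group servers by e2LD and
count groups that delivered more than one malware or PUP family.

Constructed illustration code; the records below are synthetic.
"""
from collections import defaultdict

# Constructed sample records: (server hostname, file hash label, family, kind).
# The hash labels are placeholders, not real SHA-2 values.
DOWNLOADS = [
    ("cdn1.installer-hub.example", "sha2-aaaa", "bundler-a", "pup"),
    ("cdn2.installer-hub.example", "sha2-bbbb", "toolbar-b", "pup"),
    ("dl.installer-hub.example",   "sha2-cccc", "trojan-x",  "malware"),
    ("files.single-drop.example",  "sha2-dddd", "trojan-y",  "malware"),
    ("files.single-drop.example",  "sha2-dddd", "trojan-y",  "malware"),
    ("mirror.pupstuff.example",    "sha2-eeee", "adware-c",  "pup"),
    ("mirror.pupstuff.example",    "sha2-ffff", "adware-d",  "pup"),
]


def e2ld(host: str) -> str:
    """Effective second-level domain, simplified to the last two labels.
    A real pipeline would consult the Public Suffix List (assumption)."""
    return ".".join(host.split(".")[-2:])


def families_by_e2ld(records) -> dict[str, set[str]]:
    """Aggregate the family labels delivered by each e2LD group."""
    groups: dict[str, set[str]] = defaultdict(set)
    for host, _sha2, family, _kind in records:
        groups[e2ld(host)].add(family)
    return dict(groups)


def ppi_candidates(records) -> list[str]:
    """e2LD groups that delivered more than one family: the post's lower-bound
    heuristic for pay-per-install services."""
    return sorted(d for d, fams in families_by_e2ld(records).items() if len(fams) > 1)


def pup_to_malware_ratio(records, by: str = "sha2") -> tuple[int, int]:
    """(PUP count, malware count), counted by distinct hash or by raw download,
    the two ways the post reports its 5:1 and 17:2 ratios."""
    if by == "sha2":
        pup = {r[1] for r in records if r[3] == "pup"}
        mal = {r[1] for r in records if r[3] == "malware"}
        return len(pup), len(mal)
    pup = sum(1 for r in records if r[3] == "pup")
    mal = sum(1 for r in records if r[3] == "malware")
    return pup, mal


if __name__ == "__main__":
    print("PPI candidates:", ppi_candidates(DOWNLOADS))
    print("PUP:malware by SHA-2:", pup_to_malware_ratio(DOWNLOADS))
    print("PUP:malware by downloads:", pup_to_malware_ratio(DOWNLOADS, by="downloads"))
```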