Academia


I know at least one of my LJ friends will have sympathy with this one. I’ve received the proofs for a new journal article(*). While most of the comments are reasonable there’s a pair that are rather stupid when taken together. In the paper we reference this paper:

Dick, A. R. and Brooks, M. J. (2003) Issues in automated visual surveillance. In: Sun et al (eds.).

which, as anyone who understands referencing can see, then cross-references:

Sun, C., Talbot, H., Ourselin, S. and Adriaansen, T. (eds). (2003) Proceedings of the Seventh International Conference on Digital Image Computing: Techniques and Applications, DICTA 2003, 10–12 December 2003, Macquarie University, Sydney, Australia. CSIRO Publishing.

The copy editors have separately asked:

Please provide further publication details in the reference Dick and Brooks (2003).

and:

Reference Sun et al (2003) not cited in the text. Please cite in the text, else delete from the reference list.

Argh!

 

(*) From my web page “News” section about this paper: A joint paper with Dr James Ferryman of the School of Systems Engineering, University of Reading has just been accepted by Security Journal. The pre-print of The Future of Video Analytics for Surveillance and Its Ethical Implications is available from The Open Depot.

Academia.edu (an academic networking site) has an interesting alert service whereby they email anyone whose page is accessed with a referrer URL from one of the main search engines, and give the search terms, the search engine and, where available (from the web server log of academia.edu rather than from the search engine), the country from which my page was accessed. It’s interesting to see how people find me and from where. Yesterday I got such an alert where one of my papers was found via a search on a minor paraphrasing of one of the significant sentences (i.e. not a linking piece of text but one of the presentations of the core ideas in the paper). Thinking about how I’ve worked in the past, I suspect this was an academic checking for plagiarism in a piece of student work that has made them suspicious.

Having written far too many emails explaining my views on how academia can best move to toll-free access to the scholarly literature (often abbreviated as Open Access) I have written this up on my web site: How to Achieve OA.

It’s somewhat ironic that Japan’s National Institute of Informatics requires paper submission of job applications. So, ten-page application form, three copies of three papers (ranging from eight to 23 pages), covering letter and two references hand-submitted (their offices are five minutes’ walk from my current workplace, so I figured it was better to drop it off in person than run any risk with the post). I’m told they get 150 applicants per year for the one or two posts they appoint, so this is a long shot.

One of my current research projects (DESVALDO, funded by the CIGREF Foundation) involves surveying people about their use of digital data. While our primary target is non-expert computer users, expert users are also welcome to take it. This is the survey.

Ross Anderson, Cambridge

Deception: Would personalising payment pages reduce small scale fraud?

How is being watched by humans different to being watched by software?

Blackstone: The law is the long march from status to contract. Are we now towards the end of the long march from honour codes to ubiquitous technical surveillance?

Dave Clark, MIT
Reactions to Prior Talks

A lot of the stories we tell are move/counter-move systems? Why are we in an equilibrium and it’s not that one side won? Perhaps it’s just that if one side won, the question is not interesting.

The way to reduce crime is not to build perfect systems, but to make sure crime doesn’t pay.

Peter Robinson, Cambridge
The Eyes Have It

There is something that can be done with eye gaze in detecting speakers’ state of mind.

Identifying people who are cognitively overloaded (e.g. while driving, to reduce interruptions from navigation systems or the like).

Peter Swire, Ohio State
Tour of Projects

Encryption and globalisation paper, particularly the attempts by China and India to repeat the US mistakes.

Going Dark v. the Golden Access of Surveillance.

USvJones.com: Help judges by suggesting usable doctrine.

Are Hackers Inefficient?

The Right to Data Portability

Pretty Good De-identification

The Second Wave of Global Privacy Protection (Ohio State, Nov 2012) conference

Rahul Telang, Carnegie Mellon
Competition and Security

Does (can) competition increase security and/or privacy?

Hospitals are under increasing pressure to invest in patient security and privacy.

In a more competitive healthcare market, there is evidence of more data breaches.

On most other measures, more competition increases quality.

Alma Whitten, Google
When is the Future?

The future is at most ten years from now. Meaningfully, five or ten years from now is the future, because things move so fast.

Technologists have a fair amount of power to build the future. But technologists are often taking their subtle direction from artists: particularly from science fiction.

Shows the “Expo” sequence from Iron Man 2. “I really want that interface”.

Some questions: Where are the boundaries? Who maintains it? Who pays for it?

Easy answers in the fiction (an eccentric techno-genius billionaire), but if we want those tools for everyone these questions become more difficult to answer.

William Burns, Decision Research, CSUSM
Resilience in the Face of Terrorism: Risk Communication as Inoculation

Ratio of behavioural component of response to terrorist events (mostly incorrect) compared to the actual direct impact is approx 15:1. So while reducing loss of life is a good goal, minimisation of the over-reaction in the aftermath is also very important. Pre-emptive risk communication is the sensible approach.

A sensible risk message (terrorists aim to succeed in making you afraid, don’t let them win) has a significant impact on people’s responses to terrorist activity.

Chris Hoofnagle, UC Berkeley
Mobile Payments : Consumer Benefits & New Privacy Concerns

On Terror: I am terrified of motivational speakers, flying coach class on United and children’s products from China.

In a credit card transaction, no party to the transaction has a complete view of the sale. Merchants know what was bought but not exactly who you are. The card issuer knows where and how much you spent, but does not know what you spent. This drives loyalty cards.

Mobile payments means that everyone in the chain can see all of the information.

 

Richard John, USC
Games Terrorists Play

Talking today about the non-rational terrorist.

Stackelberg competition game model.

Defender (leader) chooses counter-measures; attacker (follower) chooses attack.

Can we benefit from the irrationality of our adversaries? Terrorists often do not maximise their expected value – they follow irrational strategies which do not lead to their apparent goals. Reference: Predictably Irrational by Dan Ariely. We can do better than a strong Stackelberg equilibrium if we understand our opponents’ irrationality.

Persuading protection forces to act rationally and use these random approaches is a hard problem in itself.
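As an added illustration (my own constructed example, not from the talk), here is a toy two-target, one-guard Stackelberg security game in Python: the defender (leader) commits to a mixed coverage, the attacker (follower) observes it and picks a target. It computes the strong Stackelberg equilibrium against a rational best-responder, the better allocation available against a non-rational attacker who ignores coverage and just goes for the biggest prize, and the cost of betting on that irrationality if the attacker turns out to be rational after all. All payoffs are constructed.

```python
from fractions import Fraction as F
from typing import Callable, Dict, Optional, Tuple

# Constructed payoffs (not from the talk). Per target: defender (d_) and
# attacker (a_) utility when the target is covered (cov) vs uncovered (unc).
TARGETS: Dict[str, Dict[str, F]] = {
    "A": {"d_cov": F(0), "d_unc": F(-10), "a_cov": F(-5), "a_unc": F(10)},
    "B": {"d_cov": F(0), "d_unc": F(-4), "a_cov": F(-1), "a_unc": F(6)},
}
Coverage = Dict[str, F]            # probability that each target is guarded
Attacker = Callable[[Coverage], str]


def defender_utility(cov: Coverage, target: str) -> F:
    p = cov[target]
    return p * TARGETS[target]["d_cov"] + (1 - p) * TARGETS[target]["d_unc"]


def attacker_utility(cov: Coverage, target: str) -> F:
    p = cov[target]
    return p * TARGETS[target]["a_cov"] + (1 - p) * TARGETS[target]["a_unc"]


def rational_attacker(cov: Coverage) -> str:
    """Expected-value maximiser; ties broken in the defender's favour (strong SSE)."""
    return max(TARGETS, key=lambda t: (attacker_utility(cov, t), defender_utility(cov, t)))


def headline_attacker(cov: Coverage) -> str:
    """Non-rational follower: ignores coverage and always goes for the biggest prize."""
    return max(TARGETS, key=lambda t: TARGETS[t]["a_unc"])


def best_coverage(attacker: Attacker, steps: int = 100) -> Optional[Tuple[F, Coverage, str]]:
    """Leader commits to the coverage (grid search) maximising its utility vs `attacker`."""
    best = None
    for i in range(steps + 1):
        cov = {"A": F(i, steps), "B": F(steps - i, steps)}   # one guard, split between A and B
        target = attacker(cov)
        u = defender_utility(cov, target)
        if best is None or u > best[0]:
            best = (u, cov, target)
    return best


def evaluate(cov: Coverage, attacker: Attacker) -> Tuple[F, str]:
    """Defender's realised utility if it commits to `cov` but actually faces `attacker`."""
    target = attacker(cov)
    return defender_utility(cov, target), target


if __name__ == "__main__":
    sse_u, sse_cov, _ = best_coverage(rational_attacker)
    irr_u, irr_cov, _ = best_coverage(headline_attacker)
    print("SSE vs rational attacker: guard A with p=%s, defender utility %s" % (sse_cov["A"], sse_u))
    print("Best vs headline attacker: guard A with p=%s, defender utility %s" % (irr_cov["A"], irr_u))
    print("Same allocation if the attacker is rational after all:", evaluate(irr_cov, rational_attacker))
```

Against the rational attacker the defender can only secure -2 by guarding each target half the time; against the headline-chaser it secures 0 by guarding A always, but that allocation yields -4 if the irrationality assumption is wrong, which is the cost of modelling the opponent badly.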

Steven LeBlanc, Harvard
Constant Battles

The myth of the peaceful, Noble Savage. Humans have always had warfare and high death rates. There is a tendency to wish away prehistoric warfare by calling it something else or pretending it never existed. The evolutionary pressures on surviving warfare are significant in the human genome?

Where data is good 15-25% of males die from warfare and 5% of females.

Death rates decrease with increased social complexity. You are safer if you pay taxes. The more taxes you pay, the safer you are.

Mark Levine, Exeter
The Psychology of Violence Prevention

How to enroll the support of collective psychology to suppress violent action.

The action of third parties is seen in traditional psychology as mostly negative: mob violence, mass hysteria, peer group pressure.

Looking at CCTV records of third party interventions (or lack of intervention) in violence.

Larger groups are less violent. How do third parties coordinate successfully?

Identity and eye-gaze: 52 participants, asked to view the same video with different priming questions about their identification with the subjects.

Ingroup bias: men look more at the men, women look more at the women. Men look more at the “perpetrator”, women look less at the “perpetrator”.

When people are primed in terms of their gender identity, they look at the third parties more than just the participants in the violence.

When primed to think of themselves as part of the group rather than as an individual, the women look more widely, whereas the men look more focussed. When primed as individuals, men and women look equally focussed/broadly.

John Mueller, OSU
Terrorism Since 9/11 – the American Cases

Only one occurrence in the US since 9/11 where a Muslim terrorist killed anyone in the US, and almost no injuries. Half of the cases appear to have been partly instigated by agent provocateurs of the government and all of the attempted terrorists have been incompetent and mostly highly unbalanced.

David Livingstone-Smith, New England
Ideology

The camera obscura description of ideology as an accidental inversion of reality. The Conspiracy Model of ideology as a purposive distortion of reality in pursuit of some goal.

There is a perfectly good model of non-intentional purposiveness available: the notion of biological purpose, e.g. the orchid that simulates a wasp for the “purpose” of seducing male wasps to use them as a pollination vector.

Millikan’s theory of proper function provides analysis of non-intentional purposes. The thing that caused a reproduction of an item is the proper function of the item.

Ideologies are collective misrepresentations of the social world that perpetuate the power of dominant groups, creating the circumstances allowing their reproduction and the reproduction of that power.

 

Rachel Greenstadt, Drexel
Anonymouth: How to make machine learning for security usable

Long term anonymity is challenging, as shown in the case of “A Gay Girl in Damascus”. It’s particularly difficult to re-write an existing document in a new style.

Anonymouth provides a suggestion set of ideas for how to make your documents less recognisable as your own.

Luke Church, Cambridge
“tracking” for societal benefit

Users don’t understand derived sales models.

Asking programmers to allow the researchers to record and analyse their every keystroke and mouse click leads to refusal because they are afraid of the usage of that data.

Please can we slow down the process of restricting scientists’ access to data.

Bruce Schneier, BT
Profiling and Airports

Why profiling makes no sense in security, even if you have a differential threat. Arguing against intuition, “common sense” and “obviousness” with clear (security) engineering principles is hard.

Public policy has important characteristics which divorce it from individual common sense about security.

Political rhetoric focusses on folk belief, common sense and intuition, rather than solid engineering principles. Non-security issues are driving security decisions (including corporate interest, law enforcement interests, military interests).

The four horsemen of the cyber apocalypse used for two decades to justify intrusion.

Persuasion and security questions. How to teach people not to have their security fear buttons pushed.

Matt Blaze, University of Pennsylvania
Folklore

Why (Special Agent) Johnny (Still) Can’t Encrypt (redux)

APCO Project 25 (P25) cryptographic system for first responders.

Serious vulnerabilities in multiple ways, in theory. How often do they cause problems in practice?

Rule #1 of cryptanalysis – look for cleartext.

Ridiculous amount and high security content of cleartext. About 30 minutes of cleartext per day per city.

The problem exists because radio encryption is harder than we think.

After discussions with various agencies there was often a short term drop in cleartext but then a reversion and even an increase.

The act of paying attention to problems like this can lead to a reduction of security because of misunderstanding.

Institutional memory of the previous generation of analogue radios (encryption reduces quality) is still maintained even though it is completely incorrect for the current systems.

Pam Briggs, Northumbria
A “Family and Friends” Perspective on Privacy and Security

Prevailing rhetoric is that privacy and security operate at a personal level – with individual decisions.

Too little attention paid to inadvertent disclosure in social or family networks.

Location-based services – one of the potentially most disruptive applications for privacy in the next few years.

Ubicomp in a family setting.

Facebook account hacked – three facebook friends to provide re-authentication.

 

Jaeyon Jung, Microsoft
Tools to Analyse Personal Data Exposure Through Apps & Developing UIs for Control

Problem is that access to information by Apps is often “all or nothing” for classes and without certain classes the app cannot be used at all – even if the app does not need it, depending on how it is programmed.

Some participants in a study of smartphone app data transfer were unsurprised – this is the price you pay for “free” apps. Others were surprised at things like the collection and transfer of location data when the app did not need it. Others felt they were not bothered by the collection per se, but wanted to know who had the data.

Some participants planned to uninstall particular apps (e.g. Angry Birds) because of their data collection. Some felt that the option of disclose or don’t use was not a good situation.

We need better user experiences for users in knowing about and controlling the information their smartphones give out.

 

Rob Reeder, Microsoft
NEAT guidance for usable software security

RSA data release started with a spear phishing attack based on an Excel spreadsheet.

Security guidance to users in MS products should now follow NEAT: Necessary, Explained, Actionable, Tested.

 

Christoph Paar, Ruhr University
Real World Hacks

How do attackers learn their trade? With better information about how attackers develop their approaches, then we can potentially improve the defences. Obfuscation may be more use than its reputation (security by obscurity) gives it credit for.

 

Frank Stajano, Cambridge
The quest to replace passwords

Passwords have really poor usability. Does this mean we get good security? No.

Predictions of the demise of the password have been greatly exaggerated. We use more and more passwords every year.

Make sense of what has been done – those who fail to study history are doomed to repeat it.

Evaluation framework for authentication systems.

Passwords are not going to die any time soon. Many schemes are better than passwords on security. Some schemes are better on usability than passwords, but most are worse. All are worse on deployability.

 

Jeff Yan, Newcastle University
Does psychological profiling predict MMORPG cheaters?

There are many technical solutions to analysing in-game behaviour to identify cheating. Is it possible to identify likely cheaters with a psychological test? What about the issue of potential cheaters cheating on the questionnaire?

Sandy Clark, University of Pennsylvania
The Honeymoon Period and Security Development

Bug identification models don’t work for vulnerability identification.

Casinos have developed good approaches to patching exploits in their systems (general systems, not just computer-based systems).

Scams are the “buffer overflow errors” of human consciousness.

Attackers adapt, so defenders must adapt.

Evolutionary Biology model for Parasite/Host competing evolution (the Red Queen Hypothesis: everyone must run in place to maintain the best outcome, which is not a perfect system).

Modelling the defender is not enough. We need to model the attacker. More importantly, we need to model the interaction, and the violation of assumptions is one of the key elements of this.

 

Richard Clayton, Cambridge
Devo estar falando Portugues? (Should I speak Portuguese?)

IM Worms.

Portuguese-specific short IMs for infection have significantly higher numbers of clicks at peak than “language-independent” ones.

 

Cormac Herley, Microsoft
Fraud

Anything I do with a password can be repudiable.

We should be teaching check(cheque)-clearing rules instead of Byzantine security tips.

 

Markus Jacobsson, PayPal
What are password strength checkers actually doing?

Strength checker? Fast Runner? Has Tail, Has Black marks, Has Yellow surface, Has Dots? Result is a budgie not a leopard.

Determine the user’s mental process for creating (strong) passwords.

Comment by Richard Clayton: passwords for porn sites need to be enterable with only one hand.

 

Eric Johnson, Dartmouth College
Fraud in Healthcare

US healthcare costs are $2.5T. Fraud is estimated at some hundreds of billions of dollars.

Medical Identity Theft?
The US medical system is set up to provide opportunities for fraud, particularly due to the pay-and-chase model.
Very easy to join medicare/medicaid as a payee, just a bureaucratic process.

Getting hold of an identity is not hard. The monetisation model is the key development.

Grainne Kirwin, Inst of Tech, Ireland
Psychology of Cybercrime

Interested in victims of cybercrime. Why are they targeted, how do they react?

Trait anxiety, rather than state anxiety (Big-5?): how does it compare to susceptibility to fraud?

Victim facilitation and precipitation. Insult someone and they hit you (precipitation). Leave your keys on the bar (facilitation).

Considering how facilitation relates to liability. Most people will indicate that facilitative victims should be more liable.

David Modic, Exeter
Risk and Internet Scams

Ego-depletion, materialism, marketing (susceptibility to being scammed).

Ego-depletion has no effect on falling for a scam.

No materialism measure has any impact.

Appeal has a very limited effect.

Scammers offer money not goods and intangibles.
