I signed up today for a conference in Spain. They are using PayPal for taking registration. I’m trying to avoid PayPal, but as the only alternative (bank transfer) is a real pain to do from Japan, I bite the bullet when the other party only offers PayPal as a sensible option. So, I was directed to a PayPal site to process the payment, having given them all the registration details they demanded (including them requiring a landline phone number! I just re-entered my mobile number, which they had already also required). The initial PayPal page was all in Spanish. There was no visible button for changing the language. An understandable (to me) bit asked for my country, so I selected Japan and the page renewed into English. Odd, but useful to me. So, I gave them my credit card details including the billing address and submitted them. The “review and confirm payment” page then came up in Japanese. These days I know enough Japanese to have been able to figure this one out.

So, PayPal displayed itself in three different languages during one transaction, with, at no point that I could see, a visible button to select a language I can definitely use, and with some apparently random selections of which language to display a particular page in. This is not good internationalisation.

I know at least one of my LJ friends will have sympathy with this one. I’ve received the proofs for a new journal article(*). While most of the comments are reasonable there’s a pair that are rather stupid when taken together. In the paper we reference this paper:

Dick, A. R. and Brooks, M. J. (2003) Issues in automated visual surveillance. In: Sun et al (eds.).

which, as anyone who understands referencing can see, then cross-references:

Sun, C., Talbot, H., Ourselin, S. and Adriaansen, T. (eds) (2003) Proceedings of the Seventh International Conference on Digital Image Computing: Techniques and Applications, DICTA 2003, 10–12 December 2003, Macquarie University, Sydney, Australia. CSIRO Publishing.

The copy editors have separately asked:

Please provide further publication details in the reference Dick and Brooks (2003).


Reference Sun et al (2003) not cited in the text. Please cite in the text, else delete from the reference list.



(*) From my web page “News” section about this paper: A joint paper with Dr James Ferryman of the School of Systems Engineering, University of Reading has just been accepted by Security Journal. The pre-print of The Future of Video Analytics for Surveillance and Its Ethical Implications is available from The Open Depot.

Ross Anderson, Cambridge

Deception: Would personalising payment pages reduce small scale fraud?

How is being watched by humans different to being watched by software?

Blackstone: The law is the long march from status to contract. Are we now towards the end of the long march from honour codes to ubiquitous technical surveillance?

Dave Clark, MIT
Reactions to Prior Talks

A lot of the stories we tell are move/counter-move systems. Why are we in an equilibrium, rather than one side having won? Perhaps it’s just that if one side won, the question is not interesting.

The way to reduce crime is not to build perfect systems, but to make sure crime doesn’t pay.

Peter Robinson, Cambridge
The Eyes Have It

There is something that can be done with eye gaze in detecting speakers’ state of mind.

Identifying people who are cognitively overloaded (e.g. while driving, to reduce interruptions from navigation systems or the like).

Peter Swire, Ohio State
Tour of Projects

Encryption and globalisation paper, particularly the attempts by China and India to repeat the US mistakes.

Going Dark v. the Golden Age of Surveillance. Help judges by suggesting usable doctrine.

Are Hackers Inefficient?

The Right to Data Portability

Pretty Good De-identification

The Second Wave of Global Privacy Protection (Ohio State, Nov 2012) conference

Rahul Telang, Carnegie Mellon
Competition and Security

Does (can) competition increase security and/or privacy?

Hospitals are under increasing pressure to invest in patient security and privacy.

In a more competitive healthcare market, there is evidence of more data breaches.

On most other measures, more competition increases quality.

Alma Whitten, Google
When is the Future?

The future is at most ten years from now. Meaningfully, five or ten years from now is the future, because things move so fast.

Technologists have a fair amount of power to build the future. But technologists are often taking their subtle direction from artists: particularly from science fiction.

Shows the “Expo” sequence from Iron Man 2. “I really want that interface”.

Some questions: Where are the boundaries? Who maintains it? Who pays for it?

Easy answers in the fiction (an eccentric techno-genius billionaire), but if we want those tools for everyone these questions become more difficult to answer.

William Burns, Decision Research, CSUSM
Resilience in the Face of Terrorism: Risk Communication as Inoculation

Ratio of behavioural component of response to terrorist events (mostly incorrect) compared to the actual direct impact is approx 15:1. So while reducing loss of life is a good goal, minimisation of the over-reaction in the aftermath is also very important. Pre-emptive risk communication is the sensible approach.

A sensible risk message (terrorists aim to succeed in making you afraid, don’t let them win) has a significant impact on people’s responses to terrorist activity.

Chris Hoofnagle, UC Berkeley
Mobile Payments : Consumer Benefits & New Privacy Concerns

On Terror: I am terrified of motivational speakers, flying coach class on United and children’s products from China.

In a credit card transaction, no party has a complete view of the sale. Merchants know what was bought but not exactly who you are. The card issuer knows where and how much you spent, but not what you bought. This drives loyalty cards.

Mobile payments means that everyone in the chain can see all of the information.


Richard John, USC
Games Terrorists Play

Talking today about the non-rational terrorist.

Stackelberg competition game model.

Defender (leader) chooses counter-measures; attacker (follower) chooses attack.

Can we benefit from the irrationality of our adversaries? Terrorists often do not maximise their expected value – they follow irrational strategies which do not lead to their apparent goals. Reference: Predictably Irrational by Dan Ariely. We can do better than a strong Stackelberg equilibrium if we understand our opponents’ irrationality.

Persuading protection forces to act rationally and use these random approaches is a hard problem in itself.
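The leader/follower structure described above, as an added illustration that is not code from the talk: the defender commits to a coverage probability, a rational attacker observes it and best-responds (ties broken in the defender’s favour, the “strong” Stackelberg convention), and the defender picks the commitment that maximises expected utility. A second, assumed “fixated” attacker model (attacks the prestige target most of the time regardless of coverage) shows how knowledge of the opponent’s bias changes the optimal commitment. Target names, payoff numbers and the fixated model are all constructed for the example.

```python
"""Toy Stackelberg security game (added illustration, not code from the talk).
One defender resource, two targets.  The payoff numbers and the 'fixated'
attacker model are constructed assumptions."""

# Payoffs as (defender, attacker) when the attacked target is covered / uncovered.
TARGETS = {
    "landmark": {"covered": (5, -5), "uncovered": (-10, 10)},
    "depot":    {"covered": (2, -2), "uncovered": (-4, 4)},
}


def expected_utilities(coverage):
    """Per target, (defender EU, attacker EU) if that target is attacked,
    given the probability that each target is covered."""
    out = {}
    for name, pay in TARGETS.items():
        c = coverage[name]
        d = c * pay["covered"][0] + (1 - c) * pay["uncovered"][0]
        a = c * pay["covered"][1] + (1 - c) * pay["uncovered"][1]
        out[name] = (d, a)
    return out


def rational_attacker(eus):
    """Follower best response: maximise own EU, ties broken in the defender's
    favour (the 'strong' Stackelberg convention).  Returns an attack distribution."""
    best = max(a for _, a in eus.values())
    tied = [t for t, (_, a) in eus.items() if abs(a - best) < 1e-9]
    return {max(tied, key=lambda t: eus[t][0]): 1.0}


def fixated_attacker(eus):
    """Assumed non-rational model: 80% of the time attacks the prestige target
    regardless of coverage, otherwise best-responds like the rational attacker."""
    dist = {t: 0.0 for t in eus}
    dist["landmark"] += 0.8
    for t, p in rational_attacker(eus).items():
        dist[t] += 0.2 * p
    return dist


def defender_optimum(attacker, steps=1000):
    """Leader commits first: grid-search the probability p of covering the
    landmark (the depot gets 1-p) against the given attacker model.
    Returns (best p, defender expected utility)."""
    best_p, best_u = 0.0, float("-inf")
    for i in range(steps + 1):
        p = i / steps
        eus = expected_utilities({"landmark": p, "depot": 1 - p})
        u = sum(prob * eus[t][0] for t, prob in attacker(eus).items())
        if u > best_u:
            best_p, best_u = p, u
    return best_p, best_u


if __name__ == "__main__":
    p_sse, u_sse = defender_optimum(rational_attacker)
    p_fix, u_fix = defender_optimum(fixated_attacker)
    print(f"strong Stackelberg: cover landmark with p={p_sse:.3f}, defender EU={u_sse:.2f}")
    print(f"vs fixated attacker: cover landmark with p={p_fix:.3f}, defender EU={u_fix:.2f}")
```

Against the rational attacker the defender ends up randomising (about 4/7 on the landmark, the point where the attacker is indifferent); against the fixated attacker the same defender does far better by covering the landmark every time, which is the “we can do better than the strong Stackelberg equilibrium” point in a two-target toy.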

Steven LeBlanc, Harvard
Constant Battles

The myth of the peaceful Noble Savage. Humans have always had warfare and high death rates. There is a tendency to wish away prehistoric warfare by calling it something else or pretending it never existed. The evolutionary pressures from surviving warfare are significant in the human genome?

Where the data are good, 15-25% of males and 5% of females die from warfare.

Death rates decrease with increased social complexity. You are safer if you pay taxes. The more taxes you pay, the safer you are.

Mark Levine, Exeter
The Psychology of Violence Prevention

How to enroll the support of collective psychology to suppress violent action.

The action of third parties is seen in traditional psychology as mostly negative: mob violence, mass hysteria, peer group pressure.

Looking at CCTV records of third party interventions (or lack of intervention) in violence.

Larger groups are less violent. How do third parties coordinate successfully?

Identity and eye-gaze: 52 participants, asked to view the same video with different priming questions about their identification with the subjects.

Ingroup bias: men look more at the men, women look more at the women. Men look more at the “perpetrator”, women look less at the “perpetrator”.

When people are primed in terms of their gender identity, they look at the third parties more than just the participants in the violence.

When primed to think of themselves as part of the group rather than as an individual, the women look more widely, whereas the men look more focussed. When primed as individuals, men and women look equally focussed/broadly.

John Mueller, OSU
Terrorism Since 9/11 – the American Cases

Only one occurrence in the US since 9/11 where a Muslim terrorist killed anyone in the US, and almost no injuries. Half of the cases appear to have been partly instigated by agents provocateurs of the government, and all of the attempted terrorists have been incompetent and mostly highly unbalanced.

David Livingstone-Smith, New England

The camera obscura description of ideology as an accidental inversion of reality. The Conspiracy Model of ideology as a purposive distortion of reality in pursuit of some goal.

There is a perfectly good model of non-intentional purposiveness available: the notion of biological purpose, e.g. the orchid that simulates a wasp for the “purpose” of seducing male wasps to use them as a pollination vector.

Millikan’s theory of proper function provides an analysis of non-intentional purposes: the effect that caused an item’s ancestors to be reproduced is the proper function of the item.

Ideologies are collective misrepresentations of the social world that:

perpetuate the power of dominant groups, creating the circumstances allowing their reproduction and the reproduction of that power.


Rachel Greenstadt, Drexel
Anonymouth: How to make machine learning for security usable

Long term anonymity is challenging, as shown in the case of “A Gay Girl in Damascus”. It’s particularly difficult to re-write an existing document in a new style.

Anonymouth provides a suggestion set of ideas for how to make your documents less recognisable as your own.

Luke Church, Cambridge
“tracking” for societal benefit

Users don’t understand derived sales models.

Asking programmers to allow the researchers to record and analyse their every keystroke and mouse click leads to refusal because they are afraid of how that data will be used.

Please can we slow down the process of restricting scientists’ access to data.

Bruce Schneier, BT
Profiling and Airports

Why profiling makes no sense in security, even if you have a differential threat. Arguing against intuition, “common sense” and “obviousness” with clear (security) engineering principles is hard.

Public policy has important characteristics which divorce it from individual common sense about security.

Political rhetoric focusses on folk belief, common sense and intuition, rather than solid engineering principles. Non-security issues are driving security decisions (including corporate interest, law enforcement interests, military interests).

The four horsemen of the cyber apocalypse used for two decades to justify intrusion.

Persuasion and security questions. How to teach people not to have their security fear buttons pushed.

Matt Blaze, University of Pennsylvania

Why (Special Agent) Johnny (Still) Can’t Encrypt (redux)

APCO Project 25 (P25) cryptographic system for first responders.

Serious vulnerabilities in multiple ways, in theory. How often do they cause problems in practice?

Rule #1 of cryptanalysis – look for cleartext.

A ridiculous amount of cleartext, much of it highly sensitive. About 30 minutes of cleartext per day per city.

The problem exists because radio encryption is harder than we think.

After discussions with various agencies there was often a short term drop in cleartext but then a reversion and even an increase.

The act of paying attention to problems like this can lead to a reduction of security because of misunderstanding.

Institutional memory of the previous generation of analogue radios (encryption reduces quality) is still maintained even though it is completely incorrect for the current systems.

Pam Briggs, Northumbria
A “Family and Friends” Perspective on Privacy and Security

Prevailing rhetoric is that privacy and security operate at a personal level – with individual decisions.

Too little attention paid to inadvertent disclosure in social or family networks.

Location-based services – one of the potentially most disruptive applications for privacy in the next few years.

Ubicomp in a family setting.

Facebook account hacked – three facebook friends to provide re-authentication.


Jaeyeon Jung, Microsoft
Tools to Analyse Personal Data Exposure Through Apps & Developing UIs for Control

The problem is that access to information by apps is often “all or nothing” per class of data, and without certain classes the app cannot be used at all, even if the app does not need the data, depending on how it is programmed.

Some participants in a study of smartphone app data transfer were unsurprised – this is the price you pay for “free” apps. Others were surprised at things like the collection and transfer of location data when the app did not need it. Others felt they were not bothered by the collection per se, but wanted to know who had the data.

Some participants planned to uninstall particular apps (e.g. Angry Birds) because of their data collection. Some felt that the option of disclose or don’t use was not a good situation.

We need better user experiences for users in knowing about and controlling the information their smartphones give out.


Rob Reeder, Microsoft
NEAT guidance for usable software security

The RSA data breach started with a spear phishing attack based on an Excel attachment.

Security guidance to users in MS products should now follow NEAT: Necessary, Explained, Actionable, Tested.


Christoph Paar, Ruhr University
Real World Hacks

How do attackers learn their trade? With better information about how attackers develop their approaches, then we can potentially improve the defences. Obfuscation may be more use than its reputation (security by obscurity) gives it credit for.


Frank Stajano, Cambridge
The quest to replace passwords

Passwords have really poor usability. Does this mean we get good security? No.

Predictions of the demise of the password have been greatly exaggerated. We use more and more passwords every year.

Make sense of what has been done – those who fail to study history are doomed to repeat it.

Evaluation framework for authentication systems.

Passwords are not going to die any time soon. Many schemes are better than passwords on security. Some schemes are better on usability than passwords, but most are worse. All are worse on deployability.


Jeff Yan, Newcastle University
Does psychological profiling predict MMORPG cheaters?

There are many technical solutions for analysing in-game behaviour to identify cheating. Is it possible to identify likely cheaters with a psychological test? What about the issue of potential cheaters cheating on the questionnaire?

Sandy Clark, University of Pennsylvania
The Honeymoon Period and Security Development

Bug identification models don’t work for vulnerability identification.

Casinos have developed good approaches to patching exploits in their systems (general systems, not just computer-based systems).

Scams are the “buffer overflow errors” of human consciousness.

Attackers adapt, so defenders must adapt.

Evolutionary biology model for parasite/host co-evolution (the Red Queen hypothesis: everyone must keep running just to stay in place, and the best attainable outcome is not a perfect system).

Modelling the defender is not enough. We need to model the attacker. More importantly, we need to model the interaction, and the violation of assumptions is one of the key elements of this.


Richard Clayton, Cambridge
Devo estar falando Português? (Should I be speaking Portuguese?)

IM Worms.

Portuguese-specific short IMs used for infection have significantly higher click rates at peak than “language-independent” ones.


Cormac Herley, Microsoft

Anything I do with a password can be repudiable.

We should be teaching check(cheque)-clearing rules instead of Byzantine security tips.


Markus Jakobsson, PayPal
What are password strength checkers actually doing?

Strength checker? Fast runner? Has tail, has black marks, has yellow surface, has dots? The result is a budgie, not a leopard.

Determine the user’s mental process for creating (strong) passwords.

Comment by Richard Clayton: passwords for porn sites need to be enterable with only one hand.


Eric Johnson, Dartmouth College
Fraud in Healthcare

US healthcare costs are $2.5T. Fraud is estimated at some hundreds of billions of dollars.

Medical Identity Theft?
The US medical system is set up to provide opportunities for fraud, particularly due to the pay-and-chase model.
It is very easy to join Medicare/Medicaid as a payee; it is just a bureaucratic process.

Getting hold of an identity is not hard. The monetisation model is the key development.

Gráinne Kirwan, Inst of Tech, Ireland
Psychology of Cybercrime

Interested in victims of cybercrime. Why are they targeted, and how do they react?

Trait anxiety, rather than state anxiety (Big-5?): how does it compare to susceptibility to fraud?

Victim facilitation and precipitation. Insult someone and they hit you (precipitation). Leave your keys on the bar (facilitation).

Considering how facilitation relates to liability. Most people will indicate that facilitative victims should be more liable.

David Modic, Exeter
Risk and Internet Scams

Ego-depletion, materialism, marketing (susceptibility to being scammed).

Ego-depletion has no effect on falling for a scam.

No materialism measure has any impact.

Appeal has a very limited effect.

Scammers offer money not goods and intangibles.

Jeff Hancock, Cornell
Detecting Deceptive Language and Promoting (more) Honest Behaviour

Detection of the difference between purchased reviews of hotels by people who had not stayed there and real reviews by those who had. Automatic detection could identify 90% of the fake reviews – only works for differentiating between those who had stayed there and those who had not.

Lab studies on identifying lying: psychological distancing shows up in verbal immediacy cues, cognitive complexity leads to a different discourse structure, and anxiety and guilt lead to emotional leakage. However, different types of situation lead to differences in how the models can be applied.

How to promote more honest behaviour.

Promoting honest behaviour. Triggering a feeling of a face triggers social constraints on lying.

Current research will include graphics to see what can improve honesty.

Tyler Moore, Wellesley College
Why user intent affects how we combat online wickedness

Online crime is mainly fought by private actors rather than state agencies.

Sometimes crime is difficult to distinguish from undesirable behaviour.

What is the distinction between bad behaviour and criminal behaviour?

Distinguishing between phishing and malware installation (which can lead to keylogging and loss of authentication details). Phishing is attacked by the banks. Malware installers are attacked by the search engine.

Transparent redirection by cracked sites depending on the referrer information from Google search pages.

Need to identify the intent of the user.
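The referrer-conditional redirection mentioned above, as an added example that is not code from the talk: a simulated compromised site that serves its normal page to direct visitors (including the site owner checking their own site) but bounces anyone arriving from a Google search results page, beside the probe a defender would run to detect it, fetching once with no Referer and once with a search Referer and comparing the responses. The hostnames, page body and redirect target are constructed.

```python
"""Added example, not from the talk: a simulated cracked site that redirects
only search-engine visitors, and a two-fetch probe that detects it.  The
page body, hostnames and redirect target are constructed."""
from urllib.parse import urlparse

LEGIT_PAGE = "<html><body>Welcome to the parish newsletter</body></html>"
PAYLOAD_REDIRECT = "https://pharma-example.invalid/landing"  # constructed attacker URL


def is_search_referrer(referer):
    """True when the Referer is a Google search results page."""
    if not referer:
        return False
    u = urlparse(referer)
    host_ok = u.netloc == "google.com" or u.netloc.endswith(".google.com")
    return u.scheme in ("http", "https") and host_ok and u.path.startswith("/search")


def compromised_site(headers):
    """Behaviour injected into a cracked site.  Returns (status, headers, body).
    Direct visits and most crawlers see the real page; search clicks are bounced,
    so the owner typing the URL never notices."""
    if is_search_referrer(headers.get("Referer")):
        return 302, {"Location": PAYLOAD_REDIRECT}, ""
    return 200, {}, LEGIT_PAGE


def detect_referrer_cloaking(fetch):
    """Probe a site through `fetch(headers)`: once as a direct visit, once as a
    Google search click.  Any difference in status or Location is evidence of
    referrer-conditional redirection."""
    direct = fetch({})
    via_search = fetch({"Referer": "https://www.google.com/search?q=parish+newsletter"})
    if (direct[0] != via_search[0]
            or direct[1].get("Location") != via_search[1].get("Location")):
        return {"cloaking": True, "direct_status": direct[0],
                "search_status": via_search[0],
                "redirects_to": via_search[1].get("Location")}
    return {"cloaking": False}


if __name__ == "__main__":
    print(detect_referrer_cloaking(compromised_site))
    print(detect_referrer_cloaking(lambda h: (200, {}, LEGIT_PAGE)))
```

The same probe works for User-Agent cloaking by varying that header instead; the point is that a defender who only ever fetches the page directly will conclude the site is clean, which is exactly what the redirect is designed to achieve.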


Robert Trivers, Rutgers
The Folly of Fools: the logic of self-deception.

Lying to others is indivisible from self-deception.

Psychologists tend to study only deception. Philosophers worry too much about self-deception. You need both to understand deception.

Choice of language as well as physiological reactions give clues to deliberate deception. Self-deception could be deliberately practised in order to avoid deception clues.

Interesting data on self-deception: we do believe our deceptive positive self-image.

Self-deception is offensive (aimed at deceiving others), rather than what the psychologists claim: that self-deception is defensive, aimed at making ourselves happier.

We need more evidence on detecting deception in real situations.

80% of accidents happen with the pilot, rather than the co-pilot, in actual charge. Co-pilots are hesitant to correct errors from their more senior colleagues, particularly if they do not have a pre-existing strong relationship.

When considering deception, you must always keep self-deception in mind.


Joseph Bonneau, Cambridge
Guessing human-chosen secrets

What’s easier to guess? Older or younger users’ passwords? Passwords or random 9-digit numbers? PIN or mother’s maiden name?

Showed the cartoon of Jesus having 2512 as his PIN to his father, whose birthday is Christmas Day, and his father promptly went and changed his PIN.

Released files of stolen passwords allowed statistical analysis of password choices.

Gathering data within Yahoo via an encrypted (keyed) hash of each password, to allow statistical analysis of the distribution without knowledge of the actual passwords.

Changing user behaviour (such as changing passwords occasionally) is better than just stressing the risk.

Language makes something of a difference, but at most a factor of two in difficulty.
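An added example of the measurement approach above (not the Yahoo study’s own code, and the keyed-hash-then-discard-key procedure is an assumption about how such a collection could be run): tally a login stream under a fresh HMAC key so the analyst only ever holds bucket counts, then compare how large a dictionary an optimal guesser needs to crack a given fraction of accounts against that distribution versus against uniformly random 9-digit numbers. The password sample is constructed.

```python
"""Added example: keyed-hash histogram of password choices plus a
partial-guessing comparison against random 9-digit secrets.  The login
sample is constructed; the collection procedure is an assumption, not the
method of the study described."""
import hashlib
import hmac
import math
import secrets
from collections import Counter

# Constructed login stream: a few very popular choices and a tail of unique ones.
SAMPLE_PASSWORDS = (["123456"] * 10 + ["password"] * 6 + ["qwerty"] * 4
                    + ["iloveyou"] * 3 + [f"unique-{i}" for i in range(17)])


def collect_histogram(passwords):
    """Tally passwords under a fresh secret key, then drop the key.  Unlike an
    unkeyed hash, the surviving bucket counts cannot be matched against a
    dictionary, but equal passwords still land in the same bucket."""
    key = secrets.token_bytes(32)
    hist = Counter(hmac.new(key, pw.encode(), hashlib.sha256).hexdigest()
                   for pw in passwords)
    del key  # only per-bucket counts survive collection
    return hist


def guesses_for_fraction(hist, alpha):
    """Smallest dictionary, guessing most popular first, that compromises a
    fraction alpha of accounts."""
    total = sum(hist.values())
    cum = 0
    for n, count in enumerate(sorted(hist.values(), reverse=True), start=1):
        cum += count
        if cum >= alpha * total:
            return n
    return len(hist)


def uniform_guesses_for_fraction(space_size, alpha):
    """Same metric for a secret chosen uniformly from space_size values."""
    return math.ceil(alpha * space_size)


def shannon_bits(hist):
    """Shannon entropy of the observed distribution, for contrast with the
    guessing metric (entropy overstates difficulty when a few choices dominate)."""
    total = sum(hist.values())
    return -sum(c / total * math.log2(c / total) for c in hist.values())


def compare(alpha=0.5):
    hist = collect_histogram(SAMPLE_PASSWORDS)
    return {
        "human_guesses": guesses_for_fraction(hist, alpha),
        "random9_guesses": uniform_guesses_for_fraction(10 ** 9, alpha),
        "human_shannon_bits": round(shannon_bits(hist), 2),
    }


if __name__ == "__main__":
    for a in (0.25, 0.5):
        print(a, compare(a))
```

On the constructed sample, half the accounts fall to a three-entry dictionary while half of the random 9-digit secrets need five hundred million; the Shannon entropy of the sample (a little under four bits) says nothing like that, which is why a partial-guessing metric is the right yardstick for human-chosen secrets.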


Stuart Schechter, Microsoft
Better Passwords

P@ssword was a “strong” password according to Yahoo’s algorithm. P@$$word1 was a “strong” password according to Google’s algorithm.

Ban popular passwords!

Important internal passwords for high value propositions (MS, Google) need better approaches.
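An added example that serves both the budgie/leopard point in the Jakobsson notes and the P@$$word1 / “ban popular passwords” point here (it is not code from either talk): a checklist strength checker of the kind that counts character classes, beside a check that first undoes the substitutions people make to satisfy such checklists and then rejects anything on a popular-password list. The ban list and test passwords are constructed; a real deployment would load tens of thousands of entries from leaked corpora.

```python
"""Added example, not from either talk: composition-rule 'strength' versus a
normalise-then-ban check.  POPULAR is a constructed stand-in for a real
popular-password list."""
import re

POPULAR = {"password", "123456", "qwerty", "iloveyou", "letmein", "monkey", "dragon"}

# Common keyboard substitutions, undone before the ban-list lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def feature_score(pw):
    """Checklist checker: length plus one point per character class, the
    'has tail, has spots, therefore leopard' approach."""
    score = sum([
        len(pw) >= 8,
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ])
    return "strong" if score >= 4 else "medium" if score == 3 else "weak"


def normalise(pw):
    """Collapse case, trailing digits/punctuation and leet substitutions so that
    P@$$word1, Passw0rd123! and password all compare equal."""
    base = pw.lower()
    base = re.sub(r"[0-9!@#$%^&*]+$", "", base)
    return base.translate(LEET)


def popularity_check(pw, banned=POPULAR):
    """Reject the password if it, or its normalised form, is a popular choice;
    only then fall back to the checklist score."""
    if pw.lower() in banned or normalise(pw) in banned:
        return "banned"
    return feature_score(pw)


if __name__ == "__main__":
    for pw in ("P@ssword", "P@$$word1", "Passw0rd123!", "correct horse battery staple"):
        print(f"{pw!r}: checklist={feature_score(pw)}, with ban list={popularity_check(pw)}")
```

The checklist rates both P@ssword and P@$$word1 as strong because every box is ticked, and rates a long all-lowercase passphrase lower; the ban list catches the first two precisely because normalisation sees through the decorations an attacker’s wordlist mangling rules also apply.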