Andrew Patrick

One of the benefits of changing jobs and offices is digging through old files and messages. I still have warm memories of the work with did with CBC in the early 90′s creating the first on-line radio programs. This article describes some of that history, although there never was a thesis, just a research project.

CBC.ca – 10th Anniversary

Williamson told the group about an Ottawa scientist named Andrew Patrick, who was writing a thesis about audio on the internet. Patrick, who worked for the Communications Research Council, was a CBC listener and fan. He approached CBC about putting some CBC Radio programming online. It seemed like a natural pairing.

Cormac Herley, Paul van Oorschot and I recently led a panel discussion session at the Financial Cryptography and Data Security conference. The topic was passwords, which everyone agrees are problematic forms of authentication, but nobody seems to be doing much about it. We wrote up a summary of the issues and discussion at the conference and the paper is now available. Here is the Abstract:

While a lot has changed in Internet security in the last 10 years, a lot has stayed the same — such as the use of alphanumeric passwords. Passwords remain the dominant means of authentication on the Internet, even in the face of significant problems related to password forgetting and theft. In fact, despite large numbers of proposed alternatives, we must remember more passwords than ever before. Why is this? Will alphanumeric passwords still be ubiquitous in 2019, or will adoption of alternative proposals be commonplace? What must happen in order to move beyond passwords? This note pursues these questions, following a panel discussion at Financial Cryptography and Data Security 2009.

Citation: C. Herley, P.C. van Oorschot, A.S. Patrick. Passwords: If We’re So Smart, Why Are We Still Using Them? Financial Cryptography and Data Security (FC 2009), 13th International Conference, Rockley, Christ Church, Barbados, Feb. 2009 (post-proceedings to appear, Springer LNCS).

Financial Cryptography & Data Security was held in Barbados recently. I have posted a few photos from the island on Flickr. Next year…. the Canary Islands!

Geek time (also known as Unix epoch time) is about to reach a cool milestone: 1234567890 seconds. Watch the fun at

http://coolepochcountdown.com/

Trust 2009

2nd International Conference on Trusted Computing:
Socioeconomic Strand

http://www.trust2009.org

6th – 8th April 2009
St. Hugh’s College, University of Oxford, UK

Building on the success of Trust 2008 (held in Villach, Austria, in March 2008), this conference focuses on trusted and trustworthy computing, both from the technical and social perspectives. The conference itself will have two main strands, one devoted to technical aspects and one devoted to the socioeconomic aspects of trusted computing.

This call for papers is for contributions to the socioeconomic strand. The conference solicits original papers on any aspect of the social and economic aspects of the design and application of trusted computing. Topics of interest include, but are not limited to:

* Usability and user perceptions of trustworthy systems and risk
* Effects of trustworthy systems upon user, corporate and governmental behaviour
* The adequacy of guarantees provided by trustworthy systems for systems critically dependent upon trust, such as elections and government oversight
* The impact of trustworthy systems upon digital forensics, police investigations and court proceedings
* Economic drivers for trustworthy systems
* Group and organisational behaviour with trustworthy systems
* The impact of trustworthy systems upon user autonomy, social capital and power relationships
* Cross-cultural definitions of trustworthiness
* Can systems be truly “trustworthy” without any capacity for moral reasoning?
* Trustworthy systems and precursors of trust such as honesty, benevolence, value similarity or competence
* Trustworthiness, regret and forgiveness
* Trustworthy systems as enhancements or constraints on government power
* The role of independence from vested interests as a driver of trust
* The game theory of trustworthy systems: prisoner’s dilemmas, chicken and other game theoretic concepts of trust, reputation and risk
* Experimental economics studies and their limitations in studying trustworthiness
* The interplay between privacy, Privacy Enhancing Technologies and trustworthiness
* Regulatory vs peer-produced trustworthiness, including reputation systems
* Global governance initiatives to manage trust

Submissions should take the form of extended abstracts, no more than two pages in length, which will be blind peer-reviewed by the Programme Committee.  Abstracts should include the main research question(s) addressed and methodologies employed, with up to five key citations. Do not include within the abstract any affiliations or information that would identify the authors. The submission deadline is 1st February 2009.

Please go to the submissions page and use the iChair system to submit your abstract:
https://www.isg.rhul.ac.uk/iChair/Trust2009-SE/index.php

Successful applicants will be asked to produce a short paper of 5,000 words to be presented at the conference.

Important Dates

Submission due: 1 Feb 2009
Notification: 1 Mar 2009
Conference: 6-8 April 2009

General Chair: Andrew Martin, Computer Laboratory, University of Oxford, UK
Programme Chair (socioeconomic strand): Ian Brown, Oxford Internet Institute, University of Oxford, UK

Programme Committee
Dr. Andrew A. Adams, Reading University, UK
Dr. Johann Cas, Austrian Academy of Science
Prof. Lorrie Faith Cranor, Carnegie-Mellon University, USA
Dr. William Drake, Graduate Institute of International Studies, Switzerland
Dr. Peter Gutmann, University of Auckland, New Zealand
Dr. Tristan Henderson, St Andrews University, UK
Dr. Adam Joinson, Bath University, UK
Eleni Kosta, Katholieke Universiteit Leuven, Belgium
Dr. Meryem Marzouki, French National Scientific Research Center (CNRS)
Dr. Tyler Moore, Harvard University, USA
Prof. John Mueller, Ohio State University, USA
Dr. Anne-Marie Oostveen, Oxford University, UK
Dr. Andrew Patrick, National Research Council, Canada
Prof. Jonathan Zittrain, Harvard University, USA

We have just made arrangements for Ross Anderson to give the SOUPS keynote address. I am very please to have him on the program. This is shaping up to be another wonderful conference. (July 23-25, 2008, Pittsburgh, PA)

SOUPS 2008

Ross Anderson is Professor of Security Engineering at Cambridge University. He is one of the founders of a vigorously-growing new discipline: the economics of information security. Many security failures can be traced to wrong incentives rather than technical errors, and the application of microeconomic theory has shed new light on many problems that were previously considered intractable. This work is particularly important for understanding auctions, fraud, and online liability. It is also giving insights into system safety and dependability, and into more traditional security problems of interest to law enforcement and the insurance industry.

I am giving another public talk on practical Internet security. This presentation will be focused on providing specific advice and demonstrations of tools that you can use.

Thursday, January 10, 2008
10:30 to noon

Building M-50, Auditorium
1200 Montreal Road
Ottawa, ON

Attendance is free-of-charge but prior registration is required. Please visit this link for instructions:

http://iit-iti.nrc-cnrc.gc.ca/colloq/0708/08-01-10_e.html

Abstract

It is not safe to connect to the Internet without first learning about security risks and solutions. This presentation offers practical advice on how to protect yourself when using the Internet. This presentation is designed for novice Internet users and people who want to keep up-to-date about security issues. Topics to be covered include:

• understanding the risks;

• developing a security strategy;

• connecting for the first time;

• what to do every day, week, month, and year;

• broadband and dial-up connections;

• hardware and software firewalls;

• anti-virus and anti-spyware solutions;

• free and low-cost security tools;

• updates and patches

• email issues;

• phishing, pharming, and social engineering;

• passwords and tokens;

• fraud and identity theft;

• understanding web encryption;

• safer Internet banking.

The examples and live demonstrations will focus on computers running
Microsoft Windows XP, but most of the advice can also be applied to Vista, MacOS, and Linux systems.

I am giving a presentation later today on “protecting privacy by spying on users.” Here is the talk abstract and the slides I will be using. I am also providing a link to a paper that will be presented at a social network analysis conference in January.

Corporations are facing increasing demands to monitor their compliance with policies and regulations. Using the Enron email corpus as an example of corporate communications, the research explored methods to identify instances of password sharing, a practice that should be a security concern to any organization. Social network analysis was able to identify key creators and sharers of passwords, and an analysis of the passwords themselves showed that quality was clearly a problem. The network analysis was also able to reveal interesting communication patterns, such as sharing passwords with external accounts owned by the same person, which might have been useful as indicators of a problem in corporate systems or practices. The research also uncovered cases of possible policy violations, such as the sharing of internal and external accounts.

Slides

Paper: Monitoring Corporate Password Sharing Using Social Network Analysis

It is time to starting thinking about the Symposium On Usable Privacy and Security (SOUPS).

This is a great conference at the intersection between human factors and security/privacy systems. The Call for Papers is now out, and I am assisting by arranging the in-depth sessions and keynote speakers. Papers are due Feb 29, and posters are due May 28. We also want to hear about your ideas for tutorials, workshops, panels, and keynote speakers.

I will be presenting to the Ottawa IEEE Computer Society on October 17 2007 at 7:30pm. Here are the details…

Date and Time: Wednesday, October 17, 2007, 7:30 PM

Location:
National Research Council, Institute for Information Technology, Building M-50, Room 115, Montreal Road Campus – Free Parking

Directions:
http://iit-iti.nrc-cnrc.gc.ca/locations-bureaux/reach-ottawa-joindre_e.html

Contact: George Yee, Chair, Ottawa IEEE Computer Society (george.yee@nrc.ca)

Free admission but registration is required to comply with security requirements. If you plan to attend, please register by emailing your name and affiliation to: george.yee@nrc.ca

Title: Protecting Privacy by Spying on Users

Abstract

Corporations are facing increasing demands to monitor their compliance with policies and regulations. Using the Enron email corpus as an example of corporate communications, the research explored methods to identify instances of password sharing, a practice that should be a security concern to any organization. Social network analysis was able to identify key creators and sharers of passwords, and an analysis of the passwords themselves showed that quality was clearly a problem. The network analysis was also able to reveal interesting communication patterns, such as sharing passwords with external accounts owned by the same person, which might have been useful as indicators of a problem in corporate systems or practices. The research also uncovered cases of possible policy violations, such as the sharing of internal and external accounts.

About the Speaker

Dr. Andrew Patrick is a Senior Scientist at the National Research Council of Canada and an Adjunct Research Professor of Psychology at Carleton University. He is currently conducting research on new tools for privacy protection, the human factors of security systems, and trust decisions in e-commerce contexts. Prior to joining the NRC, Dr. Patrick worked at Nortel where he managed research and development groups focused on Voice over IP (VoIP) quality, and conducted field research to evaluate new product and service concepts. Dr. Patrick has also worked at the Communications Research Centre, where he conducted research on new multimedia services and natural language interfaces.