Is sending shoppers ads by Bluetooth just a bit creepy?

Using Bluetooth wireless networking to send information to nearby smartphones, beacon technology could transform how retailers engage with their customers. But customers will notice how their information is used to personalise these unsolicited adverts, and companies that fail to respect their privacy may get burned.

UK retailer House of Fraser is to introduce beacon-equipped mannequins to its Aberdeen store, which will deliver details about the clothes and accessories the mannequin is wearing to the smartphones of customers within 50 metres. In London’s Regent Street, around 100 stores have installed Apple’s iBeacons, able to send adverts to smartphones to entice passers-by to come inside.

A sort of precursor to the “internet of things”, beacon technology has great potential to enhance consumer experience: providing access to relevant information more quickly, or offering rewards and discounts for loyal shoppers. Some retailers may rearrange their store based on analysing data from customers’ shopping habits. It has uses outside of marketing too, such as providing contactless payments, tourist information at museums, or gate information at airports.


On-line lecture: DP5 Private Presence @ 31C3

During the break I attended the 31st Chaos Communication Congress (31C3) in Hamburg, Germany. There I had the pleasure of giving a presentation on “DP5: PIR for Privacy-preserving Presence” along with my colleague from Waterloo, Ian Goldberg. The Audio/Video Chaos Angels did a nice job of capturing the event, and making it available for all to view (I come in at 26:23).

Other resources around DP5 include:

  • Technical Report (pdf)
  • Talk Slides (pdf)
  • Event Page (html)
  • Git code repository (git)

Sequencing your genome is becoming an affordable reality – but at what personal cost?

Genomics is increasingly hailed by many as the turning point in modern medicine. Advances in technology now mean we’re able to make out the full DNA sequence of an organism and decipher its entire hereditary information, bringing us closer to discovering the causes of particular diseases and disorders and drugs that can be targeted to the individual.

Buzzwords like “whole genome sequencing” and “personalised medicine” are everywhere – but how are they enabling a powerful medical and societal revolution?

It all started in the 1990s with the Human Genome Project – a very ambitious venture involving 20 international partners and an investment of US$3 billion. In 2003, 13 years after it began, the project yielded the first complete human genome. Today, the cost of sequencing whole genomes is plummeting fast and it is now possible to do the job for less than US$1,000, meaning a whole host of applications both in research and in treatments.

Variants and mutations

Genetic mutations are often linked to disorders, predisposition to diseases and response to treatment. For instance, inherited genetic variants can cause blood disorders such as thalassaemia or others such as cystic fibrosis or sickle cell anaemia.

Genome sequencing is being used today in diagnostic and clinical settings to find rare variants in a patient’s genome, or to sequence cancers’ genomes (to point out genomic differences between solid tumours and develop a more effective therapeutic strategy). It is also possible to test for known simple mutations via a process called genotyping, which can find genetic differences through a set of biomarkers. In the case of thalassaemia, for example, there are mutations in the HBB gene on chromosome 11.

A number of drugs, including blood-thinners like warfarin, have already been commercialised with genetic markers (such as a known location on a chromosome) linked to effectiveness and correct dosage.


Tor: the last bastion of online anonymity, but is it still secure after Silk Road?

The Silk Road trial has concluded, with Ross Ulbricht found guilty of running the anonymous online marketplace for illegal goods. But questions remain over how the FBI found its way through Tor, the software that allows anonymous, untraceable use of the web, to gather the evidence against him.

The development of anonymising software such as Tor and Bitcoin has forced law enforcement to develop the expertise needed to identify those using them. But if anything, what we know about the FBI’s case suggests it was tip-offs, inside men, confessions, and Ulbricht’s own errors that were responsible for his conviction.

This is the main problem with these systems: breaking or circumventing anonymity software is hard, but it’s easy to build up evidence against an individual once you can target surveillance, and wait for them to slip up.

The problem

A design decision in the early days of the internet led to a problem: every message sent is tagged with the numerical Internet Protocol (IP) addresses that identify the source and destination computers. The network address indicates how and where to route the message, but there is no equivalent indicating the identity of the sender or intended recipient.

This conflation of addressing and identity is bad for privacy. Any internet traffic you send or receive will have your IP address attached to it. Typically a computer will only have one public IP address at a time, which means your online activity can be linked together using that address. Whether you like it or not, marketers, criminals or investigators use this sort of profiling without consent all the time. IP addresses are allocated geographically and on a per-organisation basis, so it’s even possible to pinpoint a surprisingly accurate location.

This conflation of addressing and identity is also bad for security. The routing protocols which establish the best route between two points on the internet are not secure, and have been exploited by attackers to take control of (hijack) IP addresses they don’t legitimately own. Such attackers then have access to network traffic destined for the hijacked IP addresses, and also to anything the legitimate owner of the IP addresses should have access to.


Introducing the expanded UCL Information Security Group

It takes quite a bit of institutional commitment and vision to build a strong computer security group. For this reason I am delighted to share here that UCL computer science has in 2014 hired three amazing new faculty members into the Information Security group, bringing the total to nine. Here is the line-up of the UCL Information Security group, who also teach the MSc in Information Security:

  • Prof. M. Angela Sasse is the head of the Information Security Group and a world expert on usable security and privacy. Her research touches upon the intersection of security mechanisms or security policies and humans — mental models they have, the mistakes they make, and their accurate or false perceptions that lead to security systems working or failing.
  • Dr Jens Groth is a cryptographer renowned for his work on novel zero-knowledge proof systems (affectionately known as Groth-Sahai), robust mix systems for anonymous communications and electronic voting and succinct proofs of knowledge. These are crucial building blocks of modern privacy-friendly authentication and private computation protocols.
  • Dr Nicolas Courtois is a symmetric key cryptographer, known for pioneering work on algebraic cryptanalysis, extraordinary hacker of real-world cryptographic embedded systems, who has recently developed a keen interest in digital distributed currencies such as Bitcoin.
  • Prof. David Pym is both an expert on logic and verification, and also applies methods from economics to understand complex security systems and the decision making in organizations that deploy them. He uses stochastic processes, modeling and utility theory to understand the macro-economics of information security.
  • Dr Emiliano de Cristofaro researches privacy and applied cryptography. He has worked on very fast secure set intersection protocols, that are key ingredients of privacy technologies, and is one of the leading experts on protocols for privacy friendly genomics.
  • Dr George Danezis (me) researches privacy technologies, anonymous communications, traffic analysis, peer-to-peer security and smart metering security. I have lately developed an interest in applying machine learning techniques to problems in security such as anomaly detection and malware analysis.
  • Dr Steven Murdoch (new!) is a world expert on anonymous communications, through his association with the Tor project, banking security and designer of fielded banking authentication mechanisms. He is a media darling when it comes to explaining the problems of real-world deployed cryptographic systems in banking.
  • Dr Gianluca Stringhini (new!) is a rising star in network security, with a focus on the technical aspects of cyber-crime and cyber-criminal operations. He studies honest and malicious uses of major online services, such as social networks, email services and blogs, and develops techniques to detect and suppress malicious behavior.
  • Dr Sarah Meiklejohn (new!) has an amazing dual expertise in theoretical cryptography on the one hand, and digital currencies and security measurements on the other. She has developed techniques to trace stolen bitcoins, built cryptographic compilers, and contributed to fundamental advances in cryptography such as malleable proof systems.

One key difficulty when building a security group is balancing cohesion, to achieve critical mass, with diversity to cover a broad range of areas and ensuring wide expertise to benefit our students and research. I updated an interactive graph illustrating the structure of collaborations amongst the members of the Information Security Group, as well as their joint collaborators and publication venues. It is clear that all nine faculty members both share enough interest, and are complementary enough, to support each other.

Besides the nine full-time faculty members with a core focus on security, a number of other excellent colleagues at UCL have a track record of contributions in security, supporting teaching and research. Here is just a handful:

  • Prof. Brad Karp is an expert in networking and systems and has made seminal contributions to automatic worm detection and containment.
  • Dr David Clark specializes in software engineering with a core interest in information flow techniques for confidentiality, software security and lately malware.
  • Dr Earl Barr researches software engineering, and has researched security bugs, and malware as well as ideas for simple key management.
  • Prof. Ingemar Cox (part-time at UCL) is a world expert in multimedia security, watermarking and information hiding.
  • Prof. Yvo Desmedt (part-time at UCL) is a renowned cryptographer with key contributions in group key exchange, zero-knowledge and all fields of symmetric and asymmetric cryptography.

The full list of other colleagues working in security, including visiting researchers, post-doctoral researchers and research students, lists many more people – making UCL one of the largest research groups in Information Security in Europe.

 

This post originally appeared on Conspicuous Chatter, the blog of George Danezis.