University of Cambridge Computer Laboratory foto

Ross Anderson's Web Log

Until the beginning of 2004, I put new items at the top of my web page. Now that blogs have become fashionable, I'm experimenting with the format. I'm unlikely to post as often as some bloggers, so I'll generally keep the most recent few posts at the top of my web page as well.

19th December 2004 - There has been growing media interest in the security of the chip cards being introduced by UK banks. There are many problems. First, the banks are using the exercise to dump liability for fraud on to merchants and customers. This will undermine security by removing the incentives for banks to maintain the system properly. Next, there are technical security problems, both with the chip cards and with the back-end systems that support them. Finally, the transition from mag strip to chip is being poorly managed. The banks are training their customers to use PINs everywhere, so rogue merchants can use false terminals to harvest PIN and mag-strip data - cloned cards can then be used in ATMs overseas. This is a regulatory failure; the government must hold banks liable for their system security failures..

17th December 2004 - I have refreshed the Economics and Security Web Page, which I maintain.

15th December 2004 - I have put up several old recordings of the uilleann pipes, by Seamus Ennis, Patsy Touhey, Richard O'Mealy and others. Recordings over 50 years old are now out of copyright and can legally be republished by anyone (unless there is also a surviving songwriter's copyright). One of my research projects is developing a peer-to-peer technology to support this. If you have music you'd like hosted, please get in touch.

5th November 2004 - I have put up three old cylinder recordings of the uilleann pipes. There are two from Bernard Delaney from 1898, plus the recording of Cumbaw O'Sullivan playing fragments of Alasdrum's March.

26th October 2004 - I have put up another dozen MP3s of Willie Ross, from 1910-1937. These were taken from test disks he got from the record companies and which are now the property of his graddaughter. There's more to follow when I get round to it!

11th October 2004 - I have put up five MP3s of Willie Ross - four recordings of his playing, from 1910-1937, and an interview from 1950.

7th October 2004 - I gave a paper at ICNP 2004 on a radically new approach to key management in sensor networks, called key infection. Here are the slides. Key infection can be useful in other distributed systems, including peer-to-peer networks, and our work challenges the assumption that authentication is largely a bootstrapping problem.

1st October 2004 - I am helping organise a workshop on Copyright in Europe here in Cambridge on 9-10 October, whose aim is to help people make informed responses to the current EU consultation on copyright. It follows on from the FIPR response to the previous EU consultation on digital rights management. (See also the FIPR press release.)

20th September 2004 - I have written FIPR's response to the EU consultation on digital rights management. DRM is sometimes seen as just a means of cutting back on music piracy - but this is very far from the case. It has vast potential to harm consumers and competition by creating new monopolies and extending existing ones. Affected sectors range from pharmaceuticals through cars to clothing and even food. (See also the FIPR press release.)

13th August 2004 - I have put up a scanned copy of an important old book - Geoghegan's Compleat Tutor. This was the first book published on the bagpipe, back in 1746. It's of great interest to folk musicians but has long been out of print and is very rare. I hope that the peer-to-peer technology with which we work can be used to host lots of other important public domain works.

27th July 2004 - we have invented a radically new approach to key management in sensor networks, called key infection. It can also be useful in many other distributed systems, including peer-to-peer networks. This paper will appear at ICNP 2004 in October.

22nd June 2004 - I have written a response to the EU's consultation on the management of copyright and related rights. This initiative is important for people who care about music.

16th June 2004 - I am giving a seminar tomorrow at the University of Birmingham on API security. Here are the slides and here is a background paper. There is a more detailed paper here, and still more information on Mike Bond's site.

14th June 2004 - here are the slides I used at a keynote talk I gave at WOS, and for a talk on Trusted Computing at a FIPR workshop on copyright, both of which took place in Berlin at the weekend. (The research papers I mentioned in my keynote are here and here.)

2nd June 2004 - here is a paper entitled The Dancing Bear - A New Way of Composing Ciphers which I gave at the Protocols Workshop this Easter. I also gave a rump session talk on the subject at FSE in February. I present a new construction for combining crypto primitives; inter alia, we can use it to extend threshold decryption from public-key to shared-key and even heterogeneous primitives.

21st May 2004 - today I made available three more detailed pages of errata for my book, Security Engineering. In addition to the existing top-level errata page, I have made available more detailed, pages of errata and new material for part 1, part 2, and part 3. The reason for this is that I've decided not to do a second edition of the book soon (i.e., certainly not this year).

19th May 2004 - I spoke today in a discussion at the LSE on identity cards. The current government proposals seem set to cause considerable inconvenience for the Queen's subjects, without quite causing significant inconvenience for her enemies. See also my written and oral evidence to the Home Affairs Committee, and the FIPR website.

10th May 2004 - coverage in the Independent for tomorrow's Discussion on Intellectual Property.

10th May 2004 - here are the slides from my talk at Ubinet 2004.

6th May2004 - No we're not cancelling it, says Microsoft (see below). Unfolding ...

4th May 2004 - Microsoft cancels Palladium, a course of action which I've been recommending for about two years now. See my paper on cryptography and competition policy which led eventually, via the German government, to an EU position on open standards and interoperability for DRM.

1st May 2004 - here are two new papers on economics and security that will appear at WEIS later this month. The first, The Economics of Censorship Resistance, examines when it is better for defenders to aggregate or disperse. Should file-sharers build one huge system like gnutella and hope for safety in numbers, or would a loose federation of fan clubs for different bands work better? More generally, what are the tradeoffs between diversity and solidarity in social policy? (This is a live topic at the moment - see David Goodhart's essay, and a response in the Economist.) The second paper, On Dealing with Adversaries Fairly, applies election theory to the problem of shared control in distributed systems. It shows how a number of reputation systems proposed for use in peer-to-peer applications might be improved.

27th April 2004 - following the government's announcement that Britain will introduce compulsory identity cards, I've had a lot of enquiries about security and policy issues. FIPR, which I chair, made a response to the entitlement card consultation; see also my written evidence to the Home Affairs Committee, and my oral testimony before them. (There is also a detailed and reasonably up-to-date survey of biometric technology in chapter 13 of my book.) I fear this project has all the classic symptoms of another huge government IT disaster, while it will do little to combat fraud or terrorism, and is likely to undermine trust between some sections of the population and the authorities. FIPR is jointly sponsoring a public meeting in London on 19th May at which both supporters and opponents of the card have been invited to talk.

25th April 2004 - The EU has come out in favour of open standards and interoperability for DRM. This follows a similar pronouncement by the German government, which in turn was helped along by my paper on cryptography and competition policy - given last year at WEIS and at workshops in Berlin and Brussels. For more, see the TC FAQ.

9th April 2004 - fame at last! A project of ours is the lead story in the technology section of the BBC website. We are adapting some of the ideas I floated in my paper on the Eternity Service to making usenet news distribution more efficient. Watch this space...

31st March 2004 - today sees the publication of a draconian intellectual property policy in the Reporter. The administration of the university has failed us, and the issue will now be decided by our democratic process: a Discussion in the Regent House on the 11th May, followed by a vote.

26th March 2004 - Cambridge University's Council has unfortunately approved a draconian intellectual property policy, which will be published in the Reporter on the 31st March. A respectable minority of us opposed it. The issue will now be decided by our larger democratic process: a Discussion in the Regent House on the 11th May, followed by a vote. If you want to know why this is really important, you could read Larry Lessig's latest book, or my detailed analysis of the 2002 IP proposal. Even if you don't, you really ought to read the account by Mike Clark of how our research bureaucrats agreed, without his knowledge or consent, that he would submit all his relevant publications for vetting by a drug company that had licensed one of the University's patents.

18th March 2004 - there is a nice article by Neil MacCormick MEP on the IPR Enforcement Directive which rather sums up the state of play. We achieved quite a lot (see below) but not as much as we'd have liked.

10th March 2004 - unfortunately we did not manage to push through any final amendments to the EU IPR Enforcement Directive. This was not a disaster for FIPR - we got significant changes to the Directive in committee, and these were reflected in the final version. For example we removed criminal sanctions, and the new substantive provisions on technical protection mechanisms. We were somewhat disappointed that we couldn't take it to a second reading and do more. But we'd have only needed to get another 50 MEPs to change their minds - much much closer than previous battles in the copyright wars, which the music industry used to win by a mile. See press coverage by the BBC, the Scotsman, the Independent, the Register, the EU Reporter, Liberation, Spiegel and c't; a list of which MEPs voted for freedom, and which for the music industry; and the transcript of the plenary debate. One good thing to have come out of this is that we now have a permanent EU office, which FIPR funded for the first six months and George Soros for the rest of the first year. It is a collaborative venture between FIPR and a number of NGOs in other European countries. It will now be much harder for the music industry to erode digital rights much further - at least using the EU.

5th March 2004 - there is a nice article in the Times about the IP Enforcement Directive. FIPR is organising a mass lobby of the European Parliament at Strasbourg on the evening of Monday 8th March to try to amend the Directive.

25th February 2004 - Adobe has produced a disturbing press release about new features that will enable pdf documents to be controlled in various ways - restricted within a firewall, expired, or even revoked. There was much concern in the past when Microsoft and its partners in the Trusted Computing Group proposed such mechanisms as they could enable remote censorship of documents. I feel uneasy at the idea that code in my browser can, by remote control, stop me reading a document that I could read perfectly well yesterday. Politicians will get court orders suppressing leaked documents they find embarrassing; judges will even retrospectively rewrite newspaper archives; the scientologists might go back to war over the Fishman affidavit; the whole business could get really rather sinister. It was to stop this sort of thing that I invented the Eternity Service, which helped kick off the world of peer-to-peer systems. (BTW, the German government has just arrived on a policy position on Trusted Computing, and its interaction with competition policy, to which Adobe ought to pay attention.) One way of resisting might be to support the PDF/A project, which aims to develop a draft preservation standard for archives, compliance with which requires avoiding certain problematic features of PDF.

20th February 2004 - Slashdot has picked up the forthcoming vote on the IP Enforcement Directive, which is also getting more attention in the conventional media and in European discussion groups. For the latest draft of the Directive, see here.

19th February 2004 - the EU IP Enforcement Directive is moving towards the endgame, and the last lobbying effort is now underway. FIPR remains seriously concerned about the current draft. There is also a thought-provoking analysis by Georg Jakob; a press release and some other material from FFII; and an article in (in German).

19th February 2004 - there's a call for papers for a session at SIGCOMM on incentives and game theory in networked systems.

16th February 2004 - I am speaking at the Irish infosec event, NITES, on the morning of the 18th February and again in a panel session in the afternoon. I will be talking about security economics, Trusted Computing and the IP Enforcement Directive. Here are the slides for my talk.

10th February 2004 - FIPR is helping to organise a meeting at the European Parliament in Strasbourg for 11th February 1500-1700, room 2.3, to lobby for amendments to the IP Enforcement Directive. The latest draft of this is not as awful as the original, thanks to last year's lobbying by FIPR and others, but there are still some serious problems that need fixing. Without further amendments, the Directive would act as a Euro-DMCA and allow the content companies to indulge in large-scale harrassment of internet users.

31st January 2004 - a new web page on the economics of privacy has been launched by Alessandro Acquisti. It nicely complements my own page on the economics of security. Cross-disciplinary research between computer scientists and economists is really fizzing and sparkling right now!

28th January 2004 - there are now only three days left to respond to the Department of Health's latest consultation on patient confidentiality. They propose a rule-change that will finally remove the impediment of patient consent to government collection of personal health information. The context is a long history of creeping government acquisition of hospital data, and a program that will shortly start moving GPs' records from the macines in their practices to servers at Primary Care Trusts. By 2008, all your medical records will be browsable online by the Secretary of State, and by everyone to whom he decides to grant access - the police, social work departments, favoured researchers, DoH officials, you name it. When people realise that their medical secrets are not secret any more, there may be outrage. Just as abuse of animals in the 1970s fostered animal rights terrorism, and a cavalier approach to body parts caused the Alder Hey scandal which damaged research in pathology, so also the Whitehall attitude that it's OK to do anything with anyone's data in the name of research is just asking for serious trouble in the future.

10th January 2004 - see the call for papers for the third international Workshop on Economics and Information Security (WEIS 04), May 13-14, 2004, University of Minnesota

16th December 2003 - FIPR extracts assurances from Lord Sainsbury about the interpretation of regulations made under the Export Control Act. This may seem boring and technical, but is of considerable importance to British science and to academic freedom in general. The saga started five years ago when the UK government was persuaded by Bill Clinton to bring in export controls on intangibles, as the Americans have. The DTI came up with gold-plated laws that would have made it an offence to send an email about science to a foreigner, or even to talk to a foreign student in the UK, without a licence. Scientific collaboration would have become an offence. We've been hammering away at this idiocy for several years as various proposals went through green paper stage, were criticised by parliamentary committees, reappeared as European regulations, turned up as UK primary legislation, and finally became law. In the process, FIPR organised a defeat of the government in the Lords, and many of the nastiest proposals have been trimmed away. This is one of our significant lobbying achievements. We were not alone, of course; much credit goes to the Conservative frontbencher Doreen Miller, Liberal Democrat frontbencher Margaret Sharp, and President of the Royal Society Bob May, who marshalled the crossbenchers in the Lords. We are very grateful to them for their efforts.

10th December 2003 - here at last is the text of the amendments made by the legal affairs committee of the European Parliament to the IPR enforcement directive, which has been succinctly described as `DMCA on steroids'. Thanks to lobbying by FIPR and others, there are amendments with a positive effect - notably, by limiting the potential for anti-competitive practices - but other amendments extend its scope still further. Previously, it would have forced Member States to criminalise any serious commercial infringement of intellectual property; now it will only apply vigorous civil remedies, but will cover all infringements. So it looks like in future all Member States will have to make it easy for record companies to harrass children who swap a tune or a mobile phone ring-tone. This is already a contentious issue in the USA.: it will now come here too. Here is a critical article on the original proposal by a number of distinguished lawyers. This Directive will, if passed, also have unpleasant effects on the communications industry, on universities, on libraries, on software compatibility, and even on the single market - the right to free trade within Europe, which is the very reason for the EU's existence. It is the latest round in the `copyright war', with an interesting line-up: it's supported by Microsoft (which is about to be convicted by the EU of anticompetitive behaviour), the music industry and the owners of luxury brands such as Yves Saint Laurent, while it's opposed by phone companies, supermarkets, smaller software firms and the free software community. Lawyers are sceptical, as is the press - in Britain, France and even America. Civil liberties organisations are opposed, and the issue is linked to a boycott of Gillette. The Directive has now been considered by both the European Parliament's industry committee, whose response was weak, and the legal affairs committee, whose rapportuer is married to the chief executive of Vivendi. This sort of thing will bring the law into disrepute.

21st October 2003 saw a truly shocking speech by Mike Clark at the discussion on IPR. Mike tells how our administration promised a research sponsor that he would submit all his relevant papers to them for prior review - without even asking him! It was to prevent abuses like this that we founded the Campaign for Cambridge Freedoms. Its proximate goal was to defeat a proposal by the emeritus Vice Chancellor that most of the intellectual property generated by faculty members - from patents on bright ideas to books written up from lecture notes - would belong to the university rather than to the person who created them. If this had passed, Cambridge would have swapped one of the most liberal rules on intellectual property of any British university, for one of the most oppressive anywhere. There are grave implications for academic freedom, and for faculty recruitment and retention. We were told that this change was instigated by the Department of Trade and Industry; yet the consequences for industry will be dire. The incentives that led to the creation of hundreds of high-tech companies in the area will be destroyed. Perhaps civil servants view us not as the goose that lays the golden eggs, but as a nail that sticks out and needs to be hammered down. See also coverage in the Observer, the Telegraph, the Independent and ZDNET. There's also the BBC, to whom the then Vice Chancellor said "The university has a right to a share because I think there are very few true individuals. Most people have to rely on others". (If he is asserting that the median Cambridge faculty member has never published a significant single-author paper, I'd like to see his statistics.) There was a well-attended Discussion in the Regent House which brought out many of these issues. The Vice Chancellor then set up a committee to advise him how to proceed, and on the 6th August 2003 it published its report. This suggested, as I predicted here, that the University take only patent rights now, as it won't be politically possible to do any more for the time being. This is unacceptable, as it will merely set the stage for further depradations in the future.

I have upgraded the Trusted Computing FAQ to version 1.1. `Trusted Computing' (TC) is the most controversial issue in computing at present; I present an economic analysis of it in a paper Cryptography and Competition Policy - Issues with `Trusted Computing' which I gave at WEIS2003. TC will build digital rights management hardware in your PC, making music piracy harder - and software piracy too. It will also enable Microsoft to lock in its customers more tightly, so it can charge you more. The proposed mechanisms could also have some disturbing consequences for privacy, censorship, and innovation. There is also a shortened version of the paper that has appeared in a special issue of Upgrade, and a French translation. I spoke about TC recently at the "Trusted Computing Group" Symposium, at PODC, and at the Helsinki IPR workshop. TC is not just an isolated engineering and policy issue; it is related to the IP Enforcement Directive on the policy front, and new content standards such as DTCP, which will be built into consumer electronics and also into PC motherboards.

The Economics and Security Resource Page gives you a guide to the hottest research topic in information security. More and more people are realising that information insecurity is often due to perverse incentives rather than to the lack of technical protection mechanisms. There are also many questions with an economic dimension as well as a technical one. For example, will digital signatures make the Internet more secure? Is so-called `trusted computing' a good idea, or just another way for Microsoft to make money? And what about all the press stories about `Internet hacking' - is this threat serious, or is it mostly just scaremongering by equipment vendors? It's not enough for security engineers to understand ciphers; we have to understand incentives as well. We now (since October 2003) have a regular series of Cambridge seminars on economics, networks and security.

On a New Way to Read Data from Memory describes techniques we have developed that use lasers to read out memory contents directly from a chip, without using the read-out circuits provided by the vendor for the purpose. In this way, we can defeat access controls and even recover data from damaged devices. Our colleagues at Louvain have developed parallel methods to do this using electromagnetic induction, which are also described in the paper. The work builds on methods described in a previous paper, on optical fault induction attacks , which showed how laser pulses could be used to induce faults in smartcards that would leak secret information. That paper got significant press coverage, including in the New York Times, the New Scientist, slashdot and Tech TV. It was presented at CHES 2002. We developed the probing attack in 2000, but kept quiet about it while we developed countermeasures. We believe that our optical attack techniques will catalyse a technology change in the security processor industry. Our proposed solution uses redundant failure-evident logic to thwart attacks based on fault induction, or on power analysis. Our paper on this technology won the best presentation award in April at Async 2002. The latest journal paper on this technology, with recent test results, is here.

My Book on Security Engineering


Now also available in Chinese and Japanese!

Security engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.

Security engineering is not just concerned with `infrastructure' matters such as firewalls and PKI. It's also about specific applications, such as banking and medical record-keeping, and about embedded systems such as automatic teller machines and burglar alarms. It's usually done badly: it often takes several attempts to get a design right. It is also hard to learn: although there are good books on a number of the component technologies, such as cryptography and operating systems security, there's little about how to use them effectively, and even less about how to make them work together. It's hardly surprising that most systems don't fail because the mechanisms are weak, but because they're used wrong.

My book is attempt to help the working engineer to do better. As well as the basic science, it contains details of many typical applications - and lot of case histories of how their protection mechanisms failed. (Some of these are available in the research papers listed below, but I've added many more.) It contains a fair amount of new material, as well as accounts of a number of technologies (such as hardware tamper-resistance) which aren't well described in the accessible literature. There just (Aug 2003) been a very nice review in Information security Magazine, and the other reviews have so far been positive. Even the usually cynical Slashdot crowd liked it. I hope you'll also enjoy it - and find it seriously useful!

More ...

Ross Anderson
University of Cambridge Computer Laboratory
JJ Thomson Avenue
Cambridge CB3 0FD, England

Tel: +44 1223 33 47 33
Fax: +44 1223 33 46 78

I don't execute programs sent to me by strangers unless I have good reason, and then only after appropriate precautions. This means, in particular, that I don't read attachments in formats such as Microsoft Word, unless by prior arrangement. I also discard html-format emails, as the vast majority of them are spam, as well as emails asking for `summer research positions', which we don't do.

If you're contacting me about coming to Cambridge to do a PhD, please read the relevant web pages first.