Department of Computer Science and Technology

Security Group

2024 seminars

13 December 14:00 - A detailed analysis of how locks and physical security become vulnerable to attack / Marc Weber Tobias, Investigative Law Offices

Webinar & LT1, Computer Laboratory, William Gates Building.

“Tobias on Locks and Insecurity Engineering” is a 700-page treatise on what can go wrong in the design of locks and security hardware. Ross Anderson’s principal work, “Security Engineering”, was one of the inspirations for the book.

Marc is a lawyer and physical security expert in the United States who has lectured at Cambridge for the past twenty years. He works for the largest lock manufacturers in the U.S., Europe, and the Middle East and analyzes security vulnerabilities in their products. He has written eight books and received over thirty United States patents.

Marc will discuss several cases he has worked on, the design vulnerabilities in locks, and how these issues can be identified and prevented.

03 December 14:00 - Beyond Whack-A-Mole: Disrupting Online Crime and Harms through Law Enforcement and Industry Efforts / Anh V. Vu, University of Cambridge

Webinar & LT2, Computer Laboratory, William Gates Building.

Disrupting online crime and harms often feels like playing a never-ending game of whack-a-mole. Shut down one malicious website, and another pops up; arrest one cybercriminal, and a few more may emerge in the shadows. This talk discusses in detail what has recently happened as law enforcement and tech firms have taken concerted actions to disrupt online crime and harms, with two special case studies: the coordinated global takedowns of DDoS-for-hire services and the industry-wide effort to dismantle Kiwi Farms, the largest forum facilitating online hate and harassment.

Bio: Anh is a final-year PhD candidate at the University of Cambridge. His research offers timely empirical measurements to explore cyberspace and its societal impact at scale, with a focus on underground subcultures that foster online crime and harms. The resulting insights contribute to a better understanding of online threats and help inform policy decisions for safety and security.

Zoom link:

Meeting ID: 864 4449 0818
Passcode: 713844

26 November 14:00 - Cyber security and privacy issues raised by mobile data extraction for evidential purposes / Anna-Maria Piskopani and Chris Hargreaves

Webinar, Computer Laboratory, William Gates Building.

Please note this talk is online only.

The focus of this lecture will be on the privacy and cyber-security issues raised by extracting mobile data for evidential purposes. First, we will give an overview of our TAS-funded project “Trustworthy and useful tools for mobile extraction”, led by Helena Webb. We will also describe briefly how the UK criminal justice system uses digital data and the impact this has had on all the actors in the criminal justice system. Second, we will discuss the key issues and challenges in this context from a digital forensics perspective. Finally, we will analyse the current legal framework governing the extraction of mobile phone data for evidential purposes. Emphasis will be given to the data protection and human rights framework and to the challenges posed by new UK law (the Police, Crime, Sentencing and Courts Act 2022).

22 November 14:00 - Bluesky and the AT Protocol: Usable Decentralized Social Media / Martin Kleppmann (University of Cambridge)

Webinar & FW11, Computer Laboratory, William Gates Building.

Bluesky is a new social network built upon the AT Protocol, a decentralized foundation for public social media. It was launched in private beta in February 2023, and has grown to over 16 million registered users by November 2024. In this talk I introduce the architecture of Bluesky and the AT Protocol, and explain how the technical design of Bluesky is informed by our goals: to enable decentralization by having multiple interoperable providers for every part of the system; to make it easy for users to switch providers; to give users agency over the content they see; and to provide a simple user experience that does not burden users with complexity arising from the system's decentralized nature. The system's openness allows anybody to contribute to content moderation and community management, and we invite the research community to use Bluesky as a dataset and testing ground for new approaches in social media moderation.

19 November 14:00 - On the critical path to implant backdoors and the effectiveness of potential mitigation techniques: Learnings from XZ / Mario Lins, Johannes Kepler University Linz

Webinar & LT2, Computer Laboratory, William Gates Building.

An emerging supply-chain attack due to a backdoor in XZ Utils has been identified. The backdoor allows an attacker to run commands remotely, without prior authentication, on vulnerable servers running SSH. We have analyzed the critical attack path to discuss current mitigation strategies for this kind of supply-chain attack.
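A triage check a practitioner would want after reading the abstract above, added here as an example; it is not from the page or the speaker's analysis. It relies on two facts from the public advisories for this incident that the page itself does not state: the backdoor shipped in the upstream xz/liblzma releases 5.6.0 and 5.6.1 (tracked as CVE-2024-3094), and it is only reachable when liblzma is mapped into the sshd process (on the affected distributions, via sshd's libsystemd dependency). The `xz --version` and `ldd` outputs embedded below are constructed, not captured from a real host, so the script runs offline; the `live_assessment` function repeats the same check against the machine it runs on.

```python
import re
import shutil
import subprocess
from typing import Optional

# Upstream xz/liblzma releases that shipped the backdoor. This is public-advisory
# knowledge (CVE-2024-3094), not something stated on the page. A distribution that
# patched the library but kept a 5.6.x version string will still match here, so
# confirm any hit against the package changelog before acting on it.
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# First line of `xz --version` looks like:  xz (XZ Utils) 5.6.1
VERSION_RE = re.compile(r"^xz \(XZ Utils\) (\d+\.\d+\.\d+)", re.MULTILINE)
# ldd line of interest looks like:  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)
LDD_LIBLZMA_RE = re.compile(r"^\s*liblzma\.so\S*\s*=>\s*(\S+)", re.MULTILINE)


def parse_xz_version(xz_version_output: str) -> Optional[str]:
    """Extract the release number from `xz --version` output (None if unparseable)."""
    m = VERSION_RE.search(xz_version_output)
    return m.group(1) if m else None


def liblzma_mapped_by_sshd(sshd_ldd_output: str) -> Optional[str]:
    """Return the liblzma object sshd resolves (directly or transitively), else None."""
    m = LDD_LIBLZMA_RE.search(sshd_ldd_output)
    return m.group(1) if m else None


def assess(xz_version_output: str, sshd_ldd_output: str) -> dict:
    """Combine the two observations into a triage verdict."""
    version = parse_xz_version(xz_version_output)
    lib = liblzma_mapped_by_sshd(sshd_ldd_output)
    if version is None:
        verdict = "unknown"                  # could not read the xz version at all
    elif version in BACKDOORED_XZ_VERSIONS and lib:
        verdict = "exposed"                  # backdoored liblzma is loaded into sshd
    elif version in BACKDOORED_XZ_VERSIONS:
        verdict = "backdoored-xz-present"    # replace xz; sshd is not the vector here
    else:
        verdict = "not-affected"
    return {"xz_version": version, "sshd_liblzma": lib, "verdict": verdict}


def live_assessment() -> dict:
    """Run the same check against this host (Linux with xz, ldd and sshd installed)."""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    try:
        xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        ldd_out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    except FileNotFoundError as exc:
        return {"xz_version": None, "sshd_liblzma": None,
                "verdict": f"unknown ({exc.filename} missing)"}
    return assess(xz_out, ldd_out)


# Constructed sample outputs (not captured from a real host) so the check runs offline.
SAMPLE_XZ_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_SSHD_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffc0)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f10)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f20)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f30)\n"
)

if __name__ == "__main__":
    print("sample host:", assess(SAMPLE_XZ_OUTPUT, SAMPLE_SSHD_LDD_OUTPUT))
    print("this host:  ", live_assessment())
```

The point of the two-part verdict is the attack path the talk analyses: a backdoored liblzma on disk is a supply-chain problem to remediate, but it only becomes unauthenticated remote code execution when that library is actually mapped into sshd. `ldd` shows transitive dependencies, which is what matters here, since sshd never links liblzma directly.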

Meeting ID: 829 3057 3803
Passcode: 130354

15 November 14:00 - Design and Verification of Byzantine Fault Tolerant CRDTs / Liangrun Da, Technical University of Munich

Webinar & FW11, Computer Laboratory, William Gates Building.

Decentralized collaboration systems offer powerful solutions for various applications. For instance, Wikipedia currently requires significant operational costs to maintain its servers, but a decentralized alternative could run without such constraints. However, maintaining data consistency across peers remains challenging in such decentralized systems. While Conflict-free Replicated Data Types (CRDTs) can maintain consistency without a central server, they lack resilience against Byzantine faults. This project introduces a framework for designing and verifying Byzantine Fault Tolerant (BFT) CRDTs in Isabelle/HOL. It requires only modest modifications to existing CRDTs and relies on minimal assumptions about the system.

12 November 14:00 - Federated Deep Learning for Intrusion Detection in Smart Critical Infrastructure / Segun Popoola, Anglia Ruskin University

Webinar & LT2, Computer Laboratory, William Gates Building.

The integration of the Internet of Things (IoT) into smart critical infrastructure has significantly enhanced monitoring, control, and efficiency. However, this integration introduces new cybersecurity risks, as IoT devices can become vulnerable points for attackers targeting essential services such as electricity, water, and transportation. Addressing these risks requires robust intrusion detection systems to monitor and mitigate potential cyber threats. This talk explores the application of deep learning and federated learning techniques to enhance intrusion detection in IoT-enabled smart critical infrastructure. It will also cover the challenges and security implications of using Artificial Intelligence (AI) in the cybersecurity of smart critical infrastructure and discuss current solutions to ensure AI systems remain safe, secure, and resilient against cyber-attacks.

08 November 14:00 - Tracking the Takes and Trajectories of News Narratives from Trustworthy and Worrisome Websites / Hans Hanley, Stanford University

Webinar & FW26, Computer Laboratory, William Gates Building.

Uncovering and understanding how influence networks push propaganda and disinformation within the wider news ecosystem remains a difficult challenge that requires tracking and characterizing how narratives spread across thousands of fringe and mainstream news websites. Using 18 months of daily news article scrapes from 1,003 unreliable, 1,012 mixed-reliability, and 2,061 reliable news websites, together with a fine-tuned Matryoshka embedding, hierarchical Reciprocal Nearest Neighbor clustering, and zero-shot stance detection, we isolate and quantify the relationships between unreliable, mixed-reliability, and reliable news outlets. We show that by utilizing the stances of website articles toward particular entities and network inference-based tools, we can track slanted propaganda networks and identify the most influential websites in spreading particular attitudes, not only on fringe websites but within the broader media ecosystem, helping the reporting and fact-checking of propaganda and disinformation.

Bio: Hans is a rising 5th year Ph.D. student at Stanford University supervised by Professor Zakir Durumeric and researching in the Empirical Security Research Group. His research focuses on natural language processing, computer security, and the spread of misinformation online. His research is supported by the Meta/Facebook Ph.D. Research Fellowship and the National Science Foundation Graduate Research Fellowship. Hans completed two Master’s degrees, in Computer Science and in Statistics, with the Daniel M. Sachs Scholarship at the University of Oxford. Hans completed his undergraduate degree in Electrical Engineering at Princeton University.

05 November 14:00 - Decision-making in cybercriminal underground spaces. Where to go, and why? / Luca Allodi, Eindhoven University of Technology

Webinar & LT2, Computer Laboratory, William Gates Building.

The underground cybercriminal space is very fragmented. Dozens of forums and hundreds if not thousands of groups and channels on Telegram (not to mention 'deep-web' websites, Discord servers, and others) make a cybercriminal's life more complicated than not: which community(ies) to join, when, and what for? The decision is riddled with uncertainties: law enforcement presence, risk of exit scams, trustworthiness of buyers and sellers, quality of products, transaction assurances, short and mid-term economic prospects and associated costs; the list goes on.

In this talk we discuss preliminary evidence that criminals may, in the aggregate, prefer communities with a certain set of characteristics for the trade of highly-effective technology. Further, we explore the role of Telegram in this ecosystem and compare it to the mainly forum-based model of the past. If time allows, we then zoom out and discuss what economic theory can tell us about 'migration' decisions across (in our case, criminal) communities, and how to possibly approach the evaluation of cybercriminal spaces from that angle.

Zoom link:

Meeting ID: 872 7261 4363
Passcode: 925499

29 October 14:00 - Developing Technical Interventions for Technical Abuse / Kieron Ivy Turk, University of Cambridge

Webinar & LT2, Computer Laboratory, William Gates Building.

Technology-facilitated domestic abuse is an evolving and widespread issue that has lasting effects on its victims and survivors. With nearly all modern domestic abuse cases involving some form of "tech-abuse", it is vital to develop new safety mechanisms and countermeasures to reduce harms to victim-survivors. In this talk, Ivy describes their PhD research evaluating a wide range of technology safety mechanisms, such as quick exit buttons on websites, domestic-abuse-sensitive police contact systems, and evidence collection tools, as well as mitigations for misuses of technology such as stalking with AirTags and similar devices.

Bio: Kieron Ivy (Either name, they/she) is a final year PhD student at the University of Cambridge exploring the interactions between technology and domestic abuse. Their research has explored many areas within this interdisciplinary field, influencing academic research, support service and policing responses, and industry design.

08 October 14:00 - The Curious Case of Big Phishes in The Netherlands / Hugo Bijmans, TNO & TU Delft

Webinar & LT2, Computer Laboratory, William Gates Building.

In this talk, I will share a story of how scientific research can contribute to enhancing cybercrime policing – and where it may fall short. Drawing on a 2021 USENIX paper, we explored the phishing landscape in the Netherlands. This research has since led to several follow-up initiatives in both the scientific community and law enforcement, which I will delve into further during the seminar.

Zoom link:

Meeting ID: 856 6423 9885
Passcode: 889746

20 September 14:00 - Latency-aware routing in mix networks / Mahdi Rahimi, KU Leuven

Webinar & FW11, Computer Laboratory, William Gates Building.

Anonymous communication systems, such as mix networks, achieve anonymity at the expense of latency, which is introduced to alter the flow of packets and hinder their tracing. However, high latency has a negative impact on usability. In this talk, I present some recent works proposing novel latency-aware routing schemes for mixnets that reduce propagation latency with a limited impact on anonymity. They can achieve this while also balancing traffic load in the network. Additionally, I will discuss how a network can be configured to maximize anonymity while meeting an average end-to-end latency constraint, along with a security analysis studying various adversarial strategies, suggesting that these approaches will not provide a considerable advantage to adversaries.

16 July 14:00 - Data-Agnostic Model Poisoning to Manipulating Federated Learning / Kai (Lukas) Li, CISTER research centre, Portugal

Webinar & LT2, Computer Laboratory, William Gates Building.

In this presentation, a data-agnostic model poisoning attack targeting federated learning systems will be explored. The proposed attack leverages a new adversarial graph autoencoder (GAE)-based framework that operates independently of training data access, thereby ensuring both its efficacy and stealth. The proposed attack allows the adversary to reconstruct the graph's structural correlations adversarially, optimizing the disruption of federated learning performance. This is achieved by generating malicious local models that incorporate the adversarial graph structure alongside the benign features of training data. Furthermore, an algorithm has been developed to iteratively refine the malicious models using GAE with sub-gradient descent. Numerical results demonstrate a progressive decline in the accuracy of federated learning systems subjected to this attack, which notably eludes detection by existing defensive measures. Consequently, this attack presents a formidable risk, potentially compromising all benign devices within the network.

Short bio: Dr. Kai Li received the B.E. degree from Shandong University, China, in 2009, the M.S. degree from The Hong Kong University of Science and Technology, Hong Kong, in 2010, and the Ph.D. degree in computer science from The University of New South Wales, Sydney, NSW, Australia, in 2014. Currently, he is a Visiting Research Scientist with the Division of Electrical Engineering, Department of Engineering, University of Cambridge, U.K., and a Senior Research Scientist with the CISTER Research Centre, Porto, Portugal. He is also a CMU-Portugal Research Fellow, jointly supported by Carnegie Mellon University (CMU), Pittsburgh, PA, USA, and the Foundation for Science and Technology (FCT), Lisbon, Portugal. In 2022, he was a Visiting Research Scholar with the CyLab Security and Privacy Institute, CMU. Prior to this, he was a Post-Doctoral Research Fellow with the SUTD-MIT International Design Centre, Singapore University of Technology and Design, Singapore, from 2014 to 2016. He has also held positions as a Visiting Research Assistant with the ICT Centre, CSIRO, Brisbane, QLD, Australia, from 2012 to 2013, and a full-time Research Assistant with the Mobile Technologies Centre, The Chinese University of Hong Kong, Hong Kong, from 2010 to 2011. He has been an Associate Editor of journals, such as Internet of Things (Elsevier) since 2024, Nature Computer Science (Springer) since 2023, Computer Communications (Elsevier) and Ad Hoc Networks (Elsevier) since 2021, and IEEE ACCESS from 2018 to 2024.

Meeting ID: 845 7141 6210
Passcode: 916045

RECORDING: Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY-NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

NOTE : Please do not post URLs for the talk, and especially Zoom links to Twitter because automated systems will pick them up and disrupt our meeting.

11 June 14:00 - How Misinformation Creators (Ab)use Generative AI Tools / Amelia (Mia) Hassoun, University of Cambridge

Computer Lab, FW11

Advances in generative AI (GenAI) have raised concerns about detecting and discerning AI-generated content from human-generated content. Existing work often uses a paradigm where 'expert' organized disinformation creators and flawed AI models deceive 'ordinary' users. Based on longitudinal ethnographic research with misinformation creators and consumers, we instead find that GenAI supports 'bricolage work', where non-experts increasingly use GenAI to (re)produce content to meet individual needs.

Participants primarily used GenAI for creation rather than truth-seeking. A spreading 'influencer millionaire' narrative drove participants to become content creators, using GenAI as a productivity tool to generate volumes of (often misinformative) content. GenAI lowered the barrier to entry for content creation, enticing consumers to become creators and significantly increasing existing creators’ output. Participants used GenAI to learn and deploy tactics to expand engagement and monetize their content. In this talk, I argue for shifting analysis from the public as consumers of AI content to bricoleurs who use GenAI creatively, often without a detailed understanding of its underlying technology. This talk discusses how these understudied emergent uses of GenAI produce new or accelerated misinformation harms and their implications for abuse mitigation.

Meeting ID: 867 3738 0431
Passcode: 810284

07 June 13:00 - The end of world as we know it / Arturo Bejar

GS15, Computer Laboratory, William Gates Building

It turns out that 0.02% of harmful experiences people have on social media today are addressed by the current approach to Integrity and Safety. Why is that? Think of how many ways there are to be racist, threaten someone (or any other issue), and then multiply by culture, sub-culture, age, and humans. I'll be discussing some directions that can help one of the most challenging of today's problems.

Arturo Béjar started working on capability security, cryptographic systems, and web application security in the 90s, ending up as Yahoo!'s head of information security. From 2009 to 2015, Arturo was the Director for Protect and Care at Facebook, managing the teams responsible for engineering, product, data, design, and research for: Integrity (including all the infrastructure to protect against spam and other attacks), Security Engineering, Product Infrastructure (the team that created React), Safety, and Care. From 2019 to 2021, Arturo returned to Meta/Facebook as a consultant, which resulted in his whistleblowing about harms experienced by teens on Instagram.

Meeting ID: 858 1641 5543
Passcode: 273455

07 May 14:00 - Automated detection of cryptocurrency investment scams at scale / Jose Gilberto Atondo Siu (University of Cambridge)

Webinar & LT2, Computer Laboratory, William Gates Building.

The ecosystem of cryptocurrencies has grown and changed significantly since Bitcoin's inception in 2008. This expansion, however, has opened opportunities for cybercriminals, leading to an increase in cryptocurrency-related scams. Although extensive research has been carried out in relation to this type of scam, there is limited research that analyses the textual content of online forums and social media to identify cryptocurrency investment scams at scale in an automated manner. This talk presents applications of machine learning models to detect cryptocurrency investment scams through the analysis of textual conversations, offering insights into the evolution of scam luring tactics and the monetary impact these fraudulent schemes have on society.

Meeting ID: 845 8903 4432
Passcode: 206709

26 April 17:00 - A biography of Tor - a cultural and technological history of power, privacy, and global politics at the internet's core / Ben Collier, University of Edinburgh

Online & LT2, Computer Laboratory, William Gates Building.

In the seminar, Dr Ben Collier will introduce the new book, Tor: From the Dark Web to the Future of Privacy (MIT Press, 2024).

* Chair: Prof Alice Hutchings
* Speaker 1: Dr Ben Collier
* Speaker 2: Professor Steven Murdoch

5:00pm, 26th April 2024
LT2 - William Gates Building
15 JJ Thomson Avenue, Cambridge, CB3 0FD

A biography of Tor - a cultural and technological history of power, privacy, and global politics at the internet's core.
Tor, one of the most important and misunderstood technologies of the digital age, is best known as the infrastructure underpinning the so-called Dark Web. But the real 'dark web,' when it comes to Tor, is the hidden history brought to light in this book: where this complex and contested infrastructure came from, why it exists, and how it connects with global power in intricate and intimate ways. In Tor: From the Dark Web to the Future of Privacy, Ben Collier has written, in essence, a biography of Tor - a cultural and technological history of power, privacy, politics, and empire in the deepest reaches of the internet.

The story of Tor begins in the 1990s with its creation by the US Navy's Naval Research Lab, from a convergence of different cultural worlds. Drawing on in-depth interviews with designers, developers, activists, and users, along with twenty years of mailing lists, design documents, reporting, and legal papers, Collier traces Tor's evolution from those early days to its current operation on the frontlines of global digital power - including the strange collaboration between US military scientists and a group of freewheeling hackers called the Cypherpunks. As Collier charts the rise and fall of three different cultures in Tor's diverse community - the engineers, the maintainers, and the activists, each with a distinct understanding of and vision for Tor - he reckons with Tor's complicated, changing relationship with contemporary US empire. Ultimately, the book reveals how different groups of users have repurposed Tor and built new technologies and worlds of their own around it, with profound implications for the future of the Internet.

The registration link (essential for those attending online) is:

23 April 14:00 - Applications of proofs to network security / Joseph Bonneau, New York University

Webinar & LT2, Computer Laboratory, William Gates Building.

Blockchains have motivated a surge of research and development into succinct probabilistic proofs. As proof constructions have gotten dramatically more efficient, entirely new applications have become feasible in other areas as well. This talk will discuss two proposed applications in the area of network security. First, zero-knowledge middleboxes (ZKMBs), which enable network users to prove that their packets comply with a network usage policy (e.g. a domain blocklist) without revealing their actual data to the middlebox. Second, replacing certificate authorities (CAs) with proofs in a new protocol called DOVE, removing the massive trust placed in the current CA ecosystem.

Meeting ID: 829 9210 3686
Passcode: 357389

02 April 14:00 - Legal Concepts in Cybersecurity and Privacy for Digital & Smart Environments / Raj Sachdev, Cornell University & Plymouth State

Webinar & LT2, Computer Laboratory, William Gates Building.

This talk will cover trends in the current cybersecurity and privacy legal environment that apply to digital, marketing, & smart settings. As technologists and organizations work on digital & smart innovations using emerging technologies that are poised to change the way we interact with goods and each other, legal concepts must be considered. U.S., UK, and EU perspectives will be covered alongside strategies. No legal advice is provided in this seminar.

Meeting ID: 844 1522 5730
Passcode: 271381

NOTE: The talk will not be recorded.

19 March 14:00 - Data Poisoning and Fakes in Mobile, Web and Cyber Physical Systems / Soteris Demetriou, Imperial College London

Webinar & LT2, Computer Laboratory, William Gates Building.

In this talk I will focus on analysing the robustness of systems which depend on crowdsourced and sensor data. I will showcase vulnerabilities on mobile crowdsourcing services which can be exploited to launch data poisoning attacks successful in faking online posts for robberies, gunshots, and other dangerous incidents, faking fitness activities with supernatural speeds and distances. I will then show how data poisoning can impact 3D object detection in sensor-rich autonomous vehicles and discuss strategies for detecting such issues.

Meeting ID: 819 8279 1343
Passcode: 079963

12 March 14:00 - Mysticeti: Low-Latency DAG Consensus with Fast Commit Path / Alberto Sonnino, Mysten Labs

Webinar & FW11, Computer Laboratory, William Gates Building.

This talk introduces Mysticeti, a Byzantine consensus protocol with low latency and high resource efficiency. It leverages a DAG based on Threshold Clocks and incorporates innovations in pipelining and multiple leaders to reduce latency in the steady state and under crash failures. Mysticeti is the first Byzantine protocol to achieve a WAN latency of 0.5 s for consensus commit at a throughput of over 50k TPS, matching the state of the art. Additionally, and if time permits, this talk describes a variant of Mysticeti, called Mysticeti-FPC, that incorporates a fast commit path with even lower latency by forgoing consensus whenever possible.

Meeting ID: 863 6861 5412
Passcode: 160590

05 March 14:00 - How to Catch an AI Liar: Lie Detection in Black-Box LLMs by Asking Unrelated Questions / Lorenzo Pacchiardi, University of Cambridge

Webinar & FW11, Computer Laboratory, William Gates Building.

Large language models (LLMs) can "lie", which we define as outputting false statements despite "knowing" the truth in a demonstrable sense. LLMs might "lie", for example, when instructed to output misinformation. Here, we develop a simple lie detector that requires neither access to the LLM's activations (black-box) nor ground-truth knowledge of the fact in question. The detector works by asking a predefined set of unrelated follow-up questions after a suspected lie, and feeding the LLM's yes/no answers into a logistic regression classifier. Despite its simplicity, this lie detector is highly accurate and surprisingly general. When trained on examples from a single setting -- prompting GPT-3.5 to lie about factual questions -- the detector generalises out-of-distribution to (1) other LLM architectures, (2) LLMs fine-tuned to lie, (3) sycophantic lies, and (4) lies emerging in real-life scenarios such as sales. These results indicate that LLMs have distinctive lie-related behavioural patterns, consistent across architectures and contexts, which could enable general-purpose lie detection.

Meeting ID: 880 5365 2228
Passcode: 081966

29 February 14:00 - Characterizing Machine Unlearning through Definitions and Implementations / Nicolas Papernot, University of Toronto and Vector Institute

Webinar & FW11, Computer Laboratory, William Gates Building.

The talk presents open problems in the study of machine unlearning. The need for machine unlearning, i.e., obtaining a model one would get without training on a subset of data, arises from privacy legislation and as a potential solution to data poisoning or copyright claims. The first part of the talk discusses approaches that provide exact unlearning: these approaches output the same distribution of models as would have been obtained by training without the subset of data to be unlearned in the first place. While such approaches can be computationally expensive, we discuss why it is difficult to relax the guarantee they provide to pave the way for more efficient approaches. The second part of the talk asks if we can verify unlearning. Here we show how an entity can claim plausible deniability when challenged about an unlearning request that was claimed to be processed, and conclude that at the level of model weights, being unlearnt is not always a well-defined property. Instead, unlearning is an algorithmic property.

Meeting ID: 821 1279 5708
Passcode: 468381

20 February 14:00 - Owl - an augmented password-authenticated key exchange protocol / Feng Hao, University of Warwick

Webinar & FW11, Computer Laboratory, William Gates Building.

In this talk, I will first review three decades of research in the field of password-authenticated key exchange (PAKE). PAKE protocols can be categorized into two types: balanced and augmented schemes. I will share my experience of designing a balanced PAKE called J-PAKE in 2008 (joint work with Ryan). Today, J-PAKE has been deployed in many real-world applications, e.g., Google Nest, ARM Mbed, Amazon Fire stick and Thread products.

Next, I will focus on augmented PAKE, which is a different challenge. Today, SRP-6a is the only augmented PAKE that has enjoyed wide use, e.g., in Apple's iCloud, 1Password and Proton Mail. Limitations of SRP-6a, such as heuristic security, a lack of efficiency (due to the mandated use of a safe prime) and a lack of support for elliptic curve implementations, are well known, but for the past 25 years there has been no better alternative. In 2020, the IETF chose OPAQUE as an augmented PAKE standard, but open issues leave it unclear whether OPAQUE will replace SRP-6a.

Finally, I will present Owl, a new augmented PAKE (joint work with Bag, Chen and van Oorschot; see ). Owl is obtained by efficiently adapting J-PAKE to an augmented setting. While J-PAKE is symmetric, Owl is asymmetric. Both protocols follow the same design principle, but they are suitable for different applications. I will show that Owl is systematically better than SRP-6a in every aspect, including security, computation, communication, message sizes and cryptographic agility. Owl is also free from several security and implementation issues faced by OPAQUE.

Meeting ID: 889 5042 2934
Passcode: 853480

RECORDING: Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY-NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

NOTE: Please do not post URLs for the talk, and especially Zoom links to Twitter because automated systems will pick them up and disrupt our meeting.


13 February 14:00 Securing the WebPKI in Practice: A tour of the technologies, politics and open problems / Dennis Jackson, Mozilla

Webinar & FW11, Computer Laboratory, William Gates Building.

The public key infrastructure that secures the web has been around for nearly three decades. Since 2012, it has become a critical (albeit unappreciated) aspect of daily life for billions of people. In that short time, a dizzying number of technologies to improve security and privacy on the web have been designed, deployed, and, in many cases, deprecated. We’ll look at those which have become fundamental to online security, those which didn’t work out in practice, and the unsolved research problems remaining. We’ll also peek behind the curtain to see how contemporary realpolitik between countries over their ‘digital sovereignty’, profit incentives of corporate stakeholders and increasingly expansive government regulations threaten the WebPKI as it exists today.

Note: Please do not post URLs for the talk, and especially Zoom links to Twitter because automated systems will pick them up and disrupt our meeting.

Meeting ID: 814 0386 1657
Passcode: 578528

Recording

06 February 14:00 Dead Code Removal at Meta: Automatically Deleting Millions of Lines of Code and Petabytes of Deprecated Data / Will Shackleton, Meta

Webinar & FW11, Computer Laboratory, William Gates Building.

Software constantly evolves in response to user needs: new features are built, deployed, mature and grow old, and eventually their usage drops enough to merit switching them off. In any large codebase, this feature lifecycle can naturally lead to retaining unnecessary code and data. Removing these respects users’ privacy expectations, as well as helping engineers to work efficiently. In prior software engineering research, we have found little evidence of code deprecation or dead-code removal at industrial scale. We describe Systematic Code and Asset Removal Framework (SCARF), a product deprecation system to assist engineers working in large codebases. SCARF identifies unused code and data assets and safely removes them. It operates fully automatically, including committing code and dropping database tables. It also gathers developer input where it cannot take automated actions, leading to further removals. Dead code removal increases the quality and consistency of large codebases, aids with knowledge management and improves reliability. SCARF has had an important impact at Meta. In the last year alone, it has removed petabytes of data across 12.8 million distinct assets, and deleted over 104 million lines of code.

Meeting ID: 874 4573 7656
Passcode: 290144

RECORDING: Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY-NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

Note: Please do not post URLs for the talk, and especially Zoom links to Twitter because automated systems will pick them up and disrupt our meeting.


26 January 16:00 One Protocol to Rule Them All? On Securing Interoperable Messaging / Jenny Blessing (University of Cambridge)

Webinar & FW11, Computer Laboratory, William Gates Building.

European lawmakers have ruled through the Digital Markets Act that users on different platforms should be able to exchange messages with each other. Yet messaging interoperability opens up a Pandora’s box of security and privacy challenges. While championed not just as an antitrust measure but as a means of providing a better experience for the end user, interoperability runs the risk of making the user experience worse if poorly executed. There are two fundamental questions: how to enable the actual message exchange, and how to handle the numerous residual challenges arising from encrypted messages passing from one service provider to another—including but certainly not limited to content moderation, user authentication, key management, and metadata sharing between providers.

In this talk, we will survey specific open questions and challenges in interoperable end-to-end encrypted messaging, with a particular focus on key management, user identity, and content moderation. We will outline existing protocols and designs, discuss where current solutions fall short, and explore possible ways of tackling these challenges.

Meeting ID: 835 5368 2797
Passcode: 811133

NOTE: Please do not post URLs for the talk, and especially Zoom links to Twitter because automated systems will pick them up and disrupt our meeting.

Recording

23 January 14:00 A Comprehensive Study of the Extremist Narratives and the Role of Alternative Social Networks that Facilitate Radical Discourse / Antonis Papasavva, University College London

Webinar & SS03, Computer Laboratory, William Gates Building.

Conspiracy theories have become a pervasive and potent force in the digital age, challenging societies and democracies worldwide.
This talk delves into the enigmatic origins of the QAnon conspiracy to offer a comprehensive analysis of the online fringe communities that facilitate such discourse.
We employ a data-driven cross-platform mixed-methods approach to investigate the evolution, behavior, and impact of QAnon across various alternative social networks.

Conspiracy theories, including QAnon, pose significant threats to democracies and individual autonomy.
This is exemplified by their exploitation for political gain, as evidenced by events such as the 2016 US Presidential Elections and the 2021 insurrection at the US Capitol.
Furthermore, these theories have real-world consequences, from public health threats due to COVID-19 misinformation to incidents of violence and radicalization.

Our research transcends QAnon's specific narratives to address critical questions about the movement, including but not limited to the activity of adherents, discussion topics, and community responses to platform shutdowns and online migration.
This talk underscores the imperative of understanding conspiracy theories in a digital world and the urgent need to develop strategies for countering their influence.
We provide unique insights into the dynamics of online communities, the challenges of moderation, and the intricate interplay between conspiracy theories and alternative social networks.

Meeting ID: 864 2107 6573
Passcode: 825423

RECORDING: Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY-NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.


19 January 16:00 Two Sides of the Same Crime / Michael Dewar, Vice President for Data Science at Mastercard

Webinar & LT2, Computer Laboratory, William Gates Building.

2-5% of global GDP – some $2-5T USD – is estimated to be associated with economic crime. Less than 1% of this is seized, while the total cost of compliance is around $274B USD: we are not winning this fight. This talk describes the work we do at Mastercard that seeks to move past the legacy approaches to economic crime, both fraud and money laundering, and questions the dominant theories of change in this space.