Client-side scanning, or child protection? discusses the hot policy topic of early 2023: whether lawmakers should compel the providers of end-to-end encrypted messaging services to build in backdoors for the convenience of the intelligence agencies, under the pretext of protecting children. It was given at Digitalize in Stockholm.
This No Name Podcast was done for Ukraine, whose cyber command uses my security economics course in their boot camp.
If it's provably secure, it probably isn't discusses the use and abuse of proof in security. Many system components come with security proofs, yet often break; I discuss a number of examples, from block ciphers through OAEP and SSH to HSM APIs and quantum security proofs based on entanglement. What's going on?
Trojan Source and Bad Characters: Invisible Hacks and Reluctant Patching was a keynote talk at LangSec 22 describing a vulnerability that affected a large number of computer languages and natural-language processing systems – and how it was mainly the former that got patched.
Security engineering of machine learning is a talk I gave at Stanford in May 2022 to an audience of biomedical engineers, about the likely effects of machine learning on the safety and privacy of medical devices and the implications for regulation. An earlier version discusses half-a-dozen attacks on neural networks that we've discovered over the past three years and was my first lecture as a professor in Edinburgh.
Adversarial Usability was a keynote at USEC 2022; much of the adversarial behaviour nowadays is by large companies trying to exploit users. What will be the implications for "AI"?
Situational Awareness – Robots, Manners and Stress discusses how, in a world of tussles between humans and machine-learning systems, it will be ever more important for both humans and machines to be aware of whether they're under attack. Humans can't live in castles and drive around in tanks; the same goes for AIs.
Infrastructure – the Good, the Bad and the Ugly analyses the security economics of platforms and services. Infrastructure used to be boring and regulated; now it's dynamic and a scene of constant tussles. This was a Dertouzos Distinguished Lecture at MIT in March 2021 (blog).
My security engineering course consists of fifteen videos, taught as lectures to fourth-year undergrads and masters students at Edinburgh, along with Sam Ainsworth. They're based on my security engineering textbook.
Our cyber security economics course was recorded in 2015 and is widely used to teach the subject, not just in universities but in industry and government. We're currently working on an update.
What price the upload filter? looks at the EU's proposals for government access to end-to-end encrypted chat clients to censor objectionable content, in the context of the Crypto Wars and the collateral damage they caused. This talk was given at the Remote Chaos Experience in December 2020 (German press).
Cybersecurity: safety, privacy, sustainability and liberty was a talk at a policy conference on what the EU should try to achieve on cybersecurity in its talks with the incoming Biden administration on a new transatlantic partnership.
Inference control has washed through the research community in four waves. The first three dealt with the census in the 1980s, the complexity of medical records in the 1990s and the scale of web search in the 2000s. Now we're dealing with social networks, location data and machine learning, and the privacy problems combine both complexity and scale.
The sustainability of safety, security and privacy sets out the new Grand Challenge for computer scientists: creating the tools needed for long-term maintenance of the software in durable goods such as cars and medical devices. This version of the talk was given at 36C3 in Leipzig in December 2019; it's a topic I've been writing and speaking about for some time. The latest, shorter version was given in October 2020.
Privacy for Tigers explores the information warfare aspects of the fight to protect endangered species from poachers. This is joint work with Tanya Berger-Wolf of Wildbook.
My most recent Computerphile videos are on tracing stolen bitcoin and on why bitcoin isn't cash; they explain how the law and computer science can come together to, hopefully, tame the cryptocurrency wild west. There's more here.
Keys Under Doormats is a talk I gave to the Ethics in Mathematics Society on the history of the Crypto Wars over the past 25 years. It's also a paper that colleagues and I wrote on the implications of demands by various governments for all online systems to facilitate covert access by intelligence agencies and the police.
An interview on Edge discusses the last thirty years of progress (or lack of it) in information security, from the early beginnings, through the crypto wars and crime moving online, to the economics of security.
A talk to the annual conference on ethics in mathematics explains how we teach economics, law and ethics as an integrated course for computer scientists at Cambridge (my talk starts 1h 51m and 20s into the video).
Another, on problems with the Internet of things, explains the growing costs of software security maintenance as software gets into consumer durables such as cars. How will we patch car software for thirty years, when we can't even patch phones for three? There's also an earlier talk on The Internet of Bad Things that I gave in Prague in 2015, and later talks on software sustainability at AsiaCCS and ICISSP.
In 2016 I won the top UK award in computing, the Lovelace medal; the videos are here. The British Computer Society, which awards the medal, also did biographical interviews which are here and here.
Is it practical to build a truly distributed payment system? – my keynote talk at CCS 2016 – explores how we can do mobile payments offline in less developed countries.
Chip & PIN Fraud Explained looks at new ways of doing card fraud, including the No-PIN and preplay attacks. This follows on from an earlier Newsnight piece in which we showed how the No-PIN attack works. In The Banking Code, we demonstrated that relay attacks on EMV are practical. There's also a Black Hat talk on how smartcard payment systems fail. Other talks on payments generally include How bitcoin works, which explains cryptocurrency, while Bitcoin problems points out some of its downsides and limitations. Earlier, a keynote from Indocrypt in 2012 surveyed the crypto around payments and the underlying economics.
A 2015 policy keynote discusses what happens to medical ethics, and research ethics more generally, in a world of cloud-based medical records and pervasive genomics. There's also a short talk I gave on medical privacy in 2013, at the launch of medconfidential.org, and a 2013 talk given at the Technion on Safety and privacy of health systems in the age of biodata. This in turn followed my getting a Brandeis Award for patient privacy in 2012.
The Golden Key: FBI vs Apple iPhone was done for Computerphile in the run-up to the UK's 2015 election where David Cameron wanted to grab control of crypto keys. Could We Ban Encryption? was done after he won the election, in the run-up to the Investigatory Powers Bill arriving in parliament. The coalition government from 2010–5 gave us better outcomes: at Scrambling for Safety in 2012 I talked about the vanishing distinction between content and traffic data. This campaign led to the defeat of the coalition's Communications Data Bill.
Should a prudent cryptographer believe all the quantum claims? is a video of a 2015 talk I gave in Darmstadt, at a joint conference of computer scientists and physicists, explaining why I don't believe security proofs based on quantum entanglement – and the angry response from the physicists! The video I showed during the talk, of Yves Couder's bouncing-droplet experiments, can be found here. An earlier talk in Warwick is here in parts 1, 2, 3, 4 and 5.
In 2014 I gave the annual privacy lecture at Berkeley Law; here are the recording, the slides and the paper.
How can we recover from protocol failure? is an invited talk I gave at the Technion in 2013, where I started to discuss the security economics of protocol evolution.
My Logan Symposium talk explores how journalists can protect their sources and themselves; it was followed by a panel discussion. There was a session on this and related topics at the 2013 Crypto Festival; my talk starts at 23 minutes and runs to 45, after a talk by Annie Machon on protecting whistleblowers and journalists, and the panel discussion starts at 1 hour 12.
A talk on How does software change engineering? at the Royal Academy of Engineering in 2012 gives a big-picture view.
The Resilience of the Internet Infrastructure describes some work we did for the European Commission in 2011 on how large-scale attacks on the Internet infrastructure might be carried out, and how they might be prevented.
Three videos on privacy made by Action on Rights for Children – part of a campaign that led to the Contactpoint children's database being abolished in 2010; and a short video on the Blair government's other efforts to extend surveillance powers via ID cards and computerised medical records. And in this talk I discuss why computer science academics nowadays seem to be always opposing the establishment, unlike those of our parents' generation.
There's a talk on the Bring your own device movement and its implications for employers.
Here are some predictions about IoT that I made at the World Economic Forum in November 2008, with a call for engineers and economists to learn a bit about each other's ways of thinking.
The oldest video is Protocol Analysis, Composability and Computation, a talk I gave in 2002 at a conference to celebrate Roger Needham's 50 years at Cambridge. The paper is here.