Archive for the ‘security’ Category

Understanding the Spreading Patterns of Mobile Phone Viruses

Monday, August 10th, 2009

This science paper is very interesting. However, as pointed out here, it has two major problems:

1) The paper more or less ignores the effects of the technical safeguards built into modern smartphone operating systems.

2) The paper mentions that the reason there haven’t been more mobile outbreaks is that no smartphone operating system is dominant enough. Then, in the next paragraph, it mentions that Symbian has, oh, 65% market share of all smartphones.


We model the mobility of mobile phone users to study the fundamental spreading patterns characterizing a mobile virus outbreak. We find that while Bluetooth viruses can reach all susceptible handsets with time, they spread slowly due to human mobility, offering ample opportunities to deploy antiviral software. In contrast, viruses utilizing multimedia messaging services could infect all users in hours, but currently a phase transition on the underlying call graph limits them to only a small fraction of the susceptible users. These results explain the lack of a major mobile virus breakout so far and predict that once a mobile operating system’s market share reaches the phase transition point, viruses will pose a serious threat to mobile communications.

8 friends are enough

Wednesday, May 20th, 2009

New article by Ross Anderson’s group. It’s beautiful in its simplicity: “Eight Friends are Enough: Social Graph Approximation via Public Listings shows how easy it is for an outsider to work out the structure of friendships on Facebook. (For more, see our blog on Facebook’s technical privacy and its democracy theatre.)”

In short: given

  • G: an undirected graph (e.g., the Facebook social network), and
  • Gk: the publicly available portion of G (one in which only k outgoing friendship edges have been randomly chosen from G),

they show that the results of applying a certain function f (e.g., centrality, shortest paths, community structure) to Gk are similar to those of applying f to the entire G! That is, by using only the public view (Gk), one is able to infer node centralities, shortest paths, and community structures of the whole G! A scary result for privacy-conscious people, but good news for researchers who need to handle big networks ;-) On the scary side, from a partial (public) view of a social network, one is able to guess

  • which nodes are central – e.g., 1) marketing companies are able to identify influential individuals and virally spread products through them; or 2) during protests that are self-organized via text messages, repressive governments are able to identify influential individuals and intercept their text traffic.
  • communities – the authors “were able to divide the [partial] graph into communities nearly as well as using complete graph knowledge.” (Sect. 3.5)
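The sampling idea above, worked through on a constructed toy graph rather than the paper’s Facebook data (added illustration, not the authors’ code): every node publicly lists at most k friends, and the same function f (here degree centrality and BFS shortest paths) is applied to both G and the public view Gk. The graph layout, the function names and k are my assumptions.

```python
import random
from collections import deque

# Constructed toy social graph G (not the paper's data): a hub (node 0)
# that is friends with everyone, a ring 1-2-...-12-1, and two chords.
G = {i: set() for i in range(13)}

def _add_edge(u, v):
    G[u].add(v); G[v].add(u)

for i in range(1, 13):
    _add_edge(0, i)              # hub edge
    _add_edge(i, i % 12 + 1)     # ring edge
_add_edge(3, 9); _add_edge(5, 11)

def public_view(graph, k, seed=0):
    """Gk: every node publicly lists at most k of its friends, chosen at random.
    A listed friendship is visible from both ends, so Gk is an undirected subgraph of G."""
    rng = random.Random(seed)
    gk = {u: set() for u in graph}
    for u in sorted(graph):
        for v in rng.sample(sorted(graph[u]), min(k, len(graph[u]))):
            gk[u].add(v); gk[v].add(u)
    return gk

def degree_centrality(graph):
    return {u: len(nb) for u, nb in graph.items()}

def bfs_distances(graph, src):
    """Hop distances from src to every node reachable from it."""
    dist, q = {src: 0}, deque([src])
    while q:
        u = q.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1; q.append(v)
    return dist

def mean_path_length(graph):
    d = [l for u in graph for v, l in bfs_distances(graph, u).items() if v != u]
    return sum(d) / len(d)

def compare(graph, gk):
    """Apply f (degree centrality, shortest paths) to G and to Gk and report both."""
    cg, ck = degree_centrality(graph), degree_centrality(gk)
    return {"top_G": max(cg, key=cg.get), "top_Gk": max(ck, key=ck.get),
            "edges_G": sum(cg.values()) // 2, "edges_Gk": sum(ck.values()) // 2,
            "mean_path_G": round(mean_path_length(graph), 3),
            "mean_path_Gk": round(mean_path_length(gk), 3)}

if __name__ == "__main__":
    print(compare(G, public_view(G, k=2)))   # the hub stays the most central node
```

Because Gk is a subgraph of G, every shortest path in Gk is at least as long as in G; the interesting observation is how little the ranking of central nodes changes even when each node exposes only two of its friends.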

Sybils in RecSys

Friday, February 6th, 2009

SybilGuard’s authors will present a paper on how to defend recommender systems from the Sybil Attack.
DSybil: Optimal Sybil-Resistance for Recommendation Systems

I’m waiting to read the paper to see which real data they’ve used and how it would possibly work on the typical social networks of recsys websites, which aren’t that big and may well not be fast mixing (SybilGuard’s controversial assumptions).

Internet Identity and Conspiracy 101

Tuesday, January 27th, 2009

Recently, I’ve started to work on the problem of sybil attacks in mobile nets, and I came across this old discussion on identities in the Internet. The Snakes of Medusa and Cyberspace: Internet identity subversion.

Enabling New Mobile Applications with Location Proofs

Tuesday, January 27th, 2009

Idea of this paper: Any device can request a location proof from the infrastructure when it is within communication range; the recipient device can then transmit the proof obtained from the infrastructure to any application that wishes to verify the device’s location.

Applications: store discounts for loyal customers (frequent visitors), green commuting proof, location-restricted content delivery, reducing fraud on auction websites, and police investigations (producing alibis).

“Making Mobile Raters Stick to their Word” @ Ubicomp

Monday, September 22nd, 2008

In a few hours I will present MobiRate. Fortunately, the slides are ready! See them below. A short description follows.

P.S. I’ll blog about Ubicomp shortly. For now, look at the great coverage by Albrecht Schmidt ;-)


View SlideShare presentation or Upload your own. (tags: trust systems)

Q&A Session (at the conference):

Q> You have shown that MobiRate effectively protects against *independent* malicious individuals. What if malicious individuals collude?
A> Colluding malicious people will not be able to tweak ratings because they cannot produce fake crypto material. However, if malicious people collude, one may well run into updating problems. Phones update their ratings while they move and, consequently, there are time windows in which ratings are not up-to-date. During those time windows, colluding people may succeed in attacking the communities they are in (e.g., in flooding the system with spam content).

Q> Phones that run MobiRate audit each other. Are their users aware of that?
A> We have assumed that, in downloading and running MobiRate, people silently agree with the possibility of their phones being “auditors”. However, people should be able to step back and refuse to be auditors at times; for example, whenever they are running out of battery. This feature should definitely be included in the next version of MobiRate.

Q> Your solution is general, in that it is able to collect and store not only user ratings but also user activities!
A> True. Instead of monitoring ratings, one could force people to keep a record of their activities. Before deploying MobiRate, we should carefully think about its misuses and try to prevent them. A good starting point could be to understand how “historical misuses of technology can be studied to be avoided in the future” (link).

Short Description of MobiRate:


Semantic-Social Networks

Friday, September 5th, 2008

Here is a very interesting talk (slides + audio) by Story Henry, a researcher at Sun Microsystems interested in the Semantic Web and social networks.

Henry gave this presentation at JavaOne 2008, and at the Internet Identity Workshop and the Data Sharing Summit in Mountain View this May.

The slides cover data portability between social networks, linked data, FOAF (the Friend Of A Friend project), security in distributed social networks and OpenID; demo a real semantic address book written in Java and explain how it works; introduce SPARQL (a query language for the Semantic Web) and rules; and give some ideas as to what a semantic desktop will look like…

You can view it here:



IFIPTM Monday workshops (CAT, W2Trust)

Monday, June 23rd, 2008

The Monday workshop sessions of IFIPTM 2008 were a combination of the second workshop on Context-awareness and trust (CAT) and first workshop on Web 2.0 trust (W2Trust). See the W2Trust website for the full list of papers. In this post, we summarize what we saw.


Workshop on Trust in Mobile Environments

Friday, February 15th, 2008

Following Daniele’s previous post on workshops at iTrust, another workshop is doing its own round of advertisement: the iTrust Workshop on Trust in Mobile Environments. Abstracts are due the 28th of March. Here is a short description:

Trust is a vital issue in mobile computing if applications are to support interactions which will carry data of any significance. Consider, for instance, exploring a market place: which vendors should one prefer, and why; how can a user establish the provenance of an item, etc. Various trust models have been developed in recent years to enable the construction of trust-aware applications. However, it is still not clear how robust these models are, and against what types of attacks; how accurate they are in capturing human characteristics and dynamics of trust; how suitable they are to the mobile setting. Mobility brings in orthogonal complexities to the problem of trust management: for example, the transient relationships with the environment and other users call for an investigation of the dependency between trust and context; the lack of a clear shared control authority makes it difficult to verify identities, and to follow up problems later; the limited network capability and ad-hoc connectivity require the investigation of novel protocols for content sharing and dissemination, and so on.

Spam Dataset

Monday, January 21st, 2008

WEBSPAM-UK2007 “is a large collection of annotated spam/nonspam hosts labeled by a group of volunteers. The base data is a set of 105,896,555 pages in 114,529 hosts in the .UK domain downloaded by the Laboratory of Web Algorithmics of the University of Milano. The assessment was done by a group of volunteers.

For the purpose of the Web Spam Challenge 2008, the labels are being released in two sets. SET1, containing roughly 2/3 of the assessed hosts, will be given for training, while SET2, containing the remaining 1/3, will be held for testing. More information about the Web Spam Challenge 2008, co-located with AIRWeb 2008, will be available soon” here and here.

Netflix Prize dataset de-anonymised

Wednesday, December 19th, 2007

Two researchers at the University of Texas have de-anonymised (re-nymised? nymified?) the Netflix Prize dataset.

Modelling Conflict. 6th of Dec ’07

Wednesday, December 5th, 2007

Where: 57-58 De Morgan House – Russell Square. Central London.
When: 5:00pm – 7:00pm
Who: Professor Timothy Hackworth & Philip Treleaven (Computer Science UCL)

What: Computational Science has already had an immense impact on the life sciences. We now try to assess its effectiveness on social and political modelling and, in particular, in thwarting terrorism (pdf).

Privacy in Ubicomp: Devices that Tell on You

Wednesday, June 6th, 2007

At USENIX Security, a paper will show how three consumer devices leak personal information.

We analyze three new consumer electronic gadgets in order to gauge the privacy and security trends in mass-market UbiComp devices. Our study of the Slingbox Pro uncovers a new information leakage vector for encrypted streaming multimedia. By exploiting properties of variable bitrate encoding schemes, we show that a passive adversary can determine with high probability the movie that a user is watching via her Slingbox, even when the Slingbox uses encryption. We experimentally evaluated our method against a database of over 100 hours of network traces for 26 distinct movies. Despite an opportunity to provide significantly more location privacy than existing devices, like RFIDs, we find that an attacker can trivially exploit the Nike+iPod Sport Kit’s design to track users; we demonstrate this with a GoogleMaps-based distributed surveillance system. We also uncover security issues with the way Microsoft Zunes manage their social relationships. We show how these products’ designers could have significantly raised the bar against some of our attacks. We also use some of our attacks to motivate fundamental security and privacy challenges for future UbiComp devices.

Vehicular nets: a promising application of reputation models

Monday, May 7th, 2007

In Italy, hackers have introduced erroneous messages into the traffic signal sent to GPS devices (article). This exemplifies the need for security in vehicular networks. Part of the needed security mechanisms may be offered by reputation (trust) models, as two recent papers show:

A Data Intensive Reputation Management Scheme for Vehicular Ad Hoc Networks (pdf)
On the Benefits of Cheating by Self-Interested Agents in Vehicular Networks (pdf)

Thinking creatively about crime

Thursday, May 3rd, 2007

A talk by Prof. Gloria Laycock on 22nd May 2007 at 18.00 hrs in room G08 of the Roberts Building, UCL

Prof. Laycock is director of the UCL Jill Dando Institute of Crime Science, with over 30 years research experience in the policing and crime prevention field.

If you wish to attend this event please register on-line.

*There is a £3.00 registration fee for non-club members (payable on the night). The deadline for registration is 18th May 2007.