research papers

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yingian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link) This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s…

Read More Paper: The Security of Password Expiration

In “Close Look at a Flu Outbreak Upends Some Common Wisdom,” Nicholas Bakalar writes: If you or your child came down with influenza during the H1N1, or swine flu, outbreak in 2009, it may not have happened the way you thought it did. A new study of a 2009 epidemic at a school in Pennsylvania…

Read More Infosec's Flu

There has been a disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any signficant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for a Information Security and Privacy Extended Grant (ISPEG) for academic researchers.

Read More Everybody complains about lack of information security research, but nobody does anything about it

In his ongoing role of “person who finds things that I will find interesting,” Adam recently sent me a link to a paper titled “THE HUMAN FACTORS ANALYSIS AND CLASSIFICATION SYSTEM–HFACS,” which discusses the role of people in aviation accidents.  From the abstract: Human error has been implicated in 70 to 80% of all civil…

Read More Human Error

I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines: I think the paper’s key hypothesis “securtity can be correctly represented with quantitative information” is overly broad. Can…

Read More Is Quantified Security a Weak Hypothesis?

What’s the biggest problem with quantum cryptography? That it’s too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it’s hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when…

Read More Quanta In Space!