Combining behavioural types with security analysis

Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties

Contracts Ex Machina

Smart contracts are self-executing digital transactions using decentralized cryptographic mechanisms for enforcement. They were theorized more than twenty years ago, but the recent development of Bitcoin and blockchain technologies has rekindled excitement about their potential among technologists and industry. Startup companies and major enterprises alike are now developing smart contract solutions for an array of markets, purporting to offer a digital bypass around traditional contract law. For legal scholars, smart contracts pose a significant question: Do smart contracts offer a superior solution to the problems that contract law addresses? In this article, we aim to understand both the potential and the limitations of smart contracts. We conclude that smart contracts offer novel possibilities, may significantly alter the commercial world, and will demand new legal responses. But smart contracts will not displace contract law. Understanding why not brings into focus the essential role of contract law as a remedial institution. In this way, smart contracts actually illuminate the role of contract law more than they obviate it

Power battles in ICT standards-setting process : lessons from mobile payments

Standards play an important role in ICT innovation to ensure the interoperability and interconnectivity. However, standardisation is a complex process that involves actors with different interests. Various studies, which are mainly economics, have tried to develop the standards-setting process models. One of the models proposes that standardisation can be distinguished into two main stages, i.e., the pre-standardisation stage and the standardisation stage (Smits, 1993). The distinction is based on the different players involved in each stage. The pre-standardisation stage is the period when the players involved are mostly the firms who have developed a new technological specification or requirement, which they want to become the standard. In this period, they draft proposals or recommendations for submission to a formal standards body. If accepted, the proposal or recommendation becomes a working item within the Technical Committee or Working Group of the standards body. This marks the beginning of the standardisation stage. The outcome of the pre-standardisation stage may, on the other hand, be made publicly available and become the market standard. If this is happens, there is no standardisation stage, and the process becomes de facto standardisation. The early stage of standardisation is considered to be the most important period in the standards-setting process for a number of reasons, the main one being that the dynamics and the interactions among actors during the early period may influence the process and the outcome. Various activities take place in this period, such as information gathering, lobbying, and informal meetings. These initial actions reveal the interactions among involved actors that have a substantial impact on the entire standards-setting process. Power is a factor that shapes the dynamics of these interactions. However, little research has been undertaken to explore this dynamics. This study, thus represents an effort to redress this, by exploring the mechanism of standardisation and the interactions that take place among the parties involved. To be precise, this study explores the power battles among the negotiating parties during the standards-setting process. The main research question of this study can be formulated as: How do the power battles shape the process of standards-setting in ICT industry? Qualitative case study research has been chosen as the research methodology. The qualitative case study consists of case selection and data collection, which includes interviews and documentation from technical report, white papers, news, to company profiles. Prior to the case study activities, literature survey on standardisation and negotiation, which is a part of desk research, has been conducted and serves as the knowledge source and the theoretical framework of this study. In addition, literature survey can also be used as a secondary source of data. Negotiation theory has been used to deliberate the concept of power. For the empirical part, the aspect of the ICT industry that has been chosen is Mobile Payments. The development of Mobile Payments, defined as an activity that occurs between two parties utilising a combination platform Power Battles 222 in ICT Standards-Setting Process between financial and mobile communications, is still in the conceptual and trial period, which means that as yet no standards have been defined. This provides an ideal context in which to track the process of standardisation and all it involves. Moreover, different sectors are involved in this emerging technology, which means a variety of power based negotiations are likely to occur. Therefore, five Mobile Payments developing organisations are revealed as the arena and discussed as the case studies. They are the Mobile Payment Forum, Mobey Forum, Simpay, PayCircle, and ECBS. Mobile Payments can be seen as a result of an innovation in a service industry. By definition, Mobile Payments is an incremental innovation, that is, a new technology that offers improved performance in payment method offered by payment institutions through mobile devices and networks. Mobile Payments is an improved service and a new method of payment, which involves services from the financial and mobile communications industries. Mobile Payments involves the telecommunications and the financial industries. Both industries have several existing standards, supported by powerful parties, and both industries are themselves powerful parties. As a result, standards development for Mobile Payments is being shaped by two powerful parties from different industries. Standards-setting for Mobile Payments thus is an inter-industry battleground, hence the current absence of standards for Mobile Payments. Various actors have made attempts to set standards for Mobile Payments. Mobile Payments is in the beginning and early period of the standards-setting process, in which only related firms are involved. Negotiation and informal meetings between parties occur during this stage, and an agreement among actors about certain solutions would be generated to proceed to the next level. For de facto standardisation, the agreement would be standards launched on the market. In the case of de jure standardisation, the agreement takes the form of a proposal, which must be examined and accepted as the working project by the formal standards body. The two major industry groups involved in Mobile Payments initiated various organisations. Financial industry initiatives resulted in the Mobile Payment Forum, the Mobey Forum and the European Committee for Banking Standards (ECBS). Initiatives from the telecommunications industry resulted in the establishment of what eventually became known as Simpay. In addition to these initiatives from the two major industries, the IT industry group representing manufacturers and vendors – launched PayCircle. Although competing to each other, these groups are inter-related. A number of firms join more than one group, playing a different role in each. For instance, in one group, a firm might be a Board member whilst it might only be an Associate member of another. Grindley (1995) calls these types of alliances cross-membership. It represents a strategic movement, designed to monitor the activities of others in the various fora. In Mobile Payments standardisation, four power types can be identified. These types of power are exercised by the different categories of actors in negotiating standards-setting process; they are legitimate power, expert power, referent power, and informational power. Legitimate power is possessed by the founder of consortia, and reflected from the leadership privilege in decision-making. Expert power is characterised by the expertise in particular area and technological know-how mostly possessed by the manufacturers. The expert power provides them to propose the preferred architecture of Mobile Payments. Referent power is acquired through reputation and influential individual, which is performed well by service oriented organisations. Related Summary 223 information, for instance on the current development on Mobile Payments, provides knowledge to the information possessor, and leads to the informational power. In this case, the typical possessors of informational power are network operators and credit-card companies. The existence of different Mobile Payments developing groups introduces competition at consortium level. The competition between groups affects the power battles among them. Each organisation has different power types, which produce different power dominance. The differences lie in the different membership composition. Mobile Payment Forum is a business and policy oriented consortium, which is reflected in the variety of its membership composition. Mobey Forum is a technically oriented consortium, whose concern is to implement mobile technologies for financial services. Simpay is a commercial and profit oriented group, and is registered as a UK-based company. PayCircle is a technically oriented consortium as exemplified by its membership. And ECBS is a policy-oriented organisation, which is evident from its membership composition and structure. Moreover, ECBS acts as regulator in the banking sector. The power battles among these organisations reveal certain characteristics. Although all Mobile Payments organisations possess expert power, this varies in type depending on the expertise of their members. For instance, although Mobey Forum and PayCirlce are both technically oriented, they have different approaches and different expertise. Although the Mobile Payment Forum and ECBS are both policy-oriented organisations, ECBS has more legitimate power than Mobile Payment Forum because the Mobile Payment Forum is a business-oriented group, which implements its legitimate power within the organisation, while ECBS has legitimate power over external organisations. The result of these power battles is the multiple types of Mobile Payments being developed by the various organisations. The first type is a bank-account-based system, which is also known as wallet-based Mobile Payments. Mobey Forum is the developer of this system, which reflects the expert power of its founders. This payment system is also supported by PayCircle and ECBS, which indicates referent power among these three organisations. The second type is a telco-billing-based system, which is being developed by Simpay. Simpay’s persistence in pursuing this system demonstrates its expert power; its founders are the leading mobile network operators. In addition, this development shows the legitimate power of Simpay’s founder. When developing this system, Simpay demonstrates its informational power in approaching banks to become members. Simpay’s informational power is based on its understanding of the importance of payment systems to banks. However, the commission rate in Simpay’s proposed architecture is too high, which makes it difficult for them to accept the architectures being proposed by the banks. Simpay’s proposed architecture is similarly not supported by other organisations. The third type is credit-card-based, and is being developed by the Mobile Payment Forum. This type of development by the Mobile Payment Forum demonstrates the legitimate power of its founders. Moreover, it also exemplifies the expert power of the founders, which are the leading credit-card institutions. The fact that the Mobile Power Battles 224 in ICT Standards-Setting Process Payment Forum is the most heterogeneous Mobile Payments developing organisation, demonstrates that it has referent power. From the three different types of Mobile Payments being developed, it is obvious that there is a conflict of interests among the involved parties. Each of them would like to gain the maximum outcome by becoming the technological leader through dominant design in the market. As a result, different technologies compete and create the power battles among them. Therefore, one may conclude that the power battles in standardssetting process cause technology variation and lead to the uncertainty of the standards for the technology in question

Implementing the Payment Card Industry (PCI) Data Security Standard (DSS)

Underpinned by the rise in online criminality, the payment card industry (PCI) data security standards (DSS) were introduced which outlines a subset of the core principals and requirements that must be followed, including precautions relating to the software that processes credit card data. The necessity to implement these requirements in existing software applications can present software owners and developers with a range of issues. We present here a generic solution to the sensitive issue of PCI compliance where aspect orientated programming (AOP) can be applied to meet the requirement of masking the primary account number (PAN).  Our architecture allows a definite amount of code to be added which intercepts all the methods specified in the aspect, regardless of future additions to the system thus reducing the amount of work required to the maintain aspect. We believe that the concepts here will provide an insight into how to approach the PCI requirements to undertake the task. The software artefact should also serve as a guide to developers attempting to implement new applications, where security and design are fundamental elements that should be considered through each phase of the software development lifecycle and not as an afterthought