    Analysing the Security of Google's implementation of OpenID Connect

    Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

    Image database system for glaucoma diagnosis support

    This thesis describes an overview of the standard and advanced methods used to diagnose glaucoma at an early stage. Based on the theoretical findings, a web-oriented information system for ophthalmologists is implemented, with three main goals. The first goal is the possibility of sharing a specific patient's personal data without the need to send this data over the Internet. The second goal is to create a patient account based on a complete eye examination. The last goal is to apply an algorithm for the registration of the intensity and colour fundus images and, on its basis, to create a web-oriented three-dimensional visualization of the optic disc. This thesis is part of a DAAD cooperation between the Department of Biomedical Engineering, Brno University of Technology, the Eye Clinic in Erlangen, and the Department of Computer Science, Friedrich-Alexander University, Erlangen-Nurnberg.

    This master thesis describes a conception of standard and advanced eye examination methods used for glaucoma diagnosis in its early stage. According to the theoretical knowledge, a web based information system for ophthalmologists with three main aims is implemented. The first aim is the possibility to share medical data of a specific patient without sending his personal data through the Internet. The second aim is to create a patient account based on a complete eye examination procedure. The last aim is to improve the HRT diagnostic method with an image registration algorithm for the fundus and intensity images and create an optic nerve head web based 3D visualization. This master thesis is a part of a project based on DAAD co-operation between the Department of Biomedical Engineering, Brno University of Technology, the Eye Clinic in Erlangen and the Department of Computer Science, Friedrich-Alexander University, Erlangen-Nurnberg.

    The Failed Promise of User Fees: Empirical Evidence from the United States Patent and Trademark Office

    In an attempt to shed light on the impact of user-fee financing structures on the behavior of administrative agencies, we explore the relationship between the funding structure of the Patent and Trademark Office (PTO) and its examination practices. We suggest that the PTO’s reliance on prior grantees to subsidize current applicants exposes the Agency to a risk that its obligatory costs will surpass incoming fee collections. When such risks materialize, we hypothesize, and thereafter document, that the PTO will restore financial balance by extending preferential examination treatment—i.e., higher granting propensities and/or shorter wait times—to some technologies over others.

    Using Counts as Heuristics for the Analysis of Static Models

    The upstream activities of software development are often viewed as both the most important, in terms of cost, and yet the least understood and most problematic, particularly in terms of satisfying customer requirements. Business process modelling is one solution that is being increasingly used in conjunction with traditional software development, often feeding in to requirements and analysis activities. In addition, research in Systems Engineering for Business Process Change highlights the importance of modelling business processes in evolving and maintaining the legacy systems that support those processes. However, the major use of business process modelling is to attempt to restructure the business process in order to improve some given aspect, e.g., cost or time. This restructuring may be seen either as a separate activity or as a precursor to the development of systems to support the new or improved process. Hence, the analysis of these business models is vital to the improvement of the process, and as a consequence to the development of supporting software systems. Supporting this analysis is the focus of this paper. Business processes are typically described with static (diagrammatic) models. This paper proposes the use of measures (counts) to aid analysis and comparison of these static process descriptions. The proposition is illustrated by showing how measures can be applied to a commonly used process-modelling notation, Role Activity Diagrams (RADs). Heuristics for RADs are described and measures suggested which support those heuristics. An example process is used to show how a coupling measure can be used to highlight features in RADs useful to the process modeller. To fully illustrate the proposition the paper describes and applies a framework for the theoretical validation of the coupling measure. An empirical evaluation follows.
    This is illustrated by two case studies; the first based on the bidding process of a large telecommunications systems supplier, and the second a study of ten prototyping processes across a number of organisations. These studies found that roles of the same type exhibited similar levels of coupling across processes. Where roles did not adhere to tentative threshold values, further investigation revealed unusual circumstances or hidden behaviour. Notably, study of the prototyping roles, which exhibited the greatest variation in coupling, found that coupling was highly correlated with the size of the development team. This suggests that prototyping in large projects had a different process to that for small projects, using more mechanisms for communication. Hence, the empirical studies support the view that counts (measures) may be useful in the analysis of static process models.

    The Effect of Incorporating End-User Customization into Additive Manufacturing Designs

    In the realm of additive manufacturing there is an increasing trend among makers to create designs that allow end-users to alter them prior to printing an artifact. Online design repositories have tools that facilitate the creation of such artifacts. There are currently no rules for how to create a good customizable design or a way to measure the degree of customization within a design. This work defines three types of customization found in additive manufacturing and presents three metrics to measure the degree of customization within designs based on those three types. The goal of this work is ultimately to provide a consistent basis on which a customizable design can be evaluated, in order to assist makers in the creation of new customizable designs that can better serve end-users. The types of customization were defined by searching Thingiverse’s online database of customizable designs and evaluating commonalities between designs. The three types of customization defined by this work are surface, structure, and personal customization. The associated metrics are used to quantify the adjustability of a set of online designs, which are then plotted against the daily use rate and against each other on separate graphs. The use rate data used in this study is naturally biased towards hobbyists because of where the designs used to create the data reside. A preliminary analysis is done on the metrics to evaluate their correlation with design use rate as well as the dependency of the metrics in relation to each other. The trends between the metrics are examined for an idea of how best to provide customizable designs. This work provides a basis for measuring the degree of customization within additive manufacturing design and provides an initial framework for evaluating the usability of designs based on the measured degree of customization relative to the three defined types of customization.