The Evolving Landscape of Internet Control

Over the past two years, we have undertaken several studies at the Berkman Center designed to better understand the control of the Internet in less open societies. During the years we've been engaged in this research, we have seen many incidents that have highlighted the continuing role of the Internet as a battleground for political control, including partial or total Internet shutdowns in China, Iran, Egypt, Libya, and Syria; many hundreds of documented DDoS, hacking, and other cyber attacks against political sites; continued growth in the number of countries that filter the Internet; and dozens of well documented cases of on- and offline persecution of online dissidents. The energy dedicated to these battles for control of the Internet on both the government and dissident sides indicated, if nothing else, that both sides think that the Internet is a critical space for political action. In this paper, we offer an overview of our research in the context of these changes in the methods used to control online speech, and some thoughts on the challenges to online speech in the immediate future

Making defeating CAPTCHAs harder for bots

For a number of years, many websites have used CAPTCHAs to filter out interactions by bots. However, attackers have found ways to circumvent CAPTCHAs by programming bots to solve or bypass them, or even relay them for humans to solve. In order to reduce the chances of success of such attacks, CAPTCHAs can be strengthened by the addition of certain safeguards. In this paper, we discuss seven existing safeguards as well as five novel safeguards designed to make circumventing CAPTCHAs harder. These safeguards are not mutually exclusive and can add multiple layers of protection to a CAPTCHA. We further provide a high-level comparison of their effectiveness in addressing the threat posed by CAPTCHA-defeating techniques. In order to focus on safeguards that are usable, we restrict our attention to those which have minimal adverse effect on the user experience

Bankrupting DoS Attackers

To defend against denial-of-service (DoS) attacks, we employ a technique called resource burning (RB). RB is the verifiable expenditure of a resource, such as computational power, required from clients before receiving service from the server. To the best of our knowledge, we present the first DoS defense algorithms where the algorithmic cost -- the cost to both the server and the honest clients -- is bounded as a function of the attacker's cost. We model an omniscient, Byzantine attacker, and a server with access to an estimator that estimates the number of jobs from honest clients in any time interval. We examine two communication models: an idealized zero-latency model and a partially synchronous model. Notably, our algorithms for both models have asymptotically lower costs than the attacker's, as the attacker's costs grow large. Both algorithms use a simple rule to set required RB fees per job. We assume no prior knowledge of the number of jobs, the adversary's costs, or even the estimator's accuracy. However, these quantities parameterize the algorithms' costs. We also prove a lower bound on the cost of any randomized algorithm. This lower bound shows that our algorithms achieve asymptotically tight costs as the number of jobs grows unbounded, whenever the estimator output is accurate to within a constant factor

Exploiting cloud utility models for profit and ruin

A key characteristic that has led to the early adoption of public cloud computing is the utility pricing model that governs the cost of compute resources consumed. Similar to public utilities like gas and electricity, cloud consumers only pay for the resources they consume and only for the time they are utilized. As a result and pursuant to a Cloud Service Provider\u27s (CSP) Terms of Agreement, cloud consumers are responsible for all computational costs incurred within and in support of their rented computing environments whether these resources were consumed in good faith or not. While initial threat modeling and security research on the public cloud model has primarily focused on the confidentiality and integrity of data transferred, processed, and stored in the cloud, little attention has been paid to the external threat sources that have the capability to affect the financial viability of cloud-hosted services. Bounded by a utility pricing model, Internet-facing web resources hosted in the cloud are vulnerable to Fraudulent Resource Consumption (FRC) attacks. Unlike an application-layer DDoS attack that consumes resources with the goal of disrupting short-term availability, a FRC attack is a considerably more subtle attack that instead targets the utility model over an extended time period. By fraudulently consuming web resources in sufficient volume (i.e. data transferred out of the cloud), an attacker is able to inflict significant fraudulent charges to the victim. This work introduces and thoroughly describes the FRC attack and discusses why current application-layer DDoS mitigation schemes are not applicable to a more subtle attack. The work goes on to propose three detection metrics that together form the criteria for detecting a FRC attack from that of normal web activity and an attribution methodology capable of accurately identifying FRC attack clients. Experimental results based on plausible and challenging attack scenarios show that an attacker, without knowledge of the training web log, has a difficult time mimicking the self-similar and consistent request semantics of normal web activity necessary to carryout a successful FRC attack

Respawn

In Respawn Colin Milburn examines the connections between video games, hacking, and science fiction that galvanize technological activism and technological communities. Discussing a wide range of games, from Portal and Final Fantasy VII to Super Mario Sunshine and Shadow of the Colossus, Milburn illustrates how they impact the lives of gamers and non-gamers alike. They also serve as resources for critique, resistance, and insurgency, offering a space for players and hacktivist groups such as Anonymous to challenge obstinate systems and experiment with alternative futures. Providing an essential walkthrough guide to our digital culture and its high-tech controversies, Milburn shows how games and playable media spawn new modes of engagement in a computerized world

Knowledge acquisition for autonomic network management in emerging self-organizing architectures

Tesis inédita de la Universidad Complutense de Madrid, Facultad de Informática, Departamento de Ingeniería del Software e Inteligencia Artificial, leída el 19/12/2018Los escenarios de red emergentes estan caracterizados por el acceso intensivo a una amplia gama de servicios y aplicaciones que han incrementado las exigencias de las redes de comunicacion. Los modelos de gestion de red tradicionales se han caracterizado a su vez por una alta dependencia del factor humano para llevar a cabo tareas de configuracion y mantenimiento de la red. Esta situacion se ha hecho menos sostenible en las redes moviles no solo por los costes operacionales y de inversion de capital asociados, sino tambien por la complejidad que estas han adquirido ante la inmersion exponencial de dispositivos moviles. Tales aspectos han motivado el surgimiento de la quinta generacion de redes moviles, caracterizadas por indicadores de desempeño ambiciosos que deben cumplirse para satisfacer los niveles de servicio acordados...Emerging network scenarios are characterized by intensive access to a wide range of services and applications that have increased the demands of communication networks. The traditional network management models have been characterized by a high dependence on the human factor to carry out network configuration and maintenance tasks. This situation has become less sustainable in mobile networks not only due to the associated operational (COPEX) and capital investment costs (CAPEX), but also due to the complexity they have acquired when facing the exponential immersion of mobile devices. These aspects have led to the emergence of the fifth generation of mobile networks, characterized by ambitious performance indicators that must be fulfilled to meet the agreed service levels...Fac. de InformáticaTRUEunpu

To Play or Not to Play: Non/Participation in Eve Online

This dissertation addresses a gap in the academic study of digital games whereby investigations remain focused on current players and the experiences of former or non-players are rarely accounted for. Using EVE Online (EVE), a massively multiplayer online game (MMOG) known for its difficult learning curve and homogenous community as a case study, I conducted an investigation of who does/does not play this particular game and their stated reasons for playing or not. I argue that while EVE is positioned in the MMOG market as a sandbox style game where in-game activities are only limited by a players imagination, in reality only a very particular type of play (and player) is publically acknowledged by EVEs developer (CCP Games), the gaming enthusiast press, and academics investigations of this game, emphasizing just how little is known about who plays EVE beyond the stereotypical imagined player. Drawing on literature from leisure studies to articulate a framework for exploring barriers/constraints to gameplay and theoretically informed by feminist theories of technology, I conducted an Internet-based survey to capture the thoughts and experiences of current, former, and non-EVE players. A total of 981 participants completed the survey. In my analysis of open-ended responses, I found that current players described the game in a way that emphasized its exceptionality, relied heavily on jargon, and assumed their reader was already familiar with EVE, its player community, and its surrounding norms and conventions. Non-players who were familiar with the game described their perceptions of EVE being an unwelcoming community meant they had opted out of playing without ever downloading the trial. Former players fell into three groupings: ex-players who had permanently quit EVE, a group who want to play but felt forced to take a temporary break due to external constraints (e.g. exams at school or financial limitations), and a third group would consider returning if changes to their personal circumstances and/or the game happened in future. Ultimately this research complicates what it means to play or not play MMOG, opening up avenues for future research about how access and barriers to digital game play inevitably shift over time

Best Practices and Recommendations for Cybersecurity Service Providers

This chapter outlines some concrete best practices and recommendations for cybersecurity service providers, with a focus on data sharing, data protection and penetration testing. Based on a brief outline of dilemmas that cybersecurity service providers may experience in their daily operations, it discusses data handling policies and practices of cybersecurity vendors along the following five topics: customer data handling; information about breaches; threat intelligence; vulnerability-related information; and data involved when collaborating with peers, CERTs, cybersecurity research groups, etc. There is, furthermore, a discussion of specific issues of penetration testing such as customer recruitment and execution as well as the supervision and governance of penetration testing. The chapter closes with some general recommendations regarding improving the ethical decision-making procedures of private cybersecurity service providers