Mitigating man-in-the-middle attacks on mobile devices by blocking insecure http traffic without using vpn

Mobile devices are constantly connected to the Internet, making countless connections with remote services. Unfortunately, many of these connections are in cleartext, visible to third-parties while in transit. This is insecure and opens up the possibility for man-in-the-middle attacks. While there is little control over what kind of connection running apps can make, this paper presents a solution in blocking insecure HTTP packets from leaving the device. Specifically, the proposed solution works on the device, without the need to tunnel packets to a remote VPN server, and without special privileges such as root access. Speed tests were performed to quantify how much network speed is being impacted while filtering. To investigate how blocking HTTP traffic can affect day-to-day usage, common tasks were put to the tests, tasks such as browsing, searching, emailing, instant messaging, social networking, consuming streaming content, and gaming. The results from the tests are interesting, websites that do not support HTTPS were exposed, apps that do not fully support HTTPS were also being uncovered. One surprisingly, and arguably pleasant, side effect was discovered – the filtering solution blocks out advertisements in all of the games being tested, hence contributing to an improved gaming experience

India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities

India\u27s Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India\u27s 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies

Survey of smart parking systems

The large number of vehicles constantly seeking access to congested areas in cities means that finding a public parking place is often difficult and causes problems for drivers and citizens alike. In this context, strategies that guide vehicles from one point to another, looking for the most optimal path, are needed. Most contributions in the literature are routing strategies that take into account different criteria to select the optimal route required to find a parking space. This paper aims to identify the types of smart parking systems (SPS) that are available today, as well as investigate the kinds of vehicle detection techniques (VDT) they have and the algorithms or other methods they employ, in order to analyze where the development of these systems is at today. To do this, a survey of 274 publications from January 2012 to December 2019 was conducted. The survey considered four principal features: SPS types reported in the literature, the kinds of VDT used in these SPS, the algorithms or methods they implement, and the stage of development at which they are. Based on a search and extraction of results methodology, this work was able to effectively obtain the current state of the research area. In addition, the exhaustive study of the studies analyzed allowed for a discussion to be established concerning the main difficulties, as well as the gaps and open problems detected for the SPS. The results shown in this study may provide a base for future research on the subject.Fil: Diaz Ogás, Mathias Gabriel. Universidad Nacional de San Juan. Facultad de Ciencias Exactas, Físicas y Naturales; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - San Juan; ArgentinaFil: Fabregat Gesa, Ramon. Universidad de Girona; EspañaFil: Aciar, Silvana Vanesa. Universidad Nacional de San Juan. Facultad de Ciencias Exactas, Físicas y Naturales; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - San Juan; Argentin

Computing homomorphic program invariants

Program invariants are properties that are true at a particular program point or points. Program invariants are often undocumented assertions made by a programmer that hold the key to reasoning correctly about a software verification task. Unlike the contemporary research in which program invariants are defined to hold for all control flow paths, we propose \textit{homomorphic program invariants}, which hold with respect to a relevant equivalence class of control flow paths. For a problem-specific task, homomorphic program invariants can form stricter assertions. This work demonstrates that the novelty of computing homomorphic program invariants is both useful and practical. Towards our goal of computing homomorphic program invariants, we deal with the challenge of the astronomical number of paths in programs. Since reasoning about a class of program paths must be efficient in order to scale to real-world programs, we extend prior work to efficiently divide program paths into equivalence classes with respect to control flow events of interest. Our technique reasons about inter-procedural paths, which we then use to determine how to modify a program binary to abort execution at the start of an irrelevant program path. With off-the-shelf components, we employ the state-of-the-art in fuzzing and dynamic invariant detection tools to mine homomorphic program invariants. To aid in the task of identifying likely software anomalies, we develop human-in-the-loop analysis methodologies and a toolbox of human-centric static analysis tools. We present work to perform a statically-informed dynamic analysis to efficiently transition from static analysis to dynamic analysis and leverage the strengths of each approach. To evaluate our approach, we apply our techniques to three case study audits of challenge applications from DARPA\u27s Space/Time Analysis for Cybersecurity (STAC) program. In the final case study, we discover an unintentional vulnerability that causes a denial of service (DoS) in space and time, despite the challenge application having been hardened against static and dynamic analysis techniques

Privacy of User Identities in Cellular Networks

This thesis looks into two privacy threats of cellular networks. For their operations, these networks have to deal with unique permanent user identities called International Mobile Subscriber Identity (IMSI). One of the privacy threats is posed by a device called IMSI catcher. An IMSI catcher can exploit various vulnerabilities. Some of these vulnerabilities are easier to exploit than others. This thesis looks into fixing the most easily exploitable vulnerability, which is in the procedure of identifying the subscriber. This vulnerability exists in all generations of cellular networks prior to 5G. The thesis discusses solutions to fix the vulnerability in several different contexts. One of the solutions proposes a generic approach, which can be applied to any generation of cellular networks, to fix the vulnerability. The generic approach uses temporary user identities, which are called pseudonyms, instead of using the permanent identity IMSI. The thesis also discusses another solution to fix the vulnerability, specifically in the identification procedure of 5G. The solution uses Identity-Based Encryption (IBE), and it is different from the one that has been standardised in 5G. Our IBE-based solution has some additional advantages that can be useful in future works. The thesis also includes a solution to fix the vulnerability in the identification procedure in earlier generations of cellular networks. The solution fixes the vulnerability when a user of a 5G network connects to those earlier generation networks. The solution is a hybridisation of the pseudonym-based generic solution and the standardised solution in 5G. The second of the two threats that this thesis deals with is related to the standards of a delegated authentication system, known as Authentication and Key Management for Applications (AKMA), which has been released in July 2020. The system enables application providers to authenticate their users by leveraging the authentication mechanism between the user and the user's cellular network. This thesis investigates what requirements AKMA should fulfil. The investigation puts a special focus on identifying privacy requirements. It finds two new privacy requirements, which are not yet considered in the standardisation process. The thesis also presents a privacy-preserving AKMA that can co-exist with a normal-mode AKMA.Väitöskirjassa tutkitaan kahta yksityisyyteen kohdistuvaa uhkaa mobiiliverkoissa. Näissä verkoissa käyttäjät tunnistetaan yksikäsitteisen pysyvän identiteetin perusteella. Hyökkääjä voi uhata käyttäjän yksityisyyttä sellaisen radiolähettimen avulla, joka naamioituu mobiiliverkon tukiasemaksi. Tällainen väärä tukiasema voi pyytää lähellä olevia mobiililaitteita kertomaan pysyvän identiteettinsä, jolloin hyökkääjä voi esimerkiksi selvittää, onko tietyn henkilön puhelin lähistöllä vai ei. Väitöskirjassa selvitetään, millaisilla ratkaisuilla tämän tyyppisiltä haavoittuvuuksilta voidaan välttyä. Viidennen sukupolven mobiiliteknologian standardiin on sisällytetty julkisen avaimen salaukseen perustuva suojaus käyttäjän pysyvälle identiteetille. Tällä ratkaisulla voidaan suojautua väärän tukiaseman uhkaa vastaan, mutta se toimii vain 5G-verkoissa. Yksi väitöskirjassa esitetyistä vaihtoehtoisista ratkaisuista soveltuu käytettäväksi myös vanhempien mobiiliteknologian sukupolvien yhteydessä. Ratkaisu perustuu pysyvän identiteetin korvaamiseen pseudonyymillä. Toinen esitetty ratkaisu käyttää identiteettiin pohjautuvaa salausta, ja sillä olisi tiettyjä etuja 5G-standardiin valittuun, julkisen avaimen salaukseen perustuvaan menetelmään verrattuna. Lisäksi väitöskirjassa esitetään 5G-standardiin valitun menetelmän ja pseudonyymeihin perustuvan menetelmän hybridi, joka mahdollistaisi suojauksen laajentamisen myös aiempiin mobiiliteknologian sukupolviin. Toinen väitöskirjassa tutkittu yksityisyyteen kohdistuva uhka liittyy 5G-standardin mukaiseen delegoidun tunnistautumisen järjestelmään. Tämä järjestelmä mahdollistaa käyttäjän vahvan tunnistautumisen automaattisesti mobiiliverkon avulla. Väitöskirjassa tutkitaan järjestelmälle asetettuja tietoturvavaatimuksia erityisesti yksityisyyden suojan näkökulmasta. Työssä on löydetty kaksi vaatimusta, joita ei ole toistaiseksi otettu huomioon standardeja kehitettäessä. Lisäksi työssä esitetään ratkaisu, jolla delegoidun tunnistautumisen järjestelmää voidaan laajentaa paremmin yksityisyyttä suojaavaksi

Loss and Damage from Climate Change: Concepts, Principles and Policy Options.

This book provides an authoritative insight on the Loss and Damage discourse by highlighting state-of-the-art research and policy linked to this discourse and articulating its multiple concepts, principles and methods. Written by leading researchers and practitioners, it identifies practical and evidence-based policy options to inform the discourse and climate negotiations. With climate-related risks on the rise and impacts being felt around the globe has come the recognition that climate mitigation and adaptation may not be enough to manage the effects from anthropogenic climate change. This recognition led to the creation of the Warsaw International Mechanism on Loss and Damage in 2013, a climate policy mechanism dedicated to dealing with climate-related effects in highly vulnerable countries that face severe constraints and limits to adaptation. Endorsed in 2015 by the Paris Agreement and effectively considered a third pillar of international climate policy, debate and research on Loss and Damage continues to gain enormous traction. Yet, concepts, methods and tools as well as directions for policy and implementation have remained contested and vague. Suitable for researchers, policy-advisors, practitioners and the interested public, the book furthermore: • discusses the political, legal, economic and institutional dimensions of the issue • highlights normative questions central to the discourse • provides a focus on climate risks and climate risk management. • presents salient case studies from around the world

Decoding Legalese Without Borders: Multilingual Evaluation of Language Models on Long Legal Texts

Pretrained transformers have sparked an explosion of research in the field of Natural Language Processing (NLP). Scaling up language models based on the transformer architecture in terms of size, compute, and data led to impressive emergent capabilities that were considered unattainable in such a brief span, a mere three years ago, prior to the launch of GPT-3. These advances catapulted the previously niche field of legal NLP into the mainstream, at the latest, with GPT-4 passing the bar. Many products based on GPT-4 and other large language models are entering the market at an increasing pace, many of those targeting the legal field. This dissertation makes contributions in two key areas within Natural Language Processing (NLP) focused on legal text: resource curation and detailed model analysis. First, we curate an extensive set of multilingual legal datasets, train a variety of language models on these, and establish comprehensive benchmarks for evaluating Large Language Models (LLMs) in the legal domain. Second, we conduct a multidimensional analysis of model performance, focusing on metrics like explainability and calibration in the context of Legal Judgment Prediction. We introduce novel evaluation frameworks and find that while our trained models exhibit high performance and better calibration than human experts, they do not necessarily offer improved explainability. Furthermore, we investigate the feasibility of re-identification in anonymized legal texts, concluding that large-scale re-identification using LLMs is currently unfeasible. For future work, we propose exploring domain adaptation and instruction tuning to enhance language model performance on legal benchmarks, while also advocating for a detailed examination of dataset overlaps and model interpretability. Additionally, we emphasize the need for dataset extension to unexplored legal tasks and underrepresented jurisdictions, aiming for a more comprehensive coverage of the global legal landscape in NLP resources

Emergent powers in the field of peacebuilding: modalities, interactions and impact of Indian and Chinese engagement in the peace processes of Nepal and Myanmar

The global emergence of countries like India and China has given rise to questions about how these emergent powers will engage with the various manifestations of the West-led liberal world order, including fields of humanitarian assistance, human rights, peace processes, and international development. This thesis explores this broader debate in the field of peacebuilding. Using the cases of Nepal and Myanmar, it probes how emergent powers, India and China, engage in the peace processes in countries in their region of influence or their immediate neighbourhood. In doing so, it explores how this engagement of emergent powers interacts with, and impacts, liberal peacebuilding projects on the ground. Finally, it examines how such plural and diverse sources of international engagement impact the political settlements in Nepal and Myanmar, at a precise moment when these countries are undertaking a peace process. Standing at the juncture of the three distinct bodies of scholarship, namely, regional foreign policies of India and China, liberal peacebuilding, and political settlements, this research takes a qualitative and inductive approach. It draws primarily on document analysis and elite interviews in Nepal and Myanmar, both countries having closely witnessed the simultaneous engagement of India and China and of liberal peacebuilders. Empirical evidence from Nepal and Myanmar shows that India and China speak a distinct vernacular of peace that cannot be encapsulated within the domain of liberal peacebuilding. This thesis proposes an alternative framework, conceptualised as Emergent Power Regional Conflict Management (EPRCM). It argues that the key features of EPRCM approach are: stability, development, unevenly applied state-centricity, rejection of the universality of liberal peace, prioritisation of regional actors in conflict resolution, and an underlying pragmatism that disdains the use of templates and policies in conflict-resolution. It contends that though EPRCM co-exists with liberal peacebuilding projects, this co-existence is defined by limited interaction, and a few instances of active contestation between the two, specifically when liberal peacebuilders are thought to be detrimental to the interests of emergent powers. A core area of convergence between them, however, is their joint focus on supporting peace agreements, which attempt to end conflicts. Within this negotiated co-existence between the two forms of international engagement, EPRCM is entrenched and vested, while liberal peacebuilding is weak and compromised, both by the strength of the EPRCM but also through the agency of local elites, who undercut and co-opt liberal peacebuilders. This thesis also argues that plural forms of international engagement, defined by the pragmatism and strength of EPRCM, and the timidity of liberal peacebuilding, with little interaction between the two, enables elites in Nepal and Myanmar to co-opt and hedge against all forms of international pressure. This increased autonomy of domestic elites leads them to renounce international and domestic pressure to make the political settlements inclusive, leading to hybrid peace structures. These structures embody some liberal precepts grounded on the agendas of the peace process, but are largely status quoist and illiberal. These illiberal hybrid peace structures continue to buoy the dominance of the elites and compromise on the key agenda of the peace process: the change of the political settlements