1,357 research outputs found

    Encouraging Privacy-Aware Smartphone App Installation: Finding out what the Technically-Adept Do

    Smartphone apps can harvest very personal details from the phone with ease. This is a particular privacy concern. Unthinking installation of untrustworthy apps constitutes risky behaviour. This could be due to poor awareness or a lack of knowhow: knowledge of how to go about protecting privacy. It seems that Smartphone owners proceed with installation, ignoring any misgivings they might have, and thereby irretrievably sacrifice their privacy.

    The Good, the Bad, and the Actively Verified

    We believe that we can use active probing for compromise recovery. Our intent is to exploit the differences in behavior between compromised and uncompromised systems and use that information to identify those which are not behaving as expected. Those differences may indicate a deviation in either configuration or implementation from what we expect on the network, either of which suggests that the misbehaving entity might not be trustworthy. In this work, we propose and build a case for a method for using altered behavior directly resulting from or introduced as a side-effect of the compromise of a network service to detect the presence of such a compromise. We use several case studies to illustrate our technique, and demonstrate its feasibility with a software tool developed using our method.

    The End-to-End Argument and Application Design: The Role of Trust

    Symposium: Rough Consensus and Running Code: Integrating Engineering Principles into Internet Policy Debates, held at the University of Pennsylvania's Center for Technology Innovation and Competition on May 6-7, 2010. Policy debates about the evolution of the Internet show varying degrees of understanding about the underlying technology. A fundamental principle of the design of the Internet, from the early 1980s, is the so-called end-to-end argument articulated in a seminal technical paper. Intended to provide guidance for what kind of capability is built into a network as opposed to the devices that use the network, the end-to-end argument has been invoked in discussions about freedom, neutrality, and other qualities that may be associated with the supply and use of the Internet and with related public policy. This Article builds on the technical discussions of end-to-end to address the design of applications that use the Internet. It explores the role of trust as a factor in decisions about the structure of applications and their interaction with the Internet as part of a larger system.

    A Personalized Framework for Trust Assessment

    The number of computational trust models has been increasing quickly in recent years, yet their applications for automating trust evaluation are still limited. The main obstacle is the difficulty of selecting a suitable trust model and adapting it to particular trust modeling requirements, which vary greatly due to the subjectivity of human trust. The Personalized Trust Framework (PTF) presented in this paper aims to address this problem by providing a mechanism for human users to capture their trust evaluation process in order for it to be replicated by computers. In more detail, a user can specify how he selects a trust model based on information about the subject whose trustworthiness he needs to evaluate and how that trust model is configured. This trust evaluation process is then automated by the PTF, making use of the trust models flexibly plugged into the PTF by the user. By so doing, the PTF enables users to reuse and personalize existing trust models to suit their requirements without having to reprogram those models.

    Analysis Of Electronic Voting Schemes In The Real World

    Voting is at the heart of a country’s democracy. Assurance in the integrity of the electoral process is pivotal for voters to have any trust in the system. Often, electronic voting schemes proposed in the literature, or even implemented in real-world elections, do not always consider all issues that may exist in the environment in which they might be deployed. In this paper, we identify some real-world issues and threats to electronic voting schemes. We then use the threats we have identified to present an analysis of schemes recently used in Australia and Estonia and present recommendations to mitigate threats to such schemes when deployed in an untrustworthy environment.

    Bootstrapping trust in service oriented architecture

    Services in a service-oriented architecture are designed to meet desired functional and non-functional requirements. Conformance of a service implementation to its functional requirements can be tested by observing the interface of the service, but it is hard to enforce non-functional requirements such as data privacy and safety properties by monitoring the interface alone. Instead, the implementation of the service needs to be monitored for its conformance to the non-functional properties. A requirement's monitor can be deployed to check this conformance. A key problem is that such a monitor must execute in an untrustworthy environment (at the service provider's location). We argue that the integrity of the reported results of such a monitor crucially depends on the integrity of the monitor itself. Previous research results on trustworthy computing have shown that static properties, such as the checksum, of a remote program can be verified using a hardware-based mechanism called trusted platform module. This thesis makes two contributions. First, we extend the traditional notion of a service-oriented architecture to accommodate the requirements for trust. Second, we propose a dynamic attestation mechanism that serves to support our extensions. To evaluate our approach, we have conducted a case study using a commercial requirements monitor and a collection of web service implementations available with Apache Axis implementation. Our case study demonstrates the feasibility of verifying the conformance of a web service executing in an untrusted environment with respect to a class of non-functional requirements using our approach. Lack of data privacy during online transactions is a major cause of concern among e-commerce users. By providing a technique to monitor such properties in a decoupled environment, our work promises to address the issue of guaranteeing the privacy of confidential client data on the provider's side in a Service Oriented Architecture.

    Security Support in Continuous Deployment Pipeline

    Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs - one incorporates security tactics while the other does not. Both CDPs have been analyzed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections.

    Blocking Java Applets at the Firewall

    This paper explores the problem of protecting a site on the Internet against hostile external Java applets while allowing trusted internal applets to run. With careful implementation, a site can be made resistant to current Java security weaknesses as well as those yet to be discovered. In addition, we describe a new attack on certain sophisticated firewalls that is most effectively realized as a Java applet.

    Human Beyond the Machine: Challenges and Opportunities of Microtask Crowdsourcing

    In the 21st century, where automated systems and artificial intelligence are replacing arduous manual labor by supporting data-intensive tasks, many problems still require human intelligence. Over the last decade, by tapping into human intelligence through microtasks, crowdsourcing has found remarkable applications in a wide range of domains. In this article, the authors discuss the growth of crowdsourcing systems since the term was coined by columnist Jeff Howe in 2006. They shed light on the evolution of crowdsourced microtasks in recent times. Next, they discuss a main challenge that hinders the quality of crowdsourced results: the prevalence of malicious behavior. They reflect on crowdsourcing's advantages and disadvantages. Finally, they leave the reader with interesting avenues for future research.