COVID Down Under: where did Australia's pandemic apps go wrong?

Governments and businesses worldwide deployed a variety of technological measures to help prevent and track the spread of COVID-19. In Australia, these applications contained usability, accessibility, and security flaws that hindered their effectiveness and adoption. Australia, like most countries, has transitioned to treating COVID as endemic. However it is yet to absorb lessons from the technological issues with its approach to the pandemic. In this short paper we provide a systematization of the most notable events; identify and review different failure modes of these applications; and develop recommendations for developing apps in the face of future crises. Our work focuses on a single country. However, Australia's issues are particularly instructive as they highlight surprisingly pitfalls that countries should address in the face of a future pandemic

Transactional Scripts in Contract Stacks

Deals accomplished through software persistently residing on computer networks—sometimes called smart contracts, but better termed transactional scripts—embody a potentially revolutionary contracting innovation. Ours is the first precise account in the legal literature of how such scripts are created, and when they produce errors of legal significance.Scripts’ most celebrated use case is for transactions operating exclusively on public, permissionless, blockchains: such exchanges eliminate the need for trusted intermediaries and seem to permit parties to commit ex ante to automated performance. But public transactional scripts are costly both to develop and execute, with significant fees imposed for data storage. Worse, bugs practically can’t be eliminated. The result is that many scripts will terminate in misunderstanding, frustrated intent and failure.When code misdelivers, disappointed parties will seek legal recourse. We argue that jurists should situate scripts within other legally operative statements and disclosures, or contract stacks. Precision about the relationship between script and stack sustains a novel framework, rooted in old doctrines of interpretation, parol evidence and equity, that will help jurists compile answers to the private law problems that digitized exchange entails

Thrombotic microangiopathy and associated renal disorders

Thrombotic microangiopathy (TMA) is a pathological process involving thrombocytopenia, microangiopathic haemolytic anaemia and microvascular occlusion. TMA is common to haemolytic uraemic syndrome (HUS) associated with shiga toxin or invasive pneumococcal infection, atypical HUS (aHUS), thrombotic thrombocytopenic purpura (TTP) and other disorders including malignant hypertension. HUS complicating infection with shiga toxin-producing Escherichia coli (STEC) is a significant cause of acute renal failure in children worldwide, occurring sporadically or in epidemics. Studies in aHUS have revealed genetic and acquired factors leading to dysregulation of the alternative complement pathway. TTP has been linked to reduced activity of the ADAMTS13 cleaving protease (typically with an autoantibody to ADAMTS13) with consequent disruption of von Willebrand factor multimer processing. However, the convergence of pathogenic pathways and clinical overlap create diagnostic uncertainty, especially at initial presentation. Furthermore, recent developments are challenging established management protocols. This review addresses the current understanding of molecular mechanisms underlying TMA, relating these to clinical presentation with an emphasis on renal manifestations. A diagnostic and therapeutic approach is presented, based on international guidelines, disease registries and published trials. Early treatment remains largely empirical, consisting of plasma replacement/exchange with the exception of childhood STEC-HUS or pneumococcal sepsis. Emerging therapies such as the complement C5 inhibitor eculizumab for aHUS and rituximab for TTP are discussed, as is renal transplantation for those patients who become dialysis-dependent as a result of aHUS

Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing

APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools -- either in research or industry -- to effectively find and remediate such issues. This is unsurprising as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations). In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool -- that we call EDEFuzz -- to systematically detect EDEs. EDEFuzz can significantly reduce false negatives that occur during manual inspection and ad-hoc text-matching techniques, the current most-used approaches. We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks -- illustrating our tool's broad applicability and scalability. In a more-tightly controlled experiment of eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65% with minimal configuration, illustrating our tool's accuracy and efficiency

Coin-Operated Capitalism

This Article presents the legal literature’s first detailed analysis of the inner workings of Initial Coin Offerings. We characterize the ICO as an example of financial innovation, placing it in kinship with venture capital contracting, asset securitization, and (obviously) the IPO. We also take the form seriously as an example of technological innovation, where promoters are beginning to effectuate their promises to investors through computer code, rather than traditional contract. To understand the dynamics of this shift, we first collect contracts, “white papers,” and other contract-like documents for the fifty top-grossing ICOs of 2017. We then analyze how such projects’ software code reflected (or failed to reflect) their contractual promises. Our inquiry reveals that many ICOs failed even to promise that they would protect investors against insider self-dealing. Fewer still manifested such contracts in code. Surprisingly, in a community known for espousing a technolibertarian belief in the power of “trustless trust” built with carefully designed code, a significant fraction of issuers retained centralized control through previously undisclosed code permitting modification of the entities’ governing structures. These findings offer valuable lessons to legal scholars, economists, and policymakers about the roles played by gatekeepers; about the value of regulation; and the possibilities for socially valuable private ordering in a relatively anonymous, decentralized environment

A Gentle Tutorial for Lattice-Based Cryptanalysis

The applicability of lattice reduction to a wide variety of cryptographic situations makes it an important part of the cryptanalyst\u27s toolbox. Despite this, the construction of lattices and use of lattice reduction algorithms for cryptanalysis continue to be somewhat difficult to understand for beginners. This tutorial aims to be a gentle but detailed introduction to lattice-based cryptanalysis targeted towards the novice cryptanalyst with little to no background in lattices. We explain some popular attacks through a conceptual model that simplifies the various components of a lattice attack

NOTRY: deniable messaging with retroactive avowal

Modern secure messaging protocols typically aim to provide deniability. Achieving this requires that convincing cryptographic transcripts can be forged without the involvement of genuine users. In this work, we observe that parties may wish to revoke deniability and avow a conversation after it has taken place. We propose a new protocol called Not-on-the-Record-Yet (NOTRY) which enables users to prove a prior conversation transcript is genuine. As a key building block we propose avowable designated verifier proofs which may be of independent interest. Our implementation incurs roughly 8× communication and computation overhead over the standard Signal protocol during regular operation. We find it is nonetheless deployable in a realistic setting as key exchanges (the source of the overhead) still complete in just over 1ms on a modern computer. The avowal protocol induces only constant computation and communication performance for the communicating parties and scales linearly in the number of messages avowed for the verifier—in the tens of milliseconds per avowal