187 research outputs found

    Online Decision-Aids and Pricing: An Empirical Analysis of the Airline Industry

    A large body of Information Systems research has shown that decision aids can have prominent effects on decision processes. In this respect, there is compelling support for the cost-benefit model, suggesting that cognitive effort can substantially affect decision strategy and outcome. In this paper we examine the implications of the model in the context of the travel industry. In line with the cost-benefit model, when a decision aid facilitates a strategy promoting the choice of low-price airline tickets, the probability that those tickets would be identified and, thus, purchased increases. This, in turn, should increase demand for the low-priced tickets and balance overall demand across flights. Therefore, we hypothesize that as the decision aid provided by a carrier requires less cognitive effort, variations in prices decrease and average prices increase. We empirically test our hypotheses by analyzing prices offered by US legacy carriers over 54 routes. The results broadly support our hypotheses

    Attacks on the RC4 stream cipher


    A practical attack on the fixed RC4 in the WEP mode

    Abstract. In this paper we revisit a known but ignored weakness of the RC4 keystream generator, where secret state info leaks to the generated keystream, and show that this leakage, also known as Jenkins’ correlation or the RC4 glimpse, can be used to attack RC4 in several modes. Our main result is a practical key recovery attack on RC4 when an IV modifier is concatenated to the beginning of a secret root key to generate a session key. As opposed to the WEP attack from [FMS01] the new attack is applicable even in the case where the first 256 bytes of the keystream are thrown and its complexity grows only linearly with the length of the key. In an exemplifying parameter setting the attack recovers a 16-byte key in 2^48 steps using 2^17 short keystreams generated from different chosen IVs. A second attacked mode is when the IV succeeds the secret root key. We mount a key recovery attack that recovers the secret root key by analyzing a single word from 2^22 keystreams generated from different IVs, improving the attack from [FMS01] on this mode. A third result is an attack on RC4 that is applicable when the attacker can inject faults to the execution of RC4. The attacker derives the internal state and the secret key by analyzing 2^14 faulted keystreams generated from this key

    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework---outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware

    Managing Strategic Inventories under Investment in Process Improvement

    In supplier-retailer interactions, the retailer may carry inventories strategically as a bargaining mechanism to induce the supplier to drop the future wholesale price. As per Anand, Anupindi, and Bassok (2008), the introduction of strategic inventories always benefits the supplier and possibly also the retailer if the holding cost is sufficiently low (due to the contract-space-expansion effect). Is such a move beneficial for the supply chain agents in the presence of process improvement efforts? Such efforts—initiated by suppliers—ultimately reduce production cost and may translate into lower wholesale prices as well as lower consumer prices. We find that strategic inventories may stimulate investment in process improvement when the holding cost is high (as it encourages the supplier to further reduce future cost to eliminate the need for strategic inventories), but may suppress such investment when the holding cost is low (as strategic inventories are cheap to stock and hence cannot be eliminated). Our key result, contrary to the existing literature, is that strategic inventories may be harmful to both supply chain agents in the presence of process improvement. In that case, the supplier effectively over-invests in process improvement efforts, inducing the retailer to reduce the stock of strategic inventories, while reversing the benefits of the contract-space-expansion effect. We also consider variations to the model, whereby the supplier may delay his investment decision, the holding cost may be a function of the wholesale price set by the supplier, consumers may behave strategically, and the planning horizon may consist of multiple periods

    MV3: A new word based stream cipher using rapid mixing and revolving buffers

    MV3 is a new word based stream cipher for encrypting long streams of data. A direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word version will obviously need vast amounts of memory. This scaling issue necessitates a look for new components and principles, as well as mathematical analysis to justify their use. Our approach, like RC4's, is based on rapidly mixing random walks on directed graphs (that is, walks which reach a random state quickly, from any starting point). We begin with some well understood walks, and then introduce nonlinearity in their steps in order to improve security and show long term statistical correlations are negligible. To minimize the short term correlations, as well as to deter attacks using equations involving successive outputs, we provide a method for sequencing the outputs derived from the walk using three revolving buffers. The cipher is fast -- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor. A word based cipher needs to output more bits per step, which exposes more correlations for attacks. Moreover we seek simplicity of construction and transparent analysis. To meet these requirements, we use a larger state and claim security corresponding to only a fraction of it. Our design is for an adequately secure word-based cipher; our very preliminary estimate puts the security close to exhaustive search for keys of size < 256 bits. Comment: 27 pages, shortened version will appear in "Topics in Cryptology - CT-RSA 2007"