20 research outputs found

    Verifying Authenticity of Currency and Tracking Duplicates

    To enable merchants and other persons to verify the validity and/or authenticity of paper currency notes, a digital signature can be applied to the currency notes. The digital signature is generated based on a serial number included on the note and a private key. Persons can verify the authenticity of the notes by sending either the serial number and signature, or a photograph of the note, to a server. The server can indicate whether the signature is valid for the serial number, indicating the authenticity of the note. In case of counterfeit notes that duplicate the serial numbers and signatures of valid notes, the server can track the verifications of notes, and if the same note is verified at remote locations within a short time span, the note, locations, and time can be flagged to follow up for a possible duplicated, counterfeit note.

    Organizational productivity metrics from document collaboration

    Research has identified many characteristics of productive teams, e.g., initiative, helpfulness, time efficiency, work quality, etc. A metric for productivity that provides a measure of team productivity can help teams identify specific areas of improvement. Techniques disclosed herein identify different aspects of productivity that can be observed in online communication and document creation/management systems. For example, such aspects can include creation of documents, collaborative editing of documents, and communication between users. Further, these aspects are measured to compute a productivity metric. A multigraph is constructed with nodes representing users and edges representing the weight (quality) of creation, collaboration, and communication events. The productivity metric is computed based on the connectivity of the multigraph, the quality of the edges, and the individual nodes.

    DoubleCheck: Multi-path Verification Against Man-in-the-Middle Attacks

    Self-signed certificates for SSL and self-generated host keys for SSH are popular zero-cost, simple alternatives to public key infrastructure (PKI). They provide security against man-in-the-middle attacks, as long as the client connecting to those services knows the certificates or host keys a priori. A simple solution used in practice is to trust the certificate or the host key when the client connects to a server for the first time. This approach is susceptible to man-in-the-middle attacks, a fact exploited by adversaries in a variety of attacks against unsuspecting users. We develop a simple and scalable solution named DoubleCheck to protect against such attacks. Our solution is achieved by retrieving the certificate from a remote host using multiple alternate paths. Our scheme does not require any new infrastructure; we make use of the Tor anonymity system to reach the destination using multiple independent paths. Hence our solution is easy to deploy in practice. Our solution does not introduce any privacy concerns. We have implemented DoubleCheck as SSH and Firefox extensions, demonstrating its practicality. Our experimental evaluation shows that the impact of DoubleCheck on performance is minimal, since the Tor network is used only for retrieving the certificate for the first time, while the data transfer and subsequent connection establishment follow normal routing rules. Our scheme is an effective way of mitigating the impact of man-in-the-middle attacks without requiring new infrastructure and at low overhead.

    Simple Pre-Provisioning Scheme to Enable Fast Restoration

    Predictable Management of System Resources for Linux

    In current operating systems, a process acts both as a protection domain and as a resource principal. This may not be the right model, as a user may like to see a set of processes or a sub-activity in a process as a resource principal. Another problem is that much of the processing may happen in the interrupt context, where it will not be accounted for properly. Resource Containers[1] have been introduced to solve such problems in the large-scale server systems context by separating out the protection domain from the resource principal by associating and charging all the processing to the correct container. This paper tries to investigate how this model fits into a Linux framework, especially in the soft real-time context. We show that this model allows us to allocate resources in a predictable manner and hence can be used for scheduling soft real-time tasks like multimedia. We also provide a framework in Linux which allows privileged users to have their own schedulers for scheduling a group of activities so that they can make use of the domain knowledge about the applications. We also extend this model to allow multiple scheduling classes.

    DIPLOMA: Distributed Policy Enforcement Architecture for MANETs

    The lack of a well-defined defense perimeter in MANETs prevents the use of traditional firewalls, and requires the security to be implemented in a distributed manner. We recently introduced a novel deny-by-default distributed security policy enforcement architecture for MANETs by harnessing and extending the concept of network capabilities. The deny-by-default principle allows compromised nodes to access only authorized services, limiting their ability to disrupt or even interfere with end-to-end connectivity and nodes beyond their local communication radius. The enforcement of policies is done hop-by-hop, in a distributed manner. In this paper, we present the implementation of this architecture, called DIPLOMA, on Linux. Our implementation works at the network layer, and does not require any changes to existing applications. We identify the bottlenecks of the original architecture and propose improvements, including a signature optimization, so that it works well in practice. We present the results of evaluating the architecture in a realistic MANET testbed, Orbit. The results show that the architecture incurs minimal overhead in throughput, latency and jitter. We also show that the system protects network bandwidth and the end hosts in the presence of attackers. To that end, we identify ways of creating multi-hop topologies in indoor environments so that a bad node cannot interfere with every other node. We also show that existing applications are not impacted by the new architecture, achieving good performance.