Lecturer (≅ Assistant Professor/Juniorprofessor/Maître de conférences) in Cryptography at King’s College London

As you may or may not have heard, I will join the Department of Informatics at King’s College London from 2023. Specifically, I will join the Cybersecurity Group there with the aim to build a cryptography lab. As part of that plan, we are going to hire for four staff positions (three at the lecturer level, one at the senior lecturer level). The first of these is now on the market:

Note that the plan here is not to build a lab devoted exclusively to lattice-based cryptography, mathematical cryptography, post-quantum cryptography or cryptanalysis; our ambition is to build a lab with expertise across cryptography. I think this creates a fun and interesting research environment. So consider applying if you consider FSE, CHES, PKC, TCC or RWC your home venue, or any other area of cryptography.

Normally, in this genre of blog posts I’d now go on talking about how amazing the department and everybody in it is, but I’ve yet to start at KCL myself. However, everything I’ve seen so far makes me really quite optimistic: the department is strong and the people are nice.

The application deadline is somewhat far into the future (1 March 2023). So, if you like, there’s plenty of time to reach out to discuss or even to come visit us to check us out.

We’d appreciate any help in spreading the word. Happy to answer any questions I can answer or to direct you to someone who can.


Lecturer (≅ Assistant Professor/Juniorprofessor/Maître de conférences) in Computer Science (Quantum Computing)

Our colleagues in Computer Science (I am a computer scientist by training but I sit in the Department of Information Security aka the “Information Security Group”) are looking to hire a lecturer (roughly equivalent to assistant professor, Juniorprofessor or maître de conférences) with a focus on quantum algorithms. I’m reproducing the full ad below, but here’s why I think that’s rather exciting and you should apply if that’s your jam.

As you may know, several of us in the ISG work in the area of post-quantum cryptography, an area adjacent to quantum computing. To give some examples: Simon and co-authors showed that there are regimes where subexponential quantum attacks on SIDH exist; Eamonn, co-authors and I gave resource estimates for running quantum sieving attacks on lattice-based schemes; Carlos and co-authors gave polynomial-time quantum attacks (i.e. with superposition queries) against the CPA security of contracting Feistel structures; Chris discussed the impact of quantum computing on 5G; Fernando and co-authors gave resource estimates (and Q# code!) for breaking AES on a quantum computer; Eamonn and co-authors improved “low-memory” sieving in a quantum setting. We have a lively research community of PhD students, postdocs and staff. Speaking of PhD students, thanks to our CDT in Cyber Security of the Everyday, we are currently recruiting 10 students per year across the field of information security, including the “quantum threat”. Moreover, as mentioned in the ad, the College considers quantum a key priority. Some of our physicists work in various areas of quantum, and some of our mathematicians work on quantum dynamics.

Feel free to reach out to me if you want to discuss what it is like working at Royal Holloway. For specifics about this post, reach out to Magnus (HoD of CS). Also feel encouraged to disseminate this ad through your networks.


We’re hiring!

The ISG is recruiting two lecturers (≡ assistant professor in the US system/Juniorprofessor in Germany/Maître de conférences in France). These are full-time, permanent research and teaching positions.

Let me give you a personal pitch of why you should apply:

  • It’s a big group. We got 23 permanent members of staff working across the field of information security: cryptography, systems and social foundations. Check out our seminar programme and our publications to get a sense of what is going on in the group.
  • More specific perhaps to this audience: We have a big cryptography group with 9 permanent members of staff, several postdocs and many PhD students. Check out our website, publications and our joint seminar series with ENS Lyon and CWI Amsterdam to get a sense.
  • It’s a group with a good mix of areas and lots of interaction. UK universities don’t work like German ones, where professors have their little empires which don’t interact all that much. Rather, the hierarchies are pretty flat within a department (everybody is line managed by the Head of Department, Chris Mitchell, who is great), which facilitates more interaction; at least within the ISG that’s true. For example, I doubt the sort of collaboration that led to our HK paper would have come about if we didn’t attend the same meetings, teach the same modules, go to lunch and the pub together, etc. Interdisciplinarity from above is annoying; when it emerges spontaneously it can be great.
  • It’s a nice group. People are genuinely friendly and we help each other out. It will be easy to find someone to proofread your grant applications or share previously successfully funded ones, etc. I don’t know any official numbers but the unionisation level seems to be relatively high, which I also take as an indication that people don’t adopt an “everyone for themselves” approach.
  • We got funding for our Centre for Doctoral Training for the next few years (then we have to reapply). This means 10 PhD positions per year. Also, our CDT attracts strong students. My research career really took off after getting a chance to work with our amazing students.
  • The ISG is its own department (in a school with Physics, EE, Mathematics and Computer Science). All of our teaching is on information security with a focus on our Information Security MSc (which is huge). So you’ll get to teach information security.
  • The ISG has strong industry links. Thus, if that’s your cup of tea, it will be easy to get introductions etc. A side effect of these strong links is that consulting opportunities tend to pop up. Consulting is not only permitted by the employer but encouraged (they take a cut if you do it through them).
  • The ISG is a large group but Royal Holloway is a relatively small university. That means getting things done by speaking to the person in charge is often possible, i.e. it’s not some massive bureaucracy and exceptions can be negotiated.
  • It’s within one standard deviation from London. This means UCL and Surrey, and thus the researchers there, aren’t too far away. Also, you get to live in London (or near Egham if that’s your thing, no judgement).

We’d appreciate any help in spreading the word. Happy to answer questions, just get in touch.


Reader/Senior Lecturer/Associate Professor in the ISG

The ISG is recruiting a senior lecturer/reader (≡ associate professor in the US system). This is a full-time, permanent research and teaching position.

Look, I know this is post-Brexit England but let me give you a personal pitch of why you should apply:

  • It’s a big group. We got ~20 permanent members of staff working across the field of information security: cryptography, systems and social. Check out our seminar programme and our publications to get a sense of what is going on in the group.
  • It’s a group with a good mix of areas and lots of interaction. UK universities don’t work like German ones, where professors have their little empires which don’t interact all too much. Rather, the hierarchies are pretty flat within a department (everybody is line managed by the Head of Department), which facilitates more interaction; at least within the ISG that’s true. For example, I’m currently working on a project with someone from the systems and software security lab and one of our social scientists. I doubt this sort of collaboration would have come about if we didn’t attend the same meetings, teach the same modules, go to lunch and the pub together, etc. Interdisciplinarity from above is annoying; when it emerges spontaneously it can be great.
  • It’s a nice group. People are genuinely friendly and we help each other out. It will be easy to find someone to proofread your grant applications or share previously successfully funded ones, etc. I don’t know any official numbers but the unionisation level seems to be relatively high, which I also take as an indication that people don’t adopt an “everyone for themselves” approach.
  • We got funding for our Centre for Doctoral Training for the next few years (then we have to reapply). This means 10 PhD positions per year. Also, our CDT attracts strong students. My research career really took off after getting a chance to work with our amazing students.
  • The ISG is its own department (in a school with Physics, EE, Mathematics and Computer Science). All of our teaching is on information security with a focus on our Information Security MSc (which is huge). So you’ll get to teach information security.
  • The ISG has strong industry links. Thus, if that’s your cup of tea, it will be easy to get introductions etc. A side effect of these strong links is that consulting opportunities tend to pop up. Consulting is not only permitted by the employer but encouraged (they take a cut if you do it through them).
  • The ISG is a large group but Royal Holloway is a relatively small university. That means getting things done by speaking to the person in charge is often possible, i.e. it’s not some massive bureaucracy and exceptions can be negotiated.
  • It’s within one standard deviation from London. This means UCL and Surrey, and thus the researchers there, aren’t too far away. Also, you get to live in London (or near Egham if that’s your thing, no judgement).

We’d appreciate any help in spreading the word. Happy to answer any questions I can answer.

The ad says “senior lecturer” but, speaking for myself, I’d recommend applying even if you’re at the lecturer/assistant professor/Juniorprofessor stage in your career. Also, I’d encourage people from all areas of information security to apply.


The 31st HP/HPE (Virtual) Colloquium on Information Security

This year, my colleague Rikke Jensen and I took over coordinating “HP/HPE Day”, our department’s annual flagship event. It will take place as a virtual event this year, which allows us to invite a bit more broadly than we usually do. Registration is free but mandatory – tickets will be allocated on a first come, first served basis.


The Vacuity of the Open Source Security Testing Methodology Manual

Our paper – together with Rikke Jensen – on the Open Source Security Testing Methodology Manual has been accepted to the Security Standardisation Research Conference (SSR 2020). Here’s the abstract:

The Open Source Security Testing Methodology Manual (OSSTMM) provides a “scientific methodology for the accurate characterization of operational security”. It is extensively referenced in writings aimed at security testing professionals such as textbooks, standards and academic papers. In this work we offer a fundamental critique of OSSTMM and argue that it fails to deliver on its promise of actual security. Our contribution is threefold and builds on a textual critique of this methodology. First, OSSTMM’s central principle is that security can be understood as a quantity of which an entity has more or less. We show why this is wrong and how OSSTMM’s unified security score, the rav, is an empty abstraction. Second, OSSTMM disregards risk by replacing it with a trust metric which confuses multiple definitions of trust and, as a result, produces a meaningless score. Finally, OSSTMM has been hailed for its attention to human security. Yet it understands all human agency as a security threat that needs to be constantly monitored and controlled. Thus, we argue that OSSTMM is neither fit for purpose nor can it be salvaged, and it should be abandoned by security professionals.

This is most definitely the strangest paper I have ever written. First, the idea for writing this paper came out of teaching IY5610 Security Testing in the Information Security MSc at Royal Holloway. Where my employer likes the tagline “research inspired teaching”, I guess this is a case of “teaching inspired research”.

Second, this paper, bringing together scholarship from many different disciplines, has a most eclectic list of references: security testing, cryptography, HCI, ethnography, military field manuals, supreme court decisions, we got it all.

Third, the paper is unusual, at least for information security, in how it proceeds:

While information security research routinely features critiques of security technologies in the form of “attack papers”, analogues of such works for policies, frameworks and conceptions are largely absent from its core venues. This work is a textual critique of OSSTMM based on a close reading of the methodology and pursues two purposes. First, immediately, to show that OSSTMM is inadequate as a security testing methodology, despite being referenced routinely in the security testing literature. Second, more mediated, to show that the ideas at the core of OSSTMM are wrong. As we show [later in the paper], these ideas are not OSSTMM’s privilege. It is for this reason that we chose the form of a textual critique over alternative approaches such as empirical studies to the effectiveness of OSSTMM in practice.

That said, the paper says things that I think are worth saying beyond OSSTMM. Both bogus quantification and questionable ideas about social aspects of information security are widespread in the field. Thus, while OSSTMM provides particularly striking examples of these mistakes, we think our points apply more broadly:

While OSSTMM expresses the methodological dogma that scientific knowledge equals quantification particularly crudely, this is not its privilege. Rather, this conviction is common across information security, as exemplified, for example, in CVSS, which claims to score security vulnerabilities by a single magnitude. Moreover, the somewhat bad reputation of security testing as a “tickbox exercise” speaks of the same limitation: counting rather than understanding. Echoing the critique of CVSS, we thus suggest, too, that security professionals “skip converting qualitative measurements to numbers”. The healthy debates in other disciplines provide material for a debate within information security to examine the correctness and utility of assigning numerical values to various pieces of data.

A mistake we criticise in OSSTMM is the failure to recognise that the moments of a social organisation are different from the moments of a computer network. This, too, is no privilege of OSSTMM as can be easily verified by the prevalence of mantras along the lines of “humans/people/users are the weakest link”. This standpoint, which is as prevalent as it is wrong, offers the curious indictment that people fail to integrate into a piece of technology that does not work for them. In the context of security testing this standpoint has a home under the heading of “social engineering” and its most visible expression: routine but ineffective phishing simulations. It is worth noting, though, that even when the focus is exclusively on technology, not engaging with the social relations that this technology ought to serve may produce undesirable results, for example leading to designs of technological controls with draconian effects where less invasive means would have been adequate.

More broadly, the tendency of information security to rely on psychology, dominated by individualistic and behavioural perspectives and quantitative approaches to understanding social and human aspects of security, may represent an obstacle. Alternative methodological approaches from the social sciences, particularly from sociology and even anthropology, such as semi-structured interviews, participant-led focus groups and ethnography offer promising avenues to deeply understand the security practices and needs in an organisation.

More on those 10 PhD Positions at Royal Holloway’s CDT in Cyber Security

My colleagues who work on the social/cultural side of (information) security together with colleagues from other departments have put together an outline for people who come from disciplines such as Human Geography, Sociology, Criminology, Law, Political Science, International Relations, Classics, Archaeology, Cultural Studies and Media Studies.

Fully Funded 4-year PhD Studentships at the EPSRC funded Royal Holloway Centre for Doctoral Training in Cyber Security for the Everyday

We are pleased to advertise positions for up to 10 PhD studentships to begin in September 2019 at the new Centre for Doctoral Training (CDT) in Cyber Security for the Everyday at Royal Holloway University of London.

We seek applications or informal expressions of interest from students and researchers with an interest in cyber security. In addition to Mathematics and Computer Science, relevant disciplines may include Human Geography, Sociology, Criminology, Law, Political Science, International Relations, Classics, Archaeology, Cultural Studies, Media Studies and more.

Building on two previous Centres for Doctoral Training in Cyber Security based at Royal Holloway, and anchored within the Information Security Group, the new CDT reflects the growth in and need for interdisciplinary research which critically engages with everyday cyber security questions. It does so by combining an understanding of technical systems with social science and humanities approaches to cyber security, personal information and growing datafication. In a broad sense, PhD projects will explore cyber security in the context of societal needs, critically evaluate the contribution cyber security makes to societal and individual securities and place discussions over the ethics, rights, responsibility and fairness of cyber security at the centre rather than at the periphery. Other academic departments involved in the Centre include Computer Science, Geography, Law, Psychology and Politics and IR.

Whilst broad in scope, the CDT is driven by two overarching strands of enquiry:

  • The technologies deployed in digital systems that people use, sometimes inadvertently, every day; and
  • Everyday societal experiences of cyber security, including how different societies, communities, groups and individuals conceptualise, materialise, negotiate, and respond to increasingly digitally mediated and technologically driven worlds.

A central aspect of the CDT programme is interdisciplinary collaboration, as students work on shared projects and other collaborative activities within their PhD cohort. This is encouraged throughout their studies but is a key component of the first year, which is devoted to training activities and individual and group projects. Students may not have established project ideas at the time of recruitment but develop these during the first year.

The core strategic objectives of the CDT in Cyber Security for the Everyday are:

  1. To develop cohorts of truly multi-disciplinary researchers, with a broad understanding of cyber security and a strong appreciation of the interplay between technical and social questions;
  2. To promote research in cyber security that is original, significant, responsible, of international excellence and responsive to societal needs; and
  3. To engage with stakeholders in the cyber security community and wider society.

We are keen to encourage applications from across the Social Sciences and Humanities. Potential areas of interdisciplinary study include but are not limited to:

Conceptualise

  • The arts and critical discourses of cyber security
  • Agenda-setting, framing and cyber security
  • Feminist cyber security
  • Social difference, intersectionality and cyber security
  • Intimate spaces of cyber security (including the body, home, etc.)
  • Everyday/routine violences and cyber security
  • Solidarity and resistance and alternative forms of cyber security
  • Narratives of security
  • Ontological security across disciplines and forms of expression

Materialise

  • Contemporary archaeologies of cyber security
  • Cyber security and the city
  • The materiality of digital mediation in cyber security
  • Media as data
  • Resistance through data, memes/gifs/films
  • Simulation and simulated affect – emotional security data and machines

Negotiate

  • Sustainable development goals and cyber security
  • The impact of cyber security and public policy
  • Territory, diplomacy and cyber security
  • Regional and international cyber security
  • Transnational and global governance of cyber security
  • Cyber security of democratic institutions
  • Cybersecurity at work
  • Organisational approaches to and processes of cybersecurity
  • Cybersecurity profession and professionals
  • E-surveillance at work

Respond

  • Mobilities, automated and autonomous mobility systems
  • Resistance, dissent and cyber security
  • Hate crimes and affect
  • Cultural economies, crypto-currencies and piracy
  • The dark web, visibility and invisibility
  • Practices of data hacking in media consumption.

Reading Material on Gender Essentialism

In a memo titled Google’s Ideological Echo Chamber James Damore claims that “the distribution of preferences and abilities of men and women differ in part due to biological causes and that these differences may explain why we don’t see equal representation of women in tech and leadership” with the aim to show that “discrimination to reach equal representation is unfair, divisive, and bad for business.” Soon after the memo went viral, tech sites such as Hacker News started to see supportive statements. Motherboard reports that the verdicts expressed in the memo have some traction amongst the author’s former co-workers. It stands to reason that this agreement is not the privilege of Google employees, or as Alice Goldfuss put it:

I’ve read the Google anti-diversity screed and you should, too. You meaning men. Women have heard this shit before. Why should men read it? Because it’s a 10 page essay that eloquently tears away the humanity of women and non-white men. It uses bullet points and proper spelling and sounds very calm and convincing. And it should, because it was written by one of your peers.

— Alice Goldfuss (@alicegoldfuss) August 5, 2017

While I do not work in (US) “tech” (I’m an academic cryptographer at a British university), I guess the fields are close enough. Besides, gender essentialism is a prevalent idea beyond the confines of STEM disciplines. As mentioned above, the memo offers a bullet point list to support its claim:

  1. [The differences between men and women] are universal across human cultures
  2. They often have clear biological causes and links to prenatal testosterone
  3. Biological males that were castrated at birth and raised as females often still identify and act like males
  4. The underlying traits are highly heritable
  5. They’re exactly what we would predict from an evolutionary psychology perspective

The memo and its defenders accuse those who disagree with its claims of being ideologically driven moralists[1], hence the memo’s title. Alas, since I read several good critiques and their source material over the last few days, I figured I might attempt to summarise some of these arguments.[2] Initially, my plan was to simply dump a list of books and articles here, but reading around as someone not so familiar with this literature, I found this mode of presentation (“well, my meta-study says your meta-study is full of it”) rather unhelpful. Thus, I opted for spelling out in more detail which arguments I found particularly illuminating.[3]
