On the Unreasonable Ineffectiveness of Security Engineering: Adverse Selection of Trust CertificatesDate: 2016-01-14 Add to Google Calendar
Time: 11am – 12pm
Location: Holmes Hall 389
Speaker: Professor Dusko Pavlovic, UH Department of Information and Computer Sciences
In his famous 1960 essay, Eugene Wigner raised the question of “the unreasonable effectiveness of mathematics in natural sciences”. After several decades of security research, we are able to ask similar questions about security: Do the security technologies make us more secure? Is security engineering not unreasonably ineffective?
As a case to the point, I describe the phenomenon of adverse selection of trust certificates. According to several empiric studies, a web merchant with a trust certificate is roughly twice as likely to be a scammer as a web merchant without a trust certificate. While the phenomenon could be attributed to a lack of diligence, and even to conflicts of interest in trust authorities, a model that I shall present suggests that public trust networks would remain attractive targets for spoofing even if trust authorities were perfectly diligent. The reason is that trust is like money: the rich get richer. The methods to mitigate the resulting vulnerability are analyzed in the extensions of the model.
Bio: Dusko Pavlovic was born in Sarajevo, studied mathematics in Utrecht and Cambridge, and worked at McGill, before turning to computer science at Imperial College London. He left academia in 1999 and worked in Silicon Valley for 10 years. He gradually returned to academia, first as a Visiting Professor at Oxford 2007-2012, then as Professor of Security at Twente 2010-2013. He held a Chair in Information Security at Royal Holloway University of London 2010-2014, where graduate degrees in security have been given since 1992. There he founded the Adaptive Security and Economics Lab (ASECOLab), hosting joint projects with some of the founders and luminaries of modern cryptography. Since 2014, Dusko and several members of ASECOLab have been at University of Hawaii at Manoa, where they launched the Security Science (SecSci) Focus Area, while initiating 4 new research projects in cyber security strategies.