@steven.murdoch.is
Professor of Security Engineering; Head of UCL Information Security Research Group @sec.cs.ucl.ac.uk; Director Open Rights Group. ๐ย https://mastodon.social/@sjmurdoch ๐ฆย @sjmurdoch ๐ย https://murdoch.is/
Reuters were accused of acting illegally in guessing the URL of an unreleased report in 2002. I didnโt hear anything after the initial reports so presume it was quietly dropped or settled. blog.citp.princeton.edu/2002/10/31/i...
UCL Computer Science are hiring Section Managers to support the development and delivery of teaching, research, and strategy within their section. Iโll be leading the Foundational Computer Science section, where the InfoSec group is based. www.ucl.ac.uk/work-at-ucl/...
Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)
โ$5 Wrench Attacks: When Cryptocurrency Crime Get Physicalโ, a post on Benthamโs Gaze by Marilyne Ordekian discussing when XKCD comics become reality โ www.benthamsgaze.org/2025/07/22/5...
I am recruiting mental-health experts (clinical psychologists and psychiatrists) for an in-person workshop in London to discuss a mobile app for mental health care. Participants will receive ยฃ500+expenses for their time. If you might be interested please email s.murdoch@ucl.ac.uk
On our new paper published at IEEE Security and Privacy โ โA Privacy Framework for Research Using Social Media Dataโ, a summary by Kyle Beadle. www.benthamsgaze.org/2025/05/15/a...
If it needs to interoperate with Signal I would think it would be easier to modify Signal to include the new audit-friendly protocol than add audit to Signal. A lot of what Signal includes (P2P key verification, PFS, post-compromise security, deniable) are contrary to the goal of universal logging.
The major selling points of these companies is self-hosting the key management server, and sometimes even more of the infrastructure. This would need to be part of the product offering too.
I can see the idea but thatโs a hard market to get into. Youโd need a security cleared technical sales team, FIPS certifications, etc. it would be a major departure for the company culture. These companies also often value having ex- military/intelligence staff. I can see conflicts there.
In terms of UX I think thatโs achievable, e.g. the UK app in this space looks pretty much like WhatsApp. For ecosystem, indeed thatโs a problem because government requirements are anti-requirements for pretty much everyone else. apps.apple.com/gb/app/armou...
Itโs just a bizarre situation. When I was looking into MIKEY-SAKKE I found a whole ecosystem of government messengers with NATO security certifications and clearances. The protocol is (for better or worse) very amenable to centralised logging. And yet they picked a hacked-up Signal.
Nationwide offers the only service Iโm aware of that backs up their advice with a guarantee. I donโt know how it works but I suspect that if AI is involved, thereโs human verification of decisions. www.nationwide.co.uk/help/fraud-a...
13.7. The AI-generated content and information is provided for general information purposes only and is not intended to constitute or substitute legal or other professional advice of any kind whatsoever. The AI-generated content and information is not intended or implied to be a substitute for professional advice. 13.8. You are encouraged to confirm any information obtained from or through Silver with other sources and review all information provided. Please do not disregard professional advice or delay seeking advice because of something you have read on our website or in the AI-generated content and information. 13.9. We make no representations about the suitability, reliability, timeliness, comprehensiveness, and accuracy of the AI-generated content and information, and other content produced by Silver.
AI-based scam checkers are gaining popularity but I would be cautious in following their advice unless the company is willing to stand behind it. For example, Metro Bank makes bold claims but the fine print absolves them of any responsibility for errors. www.metrobankonline.co.uk/ways-to-bank...
I have an open PhD position at @sec.cs.ucl.ac.uk on applying traffic-analysis resistance techniques to protect industrial control systems. Full funding is available for home-fee status students (deadline 15 April). www.ucl.ac.uk/security-cri...
And Iโd add that Telegramโs janky cryptography doesnโt achieve anything normal encryption canโt provide. Signal uses some interesting constructions but did so to offer better security (and largely succeeded).
I'd view the consultation as an opportunity to revisit how electronic evidence should be handled, and disclosure is obviously a critical part of that. Flipping the presumption is just a mechanism to impose disclosure requirements on a party that is reluctant to do so.
You raise a good point. In my experience, the presumption is rarely explicitly mentioned in disputes. And it's not entirely clear whether PACE s69 would worked out better (the Post Office included PACE s69 statements even when they were not needed).
Whisper it, the showdown over Apple encryption is THIS WEEK โฑ๏ธ
๐ค A secret tribunal will hear the appeal against the governmentโs order to carve a backdoor into Appleโs encrypted services.
๐ Our cybersecurity and privacy shouldnโt be decided in the shadows.
www.computerweekly.com/news/3666203...
I found this video showing the tracking information. The Solong was heading directly towards the tanker for hours before the collision. Iโve no idea what could have caused such a failure. youtu.be/Ex6OpRiuflA?...
Until now, the UK government recommended that individuals at high risk, like legal professionals, enable Apple Advanced Data Protection (ADP). Apple disabled ADP following government pressure, and now the NCSC quietly deleted their guidance recommending ADP.
Thanks, that looks like it. The IPT web page makes no mention of that, but maybe they are focused on what members of the public could bring to them.
The article refers to the Investigatory Powers Tribunal, but I canโt see any description of how this falls into the type of complaints the IPT handles. Can anyone more qualified work out whatโs actually going on?
I remember hearing similar objections when Signal implemented disappearing messages. Iโm glad the pragmatists won, correctly (IMO) arguing that the feature is to encourage good hygiene rather than enforce security against a malicious communication partner.
So hereโs a simple request to Apple. Apple iMessage needs to enable โdisappearing messages.โ And they need to do it soon. blog.cryptographyengineering.com/2025/03/01/d...
This could be followed up by a judicial review, for example arguing that there was a violation of human rights. The existence of this would be public knowledge but not necessarily all the evidence presented.
In case you are curious about the legal route, it is described here. It would not necessarily be public, so I canโt say whether it has happened. www.gov.uk/government/p...
๐จ APPLE WITHDRAWS ENCRYPTION TECH FROM UK ๐จ
The Home Officeโs actions have deprived millions of Britons from accessing a security feature.
UK citizens will be at higher risk of their personal data and family photos falling into the hands of criminals and predators โผ๏ธ
www.bbc.co.uk/news/article...
Encryption IS online safety ๐ก
Keeping data secure is key when hackers are skilled at unpicking accounts.
So why does the UK government want to make us unsafe by ordering a backdoor to Apple encrypted services?
โ๏ธ Sign to save encryption this #SaferInternetDay.
you.38degrees.org.uk/petitions/ke...
We are looking to appoint to one or more posts in IP/IT Law, as Associate Professor or Lecturer in Law. Applications from colleagues who can also teach in other subject areas, including French Law, are most welcome. The closing date for applications is 28 February 2025. Interviews will likely take place in the week(s) commencing 05 and 12 May 2025. About you Successful candidates will be expected to engage in world leading research, and to contribute to the Facultyโs development and advancement of both intellectual property and information technology law and policy, and other areas of law falling within their subject matter expertise. It is also expected that the post-holders will contribute to all aspects of the academic life of the Faculty and University. The Faculty has a particular interest in recruiting scholars with research interests in copyright law, platform regulation, enforcement with and through technology, and the intersection of emerging technologies with other IP rights such as designs. UCL Laws faces growing demand for teaching and engagement on IP and IT issues from other parts of the university, as well as in executive education, and we particularly welcome applicants with interest and experience of teaching contested legal topics to technologists, creatives and other non-lawyers. Reflecting the broad strength of the Faculty, we welcome scholars from a wide array of approaches to these issues โ socio-legal, comparative, doctrinal, empirical, historical and/or theoretical and interdisciplinary approaches. Applicants should, however, pay particular attention to how their work illustrates their capacity for depth and rigour in a fast-moving field prone to superficial analysis.
Now hiring in law & tech @ucllaws.bsky.social!
Lecturer/Assoc Prof in IP & IT law: intersection of platform reg, emerging tech, copyright/designs.
Join me @bernardkeenan.bsky.social Orla Lynskey @alinatrapova.bsky.social Ilanah Fhima, Matt Fisher, Robin Jacob & friends
www.ucl.ac.uk/work-at-ucl/...
That doesnโt seem unreasonable to handle, but as with spell checkers it doesnโt need to be 100% accurate to be useful. There would still be a feature where you could say โacceptโ and ignore the supposed error.
Why is it still possible to write a date where the day of the week doesnโt match the day of the month? This doesnโt need AI; a regular expression would do. I want a big red underline if I ever write โThursday 5 Februaryโ. Has someone patented this and spoiled it for everyone?