Jan 262016
 

My 2016 started off with issues dealing with my personal electronics gadgets – iPhone 4s and my MacBook Pro. iPhone 4s issues still unresolved as Three Mobile is unable and unwilling to sort my ‘blocked’ iPhone 4s.

Two good news…

Just sorted out my MacBook Pro yesterday, and luckily my research ‘data’ was recovered intact from my external hard disk and also from Dropbox.

Data Privacy Day event at City! Together with a City colleague, Dr David Haynes, we got our planned event into the City news page;

http://www.city.ac.uk/news/2016/jan/data-privacy-day-discussion

Headlines and content extracted and posted here;

City experts to discuss data privacy

The European Union (EU) General Data Protection Regulation (GDPR) and the recent European Court of Human Rights (ECHR) judgement are among several issues to be addressed by data privacy researchers.
The latest European Union (EU) General Data Protection Regulation (GDPR) and the recent European Court of Human Rights (ECHR) judgement are among several issues which will be discussed by City University London researchers on Data Privacy Day, 28th January 2016. The event will take place in Room AG07a from Noon to 1pm.

The wording of the General Data Protection Regulation (GDPR) was agreed in December 2015.

The new Regulation began life as a draft document in 2012 and after being debated in the European Parliament and a trilogue between the three EU institutions (the European Council, the European Commission and the European Parliament) the final wording has been agreed. The GDPR will take effect from 2018 and strengthens the protection offered to individuals within the EU.

Among its new provisions are:

1. Better control of personal data by individuals.

2. Better access by individuals to their own data.

3. Data portability.

4. The right to be forgotten.

5. The right to know about serious data breaches.

Following active lobbying the new Regulation also aims to be more business-friendly by cutting out the red tape. SMEs that handle personal data (such as employee records) will no longer be required to register with the data protection authorities, so long as processing personal data is not their main business. Unlike the current Data Protection Directive, the new Regulation will automatically apply across all EU states – it does not have to be passed into national law, such as the UK’s Data Protection Act 1998. Businesses working across Europe will only have to deal with one authority, rather than the regulatory body in each state that it operates in.

A recent judgement by the European Court of Human Rights (ECHR) has highlighted some of these issues by ruling that employers are entitled to monitor employee communications when they are using the Internet during work hours. A Romanian worker sacked in 2007 for use of personal e-mail during work hours had appealed against a ruling by the Romanian courts that upheld his dismissal.

However the ECHR upheld a ruling by the Romanian Court, stating that it was not ‘unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours’. This raises important issues for employees throughout the EU.

Definition Data Privacy Day
Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the 28th January 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on 28th January.

Nov 202015
 

I only seriously took an interest in the Systematic Literature Review (SLR) method this summer – yup! only this summer. I was too busy reading and exploring interesting Chinese wuxing stuff with the view to do research on this subject matter.

As highlighted in my October post, I had to change my topic.

Now, I’m following the suggested steps outlined in the SLR to get to the TRUTH of whatever I’m conducting for my research, and off course to define/describe that ever elusive research question.

I’m following the normal route of conducting a piece of ‘academic’ PhD research, instead of following my heart to embark on digging deep into something as ancient and profound as in the Chinese wuxing. Perhaps one day I will get to do this topic.

I realised after my presentation (yesterday) to my supervisors on my new topic and motivation, that I’ve lost my motivation in coming up with a new topic to continue with my research.

I’m in deep trouble – as posted under reflection day – not on my research question, really…the trouble is my motivation behind doing a PhD. I just need to motivate myself, and come up with something the general public, researchers and my supervisors will also be motivated or interested in the chosen topic. This is what I now realised is what constitutes ‘academic’ ( unlike ‘professional’) PhD research, i.e. a research path not following one’s dream or one’s own madness into the deep unknown, just do what researchers have done but add a bit more or extend it somehow, and most importantly it is a ‘safe’ topic.

I was approached yesterday by my University Library staff to join a case study project, and one question is around advice for other researchers. My answer : ‘Have good supervisors and have perseverance’.

Perhaps I should also add – have luck in finding and working with supervisors who are kind, supportive and open minded to stretch boundaries with you on your dream PhD journey.

Oct 262015
 

Back posting on an event in September 2015…

In reviewing literature, I came across a Conference – the ICG3S – that was due to be hosted just in my neighbourhood on 15th September 2015. I signed up at the very last minute and attended the Conference.

Just for my own record, the URLs for the live broadcast:

http://bit.ly/icgs3-2015-dayone

http://bit.ly/icgs3-2015-daytwo

http://bit.ly/icgs3-2015-daythree

 Posted by on October 26, 2015 at 7:26 pm
Oct 262015
 

Someone told me long time ago that learning boring stuff is what makes life ‘easy’ and/or a ‘safe’ bet.

My PhD is focusing on pretty boring stuff which I will have to somehow find a novel way of looking at the problem and solution domains.

Here’s a site – TERENA Incident Taxonomy and Description Working Group which has tons of ‘boring stuff’, but I guess they are damn important for folks who are into such matters. The problem is there are so many such ‘boring stuff’ and I will have to navigate my way through all these ‘important, boring stuff’ to do my PhD (groan!).

 Posted by on October 26, 2015 at 7:07 pm
Oct 262015
 

I am now into the start of my 3rd year of PhD, and I’m still reviewing literature and discussing my research aims/objectives etc. with yet another lot of new supervisors.

To keep it short, I nearly ‘quit’ (and/or forced out from!) the PhD due to circumstances, which could have been avoided with regular and ‘keen’ interaction with the supervisor. Another contributing factor was that my research topic, involving Eastern Theory and approaches, was totally ‘alien’ and was viewed as ‘high risk’.
Some collected information at jollyvip.com/wuxing

So here I’m re-starting on a new topic, which hopefully is considered ‘safe’ enough for Westerners.
I could write a Thesis just on my PhD experience so far!

 Posted by on October 26, 2015 at 6:55 pm
Jul 232015
 

My research is not directly on ‘secure system design and development’. Still..it is worth posting the Saltzer-Schroeder principles here to remind myself that there are principles that all software engineers and cybersecurity researchers are embracing. Are they embracing these principles?

The following texts are extracted from this report,’Towards a Safer and More Secure Cyberspace‘ issued by the National Academy of Sciences, US.

Box 4.1 summarizes the classic Saltzer-Schroeder principles, first published in 1975, that have been widely embraced by cybersecurity researchers. (my italic)

BOX 4.1
The Saltzer-Schroeder Principles of Secure System Design and Development
Saltzer and Schroeder articulate eight design principles that can guide system design and contribute to an implementation without security flaws:

• Economy of mechanism: The design should be kept as simple and small as possible. Design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.

• Fail-safe defaults: Access decisions should be based on permission rather than exclusion. The default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.

• Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary under- pinning of the protection system. It forces a system-wide view of access control, which, in addition to normal operation, includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated.

• Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical users may be allowed to convince themselves that the system they are about to use is adequate for their individual purposes. Finally, it is simply not realistic to attempt to maintain secrecy for any system that receives wide distribution.

• Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The reason for this greater robustness and flexibility is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals can be made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information.

• Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. This principle reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to the possible misuse of a privilege, the number of programs that must be audited is minimized.

• Least common mechanism: The amount of mechanism common to more than one user and depended on by all users should be minimized. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to ensure that it does not unintentionally compromise security. Further, any mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users.

• Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. More generally, the use of protection mechanisms should not impose burdens on users that might lead users to avoid or circumvent them—when possible, the use of such mechanisms should confer a benefit that makes users want to use them. Thus, if the protection mechanisms make the system slower or cause the user to do more work—even if that extra work is “easy”—they are arguably flawed.

 Posted by on July 23, 2015 at 10:07 pm