Jean Camp

Followers

Following

Co-author

Public Views

Interests

Uploads

Papers by Jean Camp

Criteria and Analysis for Human-Centered Browser Fingerprinting Countermeasures

Proceedings of the Annual Hawaii International Conference on System Sciences, 2022

Download

Anonymous Atomic Transactions

We show here an example of a protocol that satisfies anonymity properties while providing strong ... more We show here an example of a protocol that satisfies anonymity properties while providing strong ACID (atomic, consistent, isolated, durable) transactional properties, resolving an open question. This allows us to provide electronic commerce protocols that are robust even in the event of message loss and communication failures. We use blind signature tokens to control values. We use a separate transaction log to reduce trust assumptions between the merchant,the consumer, and the bank.

Using bursty announcements for detecting BGP routing anomalies

Computer Networks, 2021

Despite the robust structure of the Internet, it is still susceptible to disruptive routing updat... more Despite the robust structure of the Internet, it is still susceptible to disruptive routing updates that prevent network traffic from reaching its destination. Our research shows that BGP announcements that are associated with disruptive updates tend to occur in groups of relatively high frequency, followed by periods of infrequent activity. We hypothesize that we may use these bursty characteristics to detect anomalous routing incidents. In this work, we use manually verified ground truth metadata and volume of announcements as a baseline measure, and propose a burstiness measure that detects prior anomalous incidents with high recall and better precision than the volume baseline. We quantify the burstiness of inter-arrival times around the date and times of four large-scale incidents: the Indosat hijacking event in April 2014, the Telecom Malaysia leak in June 2015, the Bharti Airtel Ltd. hijack in November 2015, and the MainOne leak in November 2018; and three smaller scale incidents that led to traffic interception: the Belarusian traffic direction in February 2013, the Icelandic traffic direction in July 2013, and the Russian telecom that hijacked financial services in April 2017. Our method leverages the burstiness of disruptive update messages to detect these incidents. We describe limitations, open challenges, and how this method can be used for routing anomaly detection.

Download

Non-Inclusive Online Security: Older Adults' Experience with Two-Factor Authentication

Older adults access critical resources online, including bank, retirement, and health insurance a... more Older adults access critical resources online, including bank, retirement, and health insurance accounts. Thus, it is necessary to protect their accounts so they can confidently use these services that are increasingly being moved online. Two-factor authentication (2FA) protects online assets through efficient and robust authentication, but adoption and usability remain a challenge. Our in-depth qualitative research focuses on ten older adults’ ( 60 years) sustained (non)usage of 2FA for thirty days. Participants’ limited adoption of the security keys stemmed from keys’ non-inclusive design, lack of tangible benefits, inconsistent instructions, and device dependencies. We propose appropriate assistance, risk communication, registration process changes, and alignment of security-focused requirements to encourage 2FA adoption among older adults and institutions entrusted with their data. We also introduce the concept of ‘Security Caregivers,’ who can ensure security and digital indepe...

Download

Protecting IoT Devices through Localized Detection of BGP Hijacks for Individual Things

2021 IEEE Security and Privacy Workshops (SPW), 2021

In this paper, we leverage the limited functionality of IoT devices and the homophily of a single... more In this paper, we leverage the limited functionality of IoT devices and the homophily of a single home network to identify control plane attacks. We illustrate the use of privacy-preserving data analysis in machine learning to evaluate the leptokurtic distributions of routes from a single device in an individual home in a specific geographic location. Previously, route hijacking has been approached as a large-scale systems problem, requiring network service providers to take action. Route information from the edge has traditionally been considered inactionable, however, small enterprises and homeowners may be targeted for such attacks for reasons ranging from nations attacking suppliers in critical systems to simple monetization of e-crime. We describe how a single small entity can leverage large-scale historical data with their individual histories to identify these attacks. We implement our proposed method in the form of a local agent that monitors the IoT devices and services for detecting BGP hijacking as well as an agent server that utilizes global history in initializing the local agents.

Understanding Saudis' Privacy Concerns When Using WhatsApp

Proceedings 2016 Workshop on Usable Security, 2016

Managing privacy in mobile instant messaging is a challenge for designers and users alike. If too... more Managing privacy in mobile instant messaging is a challenge for designers and users alike. If too many options are provided, the privacy controls can become complex to understand and unwieldy to manipulate. Conversely, providing too few controls leaves users without the ability to adequately express their privacy preferences. Further complicating this, a new class of social networks has emerged where one person can add another without mutual consent (i.e. Tumbler, Twitter, and WhatsApp). We present a survey of 626 Kingdom of Saudi Arabia (Saudi) WhatsApp users to determine their privacy-related behaviors and opinions. We find that Saudi users were aware of the privacy settings and use them especially to limit the visibility of when they were last active. We also find that 83.9% of respondents had been contacted by a stranger through the application. Respondents wanted more control over their membership in groups and the resulting visibility of their private profile information such as phone numbers. We discuss the results in terms of prior privacy and interruptibility awareness literature. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

Download

MFA is A Necessary Chore!: Exploring User Mental Models of Multi-Factor Authentication Technologies

Proceedings of the 53rd Hawaii International Conference on System Sciences, 2020

Download

Implementing Mental Models

2012 IEEE Symposium on Security and Privacy Workshops, 2012

Users' mental models of security, though possibly incorrect, embody patterns of reasoning about s... more Users' mental models of security, though possibly incorrect, embody patterns of reasoning about security that lead to systematic behaviors across tasks and may be shared across populations of users. Researchers have identified widely held mental models of security, usually with the purpose of improving communications and warnings about vulnerabilities. Here, we implement previously identified models in order to explore their use for predicting user behavior. We describe a general approach for implementing the models in agents that simulate human behavior within a network security test bed, and show that the implementations produce behaviors similar to those of users who hold them. The approach is relatively simple for researchers to implement new models within the agent platform to experiment with their effects in a multi-agent setting.

Download

Analysis of Ecrime in Crowd-Sourced Labor Markets: Mechanical Turk vs. Freelancer

The Economics of Information Security and Privacy, 2013

Research in the economics of security has contributed more than a decade of empirical findings to... more Research in the economics of security has contributed more than a decade of empirical findings to the understanding of the microeconomics of (in)security, privacy, and ecrime. Here we build on insights from previous macro-level research on crime, and microeconomic analyses of ecrime to develop a set of hypotheses to predict which variables are correlated with national participation levels in crowd-sourced ecrime. Some hypotheses appear to hold, e.g. Internet penetration, English literacy, size of the labor market, and government policy all are significant indicators of crowd-sourced ecrime market participation. Greater governmental transparency, less corruption, and more consistent rule of law lower the participation rate in ecrime. Other results are counter-intuitive. GDP per person is not significant, and unusually for crime, a greater percentage of women does not correlate to decreased crime. One finding relevant to policymaking is that deterring bidders in crowd-sourced labor markets is an ineffective approach to decreasing demand and in turn market size.

Download

The Economics of Information Security

Science, 2006

The economics of information security has recently become a thriving and fast-moving discipline. ... more The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, we find that incentives are becoming as important as technical design in achieving dependability. The new field provides valuable insights not just into “security” topics (such as bugs, spam, phishing, and law enforcement strategy) but into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.

Download

Aging, Privacy, and Home-Based Computing: Developing a Design Framework

IEEE Pervasive Computing, 2012

While the vast majority of information technologies are designed for younger audiences, recently ... more While the vast majority of information technologies are designed for younger audiences, recently more attention has been given to home-based applications that can help older adults "age in place". These designs focus on monitoring and providing support for elders while simultaneously providing caregivers the information needed to keep the elder safe. Relatively little attention has been given to the many ethical issues surrounding these types of pervasive technology. In this paper, we discuss the development of a privacy framework for design that we derived from the literature for the development of home-based computing for seniors. Using data from focus groups with over 60 elders, we address how the needs of elders, the perception of technology as a potential solution for aging in place, and the concept of privacy differ across the prototypes as well as between the researchers and the elders. We refine the framework to reflect the concerns and feedback of our research participants and then examine implications for the design of privacy-sensitive technologies for seniors.

Download

$Research paper thumbnail of Non-Inclusive Online Security: Older Adults\u27 Experience with Two-Factor Authentication$

Non-Inclusive Online Security: Older Adults\u27 Experience with Two-Factor Authentication

Older adults access critical resources online, including bank, retirement, and health insurance a... more Older adults access critical resources online, including bank, retirement, and health insurance accounts. Thus, it is necessary to protect their accounts so they can confidently use these services that are increasingly being moved online. Two-factor authentication (2FA) protects online assets through efficient and robust authentication, but adoption and usability remain a challenge. Our in-depth qualitative research focuses on ten older adults’ (≥ 60 years) sustained (non)usage of 2FA for thirty days. Participants’ limited adoption of the security keys stemmed from its non-inclusive design, lack of tangible benefits, inconsistent instructions, and device dependencies. We propose design modifications, age-friendly instructions, effective risk communication, and appropriate assistance to encourage 2FA adoption among older adults and institutions entrusted with their data. We also introduce the concept of ‘Security Caregivers,’ who can ensure security and digital independence for the a...

Download

Embedding Trust via Social Context in Virtual Spa-ces

Mental models of security risks

In computer security, risk communication refers to informing computer users about the likelihood ... more In computer security, risk communication refers to informing computer users about the likelihood and magnitude of a threat. Efficacy of risk communication depends not only on the nature of the risk, but also on the alignment between the conceptual model embedded in the risk communication and the user's mental model of the risk. The gap between the mental models of security experts and non-experts could lead to ineffective risk communication. Our research shows that for a variety of the security risks self-identified security experts and non-experts have different mental models. We propose that the design of the risk communication methods should be based on the non-expert mental models.

Download

Beyond Consent: Privacy in Ubicomp

Ubiquitous computing, or ubicomp, integrates technology into our everyday environments. Ubicomp f... more Ubiquitous computing, or ubicomp, integrates technology into our everyday environments. Ubicomp fundamentally alters privacy by creating continuous detailed data flows. The privacy challenge is particularly acute in the case of home-based health care where vul-nerable populations risk enforced technological intimacy. The promise of ubicomp is also particularly great in the area of home-based health case with the aging of the population. The combination of a vulnerable population, embedded computing, and inadequate privacy regimes may lead to a digital perfect storm. The ubicomp transformation has the ability to lead us to an Orwellian society where peo-ple will no longer be aware when they are interacting with the network and creating data records. The potential negative implications of this are clear, and frightening. However, ubicomp has immense potential to improve lives, including the lives of vulnerable individ-uals who can leverage the abilities of ubicomp to reach or maintain...

The Governance Of Code: Code As Governance

this article defines the network society by considering the various forms of governance currently... more this article defines the network society by considering the various forms of governance currently applied to code, namely: open code licensing, public domain code, proprietary licenses, and the Uniform Computer Information Transactions Act (UCITA). The open code licenses addressed here are the GNU Public License, the BSD license, the artistic license, and the Mozilla license. We posit that the licenses are alternative viewpoints (or battles) over the nature of the network society, and that each has its own hazards. We describe the concepts of openness: free redistribution, source availability, derivations, integrity, non-discrimination, non-specificity, and non-contamination. We examine how each license meets or conflicts with these conditions. We conclude that each of these dimensions has a parallel in the dimension of governance. Within our conclusions we identify how the concept of code as law, first described by Stallman and popularized by Lessig, fails when the particulars of o...

Download

DRAFT – Do not cite without authors ’ permission Camp and Gideon p. 1 Limits To Certainty in QoS Pricing and Bandwidth

Advanced services require more reliable bandwidth than currently provided by the Internet Protoco... more Advanced services require more reliable bandwidth than currently provided by the Internet Protocol, even with the reliability enhancements provided by TCP. More reliable bandwidth will be provided through QoS (quality of service), as currently discussed widely. Yet QoS has some implications beyond providing ubiquitous access to advance

Download

Pinning & Binning: Real Time Classification of Certificates ∗

The creation of a PKI with trusted roots on a X.509 in-frastructure has solved the problem of key... more The creation of a PKI with trusted roots on a X.509 in-frastructure has solved the problem of key exchange and enabled widespread use of encryption between individuals with no previous contact. However, these certificates are inadequate for making a “trust or do not trust ” decision in web interactions as exemplified by MITM attacks, phishing attacks, and rogue but technically valid certificates. Thus, end users today often rely on constantly updated blacklists and whitelists. While these approaches offer a simple secu-rity solution to the end users, it is often a challenge to con-struct a whitelist or blacklist that simultaneously satisfies three requirements: correctness, timeliness and complete-ness. To complement current approaches, we propose a ma-chine learning based approach using features from TLS cer-tificates that addresses the inherent limitations of whitelists and blacklists. We illustrate improvements in timeliness for blacklist updates and completeness for the whitelis...

Download

Anonymous Atomic Transactions

Download

Providing auditing while protecting privacy

Historically, there has been tension between performance and privacy of information systems becau... more Historically, there has been tension between performance and privacy of information systems because of the crucial role of collection of usage data. In this paper, we examine how a number of different architectures approach this tension. We present both enhancements to traditional software architectures and an architecture that resolves this conflict. We discuss a cryptographic technique called secret counting that

Jean Camp

Uploads

Papers by Jean Camp

Log In