about Markus Jakobsson

Markus Jakobsson

Member since: 07/15/08 Last log in: 09/19/08 at 10:34 am
Posts: 11 Comments: 5

Dr. Markus Jakobsson is Principal Scientist at Palo Alto Research Center. He is a founder of the security startup RavenWhite, which addresses security problems associated with authentication, malware and click-fraud. He is also one of the founders of SecurityCartoon, an educational approach targeting typical Internet users. He is a firm believer in technology to address security problems, but believes that a holistic view that includes the end user and his/her behavior is crucial. Unexpected user behavior can thwart the best security measures, and any security measure must be designed with social engineering and human failure in mind. Dr. Jakobsson's recent books Phishing and Countermeasures (Wiley, 2006) and Crimeware: Understanding New Attacks and Defenses (Symantec Press, 2008) chart new territory in online security. He received his PhD from University of California at San Diego in 1997.

  • Company: Xerox PARC
  • Industry: Tech: Computer/Network Consultant
  • Job title: Principal Scientist
  • Country: United States
What I do

What I know:

How to analyze and solve Internet security problems and wireless security problems. I do not believe it is reasonable to study security in a manner that does not take everything into consideration. You need the holistic view. Will the system fail because people cannot use it? Because they do not want to? Because the incentives are misaligned? Is it vulnerable to fraud? Will current trends impose vulnerabilities? How can you develop cryptographic protocols that address real-life problems, while avoiding the common pitfall of not realizing how the protocols might be deployed and used?

What I've done:

I work for Palo Alto Research Center as a Principal Scientist, and as a member of the eminent security group. Much of my work involves development of intellectual property, and some of it review and analysis.

I also spend some limited amount of time on the side doing consulting, developing my start-up RavenWhite, and working on Internet security education. (My employer is very generous when it comes to permitting me to carry on this on the side, and I truly appreciate their flexibility.)

See www.markus-jakobsson.com for many of my publications and a detailed bio. Feel free to drop me an email if you want to talk about some common interests.

What I'm working on now:

I am addressing large-scale security problems that often involve the end user. A good example is password reset -- see I-forgot-my-password.com for an example, and www.blue-moon-authentication.com for a demo.

I am also analyzing likely trends in online fraud, starting with assumptions on human behavior, changes in law enforcement efficiency, technology changes, and more. This often leads to insights into how to prioritize efforts going forward, given some basic sets of assumptions.

What I've said

The thing is, you are not

The thing is, you are not likely to change ALL your preferences next week, are you? As long as you remain 70% what you used to be, the system will say it is you. Less than that and you are considered an impostor.

The problem with the social security number is that it is not too secret. A lot of sites already have it, and maybe you do not want more of them to know it. Especially if it is a site that is not a financial service provider.

And other common questions today have the same problem. My CryptoBytes article of last year (http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf) shows how easy it is to get mothers' maiden names from public records, for example.

Password reset is not an easy problem, and what people do today really is not all that secure.
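To make the "70% of what you used to be" rule concrete, here is an added toy scorer for preference-based authentication. It is my own construction for illustration, not RavenWhite's code or the algorithm from the papers; the item names, the like/dislike/don't-care encoding, the sample profiles and the balance check are all assumptions.

```python
"""Toy preference-based authentication check (constructed example)."""
from typing import Dict

# Enrolment answers: 1 = like, -1 = dislike, 0 = don't care.
# Constructed sample data, not from any real deployment.
ENROLLED: Dict[str, int] = {
    "sushi": 1, "opera": -1, "camping": 1, "horror movies": -1, "jazz": 1,
    "spicy food": 1, "early mornings": -1, "cats": 1, "soccer": -1, "crosswords": 1,
}

THRESHOLD = 0.70  # fraction of agreeing answers required, as in the comment above


def agreement(enrolled: Dict[str, int], answers: Dict[str, int]) -> float:
    """Fraction of enrolled items with a definite like/dislike that the new answers match.
    'Don't care' items are excluded from scoring; a missing answer counts as a miss."""
    scored = [(item, v) for item, v in enrolled.items() if v != 0]
    if not scored:
        return 0.0
    hits = sum(1 for item, v in scored if answers.get(item, 0) == v)
    return hits / len(scored)


def authenticate(enrolled: Dict[str, int], answers: Dict[str, int],
                 threshold: float = THRESHOLD) -> bool:
    """Accept when the new answers agree with enrolment at least `threshold` of the time."""
    return agreement(enrolled, answers) >= threshold


def max_constant_guess(enrolled: Dict[str, int]) -> float:
    """Best score an impostor gets by answering the same thing for every item.
    If this reaches the threshold, the item set is lopsided and the check is weak."""
    scored = [v for v in enrolled.values() if v != 0]
    if not scored:
        return 0.0
    likes = sum(1 for v in scored if v == 1)
    return max(likes, len(scored) - likes) / len(scored)


# Genuine user some time later: two preferences drifted, 8 of 10 still agree.
DRIFTED = dict(ENROLLED, opera=1, soccer=1)
# Impostor with no knowledge who answers "like" to everything: 6 of 10 agree.
ALL_LIKE = {item: 1 for item in ENROLLED}
```

The balance check matters as a design point: with a 70% threshold, an enrolment profile in which 70% or more of the definite answers point the same way would let a constant guess pass.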

This strategy works until

This strategy works until you forget the answers to these questions, too. Why would you forget the "real" password, but not these "new passwords"?

Here are two papers you can

Here are two papers you can read for more details on preference-based authentication:

http://www.ravenwhite.com/files/quantifying.pdf (to appear in DIM '08)
http://www.ravenwhite.com/files/chi08JSWY.pdf (appeared in CHI '08)

Cheers,
Markus

James, From what you are

James,

From what you are writing, you are more knowledgeable than the average user. Most people do not know how to evaluate a URL (for a 30-second tutorial, see http://www.securitycartoon.com/index.php?comic=20070621).

But as for the URLs I listed ... one of them is legitimate. The accountonline.com. The other two could have belonged to phishers. They actually do not, they belong to me. I registered them to demonstrate how a phisher could have taken them.

Cheers,
Markus

Liu, I do not see this as

Liu,

I do not see this as an educational issue. This is about industry preparedness, and a willingness to deal with problems that have not arisen. It is a matter of how to anticipate trends, and the importance of doing it.

Markus
