Jeff Yan's Home Page

University of Newcastle, Computing Science

Jeff Yan

I did my Ph.D. with Ross Anderson in the Security Group at Cambridge University, and now lecture at Newcastle University in the UK. I am the founding research director for the Centre for Cybercrime and Computer Security at Newcastle. I used to coordinate a weekly Informal Security Meetings and manage cs-security, a local emailing list for discussing all security-related issues.

I serve on the editorial board of Springer's International Journal of Information Security (IJIS) and IEEE Transactions on Information Forensics and Security (TIFS). Welcome to submit good papers!

Other organisations I was affiliated with in one way or another include:

Microsoft Research, Asia (Visiting Researcher)
Chinese University of Hong Kong
Trusted Systems Lab, Hewlett-Packard Labs, Bristol, UK
Computer Security Lab, DSO National Laboratories, Singapore
My Lab of Security Engineering (LSE).

I enjoy, among other hobbies, reading, photography, badminton and table tennis.

What's New

I'm hiring 3 postdocs for security and cybercrime research. Two will work on NIFTy, an EU funded project on image forensics (keywords: digital camera fingerprint, fast search algorithm, forensic tools, law enforcement); one will work on the EPSRC-funded "Deterrence of deception in Socio-Technical Systems" (keywords: game cheating, natural experiment, big data analytics, psychology of deception, Ross Anderson (PI)). Idealy, the "Deception" project looks for a psychologist who can program! More details to follow up -- stay tuned.

Our paper The Robustness of Google CAPTCHAs has been held in private for long, and finally we have released it now. Google were informed the results in advance. Coverage by Bruce Schneier and The Economist . An improved version was lately submitted to Oakland, and rejected with an interesting set of 6 reviews: four 4s/5s (weak accept/accept), one 3 (borderline) but with pretty positive comments, and one 2 (weak reject). It's amazing that this 'weak reject' review was about 4-5 pages in length -- some top researchers advise us to regard it as a compliment.

CAPTCHA design: colour, usability and security apears in the March-April 2012 issue of IEEE Internet Computing.

Captcha Robustness: A Security Engineering Perspective appears in the Feb. 2011 issue of IEEE Computer.

Our paper on shoulder-surfing resistant DAS graphical passwords appears at SOUPS'11. Thanks to Sacha Brostoff, who did almost the entire data analysis for the paper.

Attacks and Design of Image Recognition CAPTCHAs appears at CCS'10. We report: novel attacks on two representative image recognition CAPTHCAs: IMAGINATION (designed at Penn State around 2005) and ARTiFACIAL (designed at MSR Redmond around 2004); a theoretical explanation why well-known schemes such as IMAGINATION, ARTiFACIAL and Assira (another MSR design) have all failed; a simple framework for guiding the design of robust image recognition CAPTHCAs; and a new image recognition CAPTHCA, which we call Cortcha (Context-based Object Recognition to Tell Computers and Humans Apart). Coverage by Slashdot and Bruce Schneier.

Mary Ellen Zurko and I gave a full-day tutorial on usable security at ACSAC'10 (Austin, Texas) on Dec 7, 2010.

Collusion Detection in Online Bridge appears at AAAI-10 (slides).

My student Ahmad and I were a finalist for the Times Higher Education award in the category of the Outstanding Engineering Research Team of the Year, 2009.

My tutorial on usable security, given at ACM CCS'09 in Chicago, was pretty well attended and received.

I gave an invited talk on CAPTCHA robustness (slides) to the Messaging Anti-Abuse Working Group (MAAWG). Longer versions were given at Cambridge, Cisco, Google, Microsoft, Yahoo, Royal Holloway and other organisations.

We have released a computer game, Magic Bullet, which is a spin-off from our CAPTCHA robustness project. Our paper about this game appears at IJCAI'09 in Pasadena, CA. Coverage by CACM, Science Daily, Phys.Org.

A Low-cost Attack on a Microsoft CAPTCHA (with Ahmad El Ahmad). This paper reports a novel attack that can break, with a success rate of higher than 60%, a CAPTCHA that was desinged by Microsoft and has been deployed for their Hotmail, MSN and Windows Live for years. Microsoft was notified our results in Sept, 2007. Responding to their request, we held this paper confidential until 10 April, 2008. Here are some frequently asked questions, and coverage in PC World, Network World, InfoWorld, Yahoo! News, ABC News, ACM Tech News, Register, Wikipedia, Times Higher Education and MIT Technology Review (also here). Also have a look at The Economist. A peer-reviewed version appears at ACM CCS'08.

A related paper, "Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs", is not released yet (an abstract is here), but has been reviewed by Yahoo! Engineering in Sunnyvale, California.

Our graphical password project has been selected by the Royal Society for its 2008 Summer Science Exhibition. Drop by our exhibit in London to try out our leading graphical password system on Monday 30 June - Thursday 3 July 2008.

Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms (with A El Ahmad), ACSAC'07. This paper reports a "pixel count" attack that works very well on quite some CAPTCHAs. In spirit, this is an interesting "side channel" attack.

Graphical passwords: "Background Draw a Secret (BDAS)", ACM CCS'07. Featured by BBC News, ACM Tech News, London Science Museum, Slashdot, and many others. Details see our BDAS page.

Previous highlights include Enhancing collaborative spam detection with Bloom filters (ACSAC'06), Bot, Cyborg and Automated Turing Test (Cambridge Security Protocols Workshop 2006) and Phishing mitigation (patent pending).

Selected Professional Activities

PC member, 1st International Workshop on Games for Knowledge Acquisition (PlayIT'11) , co-located with WWW 2011
Program committee member, 24th BCS Conference on Human Computer Interaction (HCI 2010), UK
Program committee member, 1st Symposium On Usable Privacy and Security (SOUPS), CMU, USA, 2005
Program committee member, First International Workshop on Network and System Support for Games (NetGames), Germany, 2002
Expert panel member, NetCrime and Policy Study, Home Office, UK, 2002 - 2003

Research Summary

I am interested in most aspects of computer and network security, both theoretical and practical, and my recent work focuses on systems security, including human aspects of security (e.g. usable security). My previous contributions illustrate both my view of security and research methodology. Namely, security fails not only because of the lack or failure of technical mechanisms, but also because of failures of other issues such as usability and motivation, and therefore an interdisciplinary approach is needed to tackle (many) security problems.

Below you will find brief descriptions of some of my previous work and pointers to selected papers where you can find out more.

Usable Security
Incentive-Compatible Security Design
- XenoService
Traditional Security Design
- Security for network games
- Proactive password checking and password protocols
- Denial of Service
- Others (vulnerability analysis, code obfuscation for software protection)
Applied Cryptography
- Traitor tracing

Human Aspects of Information Security

Usable Security

Password memorability and security

Passwords are one good example of the importance of the human factors and usability in security. In this work, carried out in collaboration with a psychologist, we tackled an old but fundamental security problem - how do you train users to choose passwords that are easy to remember but hard to guess? There's a lot of "folk wisdom" on this subject but little that would pass muster by the standards of applied psychology. We did a randomized controlled trial with four hundred of our first year science students, and produced solid empirical results. While confirming some widely held folk beliefs about passwords, we observed a number of phenomena which run counter to the established wisdom.

J. Yan, A. Blackwell, R. Anderson and A. Grant. The memorability and security of passwords -- some empirical results. University of Cambridge, Computer Laboratory Technical Report No. 500, 2000. (see also Hungarian translation).
J. Yan, A. Blackwell, R. Anderson and A. Grant. Password Memorability and Security: Empirical Results. IEEE Security & Privacy, Vol. 2 No. 5, 2004.
Also reprinted with more clarifications as:

J. Yan, A. Blackwell, R. Anderson and A. Grant. The Memorability and Security of Passwords. Refereed book chapter in Security and Usability: Designing Secure Systems that People Can Use (ed. by Lorrie Cranor and Simson Garfinkel), OReilly & Associates, USA, 2005. (This is the first ever book on the emerging interdisciplinary field, "usable security".)

Graphical passwords

Shoulder Surfing Defence for Recall-based Graphical Passwords (with H Zakaria et al). SOUPS'11.
Do background images improve "draw a secret" graphical passwords? (with P Dunphy). ACM CCS'07.
Is FacePIN Secure and Usable? (with P Dunphy), SOUPS'07.
Graphical Passwords and Qualitative Spatial Relations (with D Lin et al), SOUPS'07.

Secure and usable CAPTCHAs

Captcha Robustness: A Security Engineering Perspective (with Ahmad El Ahmad). IEEE Computer, vol. 44, no. 2, pp. 54-60, Feb. 2011. (A preliminary version appears as CS-TR-1180 in November, 2009)
Attacks and Design of Image Recognition CAPTCHAs (with Bin Zhu et al). ACM CCS'10.
CAPTCHA design: colour, usability and security (with A El Ahmad et al). IEEE Internet Computing. (A preliminary version appears as CS-TR-1203, School of Computing Science, Newcastle University, UK, 2010.)
The Robustness of a New CAPTCHA (with A El Ahmad et al). ACM EuroSec 2010, Paris, France.
CAPTCHA security: a case study (with A El Ahmad), IEEE Security & Privacy, vol. 7, no. 4, July/Aug. 2009. pp. 22-28. (cover feature article).
A Low-cost Attack on a Microsoft CAPTCHA (with Ahmad El Ahmad). ACM CCS'08. peer-reviewed version.
Usability of CAPTCHAs - Or "usability issues in CAPTCHA design" (with A El Ahmad) (also available at here), SOUPS'08.
Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs (with Ahmad El Ahmad).
Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms (with A El Ahmad), ACSAC'07.
J Yan. Bot, Cyborg and Automated Turing Test, Cambridge Security Protocols Workshop 2006.

Recent Talks

J. Yan. The Robustness of CAPTCHAs. Computer Laboratory Security Seminar, Cambridge University, Nov 21, 2008.
J. Yan. User Authentication, Theory Meets Reality. HCI Seminar, Department of Computer Science, Bath University, Nov 18, 2008.
J. Yan. The Robustness of CAPTCHAs. Google tech talk, Pittsburgh, Nov 4, 2008.
J. Yan. Graphical Passwords: Some Recent Results. Computer Science and Engineering Departmental Seminar, Polytechnic Institute of New York University, New York City, October 27, 2008.
J. Yan. Graphical passwords: some recent results. Computer Laboratory Security Seminar, Cambridge University, December 7, 2007.
J. Yan. Do Background Images Improve "Draw a Secret" Graphical Passwords? 14th ACM Conf. on Computer and Communications Security (CCS'07), Washington DC, USA. Oct 30, 2007.
J. Yan. Usable security research at Newcastle. CMU Usable Privacy and Security Laboratory, Carnegie Mellon University, Oct 26, 2007.
J. Yan. Enhancing Signature-based Collaborative Spam Detection, Computer Laboratory Security Seminar, Cambridge University, March 31, 2006.

Incentive-compatible security

Failure of motivation also leads to security failure. Incentive compatible security design, as an emerging research topic, appears to be essential in an autonomous network environment like the Internet where many parties (or agents) involved are selfish.

XenoService

Distributed Denial of Service (DDoS) is at heart a manifestation of what economists call the "tragedy of the commons": while everyone may have an interest in protecting a shared resource (Internet security), individuals have a stronger motive to cheat (connecting insecure computers). Most of the proposed technical countermeasures would not work, as they didn't consider the incentive issue. We propose the XenoService as a distributed remedy to DDoS attacks which can be deployed in such a way as to provide effective economic incentives for the principals to behave properly.

J. Yan, S. Early and R. Anderson. The XenoService - A Distributed Defeat for Distributed Denial of Service. In Proceedings of the 3rd Information Survivability Workshop (ISW 2000), Boston, USA, October 2000. Also available from CERT. Slides.

For more information on this line of research, as well as security economics, a highly related topic, and its applications, refer to the Economics and Security Resource Page maintained by Ross Anderson.

Traditional Security Design

The design of technical mechanisms has been the traditional focus of security research. My main contribution in this aspect is the design of new techniques addressing emerging security threats, and improvement of existing security techniques.

Security for network games

The emergence of online games has fundamentally changed the traditional security requirement for computer games, which was mainly copy protection. Although online games share many security issues that other networked E-commerce applications concern, e.g., payment security and service availability, some unique characteristics of online game systems impose interesting and challenging new security requirements, which call for the novel use of existing technology and the invention of new techniques. While online games are developing into a multi-billion dollar business, their security has recently started to attract researchers' attention.

J Yan. Collusion Detection in Online Bridge , AAAI-10, Atlanta, USA. ( slides)
J. Yan and B Randell. An Investigation of Cheating in Online Games. IEEE Security & Privacy, vol. 7, no. 3, May/June 2009.
J Yan. Bot, Cyborg and Automated Turing Test, Cambridge Security Protocols Workshop 2006.
Detecting Cheaters for Multiplayer Games: Theory, Design and Implementation (with S.F. Yueng et al), IEEE NIME'06.
J. Yan and Brian Randell. A Systematic Classification of Cheating in Online Games. 4th Workshop on Network & System Support for Games (NetGames'05), IBM TJ Watson Research Center, New York, U.S.A., Oct 10-11, 2005. ACM Press.
J Yan and B Randell. Security in Computer Games: from Pong to Online Poker, CS-TR-889, School of Computing Science, Newcastle University, UK. February 2005.
J. Yan. Security Design in Online Games. In Proc. of the 19th Annual Computer Security Applications Conference (ACSAC'03), IEEE Computer Society, Las Vegas, U.S.A., December, 2003.
J. Yan and H-J Choi. Security Issues in Online Games. The Electronic Library: International Journal for the application of technology in information environments, Vol. 20 No.2, 2002, Emerald, UK. A preliminary version appears in Proceedings of the International Conference on Application and Development of Computer Games, City University of Hong Kong, HK, November 2001.

Invited Talks

J. Yan. How to publish by playing games everyday. Departmental Seminar Talk, Dept. of Computer Science, Hong Kong University of Science and Technology. March 1, 2004.

Proactive password checking and password protocols

In this work, we attack the classical proactive password checking method, which is based on dictionary attack and often fails to prevent some weak passwords with low entropy. A new approach is proposed to deal with this new class of weak passwords by (roughly) measuring entropy. A simple example is given to exploit effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive checking. We also argue why strong password authentication protocols like EKE, SRP cannot replace proactive checking, responding to Wu's proposal in NDSS'99.

J. Yan. A Note on Proactive Password Checking. In Proceedings of the 2001 ACM New Security Paradigms Workshop, New Mexico, USA, September 2001.
Better to read the updated version.

Here is a piece of related work on password security that I contributed.

Denial of Service

Although denial of service (DoS) attack has become a fast-growing concern in security research, previous work focused on a type of classical service denial caused by resource exhaustion. We look into the DoS problem (including distributed DoS) from some new angles.

J. Yan. Denial of Service: Another Example. In Proceedings of the 17th International Conference on Information Security (IFIP/SEC 2002), Cairo, Egypt, May 2002.
J. Yan, S. Early and R. Anderson. The XenoService - A Distributed Defeat for Distributed Denial of Service. In Proceedings of the 3rd Information Survivability Workshop (ISW 2000), Boston, USA, October 2000.

Others: code obfuscation for software protection, and vulnerability analysis

J. Yan. Some Experience in Code Obfuscation Approach to Software Protection. Unpublished manuscript, 1999 (A previous version was presented as a seminar in Cambridge Security Group).
J. Yan. On Buffer Overflow. Unpublished manuscript, 1999.

Applied Cryptography

Traitor tracing

Traitor tracing is an emerging but promising cryptographic method introduced to combat copyright piracy of digital media, e.g. pay-TV. One threat model considered by researchers is that traitors, who are subscribed users in a content distribution system, build pirate decoders with their legitimate decoding keys to bypass the security mechanism of the system. Many schemes were proposed to catch traitors who leak their keys, and some supported a black-box tracing paradigm. In this work, we show that a type of intelligent self-protecting pirate decoder can defeat many black-box traitor-tracing schemes.

J. Yan and Y. Wu. An Attack on A Traitor Tracing Scheme. Technical Report No. 518, Computer Laboratory, University of Cambridge, 2001. Also appears as Cryptology ePrint Archive Report 2001/067.
J. Yan and Y. Wu. An Attack on Black-box Traitor Tracing Schemes. Rump session, IEEE Symposium on Security and Privacy, Oakland, USA, May 2001. ([PS])

Invited Talks

J. Yan. Practical Security Issues in Traitor Tracing Schemes. Pure Math Seminar, Department of Mathematics, Royal Holloway, University of London, UK. Nov 13, 2001.
J. Yan. An Attack on Black-box Traitor Tracing Schemes. Cryptography and Info Security Seminar, Hewlett-Packard Labs, Bristol, UK. June 26, 2001.

Teaching highlights

2006 - : CSC8102 System Security; CSC3102 System and Network Security. Others see the school module page.
2006-07: my student, Ahmad El Ahmad, won the best MSc Dissertation prize (the Philip Merlin Prize) at Newcastle and a highly competitive ORS award.
1999 - 2003: I regularly supervised undergraduate and diploma computer science courses in Cambridge. I supervised Security and Introduction to Security in many colleges including Christ's, Churchill, Jesus and King's from 2000 to 2003, Discrete Mathematics and Programming in Java in Trinity College from 1999 to 2003.
2000: Pablo Arrighi won the best student project award at Imperial College, UK with his final year B.Eng. degree project that I advised (Pablo has now completed his Ph.D. study in Cambridge, and is a university lecturer in France).

How to contact me

Jeff Yan
School of Computing Science
University of Newcastle
Newcastle upon Tyne, NE1 7RU
United Kingdom

Email:  Jeff.Yan at ncl.ac.uk 

Phone:  +44 191 222 8010
Fax:    +44 191 222 8232