November 15, 2015

the Satoshi effect - Bitcoin paper success against the academic review system

One of the things that has clearly outlined the dilemma for the academic community is that papers that are self-published, or "informally published" to borrow a slur from the inclusion market, are making some headway, at least if the Bitcoin paper is a guide to go by.

Here's a quick straw poll checking a year's worth of papers. In the narrow field of financial cryptography, I trawled through the FC 2009 conference proceedings and WEIS 2009. For cryptology in general I added Crypto 2009. I used Google Scholar to report direct citations, and checked what I'd found against Citeseer. (I also added the number of citations for the top citer in the rightmost column, as an additional check; you can mostly ignore that number.) I came across Wang et al.'s 2005 paper on SHA-1, and a few others from the early 2000s, and added them for comparison; I'm unsure what other crypto papers are as big in the 2000s.

Conf        | Paper                                                                                          | Google Scholar | Citeseer | Top derivative citations
jMLR 2003   | Latent dirichlet allocation                                                                    | 12788          | 2634     | 26202
NIPS 2004   | MapReduce: simplified data processing on large clusters                                        | 15444          | 2023     | 14179
CACM 1981   | Untraceable electronic mail, return addresses, and digital pseudonyms                          | 4521           | 1397     | 3734
self        | Security without identification: transaction systems to make Big Brother obsolete             | 1780           | 470      | 2217
Crypto 2005 | Finding collisions in the full SHA-1                                                           | 1504           | 196      | 886

SIGKDD 2009 | The WEKA data mining software: an update                                                       | 9726           | 704      | 3099
STOC 2009   | Fully homomorphic encryption using ideal lattices                                              | 1923           | 324      | 770
self        | Bitcoin: A peer-to-peer electronic cash system                                                 | 804            | 57       | 202
Crypto09    | Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions           | 445            | 59       | 549
Crypto09    | Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems   | 223            | 42       | 485
Crypto09    | Distinguisher and Related-Key Attack on the Full AES-256                                       | 232            | 29       | 278
FC09        | Secure multiparty computation goes live                                                        | 191            | 25       | 172
WEIS 2009   | The privacy jungle: On the market for data protection in social networks                       | 186            | 18       | 221
FC09        | Private intersection of certified sets                                                         | 84             | 24       | 180
FC09        | Passwords: If We're So Smart, Why Are We Still Using Them?                                     | 89             | 16       | 322
WEIS 2009   | Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy | 82             | 24       | 275
FC09        | Optimised to Fail: Card Readers for Online Banking                                             | 80             | 24       | 226

What can we conclude? Within the general infosec/security/crypto field in 2009, the Bitcoin paper is the second paper after Fully homomorphic encryption (which is probably not even in use?). If one includes all CS papers in 2009, then it's likely pushed down 100 or so slots according to Citeseer, although I didn't run that test.

If we go back in time there are many more influential papers by citations, but older papers have clearly had more time to accumulate them. There may well be others I've missed, but so far we're looking at one of a very small handful of very significant papers, at least in the cryptocurrency world.

It would be curious if we could measure the impact of self-publication on citations - but I don't see a way to do that as yet.

Posted by iang at 11:34 AM | Comments (0)

Ledger - a journal for cryptocurrency papers

"Ledger" was recently announced as a journal for cryptocurrency papers, and the timing was rather spectacular. Everyone agrees this is a good idea.

Today I had a look, because I and some friends have some papers that might be published there. Several things reached out, so I thought I'd put them out here and see if they resonate.

1. The Ledger team seem to have taken on some criticism of the academic process and gone for more openness in several areas:

  • Ledger has created a peer review system where reviews are publishable by authors. What Ledger have done is ensured that reviewers can be published and held accountable for their reviews. This should go some way to stopping academic cliques building up, a fate that I can attest to directly.

  • Papers are CC-licensed so immediately and popularly available. Discourse is well served. I am not sure where the others are now, but I've had my arguments in the past with the proxies of Springer-Verlag wanting to own my mind. Those days are dead.

  • Fast turnarounds are promised.

2. Business-wise, Ledger is a direct competitor to existing forums Financial Cryptography (the conference) and to a lesser extent WEIS. Now, this is fine in my view as (a) the space has massively enlarged from the niche it once was, and we can easily support more forums, and (b) Ledger is oriented to the paper distribution process whereas others are primarily presentation-oriented and networking. Also (c) the founder and coiner of Financial Cryptography, Bob Hettinga, always made clear that this was a competitive market ;)

3. It is not immediately clear who the reviewers are. While the core might be its Editorial base, the asset of a peer-reviewed journal is its hardworking reviewers. Specifically, the asset can be attached.

4. And, immediately the attachment begins. If you look at the Editor's page, they have fallen into the same trap as the financial cryptography conference fell into in 1998 - academic control. Of the very long list of fine editors, only a tiny minority are outside the University system by either affiliation or title. Whatever you think of the academic world, it is very clear that it is a discriminatory system, and many fine contributions are squashed or stolen for it.

5. In which world, reputation and cites rule. Which leads to anonymous authorship:

Under extenuating circumstances, the journal may permit authors to publish under a pseudonym. Authors should include a statement describing why they wish to remain anonymous at the time of article submission. Only manuscripts where quality can be judged exclusively from the content presented in the paper, and where the scope of any conflict of interest problems would be limited (should they exist), will be considered for anonymous authorship.

Ledger are clearly skeptical of the notion of anonymous authorship because as academics they are so used to leaning on the reputation of the author. A bad paper by a leading author always trumps a good paper by an unknown, and it is practically the law that the profs must co-author the papers of the candidates so as to cross that barrier.

Ledger are thus clearly skeptical that the paper's words mean much independently of the author's reputation. That leaves it at odds with the Bitcoin community as it is, because under those rules Satoshi's paper would not have been published, and we'd not be having these discussions. Now, it's fine for them to do this, but what I'd point out here is that this is further evidence of 4. above: academics setting themselves up to capture cites.

6. In not charging for papers, nor distribution & access, the Ledger has a clear financial business problem. It (probably) relies entirely on two sources: the volunteer time of reviewers, and the paid salary of academics.

The nature of scientific enquiry has moved on since the days of the controlled paper distribution. All papers from now on must be free of economic control, or we get the Satoshi effect - the most important paper in the field was never published in a forum, because under the rules of all the forums, it could not be published. The old forums out there had economic controls, and those controls were captured by the very people who could benefit from the controls - cites are promotions are money, and paper is trees is subscriptions.

Ledger presents the disturbing academic dilemma in a nutshell. The Internet has solved the paper-subscription economic barrier, but not the citation-peer-review circle. And, it leans very heavily on academics on salary, which is the other side of the same coin - what is the economic model that both sustains the machine, and rewards the quality?

If you're thinking I'm arguing both sides of this - you're right. I can see the problem. I don't have the answers - unless you want something superficial like "publish papers on the blockchain!" But we won't find the answers until we understand the problems.

Posted by iang at 10:38 AM | Comments (2)

November 04, 2015

FC wordcloud

Courtesy of statistical analysis over this site by Uyen Ng.

Posted by iang at 02:39 PM | Comments (0)

October 25, 2015

When the security community eats its own...

If you've ever wondered what that Market for Silver Bullets paper was about, here's Pete Herzog with the easy version:

When the Security Community Eats Its Own


The CEO of a Major Corp. asks the CISO if the new exploit discovered in the wild, Shizzam, could affect their production systems. He said he didn't think so, but just to be sure he said they will analyze all the systems for the vulnerability.

So his staff is told to drop everything, learn all they can about this new exploit and analyze all systems for vulnerabilities. They go through logs, run scans with FOSS tools, and even buy a Shizzam plugin from their vendor for their AV scanner. They find nothing.

A day later the CEO comes and tells him that the news says Shizzam likely is affecting their systems. So the CISO goes back to his staff to have them analyze it all over again. And again they tell him they don’t find anything.

Again the CEO calls him and says he’s seeing now in the news that his company certainly has some kind of cybersecurity problem.

So, now the CISO panics and brings on a whole incident response team from a major security consultancy to go through each and every system with great care. But after hundreds of man hours spent doing the same things they themselves did, they find nothing.

He contacts the CEO and tells him the good news. But the CEO tells him that he just got a call from a journalist looking to confirm that they’ve been hacked. The CISO starts freaking out.

The CISO tells his security guys to prepare for a full security upgrade. He pushes the CIO to authorize an emergency budget to buy more firewalls and secondary intrusion detection systems. The CEO pushes the budget to the board who approves the budget in record time. And almost immediately the equipment starts arriving. The team works through the nights to get it all in place.

The CEO calls the CISO on his mobile – rarely a good sign. He tells the CISO that the NY Times just published that their company allegedly is getting hacked Sony-style.

They point to the newly discovered exploit as the likely cause. They point to blogs discussing the horrors the new exploit could cause, and what it means for the rest of the smaller companies out there who can’t defend themselves with the same financial alacrity as Major Corp.

The CEO tells the CISO that it's time they bring in the FBI. So he needs him to come explain himself and the situation to the board that evening.

The CISO feels sick to his stomach. He goes through the weeks of reports, findings, and security upgrades. Hundreds of thousands spent and - nothing! There's NOTHING to indicate a hack or even a problem from this exploit.

So wondering if he’s misunderstood Shizzam and how it could have caused this, he decides to reach out to the security community. He makes a new Twitter account so people don’t know who he is. He jumps into the trending #MajorCorpFail stream and tweets, "How bad is the Major Corp hack anyway?"

A few seconds later a penetration tester replies, "Nobody knows xactly but it’s really bad b/c vendors and consultants say that Major Corp has been throwing money at it for weeks."

Posted by iang at 06:04 AM | Comments (0)

October 22, 2015

Iceland puts more bankers in jail... what's your solution to the financial crisis?

In the crisis that just won't go away - we're effectively in depression but no politician can stay elected on that platform - one of the most watched countries is Iceland.

Iceland sentences 26 bankers to a combined 74 years in prison
James Woods, October 21, 2015

Unlike the Obama administration, Iceland is focusing on prosecuting the CEOs rather than the low-level traders.

In a move that would make many capitalists' head explode if it ever happened here, Iceland just sentenced their 26th banker to prison for their part in the 2008 financial collapse.

In two separate Icelandic Supreme Court and Reykjavik District Court rulings, five top bankers from Landsbankinn and Kaupthing — the two largest banks in the country — were found guilty of market manipulation, embezzlement, and breach of fiduciary duties. Most of those convicted have been sentenced to prison for two to five years. The maximum penalty for financial crimes in Iceland is six years, although their Supreme Court is currently hearing arguments to consider expanding sentences beyond the six year maximum.

Now, my argument here is the same as with the audit cycle: if so much was so wrong, surely some bankers in USA and Europe should have been prosecuted and put in jail even by accident?

But, no, nothing. A few desultory insider trading hits, but on the whole, a completely clean pass for the major banks. Coupled with direct bankruptcy bailouts, and the follow-on enormous bailout of QE*, which transferred capital into the banks under the deceptive plan of "re-inflating industry", we have a rather unfortunate situation:

No punishment means no sin, right?

It is no wonder that the public at large are unhappy with banking in general and are willing to entertain such way-out ideas as blockchain. Credibility is a huge issue:

When Iceland's President, Olafur Ragnar Grímsson, was asked how the country managed to recover from the global financial disaster, he famously replied,

"We were wise enough not to follow the traditional prevailing orthodoxies of the Western financial world in the last 30 years. We introduced currency controls, we let the banks fail, we provided support for the poor, and we didn’t introduce austerity measures like you're seeing in Europe."

A great time to be an economic historian. A middling time to be an economist. Terrible time to be a regulator?

Posted by iang at 06:54 AM | Comments (0)