
Publication


Featured research published by Michael Sonntag.


software engineering and advanced applications | 2006

Ajax Security in Groupware

Michael Sonntag

Ajax is a new model for Web applications to provide more responsive and faster user interfaces resembling more closely that of applications. Typical usage areas are user input validation without page submission, integrating small elements from several servers on a single page, and simulating push-services. Especially the latter are promising for enhancing groupware applications and for realizing them directly in browsers without plug-ins or additional software. The Ajax programming model introduces new security issues, which could be especially dangerous as they were not fully accounted for in previous threat models or considered as of less importance. This paper investigates the security implications of Ajax and discusses possible solutions with a special focus on the context of groupware. It explains security issues which are inherent to the Ajax programming model or are exacerbated through it, and which especially affect cooperative application


Operating Systems Review | 2000

Mobile agent security based on payment

Michael Sonntag; R. Hörmanseder

Mobile agents are autonomous entities that handle tasks for their owner. Agents act on their own by reacting to changes and by planning their course of action. These agents can move from one server to another. In the future, agents will also be supplied with real money in some form to pay for resources or services. In this paper we discuss a dynamic security architecture, in which permissions are assigned in exchange for information (money). The decision as to which permissions are available, as well as how much they cost, is based on the source of the code, the owner/user of the code and what other information the agent is willing (or able) to provide. We discuss the advantages and limitations of assessing permissions in monetary terms, rather than binary granting or denial of permissions according to pre-set classes. A test-framework has been implemented using Java.


electronic government | 2003

Legal Aspects of One-Stop Government: The Case of Applying for a Building Permission

Michael Sonntag; Maria A. Wimmer

Online one-stop government is a current development of public administrations for offering services and information through a single point of access in cyberspace. Current developments implement initial information and download of forms as well as delivery service and associated payments. Since the legal frame is the basis for governmental activity, legal regulations have to be thoroughly studied for online service delivery. In this paper, we investigate the Austrian laws for the case of online one-stop government service provision in general, especially in the area of electronic service of official documents (when allowed, how, what remedies are available in case of errors, etc.). We detail the legal aspects with the official proceeding of a building permission.


Applied Artificial Intelligence | 2006

AGENTS AS WEB SERVICE PROVIDERS: SINGLE AGENTS OR MAS?

Michael Sonntag

Agents are good tools for providing Web services. They are usually either single agents, where one agent provides one or multiple services, or multiple individual agents that are discovered using UDDI. But then also a singular recipient is determined for fulfilling actual requests. This is well suited for smaller services, which are provided by a single, but perhaps complex, agent by itself. However, more difficult tasks will usually be solved by a system of agents. There, in some cases, an initial single point of contact will be useful, preventing exposure of individual service agents. Later on communication takes place with the specific agents directly, avoiding the bottleneck of a single “gateway” agent. Some guidelines when a single agent view is desirable and when exposing the system of agents is better suited are presented with the combination of both aspects through a gateway agent. Currently the latter approach is possible only through the application requesting the service itself. In this paper an extension to SOAP is presented, allowing redirection of Web service requests to another recipient by the (initial) service provider. An application is presented where redirection is used to distribute tasks to individual agents.


cyberworlds | 2010

An Approach to Secure Mobile Agents in Automatic Meter Reading

Najmus Saqib Malik; Friederich Kupzog; Michael Sonntag

The mobile agent is a suitable paradigm to collect information from multiple sites in a distributed environment. As compared to other technologies, mobile agents can be used beneficially for Automatic Meter Reading (AMR) and to measure power quality information at each energy meter. Since a meter contains an embedded system, the choice of agent platform for such an application is very important. This article investigates different methods from the literature that use the mobile agent paradigm for the AMR process. It proposes a method that reduces the total security computation cost which is incurred in the AMR process. In this method, energy meters are organized in the form of a group based upon the geographical location. In one such location, energy meters perform their jobs under a security manager. In this method, the concept of a local mobile agent is proposed to avoid the visit of an external mobile agent to energy meters directly. The local mobile agent carries the acceptable queries from the security manager and visits energy meters. This article uses mathematical modeling to represent the security computation cost incurred by each method from the literature and compares it with the proposed method. It is concluded that the proposed mechanism reduces the security computation cost considerably, compared to other methods.


software engineering and advanced applications | 2005

Interest derivation through keywords

Michael Sonntag; Andreas Putzinger

E-learning is often the equivalent of a conventional text-book: Identical for all learners. Instead, it should be more like a classroom, where a teacher adapts some, but not all, elements of teaching for each learner individually. For this, interests of students must be identified. An online learning platform was enhanced through agents to derive keywords from the material contained and identify a sub-set of interesting ones for each learner based on his/her actions. These are then used for automatic notifications on interesting events. Key findings from the first course held with support of this system are presented in this paper and possibilities for further enhancements discussed.


international conference on industrial informatics | 2008

Domain based security for mobile agents

Najmus Saqib Malik; Friedrich Kupzog; Michael Sonntag

Mobile agent technology has many benefits but it suffers from the possibility of security breaches by agent platforms. In this paper, an infrastructure is proposed to secure mobile agents from the agent platform they reside on, which is especially suited for industrial automation devices having low computational resources. In this infrastructure, a security guider bank (SGB) serves a group of agent platforms (AP), which is called a domain. The SGB maintains information about the domain, which is used by mobile agents to decide whether it is safe to visit the domain or not. This information is represented as vulnerability levels and reputation values. With this domain-based approach the turnaround time of agents is considerably reduced. Instead of collecting reputation information from each platform, the agent can use the cumulative history at the SGB. The SGB also maintains a copy of mobile agents during their visit of a domain, so that they can be renewed if altered by any AP during their journey. It recalculates vulnerability levels and reputation values after a specified amount of time or after the execution of a mobile agent at each agent platform. This scheme is able to detect as well as prevent - to some extent - malicious changes of mobile agents.


software engineering and advanced applications | 2007

Interactivity in Legal Web Courses through Direct Response Systems

Michael Sonntag

A typical difficulty in lectures held over the Web is a lack of interactivity. Although ICT usually provides two-way communication, it is still reduced in modality compared to presence courses. This is problematic in the area of legal teaching, especially in practices where the typical didactic setting is discussing cases. Enhancing the reverse communication direction, from learners to the teacher, is possible through direct response systems, which are known from classroom settings. Transferred to the Web these can be modeled as brief surveys. Through formalized feedback they provide teachers with a summary of the learners' understanding, and learners with some self-assessment. Such a didactic tool has been successfully employed in the practice part of a legal course. This paper reports results of the accompanying study, identifies different learner groups and the influence of this approach on their learning, and proposes improvements.


international conference on information systems security | 2017

Traffic Statistics of a High-Bandwidth Tor Exit Node.

Michael Sonntag; René Mayrhofer

The Tor anonymization network supports (and is widely used for) circumventing censorship, evading intrusive mass-surveillance, and generally protecting privacy of Internet users. However, it also carries traffic that is illegal in various jurisdictions. It is still an open question how to deal with such illegal traffic in the Tor network, balancing the fundamental human right for privacy with the need for assisting executive forces. By operating and monitoring a high-bandwidth Tor exit node as both a technical and legal experiment, we statistically analyse where popular servers are located and how they are used based on connection metadata of actual exit node usage. Through this we identify inter alia that cooperation only in comparatively few countries would be needed – or any illegal use would be very small. In this paper, we provide more in-depth statistical insight into Tor exit node traffic than previously publicly available.


Proceedings. 30th Euromicro Conference, 2004. | 2004

Voluntariness of permissions required for security measures

Michael Sonntag

Employing security measures is a common practice for companies. However, some security measures intrude upon personal rights of employees e.g. privacy, their personal life, or dignity. In these cases their consent is required. But usually there exists quite an imbalance of power and information between both parties. As fundamental rights in certain cases even protect someone from him/herself, not everywhere giving consent is possible. This work discusses different forms of protections in Austria and a common feature, means, properties and their relation, in more detail. As example, filtering personal e-mail of employees and intrusion detection systems are discussed briefly.

Collaboration


Dive into Michael Sonntag's collaboration.

Top Co-Authors

Andreas Putzinger

Johannes Kepler University of Linz

Maria A. Wimmer

University of Koblenz and Landau

Najmus Saqib Malik

COMSATS Institute of Information Technology

Alexandros Paramythis

Johannes Kepler University of Linz

Friederich Kupzog

Austrian Institute of Technology

Friedrich Kupzog

Vienna University of Technology

R. Hörmanseder

Johannes Kepler University of Linz
