Junade Ali

Junade Ali
Junade Ali (left) with Troy Hunt
Born: 1996 (age 27–28) [1]
Nationality: British
Citizenship: United Kingdom
Known for: Cybersecurity research
Scientific career
Thesis: Cryptographic Hash-Based Anonymisation of Wireless Unique Identifiers (2022)
Doctoral advisor: Vladimir Dyo

Junade Ali CEng FIET is a British computer scientist known for research in cybersecurity. [2] [1] [3] [4] [5] [6] [7]

Education & Regulatory Registration

Ali studied for a Master of Science degree aged 17, was awarded Chartered Engineer status at 23 and became the youngest ever Fellow of the IET at 27. [2] [8] [9] [10] [11] He holds a PhD in cryptography. [12] [13]

Career

He started his research career working on the UK's Motorway Incident Detection and Automatic Signalling network and working on the maximum coverage problem in road traffic sensor placement. [14] [15] [16] [17]

Ali later worked for cybersecurity firm Cloudflare as an engineering manager where he worked on developing network diagnostic tooling, a security operations center and safety-engineered natural language processing. [18] [19] [20] [21] [22]

In February 2018, Ali created the first Compromised Credential Checking protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password was in a data breach without fully disclosing the searched password: the client sends only a short prefix of the password's hash, and the server returns every breached hash sharing that prefix, so the server never learns which password was searched. [23] [24] This protocol was implemented as a public API and is now consumed by multiple websites and services, including password managers [25] [26] and browser extensions. [27] [28] This approach was later replicated by Google's Password Checkup feature and by Apple iOS. [29] [30] [31] [32] Ali worked with academics at Cornell University to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB). [33] In March 2020, cryptographic padding was added to the protocol so that the size of a response does not reveal how many breached hashes share the queried prefix. [34] Ali's research was praised in Canadian cryptographer Carlisle Adams's book, Introduction to Privacy Enhancing Technologies. [35]
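The following is an added worked example of the range-query protocol described above; it is not code from the original page, from Cloudflare or from Have I Been Pwned. The hash function (SHA-1) and the 5-hex-character prefix follow the public Pwned Passwords API; the breach corpus, the padding target and all class and function names (`RangeServer`, `check_password`) are constructed for this illustration. Both sides of the exchange are shown: the server that indexes breached hashes by prefix and pads its answers, and the client that sends only the prefix and does the final match locally.

```python
"""Added example: k-anonymity range query for compromised-credential checking.

The client hashes the candidate password and sends only a short prefix of the
hash; the server answers with every breached hash that shares the prefix, so it
never learns which password was checked. SHA-1 and the 5-character prefix follow
the public Pwned Passwords API; the corpus, padding target and names below are
constructed for this example (assumptions, not the live service's code).
"""
import hashlib
import hmac
import secrets
import string

PREFIX_LEN = 5                 # 5 hex chars = 20 bits; one prefix bucket is the anonymity set
SUFFIX_LEN = 40 - PREFIX_LEN   # remainder of a 40-hex-char SHA-1 digest
PAD_TO = 8                     # constructed padding target; the live API pads to hundreds of rows
HEX_UPPER = set(string.hexdigits.upper())


def sha1_hex(password: str) -> str:
    """Hash the candidate password; only PREFIX_LEN characters of this leave the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus (password -> occurrence count). Not real breach data.
BREACH_CORPUS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 236_351,
    "qwerty": 3_946_737,
}


class RangeServer:
    """Server side: indexes breached hashes by prefix and answers range queries."""

    def __init__(self, corpus: dict[str, int], pad_to: int = PAD_TO) -> None:
        self.buckets: dict[str, dict[str, int]] = {}
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            self.buckets.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
        self.pad_to = pad_to

    def query(self, prefix: str, padded: bool = True) -> list[tuple[str, int]]:
        """Return (suffix, count) rows for every breached hash starting with `prefix`."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_UPPER:
            raise ValueError(f"prefix must be {PREFIX_LEN} upper-case hex characters")
        rows = list(self.buckets.get(prefix, {}).items())
        if padded:
            # Padding (added to the live protocol in March 2020): fill the response with
            # random suffixes carrying count 0 so that the response size does not reveal
            # how many real breached hashes share this prefix. Clients ignore count-0 rows.
            seen = {suffix for suffix, _ in rows}
            while len(rows) < self.pad_to:
                fake = secrets.token_hex(SUFFIX_LEN // 2 + 1).upper()[:SUFFIX_LEN]
                if fake not in seen:
                    seen.add(fake)
                    rows.append((fake, 0))
            secrets.SystemRandom().shuffle(rows)  # do not leak the position of real rows
        return rows


def check_password(server: RangeServer, password: str) -> int:
    """Client side: breach count for `password`, or 0 if it is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate, count in server.query(prefix):  # only `prefix` crosses the wire
        if count > 0 and hmac.compare_digest(candidate, suffix):
            return count
    return 0


SERVER = RangeServer(BREACH_CORPUS)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_password(SERVER, pw)} times in breaches")
```

Two properties worth checking against a real deployment: the server must reject anything that is not a prefix of the agreed length (a client that sends the full hash defeats the scheme), and the client must discard padding rows by their zero count rather than by position, since the server shuffles them in among the real entries.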

Ali conducts cybersecurity research on North Korea and provides expert commentary to journalists at NK News. [36] [37] [38] [39]

In January 2022, Ali told journalists at NK News and Reuters that he had observed North Korea's internet being taken offline in a second major outage that month following a missile test, and that the data he collected was consistent with a DDoS attack. [40] [41] [42] [43] [44] South Korean Government officials responded by saying "we are monitoring the situation under coordination with relevant government agencies," without elaborating further. [45] Wired journalist Andy Greenberg later confirmed the downtime resulted from an attack and reported that a single American hacker known by the pseudonym P4x had shared evidence of his responsibility. [46] In November 2022, news outlets reported that Ali had said that North Korea's internet was hit by the largest outages in months amid increased missile launches and other military activity, with Ali saying he'd "be surprised if this wasn't an attack". [47] [48] In 2023, Ali told reporters at NK News that North Korea faced another 'total internet outage' in advance of the reported Malligyong-1 satellite launch. [49]

Ali's consultancy clients have included cybersecurity firm Risk Ledger and engineering productivity company Haystack Analytics. [8] [50] In July 2021, Ali commissioned a study by Survation for Haystack Analytics which found that 83% of software developers were suffering from burnout. [51] [52] [53] The poll also found 57% of software engineers agreed "to a great extent" or "to a moderate extent" with the phrase "Software reliability at my workplace concerns me". [54] [55] Ali claimed this was "the first time representative opinion polling was used to understand software engineers." [56]

In November 2023, Ali served as principal investigator for an investigation by the software auditing firm Engprax, which identified that 53% of software engineers in the UK have suspected wrongdoing at work, with 75% reporting they faced retaliation the last time they reported wrongdoing to their employers. [57] [58] The research also found that Worldpay had used a gagging clause banned by the Financial Conduct Authority and shed new light on gagging clauses used by Post Office Limited during the British Post Office scandal. [59] [60] [61] [62] The research also found that the "industry-standard" DORA metrics used for evaluating the DevOps performance of engineering teams solely measured factors that both software engineers and the wider public thought were least important when using computer systems. [63]

During the COVID-19 pandemic, Ali worked on security improvements to the (Google/Apple) Exposure Notification system used to create public health contact tracing apps. [64] [7]

Selected publications

References

  1. CEng registration number 673221. https://www.engc.org.uk/regcheck
  2. "From apprentice to Chartered Engineer: at just 24". theiet.org. Retrieved 29 January 2022.
  3. Hollister, Sean (7 August 2020). "Have I Been Pwned – which tells you if passwords were breached – is going open source". The Verge. Retrieved 29 January 2022.
  4. Oshin, Olafimihan (26 January 2022). "Cyberattack suspected in North Korean internet outage". The Hill.
  5. Marks, Joseph (27 January 2022). "Analysis | The administration wants to prevent an attack on water supplies". The Washington Post. Retrieved 29 January 2022.
  6. Saran, Cliff. "Team leaders urged to address developer mental health". Computer Weekly. Retrieved 29 January 2022.
  7. Dodds, Io (22 January 2023). "How faulty software has left society on the edge of disaster". The Independent. Retrieved 29 January 2023.
  8. "Junade Ali". leaddev.com. Retrieved 29 January 2022.
  9. "Computer scientist from Rugby named the youngest ever Fellow of the Institution of Engineering and Technology". Rugby Observer. Retrieved 27 June 2023.
  10. Newmond, Jeff (26 June 2023). "IET Fellow Junade Ali Becomes Youngest Member Ever". BusinessMole. Retrieved 27 June 2023.
  11. "Dr Junade Ali newly named youngest IET Fellow". theiet.org. Retrieved 4 July 2023.
  12. Saran, Cliff. "A non-conventional career journey into IT security". Computer Weekly. Retrieved 27 August 2023.
  13. Ali, Junade (2022). "Cryptographic hash-based anonymisation of wireless unique identifiers". British Library EThOS. British Library. Retrieved 27 August 2023.
  14. Smedley, Peggy (8 April 2021). "Are Software Engineers Burned Out?". Connected World. Archived from the original on 1 September 2021. Retrieved 8 April 2021.
  15. Velisavljevic, Vladan; Cano, Eduardo; Dyo, Vladimir; Allen, Ben (December 2016). "Wireless Magnetic Sensor Network for Road Traffic Monitoring and Vehicle Classification". Transport and Telecommunication Journal. 17 (4): 274–288. doi:10.1515/ttj-2016-0024. hdl:10547/622026. S2CID 113767695.
  16. Ali, Junade; Dyo, Vladimir (2017). "Coverage and Mobile Sensor Placement for Vehicles on Predetermined Routes: A Greedy Heuristic Approach". Proceedings of the 14th International Joint Conference on e-Business and Telecommunications. pp. 83–88. doi:10.5220/0006469800830088. hdl:10547/622159. ISBN 978-989-758-261-5.
  17. Ali, Junade; Dyo, Vladimir; Zhang, Sijing (October 2020). "Battery-assisted Electric Vehicle Charging: Data Driven Performance Analysis". 2020 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe). pp. 429–433. arXiv:2010.14455. doi:10.1109/ISGT-Europe47291.2020.9248941. ISBN 978-1-7281-7100-5. S2CID 225075890.
  18. Ali, Junade (2019). "Support Operations Engineering: Scaling Developer Products to the Millions". SRECon 2019. USENIX. Retrieved 29 January 2022.
  19. Pikies, Malgorzata; Ali, Junade (April 2019). "String similarity algorithms for a ticket classification system". 2019 6th International Conference on Control, Decision and Information Technologies (CoDIT). pp. 36–41. doi:10.1109/CoDIT.2019.8820497. ISBN 978-1-7281-0521-5. S2CID 201832895. Retrieved 29 January 2022.
  20. Pikies, Malgorzata; Ali, Junade (1 July 2021). "Analysis and safety engineering of fuzzy string matching algorithms". ISA Transactions. 113: 1–8. doi:10.1016/j.isatra.2020.10.014. ISSN 0019-0578. PMID 33092862. S2CID 225051510. Retrieved 29 January 2022.
  21. Pikies, Malgorzata; Riyono, Andronicus; Ali, Junade (24 September 2020). "Novel Keyword Extraction and Language Detection Approaches". arXiv:2009.11832 [cs.CL].
  22. Ali, Junade; Pikies, Malgorzata (2021). "Password Authentication Attacks at Scale". AETA 2019 – Recent Advances in Electrical Engineering and Related Sciences: Theory and Application. Lecture Notes in Electrical Engineering. Vol. 685. Springer International Publishing. pp. 394–403. doi:10.1007/978-3-030-53021-1_40. ISBN 978-3-030-53020-4. S2CID 224838150. Retrieved 29 January 2022.
  23. "Find out if your password has been pwned—without sending it to a server". Ars Technica. Retrieved 24 May 2018.
  24. "1Password bolts on a 'pwned password' check". TechCrunch. 23 February 2018. Retrieved 24 May 2018.
  25. "1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online". Retrieved 24 May 2018.
  26. Conger, Kate. "1Password Helps You Find Out if Your Password Is Pwned". Gizmodo. Retrieved 24 May 2018.
  27. Condon, Stephanie. "Okta offers free multi-factor authentication with new product, One App". ZDNet. Retrieved 24 May 2018.
  28. Coren, Michael J. "The world's biggest database of hacked passwords is now a Chrome extension that checks yours automatically". Quartz. Retrieved 24 May 2018.
  29. Wagenseil I, Paul (5 February 2019). "Google's New Chrome Extension Finds Your Hacked Passwords". laptopmag.com.
  30. "Google Launches Password Checkup Extension to Alert Users of Data Breaches". BleepingComputer.
  31. Dsouza, Melisha (6 February 2019). "Google's new Chrome extension 'Password CheckUp' checks if your username or password has been exposed to a third party breach". Packt Hub.
  32. Hunt, Troy (7 August 2020). "I'm Open Sourcing the Have I Been Pwned Code Base". Troy Hunt. Retrieved 29 January 2022.
  33. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (6 November 2019). "Protocols for Checking Compromised Credentials". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 1387–1403. arXiv:1905.13737. Bibcode:2019arXiv190513737L. doi:10.1145/3319535.3354229. ISBN 978-1-4503-6747-9. S2CID 173188856.
  34. Ali, Junade (4 March 2020). "Pwned Passwords Padding (ft. Lava Lamps and Workers)". The Cloudflare Blog. Retrieved 12 May 2020.
  35. Adams, Carlisle (2021). Introduction to Privacy Enhancing Technologies. Springer. doi:10.1007/978-3-030-81043-6. ISBN 978-3-030-81042-9. S2CID 240157551. Retrieved 29 January 2022.
  36. Choy, Min Chao (26 February 2021). "North Korean hackers breached sensitive defense network at Russian firm". NK PRO. Retrieved 29 January 2022.
  37. Weisensee, Nils (2 April 2021). "North Koreans sharpen their cyberskills at online coding competitions". NK PRO.
  38. Weisensee, Nils (25 May 2021). "North Korean websites go dark after botched server upgrade". NK News. Retrieved 29 January 2022.
  39. Referenced in 13 articles from February 2021 to January 2022: https://www.nknews.org/?s=Junade+Ali
  40. Weisensee, Nils (26 January 2022). "DDOS attack cuts off North Korea's internet after fifth missile test". NK PRO. Retrieved 29 January 2022.
  41. Shull, Abbie. "North Korea recently disappeared from the internet for a little while, and it looks like it has happened again". Business Insider.
  42. "North Korean Internet downed by suspected cyber attacks: Researchers". CNA.
  43. Ward, Er; Thompson, Alex; Forgey, Quint. "The NSC's weekly Ukraine crisis club". Politico.
  44. Smith, Josh (26 January 2022). "N.Korean internet downed by suspected cyber attacks -researchers". Reuters. Retrieved 2 February 2022.
  45. "Seoul monitoring situation after N. Korea hit by suspected cyber attack". The Korea Herald. Yonhap. 27 January 2022. Retrieved 29 January 2022.
  46. Greenberg, Andy. "North Korea Hacked Him. So He Took Down Its Internet". Wired. Retrieved 2 February 2022.
  47. Smith, Josh (17 November 2022). "North Korea's internet temporarily knocked offline, researcher says". Reuters. Retrieved 29 January 2023.
  48. Jowitt, Tom (17 November 2022). "North Korea's Internet Knocked Offline". Silicon UK. Retrieved 29 January 2023.
  49. Reddy, Shreyas (29 May 2023). "'Total internet outage' hits North Korea in possible attack, expert says". NK PRO. Retrieved 27 June 2023.
  50. "Junade Ali". Retrieved 29 January 2022.
  51. Anderson, Tim. "Report: 83% of UK software engineers suffer burnout, COVID-19 made it worse". The Register. Retrieved 29 January 2022.
  52. Hughes, Owen. "Developers are exhausted. Here's what needs to change". ZDNet. Retrieved 29 January 2022.
  53. Millman, Rene. "83% of developers suffer from burnout". IT PRO. Retrieved 29 January 2022.
  54. Farrell, Nick. "Software reliability a key problem during 2021". fudzilla.com. Retrieved 29 January 2022.
  55. Fadilpašić, Sead (1 October 2021). "Software reliability has become a bigger issue for developers". ITProPortal. Retrieved 29 January 2022.
  56. Ali, Junade. "How to prevent developer burnout". Computer Weekly. Retrieved 29 January 2022.
  57. Clark, Lindsay. "Three quarters of software engineers face retaliation for whistleblowing". The Register. Situation Publishing. Retrieved 5 December 2023.
  58. Collins, Benedict (20 November 2023). "Retaliation, gagging, flawed oversight – Software engineers face backlash if they report wrongdoing". TechRadar. Retrieved 5 December 2023.
  59. Woollacott, Emma (21 November 2023). "Workplace retaliation is stopping software engineers from speaking out over malpractice". ITPro. Retrieved 5 December 2023.
  60. Mitchell, Sean. "Unethical activities found prevalent in UK software engineering industry". IT Brief UK. Retrieved 5 December 2023.
  61. Turner, Graham (20 November 2023). "Report: Software Engineers Face Backlash for Reporting Wrongdoing". DIGIT. Retrieved 5 December 2023.
  62. Carr, Mathew (1 December 2023). "More than half of software developers suspect wrongdoing at work; 75% receive retaliation for speaking out". CarrZee Carbon. Retrieved 5 December 2023.
  63. Saran, Cliff. "Software engineers worry about speaking out". Computer Weekly. Retrieved 5 December 2023.
  64. Ali, Junade; Dyo, Vladimir (January 2021). "Cross Hashing: Anonymizing encounters in Decentralised Contact Tracing Protocols". 2021 International Conference on Information Networking (ICOIN). pp. 181–185. doi:10.1109/ICOIN50884.2021.9333939. ISBN 978-1-7281-9101-0. S2CID 218889457.
  65. Ali, Junade; Dyo, Vladimir (2020). "Practical Hash-based Anonymity for MAC Addresses". Proceedings of the 17th International Joint Conference on e-Business and Telecommunications. pp. 572–579. arXiv:2005.06580. doi:10.5220/0009825105720579. ISBN 978-989-758-446-6. S2CID 218629946. Retrieved 29 January 2022.
  66. Ali, Junade (2016). Mastering PHP Design Patterns: Develop Robust and Reusable Code Using a Multitude of Design Patterns for PHP 7. Packt Publishing. ISBN 9781785887130. Retrieved 29 January 2022.