Archive for the ‘University’ Category

Ross Anderson 1956-2024

Friday, March 29th, 2024

My first interaction with Ross was through his work. In my second year at university a PhD student (David Simner) suggested that reading Ross’ textbook “Security Engineering” was good preparation, and so over the course of a few weeks that autumn I read it cover to cover. Now I am a Senior Lecturer in cybersecurity, and one of the places that began was there. I still recommend that anyone involved in security read the latest edition of that book, because of the way it so clearly and accessibly explains and systematises such a huge breadth of important topics in cybersecurity.

Later Ross was my lecturer, explaining so much, so clearly and engagingly. In those days I still found Ross a little intimidating, but as I got to know him better I discovered how warm, friendly, and caring he was. He became my great grand PhD supervisor (Alastair Beresford <- Frank Stajano <- Ross Anderson), my co-lecturer, my PI, my co-author, my co-conspirator, and my friend.

So many people owe so much to Ross. His broad understanding of cybersecurity that proactively drew in other disciplines and created fields like security economics. His commitment to civil society through the cryptowars, patient privacy, government IT, and civil liberties. His commitment to his family and friends, and his support for disadvantaged people. While much of what he did was very public, some of the most important things were only visible if you got close to him.

He made a huge difference to the careers of many people (including my own), with many of his PhD students and postdocs going on to obtain faculty positions internationally, or other senior roles where they have in turn had a huge impact. He supported a diversity of thought and brought people into the department from a range of disciplines, helping to redefine what computer science is.

He had a huge impact on the University of Cambridge (once named the “most powerful person”) through a range of campaigns and several terms on the University Council. He was ever a critical friend of the Vice Chancellor and played an important role in uncovering various kinds of corruption, mismanagement and discrimination. I learnt a lot from him through that. For a while he chaired the Cycling and Walking Sub Group of the Transport Working Group of which I was secretary. I think our first formal joint work was our proposed policy on cycling and walking, which was completely ignored by the University. He fought with me for the rights of postdocs to continue to be allowed to vote in University democracy (we lost). He was always someone you wanted by your side in a fight.

Ever one to have a memorable turn of phrase, one of the things he achieved in his battles with the central administrators was to plant a little ghost of himself in their heads so that every time they thought of doing something silly (e.g. on IP) the ghost would remind them of what response that would get and so put them off. This saved him a lot of time.

Another memorable description was of the zombie government policies on cryptography, or ID cards, or NHS IT. Ross and others would keep killing these policies off, carrying them away with great fanfare and burying them deep under the ground. Only for the policies to claw their way back out again after the next election.

One of our many great losses is that we will no longer have Ross in our ranks as we fight these good fights. However, many of us carry the memory of Ross, and a model of what he might do. Not that we should necessarily do the same thing, but it is often a helpful starting point.

One of his last battles with the central administrators was over Cambridge’s mandatory retirement age. He didn’t want to retire as he had so much left to do. While he was forced to partially retire in 2023 he had not given up on returning to full time pay (he was still doing full time work). That injustice remains for others to right.

I had hoped that the next government would live to regret appointing Ross to the House of Lords; he would have been good at that and caused some good trouble.

He was not perfect, like all of us he made mistakes, and sometimes enemies, but he was our friend and we loved him. We will miss him. He leaves both a void and a great many people who he trained to fill it.

There is much more I could say and much worth saying that I do not know. He did a lot. He was a giant and he helped us stand on his shoulders. He showed us that humans could be heroes.

21st International Workshop on Security Protocols

Wednesday, March 20th, 2013

For the last couple of days I have been at the Security Protocols Workshop which was conveniently located a short cycle ride away. I thoroughly enjoyed it and will definitely be coming back next year (hopefully with a short paper to present). I want to mention some of my favourite new (to me) ideas which were presented. I am only covering them briefly so if it looks interesting go and read the paper (when it comes out at some unspecified point in the future or find someone with a copy of the pre-proceedings).

Towards new security primitives based on hard AI problems – Bin B. Zhu, Jeff Yan

The core idea here is that if there are problems which computers can’t solve but humans can (e.g. 2D Captchas) then these can be used to let humans input their passwords etc. in such a way that a computer trying to input passwords has no idea what password it is inputting (CaRP). This means that on each attempt the attacker gains nothing because they don’t know what password they tried: they just sent a random selection of click events, which the server then interpreted as a password using information that the attacker does not have without human assistance. This helps against online brute force attacks, particularly distributed attacks, which are hard to counter with blacklisting without also locking the legitimate user out. It also helps as part of the ‘authentication is machine learning’ approach, as accounts which are flagged as being used suspiciously can be required to log in using a CaRP, which requires human input and so mitigates automated attacks in a similar way to requiring the use of a mobile number and sending it a text (though it is less strong than that – it does require less infrastructure). Additionally I think that if a particular Captcha scheme is broken then the process of breaking each one will still be computationally intensive and so this should still rate limit the attacker.
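A toy model of the click-based login described above, added here as an illustration and not taken from the paper. The per-challenge symbol layout, the `CarpServer` class and `human_clicks` (standing in for a person reading the Captcha image) are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, one per cell


def new_layout(rng=None):
    """Random placement of every symbol; cell i of the image shows layout[i]."""
    rng = rng or secrets.SystemRandom()
    layout = list(ALPHABET)
    rng.shuffle(layout)
    return layout


def decode(layout, clicks):
    """Server side: turn clicked cell numbers back into the typed string."""
    return "".join(layout[c] for c in clicks)


def human_clicks(layout, password):
    """Stand-in for a person reading the distorted image and clicking."""
    return [layout.index(ch) for ch in password]


class CarpServer:
    def __init__(self):
        self._users = {}    # user -> (salt, password hash)
        self._pending = {}  # challenge id -> (user, layout), single use

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def start_login(self, user, layout=None):
        """Issue a fresh challenge. Only the rendered image would leave the
        server; the layout list itself stays here."""
        cid = secrets.token_hex(8)
        self._pending[cid] = (user, layout or new_layout())
        return cid

    def layout_for_human(self, cid):
        """Models what a person can read off the image and a bot cannot."""
        return self._pending[cid][1]

    def finish_login(self, cid, clicks):
        pending = self._pending.pop(cid, None)  # a challenge is never reused
        if pending is None:
            return False
        user, layout = pending
        record = self._users.get(user)
        if record is None or any(not 0 <= c < len(layout) for c in clicks):
            return False
        salt, stored = record
        guess = self._hash(decode(layout, clicks), salt)
        return hmac.compare_digest(guess, stored)


def replayed_clicks_as_seen_by_server(clicks, layouts):
    """What one fixed click sequence 'types' under each challenge layout.
    The sender of the clicks never learns these strings."""
    return [decode(layout, clicks) for layout in layouts]
```

Because the layout changes per challenge, a click sequence that worked once is a different, unknown guess the next time, which is the property the paragraph relies on.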

Remote device attestation with bounded leakage of secrets – Jun Zhao, Virgil Gligor, Adrian Perrig, James Newsome

This is a neat idea: if the hardware of a device is controlled such that its output bandwidth is strictly limited, then it is still possible to be certain that the software on it has not been compromised, even if an attacker can install malware on it and has full control of the network. This works by having a large pool of secrets on the device which are updated in a dependent way each epoch; there is not enough bandwidth in an epoch to leak enough data to construct the pool of secrets outside the device. The verifier can then send the device a new program to fill its working RAM and request a MAC over the memory and secrets storage. This cannot be computed off the device, or on the device without filling the RAM with the requested content, so when the MAC is returned the verifier knows the full contents of the hardware’s volatile state: if the device was compromised, it no longer is.

Spraying Diffie-Hellman for secure key exchange in MANETs – Ariel Stulman, Jonathan Lahav, and Avraham Shmueli

This idea is for use in providing confidentiality of communication on mobile ad-hoc networks. Since the network is always changing and comprised of many nodes it is hard for an attacker to compromise all the nodes on all paths between two nodes which wish to communicate confidentially. The idea is to do Diffie-Hellman but split the message into multiple pieces with a hash and send each message via a different route to the recipient. If any one of those pieces gets through without being man-in-the-middled then the attack has failed. In a random dynamically changing network it is hard for an attacker to ensure that, though not impossible, and so a very careful analysis needs to be done to mitigate those risks in practice.

Layering authentication channels to provide covert communication – Mohammed H. Almeshekah, Mikhail Atallah, Eugene H. Spafford

The idea here is that some additional information can be put in the authentication information such as typing <password> <code word> rather than just <password> in the password field and hence transmitting <code word> to the bank which can have many meanings, e.g. have three different code words for 3 levels of access (read only, transactions, administrative) and one for coercion. I particularly liked the idea of being able to tell the bank ‘help someone is coercing me to do this, make everything look as normal but take steps to reverse things afterwards and please send the police’.
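The `<password> <code word>` check described above, sketched server-side as an added example (not code from the paper or from this blog). The split on the last space, the PBKDF2 storage, the `Decision` fields and all sample words are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# The four meanings a code word carries in the example from the text.
READ_ONLY, TRANSACTIONS, ADMINISTRATIVE, COERCION = (
    "read_only", "transactions", "administrative", "coercion")


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored record reveals neither secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    codeword_hashes: Dict[str, bytes]  # meaning -> hash of its code word


@dataclass
class Decision:
    authenticated: bool
    shown_level: Optional[str] = None  # what the session appears to allow
    hold_for_reversal: bool = False    # queue actions so they can be undone
    silent_alarm: bool = False         # raise the alert out of band


def enroll(password: str, codewords: Dict[str, str]) -> Account:
    """codewords maps each meaning to the word the customer chose for it."""
    words = list(codewords.values())
    if len(set(words)) != len(words) or any(" " in w or not w for w in words):
        raise ValueError("code words must be distinct, non-empty, no spaces")
    salt = os.urandom(16)
    cw_salt = salt + b"|codeword"
    return Account(salt, _kdf(password, salt),
                   {m: _kdf(w, cw_salt) for m, w in codewords.items()})


def authenticate(account: Account, field: str) -> Decision:
    """Check one password-field value of the form '<password> <code word>'."""
    # Split on the LAST space so the password itself may contain spaces.
    password, _, codeword = field.rpartition(" ")
    # Always run both hashes, so timing does not show which half was wrong.
    pw_ok = hmac.compare_digest(_kdf(password, account.salt),
                                account.password_hash)
    cw_hash = _kdf(codeword, account.salt + b"|codeword")
    meaning = None
    for m, stored in account.codeword_hashes.items():
        if hmac.compare_digest(cw_hash, stored):
            meaning = m
    if not pw_ok or meaning is None:
        return Decision(False)  # same refusal for every kind of failure
    if meaning == COERCION:
        # Looks like an ordinary transaction-level login to whoever is watching.
        return Decision(True, TRANSACTIONS, hold_for_reversal=True,
                        silent_alarm=True)
    return Decision(True, meaning)


# Constructed sample account; every value below is made up for illustration.
SAMPLE = enroll("correct horse battery", {
    READ_ONLY: "lemon", TRANSACTIONS: "walnut",
    ADMINISTRATIVE: "granite", COERCION: "umbrella"})
```

The coercion branch returns the same visible level as a normal transaction login, so nothing on screen distinguishes it; only the two server-side flags differ.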

 

There were also lots of other interesting ideas some of which I had seen before in other contexts. I thought I made some useful contributions to discussions and so maybe this whole PhD in computer security thing might work out. There were some really friendly welcoming people there and I already knew a bunch of them as they were CL Security Group people.

IB Group Projects

Thursday, March 10th, 2011

On Wednesday the Computer Science IB students demonstrated the projects that they have been working on for the last term. These are my thoughts on them.

Some of the projects were really quite interesting, some of them even actually useful in real life, some of them didn’t work, were boring and simply gimmicks.

Alpha: “African SMS Radio” was a project to create a pretty GUI to a “byzantine and buggy” backend. It could allow a radio operator to run polls and examine stats of texts sent to a particular number. However it didn’t look particularly interesting and though there might be use cases for such a system I think only as a component of a larger more enterprise system and only after the “buggy” backend they had to use had been fixed up/rewritten.

Bravo: “Crowd control” was a project to simulate evacuations of buildings. It is a nice use of the Open Room Map project to provide the building data. It looked like it was still a little buggy – in particular it was allowing really quite nasty crushes to occur and the resulting edge effects as people were thrown violently across the room as the system tried to deal with multiple people being in the same place at the same time was a little amusing. With a little more work it could become quite useful as an extension in the Open Room Map ecosystem which could help it gain momentum and take off. I think that the Open Room Map project is really quite cool and useful – it is the way that data on the current structure and contents of buildings can be crowd sourced and kept up to date but then it is a project of my supervisor. ;-)

Charlie: “Digit[Ov]al automated cricket commentary” this was a project to use little location transmitters on necklaces and usb receivers plugged into laptops to determine the location of cricketers while they were playing and then automatically construct commentary on that. It won the prize for best technical project but it didn’t actually work. They hadn’t solved the problem of people being between the transmitter and the receiver reducing transmission strength by 1/3 or the fact that placing a hand over it reduced it by 1/3 or the fact that the transmitters were not omnidirectional and so orientation was a major issue. They were also limited to only four receivers due to only having four suitable laptops. They used a square arrangement to try and detect location. It is possible that a double triangle arrangement with three corners at ground level and then the other triangle higher up (using the ‘stadium’ to gain height) and offset so that the upper vertices lined up with the mid point of the lower edges would have given them a better signal. Calibrating and constructing algorithms to deal with the noise and poor data would probably have been quite difficult and required some significant work – which IB students haven’t really been taught enough for yet.

Delta: “Hand Wave, Hand Wave” was a project to use two sensors with gyroscopes and accelerometers to do gesture recognition and control. It didn’t really work in the demo and since it had reimplemented everything it didn’t manage to do anything particularly interesting. I think using such sensors for gesture control is probably a dead end as Kinect and the like makes just using a camera so much easier and more interesting.

Echo: “iZoopraxiscope – Interactive Handheld Projector” this project was about using a phone with a built-in pico projector as an interface. This was obviously using very prototype technology – using the projector would drain the phone’s battery very quickly, in some cases even when the phone was plugged in and fitting it in the (slightly clunky) phone clearly was at the expense of providing the normal processing power that is expected in an Android phone resulting in it being somewhat sluggish. Since the sensors were rather noisy and techniques for coping with that were not as advanced as they might have been (they just used an exponential moving average and manually tweaked the parameter) they had some difficulties with sluggishness in the controls of some of the games. However I think they produced several nice arcade style games (I didn’t play any of them) and so did demonstrate a wide range of uses. With better knowledge of how to deal with sensors (not really covered in any of the courses offered at the CL) and better technology this could be really neat. However getting a battery powered projector to compete with normal lighting is going to be quite a challenge.
The thing I really like about small projectors is that it could help make it easier to interact in lectures. Sometimes when asking a question or making a comment in lectures it might be useful to draw a diagram which the lecturer (and the rest of the audience) can see and currently doing so is really quite hard. (I should take to carrying around a laser pointer for use in these circumstances).

Foxtrot: “Lounge Star” this was an Android app for making air passengers’ lives a little easier by telling them information such as which gate to use etc. without them having to go anywhere and integrating with various airlines’ systems. As someone who has ‘given up flying’ (not in an absolute sense but in a ‘while any other option (including not going) still remains’ sense) this was not vastly interesting but it could really work as a product if the airlines like it. So: “Oh it is another nice little Android app” (but then associated short attention span kicks in and “bored now”).

Golf: The Energy Forecast this was a project I really liked (it pushed the right buttons) it is a project to predict the energy production of all the wind farms in the country based on the predicted wind speed. It integrated various sources of wind speeds, power production profiles for different types of wind farm and the locations and types of many different wind farms (they thought all but I found some they were missing) and they had a very pretty GUI using Google Maps etc to show things geographically and were using a very pretty graph drawing JavaScript library. So I did the “oh you should use the SRCF to host that” thing (they were using a public IP on one of their own computers) and I am sort of thinking “I would really like to have your code” (Oh wait I know where that is kept, snarfle, snarfle ;-) It is something I would really like to make into a part of the ReadYourMeter ecosystem (I may try and persuade Andy he wants to get something done with it).
I love wind turbines all my (small) investments are in them, we have one in our back garden etc. this could be really useful. [end fanboyism]

Hotel: “Top Tips” this was a project to see whether the comments traders put on their trading tips actually told you anything about how good the trade was. The answer was no, not really, nothing to see here. Which is a little disappointing and not a particularly interesting project “let’s do some data analysis!” etc.

India: “True Mobile Coverage” this was a project to crowd source the collection of real mobile signal strength data. It actually serves a useful purpose and could be really helpful. They needed to work on their display a little as it wasn’t very good at distinguishing between areas they didn’t know much about and areas with weak signal and unfortunately as with all projects it started working in a very last minute manner so they didn’t have that much data to show. Nice crowd sourcing data collection android app of the kind that loads of people in the CL love. Of course there will be large quantities they could do to improve it using the kind of research which has been done in the CL but it is a good start.

Juliet: “Twitter Dashboard” this was so obviously going to win from the beginning – a twitter project (yey bandwagon) which looks pretty. They did do a very good job, it looked pretty, it ate 200% of the SRCF’s CPU continuously during the demo (but was niced to 19 so didn’t affect other services) – there are probably efficiency savings to be made here but that isn’t a priority for a Group Project which is mainly about producing something that looks pretty and as if it works all other considerations are secondary. My thoughts were mainly “Oh another project to make it easier for Redgate to do more of their perpetual advertising. meh.” (they have lovely people working for them but I couldn’t write good enough Java for them)

Kilo: “Walk out of the Underground” this was a project to guide you from the moment you stepped out of the underground to your destination using an arrow on the screen of your phone. It was rather hard to demo inside the Intel Lab where there is both poor signal and insufficient scale to see whether it actually works. It might be useful, it might work, it is yet another app for the app store and could probably drum up a few thousand users as a free app.

Lima: “Who is my Customer?” this was a very enterprise project to do some rather basic Information Retrieval to find the same customer in multiple data sets. The use case being $company has a failsome information system and their data is poor quality and not well linked together. Unfortunately the project gave the impression of being something which one person could hack together in a weekend. I may be being overly harsh but I found it a little boring.

So in summary: I liked “The Energy Forecast” most because it pushed the right buttons, “True mobile coverage” is interesting and useful. Charlie could be interesting if it could be made to work but I think that the ‘cricket’ aspect is a little silly – if you want commentary use a human. iZoopraxiscope (what a silly name) points out some cool tech that will perhaps be useful in the future but really is not ready yet (they might need/be using some of the cool holograms tech that Tim Wilkinson is working on (he gave a CUCaTS talk “Do We Really Need Pixels?” recently)).

Idea for next year: have a competition after the end of the presentations to write up the project in a scientific paper style and then publish the ones that actually reach a sufficiently good standard in an IB Group Project ‘journal’ as this would provide some scientific skills to go with all the Software Engineering skills that the Group project is currently supposed to teach. (No this is so not going to happen in reality)

Enforcing ‘fairness’ through reverse discrimination for Universities

Sunday, January 9th, 2011

Recently there has been again a lot of media attention on Simon Hughes’ comments that universities should increase the proportion of their intake from state schools to reflect the proportion of pupils in the secondary school education system going to state and private schools.
While I accept it is really important for universities to make a particular effort to ensure pupils from disadvantaged backgrounds who would thrive at university do go to university and go to the university which will stretch them the most. I also hold that each and every person who universities fail in this regard is being really badly let down. I think that it is correct that universities should be considering the quality of the teaching that pupils received when considering admissions as if someone managed to do the same amount with less then they have achieved more even if their grades are identical.

I am however going to say something which is possibly controversial – we are never under any sane system going to end up with representative proportions of people across all sectors of society and all types of school going to university and in particular to the best universities. We shouldn’t even try for that as it fundamentally isn’t going to work. What we should be aiming for is what the proportions would be if universities were doing their job perfectly – which would probably be significantly more representative than is currently the case. However it would not be and should not be completely representative.

Why? [Begin controversy] There are genetic factors which impact on the ability of students to thrive at university. If someone’s parents went to University then probabilistically they are more likely to have those factors. HOWEVER this does not mean that people whose parents didn’t go to university didn’t have those factors as not everyone wants to or should go to university even if they could. Additionally as humans we are not limited by our genes we may have natural tendencies towards certain things but with enough effort most of these things can be overcome. My argument is not that people whose parents didn’t go to university shouldn’t go – simply that you are not going to get a representative split there is going to be some natural bias and if we are making our assessments correctly we shouldn’t be upset about this. Of course universities should, can and are making an additional effort to reach those whose parents didn’t go to university as they are less likely to know that they can and should.[End controversy]

Additionally it is not the place of universities to make up for all the failings of all the previous educational establishments that students have previously been to – they make a great effort to do so and have great successes but if the Government really wants to make progress on making university education more representative of the population as a whole it really needs to look very hard at other areas first.

The differences in achievement between people from disadvantaged backgrounds and people from privileged backgrounds (like for example me) appear really quite early on in a child’s education and so the additional effort needs to be being put in there – in primary and secondary schools. Additionally people from privileged backgrounds are likely to be able to put time into learning the right kind of parenting methods and into implementing them that would increase the probability of their children going to university. This is not to say that other kinds of parenting are worse; university is not that important in the grander scheme of things and there are far more important things for parents to focus on imparting to their children.

However parenting is hard (yes I find the idea slightly scary) and if there are things which can be taught which do help then they should be taught to those who want to learn them – people only get one childhood and it is important to get it right.

So in summary yes we should be doing better than we are but there are limits to how well we can do (and these limits are very hard to calculate and as limits can only be tended towards). It is unhelpful to say “let’s just do reverse discrimination and hope this causes the private school system to collapse in a heap”; that doesn’t solve the problem of differences in the quality of education provided by different schools, it just gives middle class people even more angst about choosing schools for their little darlings. It causes silliness like children going to state schools to increase their chances of getting into a good university but actually being taught by private tutors “off the record” which just makes inequality harder to measure without actually solving this.

Again please bear with the fact that this won’t actually communicate what I want it to and is eminently capable of being misunderstood. Sorry. However I hope you can see through that to what I really mean.

(Yes as a Guardian reading lefty who went to two different private schools for my secondary education there is some ‘guilt’ that I have been given a better start in life than most people and so all I have had to do is make the effort to tuck in to the plate placed in front of me rather than having to go and fill the plate first. I do try and make an effort to help those from disadvantaged backgrounds through various different mechanisms – but that doesn’t stop my private sixth form school from asking me back to help their pupils but then they gave me a scholarship so I owe them something as well.)

Do you support the current occupation of the University Combination Room?

Sunday, November 28th, 2010

The Peterhouse JCR is currently holding a vote on the current occupation of the University Combination Room by students of the University.

In the process of deciding how to vote on that issue I should consider the demands that the occupiers are making and so that follows.

1. That the University completely oppose the increase in fees, fight against it and fight against all cuts to education, and use its influence to oppose the spending review’s threat to education, welfare, health, and other public services.

I think that the issue here is that it is not sufficient to simply oppose increases in fees it is necessary to coherently explain an alternative solution. Now the University does have influence but it is not an overt one – it is a behind the scenes one and so while I expect that the University is working behind the scenes to do what is best for the University and for Universities in general it probably won’t tell us when and how because diplomacy of that sort doesn’t work like that. With the latter points on welfare, health and other public services – the University is not a political entity. Its purpose is education and research not political change. Members of the University should indeed be encouraged to campaign for things which they believe in and to make their voices heard in government but that does not mean that the University itself can express one particular view and support it.

2. That the University use its influence to fight for free education for all.

There are principles here which I agree with but I think this statement too general in that it includes things I would disagree with. For example if students have parents who clearly can and will pay for their children’s university education then they probably should as this means more money available for those who can’t. (I am in the category of people whose parents could and indeed do pay). Also if this ‘education’ doesn’t involve actually spending >40 hours a week working on said education (during term) then it is rather pointless and should probably not be paid for in full by the government as it probably counts as an extended holiday. [1]

3. That the University acknowledge and take steps to combat the systemic inequality of access to this elitist institution and the danger of its intensification posed by the scrapping of EMA, a rise in tuition fees and removal of programs such as Aim Higher.

Here I worry as to the definition of elitist being used. Certainly Cambridge only accepts students with the best academic ability and so discriminates on the basis of academic merit and that is what it should do. However I fear that the definition being used here relates to discrimination on the basis of background. Cambridge does not do that. Cambridge is not elitist under that definition. It once was but it is no longer – we have moved on and so I don’t think that Cambridge could now acknowledge that it is an ‘elitist institution’ because that would be a lie. Yes Cambridge is greatly concerned to ensure that no financial hardship prevents or hinders students from studying at Cambridge but anyone at Cambridge knows that it is exemplary in doing so and provides bursaries and financial support better than that available anywhere else. I am confident that the University will maintain these bursaries and other financial support at whatever level is necessary. Hence I think this point is rather pointless in that it asks the University to admit a lie and to do what it is already doing.

4. That the University declare it will never privatise.

This is a rather odd point. Yes I can see that there would be large issues which would need to be addressed before the University could privatise (in particular relating to access and funding) but it would be foolish for the University to state that at no point in the life of the University will it privatise. In the hundreds of years of history which may yet lie in the future of this University circumstances may change such that privatising is the right thing to do. For a large proportion of its past the University was private and outside (at least to an extent) of the influence of government; there are many things that the University has gained through being funded by the government but we can’t be sure that all future governments will not try and do something which would be detrimental to the University to the extent that the University was forced to privatise to avoid it.

5. That the University commit to ensure the autonomy of education from corporate interests.

What this means is not well defined. Yes education should not be commercialised – it is of intrinsic value to society quite apart from its standard economic impacts. However not all influence from all companies is necessarily bad just as not all influence from governments is necessarily good. Both can be both good and bad at different times and on different areas and it would be naive to exclude companies from all influence for all time. Yes they should never be allowed to run the University or its courses but they may at times be able to provide things of value and so can’t be ignored completely.

6. That the University recognise UCU (University & College Union). We urge post-graduates, academics and all university staff to unionise.

This seems rather irrelevant to the issue at hand. Yes unions have value and can serve a useful purpose however since the University is (or at least should be) run by the academics in a perfect world there would be no need for them to unionise as they are their own managers. My main concern with this point is that it is offtopic and to an extent partisan – unfortunately not all students like unions and hence making one of the points involve unions is not going to increase support. As far as I know the UCU has been fairly sensible and if I were at some point to be eligible for membership I would probably join. However some unions have done eminently stupid things at various points including the recent past which has unfortunately tarred all unions.

7. That the University ensure that no students who take part in any form of peaceful protest will face disciplinary action.

Here I agree save for that stipulation that I define peaceful to also include not causing damage to property as well as people. Should people commit criminal offences[0] while protesting then they will of course remain liable for the consequences of their actions.

8. That the University urge Gonville and Caius College to open their library, and allow Caius Students full access. (mission accomplished)

Of course I agree with this – I think Caius rather silly to have closed it in the first place. Yes, the Conservative offices were rather badly damaged, but Cambridge students are not in that kind of a rage with Caius or the Caius library, and suitable access controls could have been placed on it to prevent anything bad from occurring.

So in conclusion, while I agree with some of the demands raised and with the right of students to peaceful protest and consider that it is a good thing that they are doing this protest (and would indeed stand in front of tanks that they retain this right) I disagree with a sufficient number of their demands sufficiently strongly that I can’t support this protest. If they were occupying the local Conservative or Lib Dem headquarters then I would come visit, bring cake and ask what their proposals are for an alternative mechanism for funding University properly. (Clearly what we are being given is suboptimal but it is not sufficient to criticise; it is also necessary to present an alternative.)

[0]: Here I would also specify further that the laws under which these offences are committed are also good laws; we have had quite a few rather bad ones in recent years. In the eyes of the law this is of course irrelevant but to my eyes it matters a lot.
[1]: If it doesn’t take three years of working really really hard then it is not a degree and should not be treated as such – instead it should be compressed into a shorter period of time such that that time is spent working really really hard and then it should be called a Diploma and offered by polytechnics – but I digress.

Firesheep as applied to Cambridge

Tuesday, October 26th, 2010

Many of you will have already heard about Firesheep which is essentially a Firefox extension which allows you to log in to other people’s Facebook, Amazon etc. accounts if they are on the same (unsecured) network as you. This post is on my initial thoughts on what this means to the people on Cambridge University networks.

Essentially this whole thing is nothing new – in one sense people who know anything about security already knew that this was possible and that programs for doing this existed. The only innovation is an easy to use User Interface and because Human Computer Interaction (HCI) is hard, this means that Eric Butler has won.

In Cambridge we have unsecured wireless networks such as Lapwing and the CL’s shared key networks and I think that Firesheep should work fine on these and so for example in lectures where lots of students are checking Facebook et al. (especially in the CL) there is great potential for “pwned with Firesheep” becoming the status of many people. However this would be morally wrong and violate the Terms of Service of the CUDN/JANET etc. If that isn’t sufficient – the UCS has magic scripts that watch network traffic, they know where you live and if you do something really bad they can probably stop you graduating. So while amusing I don’t think that a sudden epidemic of breaking into people’s accounts would be sensible.

So what does that mean for the users of Cambridge networks? Use Eduroam. Eduroam is wonderful and actually provides security in this case (at least as long as you trust the UCS, but we have to do that anyway). If you are using Lapwing and you use a site listed on the handlers page for Firesheep (though don’t visit that link on an unsecured network as GitHub is on that list) then you have to accept the risk that someone may steal your cookies and pretend to be you.

What does this mean for people running websites for Cambridge people? Use SSL. If you are using the SRCF then you win as we provide free SSL and it is simply a matter of using a .htaccess file to turn it on. It should also be pointed out that if you are using Raven for authentication (which you should be) then you still need to use SSL for all the pages which you are authenticated on or you lose[0]. If you are not using the SRCF – then why not? The SRCF is wonderful![1] If you are within *.cam.ac.uk and not using the SRCF then you can also obtain free SSL certificates from the UCS (though I doubt anyone likely to read this is).

So do I fail on this count? Yes I think I have multiple websites on the SRCF which don’t use SSL everywhere they should and I don’t think any uses secure cookies. I also feel slightly responsible for another website which both uses poorly designed cookies and no SSL.

Users – know the risks. Developers – someone is telling us to wake up again, and even though I knew I was sleeping.

[0]: Unfortunately I think that until the SRCF rolls out per user and society subdomains (which will be happening RSN), if you use Raven to log in to one site on the SRCF and then visit any non-SSL page on the SRCF then your Raven cookie for the SRCF has just leaked to anyone listening. Oops. Using secure cookies would fix this though I haven’t worked out how to do this yet – I will post a HOWTO later. Update: if the original authentication is done to an SSL protected site then the Raven cookie will be set to be secure.
[1]: I may be wearing my SRCF Chairman hat while writing that – though that doesn’t mean it isn’t true.
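
The cookie leak described in footnote [0], and the effect of the Secure flag, can be checked mechanically. The following is an added example, not code from this post, the SRCF or Raven: it models which requests a browser would attach a cookie to, using a hypothetical host (`societies.example`) and constructed cookie names and values.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Keep only the Set-Cookie fields that decide where a browser sends the cookie."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "domain": (morsel["domain"] or origin_host).lstrip(".").lower(),
        "host_only": not morsel["domain"],   # no Domain attribute: exact host only
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
    }

def path_match(request_path, cookie_path):
    """Cookie path matching: prefix match on whole path segments."""
    if request_path == cookie_path:
        return True
    if cookie_path.endswith("/"):
        return request_path.startswith(cookie_path)
    return request_path.startswith(cookie_path + "/")

def sent_in_cleartext(cookie, url):
    """True if a browser would attach the cookie to an unencrypted request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["host_only"]:
        host_ok = host == cookie["domain"]
    else:
        host_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    if not (host_ok and path_match(parts.path or "/", cookie["path"])):
        return False
    return parts.scheme == "http" and not cookie["secure"]

def exposed(cookies, urls):
    """List (cookie name, url) pairs where the cookie crosses the network unencrypted."""
    return [(c["name"], u) for c in cookies for u in urls if sent_in_cleartext(c, u)]

# Constructed sample data: hypothetical host and cookie names, not real SRCF or Raven values.
HOST = "societies.example"
WEAK = parse_set_cookie("login_ticket=constructed; Path=/", HOST)
FIXED = parse_set_cookie("login_ticket_s=constructed; Path=/; Secure", HOST)
VISITS = ["https://societies.example/admin/", "http://societies.example/~someone/photos.html",
          "http://elsewhere.example/"]

if __name__ == "__main__":
    for name, url in exposed([WEAK, FIXED], VISITS):
        print(f"{name} sent in cleartext to {url}")
```

Only the cookie set without Secure is reported, and only for the plain-HTTP page on the same host, which is the situation the footnote describes.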

“How do you think higher education should be funded?”

Saturday, October 16th, 2010

I am currently considering this question as the Peterhouse JCR is in the process of running a referendum and this is the first and most important question on that referendum the purpose of which is to determine how Peterhouse should vote at the next CUSU Council meeting.
The possible options are:

  1. Raised tuition fees
  2. A graduate tax
  3. Offer fewer university places / close down less well performing Universities
  4. Higher universal taxation
  5. Cuts to other public services instead
  6. Other / Abstain

However there are more fundamental underlying questions which need to be considered:
What are the purposes of University?
Why are those good purposes?
How well does University achieve those purposes?
What value do we place on outcomes beyond the simple increase in potential earnings such as on producing better adjusted individuals with improved support networks who are better able to play their part in society?
Should ‘Universities’ which are ‘rubbish’ and don’t actually provide ‘proper’ degrees be called Universities? (No clearly not: they should be called polytechnics or similar and not offer degrees but rather more flexible qualifications which actually fit the useful things they are there to teach)
Should these polytechnics exist? Should they receive government funding in the way that Universities do?
Is University the best way of teaching people the skills they need for work in areas such as Engineering and Computer Science? Does that matter?

Clearly a graduate tax is a stupid idea because it would mean that anyone we educated and who then left the country to work abroad would not pay for the cost of their education – and that many people would do this, particularly among the highest earners. It also does not provide the money directly to the universities which educated them and would instead go to some general pot and so not reward universities for how good they were at educating their students (from the point of view of earning potential).

Offering fewer university places / close down less well performing Universities… well to Cambridge students that seems like a rather appealing option (and it is the favourite to win the JCR vote). However it is important to ensure that we are not thinking that this is a good plan simply because it means that University funding becomes an issue affecting other people at other Universities rather than us which is easy to do on a subconscious level and to then justify on a conscious one. One justification is that we know that our friends and fellow pupils at school did not always work as hard as we did in order to get where we have got and so why should they be supported at our expense? Clearly we put more work in than they did. However the question of what the value of University is to both society and individuals even if the University doesn’t manage to teach the individual anything is one for which I don’t have an answer. Putting concrete values on externalities is not something which we are particularly good at as a society. I should probably study some more economics in order to get better at doing so.
The problem with this point then is that while it seems appealing on a superficial level I worry that in the grander scheme of things it might not be such a good idea. For example how would reducing the number of university places be managed? Remove the same proportion from all universities? Clearly that would be a stupid idea as it places no value on the relative quality of teaching at different universities. We don’t want those who should go to University missing out due to lack of places in good universities while those who probably shouldn’t get in to the lower quality ones. How about making the number of places available on a course be dependent on how many people applied for it? So that for example if 200 people apply then a maximum of 100 places can be funded. However there might be problems with that if there are good courses which only appeal/accept candidates from a small pool of potential applicants and so most of those who apply should get a place as they are sufficiently brilliant.

Higher universal taxation? Well here we have to consider whether the benefit of university is for society as a whole rather than to the individuals directly as otherwise it is perhaps not fair to make everyone pay more. Here again I think we struggle to be able to make good decisions on what proportion of university funding for teaching should come from the students and what proportion from general taxation due to the lack of a function for determining the value of university and apportioning that to individuals and society as a whole.

Raised tuition fees? Clearly this is controversial for students as it affects us most directly and does cause real problems for students. It is thus perfectly understandable that many students and their representatives vehemently oppose tuition fees in general and their increase in particular. As per one of the CUSU motions “Education is a public good” which is true but to be able to weigh its value against that of other government expenditure we need some way of measuring relative worth of different public goods which I don’t think we have. At least not in a clear manner which allows decisions to be reached which don’t appear to be simply arbitrary. Instead long discussions are had and long articles written which skirt around the edges of issues and are dissatisfying in not being able to deal with these issues directly.[0]
However here it is perhaps useful to consider that compared with private secondary education University is still cheap even with increased tuition fees to £7,000. A private day secondary school could easily be charging in excess of £9,000 a year and at least in comparison to Cambridge not be providing nearly as high a quality of education. A private boarding school could easily be charging £26,000 a year per student. The cost of my going to University per year is ~£10,000 including tuition fees, rent etc.; this is significantly less than what my parents were paying for my sixth form education even with the 20% scholarship. My parents could still pay for the full costs of my university education if it was ~£14,000 instead and then I walk out with a degree and no debt… This only applies to a small minority of students though and somewhere around University children need to become adults and stop relying on parents for all supplies of funding. I suppose the point I am trying to make here is that there are students who have parents who could easily pay the higher fees (or even higher still fees) and not really be affected by doing so, however it is unfortunately probably not feasible to identify who these students are. Higher levels of debt are likely to put off students, particularly those from disadvantaged backgrounds, from applying which is a serious concern as it is very important to find those people from disadvantaged backgrounds who have the ability to perform and give them a helping hand to make sure that they can perform to the best of that ability.

Of the CUSU motions a and c seem reasonable, b is poorly worded and says things which are blatantly wrong and d makes some good points but also some silly ones and some of its action points seem unrelated to solving the issues identified. E which the JCR as a whole is not voting on also appears to be reasonable.

Peterhouse JCR people: Vote. Everyone else: vote early, vote often.

Apologies for the unsystematic and poorly written brain dump, really I should go back through this and rewrite it…

[0]: Here I am thinking back to discussions I had last night relating to the difficulty of expressing and discussing truly important things compared to the ease and simplicity of discussing trivialities.