Digital Infrastructure

In the modern era, the backbone of our interconnected world is built upon a complex network of digital infrastructure. Digital infrastructure encompasses the underlying framework of technologies, systems, and networks that facilitate the flow of information, services, and data across the digital landscape. From the cables and hardware that form the physical infrastructure to the software and protocols that govern communication, digital infrastructure is the invisible yet indispensable foundation upon which our digital society thrives. This includes telecommunications networks, data centers, cloud computing services, internet exchanges, and much more. As technology continues to evolve at a rapid pace, the importance of robust and resilient digital infrastructure becomes increasingly apparent, serving as the conduit for innovation, economic growth, and societal advancement. Understanding and nurturing this infrastructure is essential for ensuring a prosperous and interconnected future.


Analyzing the Cloudification of Higher Education

Investigators: Tobias Fiebig and Mannat Kaur in collaboration with Simran Munnot

The digital transformation of academia is one of the major technical challenges of our time. However, like all challenges, this transformation is not without risks. Following common industry paradigms, universities now commonly look at infrastructure provided by just a few major cloud operators. In this work, we investigate to what extent universities depend on a small set of digital infrastructure providers. We were the first to conduct comprehensive measurements characterizing these developments from 2015 onwards [1], and published further analyses on the organizational implications of these developments [2]. Our work illustrates how the progressing cloudification of academia impacts core values like academic freedom, and ties differences in cloud adoption between several countries to stark differences in academic culture. Furthermore, we provide a clear long-term agenda to preserve academic freedom, as well as researchers' and students' privacy.

Our work provides thought leadership across multiple independent fields, influencing ongoing work in the legal field, privacy, educational technology, and international governance and policy making. Furthermore, the novel methods for network measurements we used in this work influenced the networking field, inspiring further work on centralization [3]; see also the associated centralization project. Besides expanding our technical measurements to a global university-cloud observatory, we are also pursuing more organizationally focused work to establish why academic institutions migrate to cloud infrastructure, which obstacles they face, and why well-known risks are not considered in these migrations.

References
• [1] T. Fiebig, S. Gürses, C. H. Gañán, E. Kotkamp, F. Kuipers, M. Lindorfer, M. Prisse, and T. Sari. Heads in the clouds? Measuring universities’ migration to public clouds: Implications for privacy & academic freedom. Proceedings on Privacy Enhancing Technologies Symposium (Proc. PETS), 2023(2). Accepted 2022.
• [2] T. Fiebig, M. Lindorfer, and S. Gürses. Position paper: Escaping academic cloudification to preserve academic freedom. Privacy Studies Journal, 1(1):49–66, 2022.
• [3] F. Streibelt, P. Sattler, F. Lichtblau, C. H. Gañán, A. Feldmann, O. Gasser, and T. Fiebig. How ready is DNS for an IPv6-only world? In A. Brunstrom, M. Flores, and M. Fiore, eds., Passive and Active Measurement (PAM 2023), Virtual Event, 2023, LNCS 13882, pp. 525–549. Springer.


Protocol Complexity over the Ages: The Case of Email

Investigators: Tobias Fiebig and Florian Steurer

By now, the Internet–despite often feeling ’new’–is an established technology. Many protocols which are instrumental to its functioning (IPv4, DNS) or basic services used by billions (Email) have been around for several decades. Naturally, during that time, these protocols evolved, reacting to a changing threat landscape and newfound requirements [1]. In this project, we put a spotlight on the developing complexity of these foundational protocols, especially focusing on email. Originally simple, the protocol suite around email has seen an explosion in additions. Our work measuring email deployments’ implementation of these additions highlights that the technological developments contribute to a centralization of the ecosystem by making it increasingly hard for smaller operators to support all of these requirements [2]. Our work takes a critical look at the foundations of these protocol suites. While this is, as we demonstrate, necessary research, similar research lines are often neglected in academia, as there is an imbalance between the fundamental research effort required to realize research in this sector and common KPIs in academic institutions in terms of publications and funding. Hence, our work stands out by addressing foundational challenges, making an important contribution to securing and future-proofing a critical element of our digital society. We are currently expanding the measurement platform developed in this project to capture an even more encompassing picture of email deployments. Furthermore, we identified challenges in the available measurement methodologies and best practices when it comes to email measurements, and are working on a publication addressing the requirements for conducting ethical email measurements.

Finally, we are providing a service to the general public to make our results reproducible, and to let operators and users assess their email setups under the complex reality of the current state of the protocol at: email-security-scans.org

References
• [1] T. Fiebig, F. Lichtblau, F. Streibelt, T. Krüger, P. Lexis, R. Bush, and A. Feldmann. Learning from the past: designing secure network protocols. In Cybersecurity Best Practices, pp. 585–613. Springer, 2018.
• [2] F. Holzbauer, J. Ullrich, M. Lindorfer, and T. Fiebig. Not that simple: Email delivery in the 21st century. In USENIX ATC ’22, USENIX Annual Technical Conference, Carlsbad, CA, USA, 2022, pp. 295–308. USENIX Association.


Humans, Gender, & Security: System Administration Beyond Technology

Investigators: Tobias Fiebig and Mannat Kaur

The areas of networking and computer security regularly overlook a core component of secure infrastructure: the people actually building and running these systems [2]. This leads to a situation where computer scientists observe technical effects on the Internet, but are unable to explain their root causes. A common example is security incidents, which are regularly rooted in simple errors and not complex attacks [1]. This project combines our expertise in system and network operations with methods from the social sciences to investigate how social and cultural effects interact with how technology is shaped. While not purely technical, this work is instrumental for explaining technical measurement results and demonstrating excellence in science by addressing research questions end-to-end.

Our recent contributions in this field include an investigation of how COVID-19 lockdowns affected the work of system administrators using an established theoretical model developed at NASA [3]. Our work characterizes how social dynamics affect the work of system administrators, highlighting the impact of visibility and coordination issues amplified by the pandemic. Most critically, we find first indications of the significant role of care-work in operating systems. Our subsequent study utilizes a feminist perspective on system administration to investigate the experiences of people with marginalized genders [4]. Our findings shake foundations in this field, demonstrating that non-inclusive and toxic work environments negatively impact the career prospects of system administrators working in respectful and inclusive work environments by limiting their ability to utilize common practices for career development due to the threat of moving to a toxic environment. Additionally, we empirically describe a critical connection between a working environment where people can be themselves, and the security and safety of systems. Thereby, we are the first to bring together the fields of system/network operations, computer security, safety science, and feminist research/gender studies work.

We are currently pursuing a joint project with TU Delft to further investigate cultural interaction effects between inclusive work environments and the system operations community, conjecturing that cultural priming effects lead to a refusal of practices even though these align with operators’ values. Furthermore, we are expanding our investigation into implicit coordination mechanisms in operators’ work, and are currently preparing a study on expectations and responsibility as perceived by operators and users.

References
• [1] C. Dietrich, K. Krombholz, K. Borgolte, and T. Fiebig. Investigating system operators’ perspective on security misconfigurations. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 1272–1289.
• [2] M. Kaur, M. van Eeten, M. Janssen, K. Borgolte, and T. Fiebig. Human factors in security research: Lessons learned from 2008-2018. arXiv preprint arXiv:2103.13287, 2021.
• [3] M. Kaur, S. Parkin, M. Janssen, and T. Fiebig. “I needed to solve their overwhelmness”: How system administration work was affected by COVID-19. Proceedings of the ACM Human-Computer Interaction (Proc. CSCW), 6, CSCW2, Article 390, 2022.
• [4] M. Kaur, H. S. Ramulu, Y. Acar, and T. Fiebig. “Oh yes! over-preparing for meetings is my jam :)”: The gendered experiences of system administrators. Proceedings of the ACM Human-Computer Interaction (Proc. CSCW). Accepted 2022.


Historic Measurements on the Internet’s Centralization

Investigators: Tobias Fiebig, Florian Streibelt, and Florian Scheurer

As also highlighted in our project on the cloudification of academia, the Internet is centralizing at accelerating speed. Understanding these developments is instrumental for assessing their impact on the Internet, protocol development, and ultimately society–beyond the narrow scope of academic cloudification. In this project, we develop new measurement techniques and infrastructure to aid researchers in investigating centralization, from its historic origins to the current state of the world.

Our contributions so far include public infrastructure – and an accompanying publication introducing the methodology [1] – to perform IP address attribution. Our ongoing work in this domain focuses on further developing these methods and infrastructure, while also combining existing methods to perform large-scale measurement studies to form a comprehensive picture of centralization. In particular, the public infrastructure we provide to the research community at large amplifies the impact of our work, enabling others to advance the field alongside us.

References
• [1] F. Streibelt, M. Lindorfer, S. Gürses, C. H. Gañán, and T. Fiebig. Back-to-the-Future Whois: An IP Address Attribution Service for Working with Historic Datasets, 2022.


Mental Models of Security and Privacy

Investigators: Tobias Fiebig and Mannat Kaur

Security and privacy are essential properties of digital infrastructure. Hence, there is a multitude of frameworks, standards, and certifications aimed at ensuring security and privacy in these systems, and experts are tasked with implementing and deploying technology to preserve these values. However, in practice, we regularly find these mechanisms failing [2]. The question is: Why?

In this project, we take a closer look at how experts and users from various domains think about security and privacy, i.e., which mental models they hold. We conjecture that assumptions, especially regarding the expertise of domain experts, are often wrong, leading to miscommunication and non-ideal results in the implementation of policies, especially when experts from different domains communicate while holding diverging mental models. In our recent work on experts’ and end-users’ mental models concerning corporate VPN infrastructure, we already demonstrated that even security professionals’ mental models of VPNs do not necessarily conform with the actual functionality of the technology, and overall do not necessarily diverge significantly from the mental models held by non-experts [1]. We are currently in the process of expanding this work to the general domain of security and privacy. Here, our assumption is that experts in privacy–often with a more legal or policy focused background–have diverging mental models of the technology they govern, while the technology experts ultimately implementing systems conforming to privacy policies hold diverging mental models on privacy topics. This leads to a situation where communication between the parties is significantly inhibited, contributing to concepts like “Privacy-by-Compliance” [3], which lacks actual privacy protections, being unintentionally realized. Hence, with our work we contribute to tangible security and privacy improvements for society.

References
• [1] V. Binkhorst, T. Fiebig, K. Krombholz, W. Pieters, and K. Labunets. Security at the end of the tunnel: The anatomy of VPN mental models among experts and non-experts in a corporate context. In 31st USENIX Security Symposium, Boston, MA, USA, 2022, pp. 3433–3450. USENIX.
• [2] T. Fiebig. How to stop crashing more than twice: A clean-slate governance approach to IT security. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2020, pp. 67–74. IEEE.
• [3] T. Fiebig, M. Lindorfer, and S. Gürses. Position paper: Escaping academic cloudification to preserve academic freedom. Privacy Studies Journal, 1(1):49–66, 2022.


Societal Implications of Digital Infrastructure in a Changing World

Investigator: Tobias Fiebig

Our world is changing, and humanity is facing unprecedented challenges. The global climate crisis, collapsing supply chains, the ever increasing threat of pandemics due to the progressing destruction of wildlife habitats. All these developments will ultimately change our world and society. Given this changing world, we use the synthesis of our research projects to answer the ultimate question of system and network engineering: “What is our role, what is our responsibility, in an ever changing, ever failing future?”

Based on our research, we were able to derive 13 propositions illustrating the state of the Internet, analyzing pressing issues, from the impact of progressing centralization to matters of digital sovereignty [1]. Our work makes scientific results accessible to a wider community, and is especially appreciated by the applied networking community. Hence, in summary, our work is part of our scientific responsibility to inform and assist society, and help it prepare for the future to come, in a way that is accessible and actionable. For the future, this project highlights new research directions, and informs our existing research projects’ direction, to ultimately conduct research that makes the world a better place.

References
• [1] T. Fiebig and D. Aschenbrenner. 13 propositions on an Internet for a “Burning World”. In G. Sileno, A. Abhishta, and C. Becker, eds., TAURIN+BGI ’22, ACM SIGCOMM 2022 Joint Workshops on Technologies, Applications, and Uses of a Responsible Internet and Building Greener Internet, Amsterdam, The Netherlands, 2022, pp. 1–5. ACM.