Frank Stajano's Things

Frank Stajano, PhD

Professor of Security and Privacy

Department of Computer {Science and Technology}
Computer Laboratory, University of Cambridge
Security Group and Digital Technology Group

Former Head, Academic Centre of Excellence in Cyber Security Research, University of Cambridge

Fellow of Trinity College, Cambridge

CEO and co-founder, Cambridge Cyber Ltd

Dojo leader (5th Dan), University of Cambridge Kendo Society

Regional coach (Level 3), British Kendo Association

cl-krenew -f --maxout

for h in $(host -t ptr slogin-serv|sed -n 's/.cl.cam.ac.uk.$//;s/.*domain name pointer //p'); do scp /tmp/krb5cc_1616 $h:/tmp/& done &

Fix 00~ problem with Ctrl-Opt-R

Hello and welcome to my home on the web!

Highlights, in a nutshell: Happy dad. Author of a few books, and of 3 papers with over 1000 citations each. CEO and startup founder. Kendo dojo leader. Comics philologist. Youtuber. Personal web page since 1994. Erdös number 3. And I used to share my Trinity office with a Nobel laureate in physics.

I run a Youtube channel, Frank Stajano Explains (.com), for students of computer science and for younger people whom I hope to inspire to become students of computer science in the future. The same lectures I give to my Cambridge students are now available to everyone in the world, at no charge. Check it out and subscribe!

In this video I talk about entrepreneurship and commercialisation of research from the academic viewpoint. In this other one I introduce Pico, my project to replace passwords. If you prefer reading papers to watching videos, this highly cited one explains why replacing passwords is hard and this one gives insights on the psychology of scam victims, with lessons for security system designers.

I founded a national (Inter-ACE) and an international (Cambridge2Cambridge) cyber security competition and ran them for three years, as a contribution towards raising a new generation of cyber-defenders (Poster). The international competition was a collaboration with MIT CSAIL. The successor to Cambridge2Cambridge is an even more international Country2Country, which I helped create, and I serve on its Steering Committee.

I am the CEO and co-founder of Cambridge Cyber, a security consultancy offering competent, trustworthy and discreet services in the areas of training, penetration testing and security analysis (open for business: myfirstname at cambridge cyber dot com).

Please read this before mailing me, and this if you want to become my student.
Maybe you're already at Cambridge and want to do your project with me?
Contact information is at the bottom of the page.

Things I... | am | 've written | teach | like | don't like | am on the program committee of | keep on my web page | said

---

My research interests revolve primarily around three interconnected themes:

• systems security
• privacy in the electronic society
• ubiquitous computing.

I have a particular interest in the human aspects of systems security: many people like my 2009 work with Paul Wilson about understanding the psychology of scam victims to improve systems security. It was an invited talk at Usenix Security in August 2010 and an updated and abridged version of our technical report appeared in Communications of the ACM in March 2011, © ACM (cached).

Lately, my research question has been: can we do better than passwords? In 2011 I wrote Pico: no more passwords! (blog post, Forbes coverage) which then became an invited talk at Usenix Security 2011 in San Francisco, USA and the opening keynote talk at RTCSA 2011 in Toyama, Japan. I have since received generous funding from the European Research Council, in the form of a prestigious and competitive ERC Starting Grant, to pursue my research on Pico. While revising that work I then decided that the ever-growing "related work" section of Pico was worth its own study, so I invited three expert coauthors for the project that became The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, the highest-scoring peer-reviewed paper at Oakland 2012 (watch me give the talk in San Francisco on 2012-05-23). An extended version, with full details and ratings for over 30 password replacement schemes, is available as a tech report.

In related threads, and with other coauthors, I also studied the security and privacy of forensic genomics and of social networking web sites such as Facebook. See the web page of my brilliant former graduate student Jonathan Anderson for more on privacy in social networks.

Historically, my most significant research contributions include works on the following topics (presented in papers that have since attracted over a thousand citations each):

I also enjoy coming up with quirky, eyebrow-raising uses of security protocols (sometimes with a serious aside), such as

I worked with civil engineers on the real-world security of wireless sensor networks to monitor the structural health of subway tunnels and suspension bridges. Other topics of interest include wireless technologies (efficient MAC protocols, 4G systems, Bluetooth security), context-aware software, distributed multimedia and so on: see further down for a full publications list.

Although I now have a permanent faculty post at the University of Cambridge, I have a mixed academic and industrial background, having been employed by the R&D centres of major electronics, telecommunications and software multinationals (Google, Toshiba, AT&T, Oracle, Olivetti). Thanks to this, my research has always retained a strong practical orientation. Since my academic appointment I have continued to consult for industry in Europe and Asia on systems security, strategic research planning, creativity and innovation. I am the author of the well-regarded research monograph Security for Ubiquitous Computing (Wiley, 2002).

I am a popular public speaker and I was called upon as invited or keynote speaker over 50 times on four continents (not counting the presentations of my refereed papers). I also served as program chair at over a dozen international conferences or workshops; as program committee member for over 50 events; as technical reviewer of book proposals for scientific publishers such as Wiley and Addison-Wesley; and as associate editor for an IEEE journal. I have authored or co-authored over 50 refereed publications, guest chapters in three books, two patent applications, one book and I have edited about a dozen Springer LNCS proceedings volumes.

I was elected a Toshiba Fellow in 2000. I was appointed to a Lectureship at the University of Cambridge in 2000, originally at the Department of Engineering, then transferred to the Computer Laboratory in 2004. In 2006 I was awarded academic tenure until retiring age. In 2007 I was promoted to a University Senior Lectureship, in 2013 to a Readership and in 2017 to a Professorship. I was also elected to a Fellowship at Trinity College in 2015, where I serve as a Director of Studies in Computer Science, a Senior Lecturer and the Chair of the IT Committee.

Before that, I had the privilege of doing a security PhD here at Cambridge under the supervision of Ross Anderson. I completed it in exactly three years: matriculated in January 1998, submitted in December 2000, approved with no corrections (rare) in January 2001. My PhD was nominated for the British Computer Society "distinguished dissertation" award and was later turned into the book mentioned above. The first few steps of my academic lineage are all at the Cambridge Computer Laboratory and go back to its founder Sir Maurice Wilkes, who built the first stored-program computer in the world: Frank Stajano - Ross Anderson - Roger Needham - David Wheeler - Maurice Wilkes. These were all people I knew well on a personal basis. According to the Mathematics Genealogy Project, my lineage then continues upwards to John Ratcliffe, Edward Appleton, JJ Thomson, John Strutt (Lord Rayleigh), Edward Routh, William Hopkins, Adam Sedgwick, Thomas Jones, Thomas Postlethwaite, Stephen Whisson, Walter Taylor, Robert Smith, Roger Cotes, Isaac Newton, Isaac Barrow, Vincenzo Viviani, Galileo Galilei, Ostilio Ricci, Nicolò Tartaglia, with additional non-linear detours through such eminent figures as Rutherford and Torricelli among others.

I have taught a variety of core computing subjects to engineers and computer scientists, including operating systems, computer architecture, security, data structures and algorithms, as well as more specialized subjects such as hardware design, FPGA programming, assembly language programming and ubiquitous computing. I greatly enjoy lecturing and helping other people reach "lightbulb moments".

I love Japan! I lived in Japan for one year and I maintain strong ties to the Toshiba Corporate Research and Development Center in Kawasaki and Keio University.

In my spare time I am a comics scholar with a particular interest in Disney material. I have coauthored a few books, book chapters and articles on this subject. Although not as frequently as I'd like, I offer audio interviews with comics authors on my comics podcast.

I have a strong interest in kendo (Japanese swordsmanship). Since October 2002 I am the leader of Tsurugi Bashi, the kendo dojo of the University of Cambridge. I am 5th dan and a BKA-licenced "Level 3 Regional Coach" (meaning that I run courses to train and license other kendo instructors). I attended the gruelling one-week "Foreign Kendo Leaders" seminar in Kitamoto, Japan in 2008 and 2014. I haven't kept an exact count but by now about a thousand people have started kendo as my students. At least a couple dozen of them have obtained dan grades; some of them also hold BKA coaching licences and some even started their own dojo.

---

• 2026: Frank Stajano. "Users are not ungrateful: Making sense of user resistance to well-intentioned innovation". Sassefest 2026.
• 2026: Frank Stajano. "Ross John Anderson". Biographical Memoirs of Fellows of the Royal Society. doi.org/10.1098/rsbm.2025.0026
• 2025: Frank Stajano, Ferdinando Samaria, Shuqi Zi. "On the nature and security of expiring digital cash". Journal of Risk and Financial Management 2025, 18(8), 452. doi.org/10.3390/jrfm18080452. Previously presented at the 24th Workshop on the Economics of Information Security (WEIS 2025), Tokyo, Japan.
• 2025: Frank Stajano (Editor). Rossfest Festschrift, 2025.
• 2025: Frank Stajano. "Ross John Anderson—A biographical memoir". In Rossfest Festschrift, 2025.
• 2025: Frank Stajano. "Ross Anderson's PhD ancestors". In Rossfest Festschrift, 2025.
• 2025: Frank Stajano. "Open problems about the forthcoming financial infrastructure of the digital society". In Rossfest Festschrift, 2025.
• 2024: Emma Urquhart and Frank Stajano. Acceleration of core post-quantum cryptography primitive on open-source silicon platform through hardware/software co-design. Proc. International Conference on Cryptology and Network Security (CANS 2024).
• 2023: Frank Stajano. Sleepwalking into disaster? Requirements engineering for digital cash. Proc. Security Protocols Workshop 2023.
• 2020: Seb Aebischer, Claudio Dettoni, Graeme Jenkinson, Kat Krol, David Llewellyn-Jones, Toshiyuki Masui and Frank Stajano. Deploying authentication in the wild: Towards greater ecological validity in security usability studies. Journal of Cybersecurity, special issue on Usable Security and Privacy, 2020. (blog post)
• 2020: Terry Benzel and Frank Stajano. "IEEE EuroS&P: The Younger Sibling Across the Pond Following in Oakland's Footsteps", IEEE Security & Privacy 18(3):6-7, May-June 2020, DOI: 10.1109/MSEC.2020.2980180. © 2020 IEEE.
• 2018: Frank Stajano, Graham Rymer, Michelle Houghton. Raising a new generation of cyber-defenders. University of Cambridge Computer Laboratory Technical Report 922, June 2018, 307 pages; (also Poster)
• 2018: Kat Krol, David Llewellyn-Jones, Seb Aebischer, Claudio Dettoni, Frank Stajano. Intentionality and agency in security. Proc. Security Protocols Workshop 2018 (SPW 2018), Springer LNCS 11286.
• 2018: Frank Stajano and Mark Lomas. User authentication for the internet of things. Proc. Security Protocols Workshop 2018 (SPW 2018), Springer LNCS 11286.
• 2017: Seb Aebischer, Claudio Dettoni, Graeme Jenkinson, Kat Krol, David Llewellyn-Jones, Toshiyuki Masui, Frank Stajano. Pico in the Wild: Replacing Passwords, One Site at a Time. Proc. European Workshop on Usable Security (EuroUSEC 2017).
• 2017: Kat Krol, Seb Aebischer, David Llewellyn-Jones, Claudio Dettoni, Frank Stajano. Seamless Authentication with Pico. Short Talk at IEEE European Symposium on Security and Privacy (EuroS&P 2017).
• 2017: Virgil Gligor and Frank Stajano. Assuring the Safety of Asymmetric Social Protocols. In Proc. Security Protocols Workshop 2017, Springer LNCS 10476, pp 38-48, Cambridge, UK, 20-22 March 2017.
• Brian Glass, Graeme Jenkinson, Yuqi Liu, M. Angela Sasse and Frank Stajano. The usability canary in the security coal mine: A cognitive framework for evaluation and design of usable authentication solutions In Proc. European Workshop on Usable Security 2016 (EuroUSEC 2016), 18 July 2016, Darmstadt, Germany.
• 2016: Ian Goldberg, Graeme Jenkinson, and Frank Stajano. Low-cost mitigation against cold boot attacks for an authentication token. In Proc. 14th International Conference on Applied Cryptography and Network Security, June 2016.
• 2016: Ian Goldberg, Graeme Jenkinson, David Llewellyn-Jones and Frank Stajano. Red button and yellow button: usable security for lost security tokens. Proc. Security Protocols Workshop 2016, Brno, Czech Republic. Springer LNCS.
• 2016: David Llewellyn-Jones, Graeme Jenkinson and Frank Stajano. Explicit delegation using configurable cookies. Proc. Security Protocols Workshop 2016, Brno, Czech Republic. Springer LNCS.
• 2016: Jeunese Payne, Graeme Jenkinson, Frank Stajano, Angela Sasse and Max Spencer. Responsibility and Tangible Security: Towards a Theory of User Acceptance of Security Tokens. Proc. USEC 2016, San Diego, CA, USA.
• 2015: Frank Stajano and Paul Wilson. "Understanding scam victims: Seven principles for systems security" (poster)
• 2015: Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano. Passwords and the Evolution of Imperfect Authentication. Comms ACM 58(7):78-87, July 2015.
• 2015: Frank Stajano, Bruce Christianson, Mark Lomas, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser. Pico without public keys. In Proceedings of Security Protocols Workshop 2015. Springer LNCS 9379.
• 2015: Frank Stajano, Max Spencer, Graeme Jenkinson, Quentin Stafford-Fraser. Password-manager friendly (PMF): Semantic annotations to improve the effectiveness of password managers. In Proceedings of Passwords 2014, Springer LNCS 9393.
• 2015: Jonathan Millican, Frank Stajano. SAVVIcode: Preventing Mafia Attacks on Visual Code Authentication Schemes. In Proceedings of Passwords 2014, Springer LNCS 9393.
• 2014: Quentin Stafford-Fraser, Frank Stajano, Chris Warrington, Graeme Jenkinson, Max Spencer, Jeunese Payne. To Have and Have Not: Variations on Secret Sharing to Model User Presence. Proc. UPSIDE workshop of UBICOMP 2014.
• 2014: Frank Stajano, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser, Chris Warrington. Bootstrapping Adoption of the Pico Password Replacement System. Proc. Security Protocols Workshop 2014, Springer LNCS 8809.
• 2014: Graeme Jenkinson, Max Spencer, Chris Warrington, Frank Stajano. I bought a new security token and all I got was this lousy phish— Relay attacks on visual code authentication schemes. Proc. Security Protocols Workshop 2014, Springer LNCS 8809.
• 2013: Jonathan Anderson, Frank Stajano. "Must Social Networking Conflict with Privacy?", IEEE Security & Privacy 11(3):51-60.
• 2012: Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano . "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes" In Proc. IEEE Symposium on Security and Privacy 2012, San Francisco, CA, USA. Extended version available as University of Cambridge Computer Laboratory Technical Report UCAM-CL-TR-817.
• 2012: Oliver Stannard and Frank Stajano. "Am I in good company? A privacy-protecting protocol for cooperating ubiquitous computing devices" In Proceedings of Security Protocols Workshop 2012. LNCS 7622. © Springer.
• 2011: Jonathan Anderson and Frank Stajano. "Psychic Routing: Upper Bounds on Routing in Private DTNs" In Proceedings of HotPETs 2011.
• 2011: Frank Stajano. "Pico: No more passwords!" In Proceedings of Security Protocols Workshop 2011, Springer LNCS 7114. © Springer.
• 2011: Jonathan Anderson, Frank Stajano and Robert Watson. "How to keep bad papers out of conferences (with minimum reviewer effort)" In Proceedings of Security Protocols Workshop 2011, Springer LNCS 7114. © Springer.
• 2011: Omar Choudary and Frank Stajano. "Make noise and whisper: a solution to relay attacks" In Proceedings of Security Protocols Workshop 2011, Springer LNCS 7114. © Springer.
• 2011: Frank Stajano and Paul Wilson. "Understanding scam victims: Seven principles for systems security", Communications of the ACM 54(3):70-75, © ACM. Updated and abridged version of Tech Rep 754 (2009).
• 2011: Francesco Stajano. "Don Rosa's Libido Colligandi" in Paolo Castagno (ed.), Don Rosa - A little something special, Papersera, 2011.
• 2011: Francesco Stajano. "Don Rosa interview (2008): before the ducks" in Paolo Castagno (ed.), Don Rosa - A little something special, Papersera, 2011.
• 2011: Francesco Stajano. "Don Rosa interview (1997): the dream of a lifetime" in Paolo Castagno (ed.), Don Rosa - A little something special, Papersera, 2011.
• 2010: Jonathan Anderson, Joseph Bonneau and Frank Stajano. "Inglourious installers: security in the application marketplace". In proceedings of WEIS 2010.
• 2010: Francesco Stajano. "Epico ma non troppo" in Paolo Castagno (ed.), Massimo de Vita - Il cugino di Alf, Papersera, 2010.
• 2010: Ross Anderson and Frank Stajano. "It's the anthropology, stupid!". In proceedings of Security Protocols Workshop 2010. (This is an unrevised preprint.)
• 2010: Saad Aloteibi and Frank Stajano. "On the value of hybrid security testing". In proceedings of Security Protocols Workshop 2010.
• 2010: Jonathan Anderson and Frank Stajano. "On storing private keys in the cloud". In proceedings of Security Protocols Workshop 2010. (This is an unrevised preprint.)
• 2010: Bruce Christianson, Alex Shafarenko, Frank Stajano and Ford-Long Wong. "Relay-proof channels using UWB lasers". In proceedings of Security Protocols Workshop 2010.
• 2010: Frank Stajano, Ford-Long Wong and Bruce Christianson. "Multichannel protocols to prevent relay attacks". In proceedings of Financial Cryptography 2010, Springer LNCS 6054. © IFCA.
• 2009: Frank Stajano. "Privacy in the era of genomics". ACM netWorker, 13:4, Winter 2009. © ACM.
• 2009: Bogdan A. Roman, Ioannis Chatzigeorgiou, Ian J. Wassell, Frank Stajano. "Evaluation of Multi-Carrier Burst Contention and IEEE 802.11 with Fading During Channel Sensing". In Proceedings of 20th IEEE International Symposium on Personal Indoor Mobile Radio Communications, PIMRC'09, September 2009.
• 2009: Frank Stajano, Neil Hoult, Ian Wassell, Peter Bennett, Campbell Middleton and Kenichi Soga. "Smart Bridges, Smart Tunnels: Transforming Wireless Sensor Networks from Research Prototypes into Robust Engineering Infrastructure". Elsevier Ad Hoc Networks http://dx.doi.org/10.1016/j.adhoc.2010.04.002
• 2009: Frank Stajano and Paul Wilson, "Understanding scam victims: Seven principles for systems security". Technical report UCAM-CL-TR-754. Updated and abridged version in Communications of the ACM 54(3):70-75, March 2011. Presented at 2nd Interdisciplinary Workshop on Security and Human Behaviour (SHB 2009) and a dozen other places over four continents.
• 2009: Jonathan Anderson, Joseph Bonneau, Frank Stajano, "Security APIs for Online Applications", in Proc. 3rd International Workshop on Analysis of Security APIs, July 2009.
• 2009: Frank Stajano, "Foot-driven computing: our first glimpse of location privacy issues", in in ACM SIGSPATIAL 1(2):28-32, Special Issue on Privacy and Security of Location-Based Systems, July 2009.
• 2009: Francesco Stajano, Prefazione al catalogo della mostra personale di Giorgio Cavazzano tenutasi a Dolo (VE) nel maggio-giugno 2009.
• 2009: Francesco Stajano, "Intervista a Giorgio Pezzin", in Paolo Castagno (Ed.), Giorgio Pezzin - Tanto gli strumenti sono solo dipinti, Papersera, 2009.
• 2009: Francesco Stajano, "Giorgio Pezzin, il genio techno", in Paolo Castagno (Ed.), Giorgio Pezzin - Tanto gli strumenti sono solo dipinti, Papersera, 2009.
• 2009: Jonathan Anderson, Claudia Diaz, Joseph Bonneau, Frank Stajano, "Privacy-enabling social networking over untrusted networks", in Proceedings of WOSN 2009: The Second ACM SIGCOMM Workshop on Online Social Networks, Barcelona, Spain, 17 August 2009.
• 2009: Luke Church, Jonathan Anderson, Joseph Bonneau and Frank Stajano, Privacy Stories: Confidence in Privacy Behaviors through End User Programming (poster), in Proceedings of the 5th ACM Symposium on Usable Privacy and Security (SOUPS 2009), Mountain View, CA, USA, July 2009.
• 2009: Joseph Bonneau, Jonathan Anderson, Frank Stajano, Ross Anderson, Eight Friends are Enough: Social Graph Approximation via Public Listings, in Proceedings of SocialNets 2009: The Second ACM Workshop on Social Network Systems, Nurembeg, Germany, 31 March 2009.
• 2009: Jonathan Anderson and Frank Stajano, "Not That Kind of Friend: Misleading Divergences Between Online Social Networks and Real-World Social Protocols". Proceedings of Seventeenth International Workshop on Security Protocols, Cambridge, UK, 1-3 April 2009. Springer LNCS. You may download an unrevised preprint.
• 2009: Frank Stajano, "Security Issues in Ubiquitous Computing", book chapter in Handbook of Ambient Intelligence and Smart Environments. It received the highest score of any chapter in the book, as two out of two volume editors who reviewed it gave it a "strong accept". Thanks to the people who sent me useful comments.
• 2008: Dave Singelée, Ford-Long Wong, Bart Preneel and Frank Stajano. "A Theoretical Model for Location Privacy in Wireless Personal Area Networks" (or cached). KU-Leuven COSIC internal report no 1176, 2008.
• 2008: Frank Stajano, Lucia Bianchi, Pietro Liò and Douwe Korff. "Forensic Genomics: Kin Privacy, Driftnets and Other Open Questions". in Proceedings of ACM Workshop on Privacy in the Electronic Society (WPES 2008), Alexandria, VA, USA, 27 October 2008. © ACM, 2008. You may comment on it (and read other people's comments) on our blog.
• 2008: Frank Stajano and Richard Clayton. Cyberdice: peer-to-peer gambling in the presence of cheaters. Proceedings of 16th Security Protocols Workshop, Cambridge, UK, 16-18 April 2008. Springer LNCS 6615. A transcript of the discussion is also available. © Springer.
• 2008: Francesco Stajano. "Filologia disneyana, fra crudo empirismo e dotta speculazione", in Paolo Castagno (Ed.), Abramo e Giampaolo Barosso - Fra logaritmi e fiordalisi, Papersera, 2008.
• 2008: Francesco Stajano. "Abramo e Giampaolo Barosso: trecento e più occasioni per risate intelligenti", in Paolo Castagno (Ed.), Abramo e Giampaolo Barosso - Fra logaritmi e fiordalisi, Papersera, 2008.
• 2008: Frank Stajano, Dan Cvrcek, Matt Lewis. "Steel, Cast Iron and Concrete: Security Engineering for Real World Wireless Sensor Networks". Proceedings of Applied Cryptography and Network Security conference (ACNS 2008), Springer LNCS 5037, pp.460-478. © Springer.
• 2008: Bogdan Roman, Frank Stajano, Ian Wassell, David Cottingham. "Multi-Carrier Burst Contention (MCBC): Scalable Medium Access Control for Wireless Networks". Proceedings of IEEE Wireless Communications & Networking Conference 2008 (WCNC'08), Las Vegas, March 2008.
• 2007: Francesco Stajano, "Giorgio Cavazzano: Maestro, oltre il talento", 2007. Ripubblicato su Papersera VI(1), 2008.
• 2007: Ford Long Wong and Frank Stajano, "Multichannel Security Protocols", in IEEE Pervasive Computing, Special Issue on Security and Privacy, 6(4):31-39, Oct-Dec 2007.
• 2007: Frank Stajano, Catherine Meadows, Srdjan Capkun, Tyler Moore (Eds.), Security and Privacy in Ad-hoc and Sensor Networks 4th European Workshop, ESAS 2007, Cambridge, UK, July 2-3, 2007. Proceedings. Springer Lecture Notes in Computer Science volume 4572.
• 2007: Francesco Stajano, "Salsicce allo spiedo! Attorno al fuoco con Nonno Rodolfo", in Paolo Castagno (Ed.), Rodolfo Cimino - Dalla tana del bestio all'angolo dei salici, Papersera, 2007.
• 2007: Francesco Stajano, "Rodolfo Cimino, maestro cantastorie: da antiche magie a romantiche avventure (senza scordare i tapiri)", in Paolo Castagno (Ed.), Rodolfo Cimino - Dalla tana del bestio all'angolo dei salici, Papersera, 2007.
• 2007: Ford Long Wong, Min Lin, Shishir Nagaraja, Ian Wassell and Frank Stajano, "Evaluation Framework of Location Privacy of Wireless Mobile Systems with Arbitrary Beam Pattern", in Proceedings of Fifth Annual Conference on Communication Networks and Services Research (CSNR 2007), Fredericton, New Brunswick, Canada, 14 - 17 May 2007, IEEE Communications Society and Association for Computing Machinery.
• 2007: Kasim Rehman, Frank Stajano and George Coulouris, "An Architecture for Interactive Context-Aware Applications", IEEE Pervasive Computing 6(1):73-80, January 2007.
• 2006: Frank Stajano, Hyoung Joong Kim, Jong-Suk Chae, Seong-Dong Kim (Eds.), Ubiquitous Convergence Technology, First International Conference, ICUCT 2006, Jeju Island, Korea, December 5-6, 2006, Revised Selected Papers. Springer Lecture Notes in Computer Science volume 4412.
• 2006: Joonwoong Kim, Alastair Beresford and Frank Stajano, "Towards a Security Policy for Ubiquitous Healthcare Systems (Position Paper)", in Proceedings of First International Conference on Ubiquitous Convergence Technology (ICUCT 2006), Jeju, Korea, Dec 2006, LNCS 4412, © Springer-Verlag.
• 2006: Francesco Stajano, "Luciano Bottaro e lo scherzo cinese", in Paolo Castagno (Ed.), Luciano Bottaro - Un "gioviale" omaggio, Papersera, 2006.
• 2006: Matthew Johnson and Frank Stajano, "Usability of Security Management: Defining the Permissions of Guests", in Proceedings of 14th Security Protocols Workshop, Cambridge, UK, 2006-03-27..29, LNCS, © Springer-Verlag.
• 2006: Ford-Long Wong and Frank Stajano, "Multi-channel Protocols for Group Key Agreement in Arbitrary Topologies", in Proceedings of 3rd IEEE Workshop on Pervasive Computing and Communications Security (PerSec 2006).
• 2005: Pablo Vidales, Javier Baliosian, Joan Serrat, Glenford Mapp, Frank Stajano, Andy Hopper, "Autonomic System for Mobility Support in 4G Networks", in IEEE Journal On Selected Areas In Communications, December 2005.
• 2005: Kasim Rehman, Frank Stajano and George Coulouris, "Visually Interactive Location-Aware Computing", in UbiComp 2005: Ubiquitous Computing: 7th International Conference, UbiComp 2005, Tokyo, Japan, September 11-14, 2005. Proceedings, LNCS 3660, 2005, © Springer-Verlag. ISBN 3-540-28760-4.
• 2005: Francesco Stajano, "Addio, Romano!", in DDF(R)appet, June 2005, fanzine of the Danish Donaldist society.
• 2005: Frank Stajano, "RFID is X-ray vision", University of Cambridge Computer Laboratory Technical Report 645. Revised write-up of keynote talk I gave at the first workshop in the International Workshop Series on RFID, Tokyo, Japan, November 2004. A condensed version, featuring some prudish censorship courtesy of the CACM editors, appears in the September 2005 issue of Communications of the ACM.
• 2005: Ford-Long Wong and Frank Stajano, "Location Privacy in Bluetooth", in Proceedings of 2nd European Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS 2005), LNCS 3813, © Springer-Verlag, pages 176-188.
• 2005: Ford-Long Wong and Frank Stajano, "Multi-channel protocols", in Proceedings of Security Protocols Workshop 2005, LNCS 4631, © Springer-Verlag.
• 2005: Ford-Long Wong, Frank Stajano and Jolyon Clulow, "Repairing the Bluetooth pairing protocol", in Proceedings of Security Protocols Workshop 2005, LNCS 4631, © Springer-Verlag.
• 2005: Matthew Johnson and Frank Stajano, "Implementing a multi-hat PDA", in Proceedings of Security Protocols Workshop 2005, LNCS 4631, © Springer-Verlag.
• 2005: Frank Stajano, "A visit to a sword polisher's workshop", in Proceedings of Seminar on Japanese Swords, Tsurugi-Bashi Kendo Kai, 2005.
• 2005: Pablo Vidales, Glenford Mapp, Frank Stajano, Jon Crowcroft, Carlos Jesus Bernardos, "A Practical Approach for 4G Systems: Deployment of Overlay Networks", in Proceedings of Testbeds and Research Infrastructures for the DEvelopment of NeTworks and COMmunities / TRIDENTCOM 2005. (Best paper award)
• 2004: Frank Stajano, Security for Ubiquitous Computing (abstract of invited talk), in Proceedings of 7th International Conference on Information Security and Cryptology (ICISC 2004), Seoul, Korea, Dec 2004. Springer LNCS 3506.
• 2004: Frank Stajano, "Will your digital butlers betray you?", in Proceedings of ACM Workshop on Privacy in the Electronic Society (WPES), October 2004, Washington, DC, USA, © ACM.
• 2004: Frank Stajano, "One user, many hats; and, sometimes, no hat—towards a secure yet usable PDA", in Proceedings of 12th International Security Protocols Workshop, April 2004, Cambridge, UK. LNCS 3957 pages 51-64, © Springer-Verlag.
• 2004: Alastair Beresford and Frank Stajano, "Mix Zones: User privacy in location-aware services", in Proceedings of First IEEE International Workshop on Pervasive Computing and Communication Security (PerSec) 2004, a workshop in PerCom 2004. © IEEE.
• 2003: Frank Stajano and Jon Crowcroft, "The Butt of the Iceberg: Hidden Security Problems of Ubiquitous Systems", in Basten et al., eds., Ambient Intelligence: Impact on Embedded System Design, Kluwer 2003.
• 2003: Frank Stajano, "The Security Challenges of Ubiquitous Computing" (Abstract of invited talk for CHES 2003)
• 2003: Frank Stajano, "Security in Pervasive Computing" (Abstract of invited talk for SPC 2003, Boppard, Germany, March 2003), Springer LNCS 2802.
• 2003: Alastair Beresford and Frank Stajano, "Location Privacy in Pervasive Computing", IEEE Pervasive Computing, 2(1):46-55, 2003. © IEEE.
• 2002: Frank Stajano, Security for whom? The shifting security assumptions of pervasive computing in Proceedings of International Security Symposium 2002, Tokyo, Japan, LNCS 2609, © Springer-Verlag.
• 2002: Kasim Rehman, Frank Stajano and George Coulouris, Interfacing with the Invisible Computer, In Proceedings of NordiCHI 2002, Aarhus, Denmark, 2002-10-19.
• 2002: Pablo Vidales and Frank Stajano, "The Sentient Car: Context-Aware Automotive Telematics", in Proceedings of First IEE European Workshop on Location Based Services (LBS-2002), London, UK. Also appeared as a poster and extended abstract at Ubicomp 2002.
• 2002: Frank Stajano and Ross Anderson, The Resurrecting Duckling: Security Issues for Ubiquitous Computing. Journal version of the Duckling article. Appeared in the pre-series inaugural issue of IEEE Security & Privacy, published as a supplement to IEEE Computer magazine 35(4), April 2002.
• 2002: Frank Stajano, Security for Ubiquitous Computing, Wiley, 2002.
• 2002: Frank Stajano and Hiroshi Isozaki, "Security Issues for Internet Appliances" in Proceedings of SAINT 2002.
• 2002: Tatsuo Nakajima, Hiro Ishikawa, Eiji Tokunaga and Frank Stajano, "Technology Challenges for Building Internet-Scale Ubiquitous Computing", in Proceedings of WORDS 2002.
• 2002: Frank Stajano and Yutaka Sata, "Personalized reminder service", Japanese patent application P2002-12052 (in Japanese), 2002.
• 2001: Frank Stajano and Hiroshi Isozaki, "Apparatus for managing software and method of installing software", Japanese patent application P2001-315815 (in Japanese), 2001.
• 2001: Security Policies
• 2000: Romantic Cryptography
• 2000: The Grenade Timer: Fortifying the Watchdog Timer Against Malicious Mobile Code
• 2000: A personal homage to Carl Barks, the great comics storyteller, creator of Uncle Scrooge and Gyro Gearloose, who died on 2000-08-25 at age 99.
• 2000: A set of flash cards to practice the Japanese hiragana and katakana syllabaries (Frank's do-it-yourself kana cards).
• 2000: A better version of Python's getopt module.
• 2000: The Resurrecting Duckling -- What Next?
• 2000: Il falsario contro il crittologo: sicurezza per la lotteria informatizzata
• 2000: Python in Education: Raising a Generation of Native Speakers
• 1999: Disney comics from Italy
• 1999: The Cocaine Auction Protocol: on the Power of Anonymous Broadcast
• 1999: The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks
• 1998: Il grande Floyd Gottfredson - Una vita con Topolino
• 1998: The SMS server, or why I switched from Tcl to Python
• 1998: The Thinnest Of Clients: Controlling It All Via Cellphone
• 1998: Nothing better than a Python to write a Serpent
• 1998: Visual Cryptography Kit
• 1998: A few pairs of mutually self-generating programs.
• 1998: A detailed, illustrated trip report on IPC7, the 7th International Python Conference held in Houston, Texas, USA, 10-13 November 1998.
• 1998: A Gentle Introduction to Relational and Object Oriented Databases
• 1998: A design for my Cambridge University business card
• 1998: HTML pretty-print
• 1997: Restituire l'anima rubata
• 1997: Don Rosa e il Rinascimento disneyano
• 1997: A few self-generating programs that now live in Eli Biham's collection.
• 1996-7: a chapter in The Art of Giorgio Cavazzano
• 1996: Carta, inchiostro, emozioni
• 1996: Javatalk (effectively ORL's first piece of Open Source software)
• 1996: Success story: net risks melt-down as web hits critical mass
• 1996?: Chess Replay applet
• 1995: The Doom Zoo with its Rotator applet
• 1995: Taming the Complexity of Distributed Multimedia Programs
• 1994: The Doom Honorific Titles
• 1994: Frank Stajano, Writing Tcl Programs in the Medusa applications environment, Proceedings of 2nd Tcl/Tk Workshop, New Orleans, LA, USA, 1994.
• 1992: Manuale Modem
• 1991: Media Composition and Synchronization Aspects in an Interactive Multimedia Authoring Environment
• 1991?: Il Terzo Universo
• 1991?: Artigiani e artisti dell'immateriale

Courses and projects

I used to run the Computer and Communications Technology Reading Club, perhaps better known as the LCE Monday Meetings.

Computer Science Tripos (BA)

MPhil in Advanced Computer Science

PhD: Eli Katsiri, Zheng Li, Matthew Johnson, Joong-Woong Kim, Bogdan Roman, Saad Aloteibi, Omar Choudary

MPhil: Omar Choudary, Miltiadis Allamanis, Bogdan Matican, Max Nicosia, Junayed Mizan

Former undergraduate students whose final year project I supervised

1999-2000:

George Danezis

2002-2003:

Julian Dale, David Stern, Mark Victory

2003-2004:

Grant Oddoye

2004-2005:

Peng Yuan Fan, Arun Rakhra

2011-2012:

Bo Tian, Oliver Stannard

2013-2014:

Alex Chadwick, Jonathan Millican

2014-2015:

Daniel Low

2016-2017:

Gábor Szarka

2018-2019:

Harry Jones

2021-2022:

Joe O'Connor, Weronika Wiech, Viktor Mirjanic

Former undergraduate students whose coursework I supervised

Lent 1999, Security:

Chris Reed, John Hall, Ross Younger, Ari Krakauer, Martin Thorpe, Ben Waine, Katie Bebbington, Ciaran McNulty, Matthew Slyman, Dominic Crowhurst, Matt Cobley, Alfredo Gregorio, Andrei Serjantov, Jacob Nevins, Theo Honohan, Ben Mansell, Alastair Beresford, Richard Sharp, David Scott.

Lent 2000, Security:

Siraj Khaliq, Julian Brown, George Danezis, Mark Shinwell, Patrick Wynn, Bruno Bowden, Justin Siu, Paul Gotch.

(...then stopped keeping track...)

• Animals, except insects
• Books (I have well over 50 metres worth of them)
• Building things
• Cats
• Comics, especially but not exclusively Walt Disney ones
• Computers
• Geeky gadgets
• Hocho (Japanese knives)
• Jokes
• Japan
• Kendo
• Languages and etymology
• Photography
• Pizza
• Public speaking
• Reading
• Sashimi
• Teaching
• Writing

• Air conditioning as a replacement for opening the windows
• Books and articles written in a complicated way in the mistaken belief that this will make readers think that the author is more clever than them
• Cars, especially traffic jams and parking problems
• Commuting to work
• Insects, especially mosquitos
• Political correctness (an alternative spelling for hypocrisy)
• Supermarket loyalty cards
• Tabs in source code
• Tobacco smoke

1. IPC9 aka 9th International Python Conference (5-8 March 2001, Long Beach, CA, USA)
2. IPC10 aka 10th International Python Conference (4-7 February 2002, Alexandria, VA, USA)
3. IWSAWC 2002 aka The 2nd International Workshop on Smart Appliances and Wearable Computing (2 July 2002, Vienna, Austria)
4. Mobicom 2002 aka The Eighth ACM International Conference on Mobile Computing and Networking (23-28 September 2002, Atlanta, GA, USA)
5. WiSe aka Workshop on Wireless Security (28 September 2002, Atlanta, GA, USA)
6. SPC 2003 aka 1st International Conference on Security in Pervasive Computing (12-14 March 2003, Boppard, Germany)
7. PerSec 2004 aka First IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2004 (14-17 March 2004, Orlando, FL, USA)
8. ICDCS 2004 aka 24th International Conference on Distributed Computing Systems (23-26 March 2004, Tokyo, Japan)
9. Uk-Ubinet 2004 aka 2nd UK-UbiNet Workshop, Security, trust, privacy and theory for ubiquitous computing (5-7th May 2004, Cambridge, UK)
10. ESAS 2004 aka 1st European Workshop on Security in Ad-Hoc and Sensor Networks (5-6 August 2004, Heidelberg, Germany)
11. Mobiquitous 2004 aka First Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (22-25 August 2004, Boston, MA, USA)
12. UCS 2004 aka 2nd International Symposium on Ubiquitous Computing Systems (8-9 November 2004, Tokyo, Japan)
13. PerSec 2005 aka 2nd IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2005 (8-12 March 2005, Hawaii, USA) (Program co-chair)
14. SPC 2005 aka 2nd Conference on Security in Pervasive Computing (6-8 April 2005, Boppard, Germany)
15. LoCa 2005 aka International Workshop on Location- and Context-Awareness, in cooperation with Pervasive 2005 (12-13 May 2005, Oberpfaffenhofen near Munich, Germany)
16. TSPUC 2005 aka First International Workshop on Trust, Security and Privacy for Ubiquitous Computing (13 June 2005, Taormina, Italy), affiliated with IEEE WOWMOM 2005
17. PerSec 2006 aka 3rd IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2006 (13-17 March 2006, Pisa, Italy) (Program co-chair)
18. HPCC-06 aka The Second International Conference on High Performance Computing and Communications (13-15 September 2006, Munich, Germany) (Program vice-chair)
19. ESAS 2006 aka Third European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (20-21 September 2006, Hamburg, Germany)
20. UCS 2006 aka 2006 International Symposium on Ubiquitous Computing Systems (11-13 October 2006, Seoul, Korea)
21. ICUCT 2006 aka International Conference on Ubiquitous Convergence Technology (6-8 December 2006, Jeju, Korea) (Program co-chair)
22. PerSec 2007 aka 4th IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2007 (26 March 2007, New York, USA) (Program co-chair)
23. PerCom 2007 aka 5th Annual IEEE International Conference on Pervasive Computing and Communications, (26-30 March 2007, New York, USA)
24. ESAS 2007 aka Fourth European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (2-3 July 2007, Cambridge, UK) (General chair)
25. SecureComm 2007 aka Third International Conference on Security and Privacy in Communication Networks (17-21 September 2007, Nice, France)
26. WiSec 2008 aka First ACM Conference on Wireless Network Security (31 March - 2 April 2008, Alexandria, VA, USA)
27. WiSec 2009 aka Second ACM Conference on Wireless Network Security (16 - 18 March 2009, Zurich, Switzerland)
28. IWSSI/SPMU 2009 aka Second International Workshop on Security and Privacy in Spontaneous Interaction and Mobile Device Use, held in conjunction with Pervasive 2009 (11 May 2009, Nara, Japan)
29. SPW 2009 aka Seventeenth International Workshop on Security Protocols (1-3 April 2009, Cambridge, UK)
30. WISTP 2009 aka Workshop in Information Security Theory and Practices on Smart Devices, Pervasive Systems, and Ubiquitous Networks (2-4 September 2009, Brussels, Belgium)
31. DWSAN4CIP 2009 aka International Workshop on Dependable Wireless Sensor and Actuator Networks for Critical Infrastructure Protection (18-19 October 2009, St. Petersburg, Russia), held in conjunction with ICUMT 2009.
32. WISEC 2010 aka Third ACM Conference on Wireless Network Security (March 2010, New York, USA) (Program co-chair)
33. SPW 2010 aka Eighteenth International Workshop on Security Protocols (24-26 March 2010, Cambridge, UK)
34. SEC 2010 aka International Information Security Conference 2010: Security & Privacy - Silver Linings in the Cloud (20-23 September 2010, Brisbane, Australia)
35. WISEC 2011 aka Fourth ACM Conference on Wireless Network Security (14-17 June 2011, Hamburg, Germany)
36. SPW 2011 aka Nineteenth International Workshop on Security Protocols (March 2011, Cambridge, UK)
37. SPW 2012 aka Twentieth International Workshop on Security Protocols (April 2012, Cambridge, UK)
38. WRIT 2013 aka Workshop on Research for Insider threat, a workshop of Oakland 2013 (24 May 2013, San Francisco, CA, USA) (Program co-chair)
39. Oakland 2014 aka 35th IEEE Symposium on Security and Privacy (18-21 May 2014, San Jose, CA, USA)
40. SPW 2013 aka Twentyfirst International Workshop on Security Protocols (April 2013, Cambridge, UK)
41. SPW 2014 aka Twentysecond International Workshop on Security Protocols (April 2014, Cambridge, UK)
42. Passwords14 aka 7th international conference on passwords (8-10 December 2014, Trondheim, Norway).
43. SPW 2015 aka Twentythird International Workshop on Security Protocols (April 2015, Cambridge, UK)
44. SOUPS 2015 aka Symposium On Usable Privacy and Security (22-24 July 2015, Ottawa, Canada).
45. Passwords 2015 aka 9th international conference on passwords (7-9 December 2015, Cambridge, UK) (Program co-chair)
46. SPW 2016 aka Twentyfourth International Workshop on Security Protocols (6-8 April 2016, Brno, Czech Republic)
47. SOUPS 2016 aka Twelfth Symposium on Usable Privacy and Security (22-24 June 2016, Denver, CO, USA)
48. EuroUSEC 2016 aka First European Workshop on Usable Security (18 July 2016, Darmstadt, Germany).
49. Passwords 2016 aka 11th International Conference on Passwords (5-7 December 2016, Bochum, Germany) (Program co-chair)
50. EuroS&P 2017 aka Second IEEE European Symposium on Security and Privacy (26-28 April 2017, Paris, France)
51. SPW 2017 aka Twentyfifth International Workshop on Security Protocols (20-22 March 2017, Cambridge, UK) (Program chair)
52. SPW 2018 aka Twentysixth International Workshop on Security Protocols (19-21 March 2018, Cambridge, UK) (General chair)
53. SPW 2019 aka Twentyseventh International Workshop on Security Protocols (10-12 April 2019, Cambridge, UK) (General chair)
54. EuroS&P 2019 aka Fourth IEEE European Symposium on Security and Privacy (17-19 June 2019, Stockholm, Sweden) (Program co-chair)
55. SPW 2020 aka Twentyeighth International Workshop on Security Protocols (April 2020, Cambridge, UK) (General chair) CANCELLED
56. EuroS&P 2020 aka Fifth IEEE European Symposium on Security and Privacy (June 2020, Genova, Italy) (Program co-chair)
57. SPW 2023 aka Twentyeighth International Workshop on Security Protocols (27-28 March 2023, Cambridge, UK) (Program Chair and General Chair)
58. Rossfest Symposium in memory of Ross Anderson (25 March 2025, Cambridge, UK) (General Chair)
59. SPW 2025 aka Twentyninth International Workshop on Security Protocols (26-27 March 2025, Cambridge, UK) (Program Chair and General Chair)
60. SHB 2025 aka Eighteenth Workshop on Security and Human Behavior (Cambridge, UK) (General Chair)

I encourage you to submit papers to those of the events above for which the submission date is still in the future. The Calls for Papers are available from the links.

I also served as associate editor for IEEE Transactions on Dependable and Secure Computing.

• Websurfo, ergo sum
• The truly cool don't have backgrounds
• ...and even sillier things that enterprising students have seen fit to record for posterity. In fact, they have a whole database of quotes from lecturers in this department.

---

Professor Frank Stajano
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom

ORCID: 0000-0001-9186-6798
SCOPUS: 10041405900
GOOGLE SCHOLAR: F Stajano

Fax: +44 1223 334611

Telephone contact is generally not encouraged but, if you are a friend or if you have a good reason, with a little homework you can find my number in the departmental directory. Don't, if you're a salesperson, or I may be rude to you.

Time zone info: the UK uses the UTC+0 time zone and goes to UTC+1 during the summer (actually from the last Sunday in March to the last Sunday in October); most other EU countries, instead, are on UTC+1 and UTC+2 respectively, but the change is synchronised, so the time difference with Central Europe is now always 1 hour (this used to be different). Japan is on UTC+9 and, in its wisdom, stays there all year long.

These days, I get a lot of email. A long time ago I used to reply to almost every message. I soon stopped doing that, but for many years I kept on carefully reading every message. In the late 1990s I stopped doing that too, because of spam: initially it was a big shock for me to delete stuff without having read it ("what if it was important?"), but then I got over it. Nowadays I ask the Bayesian filter in Thunderbird (not as good as the wonderful Python-powered Spambayes, but more conveniently accessible) to throw away messages on my behalf without even showing them to me. The stuff that gets through I usually read, except if it's too long or if it contains Microsoft attachments.

DON'T send me Microsoft attachments, which are notorious virus vehicles; ideally, if you want to be kind, please don't send me any attachments at all. Unless I already know you have a good reason for sending it to me, mail with attachments may be discarded unread, or actually not even downloaded from the server. I am happiest when people send me plain text or, at most, a pointer to a pdf.

Even after all this filtering, I still get way too much mail. I write over 10 replies per workday (often many more), but course I can't hope to keep up with an influx that is an order of magnitude larger. As Joachim Posegga once wrote, "response time tends to be an exponential function of message length".

If you want to write to me because you want to become my student at Cambridge, please read this helpful and instructive page. If you don't (and I will be able to tell from your message) I might just silently ignore you; or, if you're lucky, just point you again to this page.

Having said all that, my university email address is givenname.familyname@cl.cam.ac.uk.

I use and encourage the use of PGP (or its free equivalent GPG, to which I even once contributed a minor bug fix). My PGP keys are on the keyservers. I prefer to receive encrypted mail messages as inline ascii-armoured text as opposed to attachments.

---

HTML advice of the day: don't misuse tables for page layout purposes and, above all, avoid browser-specific crap!

"With HTML 4.0, any Web application can be vendor independent. There really is no excuse for tying yourselves or your partners to proprietary solutions."
--Tim Berners-Lee, inventor of the World Wide Web

(recheck) (recheck)