documentcv


Upload: rajmal-menariya

Post on 22-Dec-2015


James Alistair Heather

3 Old School House
Perry Hill
Worplesdon
GU3 3QZ

Home: 01483 822403
Mobile: 07973 742473
Email: [email protected]

Web: http://www.chiastic-security.co.uk

Summary
Software developer with 15+ years of Java experience, and 15+ years of academic research into computer security, formal verification of concurrent and distributed systems, and secure electronic voting.

Programming languages: Java (including Android), Haskell, CSP, bash, Python, C
Technologies: OOP, Swing, Hibernate, MySQL, Apache Lucene, XML, FDR
Operating systems: Linux/UNIX, Android
Dev/build tools: Eclipse, JUnit, Ant, Maven, GIT, subversion, make

Employment record
2014– Managing Director, Chiastic Security Ltd: software development and computer security consultancy

2010–2014 Senior Lecturer in Computing, Department of Computing, University of Surrey

2001–2010 Lecturer in Computing, Department of Computing, University of Surrey

Education
1997–2001 PhD in Computing, Royal Holloway, University of London

1996–1997 MSc in Computation, Corpus Christi College, Oxford

1993–1996 BA in Mathematics and Computation, Corpus Christi College, Oxford (First Class Honours)

Responsibilities and highlights in Chiastic Security role
• Designing and developing a bespoke stock control and client management system for an art gallery in South Kensington. This is a distributed system that runs on all machines in the gallery, and controls invoicing, stock management, mailouts, and many other essential tasks. Coded in Java, with Hibernate used to connect to a MySQL database, and Lucene to speed up searching and reduce load on the database. Connects to a web service to push updates to the gallery’s live web site.
  – Technologies used: Java, Swing, MySQL, Hibernate, Lucene, docx4j, ant, maven, bash scripting
• Snapfest: Collaboration to design and build a distributed system for realtime upload/display of photos taken on smartphones. The Android app intercepts any photo taken with the camera app, and instantaneously compresses it and uploads it to the server for display on a large screen.
  – Technologies used: Client (me): Java/Android, web services, JUnit; Server (others): Scala, Google App Engine
• Conducting research and publishing in high quality journals and conference proceedings (see full publication list)

Responsibilities in Surrey role
• Conducting and publishing research into computer security, verifiable voting and formal methods: large number of publications on formal modelling and analysis of security systems
• Attracting funding to support research
• Managing project teams to ensure successful outcomes: whole SDLC lifecycle, from inception to deployment
• Presenting work to major international conferences: 15+ years’ experience speaking to technical and non-technical audiences
• Teaching key aspects of computer science to undergraduates and MSc students, including:
  – Android/Java programming, Linux (first year undergraduate)
    ∗ Principles of operating systems, how Android builds on Java and the Linux kernel, Android app development
  – Computer security (MSc)
    ∗ Symmetric crypto, public key crypto, hash functions, security protocols
• Finding innovative ways to improve teaching of computer science
  – Learning programming through competition: building The Arena to enable students to write programs that play games against each other


Achievements
To present 10 peer-reviewed journal articles, 32 peer-reviewed conference publications

2014 Consultancy: conducted code review of mixnet developed by Victorian Electoral Commission (VEC) for use in verifiable voting system

Technologies used: Java, JUnit, gradle, GIT

2014 Fourth placed in B-Sides hacking challenge (cryptanalysis)

Technologies used: C, Python, Raspberry Pi, bash scripting

2013 Invited speaker at European Parliament’s Privacy Platform on surveillance, in response to Edward Snowden revelations. One of four panellists, with Jacob Appelbaum (former spokesperson for WikiLeaks); Ladar Levison (Lavabit); Troels Oerting (Director of the EU’s European Cybercrime Centre)

2013 Invited speaker at EVT2013, the most prestigious secure voting conference, to talk about work with Victorian Electoral Commission

2012 Contract secured with VEC to develop verifiable voting system for use in Victorian state elections from Nov 2014

2010 Awarded £45K from Royal Academy of Engineering for Real-World Secure Elections Fellowship project, running Oct 2010 to Oct 2011 (highly competitive: only seven awarded nationally each year)

2010 Interviewed on BBC Radio about an article in Times Higher Education on my work ([3]) on security weaknesses in Turnitin, the plagiarism detection system.

2010 Promotion to Senior Lecturer for excellent research and teaching record

2009 Awarded £1.06M from Engineering and Physical Sciences Research Council for Trustworthy Voting Systems project, running Apr 2009 to Apr 2014. This is the only time a public research council anywhere in the world has approved funding on this scale to look at secure electronic voting.

2008 Ran tournament for British Computer Society using The Arena, a system I created to stimulate students’ interest in programming, through competition. Provides a framework for hosting two-player, turn-based strategy games.

Students write Java code that takes a game in progress, and returns their favoured move from that position; The Arena uses students’ player modules to run a large tournament on a cluster. Much of the codebase deals with security and sandboxing, to stop player modules breaking rules or compromising the host system.

Technologies used: Java, MySQL, bash scripting, cluster deployment, heavily multithreaded/distributed

2008 Interviewed on BBC Radio, ABC Radio (Aus), and Colombian National Radio, about voting research

2007 VoComp (International Voting Systems Competition): ‘Best Design’ award, and second place overall. Led a team of five in designing and building a verifiable voting system, to a very tight timescale.

Technologies used: Java, MySQL, LaTeX, BouncyCastle, svn

2007 SCEPTrE Fellowship, a prestigious Surrey award to acknowledge excellence in teaching

2006 Consultancy for Microsoft to determine physical distance travelled by a computer mouse over one year

2002 Provided bespoke security tuition for the Swedish Security Service, including training in cryptographic techniques and general security topics

Key projects
2009–2014 Trustworthy Voting Systems (EPSRC): Research into how to provide two critical and seemingly conflicting properties of a voting system: (1) voter privacy and anonymity; (2) a means for voters to verify that their vote was included, unaltered, in the count, and challenge the election if not. The initial plan was for a simple prototype of a verifiable voting system, with the UK’s fairly simplistic electoral system in mind; but it led to a real implementation for use in governmental state elections in Victoria. I led this project, and was responsible for managing a team of 2 academics, 3 post-docs, and 3 PhD students.

2010–2011 Real-world Secure Elections (Royal Academy of Engineering): Fellowship project that allowed me to spend an extended period in Melbourne working on various aspects of voter privacy. Conversations I had there with a key manager at the Victorian Electoral Commission led to the invitation to design and build a system for them.

2012–2014 Building a verifiable voting system for use in Victoria (VEC): adapting our prototype for use in Victorian state elections (3.6M voters, with a complex ballot system). The system will be deployed in a state-wide governmental election for the first time in Nov 2014. This will be the first governmental use worldwide of a large-scale verifiable voting system.

The hardest aspect of applying the Trustworthy Voting Systems work to the Australian context was the sheer complexity of the ballots used in Australia: there may be up to 50 candidates in some Victorian elections, and voters in some cases are required to rank them in preference order, with these orderings then subjected to a complex tallying process to determine the winners. Applying verifiable voting in Victoria involved a significant upward shift in ambitions for the field of voting, taking things from an academic toy to a real-world solution in one of the most complex electoral environments in existence.

Surrey designed and developed most of the system (available at https://bitbucket.org/tvsproject), under my direction. I was also responsible for code review of the part developed outside Surrey.

Technologies used: Java, MongoDB, MySQL, BouncyCastle, ElGamal/ECC, GIT, svn, JUnit

Key publications arising from these projects: establishing a formal framework ([2]) for analysing voting systems for coercion resistance; follow-up work ([1]) to improve the techniques to enable the analysis to be automated.

Other skills/activities
• Good understanding of, and relationship with, academic computer security community
• Leader of student team on a Christian holiday camp for 14–18 year olds each summer (1994–present)

Selected publications
[1] Murat Moran, James A. Heather, and Steve A. Schneider. Verifying Anonymity in Voting Systems using CSP. Formal Aspects of Computing, 26(1):63–98, 2014. Available at http://epubs.surrey.ac.uk/745657/1/facsanon.pdf.

[2] James A. Heather and Steve A. Schneider. A Formal Framework for Modelling Coercion Resistance and Receipt Freeness. In Proceedings of Formal Methods (FM) 2012, volume 7436, pages 217–231, Paris, August 2012. Available at http://epubs.surrey.ac.uk/726040/1/MASTER.pdf.

[3] James A. Heather. Turnitoff: identifying and fixing a hole in current plagiarism detection software. Journal of Assessment and Evaluation in Higher Education, 35(6):647–660, 2010. Available at http://epubs.surrey.ac.uk/107387/2/turnitoff-named.pdf.

[4] James A. Heather, Gavin Lowe, and Steve A. Schneider. How to avoid type flaw attacks on security protocols. Journal of Computer Security, 11(2):217–244, 2003. Available at http://epubs.surrey.ac.uk/1901/1/fulltext.pdf.

References available on request.