Postdoctoral Researcher in Secure Software Engineering and Vulnerability Reporting Programmes (2 years initially) at University of Iceland

Helmut Neukirchen, 2. December 2023

Update: The position is not vacant anymore.

Field of Work:

The department of Computer Science in the School of Engineering and Natural Sciences at the University of Iceland seeks applicants for a post-doctoral researcher in the area of Secure Software Engineering and Vulnerability Reporting Programmes to work as part of the Digital Europe Programme project Defend Iceland ICEDEF.

The position is initially funded for 2 years with possibility of extension.

The ICEDEF project involves the creation of a national vulnerability reporting web portal and associated services for paying bounties to ethical hackers for discovering these vulnerabilities. Once vulnerabilities are reported there are challenges in effectively integrating (and verifying the effectiveness) of the fixes into the software development life cycle. Technical challenges include poor observability of the software supply chain and an inability to affect it due to change, intellectual property, proprietary development pipelines, 3rd party libraries and infrastructure, etc. Social challenges are related to the impact of identified vulnerabilities on business continuity and clearly translating the results and impact to industry partners and stakeholders.

The responsibilities of the role are envisioned to include:

Developing and implementing a research project in vulnerability reporting programs.
Education of secure development practices and software vulnerabilities to stakeholders.
Assisting in the organisation of security events such as hackathons and workshops.
Contributing to the maintenance of cybersecurity research infrastructure.
Supervising research assistants.

Qualification requirements:

PhD in Computer Science, Software Engineering or related to Cybersecurity more broadly.
Proficiency in English.
Strong communication skills and the ability to work both individually and in groups.

Beneficial:

A strong publication history in high-quality software engineering and/or security journals and conferences. (e.g. IEEE and ACM).
Experience in developing, delivering, and innovating in cybersecurity and software engineering education.
Experience in server administration including virtualisation and cloud tools.
Application:

Interested parties should, in the first instance, send a CV and covering letter explaining their motivation for applying and their research interests in software engineering and/or cybersecurity via e-mail to Dr. Tom Welsh (tomwelsh@hi.is) and Dr. Helmut Neukirchen (helmut@hi.is).

For an informal discussion regarding research topics, responsibilities, or Iceland in general prior to this please feel free to contact Tom or Helmut as above.

Work Environment:

The University of Iceland is a flourishing community of knowledge in the heart of Reykjavik. A modern, diversified, and rapidly developing state university, it offers opportunities for study and research in over 400 programmes spanning most fields of science and scholarship.
https://english.hi.is/

The University of Iceland's School of Engineering and Natural Sciences employs about 390 people in teaching and research. The School offers an exciting working environment where about a quarter of all employees and graduate students are international. The School has about 2000 students, with about 800 students in the Faculty of Industrial Engineering, Mechanical Engineering and Computer Science.
https://english.hi.is/school_of_engineering_and_natural_sciences

The Department of Computer Science is located in the University Science Park's new "House of Ideas" together with a vibrant community of startup and tech companies of all sizes.

Iceland participates in many cooperative European programmes, such as Horizon Europe and the Digital Europe Programme. The country consistently ranks at or close to the top of the Human Development Index, Global Gender Gap Index, LGBT Equality Index and Global Peace Index. For more information on living and working in Reykjavik, see https://www.reykjaviksciencecity.is/ and https://english.hi.is/international_staff_services

categories Cybersecurity, Research

Digital Europe-funded cybersecurity projects Eyvör NCC-IS and ICEDEF started

Helmut Neukirchen, 1. December 2023


While we had the the Icelandic National Coordination Centre (NCC-IS) for Cybersecurity established already in 2022, it got now even stronger by benefiting since October 2023 from a two year co-funding via the Digital Europe Programme. We even gave it an Icelandic name: Eyvör – National Cybersecurity Coordination Centre of Iceland. Eyvör NCC-IS will raise awareness and foster education in Iceland in the field of cybersecurity.

For more info, see also my research page on Eyvör NCC-IS.


Another project has started in November 2023 with three year co-funding via the Digital Europe Programme: ICEDEF – Defend Iceland. The ICEDEF project involves the creation of a national vulnerability reporting web portal and associated services for paying bounties to ethical hackers for discovering these vulnerabilities. (Our research shows that vulnerability reporting needs to be improved in Iceland.) The Icelandic Defend Iceland web page gives an idea how that could look like (do not get confused by that fact that on some screenshots depicted on that web page, still the old working title Hack Iceland is used).

Once vulnerabilities are reported there are challenges in effectively integrating (and verifying the effectiveness) of the fixes into the software development life cycle and University of Iceland will take care of this together and educate stakeholders about secure development practices and software vulnerabilities, e.g. via security events such as hackathons and workshops.

For more info, see also my research page on ICEDEF.

Vacancy: We are hiring a postdoc for ICEDEF: please contact me or our new cybersecurity professor Tom Welsh.

categories Cybersecurity, Research

European Researchers' Night 2023 / Vísindavaka 2023

Helmut Neukirchen, 26. September 2023

On Saturday, 30. September 2023, 13:00-18:00, there was Vísindavaka 2023, the Icelandic family-friendly-during-daytime edition of European Researchers' Night 2023 at Laugardalshöll.

With 6500 visitors, we had even more guests than last year. The Computer Science department of University of Iceland had a booth there, showcasing some of their research:

  • Cybersecurity: Eyvör/NCC-IS, the National Coordination Centre Iceland for Cybersecurity will start 1st of October with full force using co-funding from the European commission. The Computer Science department of University of Iceland is part of it and we will show three pieces to raise awareness:
    • Has my user info (in the worst case: my password) been leaked? Look up who else owns your login data: https://haveibeenpwned.com
      Note: if your data shows up there to have been leaked, then this is not your fault, but the fault of the website that was storing your data in an insecure manner and you should change your password at that website (also check whether the password has been leaked or only, e.g., your email adress). However, it is your fault if you use the same password for multiple websites: should your password leak from one website, criminals will try that password on other websites and will have success if you use the same password there. Use different passwords for different services. Even better: use multifactor authentication, i.e. not just a password that can be easily leaked, but in addition something that can be less easily stolen, such as your phone: an authenticator app running on it, an SMS sent to your phone number, or the Icelandic digital ID on your SIM card.
    • An online quiz on how good you are at identifying phishing emails, i.e. emails trying to trick you into providing information, e.g. passwords: https://cybersecuritymonth.eu/quiz (Note: solutions not provided online -- you need to visit us to get hints where you were wrong and where you were right!)
    • A flyer for kids: Hvernig á að vera öruggur á netinu
  • CoE RAISE (Centre of Excellence for Research on AI- and Simulation-Based Engineering at Exascale) gives a glimpse into artificial intelligence by using a neural network that runs purely in your browser without any connection to a super computer. Simply use the camera of your smartphone (or laptop) to detect objects in real-time -- just open the following web page and allow your browser to use the camera: https://nvndr.csb.app/

    (Allow some seconds, up to a minute, for loading the trained model and initialisation.)
  • Interaction design with sketches on a huge touch screen:
  • A 3D scanner that scans the shape of your ear: used in CoE RAISE in order to find with AI out how the shape of your ear influences how you hear from different directions.
  • A remote sensing demonstration that relates also to work done in CoE RAISE where neural networks are used to classify land cover from satellite images: Compete against a neural network to classify land cover!
  • Quantum computing: a new piece to show, therefore no photos yet -- you really need to come and see!

See you at Laugardalshöll!

categories Research

Salary as PhD student (and postdoc) / laun doktorsnema (og nýdoktor)

Helmut Neukirchen, 22. September 2023

As the typical advertisement for a PhD student position has some statement like "salary according to wages contract", an applicant does not know what this means in practise for the salary to expect.

Currently, the union responsible for PhD students at University of Iceland is Félag háskólakennara / Association of University Teachers. They made a contract with University of Iceland. For the latest version, check for Stofnanasamningur Fh og HÍ. In the version from 5. March 2021, you find in Section 4.3 that PhD students (doktorsnemar) get salary level 030. The first two digits are the y axis in the salary table and the last digit is the x axis.

There are two salary tables, one for academic staff, i.e. those who have a PhD ("A 696") and another one for administrative staff ("S 695") -- note that these cryptic numbers are sometimes used a pre-fix in front of the salary level, e.g. "695 030". As PhD students have not yet a PhD degree, rather the non-academic, i.e. the administrative staff salary table applies, so you need to look at Launatafla stjórnsýslu.

The most recent salary table is from 1. April 2023. Take care to have in that spreadsheet the tab "Mánaðarlaun" opened to get the monthly salary. There, you will find that salary level 030 gives you 462 586 kr. per month (as of 1. April 2023.). This is before taxes, so feeding this into a tax calculator gives 361 867 kr. after taxes (as of the tax system valid at time of writing, i.e. 2023).

P.S.: As postdoc (Icelandic term: nýdoktor), the academic salary table applies and you have at least salary level 061 (which is 662 090 kr. in the salary table at time of writing). But for academic staff, in fact an evaluation system applies where the salary depends on the amount of publications that you accumulated over your life. Each publication gives points (for details do a web search for "Evaluation System for Public Higher Education Institutions") and the Table 2.3 in the Stofnanasamningur Fh og HÍ shows a mapping of points to salary levels. While if your PhD is 5 years or longer ago, your are not called a postdoctoral fellow anymore, but a research specialist, but this alone does not increase your salary level.

categories Research

First M.Sc. thesis in cybersecurity defended at the Computer Science department of University of Iceland

Helmut Neukirchen, 22. September 2023

To the best of my knowledge, we had just the first M.Sc. thesis in cybersecurity defended at the Computer Science department of the University of Iceland. (There were earlier cybersecurity-related theses, e.g., at the school of Social Sciences.)

The topic was: The state of cybersecurity vulnerability reporting in Iceland.

Read the thesis PDF or watch the defense on YouTube:

categories Cybersecurity, Research, Teaching

Information meeting on the new joint cybersecurity master's programme.

Helmut Neukirchen, 25. August 2023

Friday, 25.8.2023, 15:00, room Ada, in Gróska, 3rd floor is an information meeting on the new joint cybersecurity master's programme.

You can find more info here: https://uni.hi.is/helmut/cybersecurity/

categories Cybersecurity, Teaching

Kia EV6 engineering mode

Helmut Neukirchen, 31. May 2023

The HYUNDAI/KIA/GENESIS models have a "hidden" engineering mode that can be used to, e.g., find out manufacturing date or software versions (you can also reset settings -- which you probably want to avoid).

Entering engineering mode seems to differ from region to region and also from head unit firmware version, here are the instructions for European models up to (Dec 2022) 221223 versions:

  1. Switch from air condition panel to navigation and radio panel
  2. Switch radio on (probably to FM)
  3. Turn the volume dial to 7
  4. Press the other dial (marked "FILE")
  5. Turn the volume dial to 3
  6. Press the other dial (marked "FILE")
  7. Turn the volume dial to 1
  8. Press the other dial (marked "FILE")
  9. Now, some number buttons are displayed to enter a secret number code
  10. The number code varies from head unit (AKA center display) version to version. For the Nov 2022 (221129) and Dec 2022 (221223) versions, the number code is: 1950 0624

This info can be found, e.g., on YouTube:

For European models up to Dec 2022 (221223) versions:

I have yet to try how it works for the Jun 2023 (230601) version that does not seem to use the volume dial method anymore, but some very specific touch locations (and then, then number code 19450815)

For example, using the versions displayed in Engineering Mode, you can see that service action SA533 "VCU Software Upgrade for i-Pedal Operation" did update the VCU version from, e.g., 5.10 to 5.12, but none of the other ECUs firmwares get updated.

Using an OBD port adapter and the Car Scanner app for Android, you can even get further information use the Car Scanner feature for an ECU dump (ECU information from the main screen) which contains version numbers as well. After the ICCU software update, I should be able to see the version numbers changing. Update: after the Service Campaign SC271 ICCU update, I have exactly the version number of before and after as shown in this video (except that I have a 3 days younger ECU manufacturing date (HEX): 20210906). But I later read that the ICCU update does not really solve the ICCU issues, but mainly improves reporting the issue, so that the owner has more time before the car stops moving because of the dead ICCU; but at least also that software improvements will improve calibration values and preventing fuse from going burned.

categories Electric mobility

Open position as professor in cybersecurity

Helmut Neukirchen, 21. April 2023

Reykjavik University and University of Iceland have each an open position for a professor in cybersecurity.

The advertisement of the position at University of Iceland can be found at Euraxess, at University of Iceland, and here below:

Assistant Professor in Cyber Security

The department of Computer Science in the School of Engineering and Natural Sciences at the University of Iceland seeks applicants to fill an assistant professor position in computer science with a specialisation in cybersecurity within the Faculty of Industrial Engineering, Mechanical Engineering and Computer Science.

Further information

Field of work

The candidate will carry out research in the area of cybersecurity. In addition to research, the successful applicant is expected to teach courses at the undergraduate and graduate level, to supervise M.Sc. and Ph.D. students, to attract third-party funding and to participate actively in departmental activities. The University of Iceland is developing a new research and M.Sc. program in cybersecurity receiving national funding. Moreover, the Department of Computer Science is involved in research and education activities in the context of the government-led Icelandic National Coordination Centre for Cybersecurity. The candidate is expected to participate in these activities.

Qualification requirements

  • The position requires a Ph.D. degree in computer science or a closely related field.
  • Record of research according to the applicant's academic age as well as future potential in the field of cybersecurity.
  • Academic teaching experience.
  • Good communication and interpersonal skills.
  • Proficiency in written and spoken English.

The selection process will take into consideration how well how well the applicant fits the needs and goals of the Department.

Application process

The tentative starting date is September 1st 2023 or according to a further agreement.

When evaluating applications, special attention will be paid to success in research, taking into account how long the person has been working on research. The hiring process will focus on identifying candidates who are best suited to the circumstances and needs of the Faculty of Industrial Engineering, Mechanical Engineering and Computer Science.

Applicants are required to submit the following documents with their application:

  1. Cover letter stating how the applicant meets the qualification requirements
  2. Certificates of education
  3. Curriculum Vitae
  4. List of publications
  5. Report on scholarly work and other work they carried out
  6. Outline of proposed research and teaching plan
  7. Contact Information for three referees willing to provide a reference

The applicant must list up to eight of their most important publications, in relation to this position. The applicant must include a copy of these publications along with the application or indicate where they can be accessed electronically. When multiple authors are listed on a publication, the applicant must include an account of their contribution to the publication. Applications and accompanying documents, which are not submitted in electronic form, must be sent in duplicate to the Division of Science and Innovation, University of Iceland, Main Building, Saemundargata 2, 102 Reykjavik, Iceland.

The successful candidate will be hired for five years with the possibility of a permanent contract at the end of this period, cf. paragraph 3, Article 31 of the Regulation for the University of Iceland no. 569/2009.

Processing of applications, evaluation of applicants' competence and hiring shall be in accordance with the Act on Public Higher Education Institutions no. 85/2008 and the Regulation for the University of Iceland no. 569/2009. The rector may promote an assistant professor to the position of an associate professor or full professor.

All applications will be answered, and applicants will be informed about the appointment when a decision has been made. Applications are stored for six months after the application deadline.

Appointments to positions at the University of Iceland are made in consideration of the Equal Rights Policy of the University of Iceland.

The University of Iceland has a special Language Policy.

 

Application deadline

Application deadline is 12.05.2023

For further information contact

Helmut Neukirchen

helmut@hi.is

Ingibjörg Óðinsdóttir

ingaodins@hi.is

Applications are submitted via the Icelandic State Recruitment web portal where you can switch to English language and register a user account:
Apply now

Update

The position is filled: we welcome our new colleague Thomas Welsh.

Note that Reykjavik University has funding for a further position that most likely will be advertised in early 2024. Also, we at University of Iceland have an open position as Postdoctoral Researcher in Secure Software Engineering and Vulnerability Reporting Programmes (2 years initially) at University of Iceland.

categories Cybersecurity, Organisational, Research, Teaching

EDIH-IS European Digital Innovation Hub Iceland opened

Helmut Neukirchen, 21. April 2023

The European Digital Innovation Hub Iceland (EDIH-IS) or in Icelandic: Miðstöð stafrænnar nýsköpunar has been formally opened. As name suggests, it serves as a hub to drive digital innovation, e.g. artificial intelligence, high-performance computing or cybersecurity, and connects industry and academia. University of Iceland is part of EDIH-IS and in particular the computer science department contributes in exactly these fields, i.e. artificial intelligence, high-performance computing or cybersecurity.

In fact, EDIH-IS has been operational already before that formal opening event and Auðna Tæknitorg, the Technology Transfer Office (TTO) Iceland is taking care of the day-to-day operations of EDIH-IS. For example, Auðna Tæknitorg/EDIH-IS is a partner in the Icelandic National Coordination Centre (NCC-IS) for Cybersecurity together with University of Iceland and other relevant partners.

categories Cybersecurity, Tech

Siðfræðistofnun HÍ -- The Centre for Ethics that is above the rules

Helmut Neukirchen, 25. January 2023

At University of Iceland, all are equal, but some are more equal. So much more equal that they think rules do not apply for them. Last week, Siðfræðistofnun HÍ, the Centre for Ethics at the University of Iceland, was using for some event the teaching room GR-321 Ada (named after Ada Lovelace) at the Computer Science department in the Gróska building. The rules for using teaching rooms are common-sense and pretty simple (English translations added by me):

  • 1. gr. Almennt

    Skylt er að ganga vel um húsakynni Háskóla Íslands, umhverfi hans, tæki og búnað á hverjum stað. Enginn má skilja eftir sig rusl, hvorki innan dyra né utan. Notum ruslafötur!

    Deal well with the premises and equipment. No one may leave trash behind. We use trash cans!

  • 2. gr. Tillitssemi

    Hverjum og einum ber að sýna tillitssemi og valda ekki öðrum truflun eða óþægindum.

    Everyone is responsible to show consideration and does not disturb others or cause inconvenience.

  • 5. gr. Neysla matar

    Neysla matar er óheimil í kennslustofum og tölvuverum.

    Consuming food is forbidden in teaching rooms and computer rooms.

  • 8. gr. Brot á húsreglum

    Brot á húsreglum, tjón og hvers konar spjöll geta leitt til bótaskyldu og/eða brottvísunar.

    Breaking rules, damage or any kind of harm can lead to liability and/or expulsion.

How the Centre of Ethics left the teaching room behind: tables re-arranged, nothing cleaned up

Coffee stains left behind by the Centre of Ethics become visible after I started to clean up

I was the first one to teach in Ada on Monday morning and was quite surprised that I cannot use the room for teaching as intended. To put the room into a state usable for teaching, it would have been necessary to:

  1. put the tables and chairs again in the position needed for teaching -- the Centre for Ethics re-arranged the tables without reverting that.
  2. collect the trash (single-use coffee cups distributed over the room, including where the teacher's computer is) and throw them into the trash can -- the Centre for Ethics had left behind coffee cups that they did not throw away.
  3. collect water glasses from the tables and put them into our dish washer -- the Centre for Ethics had taken water glasses from our kitchen, but did not put them back to the kitchen from where they had taken them.
  4. wipe away huge coffee stains -- in their ivory tower, the people from the Centre for Ethics do not even know how to operate a coffee dispenser, so they messed around on the tables of the teaching room.
  5. move all kind of stuff (coffee dispenser, napkins, tea) into a tray and move the tray outside the teaching room -- the Centre for Ethics had ordered this stuff but did not consider it necessary to move them out of the teaching room after the meeting so that teaching would not be disturbed when the stuff is fetched.

I therefore wrote emails to four persons of the Centre for Ethics asking them to clean up there mess before my teaching starts in that room: first, no one replied, but then, the head of the board replied that this is not their fault, but that this is fault of the service from where they ordered the coffee as that service was supposed to tidy the room (How can that coffee service re-arrange the tables if they do not know how they were before? How can that coffee service find all the single-use coffee cups that were partly well hidden behind the teacher's computer screen? How can that coffee service put the water glasses back into the kitchen if they do not know how from where they have been taken? How can that coffee service clean all the coffee stains if a coffee service was ordered and not a cleaning service?)

Because the board members of the Centre of Ethics refused to clean up their mess, I had to do that on my own in the time that I had planned for preparation of the class. This all was then crowned with my teaching was later being disturbed by a coffee service employee trying to get back the coffee dispensers because the Centre of Ethics had told them to fetch it from the teaching room (instead from the kitchen that is just next to the teaching room).

I do not know why they do not follow my request to clean up their mess, but some hypotheses come into my mind:

  • Hopefully, this was not the usual discrimination that probably every foreigner experiences in Iceland. (While I am -- as a professor from Germany -- privileged in comparison to other foreigners, even I experience discrimination.) -- so far, I experienced the university as a foreigner-friendly space (except that some scholars are maniac about enforcing a language policy of requiring to use the Icelandic language, because the university tries to solve the dilemma of being an Icelandic-speaking university and an international university at the same time).
  • Cultural issues: If you have a look at the names of the members of the board of Centre for Ethics, then these are all patronymic: Elínborg Sturludóttir, Henrý Alexander Henrýsson, Kolbrún Pálsdóttir, Páll Rafnar Þorsteinsson, Sólveig Anna Bóasdóttir, Vilhjálmur Árnason. While the gender diversity is balanced at the board, the university committed to diversity in all fields. And in fact, cultural diversity is non-existing at the board of Centre for Ethics: they all have very likely a socialisation in an Icelandic culture: I once was told about a survey among Icelanders that showed that a huge majority thinks that rules are important for the Icelandic society, but that rules do not apply to yourself, because you consider yourself as so important that exceptions are justified for you (unfortunately, I do not have the source -- a social scientist reported about this at an introductory event on the Icelandic society for foreign staff at the University of Iceland). If you look how people in Iceland park their cars (one car parking in the middle of two parking slots, i.e. occupying space for two), this is no surprise.
  • Maybe, this is not a cultural issue, but just personality of the head of the board of the Centre of Ethics -- but: I wrote to four members of the board and the other board members even preferred to remain silent.
  • If you are in the board of the Centre of Ethics, there is the danger of developing the attitude that you are the authority on concepts of what is right and wrong behaviour. And if you are then convinced that your behaviour is right (and the head of the board of the Centre of Ethics obviously is convinced), then you make your own rules and therefore behave like as you are above the rules.

I also tried to build the head of the board of the Centre for Ethics a bridge by offering him to apologise, but the head of the board answered that he will not, because leaving the teaching room in that state was not their fault, but rather the fault of the coffee service not cleaning up. So, even saying sorry seems not to be part of the culture of the Centre for Ethics.

While I am not a lawyer, I would be surprised if their arguing would hold the Icelandic law system: they rented the teaching room, so they have to adhere to the rules of using the teaching room. Just the fact that they outsourced some service, does not mean that they themselves do not need to adhere to the rules anymore and are not liable anymore (even if they would have ordered a service to clean up the room who then failed to do that).

Does the Centre for Ethics think, they are above the law? (And what does it means for ethics in Iceland if such people run the Centre for Ethics?)

In fact, they did break all of the above rules, even the above 8th rule: they refused to take liability for their mess -- après moi, le déluge!

O tempora, o mores!

P.S.: I have no problem with holding an event with food and drinks, but for that, the computer science department has a kitchen/coffee room just next to the teaching room: just serve the food and drinks there, instead of using a teaching room for that. (When, e.g., the rector holds a meeting in the aula, the food is simply served after the meeting and outside of the aula.) Or a pragmatic approach: if you think you need to break the rules: do it in a way that no one notices it, i.e. clean up your mess.

categories Organisational, Teaching