
James Alistair Heather

3 Old School House


Perry Hill
Worplesdon
GU3 3QZ

Home: 01483 822403
Mobile: 07973 742473
Email: james@chiastic-security.co.uk
Web: http://www.chiastic-security.co.uk

Summary
Software developer with 15+ years of Java experience, and 15+ years of academic research into computer security, formal verification
of concurrent and distributed systems, and secure electronic voting.
Programming languages: Java (including Android), Haskell, CSP, bash, Python, C
Technologies: OOP, Swing, Hibernate, MySQL, Apache Lucene, XML, FDR
Operating systems: Linux/UNIX, Android
Dev/build tools: Eclipse, JUnit, Ant, Maven, GIT, subversion, make

Employment record
2014

Managing Director, Chiastic Security Ltd: software development and computer security consultancy

2010–2014

Senior Lecturer in Computing, Department of Computing, University of Surrey

2001–2010

Lecturer in Computing, Department of Computing, University of Surrey

Education
1997–2001

PhD in Computing, Royal Holloway, University of London

1996–1997

MSc in Computation, Corpus Christi College, Oxford

1993–1996

BA in Mathematics and Computation, Corpus Christi College, Oxford (First Class Honours)

Responsibilities and highlights in Chiastic Security role


Designing and developing a bespoke stock control and client management system for an art gallery in South Kensington. This
is a distributed system that runs on all machines in the gallery, and controls invoicing, stock management, mailouts, and many
other essential tasks. Coded in Java, with Hibernate used to connect to a MySQL database, and Lucene to speed up searching
and reduce load on the database. Connects to a web service to push updates to the gallery's live web site.
Technologies used: Java, Swing, MySQL, Hibernate, Lucene, docx4j, ant, maven, bash scripting
Snapfest: Collaboration to design and build a distributed system for realtime upload/display of photos taken on smartphones.
The Android app intercepts any photo taken with the camera app, and instantaneously compresses it and uploads it to the server
for display on a large screen.
Technologies used: Client (me): Java/Android, web services, JUnit; Server (others): Scala, Google App Engine
Conducting research and publishing in high quality journals and conference proceedings (see full publication list)

Responsibilities in Surrey role


Conducting and publishing research into computer security, verifiable voting and formal methods: large number of publications
on formal modelling and analysis of security systems
Attracting funding to support research
Managing project teams to ensure successful outcomes: whole SDLC lifecycle, from inception to deployment
Presenting work to major international conferences: 15+ years' experience speaking to technical and non-technical audiences
Teaching key aspects of computer science to undergraduates and MSc students, including:
Android/Java programming, Linux (first year undergraduate)
Principles of operating systems, how Android builds on Java and the Linux kernel, Android app development
Computer security (MSc)
Symmetric crypto, public key crypto, hash functions, security protocols
Finding innovative ways to improve teaching of computer science
Learning programming through competition: building The Arena to enable students to write programs that play games
against each other

Achievements
To present

10 peer-reviewed journal articles, 32 peer-reviewed conference publications

2014

Consultancy: conducted code review of mixnet developed by Victorian Electoral Commission (VEC) for use in
verifiable voting system
Technologies used: Java, JUnit, gradle, GIT

2014

Fourth placed in B-Sides hacking challenge (cryptanalysis)


Technologies used: C, Python, Raspberry Pi, bash scripting

2013

Invited speaker at European Parliament's Privacy Platform on surveillance, in response to Edward Snowden
revelations. One of four panellists, with Jacob Appelbaum (former spokesperson for WikiLeaks); Ladar Levison
(Lavabit); Troels Oerting (Director of the EU's European Cybercrime Centre)

2013

Invited speaker at EVT2013, the most prestigious secure voting conference, to talk about work with Victorian
Electoral Commission

2012

Contract secured with VEC to develop verifiable voting system for use in Victorian state elections from Nov 2014

2010

Awarded 45K from Royal Academy of Engineering for Real-World Secure Elections Fellowship project, running
Oct 2010 to Oct 2011 (highly competitive; only seven awarded nationally each year)

2010

Interviewed on BBC Radio about an article in Times Higher Education on my work ([3]) on security weaknesses
in Turnitin, the plagiarism detection system.

2010

Promotion to Senior Lecturer for excellent research and teaching record

2009

Awarded 1.06M from Engineering and Physical Sciences Research Council for Trustworthy Voting Systems
project, running Apr 2009 to Apr 2014. This is the only time a public research council anywhere in the world
has approved funding on this scale to look at secure electronic voting.

2008

Ran tournament for British Computer Society using The Arena, a system I created to stimulate students' interest
in programming, through competition. Provides a framework for hosting two-player, turn-based strategy games.
Students write Java code that takes a game in progress, and returns their favoured move from that position; The
Arena uses students' player modules to run a large tournament on a cluster. Much of the codebase deals with
security and sandboxing, to stop player modules breaking rules or compromising the host system.
Technologies used: Java, MySQL, bash scripting, cluster deployment, heavily multithreaded/distributed

2008

Interviewed on BBC Radio, ABC Radio (Aus), and Colombian National Radio, about voting research

2007

VoComp (International Voting Systems Competition): Best Design award, and second place overall. Led a
team of five in designing and building a verifiable voting system, to a very tight timescale.
Technologies used: Java, MySQL, LaTeX, BouncyCastle, svn

2007

SCEPTrE Fellowship, a prestigious Surrey award to acknowledge excellence in teaching

2006

Consultancy for Microsoft to determine physical distance travelled by a computer mouse over one year

2002

Provided bespoke security tuition for the Swedish Security Service, including training in cryptographic techniques and general security topics

Key projects
2009–2014

Trustworthy Voting Systems (EPSRC): Research into how to provide two critical and seemingly conflicting properties of a voting system: (1) voter privacy and anonymity; (2) a means for voters to verify that their vote was
included, unaltered, in the count, and challenge the election if not. The initial plan was for a simple prototype of
a verifiable voting system, with the UK's fairly simplistic electoral system in mind; but it led to a real implementation for use in governmental state elections in Victoria. I led this project, and was responsible for managing a
team of 2 academics, 3 post-docs, and 3 PhD students.

2010–2011

Real-world Secure Elections (Royal Academy of Engineering): Fellowship project that allowed me to spend an
extended period in Melbourne working on various aspects of voter privacy. Conversations I had there with a key
manager at the Victorian Electoral Commission led to the invitation to design and build a system for them.

2012–2014

Building a verifiable voting system for use in Victoria (VEC): adapting our prototype for use in Victorian state
elections (3.6M voters, with a complex ballot system). The system will be deployed in a state-wide governmental
election for the first time in Nov 2014. This will be the first governmental use worldwide of a large-scale verifiable
voting system.
The hardest aspect of applying the Trustworthy Voting Systems work to the Australian context was the sheer
complexity of the ballots used in Australia: there may be up to 50 candidates in some Victorian elections, and
voters in some cases are required to rank them in preference order, with these orderings then subjected to a
complex tallying process to determine the winners. Applying verifiable voting in Victoria involved a significant
upward shift in ambitions for the field of voting, taking things from an academic toy to a real-world solution in
one of the most complex electoral environments in existence.
Surrey designed and developed most of the system (available at https://bitbucket.org/tvsproject),
under my direction. I was also responsible for code review of the part developed outside Surrey.
Technologies used: Java, MongoDB, MySQL, BouncyCastle, ElGamal/ECC, GIT, svn, JUnit
Key publications arising from these projects: establishing a formal framework ([2]) for analysing voting systems for coercion resistance; follow-up work ([1]) to improve the techniques to enable the analysis to be automated.

Other skills/activities
Good understanding of, and relationship with, academic computer security community
Leader of student team on a Christian holiday camp for 14–18 year olds each summer (1994–present)

Selected publications
[1] Murat Moran, James A. Heather, and Steve A. Schneider. Verifying Anonymity in Voting Systems using CSP. Formal Aspects
of Computing, 26(1):63–98, 2014. Available at http://epubs.surrey.ac.uk/745657/1/facsanon.pdf.
[2] James A. Heather and Steve A. Schneider. A Formal Framework for Modelling Coercion Resistance and Receipt Freeness. In
Proceedings of Formal Methods (FM) 2012, volume 7436, pages 217–231, Paris, August 2012. Available at
http://epubs.surrey.ac.uk/726040/1/MASTER.pdf.
[3] James A. Heather. Turnitoff: identifying and fixing a hole in current plagiarism detection software. Journal of Assessment
and Evaluation in Higher Education, 35(6):647–660, 2010. Available at
http://epubs.surrey.ac.uk/107387/2/turnitoff-named.pdf.
[4] James A. Heather, Gavin Lowe, and Steve A. Schneider. How to avoid type flaw attacks on security protocols. Journal of
Computer Security, 11(2):217–244, 2003. Available at http://epubs.surrey.ac.uk/1901/1/fulltext.pdf.

References available on request.
