Category: Conferences

Base Rate & Infosec

At SOURCE Seattle, I had the pleasure of seeing Jeff Lowder and Patrick Florer present on “The Base Rate Fallacy.” The talk was excellent, laying out the idea of the base rate fallacy and how and why it matters to infosec. What really struck me about this talk was that about a week before, I had read a presentation of the fallacy with exactly the same example in Kahneman’s “Thinking, Fast and Slow.” The problem is you have a witness who’s 80% accurate, describing a taxi as orange; what are the odds she’s right, given certain facts about the distribution of taxis in the city?

I had just read the discussion. I recognized the problem. I recognized that the numbers were the same. I recalled the answer. I couldn’t remember how to derive it, and got the damn thing wrong.
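The derivation that is so easy to forget is Bayes’ rule, and the same arithmetic applies to any detector in infosec: an alert is a “witness,” and the base rate is how rare the thing it claims to see actually is. The following is an added example, not part of the post or the talk. The taxi figures are the textbook version of the problem (15% of cabs are the witnessed colour, and the witness is right 80% of the time whichever colour she sees); the post only gives the 80%, so the 15/85 split is an assumption here. The detector numbers below are constructed for illustration.

```python
"""Base rate fallacy worked through with Bayes' rule.

Added example, not from the talk or the post. The taxi numbers are the
textbook form of the problem (assumed: 15% of cabs are the witnessed
colour, witness correct 80% of the time). The detector numbers are
constructed, not measurements of any real product.
"""


def posterior(prior: float, true_positive_rate: float, false_positive_rate: float) -> float:
    """P(condition | positive signal) by Bayes' rule.

    prior                P(condition)           -- the base rate
    true_positive_rate   P(signal | condition)  -- sensitivity
    false_positive_rate  P(signal | no condition)
    """
    for name, value in (("prior", prior), ("true_positive_rate", true_positive_rate),
                        ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a probability, got {value}")
    hits = prior * true_positive_rate                 # signal fires, condition present
    false_alarms = (1.0 - prior) * false_positive_rate  # signal fires, condition absent
    if hits + false_alarms == 0.0:
        raise ValueError("signal never fires; posterior is undefined")
    return hits / (hits + false_alarms)


def required_false_positive_rate(prior: float, true_positive_rate: float,
                                 target_precision: float) -> float:
    """False positive rate a detector needs so that P(condition | alert)
    reaches target_precision, solving the Bayes expression for the FPR."""
    if not 0.0 < target_precision <= 1.0:
        raise ValueError("target_precision must be in (0, 1]")
    return (prior * true_positive_rate * (1.0 - target_precision)
            / ((1.0 - prior) * target_precision))


def expected_alerts(events: int, prior: float, true_positive_rate: float,
                    false_positive_rate: float) -> tuple[float, float]:
    """Expected (true alerts, false alerts) over a batch of events."""
    return (events * prior * true_positive_rate,
            events * (1.0 - prior) * false_positive_rate)


if __name__ == "__main__":
    # Kahneman's taxi: witness 80% accurate, but only 15% of cabs are that colour.
    print(f"taxi witness is right: {posterior(0.15, 0.80, 0.20):.2%}")   # about 41%

    # A constructed detector: catches 99% of attacks, 1% false positive rate,
    # but only one event in a thousand is an attack.
    print(f"alert is a real attack: {posterior(0.001, 0.99, 0.01):.2%}")  # about 9%
    true_alerts, false_alerts = expected_alerts(100_000, 0.001, 0.99, 0.01)
    print(f"per 100k events: {true_alerts:.0f} true alerts, {false_alerts:.0f} false alerts")

    # What the false positive rate would have to be for half of the alerts to be real.
    needed = required_false_positive_rate(0.001, 0.99, 0.5)
    print(f"FPR needed for 50% precision: {needed:.4%}")
```

The second scenario is the infosec version of the taxi problem: a detector that looks excellent on its own terms still produces roughly ten false alerts for every real one once the base rate is a tenth of a percent, and getting to even-odds precision means driving the false positive rate down by an order of magnitude, not improving sensitivity.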

Well played, sirs! Game to Jeff and Patrick.

Beyond that, there’s an important general lesson in the talk. It’s easy to make mistakes. Even experts, primed for the problems, fall into traps and make mistakes. If we publish only our analysis (or worse, engage in information sharing), then others can’t see what mistakes we might have made along the way.

This problem is exacerbated in a great deal of work by a lack of a methodology section, or a lack of clear definitions.

The more we publish, the more people can catch one another’s errors, and the more the field can advance.

Smashing the Future for Fun and Profit

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on:

I’m excited to have been a part of a discussion with others who spoke at the first Black Hat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and to take lessons from the last 15 years.

I have three themes I want to touch on during the panel:

Beyond the vuln: 15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end. That’s going to be challenging in all sorts of ways, some of which we can predict. First, researcher/organization conversations are going to become even harder, because some things are going to be less clearly bugs, and some will be harder to fix without breaking functionality. Second, secure development activity is going to need to drive threat modeling the way we’ve driven static analysis, and that’s hard because it involves people and their thought patterns. More on that in a second. Third, attackers are going to move more and more to social engineering attacks, and that brings me to my second main point.

Beyond the Computer: We’re going to see more and more attacks that target people, and many people are going to hate those talks. The Review Board shares the idea that talks about buying UPS uniforms on eBay suck, and we don’t want them at Black Hat. At the same time, we’re going to need to go where attackers go, and if that’s people, we need to start to learn about people in deeper, and less condescending, ways. (This is the end of people claiming UI doesn’t matter by saying “you can’t patch stupid.”) We’re going to need to understand psychology, sociology, cognitive science and more. At the same time as we’re learning to understand people, we’re going to need to learn to influence them. We’re going to need to stop relying on the sticks, and start learning to use carrots. This is why I’ve been engaged in games for the last few years, from Elevation of Privilege to Control-Alt-Hack and others. Getting people to want what we want, rather than grudgingly acquiesce, is going to be a key factor in our success as individuals and as a profession.

Beyond Tittering at Victims: We’ve been hearing for a year or so that we should all just assume breach. That breaches are common and should be expected. Over the next few years, we’re going to go from giggling about breaches to learning from them. We’re going to see more and more details come out about what happened, and we’re going to learn from one another’s mistakes. We’re going to start creating feedback loops that allow us to get better faster, and move away from flaming one another over opinions to arguing over statistical methodologies. My article “The Evolution of Information Security” shows how close we are to getting to a data-driven science of security, and that transformation will involve many sacred cows being roasted, and many of today’s practices abandoned because we’ll show that they don’t work, and more importantly, we’ll be able to see how to replace them.

My BlackHat Plans

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at 2:15 in Palace 2.

Also for your BlackHat edification, why not check out one or more of Bill Brenner’s Black Hat, DefCon and B-Sides survival guide, 2012, TK’s Advanced Survival Guide to Blackhat, or my own Black Hat Best Practices, which have remained remarkably stable over the years.

My AusCert Gala talk

At AusCert, I had the privilege to share the gala dinner stage with LaserMan and Axis of Awesome, and talk about a few security lessons from Star Wars.

I forgot to mention onstage that I’ve actually illustrated all eight of the Saltzer and Schroeder principles, and collected them up as a single page. That is “The Security Principles of Saltzer and Schroeder, Illustrated with Scenes from Star Wars.” Enjoy!

We Robot: The Conference

This looks like it has the potential to be a very interesting event:

[Image: a human and a robotic hand reaching towards each other, reminiscent of Da Vinci]

The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, practitioners, and industry in the form of scholarly papers or presentations of relevant projects.

We seek reports from the front lines of robot design and development, and invite contributions for works-in-progress sessions. In so doing, we hope to encourage conversations between the people designing, building, and deploying robots, and the people who design or influence the legal and social structures in which robots will operate.

Robotics seems increasingly likely to become a transformative technology. This conference will build on existing scholarship exploring the role of robotics to examine how the increasing sophistication of robots and their widespread deployment everywhere from the home, to hospitals, to public spaces, and even to the battlefield disrupts existing legal regimes or requires rethinking of various policy issues.

They’re still looking for papers at: I encourage you to submit a paper on who will get successfully sued when the newly armed police drones turn out to be no more secure than Predators, with their viruses and unencrypted connections. (Of course, maybe the malware was just spyware.) Bonus points for entertainingly predicting quotes from the manufacturers about how no one could have seen that coming. Alternately, what will happen when the riot-detection algorithms decide that policemen who’ve covered their barcodes are the rioters, and open fire on them?

The possibilities for emergent chaos are nearly endless.

Photoblogging CHI2011

Last week, I had the pleasure of attending the ACM conference on Computer Human Interaction, CHI. As I mentioned in a work blog post, “Adding Usable Security to the SDL,” I’m now focused on usable security issues at work. I’m planning to say more about the conference in a little bit, but for right now, wanted to share my photographic notes. So here’s a Flickr set of pictures of some of the interesting talks I attended and posters I saw: “SIGCHI 2011 photos.”

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

National Institute of Standards and Technology
Gaithersburg, MD USA
April 5-6, 2011

Call for Participation

The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant security vulnerabilities are often caused by security designers’ failure to account for human factors. Despite growing attention to the issue, these problems are likely to continue until the underlying development processes address usable security.

See for more details.