Category: Conferences

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured.

I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law:

The law don’t mean shit if you’ve got the right friends
That’s how this country’s run
Twinkies are the best friend I’ve ever had
I fought the law
And I won

I blew George and Harvey’s brains out with my six-gun
I fought the law and I won

That taught me who Harvey Milk was, but George didn’t register; I learned who he was from Milk, the movie.

Most hacking incidents are annoying, some have real financial impact, and a few have the potential to do real and irreparable harm. When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in the context of human life.

So as we go to the Moscone Center, remember the murders committed by an authorized entrant into city hall, and remember George Moscone and Harvey Milk.

Research Revealed Track at RSA

For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together in a book, “The New School of Information Security.”)

The content is really exciting. The track opens with a top-rated speaker, Betsy Nichols, on “Crunching Metrics from Public Security Data,” continues with Gene Kim’s talk applying real analysis of practice to virtualization security, and includes a great panel on lessons learned from Election 2008. It is packed with hard facts and practical analysis.

Because I’m so excited by this, I’ve put the data into a Research Revealed .ics file you can use to bring these into your calendar.

I also extracted this table from the RSA website (it was hard to link), so you can easily see the track:

Session ID | Title | Classification | Session Type | Scheduled | Speakers (role, affiliation, as listed)
RR-105 | Crunching Metrics from Public Security Data | Advanced | Track Session | Tuesday, April 21, 01:30 PM |
RR-106 | Controlling Virtualization Security Risks: Tips from the Experts | Intermediate | Track Session | Tuesday, April 21, 03:00 PM |
RR-107 | Technology Lessons Learned from Election 2008 | Advanced | Track Session | Tuesday, April 21, 04:10 PM | Senior Computer Scientist, SRI International; Chief Technology Officer, Open Source Digital Voting Foundation; Associate Professor, Rice University; Associate Professor, University of California, Berkeley; Associate Professor, University of Iowa
RR-108 | Security Risk Metrics: The View from the Trenches | Intermediate | Track Session | Tuesday, April 21, 05:40 PM | RedSeal Systems
RR-201 | Fraud Management Strategies of North American Financial Institutions | Intermediate | Track Session | Wednesday, April 22, 08:00 AM | Senior Analyst, Aite Group
RR-202 | Data Sources, Methods, and Challenges | Not Rated | Track Session | Wednesday, April 22, 09:10 AM | The Security Consortium, Inc.; Program Manager, Microsoft Corporation; Professor of Computer Science, University of Pennsylvania
RR-203 | Why Software is Still Insecure: Conclusions from a Ten-Year Study | Advanced | Track Session | Wednesday, April 22, 10:40 AM | Research Director, Secure Content and Threat Management Products, Security Innovation
RR-301 | Into the Breach: An Analysis of Attack Data Trends | Intermediate | Track Session | Thursday, April 23, 08:00 AM | Software Engineer; Information Security Manager
RR-302 | Best Practices for Mitigating Insider Threat: Lessons Learned from 250 Cases | Advanced | Track Session | Thursday, April 23, 09:10 AM | Senior Member of the Technical Staff, Carnegie Mellon Software Engineering Institute; Technical Manager, Carnegie Mellon Software Engineering Institute
RR-303 | Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry | Intermediate | Track Session | Thursday, April 23, 10:40 AM | Interhack Corporation
RR-304 | Cyber Warfare: Technology, Law and Ethics | Advanced | Track Session | Thursday, April 23, 02:10 PM | Professor and Program Coordinator, Sheridan Institute of Technology and Advanced Learning
RR-401 | The Data-Driven CSO: Steering Clear of Security Breaches | Intermediate | Track Session | Friday, April 24, 09:00 AM | Vice President of Technology & Innovation, Verizon Business
RR-402 | Closed-Loop Information Assurance | Advanced | Track Session | Friday, April 24, 10:10 AM | Treadstone 71
RR-403 | Applying Pattern Recognition in SOD, Fraud or GRC-Related Violations | Advanced | Track Session | Friday, April 24, 11:20 AM | Software Development Director

Deadline extended: Computers, Freedom & Privacy Research Showcase

This year’s Computers, Freedom and Privacy Conference will feature a research showcase in the form of a research poster session as well as a research panel that includes the authors of the best research posters. CFP is the leading policy conference exploring the impact of the Internet, computers, and communications technologies on society. For more than a decade, CFP has anticipated policy trends and issues, and has shaped the public debate on the future of privacy and freedom in an ever more technology-filled world. CFP focuses on topics such as freedom of speech, privacy, intellectual property, cybersecurity, telecommunications, electronic democracy, digital rights and responsibilities, and the future of technologies and their implications. Researchers who work in any of these areas are invited to submit research abstracts.

We seek research abstracts describing recent or ongoing research in all areas relevant to the conference themes. We are especially interested in research abstracts that present results with clearly articulated policy implications. Abstracts should be written for a general audience and should avoid using technical or legal jargon.

Submitted research abstracts can be either unpublished original research (including work in progress), or research that has been recently published (2008 or 2009).

This is a great opportunity to get interesting work in front of a diverse audience. I’m on the program committee, and we’ve extended the deadline — all you need to submit is an abstract — to Friday the 10th. Check it out.

Metricon 4.0 Call for Papers

I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.

Metricon 4 – The Importance of Context

MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop.

MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th USENIX Security Symposium in Montreal, Quebec, beginning first thing in the morning, with meals taken in the meeting room, and extending into the evening. Attendance will be by invitation and limited to 60 participants. All participants will be expected to “come with findings” and be willing to address the group in some fashion, formally or not. In keeping with the theme of The Importance of Context, preference will be given to the authors of position papers/presentations who have actual work in progress that demonstrates the value of security metrics with respect to a security-related goal.

Topics that demonstrate the importance of context include:

• Data and analyses emerging from ongoing metrics efforts
• Studies in specific subject matter areas
• Time and situation-dependent aspects of security metrics
• Long-term trend analysis and forecasts
• Measures of the depth and breadth of security defenses
• Metrics definitions that can be operationalized
• Incorporating unknown vulnerabilities into security metrics
• Security and risk modeling calibrations
• Security measures in system design
• Software assurance initiatives
• Security metrics relationship to security assessments

The program committee will also consider any innovative security metrics related work.

How to Participate

Submit a short position paper or description of work done or ongoing. Your submission must be brief — no longer than two pages including both text and graphical displays of quantitative information. Author names and affiliations should appear first in the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to
These requests to participate are due no later than noon GMT, Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your submission within a day or two of posting; take action if you do not.

The Program Committee will invite both attendees and presenters. Participants of either sort will be notified of acceptance quickly — by June 15, 2009. Presenters who want hardcopy materials to be distributed at the Workshop must provide originals of those materials to the Program Committee by July 27, 2009. All slides, position papers, and what-not will be made available to all participants at the Workshop. No formal academic proceedings are intended, but a digest of the meeting will be prepared and distributed to participants and the general public. (Digests for previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this sort is found. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is entirely acceptable, but only if you disclose this in your

All atwitter

In re-reading my blog post on twittering during a conference I realized it sounded a lot more negative than I’d meant it to.

I’d like to talk about why I see it as a tremendous positive, and will be doing it again.

First, it engages the audience. There’s a motive to pay close attention and share what you hear. They’re using their laptops for good, not evil.

Second, it multiplies the attention to the talk. The talk was standing room only, but the room held fewer than 100 people. The people who tweeted had 5,300 followers. Now, that’s total followers, not unique (does anyone have an easy way to calculate that?) It’s also unlikely that many of them were reading Twitter or read backscroll, but it seems like an ok guess to say that 200-500 people saw some mention of the talk on Twitter.

Third, it promotes the audience from passive to engaged (although that wasn’t a problem for my audience, I’ve seen it in other talks). They’re no longer just listeners, they’re interpreting, quoting, and generating additional content as we engaged around the ideas in the talk.

What chaotically emerged is larger than my talk. It’s a conversation.

Security Breach Notification Symposium

Next Friday (March 6th) I’ll be speaking at the “Security Breach Notification Symposium:”

A one-day symposium on identity theft and security breaches. Experts from law, government, computer science, and economics will discuss laws that protect personal information and suggest reforms to strengthen them. Although most agree that reforms are needed, leading thinkers clash on what the solutions should be. Questions remain concerning the scope of security breach laws, their effectiveness, and cost. Critics argue that notification laws are wasteful and that most breaches aren’t connected to identity theft. Supporters say the laws create vital incentives to safeguard information and reveal hidden cracks in security.

The symposium begins with a session on California’s security breach law and continues with a look at current research and proposed reforms by the state’s top policy makers and scholars.

Conference information and agenda are online at:

DETAILS: The program is free for public interest groups and media. Registration is required for the general public. For more info, go to

Space is still available, please join us!

[Update: the linked site had permission issues, now fixed. Thanks Chris!]

Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways.

An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid in crime fighting and whatever. This will work until criminals start collecting other people’s DNA samples and scattering them at crime scenes, creating confusion.

Angell didn’t mention a counter-measure, and I have one that I’m sure the politicos will want to use: make the possession of DNA a crime. There’s the obvious exemption for your own DNA, but this brings new and important expansions of the old standby of “inappropriate contact.”

This brings me to a complaint and irony about the “improvements” to Black Hat this year. The ironies occurred to me as Angell was speaking, talking about the ways added complexity brings new ways to fail.

One of the Black Hat improvements is that Black Hat is adopting a number of cool web-isms. There’s a Twitter feed, for example. They’re encouraging blogging by handing out blogging credentials for Defcon. This is good and cool.

However, one of the other improvements is to move The Wall of Sheep from Defcon to Black Hat. Professor Angell’s cat Oscar would have a thing or two to say about that. However, Nick Mathewson of Tor said it best, I think.

If you are not familiar with The Wall of Sheep, it is a project in which the shepherds run a protocol analyzer on the network looking for people using insecure protocols, plaintext passwords, and the lot. They quasi-anonymize them and then offer them up for what in Puritan days would be a pillory.
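As an added example (not code from this post, and not the Wall of Sheep project’s own tooling), here is the gist of what the shepherds’ protocol analyzer looks for, run over a handful of constructed client-to-server payloads instead of a live capture so it works offline. It picks out FTP, POP3, IMAP and HTTP Basic logins, masks all but the first character of each password before “posting” it, and includes the trick the post mentions: a fake login typed at the sniffer on purpose gets sheared like any other, because nothing on the wire distinguishes it. Every name in it (Flow, Sheep, shear, wall_lines, the addresses and the credentials) is made up for the example.

```python
"""
Wall of Sheep-style plaintext credential spotter (added example).

Runs over constructed, in-memory "captured" client->server TCP payloads
rather than a live sniffer. All names, addresses and credentials below are
invented for the example.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # client address, as a sniffer would record it
    dst_port: int   # server port, used to pick the protocol parser
    payload: str    # reassembled client->server bytes, decoded as text


@dataclass(frozen=True)
class Sheep:
    src: str
    protocol: str
    username: str
    password_hint: str  # quasi-anonymised: first character plus asterisks


def mask(secret: str) -> str:
    """Keep only the first character, so the Wall can prove its point
    without republishing the whole password."""
    return secret[:1] + "*" * max(len(secret) - 1, 0)


# Client-side command patterns for the classic plaintext protocols.
_USER_PASS = re.compile(r"^USER (\S+)\r?\n(?:.*\r?\n)*?PASS (\S+)", re.M)  # FTP, POP3
_IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) (\S+)", re.M | re.I)
_HTTP_BASIC = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M)


def _user_pass(payload: str):
    m = _USER_PASS.search(payload)
    return (m.group(1), m.group(2)) if m else None


def _imap_login(payload: str):
    m = _IMAP_LOGIN.search(payload)
    return (m.group(1), m.group(2)) if m else None


def _http_basic(payload: str):
    m = _HTTP_BASIC.search(payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# Port -> (label, extractor). Anything else (443, ssh, ...) is left alone.
PARSERS = {
    21: ("ftp", _user_pass),
    110: ("pop3", _user_pass),
    143: ("imap", _imap_login),
    80: ("http-basic", _http_basic),
}


def shear(flows):
    """Return one Sheep per flow that carried a plaintext credential."""
    found = []
    for flow in flows:
        entry = PARSERS.get(flow.dst_port)
        if entry is None:
            continue
        label, extract = entry
        creds = extract(flow.payload)
        if creds:
            user, password = creds
            found.append(Sheep(flow.src, label, user, mask(password)))
    return found


def wall_lines(sheep):
    """Render the pillory: one line per sheep, password already masked."""
    return [f"{s.src:<12} {s.protocol:<10} {s.username:<16} {s.password_hint}"
            for s in sheep]


# Constructed sample capture (not real traffic). The last flow is the trick
# from the post: fake credentials typed at a telnet session to an FTP port
# on purpose; the sniffer cannot tell it from a real login.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 21, "USER alice\r\nPASS hunter2\r\nLIST\r\n"),
    Flow("10.0.0.7", 110, "USER bob@example.org\r\nPASS s3cret\r\nSTAT\r\n"),
    Flow("10.0.0.8", 443, "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS, ignored
    Flow("10.0.0.9", 80, "GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                         "Authorization: Basic Y2Fyb2w6bGV0bWVpbg==\r\n\r\n"),
    Flow("10.0.0.10", 143, "a001 LOGIN dave pa55word\r\n"),
    Flow("10.0.0.11", 80, "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Flow("10.0.0.99", 21, "USER not_a_sheep\r\nPASS wearing_a_kilt\r\n"),
]

if __name__ == "__main__":
    for line in wall_lines(shear(SAMPLE_FLOWS)):
        print(line)
```

The port-to-parser table is the whole design: the analyzer only understands protocols it has a parser for, so TLS on 443 and anything tunnelled through a VPN never shows up, which is exactly why the pants argument cuts both ways. The masking keeps the Wall from becoming a password dump, but it does nothing about the identity of the person behind the source address.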

Nick’s comment about this was that it’s a very 1990s thing. Here we are in the late aughties, and you have to assume that if someone is at a security conference and using a non-secure protocol, it is a lot like not wearing pants. If you’re at a conference in Vegas and someone there is not wearing pants, it’s probably wise to assume that they know they’re not wearing pants, and that they are not wearing pants for some reason.

I was paying enough attention at the time to note that Nick was wearing a kilt when he said that.

The Wall of Sheep is the Pants Police. They run a Pants Panopticon in which they rush around madly looking for people with no pants and posting them up on the Wall of No Pants. They’ve decided on their own that a lack of pants is a ridiculable offense, even for people who know they’re not wearing pants, and don’t care what you can see. Even moreso, they also post the mere rumor of pantslessness. I have heard tell that some people enjoy hacking the Pants Police by telnetting to some service and typing in usernames and passwords to be sniffed. I would never do that myself, but I’ve heard stories. They’re actually more the Pants TSA than the Pants Police, but Pants TSA doesn’t alliterate.

The Angell-quality irony here is that all these new communications systems that on the one hand we’re being encouraged to use are — questionable. Twitter looks a lot like knickers to me. And let’s face it, WordPress won a Pwnie award for the incredible number of vulns they’ve coded.

In short, you’d be a fool to use Twitter at Black Hat, or to blog, or — well, use DNS. For Pete’s sake, we’re being told to set up manual ARP entries. (Yes, I know. You can use a VPN, or your mobile, or something else. That’s all very good, but once the Pants Police decide your Bermudas look like Speedos to them….)

The message of Black Hat that people should take away is that nothing is safe. That’s not necessarily bad. If we wanted houses to be safe as houses, we’d take out the windows and turn off the electricity. Technology is risk, as Angell said eloquently and entertainingly.

This is just more of the security wags naming, shaming, and blaming the victims. Is the message one should take away from Black Hat not to use a computer there? Even Professor Angell isn’t that pessimistic. He thinks that four ounces in an eight-ounce tumbler means you have too much glass.

Which is it at Black Hat? Web or no web? Pick one. Either Black Hat is (like Defcon) an open free-for-all in which griefing is just another way to spell 1337 and you’re a fool to bring electronics, or it’s an information exchange between smart people who blog, Tweet, and Plurk. Is a handshake a greeting, or a way to get a DNA sample? Are we using cutting edge or trailing edge technologies? If the former, remember that their security is going to suck until they get beat up — cutting edge techs can make you bleed. To phrase it another way, pick a century we’re in — 20 or 21. It matters less which one you pick than that you pick.

I hope it’s 21. I think Twitter is twee, but I’ve been using it and I smile when I do. (Plurk is much cooler, but I can hear The Good, The Bad, and The Ugly theme every time I go there.) I truly believe that blogging is just journalism in the cheapest free press civilization has ever had. AJAX is scary, but it’s scary in the way that driving a go-cart is scary. I don’t want to have to worry about the Pants Police, too, to make fun of me if I’ve misconfigured something I’m not as adept at as IRC. I’d like to deliver a live blog about the opening keynote on the day it was given, as opposed to while I’m still alive.

I think Black Hat is moving in a very good direction to make information flow better, more interesting, and more fun. Let’s just leave the old school hectoring back in its era, and find out how to fix the new things by using them.

SOUPS 2008, summarized

I really appreciate the way Richard Conlan has blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security in depth. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this.

There’s only one request I’d make: There’s no single “pointer post” which lists all the blog posts in a way I can easily link to. It would be great to have such a post on the Usable Security blog.