Entries Tagged "security conferences"

Page 3 of 11

Security and Human Behavior (SHB 2014)

I’m at SHB 2014: the Seventh Annual Interdisciplinary Workshop on Security and Human Behavior. This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, anthropologists, business school professors, neuroscientists, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

I call this the most intellectually stimulating two days of my years. The goal is discussion amongst the group. We do that by putting everyone on panels, but only letting each person talk for 5-7 minutes The rest of the 90-minute panel is left for discussion.

The conference is organized by Alessandro Acquisti, Ross Anderson, and me. This year we’re at Cambridge University, in the UK.

The conference website contains a schedule and a list of participants, which includes links to writings by each of them. Ross Anderson is liveblogging the event. It’s also being recorded; I’ll post the link when it goes live.

Here are my posts on the first, second, third, fourth, fifth, and sixth SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops. It’s hard to believe we’ve been doing this for seven years.

Posted on June 9, 2014 at 4:50 AMView Comments

The Cryptopocalypse

There was a presentation at Black Hat last month warning us of a “factoring cryptopocalypse”: a moment when factoring numbers and solving the discrete log problem become easy, and both RSA and DH break. This presentation was provocative, and has generated a lot of commentary, but I don’t see any reason to worry.

Yes, breaking modern public-key cryptosystems has gotten easier over the years. This has been true for a few decades now. Back in 1999, I wrote this about factoring:

Factoring has been getting easier. It’s been getting easier faster than anyone has anticipated. I see four reasons why this is so:

  • Computers are getting faster.
  • Computers are better networked.
  • The factoring algorithms are getting more efficient.
  • Fundamental advances in mathematics are giving us better factoring algorithms.

I could have said the same thing about the discrete log problem. And, in fact, advances in solving one problem tend to mirror advances in solving the other.

The reasons are arrayed in order of unpredictability. The first two—advances in computing and networking speed—basically follow Moore’s Law (and others), year after year. The third comes in regularly, but in fits and starts: a 2x improvement here, a 10x improvement there. It’s the fourth that’s the big worry. Fundamental mathematical advances only come once in a while, but when they do come, the effects can be huge. If factoring ever becomes “easy” such that RSA is no longer a viable cryptographic algorithm, it will be because of this sort of advance.

The authors base their current warning on some recent fundamental advances in solving the discrete log problem, but the work doesn’t generalize to the types of numbers used for cryptography. And they’re not going to generalize; the result is simply specialized.

This isn’t to say that solving these problems won’t continue to get easier, but so far it has been trivially easy to increase key lengths to stay ahead of the advances. I expect this to remain true for the foreseeable future.

Posted on August 19, 2013 at 6:47 AMView Comments

Security and Human Behavior (SHB 2013)

I’m at the Sixth Interdisciplinary Workshop on Security and Human Behavior (SHB 2013). This year we’re in Los Angeles, at USC—hosted by CREATE.

My description from last year still applies:

SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others—all of whom are studying the human side of security—organized by Alessandro Acquisti, Ross Anderson, and me. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

It is still the most intellectually stimulating conference I attend all year. The format has remained unchanged since the beginning. Each panel consists of six people. Everyone has ten minutes to talk, and then we have half an hour of questions and discussion. The format maximizes interaction, which is really important in an interdisciplinary conference like this one.

The conference website contains a schedule and a list of participants, which includes links to writings by each of them. Both Ross Anderson and Vaibhav Garg have liveblogged the event.

Here are my posts on the first, second, third, fourth, and fifth SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 5, 2013 at 7:20 AMView Comments

Marketing at the RSA Conference

Marcus Ranum has an interesting screed on “booth babes” in the RSA Conference exhibition hall:

I’m not making a moral argument about sexism in our industry or the objectification of women. I could (and probably should) but it’s easier to just point out the obvious: the only customers that will be impressed by anyone’s ability to hire pretty models to work their booth aren’t going to be the ones signing the big purchase orders. And, it’s possible that they’re thinking your sales team are going to be a bunch of testosterone-laden assholes who’d be better off selling used tires. If some company wants to appeal to the consumer that’s going to jump at the T&A maybe they should relocate up the street to O’Farrell where they can include a happy ending with their product demo.

Mark Rothman on the same topic.

EDITED TO ADD (3/11): Winn Schwartau makes a similar point.

Posted on March 5, 2013 at 1:58 PMView Comments

Me at the RSA Conference

I’ll be speaking twice at the RSA Conference this year. I’m giving a solo talk Tuesday at 1:00, and participating in a debate about training Wednesday at noon. This is a short written preview of my solo talk, and this is an audio interview on the topic.

Additionally: Akamai is giving away 1,500 copies of Liars and Outliers, and Zcaler is giving away 300 copies of Schneier on Security. I’ll be doing book signings in both of those companies’ booths and at the conference bookstore.

Posted on February 25, 2013 at 1:49 PMView Comments

All Those Companies that Can't Afford Dedicated Security

This is interesting:

In the security practice, we have our own version of no-man’s land, and that’s midsize companies. Wendy Nather refers to these folks as being below the “Security Poverty Line.” These folks have a couple hundred to a couple thousand employees. That’s big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don’t know any better. And the attackers seem to sneak those passing shots by them on a seemingly regular basis.

[…]

Back when I was on the vendor side, I’d joke about how 800 security companies chased 1,000 customers—meaning most of the effort was focus on the 1,000 largest customers in the world. But I wasn’t joking. Every VP of sales talks about how it takes the same amount of work to sell to a Fortune-class enterprise as it does to sell into the midmarket. They aren’t wrong, and it leaves a huge gap in the applicable solutions for the midmarket.

[…]

To be clear, folks in security no-man’s land don’t go to the RSA Conference, probably don’t read security pubs, or follow the security echo chamber on Twitter. They are too busy fighting fires and trying to keep things operational. And that’s fine. But all of the industry gatherings just remind me that the industry’s machinery is geared toward the large enterprise, not the unfortunate 5 million other companies in the world that really need the help.

I’ve seen this trend, and I think it’s a result of the increasing sophistication of the IT industry. Today, it’s increasingly rare for organizations to have bespoke security, just as it’s increasingly rare for them to have bespoke IT. It’s only the larger organizations that can afford it. Everyone else is increasingly outsourcing its IT to cloud providers. These providers are taking care of security—although we can certainly argue about how good a job they’re doing—so that the organizations themselves don’t have to. A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on—and who increasingly accesses those systems using specialized devices like iPads and Android tablets—simply doesn’t have any IT infrastructure to secure anymore.

To be sure, I think we’re a long way off from this future being a secure one, but it’s the one the industry is headed toward. Yes, vendors at the RSA conference are only selling to the largest organizations. And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term “cloud provider” hadn’t been invented yet):

For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure—power, water, cleaning service, tax preparation—customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.

[…]

The RSA Conference won’t die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It’ll be security companies selling to the companies who sell to corporate and home users—and will no longer be a 17,000-person user conference.

Posted on February 22, 2013 at 6:03 AMView Comments

Sexual Harassment at DefCon (and Other Hacker Cons)

Excellent blog post by Valerie Aurora about sexual harassment at the DefCon hackers conference. Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community.

The response of “this is just what hacker culture is, and changing it will destroy hackerdom” is just plain wrong. When swaths of the population don’t attend DefCon because they’re not comfortable there or fear being assaulted, we all suffer. A lot.

Finally, everyone at DEFCON benefits from more women attending. Women “hackers”—in the creative technologist sense—are everywhere, and many of them are brilliant, interesting, and just plain good company (think Limor Fried, Jeri Ellsworth, and Angela Byron). Companies recruiting for talent get access to the full range of qualified applicants, not just the ones who can put up with a brogrammer atmosphere. We get more and better talks on a wider range of subjects. Conversations are more fun. Conferences and everyone at them loses when amazing women don’t attend.

When you say, “Women shouldn’t go to DEFCON if they don’t like it,” you are saying that women shouldn’t have all of the opportunities that come with attending DEFCON: jobs, education, networking, book contracts, speaking opportunities—or else should be willing to undergo sexual harassment and assault to get access to them. Is that really what you believe?

And in case you’re thinking this is just a bunch of awkward geeks trying to flirt, here are one person’s DefCon stories:

Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff (I do not have words for how slimy it is that the official security staff were in charge of what was essentially a competition to get women to show their boobs). Or lastly, the man who, without prompting, interrupted my conversation and asked me if I’d like to come back to his room for a “private pillowfight party.” “You know,” he said. “Just a bunch of girls having a pillowfight….fun!” When I asked him how many men would be standing around in a circle recording this event, he quickly assured me that “no one would be taking video! I swear!”

Aurora writes that DefCon is no different from other hacker cons. I had some conversations with people at DefCon this year to the contrary, saying that DefCon is worse than other hacker cons. We speculated about possible reasons: it’s so large (13,000 people were at DefCon 20), it’s in Las Vegas (with all the sexual context that implies), and it’s nobody’s home turf. I don’t know. Certainly the problem is rampant in geek culture.

Aurora also mentions the “Red/Yellow Card project” by KC, another hacker: warning cards that can be handed out in response to harassing behavior. The cards are great, and a very hackerish sort of solution to the problem. She gave me a complete set—there’s also a green card for good behavior—and I have been showing them to people since I returned. I haven’t heard any stories about them being given out to harassers, but I suspect they would be more effective if they were given out by observers rather than by the harassed. (Bystanders play a large role in normalizing harassing behavior, and similarly play a large role preventing it.)

Of course, the countermove by harassers would be to collect the cards as kind of a game. Yes, that would reduce the sting of the cards. No, that doesn’t make them a bad idea. Still, a better idea is a strong anti-harassment policy from the cons themselves. Here’s a good model.

More resources: here, here, and here.

Posted on August 15, 2012 at 8:57 AMView Comments

WEIS 2012

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks.

On the second day, Ross and I debated—well, discussed—cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we weren’t spending enough on cybersecurity, and he argued that we were spending too much. For this discussion, we reversed our positions.

Posted on July 2, 2012 at 6:20 AMView Comments

Security and Human Behavior (SHB 2012)

I’m at the Fifth Interdisciplinary Workshop on Security and Human Behavior, SHB 2012. Google is hosting this year, at its offices in lower Manhattan.

SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others—all of whom are studying the human side of security—organized by Alessandro Acquisti, Ross Anderson, and me. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

This is the best and most intellectually stimulating conference I attend all year. I told that to one of the participants yesterday, and he said something like: “Of course it is. You’ve specifically invited everyone you want to listen to.” Which is basically correct. The workshop is organized into panels of 6-7 people. Each panelist gets ten minutes to talk about what he or she is working on, and then we spend the rest of the hour and a half in discussion.

Here is the list of participants. The list contains links to readings from each of them—definitely a good place to browse for more information on this topic. Ross Anderson, who has far more discipline than I, is liveblogging this event. Go to the comments of that blog post to see summaries of the individual sessions.

Here are links to my posts on the first, second, third, and fourth SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 5, 2012 at 1:16 PMView Comments

1 2 3 4 5 11

Sidebar photo of Bruce Schneier by Joe MacInnis.