Subscribe: CERIAS Blog
http://www.cerias.purdue.edu/weblogs/feed/

CERIAS Blog

Published: 2018-01-25T19:52:09+00:00

Spaf videos, blasts from the past, future thoughts

2018-01-25T19:52:09+00:00

I created a YouTube channel a while back, and began uploading my videos and linking in videos of me that were online. Yes, it’s a dedicated Spaf channel! However, I’m not on camera eating Tide pods, or doing odd skateboard stunts. This is a set of videos with my research and views over the years on information (cyber) security, research, education, and policies.

There are two playlists under the channel — one for interviews that people have conducted with me over the years, and the other being various conference and seminar talks.

One of the seminar talks was one I did at Bellcore on the Internet Worm — about 6 weeks after it occurred (yes, that’s 1988)! Many of my observations and recommendations in that talk seem remarkably current — which I don’t think is necessarily a good observation about how current practice has (not) evolved.

My most recent talk/video is a redo of my keynote address at the 2017 CISSE conference held in June, 2017 in Las Vegas. The talk specifically addresses what I see as the needs in current information security education. CISSE was unable to record it at the time, so I redid it for posterity based on the speaker notes. It only runs about 35 minutes long (there were no introductions or Q&A to field) so it is a quicker watch than being at the conference!

I think there are some other goodies in all of those videos, including views of my bow ties over the years, plus some of my predictions (most of which seem to have been pretty good). However, I am putting these out without having carefully reviewed them — there may be some embarrassing goofs among the (few) pearls of wisdom. It is almost certain that many things changed away from the operational environment that existed at the time I gave some of these talks, so I’m sure some comments will appear “quaint” in retrospect. However, I decided that I would share what I could because someone, somewhere, might find these of value.

If you know of a recording I don’t have linked in to one of the lists, please let me know.

Comments appreciated. Give it a look!




How far do warrants reach in “The Cloud”?

2018-01-18T17:58:00+00:00

There is a case currently (early 2018) pending before the Supreme Court of the United States (SCOTUS) addressing if/how a US warrant applies to data held in a cloud service outside the US but run by a US entity. The case is United States vs. Microsoft, and is related to interpretation of 18 U.S.C. § 2703 — part of the Stored Communications Act. The case originated when US authorities attempted to serve a warrant on Microsoft to retrieve email of a user whose email was serviced by MS cloud servers in Ireland. Microsoft asserted the data resided in Ireland and the US warrant did not extend outside the US. The US contends that the warrant can be fully served inside the US by Microsoft and no foreign location is involved. Microsoft sued to vacate. The district court upheld the government, and found Microsoft in contempt for not complying. On appeal, the 2nd Circuit Court of Appeals overturned that decision (and the contempt citation), and remanded the case for reconsideration. The US government sought and obtained a writ of certiorari (basically, sought a hearing before SCOTUS to consider that appellate ruling). The oral arguments will be heard the last week in February.

The decision in the case has some far-reaching consequences, not least of which is that if the warrant is allowed, it is likely to drive business away from US service providers of cloud services — clients outside the US will be concerned that the US could compel production of their data. At the same time, if the warrant is not allowed, it could mean that service providers could spring up serving data out of one or more locations that routinely ignore US attempts to cooperate on computer crime/terrorism investigations. (Think of the cloud equivalent of banking havens such as the Cayman Islands, Vanuatu, and the Seychelles.) Neither result is particularly appealing, but it seems (to me) that under current law the warrant cannot be enforced.

I signed on to an amicus (friend of the court) brief, along with 50 other computing faculty. Our brief is not explicitly in favor of either side in the dispute, but is intended to help educate the court about how cloud services operate, and that data does actually have a physical location. If you are interested in reading the other briefs — including several from other amici ("friends of the court") — there are links from the SCOTUS blog about the case. It is interesting to note the perspectives of the EU and Irish governments, trade associations, former law enforcement and government officials, and more. The general consensus of the ones I read seems to me to favor Microsoft in this case. We shall have to see if the SCOTUS agrees, and whether Congress then acts to set new law in the area, if so.

This case is an example of one of the difficulties when we have few barriers in network communications, and the data flows across political borders. It is, in some sense, analogous to the "going dark" concerns of the FBI. How do we maintain privacy in an arena where bad actors use the technology to "hide" what they do, potentially forever beyond reach of law enforcement? Furthermore, how do we enforce the rules of law in an environment where some of the legal authorities are ideologically opposed to privacy rights or rule of law as envisioned by other authorities? It is also related to searches of computing devices carried across borders (including cell phones), and similar instances where the attempt has been made to equate the presence of end points or corporate operators as somehow including the data accessible via those end points. All of these are problems that the technology aggravates but are unlikely — if not impossible — to solve by technology alone. Interesting times, no matter which side of these matters one is normally likely to support.

This is the 3rd amicus brief before the SCOTUS to which I have been a signatory, and one of 10 overall. (This is very different from publishing academic papers!) [...]



Another good one gone too soon

2017-10-24T01:50:26+00:00

Today, I attended the funeral in Illinois of another good friend in infosec: Ken Olthoff. Ken was my friend for over 25 years, and his death was a surprise to me and to everyone who knew him. It was also a significant loss to the field, and another sad reminder that each of us needs to live our goals sooner rather than later. The funeral included a great set of remembrances of some aspects of Ken's life and contributions, with the service conducted by his cousin, Pastor Diane Maodush-Pitzer.

Kenneth George Olthoff was born November 18, 1959. He grew up outside Chicago in Thornton, and received a degree from Purdue Calumet. His family remembers him exhibiting, at a young age, great curiosity about how things worked and clear engineering aptitude. Around three decades ago, he joined the NSA, where he worked until his untimely passing.

Ken was on leave to visit family in Illinois in early October, as he did twice each year. Along with visiting his relatives, he engaged in some repairs to his childhood home — where he planned to retire in a small number of years, using it as a base for travel. On this most recent visit, he worked his way through his "to do" list, with the last being his annual long distance bike ride of 60+ miles (Ken did a lot of recumbent bicycling all year round). He then had dinner with his brother, Jack, and sister-in-law, Sue. Jack tried to reach him by phone Sunday, October 15, and when he did not get an answer, Jack went to check on him. Jack found Ken sitting in a recliner, in front of the TV. He had died, peacefully, during the night. The medical examiner listed cause of death as cardiovascular-related. Ken would have been 58 next month.

Ken had many "families" in which he was connected. I think Vonnegut's concept of the "karass" may be a more accurate characterization. Ken had a wide-ranging curiosity and set of interests that created bridges to all sorts of people.

Notably, Ken was a hardworking, creative, and valued contributor to national information security solutions. He wasn't always acknowledged (or even known outside where he worked) for what he did, but many of the people who worked with him treasured his positive contributions. Ken's commitment to "speak truth to power" sometimes grated on a few, but more often was valued within a community that sometimes has been too quick to buy into the "emperor's new wardrobe." I know a little of what Ken did at the Agency, and I have heard from others who knew his work better than I do (because some of it was classified and on a need-to-know basis); more than one of these people have commented that there were many in military service who made it home — alive, to their families — because of things Ken designed or built.

Ken was notable in the broader cybersecurity community, too, although not as well-known as many others. Whether it was as the first person ever identified in the "Spot-the-Fed" at DefCon, or writing outrageous plays about security foibles for performance at NSPW, or any of a number of other activities, Ken also had many admirers and friends outside of where he worked. Ken was also, in the words of a friend, "… an avid disc golfer and recumbent bike rider, collector of Japanese prints and wood turnings, fan of authentic ethnic cuisines, aficionado of the Chicago music scene (particularly loyal to Pezband), fan and supporter of dirt track racing and youth hockey, and patron and production crew member for Charm City Roller Girls, and the AXIS Theatre and Rapid Lemon Productions companies in Baltimore." He ran several mailing lists on these topics (and more), with eclectic and interesting memberships that evidenced a broad set of interests beyond even these. I learned today that he held at least five patents, on topics ranging from cyber security mechanisms to accessories for musical instruments! Anyone who knew Ken also remembers his amazing [...]



A Blast from the Past

2017-08-09T02:29:44+00:00

In December of 1988, I was invited to speak at Bell Communications Research (Bellcore) about the Morris Internet Worm that had been released about six weeks before. The invitation was to speak on computer security in general, malicious software more specifically, and particularly "The Worm."

At the time, I was a new assistant professor — I had joined the faculty at Purdue in August of 1987. This was only my second ever presentation on computing security issues, although I had been working in the area for years. Note that this was well before I had coauthored either the Computer Virus book or Practical Unix Security.

The title of the talk was Worms, Viruses, and Other Programmed Pests. I went on to give a variant of this presentation about 2 dozen times in the year following this talk.

I had forgotten that I had a copy of this video stored away. I’m sharing it now for historical purposes (and for some of my friends, hysterical purposes).

I think that this talk has aged very well, considering it was given nearly 30 years ago. Most of what I talk about here (but not all) is still relevant. Clearly, a number of the examples and numbers have changed drastically since then, but some of the most significant aspects have remained unchanged. Much of the advice I gave then could be given today because it still applies… and still is largely ignored. Especially, check out the Q&A at the end.

You can tell this video is really old, not only because of the video artifacts, but because:

  1. I am wearing a normal tie (I switched to bow ties exclusively a few years later)
  2. I am making the presentation using acetates instead of from a computer
  3. I have almost a full head of hair
  4. I only had a waistline in double digits.

You'll also note that I had the odd sense of humor even then. Oh, and I used the Oxford comma in the title.

Enjoy.


Video (YouTube): https://www.youtube.com/embed/4Jy5hRU5des



Purdue CERIAS Researchers Find Vulnerability in Google Protocol

2017-04-14T14:16:32+00:00

[This is posted on behalf of the three students listed below. This is yet another example of bad results when speed takes precedence over doing things safely. Good work by the students! --spaf]

As a part of an INSuRE project at Purdue University, PhD Information Security student Robert Morton and seniors in Computer Science Austin Klasa and Daniel Sokoler conducted an observational study on Google's QUIC protocol (Quick UDP Internet Connections, pronounced "quick"). The team found that QUIC leaked the length of the password, potentially allowing eavesdroppers to bypass authentication in popular services like Google Mail (G-mail). The team named the vulnerability Ring-Road and is currently trying to quantify the potential damage.

During the initial stages of the research, the Purdue team found that the Internet has been transformed over the last five years with a new suite of performance-improving communication protocols such as SPDY, HTTP/2 and QUIC. These new protocols are being rapidly adopted to increase the speed and performance of applications on the Internet. More than 10% of the top 1 million websites are already using some of these technologies, including many of the 10 highest-traffic sites.

While these new protocols have improved speed, the Purdue team focused on determining whether any major security issues arose from using QUIC. The team was astonished to find that Google's QUIC protocol leaks the exact length of sensitive information when transmitted over the Internet. This could allow an eavesdropper to learn the exact length of someone's password when signing into a website. In part, this negates the purpose of the underlying encryption, which is designed to keep data confidential, including its length. In practice, the Purdue team found QUIC leaks the exact length of passwords sent to commonly used services such as G-mail.

The Purdue team then created a proof-of-concept exploit to demonstrate the potential damage:

  1. The team sniffed a target network to identify the password length from QUIC.
  2. The team optimized a password dictionary to the identified password length.
  3. The team automated an online attack to bypass authentication into G-mail.

The Purdue team believes the root cause of this problem came when Google decided to use a particular encryption method in QUIC: the Advanced Encryption Standard in Galois/Counter Mode (AES-GCM). AES-GCM is a mode of encryption often adopted for its speed and performance. AES-GCM does not pad: apart from a fixed-size authentication tag, the ciphertext is exactly as long as the plaintext, so anyone who can observe packet sizes can observe plaintext sizes. For short communications such as passwords, exposing the length can be damaging when combined with other contextual clues to bypass authentication, and therein lies the problem.

Conclusion

In summary, there seems to be an inherent trade-off between speed and security. As new protocols emerge on the Internet, these new technologies should be thoroughly tested for security vulnerabilities in a real-world environment. Google has been informed of this vulnerability and is currently working to identify a patch to protect their users. As Google works to create a fix, we recommend that users and system administrators disable QUIC in Chrome and on their servers by visiting this link. We also recommend, independent of this issue, that users consider enabling two-step verification on their G-mail accounts, for added protection, as described here.

The Purdue team will be presenting their talk and proof-of-concept exploit against G-mail at the upcoming CERIAS Symposium on 18 April 2017.

Additional Information

To learn more, please visit ringroadbug.com and check out the video of our talk, "Making the Internet Fast Again...At the Cost of Security", at the CERIAS Symposium on 18 April 2017.

Acknowledgements

This research is a part of the Information Security Research and Education (INSuRE) project. The project was under the direction of Dr. Melissa Dark and Dr. John Springer and assisted by tec[...]
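The length leak and the dictionary-narrowing step described above can be reproduced in miniature. The Go program below is an added example written for this page; it is not the Purdue team's proof of concept and it does not parse QUIC. It assumes a fixed demo key, the standard 12-byte AES-GCM nonce and 16-byte tag, and a constructed five-word dictionary, and it treats the length of one sealed record as what an eavesdropper sees on the wire, ignoring QUIC's own fixed framing overhead. It shows three things: the record length gives away the plaintext length with no key at all; filtering a dictionary by that length shrinks the online guessing space; and padding the plaintext to a fixed bucket before sealing (the mitigation the post implies) makes records for different password lengths the same size.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// demoKey is a fixed 128-bit key chosen for this example only (an assumption;
// nothing here models QUIC's real key schedule).
var demoKey = []byte("0123456789abcdef")

const (
	nonceLen = 12 // standard AES-GCM nonce size
	tagLen   = 16 // standard AES-GCM authentication tag size
)

func newGCM() cipher.AEAD {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts pt with AES-GCM and returns nonce||ciphertext||tag, which is
// the whole record an eavesdropper observes in this simplified model.
func seal(pt []byte) []byte {
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return newGCM().Seal(nonce, nonce, pt, nil)
}

// open reverses seal, authenticating the tag before returning plaintext.
func open(record []byte) ([]byte, error) {
	if len(record) < nonceLen+tagLen {
		return nil, errors.New("record too short")
	}
	return newGCM().Open(nil, record[:nonceLen], record[nonceLen:], nil)
}

// leakedLength is the passive attack: GCM adds only a constant overhead,
// so subtracting it from the record length yields the plaintext length.
func leakedLength(recordLen int) int {
	return recordLen - nonceLen - tagLen
}

// filterByLength keeps only dictionary entries that could match the leaked
// length; this is the "optimize the dictionary" step.
func filterByLength(dict []string, n int) []string {
	var out []string
	for _, w := range dict {
		if len(w) == n {
			out = append(out, w)
		}
	}
	return out
}

// padToBucket is the mitigation: a 2-byte big-endian length prefix, then
// zero padding to the next multiple of bucket, so any password of up to
// bucket-2 bytes produces a record of the same size.
func padToBucket(pt []byte, bucket int) []byte {
	if len(pt) > 0xFFFF {
		panic("plaintext too long for 16-bit length prefix")
	}
	total := 2 + len(pt)
	padded := make([]byte, ((total+bucket-1)/bucket)*bucket)
	binary.BigEndian.PutUint16(padded, uint16(len(pt)))
	copy(padded[2:], pt)
	return padded
}

func unpad(padded []byte) ([]byte, error) {
	if len(padded) < 2 {
		return nil, errors.New("missing length prefix")
	}
	n := int(binary.BigEndian.Uint16(padded))
	if 2+n > len(padded) {
		return nil, errors.New("length prefix exceeds record")
	}
	return padded[2 : 2+n], nil
}

func sealPadded(pt []byte, bucket int) []byte { return seal(padToBucket(pt, bucket)) }

func openPadded(record []byte) ([]byte, error) {
	padded, err := open(record)
	if err != nil {
		return nil, err
	}
	return unpad(padded)
}

func main() {
	// Constructed sample dictionary; real wordlists are far larger.
	dict := []string{"password", "hunter2", "letmein", "123456", "qwerty1"}
	rec := seal([]byte("hunter2"))
	n := leakedLength(len(rec))
	fmt.Printf("record %d bytes -> plaintext %d bytes; candidates: %v\n", len(rec), n, filterByLength(dict, n))
	for _, pw := range []string{"hunter2", "correcthorsebattery"} {
		fmt.Printf("%-20s unpadded %2d bytes, padded-to-32 %2d bytes\n", pw, len(seal([]byte(pw))), len(sealPadded([]byte(pw), 32)))
	}
}
```

The bucket size is the trade-off the post describes: larger buckets hide more but cost bandwidth, and the length prefix must be checked against the decrypted length (as `unpad` does) so that a malformed record cannot read past the buffer.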



Time passes, and we lose friends

2017-03-15T03:49:55+00:00

[Note: update added March 15, 2017]

2017 has gotten off to a bad start for the security community…and to me, personally.

First, we lost Kevin Ziese. I met Kevin over two decades ago, when he was involved in computer investigations with the Air Force. I got involved with a couple of investigations, as it was a new field and I had some connections with the Air Force at the time. Kevin later served as a UN Weapons Inspector in Iraq after the first Gulf War. He was at the Pentagon on 9/11. He served in our military with distinction. Later, he was involved with intrusion detection research, and became one of the principals in Wheelgroup, which was acquired by Cisco. He had a significant career in cyber, and made a number of seminal contributions to the field that most current practitioners have never heard about. Kevin was very creative and an able investigator, but what I remember most about him was his incredible enthusiasm and sense of humor. In all our interactions, I can't recall him being anything other than upbeat, and with great insight. I regularly crossed paths with him at IDS and computer crime workshops, and in activities for the Air Force. He was also generous with his time, and he found ways to visit Purdue several times to give talks to my students. I hadn't seen Kevin for a few years, and was vaguely planning on visiting him in the next year or so. We were overdue to catch up. We had been keeping in touch electronically, and his death was a huge — and sad — surprise to me.

Kevin introduced me, electronically, to Howard Schmidt in the early 1990s, after Howard joined AFOSI. We exchanged email and phone calls for several years until we spoke on a conference panel together and finally met in person. Early on, we discovered we were in sync on a number of things, and continued to enjoy our correspondence and occasional meetings through his time at Microsoft.

When he moved to his position at the White House (the first time) in 2002, I visited several times to join in conversations on how to fix some of the cyber security problems of the country. One time, he hosted my family for a Saturday morning breakfast in the West Wing staff dining room, and was so very kind to my young daughter — answering her questions with tremendous patience. Thereafter, we continued to interact in his various roles, and on through his time at the Obama White House. Whenever I'd get to Washington, we'd get together for a conversation, and sometimes a beer. Twice, Howard came to Purdue to speak in our annual CERIAS Security Symposium. Each time, he told me in confidence that he had decided to leave his position at the White House, and his visit to me each time had cemented his decision. (Thereafter, I got a note from someone who worked with Howard at the WH suggesting that I stop inviting critical personnel to speak at Purdue!)

I have so many stories about my times with Howard and they are all good. He was always supportive and positive, and he was always trying to find a way to make things better for others. He also never let his seniority and distinctions get in the way of helping others. For instance, I fondly recall when the EWF was starting its Women of Influence awards, and they asked Howard and me to serve as judges for the first awards. However, to keep with the spirit of the awards (and the restriction on judges), we had to be declared as "honorary women." Howard and I agreed, even when told that we might need to show up at the awards in skirts and heels as part of the process! We laughed about that in later years — that the reason the awards made it into subsequent years was because we weren't asked to do that! (And we did view being "honorary women" judges as an honor.)

The last time I saw Howard was in late 2015, when we both appeared on a panel at a meeting at a government agency. For the last 2 years we kept up wi[...]



Another Surprise for Spaf

2016-11-18T18:48:46+00:00

2016 has been a year of setbacks and challenges for me, including being ousted as executive director of CERIAS. Rather than dwell on those issues, I have tried to stay focused on the future and move forward. Thankfully, some good things have come along and the year is going to close out on several positive notes. My last blog post recounted being informed that I am to receive the 2017 IFIP Kristian Beckman Award as one such positive item.

Today was the announcement of another pleasant surprise — I have been named as a Sagamore of the Wabash. This is the most significant civilian award from the state of Indiana. The award is in recognition of three decades of leadership in cyber security, and service to organizations in the state, including my leadership at CERIAS, work with local companies, and support of government and law enforcement.

As noted in the Purdue press release, I want to thank all the colleagues and students, past and present, who have worked with me over those many years. What we have accomplished only occurred because of our collective efforts; one individual can usually effect only a small amount of change. It is as a group that we have had a tremendous impact. It is gratifying to see their individual successes, too — some of my most gratifying experiences have been when former students tell me that what I helped them to learn was an important component of their success.

Some of my friends may be amused by an irony present in my now having two certificates on my office wall, one signed by George W. Bush and one by Mike Pence, but none from anyone in the Clinton or Obama administrations. (If you don't understand that irony, move along.) However, irony is not new to me — I've repeatedly been recognized internationally for my research and leadership, but actually penalized by some at the university — including within my own department — for those same activities. I haven't done any of what I do for recognition, though. My goal is to help ensure that the world is a better, safer place as a result of my actions. Even if no one notices, I will continue to do so. For years I had a sign above my desk with a quote by Mark Twain: "Always do right. This will gratify some people and surprise the rest." I no longer have the sign, but I still live the words.

I also want to note (as I have several times recently) that as I get these "lifetime achievement" types of recognitions, I don't want people to think that the problems are solved, or that I am planning on retiring. Far from it! The problem space has gotten larger and more complex, and the threats are more severe and imminent. I certainly am not bored with what I do, and I think I have some good experience and ideas to apply. I'm not sure what I'll do next (or where), but I don't intend to step to the sidelines!

Another of my favorite aphorisms was stated by Archimedes: "Give me a lever long enough and a place to stand, and I will move the Earth." If I can find the resources (offers?) and the right place to work (suggestions?), I plan on continuing to move things a bit.

Best wishes to you all for a wonderful holiday season, and a great start to 2017! [...]



It Was A Good Monday

2016-10-19T15:42:11+00:00

Mondays. There are many reasons Mondays have a bad reputation. Few of us would claim to like Mondays.

My Monday earlier this week got off to a poor start. I was traveling to attend a workshop (a good one, on ethics in cyber) and staying, yet again, at a hotel. As sometimes happens when I travel, I wasn't sleeping well. I awoke shortly after 3am and couldn't get back to sleep. Being the compulsive gadget user I am, I checked my email on my cellphone. There, I saw a new message posted from Europe that made my Monday quite a bit better. (Unfortunately, it didn't help me get back to sleep.) Actually, as I write this on Wednesday, I'm still pretty happy, as well as better rested.

The email informed me that I am the 2017 IFIP TC-11 recipient of the Kristian Beckman Award. IFIP is the International Federation of Information Processing Societies, and the Beckman Award is one of the top recognitions in the field. Many of the previous recipients of this honor have been mentors and heroes of mine. As noted on their WWW site, IFIP is recognized by the UN, and it represents IT societies from 56 countries/regions, covering five continents with a total membership of over half a million. TC-11 is the subgroup (technical committee) devoted to security and privacy protection in information processing systems. The Kristian Beckman Award is presented annually, starting in 1993. According to the web site, "The objective of the award is to publicly recognize an individual, not a group or organisation, who has significantly contributed to the development of information security, especially achievements with an international perspective." The letter noted my achievements in research, education, and service; my creation and leadership of CERIAS; my guidance and mentorship of students developing security tools in widespread use; and my work as Academic Editor then Editor-in-Chief of Computers & Security, the oldest journal in the field of information security.

The award will be formally presented at the 32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2017) in Rome, in May 2017. I will be presenting an invited plenary address as part of the award.

I am honored to be named as a recipient of this award. I have worked with IFIP TC-11 on various things over the last 25 years, including as a subcommittee chair (TC 11.4), as a member of several other groups, and serving as editor of Computers & Security, which is recognized as the official journal for TC-11. Along with ACM, ISSA, and (ISC)2, IFIP is a significant force in research and education in cyber security.

I have been quite fortunate in my career. With the Beckman Award, I believe I have now been recognized with every major cyber security award, including the National Computer System Security Award; ISSA Hall of Fame; Harold F. Tipton Award; Cyber Security Hall of Fame; SANS Lifetime Achievement Award; Outstanding Contribution Award from ACM SIGSAC; the Joseph Wasserman Award from ISACA. I haven't done all this on my own — I have been fortunate enough to work with some outstanding students, colleagues, and staff. I will always be grateful for their collegial support.

I would also like to note that many of these awards can be seen as "lifetime" awards. Although the administrators and some of my colleagues at Purdue think I'm no longer functional, I want to assure everyone else that I'm not done yet — I still have some ideas to pursue, possibly another book or two to write, and more students to teach and advise!

Now, if only I could get enough sleep on a regular basis…but I'm willing to wake up for news like this! And no, I still don't particularly like Mondays. [...]



Passing of a Cyber Security Pioneer

2016-07-12T16:45:21+00:00

Stephen T. Walker recently died. He was the founder of the pioneering Trusted Information Systems, a prime force behind the establishment of the NCSC (now the Commercial Solutions Center, but also the producer of the Rainbow Series), and he was the recipient of the first National Computer Security Systems Award. His obituary lists his many notable accomplishments and awards. Steve was a major influencer (and mentor) in the field of cyber security for decades.

I only recall meeting Steve once, and I am poorer for not having had more contact with him.

If you work in cyber security, you should read his obituary and ponder the contributions that have led to the current state of the field, and how little we have credited people like Steve with having had a lasting influence.




Changes for CERIAS…and Spaf

2016-06-30T23:20:53+00:00

Today (June 30) is my last day as CERIAS Executive Director. This marks the end of a process that began about 15 months ago, when it was unexpectedly announced that my appointment was not being renewed. Last week, the dean responsible announced the appointment of Professor Dongyan Xu as interim executive director as of July 1. He also announced, to our surprise, that Professor Elisa Bertino would not be reappointed as CERIAS Director of Research. I wish to express my deep gratitude to Elisa for her support and her participation in the growth of CERIAS; I very much value having Elisa as a colleague.

I will not make any other public comments at this time about this transition other than to voice my unequivocal support of Dongyan, and of the wonderful CERIAS staff. Dongyan is an outstanding scholar and colleague, and he has a long history of active involvement with CERIAS. I helped recruit him to Purdue in 2001 as a new assistant professor working in security, so I am very familiar with his background. He has worked with CERIAS as he has advanced through the academic ranks, so he has the experience — both professional and personal — to handle the job in this time of transition.

Looking back, I have had the honor of working with some incredible people over the last 25 years, first as leader of the COAST Laboratory, and then as the founder and (executive) director of CERIAS. CERIAS participants have set an example of "thinking differently" to effect a profound and lasting set of changes — many of which are not recognized nor appreciated locally; as with most things in academia, the further away one gets from one's home institution in space and time, the more the value of contributions is understood! It is widely acknowledged outside that our faculty, staff, and students have made a huge contribution to establishing cyber security as an academic discipline.

When CERIAS was founded in 1998, there were only four small academic groups in the world that were devoted to cyber security, and they were all quite small. CERIAS was established to help build the field, establish leadership, and investigate new ideas, all while embracing the spirit of the land-grant university to perform research in the public good. In the years since then, our local community has:

  - grown our participating faculty to over 100, with visitors and senior grads of at least as many again
  - assisted over a dozen other universities, and dozens more smaller institutions, develop curricula and degrees in the area
  - initiated research into hundreds of new topic areas, bringing in over $100 million in externally funded research
  - supported several dozen companies and government agencies in our partner program, with research, policy, and hiring

What is more, we helped show that the whole field of cyber protection is really multidisciplinary — it is more than computer science or engineering, but a rich area of study that includes a range of disciplines. Over the last 18 years, we have had faculty from 20 different academic departments participate in CERIAS activities…and still do.

Also back in 1998, there were few programs producing graduates with concentrations in cyber security. I did a survey for some Congressional testimony at the time, and found that only about 3 PhDs a year were being produced in all of the US (and almost none elsewhere) in the field (excluding cryptography). Although not explicitly part of CERIAS, which is a research-only entity, CERIAS participants also:

  - helped produce 250 new PhDs in cyber security, cyber forensics, and privacy, and many more hundreds with MS degrees
  - established the first graduate program with an explicit information security degree
  - established a graduate certificate in public policy and cyber security
  - established an[...]



Nominations solicited for the CSHOF

2016-06-13T03:26:59+00:00

The nomination cycle for the 2016 induction into the Cyber Security Hall of Fame is now open.


Details on the nomination procedure are available online.

Nominations are due by July 20.



Another year, another RSAC

2016-03-07T04:21:05+00:00

I have attended 10 of the last 15 RSA conferences. I do this to see what’s new in the market, meet up with friends and colleagues I don’t get to see too often, listen to some technical talks, and enjoy a few interesting restaurants and taverns in SF. Thereafter, I usually blog about my impressions (see 2015 and 2014, for example). I think I could reuse my 2015 comments almost unchanged…

There have been some clear trends over the years:

- The technical talks each year seem more focused on superficial approaches and issues: there seemed to be less technical content, at least in the few I observed. This goes with the rather bizarre featured talks by cast members of CSI: Cyber and Sean Penn — well known experts on cyber. Not. (Several others told me they thought the same about the sessions.) Talks a decade ago seemed to me to be deeper.
- This matches some of what I observed at booths. The engineers and sales reps at the booths have little deep knowledge about the field. They know the latest buzzwords and market-speak, but can’t answer some simple questions about security technologies. They don’t know people, terms, or history. More on this later.
- There is still an evident level of cynicism among booth personnel that surprised me, but less than last year.
- There seemed to be more companies exhibiting (both sides of Moscone were full). There also seemed to be more that weren’t there last year and are unlikely to be around next year; I estimate that as many as 20% may be one-time wonders.
- This year showed some evidence of effectiveness of new policies against “booth babes.” I talked to a number of women engineers who were more comfortable this year working at the booths. A couple indicated they could dress up a little without being mistaken for “the help.” That is a great step forward, but it needs reinforcement and consistency. At least one tried to come close to the edge and sparked some backlash.
As I noted above, the majority of people I talked to at vendor booths didn’t seem to have any real background in security beyond a few years of experience with the current market. This is a longer-term trend. The market has been tending more towards patching and remediation of bad software rather than strong design and really secure posture. It is almost as if they have given up trying to fix root causes because few end-users are willing to make the tough (and more expensive) choices. Thus, the solutions are after-the-fact, or intended to wrap broken software rather than fix it. Employees don’t need to actually study the theory and history of security if they’re not going to use it!

Of course, not everyone is in that category. There are a number of really strong experts who have extensive background in the field, but it seems to me (subjectively) that the number attending decreases every year. Related to that, a number of senior people in the field that I normally try to meet with skipped the conference this year. Many of them told me that the conference (and lodging and…) is not worth what they get from attending.

(As a data point, the Turing Award was announced during the first day of the conference. I asked several young people, and they had no idea who Diffie and Hellman were or what they had done. They also didn’t know what the Turing Award was. Needless to say, they also had no idea who I was, which is more or less what I expect, but a change from a decade ago.)

As far as buzzwords, this year didn’t really have one. Prior years have highlighted “the cloud,” “big data,” and “threat intelligence” (to recap a few). This year I thought there would be more focus on Internet of Things (IoT), b[...]



A looming anniversary, and a special offer

2015-12-06T14:31:10+00:00

It may seem odd to consider June 2016 as January approaches, but I try to think ahead. And June 2016 is a milestone anniversary of sorts. So, I will start with some history, and then an offer to get something special and make a charitable donation at the same time.

In June of 1991, the first edition of Practical Unix Security was published by O’Reilly. That means that June 2016 is the 25th anniversary of the publication of the book. How time flies! Read the history and think of participating in the special offer to help us celebrate the 25th anniversary of something significant!

History

In summer of 1990, Dan Farmer wrote the COPS scanner under my supervision. That toolset embodied a fair amount of domain expertise in Unix that I had accumulated in prior years, augmented with items that Dan found in his research. It generated a fair amount of “buzz” because it exposed issues that many people didn’t know and/or understand about Unix security. With the growth of Unix deployment (BSD, AT&T, Sun Microsystems, Sequent, Pyramid, HP, DEC, et al) there were many sites adopting Unix for the first time, and therefore many people without the requisite sysadmin and security skills. I thus started getting a great deal of encouragement to write a book on the topic.

I consulted with some peers and investigated the deals offered by various publishers, and settled on O’Reilly Books as my first contact. I was using their Nutshell handbooks and liked those books a great deal: I appreciated their approach to getting good information in the hands of readers at a reasonable price. Tim O’Reilly is now known for his progressive views on publishing and pricing, but was still a niche publisher back then. I contacted Tim, and he directed me to Debby Russell, one of their editors. Debby was in the midst of writing her own book, Computer Security Basics.
I told her what I had in mind, and she indicated that only a few days prior she had received a proposal from a well-known tech author, Simson Garfinkel, on the same topic. After a little back-and-forth, Debby introduced us by phone, and we decided we would join forces to write the book. It was a happy coincidence because we each brought something to the effort that made the whole more than the sum of its parts.

That first book was a little painful for me because it was written in FrameMaker to be more easily typeset by the publisher, and I had never used FrameMaker before. Additionally, Simson didn’t have the overhead of preparing and teaching classes, so he really pushed the schedule! I also had my first onset of repetitive stress injury to my hands — something that bothers me occasionally to this day, and has limited me over the years from writing as much as I’d like. I won’t blame the book as the cause, but it didn’t help!

The book was completed in early 1991 and included some of my early work with COPS and Tripwire, plus a section on some experiments with technology for screening networks. I needed a name for what I was doing, and taking a hint from construction work I had done when I was younger, I called it a “firewall.” To the best of our recollection, I was the one who coined that term; I had started speaking about firewalls in tutorials and conferences in at least late 1990, and the term soon became commonplace. (I also described the DMZ structure for using firewalls, although my term for that didn’t catch on.)

Anyhow…. the book appeared in the summer of 1991 and became a best seller (for its kind; last I heard, over 100,000 copies have been sold in 11 languages, and at least twice that many copies pirated). Thereafter, Simson and I also worked on a book on www security (edi[...]



Cyber Security in Stasis

2015-10-25T03:40:16+00:00

This evening, someone pointed out Congressional testimony I gave over 6 years ago. This referenced similar testimony I gave in 2001, and I prepared it using notes from lectures I gave in the early-to-mid 1990s.

What is discouraging is that if I were asked to provide testimony next week, I would only need to change a few numbers in this document and it could be used exactly as is. The problems have not changed, the solutions have not been attempted, and if anything, the lack of leadership in government is worse.

Some of us have been saying the same things for decades. I’m approaching my 3rd decade of this, and I’m a young’un in this space.

If you are interested, read the testimony from 2009 and see what you think.




Privacy, Surveillance, Freedom of Expression, and Purdue University

2015-10-13T20:54:23+00:00

On September 24 and 25 of this year, Purdue University hosted the second Dawn or Doom symposium. The event — a follow-up to the similarly-named event held last year — was focused on talks, movies, presentations, and more related to advanced technology. In particular, the focus has been on technology that poses great potential to advance society, but also potential for misuse or accident that could cause great devastation.

I was asked to speak this year on the implications of surveillance capabilities. These have the promise of improving use of resources, better marketing, improved health care, and reducing crime. However, those same capabilities also threaten our privacy, decrease some potential for freedom of political action, and create an enduring record of our activities that may be misused.

My talk was videotaped and is now available for viewing. The videographers did not capture my introduction and the first few seconds of my remarks. The remaining 40 or so minutes of me talking about surveillance, privacy, and tradeoffs are there, along with a few audience questions and my answers. If you are interested, feel free to check it out. Comments welcome, especially if I got something incorrect — I was doing this from memory, and as I get older I find my memory not to be quite as trustworthy as it used to be.

You can find video of most of the other Dawn or Doom 2 events online here. The videos of last year's Dawn or Doom event are also online. I spoke last year about some of the risks of embedding computers everywhere, and giving those systems control over safety-critical decisions without adequate safeguards. That talk, Faster Than Our Understanding, includes some of the same privacy themes as the most recent talk, along with discussion of security and safety issues.

Yes, if you saw the news reports, the Dawn or Doom 2 event is also where this incident involving Barton Gellman occurred. Please note that other than some communication with Mr. Gellman, I played absolutely no role in the taping or erasure of his talk. Those issues are outside my scope of authority and responsibility at the university, and based on past experience, almost no one here listens to my advice even if they solicit it. I had no involvement in any of this, other than as a bystander. Purdue University issued a formal statement on this incident.

Related to that statement, for the record, I don’t view Mr. Gellman’s reporting as “an act of civil disobedience.” I do not believe that activities of the media, as protected by the First Amendment of the US Constitution and by legal precedent, can be viewed as “civil disobedience” any more than can be voting, invoking the right to a jury trial, or treating people equally under the law no matter their genders or skin colors. I also share some of Mr. Gellman’s concerns about the introduction of national security restrictions into the entire academic environment, although I also support the need to keep some sensitive government information out of the public view. That may provide the topic for my talk next year, if I am invited to speak again. [...]