Emergent Chaos » conferences

A quick pointer

cwalsh — Mon, 30 Jan 2012 04:43:38 +0000

I wrote a blog post regarding the BSidesSF/RSA conf dust-up.

(If I knew how to work Adam’s twitter integration thingy, you’d have been spared this)

We Robot: The Conference

adam — Tue, 29 Nov 2011 16:33:26 +0000

This looks like it has the potential to be a very interesting event:

The University of Miami School of Law seeks submissions for “We Robot” – an inaugural conference on legal and policy issues relating to robotics to be held in Coral Gables, Florida on April 21 & 22, 2012. We invite contributions by academics, practitioners, and industry in the form of scholarly papers or presentations of relevant projects.

We seek reports from the front lines of robot design and development, and invite contributions for works-in-progress sessions. In so doing, we hope to encourage conversations between the people designing, building, and deploying robots, and the people who design or influence the legal and social structures in which robots will operate.

Robotics seems increasingly likely to become a transformative technology. This conference will build on existing scholarship exploring the role of robotics to examine how the increasing sophistication of robots and their widespread deployment everywhere from the home, to hospitals, to public spaces, and even to the battlefield disrupts existing legal regimes or requires rethinking of various policy issues.

They’re still looking for papers at: http://www.we-robot.com. I encourage you to submit a paper on who will get successfully sued when the newly armed police drones turn out to be no more secure than Predators, with their viruses and unencrypted connections. (Of course, maybe the malware was just spyware.) Bonus points for entertainingly predicting quotes from the manufacturers about how no one could have seen that coming. Alternately, what will happen when the riot-detection algorithms decide that policemen who’ve covered their barcodes are the rioters, and opens fire on them?

The possibilities for emergent chaos are nearly endless.

The 1st Software And Usable Security Aligned for Good Engineering (SAUSAGE) Workshop

adam — Wed, 08 Dec 2010 03:15:26 +0000

National Institute of Standards and Technology
Gaithersburg, MD USA
April 5-6, 2011

Call for Participation
The field of usable security has gained significant traction in recent years, evidenced by the annual presentation of usability papers at the top security conferences, and security papers at the top human-computer interaction (HCI) conferences. Evidence is growing that significant security vulnerabilities are often caused by security designers’ failure to account for human factors. Despite growing attention to the issue, these problems are likely to continue until the underlying development processes address usable security.

See http://www.thei3p.org/events/sausage2011.html for more details.

Black Hat Slides

adam — Thu, 29 Jul 2010 21:26:16 +0000

My talk at Black Hat this year was “Elevation of Privilege, the Easy Way to Get Started Threat Modeling.” I covered the game, why it works and where games work. The link will take you to the PPTX deck.

Black Hat Best Practices

adam — Mon, 26 Jul 2010 14:31:48 +0000

Breath mints
Ricola
Purell
Advil
Gatorade.

Hacker Hide and Seek

adam — Tue, 20 Jul 2010 15:20:32 +0000

Core Security ~~Ariel Waissbein~~ has been building security games for a while now. ~~He was~~ They were kind enough to send a copy of ~~his~~ their “Exploit” game after I released Elevation of Privilege. [Update: I had confused Ariel Futoransky and Ariel Waissbein, because Waissbein wrote the blog post. Sorry!] At Defcon, he and his colleagues will be running a more capture-the-flag sort of game, titled “Hide and seek the backdoor:”

For starters, a backdoor is said to be a piece of code intentionally added to a program to grant remote control of the program — or the host that runs it – to its author, that at the same time remains difficult to detect by anybody else.

But this last aspect of the definition actually limits its usefulness, as it implies that the validity of the backdoor’s existence is contingent upon the victim’s failure to detect it. It does not provide any clue at all into how to create or detect a backdoor successfully.

…

A few years ago, the CoreTex team did an internal experiment at Core and designed the Backdoor Hiding Game, which mimics the old game Dictionary. In this new game, the game master provides a description of the functionalities of a program, together with the setting where it runs, and the players must then develop programs that fulfill these functionalities and have a backdoor. The game master then mixes all these programs with one that he developed and has no backdoors, and gives these to the players. Then, the players must audit all the programs and pick the benign one.

First, I think this is great, and I look forward to seeing it. I do have some questions. What elements of the game can we evaluate and how? A general question we can ask is “Is the game for fun or to advance the state of the art?” (Both are ok and sometimes it’s unclear until knowledge emerges from the chaos of experimentation.) His blog states “We discovered many new hiding techniques,” which is awesome. Games that are fun and advance the state of the art are very hard to create. It’s a seriously cool achievement.

My next question is, how close is the game to the reality of secure software development? How can we transfer knowledge from one to the other? The rules seem to drive backdoors into most code (assuming they all work, (n-1)/n). That’s unlike reality, with a much higher incidence of backdoors than exist in the wild. I’m assuming that the code will all be custom, and thus short enough to create and audit in a game, which also leads to a higher concentration of backdoors per line of code. That different concentration will reward different techniques from those that could scale to a million lines of code.

More generally, do we know how to evaluate hiding techniques? Do hackers playing a game create the same sort of backdoors as disgruntled employees or industrial spies? Because of this contest and the Underhanded C Contests, we have two corpuses of backdoored code. However, I’m not aware of any corpus of deployed backdoor code which we could compare.

So anyway, I look forward to seeing this game at Defcon, and in the future, more serious games for information security.

Previously, I’ve blogged about the Underhanded C contest here and here

SOUPS Keynote & Slides

adam — Fri, 16 Jul 2010 13:54:45 +0000

This week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:”

In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the engineer. All too often, engineers are assumed to have infinite time and skills for usability testing and iteration. They have time to read papers, adapt research ideas to the specifics of their product, and still ship cool new features. This talk will bring together lessons from enabling Microsoft’s thousands of engineers to threat modeling effectively, share some new approaches to engineering security usability, and propose new directions for research.

A fair number of people have asked for the slides, and they’re here: Engineers Are People Too.

Visual Notetaking

Richard — Tue, 10 Nov 2009 09:09:12 +0000

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have a professional notetaker who is using this. It really makes the notes much more powerful and useful then just text. Imagine having notes with visual cues to (including but not limited to network diagrams) help you remember what happened. I’m sitting here looking at the posters, the notetaker made in real time with our discussions and it’s amazing how much more useful they are.

Mini Metricon 4.5 Call for Participation

cwalsh — Sat, 07 Nov 2009 14:05:09 +0000

[Posting this here to help get the word out - Chris ]
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees are eligible for free RSA exhibit passes.
Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).
Place: University of San Francisco (walking distance to the Moscone Center)
Time: 8:30am to 4:30pm
Participation: by invitation.
Attendance: Limited to 80 people
Additional details, including links to past workshops, presentations, and digests, as well as a calendar with important dates and instructions for submitters is available at securitymetrics.org

RSA 2010 Call for Proposals: August 14

adam — Mon, 10 Aug 2009 10:46:48 +0000

RSA 2010 Call for Speaking Proposals. You know you want to.