Archives
Seeing as this is ostensibly a crypto blog, I'd like to comment on a paper from earlier this year: It's no secret-- Measuring the security and reliability of authentication via 'secret' questions, by Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. This paper looks at the security of 'security questions': those questions about yourself you have to answer to get back into an account when you've forgotten your password. And (shock! surprise!) they find that this sort of mechanism generally sucks from a security point of view-- perhaps even more than passwords do.
The always interesting Jon Katz has recently posted a number of thought-provoking articles on the state of computer-security research and some problems therein. (See here and the follow-up here.) I have my own thoughts on the general issue (which I will post about later) but wanted to quickly reply to one particular suggestion from the comments: that we don't need journals, or at least we don't need paper journals.
In reply, I would like to state as clearly and as emphatically as I can: we need paper journals. Why? Because we are not the end of history.
The conference I'm at, CCS 2009, is scheduled to wrap up a little later today. It's been a great conference so far, and I've fully enjoyed attending it. But it occurred to me that this is the fifth major computer-security conference I've attended, and that there are some big differences between them. As a service to students and young researchers, therefore, I'd like to present a very personal and biased overview and comparison of major security conferences so that readers can decide which ones are the best uses of their travel budgets.
Between my trip to CCS last month and my employer's internal security-focused reading-group, I've been exposed to quite a bit of recent research in the area of computer security recently. Much of it has been highly technical, of course, but after a while it has sparked some very general observations about the field. Over the next few posts, I'd like to review some of the more accessible papers and use them to motivate some of those observations. In this post: why I am so frustrated by the field of academic cryptography.
Quick: what is the following text about?
... the result of the collapse of large portions of the three provinces to have a syntax which can be found in the case of Canada and the UK, for the carriage of goods were no doubt first considered by the British, and the government, and the Soviet Union operated on the basis that they were...
Give up? It's about pwning your computer, actually. That's not 'real' English text, there, but a cleverly-disguised attack on your computer.
For ten days at the beginning of 2009, a team of computer-security researchers managed to take control of a live, real-world, criminal botnet. Over those days, they observed (and recorded) the botnet harvest over 70GB of stolen data (password, bank-account number, etc.) from almost two hundred thousand subverted machines. Why did they do this? Simple curiosity, probably. But that's not nearly as interesting as how they did it, what they found, and what this means about the field of computer security.
I am pleased to announce that the 2010 Computer Security Foundations Symposium will be held in Edinburgh, UK this year, in conjunction with FLoC 2010. Once again, I am honored to serve as the Publications Chair. I also note that the remarkable Graham Steel is serving as General Chair, with the astonishing Michael Backes and Andrew Myers serving as Program Chairs, making me all the more confident that it will once again be a wonderful event.
As I have mentioned elsewhere, this is one of my favorite venues-- mostly because it is very small, very collegial, and of very high quality. But don't just take my word for it: in May of 2003, CiteSeer rated it as having the 38th largest impact among all conferences and journals in computer science. Take that, CRYPTO (#79) and Oakland (#134)!
So, if any of you feel like visiting Scotland in mid-July of 2010, this will make an excellent excuse. (But I note that the deadline for submissions is coming up fast: Feb 4 for abstracts, Feb 8 for papers. I probably should have announced this before now.)
I have no idea how this paper came about, but I'm glad it did. The first author is a computer-science professor at Cambridge University specializing in privacy and systems security. The second author is a professional scam artist and stage magician who demonstrates real-world scams on unsuspecting victims as part of a BBC television show. Together, they fight crime!
First, I should warn my non-CS readers: I had originally decided that this paper was too technical to blog about. But then I received a request that I actually discuss this specific paper, and who am I to say 'no' to a beloved reader? So be aware that this one is going to be a bit more esoteric than even usual, but I also will go somewhere with it at the end.
I would ordinarily regard this as a rather obscure piece of esoterica, too technical to blog about (and merely a technical report, besides) but:
- My beloved readers seem to like topics more technical that I would have thought, and (more importantly)
- It's my piece of obscure esoterica.
So, tech report or no, it gets a blog post.
I am proud to announce that I have been invited to join the Program Committee for The 12th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2010)-- Crypto Track. That is: this venue has a number of technical tracks, roughly reflecting different areas of study. The crypto track (to be ably co-chaired by Jonathan Katz and Gene Itkis) is new this year, but will (I trust) receive the same quality of submissions as the other, more established tracks.
While researching something unrelated, I stumbled across an interesting feature of CiteSeerX: "estimated venue impact factors." That is, it attempts to rank CS-related conferences and journals in terms of their 'impact.' However, something seems to be wrong with their algorithm-- there is no way that a single sub-specialty (security) can contain eight of the top 25 conferences.
It's good to be slapped upside the head with your own misconceptions every once in a while, even when it occurs within your own specialty. Now, I deal with other people's misconceptions about cryptography all the time. If people have heard of cryptography at all, they generally are left with the impression that
cryptography = secure = cryptography = secure = ...
This is very forgivable, but wrong.
If you are thinking of going to the IEEE Computer Security Foundations Symposium (CSF) this year, please be aware that you must register by TODAY if you want to have a print proceedings at the event itself. For various reasons (worthy of a blog-post in their own right) this year will not be like previous years. In previous years, you could register at any time and automatically receive a copy of the proceedings when you showed up. This year, on the other hand, is more complicated:
- If you register by June 10, 2010, and order a copy of the proceedings during registration, then you will get your copy when you show up at CSF.
- If you register after June 10, or register before then but don't order the proceedings, then you will have a chance to order a copy of the proceedings at CSF itself. It will be printed by a print-on-demand operation and shipped to any address you specify. Total cost: it depends, but probably on the order of $15 plus shipping. But you won't get it until after CSF ends.
- If you do not register for CSF, or do not order your copy at CSF itself, you can still order a copy from the IEEE. It will again be printed by a print-on-demand operation, and likely to be of very high quality. And it better be, for what they charge: ordering the 2009 CSF Proceedings this way will cost you about $100.
So, if you were thinking about attending CSF, let this give you the impetus to do so. It's a great conference, it's going to be co-located with a bunch of other great conferences (included in the registration-price) and it's in Edinburgh, Scotland. What more do you need?
So, GSM (Groupe Spécial Mobile) is the most widely-used standard for cellular communication. Wikipedia tells me that 80% of the cellular market uses this standard, representing about 4.3 billion people. And guess what? The encryption algorithm of this standard is completely broken-- according to this paper, anyway. And the *way* in which the paper goes about breaking the algorithm is itself beautiful, illustrating a number of common crypto flaws simultaneously.
My employer's incredible need for computer security experts continues unabated. Some new job-postings for you:
- Formal Methods Researcher
- Scientific Intellegence Analyst
- Malicious Code Analysis Researcher
Descriptions under the fold, and the full list of open jobs can be found here:
https://www.ll.apply2jobs.com/ProfExt/index.cfm?fuseaction=mExternal.showSearchInterface
Just select Group 06-68 (Cyber Systems and Technology) from the 'Group' pull-down menu. And please notice that there are two screens of job postings.
We're been recruiting like mad at my place of work, which means that I've been interviewing a lot of people recently. Many of them are just graduating college, and are trying to decide whether to join the Real World or to continue on to grad school. Many of the others are just finishing grad school, and trying to decide whether to join the Real World or pursue a professorship. I've actually been on both sides of both decisions. I did go to grad school, but only after working in the Real World (well, real-ish) for three years or so. And while I did serve as a Professor for a while (two years), I left it to return to the Real World. So I've seen both sides of the fence, for both grad school and professorships, and have some advice I'd like to share with people facing these decisions. I'll leave the professorship-question for the next post, and focus here on the decision whether or not to go back to grad school.
So, should you go back to grad school?
No.
This post is really a follow-up to my last post, in which I tried my damnedest to talk people out of going to graduate school. The rationale there was that grad school is a serious commitment with some very high hidden costs, and that while those costs may be worth it for some people, they would go to grad school no matter what I said. If I could possibly talk you out of grad school, therefore, you really shouldn't go.
When writing that post, I was planning to take the same position in this one: that if I could talk you out of being a professor, you shouldn't be one. But between then and now, I gave it more thought and realized two things:
- There is absolutely no way that I would be able to talk anybody at all out of taking a professorship.
- My feelings on professorships are more mixed than they were about graduate school.
So, I'm not going to try to talk people out of professorships after all. In fact, I'm not even going to try to answer the question in the title of this post. Instead, I'll just lay out my observations on the matter and let people decide for themselves.
I couldn't talk you out of it, huh? Best of luck to you, and I hope you enjoy it as much as I did. To help you on your way, though, here are a few resources I found helpful and which I suggest to you. (Note: all links are affiliate links.)
-
The most important skill I can recommend to you, as a new professor, is time management. This boils down two to two things: managing your commitments & projects, and focusing on your long term goals. For the first of these, I can recommend no resource higher than Getting Things Done
by David Allen. Essentially, this is just a collection of 'tricks' for collecting and managing requests/information/ideas/etc as they are thrown at you, but they work. And furthermore, they continue to work even if you implement them piecemeal, tweak them to suit your own particular way of doing things, etc. I cannot recommend it too highly. (In fact, I try to re-read it once a year or so just to see if there's anything more in there I can use. There usually is.)
Right. So with that one book, you've got the commitment/project management side covered. I wish I could recommend a similarly strong book for the other side, focusing on your long-term goals, but I haven't found one yet. David Allen has written a follow-up book on this exact topic (Making It All Work
) but I haven't read it yet. A lot of people seem to find inspiration in Seven Habits of Highly Effective People
, but I found it a little insipid. Your mileage may vary.
If anyone has a good book on the topic they'd like to recommend, can they please leave it in the comments?
-
Teaching is a skill. It helps to have talent, but everyone's got some learning to do before they get good at it. Now, you can learn from your own painful experience, but I prefer to learn from other people's painful experience instead. And the best book I can recommend for in-classroom teaching skills is The Torch or the Firehose by Arthur P. Mattuck, a pamphlet published by MIT for its TAs. Everything I learned about working a classroom, I learned from that book. (And every time I deviated from its good advice, I regretted it.) It's good, and it's free. Go download it.
-
As for everything else, I recommend Advice for New Faculty Members
, by Robert Boyce. In particular, I especially appreciate that this is not a collection of tricks. Instead, it tries to instill a specific mindset to have-- one which focuses on maintaining equilibrium for the long haul. From the table of contents: "Wait" (Chapter 1), "Stop" (Chapter 4), and "Let others do some of the work" (Chapter 7). The book does have its share of specific advice and tricks, but the thing that sets it apart from other books on the topic is this zen-like mindset of moderation in all things. Like Getting Things Done
Do any of the other professors out there have other suggestions to throw in?
