security research

I couldn't talk you out of it, huh? Best of luck to you, and I hope you enjoy it as much as I did. To help you on your way, though, here are a few resources I found helpful and which I suggest to you. (Note: all links are affiliate links.)

  • The most important skill I can recommend to you, as a new professor, is time management. This boils down to two things: managing your commitments & projects, and focusing on your long term goals. For the first of these, I can recommend no resource higher than Getting Things Done by David Allen. Essentially, this is just a collection of 'tricks' for collecting and managing requests/information/ideas/etc as they are thrown at you, but they work. And furthermore, they continue to work even if you implement them piecemeal, tweak them to suit your own particular way of doing things, etc. I cannot recommend it too highly. (In fact, I try to re-read it once a year or so just to see if there's anything more in there I can use. There usually is.)

    Right. So with that one book, you've got the commitment/project management side covered. I wish I could recommend a similarly strong book for the other side, focusing on your long-term goals, but I haven't found one yet. David Allen has written a follow-up book on this exact topic (Making It All Work) but I haven't read it yet. A lot of people seem to find inspiration in Seven Habits of Highly Effective People, but I found it a little insipid. Your mileage may vary.

    If anyone has a good book on the topic they'd like to recommend, can they please leave it in the comments?

  • Teaching is a skill. It helps to have talent, but everyone's got some learning to do before they get good at it. Now, you can learn from your own painful experience, but I prefer to learn from other people's painful experience instead. And the best book I can recommend for in-classroom teaching skills is The Torch or the Firehose by Arthur P. Mattuck, a pamphlet published by MIT for its TAs. Everything I learned about working a classroom, I learned from that book. (And every time I deviated from its good advice, I regretted it.) It's good, and it's free. Go download it.

  • As for everything else, I recommend Advice for New Faculty Members, by Robert Boice. In particular, I especially appreciate that this is not a collection of tricks. Instead, it tries to instill a specific mindset to have-- one which focuses on maintaining equilibrium for the long haul. From the table of contents: "Wait" (Chapter 1), "Stop" (Chapter 4), and "Let others do some of the work" (Chapter 7). The book does have its share of specific advice and tricks, but the thing that sets it apart from other books on the topic is this zen-like mindset of moderation in all things. Like Getting Things Done, above, 90% of this book will go over your head the first time you read it. I suggest you re-read it every year or so until there's nothing more in it to be gained. (And if you ever get to that point, you've made it well past me.)

Do any of the other professors out there have other suggestions to throw in?

This post is really a follow-up to my last post, in which I tried my damnedest to talk people out of going to graduate school. The rationale there was that grad school is a serious commitment with some very high hidden costs, and that while those costs may be worth it for some people, they would go to grad school no matter what I said. If I could possibly talk you out of grad school, therefore, you really shouldn't go.

When writing that post, I was planning to take the same position in this one: that if I could talk you out of being a professor, you shouldn't be one. But between then and now, I gave it more thought and realized two things:

  • There is absolutely no way that I would be able to talk anybody at all out of taking a professorship.
  • My feelings on professorships are more mixed than they were about graduate school.

So, I'm not going to try to talk people out of professorships after all. In fact, I'm not even going to try to answer the question in the title of this post. Instead, I'll just lay out my observations on the matter and let people decide for themselves.

We've been recruiting like mad at my place of work, which means that I've been interviewing a lot of people recently. Many of them are just graduating college, and are trying to decide whether to join the Real World or to continue on to grad school. Many of the others are just finishing grad school, and trying to decide whether to join the Real World or pursue a professorship. I've actually been on both sides of both decisions. I did go to grad school, but only after working in the Real World (well, real-ish) for three years or so. And while I did serve as a Professor for a while (two years), I left it to return to the Real World. So I've seen both sides of the fence, for both grad school and professorships, and have some advice I'd like to share with people facing these decisions. I'll leave the professorship-question for the next post, and focus here on the decision whether or not to go back to grad school.

So, should you go back to grad school?

No.

My employer's incredible need for computer security experts continues unabated. Some new job-postings for you:

  • Formal Methods Researcher
  • Scientific Intelligence Analyst
  • Malicious Code Analysis Researcher

Descriptions under the fold, and the full list of open jobs can be found here:

https://www.ll.apply2jobs.com/ProfExt/index.cfm?fuseaction=mExternal.showSearchInterface

Just select Group 06-68 (Cyber Systems and Technology) from the 'Group' pull-down menu. And please notice that there are two screens of job postings.

So, GSM (Groupe Spécial Mobile) is the most widely-used standard for cellular communication. Wikipedia tells me that 80% of the cellular market uses this standard, representing about 4.3 billion people. And guess what? The encryption algorithm of this standard is completely broken-- according to this paper, anyway. And the *way* in which the paper goes about breaking the algorithm is itself beautiful, illustrating a number of common crypto flaws simultaneously.

If you are thinking of going to the IEEE Computer Security Foundations Symposium (CSF) this year, please be aware that you must register by TODAY if you want to have a print proceedings at the event itself. For various reasons (worthy of a blog-post in their own right) this year will not be like previous years. In previous years, you could register at any time and automatically receive a copy of the proceedings when you showed up. This year, on the other hand, is more complicated:

  • If you register by June 10, 2010, and order a copy of the proceedings during registration, then you will get your copy when you show up at CSF.
  • If you register after June 10, or register before then but don't order the proceedings, then you will have a chance to order a copy of the proceedings at CSF itself. It will be printed by a print-on-demand operation and shipped to any address you specify. Total cost: it depends, but probably on the order of $15 plus shipping. But you won't get it until after CSF ends.
  • If you do not register for CSF, or do not order your copy at CSF itself, you can still order a copy from the IEEE. It will again be printed by a print-on-demand operation, and likely to be of very high quality. And it better be, for what they charge: ordering the 2009 CSF Proceedings this way will cost you about $100.

So, if you were thinking about attending CSF, let this give you the impetus to do so. It's a great conference, it's going to be co-located with a bunch of other great conferences (included in the registration-price) and it's in Edinburgh, Scotland. What more do you need?

It's good to be slapped upside the head with your own misconceptions every once in a while, even when it occurs within your own specialty. Now, I deal with other people's misconceptions about cryptography all the time. If people have heard of cryptography at all, they generally are left with the impression that

cryptography = secure = cryptography = secure = ...

This is very forgivable, but wrong.

I would ordinarily regard this as a rather obscure piece of esoterica, too technical to blog about (and merely a technical report, besides) but:

  1. My beloved readers seem to like topics more technical than I would have thought, and (more importantly)
  2. It's my piece of obscure esoterica.

So, tech report or no, it gets a blog post.

While researching something unrelated, I stumbled across an interesting feature of CiteSeerX: "estimated venue impact factors." That is, it attempts to rank CS-related conferences and journals in terms of their 'impact.' However, something seems to be wrong with their algorithm-- there is no way that a single sub-specialty (security) can contain eight of the top 25 conferences.

I am proud to announce that I have been invited to join the Program Committee for The 12th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2010)-- Crypto Track. That is: this venue has a number of technical tracks, roughly reflecting different areas of study. The crypto track (to be ably co-chaired by Jonathan Katz and Gene Itkis) is new this year, but will (I trust) receive the same quality of submissions as the other, more established tracks.