Tuesday, April 17, 2007

Midwest Security Workshop

The third Midwest Security Workshop is to be held on the 21st of this month. If you are somewhere close to Purdue and interested in information security, come join us!

Monday, April 16, 2007

Talk: A Quant Looks at the Future

Dan Geer (Verdasys) was the closing speaker of the 8th CERIAS Security Symposium. I really enjoyed his talk and the loud applause at the end confirmed that the majority did as well. It was truly amazing how he had synthesized his thoughts through a series of graphs. He's a real quant(itative guy) !

The crust of his talk was that we need to protect data not the infrastructure where the data is transmitted. Those who are in possession of data will rule the world!



Based on the NCMS data, he beautifully talked about the connection between the degree of collaboration and anticipation/mitigation costs.



And another fact...phishing is a profession!


Sunday, April 15, 2007

Ugly side of blogging

Creating Passionate Users is one of the blogs that I enjoy reading. Kathy (aka a master mind behind head first series) is the primary blogger. Now she has temporarily stopped blogging after receiving various threats. I hope she'll not give in to those few people who cannot bear her success.

Randomly I selected two posts I liked:

The first one..
How to become an expert.. As she puts it so eloquently, "The only thing standing between you-as-amateur and you-as-expert is dedication". The following diagram shows it all.


(Courtesy: Creating Passionate Users)

The second one
Code like a girl... I am talking about true beauty here and it cannot be precisely defined as goes with the famous line "beauty lies in the eyes of the beholder". As a person who likes numbers a lot, I sometime come across beautiful mathematical equations. I like Kathy's idea of associating coding with beauty. The code we write should not only act right but look right ;-)

Wednesday, April 11, 2007

Talk: Dumb Ideas in Computer Security

(The last) Talk #3 for the day: If I rated this talk by 1 to 10 scale with 10 being the best, I'd give all ten points without holding anything back! It goes with the line "best things come last" (actually I am rather short of words to express it, maybe there's a related line, anyway, this is how we say it in our mother tongue "hoda hoda sellum eliwena jameta" :-)

The presenter was Dr Charles P Pfleeger, a consultant, speaker, educator and author on computer and information system security. It was done as part of CERIAS seminar.

He talked about 6 dumbest ideas in computer security. These are additions to what Markus J. Ranum had to say about the $subject. Here is the summary of what I remember out of his talk.

#1 We'll do security later.
The idea is you cannot retrofit security. You have to think about security up front.

#2 We'll do privacy later.
The idea is we should have fair information practices. You have to tell user what you are going to do with their data.

#3 Encryption cure all.
Encryption is over-rated. You need to think about the period where the data is in the plain. For example, even if you have end-to-end encryption where you don't have data in the clean in transit, you still have data in the clear at the start of the transaction and at the end of the transaction. Other issues, which are less sever compared to the one I mentioned above, are key management and implementation/algorithm weakness.

#4 You have either perfect security or nothing
Putting in his own words, providing security is not like riding a tight rope where you are either on the rope or not. Security is a continuum. It's not practical, even unnecessary, to seek to provide more security than required. You have to quantify the risk you have and you need to decide how much risk you are willing to take. In other words, we need to keep the security requirements sensible.

#5 Separation is Unnecessary
The idea is controlled sharing requires separation. Just like, you have to draw a line between spectators from players, you have to think about different levels of security. This idea is not new; in fact, it was introduced in operating systems way back in 1970's..we went back into old habits in 1980's..now now we are again getting back to good old principles.

#6 It's easy - we can do security ourselves
This idea is not very clear to me yet. Have to read some of the references he cited to get a real understanding of it. However, the idea is the program complexity inhibits security; so it is more difficult to enforce security than you may think with the complexity of the code.

Some post-talk thoughts:
Most of the papers I have seen in security areas try to come up with security solutions (complete security solutions, if you will) that do not consider about some of the misconceptions mentioned above (for example, risk vs. gain analysis).
Another thing that I ponder about is, do we, in the security field, actually put enough weight into understanding who is going to use our solutions, how they are different in interpreting solutions we provide, etc.

That's it from me about the talk!

<sport>
I've just looked at the world cup super 8, cricket match score between England and Bangladesh. England has managed to limp pass Bangladesh. Had Tigers (Bangladesh team) put a few more runs on the board, they could have caused the third (first, second) famous upset in the world cup. Tomorrow we, lions (Sri Lankan team) take on black hats (New Zealand team). I think our team is in a good shape to seal the victory.
</sport>

<study>
Now it's time to get back to other fun stuff. I need to do some finishing touches on the operating system paging lab which is due tomorrow 11.59.59 pm ;-) and get into the fast track of preparing for the two quals I am taking in two weeks time. And also I need to prepare a report for the independent study I am doing. I will have to wait to reveal more about that work until the paper gets accepted. So stay tuned!
</study>

There are bunch of papers related to the $subject. Maybe I'll put out a list with my interpretation when I get some time.

Talk: Browser Security: A New Research Territory

Talk #2 for the day: By Dr. Shuo Chen, Microsoft Research. His talk was centered around two papers (technical reports if you will) published:

1. A Systematic Approach to Uncover Security Flaws in GUI Logic
2. Light-Weight Transparent Defense Against Browser Cross-Frame Attacks Using Script Accenting

As the $subject and $titles imply, their goal is to improve security in web browsers: though he presented the concepts citing examples using IE, most of the issues prevail in other browsers as well.

One thing that fascinated me is the systematic approach they took to reason about the security. In more specific terms, they initially have clearly defined the system invariants and made sure that the invariants are maintained through out. (This is what we call formal verification.)

He beautifully explained how (smart) hackers have exploited logic bugs in browser interfaces to launch phishing attacks (some of them are very subtle) and went out to talk about how to uncover systematically and fix them.

The next area he talked about is how do deal with browser cross-domain attacks. He showed how hackers have exploited, among other things, race conditions to launch such attacks and provided some insight about script accenting technique he has developed to counter them.

The talk was well worth the time!

One last thought about it...If hackers can exploit browser inconsistencies (may be bugs) with the black box techniques (they know the general techniques that all browsers use), I wonder how many more attacks we would have seen if proprietary browser codes are made public. Doesn't it violate one of the pillars of security?: "the security of a mechanism should not depend on the secrecy of its implementation".

Talk: Managing Uncertainty Using Probabilistic Databases

With the frequency (Nyquist-Shannon sampling theorem should give you an idea of how fast I need to be to keep up with the information in flow :-) of talks I am attending to and the palate full of other work, I usually don't get much time to randomize ;-) those talks. Enough about beating the bush..let's get started with the $subject..

Talk #1 for the day: By Nilesh Dalvi (PhD Candidate, University of Washington) who is being considered for a faculty position at Purdue. It's that time of the year at Purdue where many faculty candidate talks are organized and I usually don't miss any talk that touches my area of interest. (One incentive to go there is you get free food..I am just kidding :-). Getting even a slot to be considered as a faculty candidate at Purdue is quite tough..so these guys are really really prepared with their stuff). Although databases/data mining is not my main area of research, I do find it interesting. His talk was centered around data mining approach to measuring uncertainty more or less objectively in information retrieval from probabilistic databases. Well, he presented what he ate, drank, slept on for the last 5 years. You can get direct access to most of the papers he authored/co-authored from his home page. His talk rekindled my liking about probability and statistics techniques I learnt back in high school (well we call it GCE advanced level) and then later in undergrad studies at the University of Moratuwa. OTOMH, some of the highlights of his talk:

-how do we rank query results from a probabilistic databases?
-how do we efficiently evaluate queries on probabilistic databases? (they have an implementation adding some more syntax to existing SQL)
-how do we reason about the privacy in data sharing with many published views (snapshots if you will) from a database irrespective of how large is our sample?
-how do we come up with optimization techniques for queries which are NP-complete?

Seminar Bingo!

I've been attending quite a few seminars (cs faculty candidate talks, cerias security seminar series, industry talks, etc)..I am thinking if I should take this card with me ;-) to rate the talks. For more cards click here or here ;-)