Today I spent the day with my daughter, and got to meet two of her three roommates for her sophomore semester: Varsha and Hayden. We spent the day with Varsha and Erin visiting the Legion of Honor Fine Art Museum (for one of their Art History projects), and had dinner with Erin and Hayden. I’ll note that at the Legion of Honor, we saw one of the most moving Holocaust memorials I have ever seen. So art and history are on my mind, plus a little bit of science and security…
In the history department, I have a few deaths (or potential deaths) of interest:
- Yvonne Brill. The LA Times has an interesting writeup on Yvonne Brill, who died March 27 at age 88. Brill was a very important woman rocket scientist and engineer who developed a revolutionary propulsion system that remains the industry standard for keeping unmanned spacecraft in constant, stationary orbit. Later in her career, she became the director of the space shuttle’s solid rocket motor program for NASA. In the last quarter-century of her life, she strove to help others pursue careers in science and math and especially pushed for women to achieve scientific recognition. Still, at one point, she moved to the East Coast to support her husband’s career, noting “good jobs are easier to find than good husbands.”
- Martyl Langsdorf. The St. Louis Post Dispatch is reporting the death last month of Martyl Langsdorf, who designed what has been called the world’s scariest logo — the Doomsday Clock of the Bulletin of the Atomic Scientists. Since its introduction in 1947, the drawing of the Doomsday Clock has kept watch as international incidents flared. The clock is a symbol of the nuclear age, whose minute hand moves closer to midnight — and presumed annihilation — with each major immediate danger. The clock hands can also move backward, if tensions cool. The hand has moved only 20 times during the past 65 years. It currently stands at five minutes to midnight.
- CPI Corporation. You probably haven’t heard of CPI Corporation, which abruptly shut down last week. CPI Corporation is better known as the provider of photo studios in Sears and some Wal-Mart stores, and their shutdown deprives parents of an old-fashioned way of taking awkward photos of their children. Of course, there is always the cell phone.
- Time Magazine. The Atlantic has an interesting article on how the death of Time Magazine may be soon, as they haven’t managed the Internet transition well.
Turning to the science side: a number of interesting computer security articles. First, Israeli hackers have started attacking back at anti-Israel groups that have vowed to wipe Israel off the Internet. Next, researchers at Washington University in St. Louis have uncovered a way to fingerprint credit cards to address credit card fraud. Lastly, a data breach at a St. Louis supermarket chain has alerted a large number of people to the risks of how data is handled.
Finally, a PS: To my friends who are involved with Northern Faire: Erin is interested in going this year, so I’ll be glad to forward to her any information on how to get discount tickets &c. (and how to coordinate transportation). She’s also likely interested in Dickets. She’s at UC Berkeley.
Music: Alive Alive-O (Jose Feliciano): “The Comedy Bit”
Bruce Schneier has come out saying that Security Awareness training isn’t worth the money, and I couldn’t disagree more. Specifically, Schneier has said:
I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.
Bruce’s statement and belief reflect the fallacy and overconfidence of the engineer. I saw this discussed once in a seminar on highway safety, where the highway engineers talked about how they once believed that they could eliminate traffic fatalities solely by engineering better highways and better cars. They soon learned that wasn’t enough — they needed the four Es:
- Engineering
- Enforcement
- Education
- Emergency Response
Engineering highways — or security — is only part of the picture. You still need to have policies and enforce them. You still need to teach users to be aware of threats and to know how to respond. And you need emergency response to ensure your systems are not killed by the attacks — that they are resilient and can recover.
Awareness training is a vital part of this. Yes, you can engineer away some of the problems. But you can’t get rid of them all, and you certainly need to educate about social engineering attacks.
Bruce — I’m surprised at you for this statement.
(and now it is off to the shower before I go to work….)
Earlier this week, I wrote about the negative impacts of the Internet on society. Today’s news chum deals with a similar subject: the impacts of the Internet and technologies on industry and academia:
- Let’s Go To The Movies… Let’s Go To A Picture Show. Technology is having a big impact on your local theater. The model is changing: people have discovered there are many different ways to go see a movie. The theater is an aging industry that’s been run more or less the same way for generations, and it’s competing with a host of technologies and distribution channels that make it unnecessary to schlep to the multiplex at a set time. But strangely the business is hanging in there, largely due to big-budget, multiple-picture franchises. People are going to the newer theaters, impacting older multiplexes. Even then, the industry trend is toward upscale theaters with reservations, plush seating, drinks, and other fancy amenities. This is raising ticket prices to between $18 and $20, with even higher prices for 3D movies. People wonder why I go to so much live theatre, and I tell them I can usually get tickets for prices comparable to movies (especially through services such as Goldstar). I’m paying $17.50, with service charges, for tickets to Company in North Hollywood. Why go to the theater when the theatre is so cheap?
- You Turn Me On, I’m a Radio. The movie theater isn’t the only place impacted by technology; radio is too. Modern technologies, such as satellite radio, Internet radio, and MP3 players are killing terrestrial radio, which is increasingly seeing commercial bloat… which further drives people away. You can’t easily get portable radios these days (when was the last time you saw someone listening to a “transistor radio”?); the primary listening place for radio now is the automobile. And even auto manufacturers are moving away from AM and FM — for example, new Fords will be able to play music off the Amazon Cloud. Radio will soon only be used for traffic reports and news, and that is most likely only because Google News and Google Traffic Maps make one take their eyes off the road. These changes also have an effect on artists: as music streaming has grown, artists have seen their royalties drop (because the streaming services don’t pay the same royalties as radio).
- In The Classroom. Even the classroom isn’t immune. The Daily Cal at UC Berkeley has an interesting article on how the classroom is being transformed. Large lecture sessions are being webcast (my daughter is in one such lecture for her Astronomy class), and interactions with the instructors occur via Twitter and other mechanisms. Many find this approach liberating; I’d find it annoying.
- Strip Searches and Privacy. Even the lowly power strip is not immune. DARPA has funded a power strip that can be used as a launching point for network attacks. Presumably, this is via the power protection for the network lines or people using networking over electrical wiring, but still… (and in a related article, it appears the LA Times at one point was serving malware off their deals site, but isn’t anymore). The “smart” power strip could conceivably monitor what you do as well. But privacy is at risk from many things… from proposed car black boxes to those e-readers that people like so much.
Well, it’s Friday, and you know what… what do you mean it is Thursday… to me, it is virtual Friday, as starting tomorrow I’m taking off to the end of the year. So as I said… well, it’s Friday, and you know what that means… Time to clear out the accumulated links:
- Blood Types. We’re all aware of different blood types for people (and some of us even know our blood types, but not me). Have you ever thought about whether humans are unique in having blood types? We’re not, and this article from Mental Floss looks at the different blood types of dogs and cats. A co-worker basically said what one of the comments said: for dogs, they often are universal until the first transfusion.
- End of the World. Tomorrow, or is it Saturday (I guess it depends on your time zone) is the end of the world. What? You didn’t know? In any case, you can be prepared. Evidently, the Zombie Apocalypse Store in Las Vegas is doing thriving business.
- The Mail Will Get Through. Even if the world ends, the mail will still get through. I know, because Tom Paxton told me. It will certainly get through to Santa. In fact, an enterprising teacher in a Missouri school district is having her students write paper letters to Santa Claus. This bothers me quite a bit. I have no problem with the exercise and having students write letters. That’s good. The problem is that they are to Santa… seemingly irrespective of the student’s beliefs… and being imposed by a public school district.
- A Word from Our Sponsor. I noticed in the Ventura County Star today a report that a Christian radio network has bought 92.7 FM in Thousand Oaks. This is worrisome to me, as 92.7 used to be Jill-FM, and was a sponsor of Cabrillo Music Theatre.
- Password Generation. One of my favorite tricks that I recommend for generating passwords is to take a map — the older, the better — and use names from that map to give you a series of words (which you connect with special characters) that can create a password (I normally take the first 2-4 letters of each and do some substitutions). Old transit maps are great for this, so when I saw on the big map blog the 1900 map of the Union Pacific railroads and steamships I figured it was worth highlighting (and no, I don’t use this map).
- Jail vs. Prison. Lastly, an article that highlights an interesting language distinction: jail vs. prison. The article is about Iron County Missouri’s 145-year-old ‘dungeon’. This is an incredibly old jail, constructed two years after Lincoln was elected and still in use, un-remodeled.
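To make the map trick above concrete, here is a small Python sketch of the recipe, added for this post rather than taken from anything I actually use: pick a few names off a map, keep the first 2-4 letters of each, run a fixed substitution table over them, and connect the pieces with special characters. The station names in `SAMPLE_NAMES` are constructed for the example and not read off any particular map; `SEPARATORS` and `SUBSTITUTIONS` are one possible choice of recipe, not the only one. The useful part for anyone weighing the trick is `estimate_entropy_bits`, which puts a ceiling on how many guesses the result can withstand once the map and the recipe are assumed known.

```python
import math
import secrets

# Constructed sample: a handful of station names standing in for names read off an old
# transit map (made up for this example, not taken from any particular map).
SAMPLE_NAMES = ["Omaha", "Cheyenne", "Ogden", "Laramie", "Evanston", "Sidney", "Kearney", "Rawlins"]

# Connectors placed between fragments. Deliberately disjoint from the substitution
# outputs below so a finished password can be split back into its fragments.
SEPARATORS = "!#%^&*-_=+"

# Fixed, recipe-style letter substitutions, applied to lowercase letters only.
SUBSTITUTIONS = {"a": "@", "o": "0", "e": "3", "i": "1", "s": "$"}


def apply_substitutions(fragment: str) -> str:
    """Apply the fixed substitution table; uppercase letters are left alone."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in fragment)


def generate_password(names, word_count=4, min_len=2, max_len=4) -> str:
    """Build a password from word_count name prefixes joined by random separators.

    Every choice (which name, how many leading letters to keep, which separator
    sits between each pair of fragments) comes from the OS CSPRNG. Names are
    assumed to be at least min_len characters long.
    """
    rng = secrets.SystemRandom()
    parts = []
    for _ in range(word_count):
        name = rng.choice(names)
        length = rng.randint(min_len, min(max_len, len(name)))
        parts.append(apply_substitutions(name[:length]))
    password = parts[0]
    for part in parts[1:]:
        password += rng.choice(SEPARATORS) + part
    return password


def fragments(password: str) -> list:
    """Split a generated password back into its name fragments, dropping separators."""
    parts, current = [], ""
    for ch in password:
        if ch in SEPARATORS:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def estimate_entropy_bits(name_count, word_count=4, min_len=2, max_len=4,
                          separator_count=len(SEPARATORS)) -> float:
    """Upper bound on guessing entropy when the map and the recipe are both known.

    Each fragment is one of name_count names at one of (max_len - min_len + 1)
    lengths; each of the word_count - 1 separators is one of separator_count
    symbols. The substitutions are deterministic and add nothing. Names that share
    a prefix collapse onto the same fragment, so the true figure is lower still.
    """
    per_fragment = name_count * (max_len - min_len + 1)
    combos = per_fragment ** word_count * separator_count ** (word_count - 1)
    return math.log2(combos)


if __name__ == "__main__":
    pw = generate_password(SAMPLE_NAMES)
    print(pw, fragments(pw))
    print(f"{estimate_entropy_bits(len(SAMPLE_NAMES)):.1f} bits with {len(SAMPLE_NAMES)} names")
    print(f"{estimate_entropy_bits(2000):.1f} bits with 2000 names")
```

With the eight sample names the ceiling is roughly 28 bits; a real map with a couple of thousand names pushes it to roughly 60 bits, and that difference is the whole reason to use a big, obscure map rather than a handful of places you would name from memory. The substitutions make the result look less like dictionary words but, because they are a fixed recipe, they do not add to the count.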
I’ve been the training chair for the Annual Computer Security Applications Conference since 1990. In my over 20 years in this position, I’ve seen what was a very popular training program decrease in attendance. Whereas in the past we regularly had attendance for courses in the 15-35 student range, of late the attendance has been in the single digits (of course, there are always a few exceptional courses). That’s true again this year, even with (what I believe to be) one of our strongest training programs in years (look at Monday and Tuesday). [I certainly encourage all of my readers to attend the conference, and to encourage your friends to attend and take training courses.]
I’ve been trying to figure out the reasons for the decline in the program, and what to do about it. This post is part of that effort: I’d love comments that might help me figure out how to move the program forward in the future. Here’s what I think are some of the problems:
- Publicity. As always, our publicity for the courses is poor. They tend to be subsumed into the technical program, and it is difficult to figure out what is a tutorial/training course and what is not. Part of this is due to how the Advance Program has changed: there used to be a separate section highlighting the training program and the courses, and it’s not there anymore. Part of this is due to a change in format: I’m of the strong belief that our move to electronic notification methods makes publicity in general less effective. People ignore email blasts and web pages except when they are seeking information. At least with mailed advance programs, if the target wasn’t interested, they could put it on a board or hand it to a colleague.
- Growth of the Field. When ACSAC started back in the late 1980s, it was one of three major computer security conferences: ACSAC, IEEE (Oakland), and the NCSC. Today? There are hundreds and hundreds of conferences, each providing their own aspect of training. There are also online webinars, courses at local universities, and such. People don’t need to go to ACSAC to get their training, especially in a short course format for which they pay $$$.
- Changing Budgets. Related to the last point is the change in budget. It is harder and harder for commercial contractors, defense contractors, and government to get funds to go to conferences. When they do, they need to be able to get something they can’t get elsewhere. That’s certainly true for the technical program — you only get the papers at the conference. That’s also true for workshops, where there is interaction with others in the field. Training courses? As noted above, those are increasingly available. With tighter budgets, it is harder to justify travel dollars for courses, even with CISSP requirements.
- Changing Audience. One problem the conference has had is a changing audience. We’re working to fix that, but right now, the conference has become more academic. Contractors and government need tutorials to keep abreast of a changing field (and to maintain their CISSPs). Academics? Much less so. As the conference has become more academic, I believe the interest of that side for tutorials has gone down.
So what should the conference do about the situation? I haven’t fully worked that out yet. We already have an effort underway to restore the mix of the conference. Hopefully, this will increase the participation of industry and government. Doing that should help out the training courses some. Beyond that, however, what should we do? Here are some ideas:
- Reduce Tutorial Days. If we reduce the number of paid tutorials, we can ensure that what we do present are the strongest and most attractive. I’m thinking right now of experimenting with only a single tutorial day (3 tracks), and using the second day for something training-related in a different way. Perhaps this might be more workshops related to the conference theme; perhaps this might be more interactive seminars.
- Integrate Tutorials Into The Conference. Right now, we have two training approaches. We have our formal tutorials, for which attendees pay separately, and our government track, which has training sessions during the conference and is included in the conference fee. We could eliminate the training as a separate gated event, and just have a training track across all the days of the conference. This would provide more space for technical papers and discussions, and may increase attendance at the training courses.
- Fix the Topics. I’ve begun to realize that general introductory topics are not good draws, even though they may be good courses. If I could get the material at a local university course, why have it at the conference? Our topics need to either be unique or something that clearly cannot be easily gotten elsewhere. Looking at our top draws this year, they are topics you are not seeing elsewhere. In past years, a regular strong draw was a tutorial on botnets. We need ACSAC-unique topics… and I need to find presenters to propose them.
Right now, I’m just at the musing stage on how to fix things. I’d welcome your ideas.
Ahoy mateys. Today be humpday, as well as International Talk Like a Pirate Day, and so your Captain thought he would share some broadsides that me parrot done brought me. So while we chow down on our hearty lunch n’ grog, let’s throw these overboard and see what sharks they attract. Aye.
Music: Wichita Lineman (Glen Campbell): “You Better Sit Down Kids”
You know you’ve been doing security too long when you see an article about a restaurant called “A1 Cucina Italiana” opening… and you wonder who did the Orange Book evaluation.
(ducks and runs)