ACSAC 29 is now history. It was a busy week (as you could tell by the dearth of blog posts). Conference weeks are especially busy for me, as I’m the training chair for this conference and one of the long-time regulars — meaning that I’m one of the folks that helps to run the conference. Combine this with conference activities that run late, a few migraines, and there is just no energy at the end of the day to write a post.
Let me summarize, from memory, the conference day by day. This year was a weird year — tight budgets and the government shutdown meant that our registration numbers were down — severely — by the advance registration deadline. They slowly rose over the last two weeks of November to near normal levels, but it was a nail-biter. There was much more on-site registration than usual. Combine this with really bad weather at the beginning of last week that impacted the ability of people to get to New Orleans from DFW and IAD/BWI, and… Let’s put it this way: I wasn’t sure if some of the course instructors would make it. Luckily, they did.
The first day of the conference was tutorials and workshops. As training chair, I “audited” the tutorial on systems and security engineering. I’ve previously written about this: we had 3 instructors who were from Europe (Spain, Germany), and one US instructor. The European instructors seemed to emphasize modeling and security pattern work as opposed to the traditional system engineering process (or in support of it). I didn’t connect with that approach, perhaps because I’m not a UML type of guy. The US instructor talked about the NIST approach and the upcoming 800-160 document. This approach integrates security engineering into the traditional IEEE systems and software engineering approach, and made a lot more sense.
The second day was more tutorials and workshops, followed by the conference reception. During the morning, none of the tutorials were of interest (I had seen the 1/2 day tutorial the previous year), so I sat in the Next Generation Malware Workshop. The first speaker was really interesting — Michael Franz of UC Irvine talked about some approaches he is working on regarding randomization of generated code, essentially making it so that each user has a unique executable, making stack attacks to execute code much more difficult. I didn’t connect with the subsequent two morning speakers. In the afternoon, I attended the tutorial on Cyber-Physical Systems. This was a reasonably good overview, and emphasized my contention that space is just another example of a cyber-physical system.
Wednesday was the first technical program day. The distinguished practitioner talk was great — Nancy Leveson on applying Systems Thinking to Safety and Security Engineering. The basic notion was that simple failure analysis was not enough, because safety and security are both emergent properties. Engineering for both is similar, and must be done in the design. She related this to feedback control loops, and showed how to use that thinking to engineer better systems. A very good talk. After that, I attended a panel on high-assurance approaches to cyber-physical systems. I’m unsure about the approach discussed, as I don’t think formal methods will scale to complex CPS. In the afternoon was a talk on the NIST Cybersecurity Initiative, followed by a panel that I chaired looking back at the legacy of the Orange Book. Following that was the conference dinner — which was excellent — and included a great performance of the Dapper Dandies, a New Orleans Jazz Band.
Thursday started out with a great invited essay by Carl Landwehr of GWU on the need for software building codes, which he justified using the analogy to traditional building codes. After that talk, I sat for a bit in the Cyber-Resiliency session, as none of the other tracks looked that interesting. Lunch was the annual meeting of ACSA; as Secretary, I was responsible for taking notes. That ended up going long, so I missed the session after lunch. For the post-break session, I attended a paper session with two interesting papers on malware attacks: one looking at attacks and the forensic capabilities of solid-state drives; the other looking at a stealth hard-drive backdoor. I skipped out on the Works-In-Progress session, but then came back for the posters. After that was the conference committee dinner at Bayona Restaurant in the Quarter. This was a spectacular dinner.
Friday… a migraine got me. It started at 2pm, and got steadily worse. I attended the committee breakfast in pain, went back to my room, and drowsed out till it was gone, missing the first session. I also have the responsibility to pack the conference office, which meant I missed the second session as well :-(. After the end of the conference, we dropped off the shipping, and then went to Squeal for some great BBQ. It was then off to the airport and home.
Next year, the conference will be in New Orleans at the same hotel. We may recast the name to avoid some of the silliness going around in the DOD about “Conference” in the name — focusing more on what the conference is. I’m suggesting “ACSAC | Your Cybersecurity Technology Interchange Meeting”. It will be our 30th year.
ACSAC moves every two years, and aims for the sunbelt — or at least some place that isn’t freezing. We need some place with a reasonably sized airport, that can accommodate direct international flights (for attendees do not like changing to small planes). We need to have hotels with suitable meeting room layouts, that will provide government rates, and can accommodate 200-300 people. We also want to be within walking distance of restaurants and evening stuff, not in the middle of nowhere. For ACSAC 31 and ACSAC 32 (2015 and 2016), we’re looking to the west coast, and the two candidate cities are Los Angeles and Portland. I’m looking into Los Angeles, trying to find areas that will meet the above requirements — most likely, Santa Monica / Marina Del Rey, the south bay (Manhattan Beach / Torrance), Hollywood / Fairfax area, or Universal City. I think Long Beach and Pasadena are too far away to work, and LAX doesn’t have the right atmosphere. Probably in 2017 we’ll start looking back to the mid-country and east coast again.