Posts by spaf

A Special Opportunity to Support CERIAS

Purdue University is a land-grant university, founded in 1869. As a land-grant university, our focus has always been on service to the public good — providing excellent education and research results for the betterment of the world around us. While many universities take great pride at their faculty’s leverage of research to launch new companies or publish many academic papers, we’ve always been very focused on delivering a truly world-class education and performing “game changer” discovery.

Purdue Day of Giving

The Purdue community just celebrated a reunion of astronaut alumni — a visible symbol of the spirit of service and exploration inherent in our makeup. Purdue is the alma mater of more astronauts than any other university; the first and last men to walk on the moon were Purdue alumni. They did not do it for profit or fame — they did what they did to advance science, to push back boundaries of ignorance, and to give others something to dream about. Purdue’s story is full of people like that, from around the nation and around the world. Our students come from well over a hundred countries, and our graduates go out to improve the lives of people in at least that number.

Our history of exploration and being there “first” extends to many other area, including the first degree-granting CS department (founded in 1962), the first dedicated freshman engineering program, the first television broadcast, and having the fastest campus supercomputer in the world. (A few other notable firsts are detailed here and here .)

But more to the point of this blog, Purdue is the location of CERIAS — the first multidisciplinary institute in cyber security and privacy research, and the home of the first defined degree in information security.

CERIAS is not a department within the university. We are a cross-cutting, multidisciplinary institute at the university, supported largely with soft funds: the vast majority of our funding has always come from small, outside donations by companies and foundations. Our finances depend on the generosity of others, but we are structured so as to not be beholden to the government or one or two big commercial entities that can dictate the direction of our efforts. Instead, we investigate those ideas that our faculty think will solve real problems and help others in what they want to do. Some of our organizational donors are partners in our program, providing advice and research assistance for our efforts, and they reap the rewards in new hires and new ideas (see the link for information on how your organization can join the program).

Historically, we have not done much to solicit others to support CERIAS, although it has always been possible for anyone to make a donation. But that will change, for one special day, April 30th. And we would like everyone who cares about our mission and our future to consider making a donation, even if it is only a small amount.

The first-ever Purdue Day of Giving, a 24-hour online event designed to boost Purdue visibility and support, will take place Wednesday, April 30. CERIAS, and many other campus units, will be promoting Purdue efforts -- granting opportunities, launching dreams, and achieving greatness while promoting an affordable and accessible Purdue.

Plus, as a result of a recent US$500,000 gift to Purdue, a (tax-deductible in the US, at least) each CERIAS donation will receive an additional percentage match. Thus, your donation on April 30th will support CERIAS at even a great extent than your donation alone! This is a special one-day-only opportunity for your gift, large or small! Also, If your employer does charitable matches, please be sure to let them know to match your donation, thus, increasing your impact even further!

Your donation can be made through the website http://dayofgiving.purdue.edu/ (click on “CERIAS” near the bottom of the page), by texting “purdue_cerias” to 41444 (you will receive a reply text with more details) or by the telephone at 1-800-319-2199.

But the Purdue Day of Giving is much more than an opportunity to support CERIAS; it’s about helping spread the word about us, our great history and our brighter future along with Purdue's drive to re-define college education. If you’re associated with Purdue and whether you make a donation or not, you can help by posting your story -- or sharing/re-tweeting one of ours – in social media; just add @cerias and #PurdueDayofGiving to your posts and tweets. The University has contests and incentives in place for CERIAS and other units who have friends and alumni posting about #PurdueDayofGiving.

Track our progress and enjoy the day-long series of announcements and highlight videos (one of them featuring on a certain bearded professor known for his fondness of bowties) at http://dayofgiving.purdue.edu/. Don’t wait until April 30 to join the fun; visit http://dayofgiving.purdue.edu/ now, view videos of some of the exciting student success stories, plus sign up for an email to remind you on the 30th to pay it forward. And please, pass along a link to this blog entry to others who you think might be interested in helping.

Thank you to all of our friends, alumni, and partners for their past support, and thank you in advance for helping to “spread the word.” We do hope that you will take this opportunity to provide a donation that day — even if it’s a small one — to help us advance our work towards a more safe and security future.


Thoughts on the RSA Conference, Boycotts, and Babes

I’ve been delayed in posting this as I have been caught up in travel, teaching, and the other exigencies of my “day job,” including our 15th annual CERIAS Symposium. That means this posting is a little stale, but maybe it is also a little more complete.

I try to attend the RSA Conference every year. The talks are not usually that useful, but the RSAC is the best event to see what is new in the market, and to catch up with many of my colleagues (new and old), touch base with some organizations, see CERIAS alumni, sample both some exotic cuisines and questionable hors d'oeuvres, and replenish my T-shirt supply. It is a very concentrated set of activities that, when properly managed, fits in a huge set of conversations. My schedule for the week is usually quite full, and I am exhausted by the time I return home. This year, I was particularly worn out because I was recovering from a mild case of pneumonia. Still, I mostly enjoyed my week in San Francisco.

This year, there was a boycott, of sorts, against the conference by various parties who were upset at the purported collaboration of RSA with US government agencies many years ago. I’m not going to go into that here, but I think it (the boycott) was misguided. Not only is there no hard evidence that there was any actual weakening of any algorithms, but it was over a decade ago and at a time when both the national security climate and public sentiment were different than today. There is also the issue that companies are susceptible to legal pressures that are not easily dismissed. If there is any blame to accrue to RSA, it would be better directed to the company’s products than the conference. As it was, during my week there, I only saw about 30 seconds of protest — and the conference had (I believe) record attendance.

The conference really has three general components: the technical track, the exhibit floor, and the informal connections around everything else. I’ll address each separately. I have some particular comments about the use of “booth babes” on the exhibit floor.

Technical Track

The conference every year has scores (hundreds?) of talks, workshops, and panels, usually given by industry analysts, CEOs, and engineers, and by various government officials. It is not a scientific conference by any stretch of the imagination. Although marketing talks are strictly prohibited, one of the primary motivations of speakers is to get on stage to promote “their brand.” Often, the talks are filtered through a particular product point of view to reinforce the marketing pitch given elsewhere, or to sell a book, or to subtly promote the speaker’s usefulness as a consultant. Over the last decade I have attended many talks, but found few of them really informative, and several involved misinformation that was not challenged by anyone during the session. I have stopped sending in proposals for talks because my past proposals didn’t fare well — “too academic” was the judgement. I guess if I don’t pull a hacker out of my hat and make a database disappear, I’m not entertaining enough for this crowd considering overall conference attendance, which simply goes to my point about conference focus.

This year there was at least one partially informative session. I was asked at the last minute to fill in on a panel hosted by Gary McGraw. The panel attempted to address a topic that I spend several hour-long lectures covering in class: the classic Saltzer and Schoeder principles of secure design. The panel only covered four of the principles, and superficially, but I think the panel went okay. We had a small crowd.

I attended, briefly, a number of other sessions, but didn’t stay for any but one of them. Perhaps I am getting too cynical and jaded, but I didn’t find anything that was new and interesting; yes, a few things were new, but not surprising or even well-analyzed. I’m not sure it mattered for the audience.

The one session that I stayed for, and thoroughly enjoyed, was the closing session with Stephen Colbert. He was brilliant and funny. His off-the-cuff answers during the Q&A session was excellent all by itself — he not only displayed better than superficial knowledge of portions of the field, but he gave some very quick answers that showed some level of insight as well as humor. Not all of his answers went over with all of the crowd, but I think that showed he was giving some genuine answers of his own rather than trying to amuse.   

Informal Connections

Lots of the real business at the conference really isn’t at the conference, but in the halls, hotels, restaurants, and bars in the vicinity. Companies hold both formal and informal receptions for past & future customers, everyone from CEOs to sales reps work out deals over dinner and drinks, analysts and commentators get news over lunch and finger foods, and employees are recruited in all sorts of venues. Some of the media conduct interviews with notable people (and some rather sketchy types). Organizations presented awards and recognized members at receptions (e.g., the ISSA honored their newest Fellows and Distinguished Fellows, and the (ISC)2 celebrated its 25th anniversary).

These connections are a major draw of the conference for me. I get to reconnect with people I don’t often get to see otherwise, and I also get to meet many others who I might not otherwise encounter. I get to hear about interesting stories that aren’t told to the general sessions, hear about new projects, and tell people about how they are missing out on hiring our great grads from CERIAS. I always return home with a stack of business cards with notes on them of things to send, lookup, and people to call.

This year was no different: I connected with over 30 people I had not seen in months…or years, and met another few score new. I missed running into several people I was hoping to see, but generally had a full schedule. Luckily, there are enough people who have yet to get the memos, and I was invited to some of the receptions. In several instances, I got to meet some people in person that I have only known via on-line persona. In other cases, I got to meet long-time friends and acquaintances who I never get to see often enough because of schedule issues. Some people I was hoping to see weren’t able to make it because of budget issues this year curtailing travel, which seems to have been a little more pronounced this year than the last couple of years, at least among my circle.

I should note that few academics attend this conference: the cost, even with a discounted admission, is significant, and combined with travel, hotel, and other expenses, it can take a sizable chunk out of a limited academic-sized budget. I saw a few colleagues in attendance, but we were all senior. In past years I have tried to cover the expenses for junior colleagues to attend at times in their careers where the possibility of networking with industry might be beneficial, but there is seldom enough unrestricted funding coming in to CERIAS (or me) to cover this on a regular basis.

Overall, I saw little impact from the “boycott.” In fact, I saw several people who spoke or attended the “boycott” event and were also present at the RSA events!

Exhibit Floor

The exhibition at the conference is huge. Nearly all major vendors — and several government entities, from several countries -- have booths of some sort. This year the booths covered both the North and South halls at Moscone Center — there were many hundreds of them. Walking the exhibit floor is mind (and foot) numbing, but I try to do it at least twice each year to be sure I get a good coverage of what is new and interesting…and what is not.

Some companies opt for large — even multistory — booths with lots of screens and demos. Others have small booths with simply a counter and some literature. Many new companies spend a fair amount for a booth to try to gain some market awareness of their products and services. I haven’t done a formal tally, but I’d guess that somewhere around 20% of the companies I see in any given year are no longer there 2 years later — either they fail or are acquired.

Overall, I didn’t see much that excited me as new or particular innovative. Again, that may simply be the longer perspective I bring to this. I remember the old National Computer Security Conferences in the 1990s as a sort of precursor to this, and the baseline trend is not a good one. In the 90s, the exhibitors were all about secure software development and hardened systems. In 2014, the majority of big vendors were flogging services to detect threats that get through all the defenses on Windows and Linux, recovery from break-ins, and other technologies that basically already concede some defeat. Of course, there were also trends — more about encryption, threat intelligence, big data, and securing “cloud” computing, for N different definitions of cloud. I think the best summary of the exhibits was given by Patrick Gray and Marcus Ranum (click the link to hear the audio): somewhat cynical, but dead on.

As I noted in my last blog entry here, the industry is continuing to focus on solving some of the wrong problems.

Flash and Booth Babes

With all those exhibitors on the floor, they are all seeking ways to place some branding with attendees, and to get people to stop by the booths for longer discussions (and to harvest addresses for later sales calls). Usually, this is with some form of giveaway item, such as pens, candy, or T-shirts with clever designs. Sometimes they have a notable security figure there autographing books. I certainly pick up my share of T-shirts and books, plus a few other items that I may use, but the majority of items I decline. The giveaway that amazes me the most is the free USB item that people gladly accept and plug into systems. This is a security conference in 2014 and people are doing that?? Consider that one of the vendors that seemed to be successful giving out a lot of USB sticks was Huawei…. simply wow.

Also annoying are the booths where the people can’t even answer simple questions about their companies. Instead, they want to scan my badge and have me sit through a presentation. No thank you. If you can’t tell me in 30 seconds what your company is about, then I’m not about to sit through 10 minutes of someone breathlessly extolling your “industry leading” approach to … whatever it is you do, and I certainly don’t want to sit through a WebEx presentation next month when I am right here with you now.

In an attempt to stand out, some vendors have gone in odd directions by trying to have some “flash” at the booth to bring people in. In prior years, I saw people in suits of armor and gorilla costumes. There have been booths with motorcycles and sports cars. This year, they had professional magicians, gymnasts, and even a ring with a boxing match! These are not items with branding that someone will walk away with and possibly display in the weeks to come, but simply an attempt to attract attention. It is fairly strange, and annoying, however. Why should those tell me anything about a product or security service, other than the company leadership thinks flash is more important than substance? How the heck do those displays relate to information security?

The most egregious example of this disconnect is the “booth babe.” These are when women (and rarely, men) — usually in some scanty outfit involving spandex — are on display to draw people into the booth. They are never themselves engineers or even in sales: there are agencies that hire out their staff to do this kind of thing. Heck, they can’t even answer basic questions about the company! I make it a point to try to talk to some of these people to see why they are at the booth, and I can’t recall an instance in the past few years where any of the women actually had a technical job within the company whose booth they “adorned."

Let me make clear that I appreciate attractive women. That has been my particular orientation for 45 years, and I am not unhappy with it (although I have always wished more of them appreciated me in return!) But more to the point, I appreciate all women — and men who exemplify achievement and dedication. I appreciate imagination. I appreciate professionalism. I do not appreciate attempts to lure me to a vendor through setting off fireworks, dangling shiny objects, or having women in short shorts trying to get me into the booth. It is insulting.

  • It is insulting to those of us who find women particularly attractive because it implies we need to be seduced in some way to pay attention to technical merit -- that we so lack self-awareness that such lures will overcome our judgement.
  • It is insulting to those of us who do not find women overly attractive, because it implies that we are somehow not part of the community if we aren’t affected by such displays.
  • It is insulting to those of us who are not skinny, or young, or …whatever, because it suggests those features are the values of the companies on display and the values that we are seeking.
  • In is insulting to the women who work in the field, especially the ones who work for those companies in technical positions, because it suggests their abilities and accomplishments are secondary to come-hither looks.

Simply put, it is the wrong message in the wrong context, and the people sending the message are seriously short of clue.

This kind of behavior is harmful to the field because it conveys a message that women are valued primarily because of their appearance, and it trivializes their intellectual contributions. I talked about this in a recent interview and recently wrote about how the field is skewed. We should not and cannot condone the negative messages.

Let me make it clear that I have no quibble with the women themselves who were involved in this — they were hired to put on costumes and be cheerful, to try to draw people in. Standing on concrete floors in 3” heels all day, in not enough clothing to stay warm with the A/C, and trying to be cheerful is not easy. Some of them are students, working to pay tuition, others are supporting children. In one case, the company receptionist and her friend were gamely hanging out in short-shorts to support her company in return for the trip to San Fran. In another case, a company had a beauty pagent winner present, dressed conservatively. She is a pleasant person, and uses her minor celebrity for some good causes, but I do not think that is why the company had her at their booth; I don’t fault her for that decision, however.

Across the exhibition I saw many women who were not on display. Some were in t-shirts and jeans. Some were in heels and dresses. (I asked a few, and it was their first RSA — few will wear heels a second time!) More importantly — it was their own choice, and not something imposed by management. They dressed to be comfortable —as themselves — and if asked technical questions, they were able to respond. Some were thoughtful, some tired, some funny — but all real and there to interact as members of the profession, not as window dressing. That is precisely how they should be treated, and how they want to be treated — as professional colleagues.

I know I’m not the only person who thinks the "booth babe" approach is wrong. I discussed this with several people I know, men and women, and the majority were bothered by it as well. I think the blog posts by Marcus Ranum and Chenxi Wang sum up some of the different reactions quite well. Winn Schwartau actually captured this and many of my other frustrations with the exhibits in one wonderful article.

My message to the vendors: start treating all of us as thinking adults. Focus on the value proposition of your products and services and you'll get a much better response.

Summary

I think it was overall a good experience. I hope to attend next year’s conference, and I look forward to seeing old and new friends, maybe hearing something innovative, and seeing a change in the way exhibitors are showing off their wares. We shall see.

Telling the Future, Looking at the Past: A Few Short Items

I have continued to update my earlier post about women in cybersecurity. Recent additions include links to some scholarship opportunities offered by ACSA and the (ISC)2 Foundation. Both scholarship opportunities have deadlines in the coming weeks, so look at them soon if you are interested.

The 15th Annual Security Symposium is less than a month away! Registration is still open but filling quickly. If you register for the Symposium, or for the 9th ICCWS held immediately prior, you can get a discount on the other event. Thus, you should think about attending both and saving on the registration costs! See the link for more details.

I periodically post an item to better define my various social media presences. If you follow me (Spaf) and either wonder why I post in multiple venues, or want to read even more of my musings, then take a look at it.

I ran across one of my old entries in this blog — from October 2007 — that had predictions for the future of the field. In rereading them, I think I did pretty well, although some of the predictions were rather obvious. What do you think?

Sometime in the next week or so (assuming the polar vortex and ice giants don’t get me) I will post some of my reflections on the RSA 2014 conference. However, if you want a sneak peek at what I think about what I saw on the display floor and after listening to some of the talks, you can read another of my old blog entries — things haven’t changed much.

If you are bored or morbidly curious…

The Charles Babbage Institute at the University of Minnesota is devoted to research and preservation of the history of computing. They have amassed an interesting collection of literature and memorabilia that shows the history of the field.

One of the projects associated with the CBI is to gather oral histories of notable figures in the field of computing security. They have some fascinating oral histories of people including Willis Ware, Peter Neumann, Becky Bace, Roger Schell, Donn Parker and others, as well as lots of oral histories in other subfields of computing. You can find the full set online.

In July, there will be a workshop on the history of computing security. CBI has issued a call for papers. This effort is funded by the National Science Foundation.

Late last year, Jeff Yost of the CBI visited Purdue to conduct an interview with me. He got a lot of material out of me, including some anecdotes that I don’t think I have ever related to anyone else before. We spent a good portion of a day going through this. It’s long.

I question how many people might really want to read through the whole thing, but if you’re interested in some of the history of the security program at Purdue, how I ended up at Purdue, my start in software engineering, my initial work in digital forensics, how I got involved in security, or any of a bunch of other topics likely to be of little or no interest to most people, then you can check out my oral history at CBI.

I’ve mentioned a lot of students, colleagues, and influences by name. If you’re one of them, I hope what I said doesn’t bother you! (Unless I intended it to bother you, in which case…. grin

I don’t think I said anything unduly embarrassing, and I’m actually happy to have documented some of the history of how CERIAS got started. So, if that kind of thing floats your boat (or balances your parity), then check it out.

You’re invited!

Four days -- two major events!




The 15th Annual CERIAS Security Symposium

Purdue University, March 26-27, 2014

We're living in a time of transition. Cyberthreats are increasing and becoming more sophisticated, victimized organizations are cooperating with competitors and fighting back, and the discussion of expected privacy has become front-page news. These topics, and more, will be explored at the 15th Annual CERIAS Security Symposium. Join the conversation amongst academic educators and researchers, commercial R&D engineers, government researchers, and industry practitioners as we examine the current state, possible solutions and emerging technologies addressing issues of information assurance, security, privacy and cybercrime.

CERIAS Symposium activities will include:

Keynotes:

Amy S. Hess
Executive Assistant Director of Science and Technology, Federal Bureau of Investigation
George Kurtz
President/CEO and Co-Founder, CrowdStrike

Featured Technical Presentation:

Josh Corman
Chief Technology Officer, Sonatype

Panel Discussions:

  • APT, Threat Actors and Trends in Cybercrime
  • Sharing Incident Data While Under Attack

A "Two Views" Discussion

  • Security Plus (not Versus) Privacy
    Featuring:
  • David Medine, chair of the Federal Privacy and Civil Liberties Oversight Board (PCLOB)
  • Mark Rasch, Chief Privacy Officer of SAIC

Security Research and Project Poster Session

Featuring a selection of the 60+ projects currently in progress by by CERIAS faculty and students. Meet the researchers while hearing about their work.

Networking Opportunities

The event has a number of built-in opportunities for social and professional networking, and exploration of new opportunities. CERIAS partners will be provided an exclusive opportunity for recruiting CERIAS students for internships and employment; non-partners can find out more about joining the CERIAS consortium. Attendees may also schedule other visits and tours while on campus.

For more information and to register visit:

http://www.cerias.purdue.edu/site/symposium2014/



The 9th Annual International Conference on Cyber Warfare and Security

Purdue University, March 24-25, 2014

CERIAS Symposium attendees are invited to join the ICCWS conference being held the two days prior to the CERIAS Symposium. The ICCWS provides an opportunity for the cyber warfare and security community of interest and practice to gather and exchange their views on the current state of the security research, governance and implementation. The conference is intended to draw an audience of practitioners, researchers, consultants and regulators from academia, business and government.

CERIAS Symposium attendees will receive a discount off ICCWS registration. For more information on ICCWS-2014 visit:
http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm




We hope to see you at Purdue the week of March 24!

Another Loss in the Community

I received news today that Yves Deswarte passed away on January 27th.

YD-2010b.jpgDr. Deswarte was a notable member of the computing community, with a career of 30+ years as an educator, researcher, and manager. His career as a computing research pioneer spanned issues ranging from fault-tolerant computing to microcomputer systems to networking to issues of identity and privacy to system safety, and more. His most recent affiliation was with theLAAS-CNRS; the Laboratory for Analysis of Architecture of Systems at the French National Center for Research in Toulouse. He also had been an engineer and manager at INRIA, and spent time with SRI and at Microsoft Labs in Cambridge (with the late Roger Needham). Some of his more recent work involved the security of cloud and embedded systems.

Yves was the deserving recipient of the 2012 IFIP TC-11 Kristian Beckman Award and an award for Outstanding Service to IFIP. His acceptance address for the Beckman was devoted to issues of identity and privacy — topics which had been central to some of his research in recent years. In addition to his research and his work with IFIP, Dr. Deswarte was also notable for his work with ESORICS, and for the Ph.D. students whose work he advised: his webpage lists 20 Ph.D. graduates advised, and 5 in progress.

A memorial page for Dr. Deswarte has been established at LAAS.

I only met Yves once or twice, and our work only occasionally brought us into contact. Interestingly, his path in computing had some parallels to mine — he was working fault-tolerant computing (the SURF project) about the time I was (as a grad student), and then moved into security and privacy issues. I have known of him and his work for most of my career in computing, but unfortunately did not have the opportunity to get to know him well in person. I am undoubtedly not doing justice to his many contributions with the meager account above, and I would welcome comments from those who knew him better.

I have written memorium pieces for many people in the field over the last few years, most recently Willis Ware. Yves is closer to my age than most of them, so that makes is a little more personal. It is a sign that the field is maturing as we begin to lose our colleagues, but that is hardly any solace.   

R.I.P. Yves Deswarte, 1949-2014.

We’re Out of Balance

I’ve had several items cross my social media feeds, along with email, in the last few days that prompt me to write this. It’s gotten a bit longer than I intended, but there’s a lot to say on an important topic. As a first post to this blog in 2014, I think it is a good topic to address. It has to do with imbalance and bad behavior in the overall field of cybersecurity: the low percentage of women, and how they are sometimes treated.

Computing, as a field in the USA, has had a low and almost constantly decreasing percentage of women going into the field and staying. (The US is the primary focus of this blog entry; I believe the problem is similar in Canada, the UK, Australia, and others, but don’t have the data. Also, there is a corresponding problem with other traditional minorities, but that’s not what prompted this post and I hope to visit it later.). There are many reasons posited for this, many of which are likely somewhat to blame; there is no single, dominant reason, apparently. Many studies and reports have been conducted, experiments tried, and programs put into place, but few have made any measurable, long-term change. The problem is almost undoubtedly rooted in social behaviors and expectations because there are other cultures where the ratio of women to men is about 1:1, or even has women in larger percentages.

Cybersecurity is little different, and may be worse. I regularly speak at conferences, companies, and agencies where the room will have 30 men and one (or no) women. At events where there are speakers or panels, all the speakers and panelists are men. The few women attending often are simply the ones there processing registrations. And there are a nontrivial number of reports of women being groped and harassed at professional meetings (see, for instance, this). Also bad, women are frequently abused online as well as offline, and not only in security and computing. Many are reluctant to publish email addresses or contact info online because of unwanted, inappropriate content sent to them — no matter whether they’re 8 or 80.

(Right now, if you are thinking to yourself that there isn’t a real problem, that things are fine, and it is all a problem of some women who can’t take a joke, then you are part of the problem, and you need to shape up. Worse, if you think that women shouldn’t be upset about this status quo, instead they should get back to the kitchen, then you are so out of touch that I don’t know where to start. In either case, try telling that same thing to women doctors, pilots, police, firefighters, or better yet, to our many women in the military — especially when your safety is in their care. Then come back when you’ve healed up. If nothing else, at least keep in mind that there are legal reasons to treat people equally and with respect.)

Assuming you are actually living in the 21st century, let me assure you that the overall situation is a HUGE problem for us. As a field, and as a society this is bad because we have a shortage of talent that is getting worse with time. We also have some rather skewed and limited ideas of how to approach problems that might benefit from a more inclusive pool of designers and practitioners. And as human beings we should be concerned — especially those of us who are sons, brothers, fathers, and husbands — people who could be (and sometimes are) our mothers, sisters, daughters, and wives are being mistreated and demeaned. That simply isn’t right. Neither is it right that we are limiting the opportunities for individuals to learn, grow, and achieve.

Computing, security, privacy, creativity — those are all traits of the mind. Minds exist in all kinds of bodies, including those with other colors, more or fewer curves, different masses and volumes, varied ages, and some have less physical abilities than others. But that doesn’t change what is possible in their minds! We should applaud ability, dedication, and imagination wherever we find it. Discouraging women (or anyone with ability) from pursuing a career in computing, abusing them online, and groping them at conferences are all counterproductive to our own futures — as if rude and wrong wasn't enough. Cybersecurity and privacy are key areas where we need more insight and creativity — we should enhance it rather than diminish it.

No field is populated only with superstars and wild talents. That is especially true in IT. We hear about people with great accomplishments, and we like to think we’re special in our way, but the truth is that the field is too large for any individuals to master it. Success comes from teams, and the most successful teams are those that integrate many different viewpoints, backgrounds, and skill sets, and who respect their differences yet work with common goals. That includes bringing in people from different genders, ethnicities, ages, and more. Success is enhanced by diversity.

I’m not going to go through a longer litany of problems here, or try to analyze the situation further. I’ve been working with various women’s groups for over 20 years and I still don’t pretend to be able to understand all of what is happening. It is complex. However, I see the problem continuously when I look at our student body, when I visit professional meetings, and when I read reports. I know it is real.

What I can do, is offer some advice to those who care.

For Men

Here are some general tips that should be common sense.

  1. Simple: be aware. Help others be aware. Don’t limit your involvement to this alone, but everything else flows from here.
  2. If you have children, encourage them and their friends to consider computing in school. Be supportive of anyone trying an IT profession. Be positive and not condescending.
  3. If you are a teacher/professor, don’t let the male students bully or harass the females. You are there to create a learning environment for everyone. Generally speaking, many women are less quick to respond to questions as they think about how to frame the answers, and they tend to let others speak without interruption; males generally are the opposite. Don’t let anyone be interrupted when speaking, and ensure that everyone gets a chance.
  4. At a conference or professional meeting? Don’t assume that the women are less important than then men there -- especially if they look young! Address everyone equally. No one should be invisible. Would you want people to ignore you or trivialize what you had to say if you looked different than you do? Address the person, not the appearance.
  5. Don’t ever touch a woman, without her clear uncoerced permission, in any manner that you would not touch a male authority figure. That is, would you touch your boss/professor/policeman in the same manner — without getting slugged/fired/arrested? Thus, shaking hands, fine. Catching someone if they stumble, fine. A greeting hug? Let her initiate it. Grabbing their butts? Definitely no. Use the same rule of thumb for language. Would you proposition a male policeman you just met?
  6. As for language, think carefully about your adjectives. If you would be “firm” and “decisive” in what you do, don’t describe a woman colleague as “bitchy” if she acts similarly! If you are "aggressive" she is not “pushy.” Banish “overly emotional” and “moody” from the list, too.
  7. Don’t set perceptions based on age. Women report that young male colleagues are often given opportunities to “prove themselves” or “learn the ropes” but they are not given the same opportunities because they are too young. Don’t either give or limit opportunities based on age or whether you think someone is attractive — either way, you are limiting what you could get and what they can do, and that is your loss.
  8. Be polite to everyone. Manners matter, even if it doesn’t seem that way some times. Don’t treat any group differently than any other. This includes not making jokes about people to others, staring openly, etc. That’s maybe the norm in 3rd grade, but not in a professional context.
  9. If you see someone else being gropy, rude, or otherwise inappropriate, speak up. (And “Attaway, bro!” is not the thing to say.) No, of course you are not defending someone weaker — you are chastising someone acting unprofessionally. That is because you should also do the same for anyone being rude to someone in a wheelchair, wearing a turban, with brown skin, with a missing limb, speaking with a lisp, or simply standing there. Being different is never an invitation to be abusive or rude. Report it to event organizers or management, too.
  10. If you are invited to speak or appear on a panel at an event, ask who else has been invited. If they don’t seem to have invited (m)any women, suggest some and don’t agree to speak until they filled out the roster a little more. I have heard one good rule of thumb (which I try to follow) is not appear on a panel unless at least one woman is also on the panel. Help give other voices a chance to be heard.
     
    Can’t think of any? Then either you aren’t paying attention or you are willfully ignoring the situation. Here’s a partial list of some of the better known women in the field of cybersecurity/privacy, all of whom I hold in great regard (and my apologies as there are many more I could list — these are off the top of my imperfect memory): Anita Jones, Dorothy Denning, Mary Ann Davidson, Window Snyder, Jean Camp, Elisa Bertino, Rhonda MacLean, Deborah Frincke, Melissa Hathaway, Chenxi Wang, Terry Benzel, Cristina Nita-Rotaru, Jeannette Wing, Cynthia Irvine, Lorrie Cranor, Dawn Song, Helen Wang, Cathy Meadows, Harriet Pearson, Diana Burley, Rebecca Herold, Shari Pfleeger, Shafi Goldwasser, Barbara Simons, Erin Jacobs, Becky Bace, Radia Perlman, Nuala O'Connor Kelly, Wendy Nather, Linda Northrup, Angela Sasse, Melissa, Dark, Susan Landau, Mischel Kwon, Phyllis Schneck, Carrie Gates, Katie Moussouris, Ronda Henning…. There are literally thousands more who are less senior but are likely to have interesting things to say. Simply look around. And if you’re organizing the event, consider this.
  11. If you are a VC or senior executive, don’t automatically hire someone from the “good ol boys.” That you only think of men to fill senior positions may be a case of tunnel vision, as in the previous item. Look around. And don’t let implicit assumptions about age or gender drive your decision-making: leaders come in all shapes, sizes, and ages.
  12. Besides giving opportunities to women to speak or lead, give them opportunities to fail without blanket condemnation. Everybody has limits and make mistakes. If you asked a young male employee to do something and he didn’t succeed, would you think to yourself “I never should have assigned that to a man”? Unless the task is peeing his name in a snowbank, gender doesn’t have anything to do with it (and if that is the tasking you give employees you have other serious problems to resolve).
  13. In a professional setting, don’t exclude the women because you think they’ll be “offended” or that they’re “too sensitive.” They aren’t china dolls that are easily broken! Include them as part of your team and make them feel like part of it. We look at the world in different ways. If you’re concerned that jokes or activities might be offensive, then maybe those aren’t the right kind of team-building experiences you should be having. (For example, you don’t need to go out for beers to the strip bar on Friday to build team presence; going out to a nearby Irish pub or a restaurant will accomplish the same thing if what you are after is a social experience.) Do the same with students if that is your context.
  14. Similarly, think about mentoring — be a positive mentor for colleagues and those junior to yourself, men as well as women. Offer it, but don’t force it (that’s what a mentor is: a voluntary guide).

The basic idea here is really embodied in #8. Be thoughtful and don't treat anyone as substantially different Instead, relate to every person as a professional. But most of all, speak up if you see someone getting picked on or treated badly, or if they aren’t getting encouragement they should. It’s like security and privacy itself — an attack on any link is an attack on the whole, and if a link falls we are all diminished.

For Women

As a general tip similar to the list above, don’t ever think you are the only one experiencing some of the things that happen. Don’t blame yourself, or wonder what it is you are doing wrong — that is sometimes a natural reaction when you are in the minority and everyone seems to react to you in a manner you don’t expect. Do push back on rude behavior, don’t be afraid to make it clear when limits are reached (or exceeded), and do consider reporting persistent or very rude misbehavior to event organizers or supervisors. Yes, it can sometimes have unexpected consequences, but without that negative feedback the behavior is likely to continue against you and others; evaluate your own tolerance for risk vs. harassment.

There is debate within many minority communities of whether aligning with self-interest groups is helpful. On the plus side, the mentoring, the support resources, and the sense of community can all be a big help. However, that also runs the risk of not sufficiently engaging in the mixed environment where one has to work, of developing unrealistic expectations based on anecdotal stories, and failing to help educate the majority in how to help. There seems to be enough positive “buzz” about some groups and their activities to warrant recommending them. Not all are likely to fit your own particular needs and interests, so check them out. If you know of some I have missed, please let me know so I can add them here.

  1. ACM-W is generally for women in computing, world-wide, and provides community and resources. See their web page for more info. They have a mailing list to which you can subscribe, even if you have not (yet) joined ACM; computing professionals should consider joining the ACM.
  2. There is a long list of organizations for computing, in general, at the Ada Project that I won’t try to duplicate — I suggest you look at it. (I will also note that I have heard some criticism of the Ada Project itself, so I am only recommending the list.)
  3. The Anita Borg Institute. The ABI sponsors the annual Grace Hopper Celebration conference, which is worth attending, plus they do a lot more in events and activities, one of which is the Systers List.
  4. The National Center for Women & Information Technology (NCWIT) has quite a few resources and activities.
  5. The Computing Research Association’s CRA-W is directed to enhancing the careers of women in computing research
  6. The ISSA has a SIG with multiple blogs, meetings, and resources. You must be an ISSA member to access them. They also have a private LinkedIn group. (Security professionals should give thought to joining ISSA)
  7. I am told that ISACA is another organization in the security space to check out for their support and activities.
  8. The Women’s Society of Cyberjutsu is a security-focused organization for women that seems to have a fair bit of momentum.

The (ISC)2 is organizing a women’s special interest group. I have spoken with organizers , but am unsure of the status of it at this time.

The Women in Cyber Security conference will be held in April in Nashville. I know nothing about it other than what is on their web page, but it looks like it could be a great experience.

ACSA has a scholarship program for women in computing; multiple scholarships are available. The (ISC)2 Foundation also has scholarships available.

Of course, please keep in mind that not all men are the same! Many want to do the right things but aren’t always sure what is appropriate. Help train a few. grin

Parting Thoughts

From a professional point of view, being a member of ACM and ISSA is good idea for anyone in the field, based simply on the value of the organizations. Both promote professionalism, community, and personal growth, and there are a variety of other benefits to membership. Both have steep discounts for student members. I am a long-standing member of both, and can recommend them.

Our society has a lot of problems with cybersecurity and privacy. New flaws show up, and old flaws don’t really get fixed. Parties ranging from individual criminals to nation-state organizations are all seeking ways to penetrate our systems and mess with our information. We need every good person we can get on board and working together if we hope to make progress. We should make every effort to enable that partnership.

Or think of it in these terms: if we can’t be trusted to protect and empower those within our own community, why should anyone trust us to protect anything else?


Updated 1/7: Added a few list items about mentoring and language, listed ISACA, small grammatical corrections.

Updated 1/8: Corrected several typos

Updated 1/10: Added ISSA group link. Added comment from Anita Jones; this is the memo she mentions in that comment.

Updated 1/14: Small grammatical corrections.

Updated 1/22: Added ACM-W page link

Updated 1/24: Added the Systers link

Updated 2/16: Added link to subscribe to the ACM-W list. Minor grammatical cleanup.

Updated 3/2: Added links to ACSA and (ISC)2 scholarship information.

If you have any additions or corrections to the above lists, please send me private email. Also note that, as usual, anonymous, spammy, or abusive feedback to the blog may not be published as is, if at all.

The Passing of A Pioneer

Willis H. Ware, a highly respected and admired pioneer in the fields of computing security and privacy, passed away on November 22nd, 2013, aged 93.

willis Born August 31,1920, Mr. Ware received a BSEE from the University of Pennsylvania (1941), and an SM in EE from MIT (1942). He worked on classified radar and IFF (identify friend or foe) electronic systems during WWII. After the war he received his Ph.D. in EE from Princeton University (1951) while working at the Institute for Advanced Studies for John von Neumann, building an early computer system.

Upon receiving his Ph.D., Dr. Ware took a position with North American Aviation (now part of Boeing Corporation). After a year, he joined the RAND Corporation (in 1952) where he stayed for the remainder of his career -- 40 more years — and thereafter as an emeritus computer scientist. His first task at RAND was helping to build the "Johnniac," an early computer system. During his career at RAND he advanced to senior leadership positions, eventually becoming the chairman of the Computer Science Department.

Willis was influential in many aspects of computing. As an educator, he initiated and taught one of the first computing courses, at UCLA, and wrote some of the field's first textbooks. In professional activities, he was involved in early activities of the ACM, and was the founding president of AFIPS (American Federation of Information Processing Societies). From 1958-1959 he served as chairman of the IRE Group on computers, a forerunner of the current Computer Society of the IEEE. He served as the Vice Chair of IFIP TC 11 from 1985-1994. At the time of his death he was still serving as a member of the EPIC Advisory Board.

Dr. Ware chaired several influential studies, including one in 1967 that produced a groundbreaking and transformational report to the Defense Science Board for ARPA (now DARPA) that was known thereafter as "The Ware Report." To this day, some of the material in that report could be applied to better understand and protect computing systems security. The follow-on work to that study eventually led, albeit somewhat indirectly, to the development of the NCSC "Rainbow Series" of publications. (The NCSC, National Computer Security Center, was a public-facing portion of the NSA ,serving as an office for improving security in commercial products.)

In 1972, Dr. Ware was tapped to chair the Advisory Committee on Automated Personal Data Systems for the HEW (now HHS) Secretary. That report, and Willis's subsequent paper,"Records, Computers, and the Rights of Citizens," established the first version of the Code of Fair Information Practices. That, in turn, significantly influenced the Privacy Act of 1974, and many subsequent versions of fair information practices. The Privacy Act mandated the creation of the Privacy Protection Study Commission, of which Dr. Ware was vice chair.

Willis was the first chairman of the Information System and Privacy Advisory Board, created by the Computer Security Act of 1987. He remained chairman of that board for 11 years following its establishment. Over the years, Dr. Ware served on many other advisory boards, including the US Air Force Scientific Advisory Board, the NSA Scientific Advisory Board, and over 30 National Research Council boards and committees.

Willis Ware was one of the most honored professionals in computing. He was a Member of the National Academy of Engineering, and was a Fellow of the AAAS, of the IEEE, and of the ACM — perhaps the first person to accrue all four honors. He was a recipient of the IEEE Centennial Medal in 1984, the IEEE Computer Pioneer Award in 1993, and a USAF Exceptional Civilian Service Medal in 1979. He was the recipient of the NIST/NSA National Computer System Security Award in 1989, the IFIP Kristian Beckman Award in 1999, a lifetime achievement award from the Electronic Privacy Information Center (2012), and was inducted into the Cyber Security Hall of Fame in 2013.

Dr. Willis H. Ware was truly a pioneer computer scientist, an early innovator in computing education, one of the founders of the field of computer security, and an early proponent of the need to understand appropriate use of computing and the importance of privacy. His dedication to the field and the public interest was both exceptional and seminal.

The Rand Corporation posted an in memorium piece on their website.

(Any updates or corrections will be posted here as they become available.)


Update 10/26: included acronym expansions of IFF and NCSC, along with links for NCSC and HHS. Added small grammatical corrections.

Update 10/29: added the note and link to the Rand Corporation in memorium piece.

Update 12/9: added the mention of the DSB

Thoughts—Some Random, Some Structured

On October 9th, 2013, I delivered one of the keynote addresses at the ISSA International Conference. I included a number of observations on computing, security, education, hacking, malware, women in computing, and the future of cyber security.

You can see a recording of my talk on YouTube or view it here. You might find it somewhat amusing. See the old guy with the bow tie ramble on. grin


(If you work in cyber security, you should think about joining the ISSA.)


(Also, if you didn't know, I have two other blogs. One blog is a Tumblr blog feed of various media stories about security, privacy and cybercrime. The other blog is about various personal items that aren't really related to CERIAS, or even necessarily to cyber security — some serious, some not so much.)

Happy Anniversary—Bang My Head Against A Wall

Over the last month or two I have received several invitations to go speak about cyber security. Perhaps the up-tick in invitations is because of the allegations by Edward Snowden and their implications for cyber security. Or maybe it is because news of my recent awards has caught their attention. It could be it is simply to hear about something other than the (latest) puerile behavior by too many of our representatives in Congress and I'm an alternative chosen at random. Whatever the cause, I am tempted to accept many of these invitations on the theory that if I refuse too many invitations, people will stop asking, and then I wouldn't get to meet as many interesting people.

As I've been thinking about what topics I might speak about, I've been looking back though the archive of talks I've given over the last few decades. It's a reminder of how many things we, as a field, knew about a long time ago but have been ignored by the vendors and authorities. It's also depressing to realize how little impact I, personally, have had on the practice of information security during my career. But, it has also led me to reflect on some anniversaries this year (that happens to us old folk). I'll mention three in particular here, and may use others in some future blogs.

In early November of 1988 the world awoke to news of the first major, large-scale Internet incident. Some self-propagating software had spread around the nascent Internet, causing system crashes, slow-downs, and massive uncertainty. It was really big news. Dubbed the "Internet Worm," it served as an inspiration for many malware authors and vandals, and a wake-up call for security professionals. I recall very well giving talks on the topic for the next few years to many diverse audiences about how we must begin to think about structuring systems to be resistant to such attacks.

Flash forward to today. We don't see the flashy, widespread damage of worm programs any more, such as what Nimda and Code Red caused. Instead, we have more stealthy botnets that infiltrate millions of machines and use them for spam, DDOS, and harassment. The problem has gotten larger and worse, although in a manner that hides some of its magnitude from the casual observer. However, the damage is there; don't try to tell the folks at Saudi Aramaco or Qatar's Rasgas that network malware isn't a concern any more! Worrisomely, experts working with SCADA systems around the world are increasingly warning how vulnerable they might be to similar attacks in the future.

Computer viruses and malware of all sorts first notably appeared "in the wild" in 1982. By 1988 there were about a dozen in circulation. Those of us advocating for more care in design, programming and use of computers were not heeded in the head-long rush to get computing available on every desktop (and more) at the lowest possible cost. Thus, we now have (literally) tens of millions of distinct versions of malware known to security companies, with millions more appearing every year. And unsafe practices are still commonplace -- 25 years after that Internet Worm.

For the second anniversary, consider 10 years ago. The Computing Research Association, with support from the NSF, convened a workshop of experts in security to consider some Grand Challenges in information security. It took a full 3 days, but we came up with four solid Grand Challenges (it is worth reading the full report and (possibly) watching the video):

  1. Eliminate epidemic-style attacks within 10 years
    • Viruses and worms
    • SPAM
    • Denial of Service attacks (DOS)
  2. Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.
  3. Within 10 years, quantitative information-systems risk management will be at least as good as quantitative financial risk management.
  4. For the dynamic, pervasive computing environments of the future, give endusers security they can understand and privacy they can control.

I would argue -- without much opposition from anyone knowledgeable, I daresay -- that we have not made any measurable progress against any of these goals, and have probably lost ground in at least two.

Why is that? Largely economics, and bad understanding of what good security involves. The economics aspect is that no one really cares about security -- enough. If security was important, companies would really invest in it. However, they don't want to part with all the legacy software and systems they have, so instead they keep stumbling forward and hope someone comes up with magic fairy dust they can buy to make everything better.

The government doesn't really care about good security, either. We've seen that the government is allegedly spending quite a bit on intercepting communications and implanting backdoors into systems, which is certainly not making our systems safer. And the DOD has a history of huge investment into information warfare resources, including buying and building weapons based on unpatched, undisclosed vulnerabilities. That's offense, not defense. Funding for education and advanced research is probably two orders of magnitude below what it really should be if there was a national intent to develop a secure infrastructure.

As far as understanding security goes, too many people still think that the ability to patch systems quickly is somehow the approach to security nirvana, and that constructing layers and layers of add-on security measures is the path to enlightenment. I no longer cringe when I hear someone who is adept at crafting system exploits referred to as a "cyber security expert," but so long as that is accepted as what the field is all about there is little hope of real progress. As J.R.R. Tolkien once wrote, "He that breaks a thing to find out what it is has left the path of wisdom." So long as people think that system penetration is a necessary skill for cyber security, we will stay on that wrong path.

And that is a great segue into the last of my three anniversary recognitions. Consider this quote (one of my favorite) from 1973 -- 40 years ago -- from a USAF report, Preliminary Notes on the Design of Secure Military Computer Systems, by a then-young Roger Schell:

…From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.

That was something we knew 40 years ago. To read it today is to realize that the field of practice hasn't progressed in any appreciable way in three decades, except we are now also stressing the wrong skills in developing the next generation of expertise.

Maybe I'll rethink that whole idea of going to give a talks on security and simply send them each a video loop of me banging my head against a wall.


PS -- happy 10th annual National Cyber Security Awareness Month -- a freebie fourth anniversary! But consider: if cyber security were really important, wouldn't we be aware of that every month? The fact that we need to promote awareness of it is proof it isn't taken seriously. Thanks, DHS!

Now, where can I find I good wall that doesn't already have dents from my forehead....?