
25 October 2006

Reflections: WESII

For the last two days, I have been attending The Workshop on the Economics of Securing the Information Infrastructure, sponsored by I3P. It was quite an interesting conference bringing together people from different disciplines including computer security, economics and social sciences. A lot of the content did revolve around policies; but unlike ISSA, the content was much more constructive, and dare I say, more useful.

There were a few really interesting discussions and topics; so I will briefly discuss them - maybe some of you have something to say about them ...

First up, there was a panel discussion on DNSSEC, including a very quick demonstration of how quick and easy it is to actually commit DNS spoofing attacks. Considering the fact that DNS forms the backbone of the Internet (from the user's perspective), a secure DNS solution is really important. In summary, DNS entries themselves are not verifiable, and, like the paper I am going to present next week at the DRM workshop, there is no verification service currently available for DNS. This means that a man-in-the-middle attack is a very possible scenario for DNS, because in the current DNS setup the first response received to a DNS query is taken to be the correct one. For a spoofer, it is therefore possible to redirect any DNS query, and a malicious attacker can really cause a lot more damage than phishing attacks. DNSSEC seems like a good solution; but implementation is the problem, as it requires every top-level domain controller to actually do it, and also to enforce that others carry on.
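The first-reply-wins behaviour described above, as an added example that is not from the workshop or the original post: an unvalidating resolver keeps the earliest reply, and a monitor can flag queries that drew replies with different answers. The record fields, names and addresses are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Response(NamedTuple):
    t_ms: int    # arrival time, in ms after the query was sent
    txid: int    # transaction ID echoed back from the query
    qname: str   # name that was asked for
    answer: str  # A record carried in the reply


# Constructed sample replies (documentation address ranges), not captured traffic.
RESPONSES = [
    Response(4, 0x1A2B, "www.example.com", "203.0.113.66"),   # early reply
    Response(31, 0x1A2B, "www.example.com", "192.0.2.10"),    # later, different answer
    Response(12, 0x3C4D, "mail.example.com", "192.0.2.25"),
    Response(15, 0x3C4D, "mail.example.com", "192.0.2.25"),   # duplicate, same answer
]


def first_wins(responses):
    """Model a resolver with no validation: the earliest matching reply
    for each (txid, qname) is kept and every later one is ignored."""
    accepted = {}
    for r in sorted(responses, key=lambda r: r.t_ms):
        accepted.setdefault((r.txid, r.qname), r.answer)
    return accepted


def conflicting_replies(responses):
    """Heuristic check for a monitor: return the queries that received
    replies carrying different answers, in arrival order. Identical
    duplicates (retransmissions) are not flagged."""
    seen = defaultdict(list)
    for r in sorted(responses, key=lambda r: r.t_ms):
        seen[(r.txid, r.qname)].append(r.answer)
    return {q: answers for q, answers in seen.items() if len(set(answers)) > 1}


if __name__ == "__main__":
    for (txid, qname), answer in first_wins(RESPONSES).items():
        print(f"accepted {qname} -> {answer} (txid {txid:#06x})")
    for (txid, qname), answers in conflicting_replies(RESPONSES).items():
        print(f"conflict {qname} (txid {txid:#06x}): {answers}")
```

The check only notices a conflict after the fact; it does not tell which reply is genuine, which is the gap signed records are meant to close.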

Two papers at the end of the first day were also quite interesting. There was a discussion on modeling black markets for software vulnerabilities; a scenario that already exists with botnets - but can seemingly also extend to any malicious intent; just like the arms trade I suppose.

But it is the last paper that I am really excited about. Bob Briscoe from British Telecoms presented an idea on how to control congestion on the Internet, allowing users an equal share of the bandwidth pie. The proposal raises the potential for real quality of service guarantees for Internet access; but at the same time provides a very real solution for denial of service attacks. It is a very neat idea, and is definitely a paper I intend following up on.

One of the interesting papers from today was the analysis of the value of data, using techniques similar to the insurance industry. The paper discussed how data can be valued, and why the valuation easily explains why the uptake for some security products like disk encryption and email encryption is so low. Can't really say I agreed with the values; but the approach made sense overall.
