About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comnments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

07 November 2006

Reflections: ACM CCS 2006 and ACM STC 2006

I had been meaning to do a review earlier, but I have been busy exploring Scotland instead (and proof reading Honours Project reports) :p

To be honest, the program for the main ACM CCS 2006 was not very exciting; mainly because there was too much focus on cryptography, and less on security of systems in general. Also, I ended up at times choosing the wrong sessions - I went to a tutorial on Digital Forensics, where I learnt nothing new; and was a horrible presentation; and I later heard that the alternate, intrusion detection research papers, was quite good. Similarly, the paper sessions on Thursday turned out to be quite dreary; while I heard great reviews on the tutorials ... oh well.

The keynote talk, by Peter Neumann, while interesting at parts, was largely inconsequential - as he was effectively talking to the converted. His talk centred around software design that does not take account of the full scenario - and thus leads to security pitfalls. This has to do with a lot of things, including bad design principles and off course the lack of software liability.

The most interesting paper on Day 1, was "Hot or Not: Revealing Hidden Services by their Clock Skew", which investigated the potential of revealing a person's geographical location by studying his/her clock skew due to temperature fluctuations. It was a fun discussion; although maybe not very applicable.

Day 2 had a couple of interesting papers, mainly dealing with privacy. "Doppelganger: Better Browser Privacy Without the Bother", discussed a new cookie management system using Firefox extension. Not recommended for UCT though - requires quite a bit of bandwidth to work :p The very next paper, "Fourth-Factor Authentication: Somebody You Know", was also an interesting idea, discussing how to manage password retrievals in a more secure manner.

The paper in the session after lunch, "How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication", featured a brilliant presentation, and the content was interesting, but I don't think it will be easy to implement such a system in real life. The last session featured various attacks, and these were, as always, very interesting; including a discussion on botnets created through browser exploits, a discussion of 1-time pad problems in current software and a paper on short attacks through keyboard emanations - not as effective as last year's paper, but more useful for short attacks. Day 3 featured interesting papers but I wasn't really bowled over by any of them.

The Scalable Trusted Computing Workshop, on Friday was quite interesting - although the papers focussed more on "scalable" aspect. I learnt a lot more about the Trusted Computing Group, and even made some interesting contacts, so it was good from that point of view.

The highlight of the conference though, was probably, meeting Michael Schroeder (of Needham-Schroeder fame), who was being honoured by SIGSAC for his contributions to computer security. When we were talking, he mentioned reading about mobile banking in South Africa in the Economist, and he was very interested in the results of the honours mobile banking project. So, if we reference his paper, I am sure it is already one step to publishing (and the honours guys haven't even officially finished)!

No comments: