I just returned from USENIX Security ‘05 in Baltimore. I stayed in Washington D.C., and it is not as close to Baltimore as many people think! I attended a tutorial on Tuesday and the Wednesday technical sessions.
Butler Lampson of MIT and Microsoft gave the keynote address on real-world security. He stated that real-world security is feasible only if it costs less in inconvenience than it is worth, is simple enough for users, and is simple enough for vendors. He listed the reasons we do not have real-world security today: people don’t pay for it ($$$$), and systems have become so complicated that they are full of bugs. He gave high-level reviews of locks, deterrence, and the access control model, and presented a trust model of security built on the “speaks for” relation.
Ben Shneiderman, Professor of Computer Science at the University of Maryland, discussed Human-Computer Interaction (HCI) opportunities for improving security and privacy. He reviewed the usability design goals and discussed the importance of usability in controlling security and privacy, as put forth by the CRA and the 2005 PITAC report. Professor Shneiderman offered three strategies for improving security usability: multilayer interfaces, showing users the consequences of their decisions, and information visualization to link relationships and to understand hostile events.
After lunch, Douglas Maughan, program manager at the Department of Homeland Security Science and Technology Directorate, discussed the issues and tools the department is currently working on. Mr. Maughan covered the research and development priorities at DHS, the importance of cybersecurity, and its scope. He engaged the audience on several contentious issues, such as the United States’ control of DNS. Mr. Maughan presented two DHS projects, DETER and PREDICT. DETER is a shared testbed infrastructure for medium-scale security research that supports repeatable experiments, and in particular experiments that involve “risky” code which cannot safely be run on a production network. The Protected Repository for Defense of Infrastructure Against Cyber Threats (PREDICT) is a repository of defense infrastructure data; the aim is to have private corporations donate real incident data for security researchers and academia to use.
Professor Avi Rubin of The Johns Hopkins University gave an update on his work on electronic voting in the United States. He spoke of his recent experience at the annual conference of state Chief Justices. Professor Rubin then discussed how many people in this country still do not believe that the problems with electronic voting are real.