Friday Night Keynote
Rethinking Passwords by Bill Cheswick
We’ve known that passwords have been inadequate for over thirty years, and they have only gotten worse. Can we escape the varying eye-of-newt password rules that plague everyone’s online lives? Can we get grandma safely to the other side of the authentication street? I will review some of the many research ideas that have been proposed, and offer some suggestions toward getting us out of this thicket.
Bill Cheswick logged into his first computer in 1968. Seven years later, in 1975, he graduated from Lehigh University with a degree resembling Computer Science. Cheswick has worked on (and against) operating system security for over 35 years. He has worked at Lehigh University and the Naval Air Development Center in system software and communications. At the American Newspaper Publishers Association/Research Institute he shared his first patent for a hardware-based spelling checker, a device clearly after its time.
For several years he consulted at a variety of universities doing system management, software development, communications design and installation, PC evaluations, etc.
Ches joined Bell Labs in December 1987, where he became postmaster and firewall administrator and designer. In 1990 he published a paper on firewall design that coined the word "proxy" in its current meaning. He followed this with "An Evening With Berferd", and then the publication of "Firewalls and Internet Security: Repelling the Wily Hacker", co-authored with Steve Bellovin. This book taught Internet security to a generation of administrators. In 1998, Ches started the Internet Mapping Project with Hal Burch. This work became the core technology of a Bell Labs spin-off, Lumeta Corporation. Ches has pinged a US nuclear attack submarine (distance, 66ms).
During his sabbatical over the winter of 2007 he worked on science museum projects, including an upgrade for the Liberty Science Center’s digital darkroom.
He joined AT&T Research in Florham Park in April 2007 and is working in security, visualization, user interfaces, and a variety of other things. He is a frequent keynote speaker at security conferences.
Ches has a wide interest in science and medicine. In his spare time he reads technical journals, hacks on MythTV and his home, and develops exhibit software for science museums. He eats very plain food—boring by even American standards.
Saturday Afternoon Keynote
The Black Swan and Information Security
by Rebecca Mercuri, Ph.D.
Notable Software, Inc.
The economic theories proposed by Nassim Nicholas Taleb in his book “The Black Swan” have strong parallels in information security. Indeed, the concepts of robustness and risk assessment discussed in Taleb’s writing are also well known to those who design software and systems intended to withstand attack. Such assaults on computers, networks and data are now so commonplace that if these threats all suddenly vanished, this would likely constitute a Black Swan Event. Whether a successful and novel attack should also be considered a Black Swan, however, is debatable. This talk will compare the shortcomings of bell curve (Mediocristan) and power law (Extremistan) event models. The idea that outlier occurrences should be considered more “normal” will shed light on new methods for recovery and mitigation. Attendees need no formal knowledge of statistics or economics in order to appreciate the concepts discussed in this talk.
Rebecca Mercuri is the lead forensic expert at Notable Software, Inc., the company she founded in 1981. Her caseload has included matters involving contraband, child endangerment, murder, computer viruses and malware, wrongful work termination, class-action suits, copyright and patent infringement, and election recounts (most notably Bush vs. Gore). Dr. Mercuri has provided formal testimony and comment to the House Science Committee, the U.S. Commission on Civil Rights, the Election Assistance Commission, the National Institute of Standards and Technology, the U.K. Cabinet, and numerous state legislatures and municipal bodies. She is a senior life member of the Association for Computing Machinery, where she authored the Security Watch feature and numerous guest columns of Inside Risks for Communications magazine. Rebecca is currently the Chair of the IEEE Princeton / Central Jersey Section.