Keynote by Enrique Salem, CEO of
Symantec, talking about Digital Natives - those born in the 1990s never knowing a non-web-connected world vs. Digital Immigrants, those of us who had to migrate to the Web and learn the language. Digital Natives are wired for social and as such create new challenges for security and a new of thinking about how to keep information "in" rather than keeping bad guys out. When everything is interconnected and linked, bad guys can get quite a complete picture of who you are and potentially use that to their advantage.
Symantec looking ahead to software that is context-aware, policy aware, auto-encrypting and that can learn and adapt.
Award given to Texas Rep Mac
Thornberry for his report on
Cyber Security. Who is Mac Thornberry? Seems worth a look.
Math Award given for differential and linear cryptanalysis tool used to analyze goodness of block ciphers.
Then the always interesting Cryptographers Panel with Whitfield
Diffie (of
Diffie-
Hillman Key Exchange Protocol) and two of the
RSA founding father letters -
Rivest and
Shamir, talking about the state of
crypto and the recent findings about weakness of some
RSA keys, apparently attributable to the weakness of one or more random number generators. It ain't easy to crank out truly random numbers on a regular basis!
Also mentioned
on the panel, a quote from Mike McConnell, former Admiral and head of NSA: "No company can ever really protect itself from attack". The assumption must be that "they are in and we have to live with it..". This led to discussion of how we need to apply science to the effectiveness of various defenses - what works, what does n0t.
Shamir then made the comment "What happens when your cloud goes away, as it did recently when the government shut down a cloud provider and
everyone's files were lost. Moral: even clouds need backup lest they turn to vapor..
Another
interesting panel on Advanced Persistent Threats (acronym = APT). Conversations about new generation of attacks and attackers that don't go away, they keep coming, persistently to continue to test for vulnerabilities - sponsored by who knows, nation states, large criminal networks. Bottom line: folks with money and resources are active and it's necessary for companies to understand their role in their supply chain and how they may be targeted not for what they have but for what they have access to. In many ways its about "big data". New grads should understand how to work with and analyze big data - have some clue about tools such as Map Reduce and R, in addition to the basics:
MySql and Object technology.
The Bruce
Schneier session was packed, and Bruce was
rockin as usual. He talked about new threats - not from the standpoint of bad guys out there but from us - how the rise of "big data" has led to aggregation of data about us, by Google, Apple, Amazon who are really advertising companies, desirous of gathering all they can about us, competing with each other to be "the" company that monetizes data about you. He sees this as a war against general purpose computing, where the devices we use will matter less and less since everything will be in the cloud. The net effect: we will be less secure. Check out his site:
http://www.schneier.com/and sign up for his crypto-gram newsletter. I picked up a copy of his new book: Liars and Outliers. [while writing this, I got an automated call asking me to press 1 to validate my Google 411 Listing. I didn't even know I had a Google 411 Listing! Beware Big Data!]
Some sites to check out:
Travis
Goodspeed, respected security blogger:
http://travisgoodspeed.blogspot.com/And for the well received Checklist for Secure Mobile Devices:
http://www.sans.org/score/mobile-device-checklist.phpLots of concerns about the cloud, of course. Two recent events of interest:
1) Amazon XML Signature vulnerability
2)
Dropbox authentication bypass (someone apparently turned off password checking on the weekend??)