Enigma 2023 Conference Program

The most ubiquitous kind of vulnerability that plagues modern computing is the memory safety vulnerability—where the underlying programming language doesn't inherently protect data structures in memory. When "memory unsafe" code fails, it can allow attackers access to arbitrary pieces of system memory, and potentially execution of malicious code. Over the years, writing code in memory safe languages, "sandboxing" memory unsafe code, and raising awareness around memory unsafety have been important steps in more generally protecting computerized and networked systems against this class of threats. But where are we at? What is the current state of memory unsafety? Join Yael and Amira from Consumer Reports, who are currently working on a report surveying the landscape of memory safety, in a fireside conversation with Alex Gaynor and Josh Aas, two key informants on the quest to squash this pernicious class of bugs.

Given the time and energy we spend worrying about the Internet‘s flaws, it’s easy to forget how the Internet makes our lives better in many ways. This talk will highlight one under appreciated aspect: how the Internet has the capacity to improve the human species by increasing pro-social interactions and reducing anti-social ones. The talk will also show how this scenario probably won’t be realized because of misguided regulatory efforts to “fix” the Internet.

While misinformation and disinformation is not a new threat, it is accelerated by social media platforms. High-stakes information like election-related information, health-related information, etc., has critical consequences on individuals and communities in real life, but it is muddled with mis/disinformation. Platforms use various technological measures and predictive machine learning tools to detect unlawful content like child sexual images, pornography, dis/misinformation. These technological measures have their merits to an extent, especially where platforms can act faster and at scale. At the same time, we increasingly see content falling through the crack due to false negatives and getting struck or taken down due to false positives.

One of the critical reasons social media posts fall through the cracks is that platforms are presently confined to content-level intervention in the absence of process-level clarity and intervention within the content moderation pipeline. This lack of process-level intervention causes platforms to utilise resources and time inefficiently.

Against this backdrop, in this talk, I discuss/propose a novel process-level intervention that would refine the content moderation pipeline and enable the efficient use of tools and resources across its entirety. I propose a “prevalence-based gradation process” (PBG) – a system that uses prevalence as an integral element for hard moderation to tackle mis/disinformation. The talk will also show how the PBG process would act as a means through which social media platforms can evaluate content using ex-ante measures and exercise optimal corrective action in a calibrated format adjusted according to the exposure level of the information.

Security and privacy can be kind of a bummer. Take a break and come watch a fake professor from a real university cover current events in tech policy, “SNL Weekend Update”-style. It’s not fake, it’s not an hour, and it’s probably not news to anybody attending Enigma.

Public interest researchers (such as journalists, academics, or even concerned citizens) testing for algorithmic bias and other harms can take much away from security testing practices. The Computer Fraud and Abuse Act, while intended to dissuade hacking, can be a legal barrier for public interest security testing (although recently much of this has been cleared up by the courts). Similarly, researchers trying to test for algorithmic bias and other harm in the AI space run into similar CFAA barriers when tinkering with algorithms. AI researchers can look to legal and practical techniques that security researchers have done in the past. This includes apply for DMCA exemptions for narrowly tailored objectives, promoting the use of bug bounty programs but for AI harm, and more. We provide practical and policy recommendations that stem from security researchers that AI testing experts can advocate for in attempts to remove legal and practical barriers that prevent this kind of research.

Open source software has an important role in our everyday-lives: as foundation, glue, or tooling, open source constitutes many important links in the software supply chain. But the openness of this ecosystem brings unique (security) challenges, including code submissions from unknown entities, limited developer-hours & tooling to review commits or dependencies, and the necessity to vet included open source components. Through the results from interview studies with contributors of open source projects, companies that use open source components, maintainers that distribute their packages on open source packages repos, as well as developers that create reproducible software, we examined the security and trust processes and considerations in the open source supply chain, especially those that are not directly visible on a data level and can only be understood through engagement with the open source community.

During this talk, I will introduce the different aspects and challenges of security and trust in the open source ecosystem to a wider audience, highlight interviews as a collaborative, less harmful approach for open source research that positively engages with the community and creates excitement for academic research, and share practical advice on how to improve security in the software supply chain by enabling stakeholders such as maintainers and contributors.

From the recent Twitter data privacy breakdowns to the role of Big Brother, whistleblowers are society’s eyes and ears to abuses of power that betray the public trust. Likewise, Congress relies on these courageous individuals to sound the alarm around threats to our civil liberties and conduct effective oversight.

The Office of the Whistleblower Ombuds, an independent and nonpartisan support office for the House of Representatives, will discuss the ways in which it advises Congress on best practices for working with whistleblowers from the public and private sectors – and how whistleblowers can also take precautions to protect their communications.

Drawing from the past five years working with public interest and investigative journalists, Harlo Holmes will share a variety of field notes she has gathered regarding the particular challenges journalists face using open source technologies on the job; including the complexities that have arisen before, during, and after COVID-19 lockdown across the globe.

We still need privacy policies even if nobody reads them, but they fall short as effective communication and education tools. What else can organizations do to ensure customers and users are adequately informed about data use and data rights? Time for privacy to show creative flex.

Smart home devices are becoming increasingly popular in our living spaces. Wearable devices that let you capture photos and videos in the moment, without taking out your phone, are designed to take with you everywhere you go. In the future, augmented reality (AR) glasses will feature a wide variety of cameras and sensors for capturing and understanding your surroundings. Because these devices transcend the keyboard, many of them feature sensors that are always-on, such as the wake word engines of smart voice assistants. Yet, despite thier many benefits, these emerging computing platforms also present new classes of security and privacy challenges to users and bystanders alike.

As these devices are gaining adoption, there are two evolving hardware privacy features that promise awareness and user control over sensor privacy - the Recording Indicator LED light and the Privacy “Mute” Switch. However, very little has been published on their design and security. How do these features work? Are they trustworthy? What does the LED actually mean?

This talk will describe these hardware privacy mechanisms and explain in detail their design, purpose, and security properties. We'll explore the constraints and trade-offs that influence their function and discuss the importance of hardware security assurance. I’ll clarify what privacy LED indicators mean, don't mean, and why augmented reality poses new challenges to their semantics.

These privacy features are deceptively simple and evolving. To preserve their meaning and potential for trustworthy privacy protection, we need to come together as an industry and align on new security and privacy standards.

While the most advanced digital watch in 1980 asked us to manually enter and store our phone book on the watch, modern smartwatches are sending our GPS location pings and heartbeat each second to unknown cloud machines which you know nothing about! To tackle this information void of where our data flows, various regulations and privacy frameworks have been developed. While there are multiple stakeholders such as lawyers and privacy officers in privacy conversations, the onus falls on the developers to eventually write code that respects those regulations - or fix issues that got introduced. In this talk we discuss how tried and tested static analysis techniques such as taint tracking and dataflow analysis can be used on large code bases at scale to help fix privacy leaks right at the source itself. What does it take to build such tooling? What challenges would we face and how can you, a developer or a privacy engineer fix privacy bugs in code!

The role journalists play in reporting cybercrime is often more complicated than we imagine. What if you're contacted by a source involved in a crime? What obligation, if any, do journalists have to law enforcement, victims, and the general public? This panel of seasoned journalists will share their experiences from real investigations.

In InfoSec, many closely held beliefs, commonly accepted best practices, and accepted ‘facts’ are just wrong. These myths and lies spread quickly. Collectively, they can point security teams in the wrong direction. They can give rise to ineffective products. They often make their way into legitimate research, clouding results.

"Sixty percent of small businesses close within 6 months of being hacked."

There's a good chance you've seen this stat before. It has no basis in reality. The available evidence suggests quite the opposite.

"Attackers only need to get it right once, defenders have to get it right every single time."

This idea has been repeated so often in InfoSec that it has become generally accepted as a true statement. It isn't just wrong, it's demotivating and encourages defeatist thinking that can sink the morale of a security team.

Most of the myths and lies in InfoSec take hold because they seem correct, or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups.

This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.

This talk compiles some of the most interesting research I’ve done over the past decade. My goal is to convince you to treat vendor claims, commonly accepted industry statistics, and best practices with healthy skepticism. You don't need to be a data scientist or OSINT expert to test theories and discover the truth - you just need to sacrifice a bit of your time now and then. I'll show you how.

Information security is often seen as a drain on the organization and defenders struggle to prove the value of their decisions to the rest of the organization. Security teams usually consider the narrow benefits of implementing a defensive measure for their own goals while ignoring the variegated costs they impose on the organization, its employees, its users, and even society. Therefore, information security is in continual danger of suboptimal outcomes and missed opportunities.

Opportunity cost can help transform information security programs from an organizational drag to an uplifting force by considering the foregone benefits of alternative options. This talk explores the importance of opportunity cost in security decision making and why defenders must incorporate different forms of cost in every decision. Drawing on cross-disciplinary research on opportunity cost in complex system domains, we will examine the tangible and intangible costs and effects that practitioners must take into account when evaluating defensive options. Through this lens, we’ll discuss negative externalities beget by security investments and how “cost” is far more than just money. To make these concepts more concrete, we’ll close with practical examples from the realm of application security to demonstrate why opportunity cost – and an appreciation of the kaleidoscopic nature of "cost" – is essential when making defensive decisions.