Summit Program

All sessions will be held in Regency B unless otherwise noted.


Tuesday, August 13, 2013

8:30 a.m.–9:00 a.m. Tuesday

Continental Breakfast

Hall of Battles

9:00 a.m.–9:45 a.m. Tuesday

Discussion 1

The Death of Passwords

Discussion Leader: Joseph Bonneau, Google

Academic research over the past five years has produced many exciting results on authentication, thanks to the availability of large password datasets and large behavioral studies using Mechanical Turk. Yet it's unclear if we are any closer to killing passwords. This session will include a talk by Joseph Bonneau contrasting his academic password research with his industry experiences at Yahoo! and Google, arguing that Web authentication at scale consists of different problems than those typically considered in academic research. The discussion will focus on what problems academic research should focus on as authentication systems at large Web providers grow increasingly complex.

9:45 a.m.–10:30 a.m. Tuesday

Discussion 2

Eroding Trust and the CA Debacle

Discussion Leader: Jeremy Clark, Concordia University

The cracks are becoming increasingly apparent in the certificate infrastructure supporting SSL/TLS, which is used for establishing "secure" HTTPS (HTTP over SSL) connections to Web sites. The sophistication and difficulty of attacking the TLS protocol directly has shifted attention to this infrastructure, including its reliance on human factors, and many attacks have been hypothesized and/or executed in the wild. As the number of browser-trusted (and thus de facto, user-trusted) certificate authorities has proliferated, the due diligence in baseline certificate issuance has declined. In response, numerous mechanisms and protocol extensions have been proposed, with many under active development. This session explores these related research trends and the competing visions they present, as we attempt to determine a path forward. The planned format is presentation plus group discussion.

10:30 a.m.–11:00 a.m. Tuesday

Break with Refreshments

Hall of Battles

11:00 a.m.–11:45 a.m. Tuesday

Discussion 3

Privacy Considerations of Genome Sequencing

Discussion Leader: Jean-Pierre Hubaux, École Polytechnique Fédérale de Lausanne

Millions of human genomes will be fully sequenced in the coming years, yet security researchers have just begun to look at how to protect the data. In recent years, whole genome sequencing (WGS) evolved from a futuristic-sounding research project to an affordable technology for mapping complete human genome sequences. This prompts a wide range of revolutionary applications for improving modern healthcare and providing a better understanding of how the human genome relates to disease and response to treatments. By the same token, this progress raises worrisome privacy and ethical issues, since, besides uniquely identifying its owner, the genome constitutes a treasure trove of highly personal and sensitive information. Some laws exist, but they are very difficult to enforce. In this session, we will summarize recent advances in genomics and describe important privacy issues associated with human genomic information. Then, with the whole audience, we will discuss how the research community can respond to this formidable challenge.

11:45 a.m.–12:30 p.m. Tuesday

Discussion 4

Crypto APIs

Discussion Leader: Matthew Green, Johns Hopkins University

For decades the security community has waited for cryptographic software to become ubiquitous. To some extent we've achieved that goal—hundreds of modern applications employ strong cryptography. Many of these applications are not security tools per se, which means that non-expert developers have increasingly become consumers of cryptographic technology. Unfortunately our cryptographic libraries have not been redesigned with this consumer in mind. Most of the popular libraries sport complex and non-intuitive APIs that present the developer with numerous choices, many of which are insecure. The result is that even experienced developers routinely select dangerous combinations. The visible consequence is a superabundance of security vulnerabilities in recent cryptographic software, including: SSL implementations that fail to properly check certificates, widespread use of unauthenticated encryption, RSA with exponent 1, and the continued use of dangerous and obsolete encryption padding schemes.

These flawed library APIs are often viewed as a mild eccentricity, or at worst a way to dissuade non-experts. In this session I argue that this view is fundamentally dangerous and counterproductive. Thousands of open source projects currently list OpenSSL's libcrypto as a core dependency—and a surprising number are finding their way into critical niches within our ecosystem. Indeed, years of careful security research are often foiled by the design of library interfaces. Perhaps worst of all, these legacy APIs are being reflected in brand new efforts such as the proposed W3C Web Cryptography API for browser-based cryptography. As a consequence, we'll be facing these problems for years to come.

In this session we'll discuss the future of cryptographic APIs, ranging from libraries to encryption applications. We'll discuss the difficulty of using these tools correctly and how cryptographers and security researchers can contribute to actually making them useful.

12:30 p.m.–2:00 p.m. Monday

Summit Luncheon

Regency A

2:00 p.m.–2:45 p.m. Tuesday

Discussion 5

Balancing Academic Freedom and Responsibility in Security Research

Discussion Leaders: Dan Wallach, Rice University; Kurt Opsahl, Senior Staff Attorney, Electronic Frontier Foundation (EFF)

The computer security community—researchers and vendors—seemingly have all agreed on a common standard of responsible disclosure. Researchers are expected to give vendors a suitable advance start to address inadequacies, and vendors are expected to actually fix their inadequacies, knowing that public disclosure is coming. Unfortunately, when security vulnerabilities impact companies from outside our immediate community, ranging from the music industry through voting system vendors to RFID cards, the shared standard of responsible disclosure seemingly falls apart. We'll review some of the history of how we got here and where we're going. Should the security community—and the computing community at large—back down when faced with legal threats to the disclosure of our research? If not, how should we fight back? How do we balance academic integrity, sharing knowledge for the greater good, and the law?

2:45 p.m.–3:30 p.m. Tuesday

Discussion 6

Security, Usability, and Why We Have Neither

Discussion Leader: L. Jean Camp, Indiana University

Two decades after "Why Johnny Can't Encrypt" and a decade after "Users Are Not the Enemy," usable security is still the exception rather than the rule. Is it that there is something unique about usable security as opposed to usability in other domains? Or is this a cultural issue? This session argues for both sides of the argument, for security being a distinct problem that is ill-suited to the cultures of user-centered design.

3:30 p.m.–4:00 p.m. Tuesday

Break with Refreshments

Hall of Battles

4:00 p.m.–4:45 p.m. Tuesday

Discussion 7

Security and Privacy for Wearable Computing

Discussion Leader: David Wagner, University of California, Berkeley

Wearable computing is coming. Are we ready? Get ready for devices that will be recording everything around them—video, audio, you name it—and uploading it to the cloud for analysis. How do we manage the security and privacy risks? How do we establish a foundation for security and privacy? What problems should the security community be thinking about now, to ensure we are ready for the future?

© USENIX