First, I have to find the damn registration desk. Hotels are like snowflakes — no two the same — and the conference location is often less than obvious. (This being a geek audience, someone is going to write me to point out that the snowflakes can be identical. Here’s a nickel kid, get yourself a nice hash algorithm.)
Up floor, down a hallway, around a corner… look, there’s a registration desk, but why are people wearing suits? Wrong conference. Oh, down the other hallway, there are people milling around with shorts and sandals. That guy with the ponytail… yeah, that's Rik Farrow. And there’s Casey Henderson busily doing something. Ok, found it. (No kidding, over the years this scenario plays out more often than not.)
This is going to sound a bit silly, but bear with me. As I head for the conference, it feels somewhat reminiscent of going home for a holiday, like Thanksgiving. You get packed up and take off for a few days. Walk in the door and there are the people busily running around getting everything prepared. There will be traditional events — dinner, watching games, playing games, the airing of grievances and feats of strength, etc. And most importantly, there will be the old friends, also just come into town, who will be fun to catch up with (and maybe a few not so much fun). There will be new people to meet. There will be some interesting arguments. Occasionally someone makes a scene. The wifi cuts in and out. Bread will be broken. And a good time will be had by all.
To me, that’s what a USENIX conference is about.
I’ve been going to The USENIX Security Symposium for almost 25 years. It’s one of my two favorite conferences. (The other is a small invite-only workshop, so there’s isn’t really a comparison.) Since then I have missed only a handful of USENIX Security Symposia, and most of those in the last few years — COVID and a couple of cross country moves kinda got in the way.
I approach this year with a combination of that nostalgia and curiosity, knowing that things had changed a bit since I last attended. 400(!) accepted papers alone was gonna make it interesting. And attendance is sold out! There are gonna be long lines at the coffee breaks…
I first attended USENIX Security in 1999. There were 18 papers plus 5 invited talks, across two tracks and two days. You only had to decide between paper and invited talk. And the invited talks were quite the lineup — Steve Bellovin, Marcus Ranum, Susan Landau, Paul Van Oorschot. There were a number of notable papers. Peter Gutmann talked about his cryptography framework. We had never met, but I asked him a question in the hallway afterward and we eventually became good friends. Alma Whitten presented a really good paper, an empirical study of the usability of PGP, which I have referred to numerous times over the years — a great example of how getting security right is not just a matter of technology, it’s about the people too. Matt Blaze was there too, he presented a WIP on trust management.
Okay, I’m registered, badged, I’m official. Off to the opening remarks and see some paper presentations.
My first reaction when I heard there were 400 papers was that I was going to miss a lot of interesting stuff, and then I found out that the videos of all of them will be online. The interesting upside of so many papers is that the session topics were very coherent. Usually it’s a bit hit and miss as to whether there’s a talk I want to hear — not that they’re bad, just some topics aren’t in my wheelhouse. Like I’m not a cryptography nerd. But here there are entire sessions that are interesting. There's one just about logging. I remember a time when I couldn’t get people interested in talking about logging anything but network/firewall logs, and here were papers on how to improve system and application logging.
I find myself in the track titled “Interpersonal Abuse,” (there's a session on interpersonal abuse!) listening to the talk on The Digital-Safety Risks of Financial Technologies for Survivors of Intimate Partner Violence. While the paper itself is good, what I really find interesting is how far we’ve come since my first Security Symposium. Then we were mostly concerned with pretty basic security technologies — cryptographic frameworks, VPNs, graphical passwords; there was one paper on usability, albeit a very interesting one. But now I’m listening to someone talk specifically about IPV and how security interfaces can enable an abuser, a subtlety of HCI that not only wasn’t on the radar in 1999, it wasn’t even in the same galaxy.
And of course there’s the Hallway Track.™ In 1999, the Hallway Track jump-started my career; I ran into Tom Perrine there, and it turned out he was looking to hire someone at the San Diego Supercomputer Center. We talked a bit, and a few months later I started there, in the Security Group. Not to downplay the value of the presentations, but the Hallway Track has often been my favorite part of the conference. I’ve met numerous great people over the years who have become good friends, collaborators, and advisers. I’ve come up with paper topics there.
There are lots of memories. Nitrogen ice cream in Vancouver with Bill Cheswick. Mudge standing on a table shouting my name because I’d just won an MP3 player in a raffle. Peter Neumann playing piano at the after-party while people stood around the piano singing along. Thai food with Marcus Ranum. Sandy Clark, always in a striped cricket blazer, telling me about the latest thing they’d managed to break. Dinner with Perry Metzger, where we talked about anything but security and avoided having an argument about it.
So this year, the first non-USENIX person I see in the Hallway Track is my old friend Aashish. We’ve known each other for over 20 years now (!), but like many people, I hadn’t seen him in maybe five years. Lots to catch up on. And it turns out that he might have some work that I can help with.
Years ago I met Simson Garfinkel while sitting in a hallway, he looked over my shoulder and asked why I was using a terminal emulator on my Mac when the OS had such a nice user interface.
Sometimes I'm a little late to the conference lunch — a paper runs over or the hallway track is particularly engaging. So I end up at a table where I can find a space, which usually leads to meeting someone new. This time it’s with Yoshi Kohno and his students. I ask the grad students how they like the conference. They talk about the food (and complain about the snacks at the break).
My first few USENIces, I rented a car at the airport. But then I realized that I ended up driving to the conference hotel, parking the car, and then not driving again until leaving for the airport. Some years, I never even left the hotel — not because I’m boring, but there was simply so much socializing happening on-site.
Now I’m at another paper session. This one has a pre-recorded presenter. It’s my first post-Covid USENIX; it takes me a moment to realize the speaker is not in the room, he’s a corner of the projection. The talk is pretty well polished — the speaker is clear and well organized — as are the other remote talks that I end up at. There’s the advantage of pre-recording the talk — you can keep doing it until you get it right. (For that matter, every talk I went to was pretty well done. Maybe people are just getting better at it.)
Two things I notice that are a bit different. The crowd size at each of the talks is pretty small. That’s partly an artifact of there being so many tracks. And there aren’t so many questions, which in turn could be an artifact of smaller crowds. Maybe there are more in the Slack channel.
There used to be a thing at question time — coming up to the microphone to tell the speaker how they were completely wrong. (Did I hear someone say “Peter Honeyman?”) Seemed to almost be a competition. I don’t see any of that happening here. Maybe everyone’s getting a bit more considerate?
The next hallway track I get to say “hi” to Steve Bellovin. Matt Blaze strolls in; he has just flown in from Defcon. Another person I haven’t seen for five years; I’ve moved cross country twice since then. We spend a while catching up.
I got to be around and part of some notable events over the years. Ed Felten’s presentation on breaking SDMI copy protection when the RIAA threatened to sue him to prevent publication, after they had issued a public challenge to break it. Matt Blaze on a panel discussing malicious cryptographic code found in Cisco’s IOS, saying that we’d spent too much time worrying about attackers sniffing networks instead of supply-chain vulnerabilities — years before Solarwinds was a thing. Marcus Ranum and Bill Cheswick in a kerfuffle over Bill sniffing the network, which led to me hosting a panel on ethics at the next conference, and USENIX updating their AUP for wireless use. One of the first panels on voting security, with Perry Metzger chewing out the voting company reps. (After several minutes of Perry ranting — intelligently, and he is usually right — the moderator asked Perry if he actually had a question. He exclaimed “No I don’t!” and sat down. The whole room laughed.) Alma Whitten’s paper on PGP usability, where they actually tried teaching civilians to use PGP (and showed how difficult it was) — an actual real-world human-subjects usability survey, at a time when most security nerds thought usability meant having graphics instead of text (and there was a paper on graphical passwords the day before).
The reception is another great place to wander into conversations and meet people (and although it’s technically not dinner, the food is often sufficient for a meal). Again I go asking for feedback on the conference. The results are mixed. Some people find so many papers overwhelming, others like having enough choices that there’s always something interesting.
The reception is where we recognize our peers' accomplishments. Test-of-time awards, lifetime achievements, that sort of thing. And now, Susan Landau, Steve Bellovin, and Matt Blaze are all getting the Flame Award. It was a little disappointing that half the room didn’t seem to be listening.
The lightning talks are a relatively new development, and in addition to being a good way to find out about talks one might want to attend, they’re always a lot of fun. They really bring out the creative side of the authors, and have a lighthearted approach to the talk that most presenters don’t show in their full presentation. The lightning talks aren’t recorded; ya had to be there.
I do notice over the three days, the paper tracks do seem to be creating more competition with the hallway track — there aren’t as many people hanging out in the hallways during the sessions. And there are a lot of people around; did I mention the Symposium was sold out?
The Hallway Track is also a great place to find dining partners for lunch and dinner — another opportunity to have an interesting conversation, maybe discover a nice restaurant, or have a good steak with Bill Cheswick (though he and I don’t see eye-to-eye on Arby’s). Perry Metzger and I got to know each other because we ended up across the table from each other at a group dinner.
The breaks between papers provide a good opportunity to see a large cross-section of the conference, as everyone comes pouring out of the meeting rooms for the refreshments. What strikes me is how many young people I see — partly a sign that I’m getting older — and how diverse the crowd is — it’s definitely not as male dominated as it used to be.
Naturally with so many newer, younger people there are a lot of faces I don’t know. That's partly because the conference is sold out, so there are around a thousand people hovering around the coffee service, talking and getting caffeinated. An amazing amount of energy in the room. But it also seems that I’m not seeing as many familiar faces. I know a few who have retired, but some other “regulars” are co-authors of the papers, they just didn’t come this year.
Poster sessions are also a fun place to socialize and see what students are working on. I stop to talk to a couple of presenters whose work catches my eye. In both cases I ask if they’ve read Reflections On Trusting Trust [1] (it relates to their work.) Neither of the two had even heard of it. I’m not sure what to make of that.
Another long-standing unofficial event at the conference was the semi-secret after-party (c.f. Peter Neuman + piano, above). One of the hotel suites, a table full of booze and snacks, and people talking (or singing) into the wee hours. There might be some shouting, especially if Peter Honeyman was there. I recall several different times sitting in a corner with Marcus and Ches, thinking of new ways to break the Internet, with tacit understanding that we keep it to ourselves. I think one or two of those ways might still work.
I don’t know if they had a party this year; I heard some rumors that they’d petered (but not honeymanned) out. Being local-ish, I had to head back home early Friday evening. And now being self-employed, I had some early morning telecons during the week which weren’t very compatible with staying up late, plus some work to do in the evening. So I didn’t ask.
I ended my Friday in the Hallway Track again, in a great conversation about how hard it is to teach an intro to programming class, amongst other things.
And then I got in my car, and as I wound my way through LA traffic, I reflected on why I like going to USENIX Security…
The papers, I can read those online. I can email the authors and ask questions. I can review results, analyze algorithms, and probably grok the paper better that way than from 15-20 minutes of presentation. And of course, now the presentations are recorded too.
Being at the conference is about seeing old friends, making new ones. Having long geeky discussions and debates, coming up with new ideas, finding synergies. Learning about things I’d like to pursue further. Sparking a collaboration that leads to something interesting.
And of course there are one or two people that I’d just as soon avoid. Just like going home for Thanksgiving.
In the end, it’s really about the people.
And the WiFi worked great.