Biometrics: Hold On, Chicken Little

Topic: Computer Security
10:11 am EST, Jan 26, 2002
Lucas Mast responds to Dorothy Denning's "Why I Love Biometrics" article. On Thursday, January 24, Joseph Atick of Visionics, Mark Rotenberg of EPIC, Dorothy Denning of Georgetown, and John Woodward Jr. of RAND met at The Cato Institute in DC for a policy forum on the topic of biometrics. Three documents, including this one and "Nameless in Cyberspace" (which discusses Georgia's HB1630), were distributed to attendees.
'Why I Love Biometrics' | Dorothy Denning in InfoSec Magazine

Topic: Computer Security
1:36 pm EST, Jan 20, 2002
Author and professor Dorothy E. Denning explains why good biometrics systems will succeed without keeping secrets. Both direct and concise, it's worth reading. She mentions two startup companies whose biometrics technologies look promising.
Workshop on Economics and Information Security

Topic: Computer Security
7:23 pm EST, Jan 15, 2002
Very cool and important topic for a workshop. SF crew, check it! Members of the program committee include Hal Varian, Ross Anderson, Li Gong, Andrew Odlyzko, and Bruce Schneier. Get to work on your position paper ... time's a-wasting!

"Do we spend enough on keeping 'hackers' out of our computer systems? Do we not spend enough? Or do we spend too much? Many system security failures occur not so much for technical reasons but because of failures of organisation and motivation. For example, the person or company best placed to protect a system may be insufficiently motivated to do so, because the costs of system failure fall on others. Such perverse incentives raise many issues best discussed using economic concepts such as externalities, asymmetric information, adverse selection and moral hazard. They are becoming increasingly important now that information security mechanisms are not merely used to protect against malicious attacks, but also to protect monopolies, differentiate products and segment markets. There are also interesting security issues raised by industry monopolization and the accompanying reduction in product heterogeneity. For these and other reasons, the confluence between information security and economics is of growing importance.

We are organising the first workshop on the topic, to be held in the School of Information Management and Systems at the University of California, Berkeley, on the 16th and 17th May 2002. In order to keep the event informal and interactive, attendance will be limited to about 30-35 participants. If you would like to participate, please send us a position paper (of 1-2 pages) by the 31st March 2002. We welcome interest not just from economists and information security professionals, but from people with relevant experience, such as in the insurance industry, corporate risk management, or law enforcement agencies."
Secure Communications Operational Tradecraft [PDF]

Topic: Computer Security
1:47 pm EST, Jan 12, 2002
"How Not To Be Seen" Published on 11 January 2002, this 16-page document from Decision Support Systems, Inc. explains the purpose of "SCOT", discusses best practices, highlights weaknesses in and attacks on SCOT, and more. There are lots of other papers listed on the company's web site (metatempo.com), including "Applications of Memetics" and "Memetic Engineering-PsyOps and Viruses for the Wetware". The "Wetware" paper was published in 1993 and is also hosted online by 7Pillars Partners. (DSSi and 7Pillars are partner firms.)

The firm is self-described in this way: "DSSi is a collective of high-tempo, multi-disciplinary, self-organizing, and experienced professionals with a wide range of cross-domain expertise, from international economics, finance, and operations, to technology development, security, intelligence, and cognitive sciences. We combine such domain expertise with a deep understanding of the rapidly evolving international environment to help clients improve the value of their operations, reframe their strategic position or brand, improve their business processes continually, and implement custom solutions in order to thrive on the increasing complexity of modern global political economies."
Cybersecurity Today and Tomorrow: Pay Now or Pay Later

Topic: Computer Security
8:56 pm EST, Jan 10, 2002
The National Academy of Sciences has made available a prepublication copy of this report on "cybersecurity." David Clark, Butler Lampson, Don Norman, David Patterson, Herb Lin, and others on the Computer Science and Telecommunications Board produced this report. Reviewers include Steve Bellovin, Carl Landwehr, and Fred Schneider.

Excerpts of the summary from 01/09/02 NYT: "[O]ur ability and willingness to deal with threats has, on balance, changed for the worse. ... Industry needs to do more, and policy makers should finance research."

Don't you have infrastructure to secure? Read this report, and then GET BUSY!
Building Secure Software: How to Avoid Security Problems the Right Way

Topic: Computer Security
2:35 pm EST, Jan 5, 2002
"Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use--from managers to coders--this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the development cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped."

One of the chapters of this book is entitled "Trust Management and Input." Although the site appears to offer a sample chapter, it is not currently available at the specified URL.
On the Security and Vulnerability of PING

Topic: Computer Security
7:55 pm EST, Nov 26, 2001
"We present a formal specification of the PING protocol, and use three concepts of convergence theory, namely closure, convergence, and protection, to show that this protocol is secure against weak adversaries (and insecure against strong ones). We then argue that despite the security of PING against weak adversaries, the natural vulnerability of this protocol (or of any other protocol for that matter) can be exploited by a weak adversary to launch a denial of service attack against any computer that hosts the protocol. Finally, we discuss three mechanisms, namely ingress filtering, hop integrity, and soft firewalls that can be used to prevent denial of service attacks in the Internet."
Infineon, Sony To Jointly Develop Contactless Chip Card ICs

Topic: Computer Security
11:49 pm EST, Nov 14, 2001
Infineon Technologies AG and Sony Corp. today announced a joint development covering secure ICs for contactless chip card systems. This technology would be used for secure authentication and identification functions in applications like banking cards, government or company issued ID cards and public transit electronic fare tickets. The companies will combine Sony's FeliCa contactless chip card technology with Infineon's experience in secure chip card ICs and semiconductor manufacturing processes. A contactless chip card has a special transmission module for over-the-air data communication, consisting of a chip and an antenna embedded in the card, so that the card does not have to be inserted into a terminal's slot. [Sony has shipped] about 11 million equipped with on-card memory [...] used for Hong Kong's public transport systems.

MemeStreamers: Have you seen/used these cards when in HK? I'm also curious to know if the Cambridge [UK] crew has experimented with these devices.
Computer Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets [PDF]

Topic: Computer Security
6:03 pm EST, Nov 10, 2001
A 26-page report, issued November 9. Testimony Before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform, House of Representatives.

* continuing pervasive weaknesses in federal information security
* serious risks that these weaknesses pose at selected individual agencies
* major common weaknesses that agencies need to address
* the importance of establishing a strong agencywide security management program in each agency

Excerpts: at least 20 countries are targeting infowar against the United States; significant weaknesses were found at every federal agency studied; IRS electronic filing systems are vulnerable; agencies lack necessary expertise and the funds needed to acquire and retain it.
LNCS2137: Information Hiding Workshop 2001

Topic: Computer Security
9:08 pm EDT, Oct 25, 2001
Finally! This conference was held back in April, but the proceedings just became available online today. Get 'em while they're hot! (if you can :( ) Authors whose names many may know or recognize include Tonda Benes, Markus G. Kuhn, Adam Back, Ulf Möller, David Goldberg, Roger Dingledine, Michael J. Freedman, and David Molnar. This conference is typically full of excellent papers, but those of particular interest may include:

* The Strong Eternity Service
* A Reputation System to Increase MIX-Net Reliability
* An Analysis of One of the SDMI Candidates
* Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems
* Real World Patterns of Failure in Anonymity Systems
* Intellectual Property Metering
* Computational Forensic Techniques for Intellectual Property Protection
* Natural Language Watermarking: Design, Analysis, and a Proof-of-Concept Implementation
* Robust Covert Communication over a Public Audio Channel Using Spread Spectrum
* A Perceptual Audio Hashing Algorithm: A Tool for Robust Audio Identification and Information Hiding