Thursday, August 31, 2006

purdue seminar

I gave a seminar talk at the CERIAS lab of Purdue University yesterday. They had arranged for me to spend most of the day meeting with miscellaneous faculty -- it was great. Sometime in the next few weeks, they'll be posting a streaming video of my talk here (I think).

The talk covered the work on invasive browser sniffing and countermeasures that was presented at the WWW 2006 conference in Edinburgh, Scotland. (Abstract, Slides)


Sick of physical spam (pspam -- the crap that comes in the post to your home mailbox)? The USPS suggests you write to these folks, and ask to be added to the "no advertisements" list:

CARMEL NY 10512-0643


Friday, August 11, 2006

is my research pointless?

This is kind of a ranting... it may not make much sense.  Input (comments) will be appreciated.

During lunch today, I flipped on the TV and watched a PBS special on a nun who makes cheese.  Actually, it was called "The Cheese Nun".  In it, Sister Noella Marcellino talked about how they make cheese and essentially commune with the world (the beasts, the earth, the cheese-making fungi).  It was kind of neat; everything she did was backed by enormous motivation and inspiration -- though none of it was heavily religious.  In her cheese-making escapades, she was asked to go back to school and study more to make the cheese better, or at least understand why they use the very antiquated cheesing methods they do (no pasteurization, specific locations for aging, etc).

She went back to school to get her PhD in microbiology (ended up on a Fulbright scholarship to France) -- studying specific fungi in the cheesemaking process, and she figured out, down to the strain of fungus, exactly why each cheese tastes different.  It turns out that in the aging caves, a whole different ecosystem of microorganisms lives, and a new strain of the cheese-making fungus develops and thrives.  Destroy one of these caves, and the flavor of cheese made in it will go extinct.

She illustrated the importance of keeping around these antique cheese caves, and supporting the independent middle-of-nowhere cheesemakers. Through her research, she helped a whole lot of people realize what is *really* going on in a rather mysterious process of cheesemaking.  She is the pious Indiana Jones of the cheese world.

I think it should be the goal of every advanced student to strive for something like this -- not only to pioneer something new in their field, but also to try to make a real contribution that adds perceived value to society.  Help steer our world straight -- a researcher with any other purpose is just a cog in the big machine.

Computer Security, as a field, is an arms race.  You have the defenders and the attackers.  We make them wear different hats (black hat, white hat).  You also have some "gray hats" that simply find new angles of security and anti-security, then talk about them, as opposed to taking advantage of them or fixing them.  We often call the black-hats "Hackers", and the white-hats "Researchers".

As a side-effect, the struggle (you could call it the "war on cyberterrorists" if you really want) brings about a whole new little society.  The cryptographers, virologists, coding gurus, stack smashers, documentation trolls, social engineers and script kiddies speak a language of their own, and more or less just fight amongst themselves.  Bring in malevolents -- spammers and phishers -- and you break out of the security bubble and start harming the everyday Joe and Jane who barely know what an anti-virus program does.  Jane and Joe are at everyone's mercy, and are mostly oblivious of the war going on.

So what does this have to do with cheese?  Sometimes I have to step back and think to myself, "self, what is your goal here?"  A lot of security research seems to me to be intellectual masturbation; you find a flaw, you find a solution, then you pat yourself on the back and publish it.  If you read through journals of computer security, this is all you will see: layers and layers of vulnerabilities and their solutions.  There are whole companies whose business plan is based around cataloging all of these pairs.  They don't really seem to make a difference to anybody outside of this focused war.

Cheesemaking has changed radically over the years, mostly due to health scares ("you're eating WHAT kind of mold?")  and process regulation ("you must boil the milk first, to spoil the flavor and bacteria").  Due to these changes, many of the great cheesemakers have gone out of business, and what used to be a great cheese is now extinct.  It is a noble effort to preserve other cheeses from extinction.  I want to find a noble effort in computer security. 

But it doesn't seem to me that saving people's identities from theft is as noble as some claim.  Educated Internet users can figure out how to prevent this theft.  The everyday Joe does not, and probably never will.  Most identity thefts occur in a way that leaves the victim completely clueless until money disappears or an agency questions them about actions they did not commit.  Wouldn't the best solution to the Bank-ID-Theft problem simply be to stop allowing online banking?  Why don't we just stop using computers for commercial purposes?

Things seemed to work fine before they were used this way -- election vote counts were not disputed or mistrusted, banks employed security guards to prevent theft, junk mail was directed to "current resident."  For each problem, an expert was employed: election officials, security guards, the trash can.  Now, it takes a computer expert to solve all three of these problems!  Say there are 10 areas of expertise in the world.  One of them is computers.  Before this "information age" 1/10th of the people could be employed to solve any given problem.  Now there are only 1/10th of the entire population available to solve ALL of the problems.  This doesn't sound good.  It makes me want to go live as a hermit in a cabin in the middle of the woods.

The Internet and this "digital society" are very, very complex systems.  They are not getting simpler.  In the future, either everyone will need to become a computer security guru to survive, or much of the population will have to place unconditional trust in the expert few for ID theft protection.  Only some of the experts are trustworthy; the others want your ID.  It is a noble effort to solve this problem while keeping computers in their currently heavy-use roles!  The current, unfortunate direction of things seems to be a downward spiral into infinite complexity and obscurity.