security research
So, GSM (Groupe Spécial Mobile) is the most widely-used standard for cellular communication. Wikipedia tells me that 80% of the cellular market uses this standard, representing about 4.3 billion people. And guess what? The encryption algorithm of this standard is completely broken-- according to this paper, anyway. And the *way* in which the paper goes about breaking the algorithm is itself beautiful, illustrating a number of common crypto flaws simultaneously.
If you are thinking of going to the IEEE Computer Security Foundations Symposium (CSF) this year, please be aware that you must register by TODAY if you want to have a print proceedings at the event itself. For various reasons (worthy of a blog-post in their own right) this year will not be like previous years. In previous years, you could register at any time and automatically receive a copy of the proceedings when you showed up. This year, on the other hand, is more complicated:
- If you register by June 10, 2010, and order a copy of the proceedings during registration, then you will get your copy when you show up at CSF.
- If you register after June 10, or register before then but don't order the proceedings, then you will have a chance to order a copy of the proceedings at CSF itself. It will be printed by a print-on-demand operation and shipped to any address you specify. Total cost: it depends, but probably on the order of $15 plus shipping. But you won't get it until after CSF ends.
- If you do not register for CSF, or do not order your copy at CSF itself, you can still order a copy from the IEEE. It will again be printed by a print-on-demand operation, and likely to be of very high quality. And it better be, for what they charge: ordering the 2009 CSF Proceedings this way will cost you about $100.
So, if you were thinking about attending CSF, let this give you the impetus to do so. It's a great conference, it's going to be co-located with a bunch of other great conferences (included in the registration-price) and it's in Edinburgh, Scotland. What more do you need?
It's good to be slapped upside the head with your own misconceptions every once in a while, even when it occurs within your own specialty. Now, I deal with other people's misconceptions about cryptography all the time. If people have heard of cryptography at all, they generally are left with the impression that
cryptography = secure = cryptography = secure = ...
This is very forgivable, but wrong.
I would ordinarily regard this as a rather obscure piece of esoterica, too technical to blog about (and merely a technical report, besides) but:
- My beloved readers seem to like topics more technical that I would have thought, and (more importantly)
- It's my piece of obscure esoterica.
So, tech report or no, it gets a blog post.
While researching something unrelated, I stumbled across an interesting feature of CiteSeerX: "estimated venue impact factors." That is, it attempts to rank CS-related conferences and journals in terms of their 'impact.' However, something seems to be wrong with their algorithm-- there is no way that a single sub-specialty (security) can contain eight of the top 25 conferences.
I am proud to announce that I have been invited to join the Program Committee for The 12th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2010)-- Crypto Track. That is: this venue has a number of technical tracks, roughly reflecting different areas of study. The crypto track (to be ably co-chaired by Jonathan Katz and Gene Itkis) is new this year, but will (I trust) receive the same quality of submissions as the other, more established tracks.
First, I should warn my non-CS readers: I had originally decided that this paper was too technical to blog about. But then I received a request that I actually discuss this specific paper, and who am I to say 'no' to a beloved reader? So be aware that this one is going to be a bit more esoteric than even usual, but I also will go somewhere with it at the end.
I have no idea how this paper came about, but I'm glad it did. The first author is a computer-science professor at Cambridge University specializing in privacy and systems security. The second author is a professional scam artist and stage magician who demonstrates real-world scams on unsuspecting victims as part of a BBC television show. Together, they fight crime!
I am pleased to announce that the 2010 Computer Security Foundations Symposium will be held in Edinburgh, UK this year, in conjunction with FLoC 2010. Once again, I am honored to serve as the Publications Chair. I also note that the remarkable Graham Steel is serving as General Chair, with the astonishing Michael Backes and Andrew Myers serving as Program Chairs, making me all the more confident that it will once again be a wonderful event.
As I have mentioned elsewhere, this is one of my favorite venues-- mostly because it is very small, very collegial, and of very high quality. But don't just take my word for it: in May of 2003, CiteSeer rated it as having the 38th largest impact among all conferences and journals in computer science. Take that, CRYPTO (#79) and Oakland (#134)!
So, if any of you feel like visiting Scotland in mid-July of 2010, this will make an excellent excuse. (But I note that the deadline for submissions is coming up fast: Feb 4 for abstracts, Feb 8 for papers. I probably should have announced this before now.)
For ten days at the beginning of 2009, a team of computer-security researchers managed to take control of a live, real-world, criminal botnet. Over those days, they observed (and recorded) the botnet harvest over 70GB of stolen data (password, bank-account number, etc.) from almost two hundred thousand subverted machines. Why did they do this? Simple curiosity, probably. But that's not nearly as interesting as how they did it, what they found, and what this means about the field of computer security.
