Steve Bellovin in Ottawa (Part II)

Actual lecture was on the 5th floor of Carleton’s Minto building.

It started with the Cognos folks giving a brief speech on how glad they are to see Carleton partnering with them, and how glad they are to see Professor Bellovin in Ottawa. Cognos is one of the larger employers in Ottawa, and hires a good number of Carleton’s comp sci graduates, and this time they were the ones who brought professor Bellovin into Ottawa (or at least that’s the impression I got).

After that, Carleton’s Dean of Sciences took the podium, and thanked Cognos folks, thanked everyone for attending, and introduced
Paul Van Oorschot, a Canada Research Chair in Network and Software Security. Dr. Van Oorschot, in turn introduced Dr Bellovin.

Seriously, I don’t know any of these people, so I have no comment.

Then Professor Bellovin took the stage, and for about an hour and 20 minutes kept the audience interested. Professor Bellovin is a great speaker – he interspersed the the slides with a number of personal anecdotes about first hand encounters with improper security design.

Do at least page through the slides – it’s worth while.

So here are a couple of photos:
Professor Steve Bellovin in the hallway after the lecture
Professor Bellovin.
Professor Bellovin in the hallway after the lecture.

Oh, and I got my copy of “Wily Hacker” autographed. 🙂

So now some questions on my part….

On page 3 of the slides, Dr Bellovin talks about NSA “Blacker Front End” project for end to end encryption and access control on a computer network.

In an article Uncultured Perl (use bugmenot to login, why do these folks want to track you?), Larry Wall says:

Like the typical human, Perl was conceived in secret, and existed for roughly nine months before anyone in the world ever saw it. Its womb was a secret project for the National Security Agency known as the “Blacker” project, which has long since closed down. The goal of that sexy project was not to produce Perl. However, Perl may well have been the most useful thing to come from Blacker. Sex can fool you that way.

Is that the same project?

Is security really in the interest of the operating system vendors? Commercial vendors see little motivation due to lack of demand. OpenSource/Free vendors see little motivation because crypto is hard, and making crypto user friendly AND correctly implemented is beyond the scope of what they teach you in the 2nd or even 4th year of Comupter Science program. Heck, it’s a multi-discipline approach, that requires user interface skills, math skills and programming skills.

Any joker can implement an RSA algorithm. Heck, I implemented it using libtommath and libtomcrypt for a group theory course in a couple of hours. But I won’t trust my implementation worth a damn – I know how poorly it is coded. I am not sure I can get it “right” at my current skill level.

So without demand and corresponding monetary inscentive and without gratification from a good job, do folks even bother? I don’t see former FreeS/WAN folks toiling hard on IPsec. Last release is in April of 2004 (2.0.6) (Their web site says 2003!), so I guess just user gratitude didn’t cut it.

Is going strong?

The only folks that I know who are actually working on security now a day are OpenBSD folks. And when was the last time YOU installed or used OpenBSD? Using it right now? Good for you.

How do you educate users? Of course alt.sysadmin.recovery FAQ advocates one approach, which is:

4.3) What is the best way to deal with lusers?

Lusers are much easier to deal with if they aren't breathing.  240V across the
heart, a revolver round through the head, or even a simple little broadsword
thrust into their abdomen will improve your interactions wonderfully.
See next item.

4.4) Revolvers, cyanide and high voltages:  The pros and cons of various luser
education strategies.

There has been a great deal of debate on ASR about the best way of dealing
with lusers, and at this time no consensus has been reached.  What we can
suggest, however, is to be sure it is painful, clean, and doesn't harm
the computer.  That unfortunately leaves a lot of options out; you can't
just throw a grenade at them; it will hurt the machine.

At one point in the past, I would have agreed. Now a days, I am not sure that even these methods will work.