Saturday, March 22, 2008

IFIP 11.10 2008 Conference

I’ve just returned from a the IFIP 11.10 security conference in Washington D.C. where I was presenting a paper. As far as conferences go, it was a pretty good one. Some of the keynote speakers:

  • A former deputy director of science and technology of the CIA.
  • Director of control system security for the Dept of Homeland Security
  • An executive director of Verizon
  • Former Special Assistant to the President for Critical Infrastructure Protection
  • A KGB agent from the cold-war era

One of the things I liked about the conference was that there was plenty of time given to breaks where you could socialize and network. People who are experts in their field aren’t always great public speakers. So you can sometimes get more information from them sitting over dinner, drinking wine.

It takes an effort to go up to someone you don’t know, introduce yourself, and start some small talk. Thankfully I’ve found most people at these conferences are really friendly. As they are passionate about what they present, you can usually get them really going by asking some questions about their research. They can even be pretty vague or uneducated questions. People like telling stories.

A participant told of me a consortium of security personnel from different companies that would get together and exchange information they had gathered. This information could not be shared outside of the security people. The information was only to be used for increasing security, not gaining a competitive advantage. Only one member had violated this, and he and his company were permanently barred from ever joining the consortium again. The person I talked to was British, and pointed out American laws would never permit this.


A topic of discussion was the use of civilian contractors in “cyber-warfare”. If a civilian is partaking in such an event, then he/she is a combatant under the Geneva Conventions. The presenter mentioned Article 51.3, but that article didn't seem relevant when I looked it up.

The building that he/she is working from is considered a legitimate target and the software is a weapon, under Article 52.2. Again, I couldn't find a match for that article. If a civilian doesn’t distinguish himself as a combatant, he doesn’t fall under standards for POWs.

In other words, it is important for the military to have their own set of people to handle cyber-warfare.

Quite a while back there was the famous case of the U.S. planting a Trojan Horse in software for control systems to Siberia. The software was used for controlling valves on a gas processing plant. The U.S. had the software changed so that it would fail at a certain time. Soon after, the plant was reduced to a smoking crater with a three kiloton explosion.

I thought it was kind of tacky that one of the participants kept asking the ex-KGB guy what he thought of that. Of course, I wanted to ask the same thing. But come on, reverse the tables. Do you think in 20 years time, you’d appreciate an ex-terrorist wanting to know what you thought of 9/11?

Security Research

While at the conference I met a woman that had worked as an intern for the NSA while she was getting her Master’s degree. After graduation she started work for the Department of Defense. After three years of working full-time, she’s started her Ph.D. She says that working at the department of defense is like “nerd heaven” for anyone interested in Math and Science. She had a sense of style though; you wouldn’t guess she worked at nerd heaven.

While she majored in Computer Science, she started college not even knowing what computer science was. I’ve heard this more than once, and I think it is a disturbing trend. Computer Science has some of the hottest jobs in the market, and lots of talented people are graduating high school without even knowing what computer science is.

Travelling to D.C.

I enjoy conferences in D.C. I get to see my cousin, who is a lawyer and has a band called the Dog Waggers. I also like when I can get where I need to by using the MetroRail. Plus the monuments are great. I love the Jefferson Memorial, and FDR’s.

To really get a feel for the monuments you have to pause and reflect. Jumping in front of the statue, making goofy faces, and getting your photo taken seems kind of disrespectful. I think it is more important to take time to read the quotes, and remember why we honor those leaders. What must have gone through their minds?

I’ve often thought it would be so cool to tell these great people what became of the nation they served. Although right now, I’d hate to tell them about Bush and Iraq.