The Sixth USENIX Security Symposium, Focusing on Applications of Cryptography

Greg Rose
Qualcomm Australia
Email: ggr@qualcomm.com

Abstract

The 6th USENIX Security Symposium was held at the Fairmont Hotel, San Jose, 20-23 July 1996. There were about 720 attendees. The first two days consisted of tutorials. The third day, the first of the Symposium proper, featured a Keynote talk followed by two parallel tracks. The first track was the USENIX refereed papers. The other track was organised by UniForum and consisted of panel sessions. On the last day, there was a full day of refereed papers in parallel with invited talks. This paper gives an overview of some of the interesting details of the Symposium.

Introduction

The 6th USENIX Security Symposium was held at the Fairmont Hotel, San Jose, 20-23 July 1996. The program was very strong, with 21 papers accepted from 57 submitted. This year, the Symposium had a focus on Applications of Cryptography; as one attendee quipped, 'Is it just me, or does everyone think that cryptography is the solution to all problems in security?'. Deployment of strong cryptography into applications has been regrettably slow.

The keynote was given by Professor Ron Rivest, of MIT. He is extremely well-known as the 'R' in RSA, a founder of RSA Data Security Inc., and a prodigious inventor of ciphers and hash functions. His keynote was about SDSI (pronounced 'sudsy'), a simple distributed security infrastructure. This is a framework based around Lisp s-expressions and public key cryptography which may soon provide an infrastructure for robust security and authentication. This is an important area of research at the moment, with a number of standards being proposed (perhaps prematurely).

As with all of the larger USENIX conferences, there were cash prizes for the best paper and best student paper. The situation was confused a bit by the fact that the best paper was a student paper. So, the best paper award went to 'A Secure Environment for Untrusted Helper Applications' by Ian Goldberg, David Wagner, Randi Thomas and Eric Brewer of Berkeley. The (second) Best Student Paper award then went to 'Building Systems that Flexibly Download Executable Content' by Trent Jaeger and Atul Prakash of the University of Michigan and Avi Rubin of Bellcore.

Panels and Invited Talks

UniForum organised a day of panel sessions. Most were not terribly well attended, but 'Cryptography and the Law' was. This was chaired by USENIX's attorney, Dan Appelman, who invited a number of people to participate via videoconference from Washington, D.C. The only local panelist was John Gilmore, a founder of the Electronic Frontier Foundation. Unfortunately, Senator Burns, who is spearheading a bill to free up export of cryptographic technology, had a schedule clash, so he was represented by one of his senior aides. Another attendee was from the Justice Department. (I regret I don't have names here.) This session was standing room only because of the importance of the topic, but unfortunately very little new information was made available. The Justice Department's buzzword of the day was 'terrorism' as the TWA flight had gone down just a few days earlier and was still on the front pages.

The second day's invited talks were generally well attended. Randall Schwartz, co-author of the Perl books, gave a talk entitled 'Just another convicted perl hacker'. This interesting talk was about the things which can go wrong when a security consultant attempts to make active attacks on the customer's machines. I think the biggest lesson here is 'get it in writing in advance'.

Sameer Parekh runs an extremely interesting ISP in Berkeley, called Community ConneXions (c2 for short). They have a novel approach to security, privacy and anonymity. In his talk, he gave details about the supposedly untraceable anonymous accounts offered by his company's 'alpha' service.

Markus Ranum, a well-known security person, gave the next talk, entitled 'Firewalls: are they being used right? Are they cost effective?' A more correct title for the talk would have been 'We're all doomed, aren't we?'. While doing research for the talk, examining dollars being spent on firewalls, and the benefits, Markus came to the surprising conclusion that it would be far better to re-engineer all applications from the ground up rather than continuing to spend money on patchwork solutions such as firewalls. Of course, this could never actually happen, as there would be people continuing to sell new applications while the old ones were being reworked.

This was a very well-attended talk and was well received, even if the message was a bit negative.

The final invited talk was by Derek Atkins, previously from MIT, now with Sun Labs, and one of the major implementors of the newer versions of PGP. He spoke about the coming PGP version 3, and of its programmer's interface and modular construction. He gave a preview of the API for it, but stressed that it wasn't yet completely frozen.

Refereed Papers

Proceedings of the Symposium were produced and are available from the USENIX Association. AUUG members, through a reciprocal agreement, get the member's rate.

In this talk, I don't intend to give much detail about the papers. As I have already mentioned, the general standard was very high. These are just some of the highlights.

In 'A DNS Filter and Switch for Packet Filtering Gateways', Bill Cheswick and Steve Bellovin talked about applying some firewall-style technology to the Domain Name service, which is a pretty interesting concept.

Tatu Ylonen developed 'SSH' some years ago, but has finally had time to write it up. This is a wonderful tool for secure connections, particularly X session forwarding across insecure networks, and is well worth a look. There is a new version coming out soon with an improved protocol stack and algorithm choices and negotiation.

Carl Ellison of Cybercash gave a fascinating talk about 'Establishing Identity Without Certification Authorities' in which he estimates the identity value of questions and responses involving shared experiences or mutual friends - an offbeat look at an extremely important problem.

'Secure deletion of data from magnetic and solid state memory', by Peter Gutmann of Auckland University was a fascinating presentation. Peter had overheads made from electron microscopes and other fascinating bits of hardware. These showed clearly that you can recover data quite reliably after a couple of overwrites from magnetic media, and for a surprisingly long time from solid state memory after the power is withdrawn. (Peter tells me he had a number of visits from 'interesting people' after his paper was selected for this conference.)

Dan Boneh and Richard Lipton, of Princeton University, talked about a novel cryptographic application, 'A revokable backup system'. This is just the thing for Alan Bond, as he would now only have to forget one thing...

In 'Compliance Defects in Public Key Cryptography', Don Davis talked about some of the things which make public key cryptosystems so hard to get right in practice. This paper is required reading for anyone intending to use public key systems seriously.

Wietse Venema, co-author of SATAN, talked about 'Murphy's Law and Computer Security'. He gave a number of instances of some of the basic errors which people (who really should know better, such as himself) still make with monotonous regularity.

'Problem areas for the IP Security Protocols' was a somewhat scary presentation by Steve Bellovin. He pointed out that there are a number of people who think that IPSEC (optional and not widely adopted in IPv4, and supposed to be supported by all implementations of IPv6) is a 'cure-all' solution. He started by pointing out how, when the optional authentication fields are left out of the packets, it is possible to do essentially arbitrary cut-and-paste operations on encrypted streams. Even fully encrypted and authenticated sessions could be read in certain circumstances, for example when individual keystrokes were being sent using telnet.

Social stuff

There were about 60 people at the PGP key-signing BOF session, and about 120 who made use of the USENIX key signing service. Some of the BOF sessions were quite well attended. Matt Blaze and Carl Ellison hosted a session about public key infrastructures which was essentially an extension of the conference, with about half the attendees present.

Dan Farmer, the other author of SATAN, rented out a chunk of a brew pub around the corner from the hotel and threw a nice little party which was titled 'The 1996 Internet Security Cabal World Tour'. This was after a typical USENIX reception where the food and drink flowed freely. There were quite a few bleary eyes in the morning.

And someone's laptop had the video clip of the exploding whale... this drew capacity crowds every time it was played.

Bibliography

1. USENIX (1996) ed. Greg Rose, The USENIX Association, 2560 Ninth Street, Suite 215, Berkeley CA 94710 USA. URL: http://www.usenix.org/


Organised by: AUUG'96 & CSU