Tuesday, May 04, 2010

Sci-Fi experiences at Finse!

I've attended the NISNet winter school, 25-30 April 2010 (program, pdf), at Finse1222. Here's my report & rants.


Yep, that's where they shot parts of Star Wars: The Empire Strikes Back in 1979. :-)


Not only did I listen to a range of really interesting presentations from recognized researchers within security, but I was also allowed to do an evening presentation on my favorite topic: passwords.

I've done countless presentations for different audiences, but this was the first time with the attendees and speakers being professors, postdocs, PhD students and a few others with rather similar backgrounds. Impressive, at least to me. For some reason though, I didn't feel any nervousness before my presentation on Wednesday evening. Who knows, maybe I'm getting comfortable talking about passwords? Ask my friends or colleagues. ;-)

There are a few lectures that I would like to highlight for you (in regard to passwords). First of all, Danilo Gligoroski from NTNU has done some work already in this area. I enjoyed his talk, even when some of the crypto stuff is just... well... unknown symbols to me. Gligoroski and 3 others from NTNU/SINTEF published a paper in 2009 entitled "All in a day's work: Password cracking for the rest of us". It made me smile, thinking of the collaborative efforts at freerainbowtables to create large and efficient rainbow tables, the works of PhD student Matt Weir on improving password cracking, as well as numerous others on the net. I'll raise you on that paper. ;-)

The Monday "after dinner" lecture (at 20:45) brought some crypto puzzles. The puzzles were handed out earlier that day, and as usual my brain malfunctioned somewhere early on page 2 (if not before). On the other hand, I think somebody had already talked about attacking the weak spot earlier in the day, so...:

Me: "Quick question: is that your laptop?"
Leif: "Yes"
Me: "I see you are running Windows XP. Do you use hard disk encryption?"
Leif: "No"
Me: "Do you have the answers for tonight's puzzle on your hard drive?"
Leif: "Yes"
Me: "Is it ok with you if I steal your computer for approximately one hour? Bonus: I'll show you your password as well as all the correct answers for the puzzle!"

I interpreted his silence as that not being ok. Well, it was worth asking at least. Always attack the weakest spot. Strong crypto? Probably bad passwords at both ends. :-)

The presentation on biometrics from Christoph Busch was really interesting as well. Not only that, but I got the opportunity to discuss a bit of biometrics with him as well as some of his students. And to challenge them a little I said that biometrics may improve user friendliness, but I'm not so sure about the "improving security" part. In some cases yes, but as I told them: "my examinations into passwords show that as much as 20-30% of all accounts in a Windows domain may be non-personal accounts. Those accounts cannot log in with their fingerprint or iris scans. As such accounts may very well be domain administrators, I'll attack the weakest link." Bruce Schneier has some opinions as well.

Professor Audun Jøsang on "The human factor in IT security" was a spot-on presentation to me. Finally an academic who understands - and talks - about the weakest link of them all: US (as in humans, not the United States!). BRAVO, and I really look forward to talking to him again. Contact details exchanged, stand by for more information.

blablabla, me doing 2+ hours of passwords Wednesday evening, and Thursday morning with Prof. Dr. Dieter Gollmann talking about "Access control in the web". A few slides into his presentation, I was thinking:

1. Man, all web application programmers should do mandatory 1-2 weeks of training with this guy!
2. If they did, those applications produced would increase heavily in price
3. They would probably never make it to market, or be too late to get a high market share
4. Software sold "as is". Any flaws can be fixed for a hefty consultant fee. Makes the world go round.

Oh well, really good presentation anyway.

Then Professor Kristian Gjøsteen rounded off the program with 2 talks on our current national efforts on electronic elections, due for a live "test run" in several municipalities in Norway, autumn 2011. "We have no positive reason to trust this solution". Nice way of saying "I don't trust that". :-)

Travelled back to Bergen by train Friday afternoon, brain filled, new contacts established and several new ideas for further investigations and discussions. Just too bad the reception didn't tell me about the 30-year anniversary of filming famous Star Wars scenes at Finse... It could have been fun to watch!

Darth Vader: You have learned much, young one.
Luke: You'll find I'm full of surprises.

More to come. :-)

