Security Market: Incentives for Disclosure of Vulnerabilities
11:00 AM - 12:00 PM
A previous paper by the author proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect from physical security. This paper examines the incentives of actors to disclose vulnerabilities. A chief point of this paper is that the incentives for disclosure depend on two largely independent assessments: the degree to which disclosure helps or hurts security, and the degree to which disclosure creates competitive advantages or disadvantages for the organization.
The paper presents a 2x3 matrix, where disclosure for security and for competition is assessed for three types of systems or software: Open Source, proprietary software, and government systems. Surprisingly, the paper finds significant convergence on disclosure between Open Source and proprietary software. For instance, Open Source security experts often do not disclose configurations and settings, and Open Source programmers often rely on trade secrets (i.e., lack of disclosure) to gain competitive advantage. Similarly, proprietary software often involves more disclosure than assumed. For security, large purchasers and market forces often lead to disclosure about proprietary software. For competitive reasons, proprietary software companies often disclose a great deal in order to become a standard in a competitive space.
Despite this greater-than-expected convergence of practice for Open Source and proprietary software, there are strong reasons to believe that less-than-optimal disclosure happens for government systems. The tradition of military secrecy, and the concern about tipping off attackers, leads to a culture of secrecy for government security. Competition for turf, such as the FBI's reputation for not sharing with local law enforcement, further reduces agency incentives to share information about vulnerabilities.
Peter P. Swire is a Professor of Law and John Glenn Scholar of Public Policy Research at the Moritz College of Law of the Ohio State University and director of that school's Washington, D.C. summer program. From 1999 to early 2001 he served as the Clinton Administration's Chief Counselor for Privacy, in the U.S. Office of Management and Budget. In that position, he coordinated Administration policy on the use of personal information in the public and private sectors, and served as point of contact with privacy and data protection officials in other countries.
Professor Swire is a consultant to the law firm of Morrison Foerster, LLP, and in 2005-2006 is a Visiting Senior Fellow at the Center for American Progress. He was White House coordinator for the proposed and final HIPAA medical privacy rules, and played a leading role on topics including financial privacy, Internet privacy, encryption, public records and privacy, ecommerce policy, and computer security and privacy. With Lawrence Lessig, he is Editor of the Cyberspace Law Abstracts of the Social Science Research Network. Many of his writings appear at www.peterswire.net.
According to the Federal Trade Commission, identity theft has been the number one consumer concern for the last five years. In 2004, identity theft constituted 39 percent of the 635,173 consumer fraud complaints filed with the agency. Other sources put the cost of identity theft to the United States economy at over $50 billion per year. Significantly, European and Asian countries have not experienced the same levels of identity theft as have occurred in the United States.
The United States Congress is considering a wide range of legislative proposals to address the problem of identity theft and the associated problem of security breaches. This talk will examine the proposals now before Congress, the key goals of stakeholders, the central policy disputes, and the likely outcome.
Marc Rotenberg is Executive Director of the Electronic Privacy Information Center in Washington, DC. EPIC is a public interest research organization established in 1994 to focus public attention on emerging civil liberties issues. EPIC publishes a comprehensive annual report, "Privacy and Human Rights: An International Survey of Privacy Law and Developments," that explores privacy developments around the globe.
Marc also teaches information privacy law at Georgetown University Law Center and has testified before Congress on many privacy issues. He testified before the 9-11 Commission on "Security and Liberty: Protecting Privacy, Preventing Terrorism." He has served on several national and international advisory panels. He chairs the ABA Committee on Privacy and Information Protection. He is former Chair of the Public Interest Registry, which manages the .ORG domain. He is co-editor of "Technology and Privacy: The New Landscape" (MIT Press 1997) and co-editor of "Information Privacy Law" (2d ed., Aspen Publishing 2005). He is a graduate of Harvard College and Stanford Law School.
He served as Counsel to Senator Patrick J. Leahy on the Senate Judiciary Committee after graduation from law school. He is the recipient of several awards, including the World Technology Award in Law and the 2005 ABA Cyberspace Excellence Law Award.
Identity-Based Encryption (IBE) is an asymmetric encryption system in which identifiers such as email addresses, server names or phone numbers can be used as public keys. Originally proposed by Adi Shamir in 1984, it was not until 2001 that the first practical algorithms became available. Since then IBE has not only generated huge interest in academia, it has seen rapid adoption in industry and is being considered for standardization by the IEEE. This talk gives an overview of the state of IBE and reflects on what led to its rapid success. Unlike other algorithms, IBE is a new cryptographic primitive that cannot be built from existing PKI systems. As a new primitive, IBE directly solves some of the existing problems with classic public key systems. Specifically, it enables the use of short-lived public keys, removes the overhead of certificate management and enables keys to be centrally managed. The talk will give an overview of IBE, describe a secure email system based on IBE, and give an example of a live enterprise deployment of IBE with thousands of users.
Guido Appenzeller co-founded what is now Voltage Security while attending Stanford University in 2002 and now serves as Chief Technology Officer, overseeing the expansion of Voltage IBE technology into new application areas such as mobility, VoIP and other forms of digital communication. Guido has over a decade of computer science, security, networking and e-commerce experience, has held numerous academic and entrepreneurial positions, and is an MIT TR100 award winner for 2004.
Guido was previously an Associate at Kappa IT Ventures, a European technology investor, worked for McKinsey and Company in their German office, and was CTO and vice president of the Business Association of Stanford Students (BASES).
Guido received a Ph.D. in 2004 and an M.S. in Computer Science from Stanford University in Spring of 2000 and his undergraduate degree in Physics magna cum laude from the University of Karlsruhe, Karlsruhe, Germany in 1996.
Biometric-based user authentication is no longer just the domain of James Bond movies or government installations. Fingerprint sensors, in particular, are now showing up as standard on notebooks from IBM, HP and Toshiba, and in a new line of peripherals from Microsoft. The benefits to the user and organization are clear: unlike passwords or tokens, fingerprints cannot be lost, forgotten, or easily lent to others. The consequence is a reduction in administration costs, improvement in audit logs for compliance, and the prospect of heightened security by reducing reliance on each user to adhere to security policy. However, the potential weaknesses are also well known, such as reversible templates, gummy fingers, storage of secrets, and central databases. Since no single security approach is a magic bullet, the strengths and weaknesses of biometric authentication must be considered in light of the threats in a given environment. This talk will survey the current state of the art in biometric authentication algorithms, readers and security architectures used for network security, with a critical analysis of the security and privacy considerations.
As co-founder of DigitalPersona, Vance Bjorn co-developed the core algorithm for fingerprint recognition, the foundation of DigitalPersona's technology. This algorithm and fingerprint reader are now relied on by over 20 million people, 400 enterprises, and 2000 ISVs worldwide, and have been licensed by Microsoft as the foundation of their biometric security product line. In his role as CTO he is responsible for establishing key business and technology relationships and evolving DigitalPersona's technology to meet the demands of the market. Vance graduated from the California Institute of Technology and was a Ph.D. candidate at the MIT AI Lab holding a National Defense Graduate Fellowship prior to founding DigitalPersona. In 2004, he was a recipient of an MIT TR100 award.