July 06, 2008

Digital Evidence: Musing on the rocky path to wisdom

I've notched up two events in London: the International Conference on Digital Evidence 10 days ago, and yesterday I attended BarCampBankLondon. I have to say, they were great events!

Another great conference in our space was the original FC in 1997 in Anguilla. This was a landmark in our field because it successfully brought together many disciplines who could each contribute their specialty. Law, software, cryptography, managerial, venture, economics, banking, etc. I had the distinct pleasure of a professor in law gently chiding me that I was unaware of an entire school of economics known as transaction economics that deeply affected my presentation. You just can't get that at the regular homogeneous conference, and while I notice that a couple of other conferences are laying claim to dual-discipline audiences, that's not the same thing as Caribbean polyglotism.

Digital Evidence was as excellent as that first FC97, and could defend a top rating in conferences in the financial cryptography space. It had some interactivity, perhaps due to two factors: it successfully escaped the trap or fixation on local jurisdiction, and it had a fair smattering of technical people who could bring the practical perspective to the table.

Although I'd like to blog more about the presentations, it is unlikely that I can travel that long journey; I've probably enough material for a month, and no month to do it in. Which highlights a continuing theme here on this blog: there is clearly a hole in the knowledge-to-wisdom market. It is now even an archaic cliche that we have too much data, too much information to deal with, so how do we make the step up through knowledge and on to wisdom?

Conferences can help; but I feel it is far too easy to fall into the standard conference models. Top quality names aimed at top paying attendees, blindness by presumptions about audience and presenters (e.g., academic or corporate), these are always familiar complaints.

Another complaint is that so much of the value of conferences happens when the "present" button is set to "off". And that leads to a sort of obvious conclusion, in that the attendees don't so much want to hear about your discoveries, rather, what they really want is to develop solutions to their own problems. FC solved this in a novel way by having the conference in the Caribbean and other tourist/financial settings. This lucky choice of a pleasant holiday environment, and the custom of morning papers leaving afternoons freer made for a lot of lively discussion.

There are other models. I experimented at EFCE, which Rachel, Fearghas and I ran a few years back in Edinburgh. My call (and I had to defend my corner on this one) was that the real attendees were the presenters. If you could present to peers who would later on present to you, then we could also more easily turn off the button and start swapping notes. If we could make an entire workshop of peers, then structure would not be imposed, and relationships could potentially form naturally and evolve without so many prejudices.

Which brings us to yesterday's event: BarCampBankLondon. What makes this bash unusual is that it is a meeting of peers (like EFCE), there is a cross-discipline focus (finance and computing, balanced with some legal and consulting people) and there isn't much of an agenda or a selection process (unlike EFCE). Addendum: James Gardner suggests that other conferences are dead, in the face of BarCamp's model.

I'm all for experimentation, and BCBL seemed to manage the leading and focussing issue with only the lightest of touches. What is perhaps even more indicative of the (this?) process was that it was only 10 quid to get in, but you consume your Saturday on un-paid time. Which is a great discriminator: those who will sacrifice to work this issue turned up, and those looking for an easy, paid way to skive off work did not.

So, perhaps an ideal format would be a BarCamp coupled with the routine presentations? Instead of a panel session (which I find a bit fruitless) replace one afternoon with a free-for-all? This is also quite similar to the "rump sessions" that are favoured in the cryptography world. Something to think about when you are running your next conference.

Posted by iang at 05:54 PM | Comments (2) | TrackBack

June 17, 2008

Digital Evidence -- 26-27 June, London

Cryptographers, software and hardware architects and others in the tech world have developed a strong belief that everything can be solved with more bits and bites. Often to our benefit, but sometimes to our cost. Just so with matters of law and disputes, where inventions like digital signatures have laid a trail of havoc and confusion through security practices and tools. As we know in financial cryptography, public-key reverse encryptions -- confusingly labelled as digital signatures -- are more usefully examined within the context of the law of evidence than within that of signatures.

Now here cometh those who have to take these legal theories from the back of the technologists' napkins and make them really work: the lawyers. Stephen Mason leads an impressive line-up from many countries in a conference on Digital Evidence:

Digital evidence is ubiquitous, and to such an extent, that it is used in courts every day in criminal, family, maritime, banking, contract, planning and a range of other legal matters. It will not be long before the only evidence before most courts across the globe will all be in the form of digital evidence: photographs taken from mobile telephones, e-mails from Blackberries and laptops, and videos showing criminal behaviour on You Tube are just some of the examples. Now is the time for judges, lawyers and in-house counsel to understand (i) that they need to know some of the issues and (ii) they cannot ignore digital evidence, because the courts deal with it every day, and the amount will increase as time goes by. The aim of the conference will be to alert judges, lawyers (in-house lawyers as well as lawyers in practice), digital forensic specialists, police officers and IT directors responsible for conducting investigations to the issues that surround digital evidence.

Not digital signatures, but evidence! This is a genuinely welcome development, and well worth the visit. Here's more of the blurb:

Conference Programme International Conference on Digital Evidence

26th- 27th June 2008, The Vintner's Hall, London – UNITED KINGDOM
Conference: 26th & 27th June 2008, Vintners' Hall, London
Cocktail & Dinner: 26th June 2008, The Honourable Society of Gray's Inn

THE FIRST CONFERENCE TO TREAT DIGITAL EVIDENCE FULLY ON AN INTERNATIONAL PLATFORM...

12 CPD HOURS - ACCREDITED BY THE LAW SOCIETY & THE BAR STANDARDS BOARD
This event has also been accredited on an ad hoc basis under the Faculty's CPD Scheme and will qualify for 12 hours

Understanding the Technology: Best Practice & Principles for Judges, Lawyers, Litigants, the Accused & Information Security & Digital Evidence Specialists

MIS is hosting & developing this event in partnership with & under the guidance of Stephen Mason, Barrister & Visiting Research Fellow, Digital Evidence Research, British Institute of International and Comparative Law.
Mr. Mason is in charge of the programme's content and is the author of Electronic Signatures in Law (Tottel, 2nd edn, 2007) [This text covers 98 jurisdictions including case law from Argentina, Australia, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Dominican Republic, England & Wales, Estonia, Finland, France, Germany, Greece, Hungary, Israel, Italy, Lithuania, Netherlands, Papua New Guinea, Poland, Portugal, Singapore, South Africa, Spain, Switzerland and the United States of America]. He is also an author and general editor of Electronic Evidence: Disclosure, Discovery & Admissibility (LexisNexis Butterworths, 2007) [This text covers the following jurisdictions: Australia, Canada, England & Wales, Hong Kong, India, Ireland, New Zealand, Scotland, Singapore, South Africa and the United States of America].

Stephen is also general editor of International Electronic Evidence (British Institute of International and Comparative Law, 2008), ISBN 978-1-905221-29-5, covering the following jurisdictions: Argentina, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Poland, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Thailand and Turkey.

Posted by iang at 09:46 AM | Comments (2) | TrackBack

June 06, 2008

BarCampBankLondon: alternative finance workshop

Thomas Barker sends this press release:

Innovators Gather in the City to Set Shape for Future of Finance


Contact: Thomas Barker
Email: tbarker(at)barcampbank[..]org

LONDON, UK, Monday June 2nd, 2008 - On Saturday July 5th, 2008, one of the most unusual conferences in the financial services industry, BarCampBankLondon (BCBL), will get underway at 9:30 AM near the heart of the City. BCB London follows the success of previous BarCampBanks in Paris, Seattle, San Francisco, New Hampshire and New York City. Ranging from interested students, to banking executives, to VCs, startup founders and internet technologists. BCBL is a forum where participants from diverse backgrounds can get together to discuss topics impacting the industry. It will attract thought leaders and innovators from as far away as America for an intense day of discussions on the future of financial services.

Event co-founder, Frederic Baud said "We wanted to get away from the typical event where a group of senior executives listen to PowerPoint slides and exchange business cards. This is really about getting together people who share a genuine interest in building the future." The event has no set speakers, agenda or sales pitches and getting in the door will only set you back £10. To ensure that the event is relevant to all those attending, the agenda will be discussed online (http://barcamp.org/BarCampBankLondon), then set by the participants on the morning of the event.

It might seem strange that an event like this has taken so long to reach London, a city often considered to be the global financial hub. Another organizer, Thomas Barker said "People might not immediately think of London as a tech cluster. But walking around the City, you can see hundreds of software firms nestled in among the banks and lawyers. There's a lot happening here". So far, BCBL intends to discuss the topics of P2P lending, startup financing, mobile banking, personal finance management and micro-finance amongst others.

To attend BCBL, register online at http://bcblondon.eventbrite.com/ .

Sun Microsystems are generously hosting BCBL in their City offices. The event, which is organized by volunteers, welcomes participation from anyone who would like to help with logistics or spreading the word. Interested parties can contact Thomas Barker at tbarker [at]barcampbank,org, or Antony Evans at Antony (At) thestartupexchange D0t com.

About BarCampBank:

The aim of BarCampBank is to foster innovation and the creation of new business models in the world of banking and finance. The next BarCampBank after London will be held in Charleston, USA. For more information, please contact George Pasley at gpasley att gmail d0T com . The following one will be held in Vancouver, Canada. For more information, please contact Tim McAlpine at tmcalpine (a) currencymarketing AT ca .

# # #
If you'd like more information about this event, please contact Thomas Barker (contact information above) or Antony Evans (Antony _Att_ thestartupexchange . com)

Posted by iang at 06:54 AM | Comments (1) | TrackBack

April 18, 2008

2 views on the RSA security conference: a war of signals?

2 guys went to RSA conference and came back with slightly different tales. Both are down on it. Gunnar Peterson says the sellers of product are not of our kind, to put it politely. He spotted an apparent exception with Ping Identity, a seller of something or other, which apparently is impressing clients, who reported this anecdote:

Someone wandered by our booth and when they saw the Ping logo, they stopped and paused, looking perplexed. When one of our sales team inquired, the gentleman said, "I thought you guys were bigger than that."

Signal! In a market with insufficient information, signals arise as proxies for the metrics that we don't have, but still demand. There are no good signals, only less bad ones, because if it was good it would be a metric.

In this case, the observer thought that the booth size indicated corporate size, with the implied expectation that this said something (good) about the product. The Ping guy went on to muse on a strategy of deliberately perverting the signal by setting his booth size at 10x10 (feet?) regardless. He could go further, and not go at all, but apparently he isn't ready for that test.

Meanwhile, Bruce Schneier also went to RSA and said:

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

This is a subtle difference between Gunnar and Bruce. Gunnar says that all is crap, and Bruce says that the products are good, but the buyers don't get it. Bruce's theory is that the marketing departments are not selling on security, and in some sense have drifted off to selling something else.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

Which is to say, whatever they are selling, it isn't speaking to security, as far as their customers are concerned. So if we assume that they do know security (whatever that means) and their products are good for us (as Bruce suggests), the question then becomes, why can't they communicate this to us?

Bruce provides the answer elsewhere:

In 2006, IBM bought ISS. The same year BT bought my company, Counterpane, and last year it bought INS. These aren't large security companies buying small security companies; these are non-security companies buying large and small security companies.

Whatever it is that the security companies know, it isn't about what the customer needs. Now, we could split hairs about this point: is the wisdom that the company holds "security" or, is what the customer needs, security?

But it is clear that the customer needs X and the seller isn't aware of what X is. Further, if the above events are indicative, the specialised security company is not capable of entering the market for X. The market for X is reserved for the IT generalist company.

I agree with the notion that we are facing crunch time for the sector (and have been predicting it for longer than I care to remember). It is certainly an exercise for the armchair economists to predict where it goes from here. But, let there be no doubt about change: It has to change, because the disconfirming data is in: the security industry did not save us from the current threats, and has no good answer, if the RSA conference is anything to go by.

From my armchair, here is where it goes: It's your job, do it. Security is something that becomes a part of the application, and the market then splits two ways: you the builder of applications will do it yourself, or you will outsource practically all of the application to (only) companies who can sell all parts of the application, from requirements to rollout (the consolidation that Bruce refers to).

Buy IBM, sell anti-virus companies. Ditch security professionals as contractors, re-employ them as permanent parts of your generalist team, if they are general enough. Integrate savvy people into your team, and encourage them to learn some security, too. Install books on secure programming on the bookshelf, uninstall security products.

Which still leaves a hair-splitting question of what the difference between security and X is. Well, back to my armchair for that one.

Posted by iang at 07:21 AM | Comments (1) | TrackBack

February 14, 2008

FC2008 -- report by Dani Nagy

This was my first time [writes Dani Nagy] at the annual Financial Cryptography and Data Security Conference, even though I have extensively used results published at this conference in my research. In short, it was very interesting from both a technical and a social point of view (as in learning new results and meeting interesting people from the field). And it was a lot of fun, too.

Pairing based cryptography seems to be all the rage in the fundamental crypto research department. Secure Function Evaluation seems to be slowly inching from pure theory into the realm of applicable techniques. But don't hold your breath, yet.

In between theory and practice, was Moty Yung's very entertaining invited talk about Kleptography -- using cryptographic techniques for offensive, malicious purposes, rather than defenses, typically against other cryptographic systems. As an example, he gave a public-private RSA key generation algorithm, which is indistinguishable from an honest, random one in a black box manner, and even if reverse engineered, the keys generated with it can be factored only with the effort of factoring a key half that long. The attacker, however, that pushes this key generation algorithm on unsuspecting victims, will be able to factor their keys with very little effort.

By sheer accident, I found myself on the panel about e-cash. The topic was the gap between real-life electronic cash and academic research. One rule was not to speak about one's own work. The participants were selected from different parts of the world and different walks of life. For me, the biggest news was that credit cards are not common at all in Japan. For most of the people, WebMoney (which was what I talked about) was a complete novelty; I, in turn, found it a bit surprising that WebMoney is almost entirely unknown among FC people. On the other hand, the reason is obvious: most of their publications, including scientific ones, are available only in Russian.

The rump session was a lot of fun, too. In the last minute, I decided to present the core of my other paper that was rejected. There were many different talks, with quite a bit of humor.

The other panel, about usability issues, was also interesting, but my personal conclusion was that there's still a very long way to go, until Skype-like usability becomes the norm rather than odd exceptions. The completely wrong threat models of the 1990s with all-powerful adversaries, men in the middle and completely trustworthy third parties are still too deeply entrenched in many people's thinking.

For future conferences, the goal is to attract more people with finance, business and law backgrounds, in addition to cryptography and CS, which still dominate almost exclusively, despite the fact that there is a growing realization that it is not necessarily the crypto part that makes or breaks FC solutions.

At the general meeting of IFCA, there were the usual voting-on-voting discussions and people not willing to take any responsibility for anything, but I sort of expected it. The important news is that the next island is Barbados and the one after that is, hopefully, Tenerife (this is what most voting members seem to prefer, including myself). The financial objective of having the cost of two conferences in the bank has not been achieved yet, but IFCA is getting there. The nightmare scenario is that a hurricane destroys the island AFTER EVERYTHING HAS BEEN PAID, and all registered participants still need to be refunded.

The conference hotel (Beach Resort El Cozumeleño) was excellent (except for one of the evening shows, which was horrible), the Internet access was reasonably good, the food was good, the sea and the weather were warm, so the overall impression is very positive. The various organized activities were fun, too, such as diving and snorkeling.

For those of us, who left some time before and/or after the conference for exploring, the Yucatan peninsula also offered numerous opportunities. But that was not strictly part of the conference.

Daniel A. Nagy
AgilEight, Security Architect

Posted by iang at 02:09 PM | Comments (3) | TrackBack

August 31, 2007

Identity news: Identity Forum, November 07 open for business, Second Life identifies with its users

Over at the Digital Identity Forum, they have announced this year's conference. London, 21-22 November. I have been to several of the series run by Consult-Hyperion, and can attest that they are worthwhile. Dave and companions do try very hard to cover a broad swathe of the difficult territory known as "Identity," without getting caught in the academic definitions trap that other conferences perpetually fall into.

Well recommended! And, by way of disclosure, I might be there myself, courtesy of a prize ticket.

To continue identifying with today's theme, over in Second Life, they have added an identity verification service. One blog thinks that this is a great move:

The possibilities are huge. Off the top of my head, I see contracts executed in-world, legal representation that starts in-world, and virtual world employment that goes beyond warming a camp chair. And that’s just the beginning.

The important details are:

  • Verification is voluntary.
  • You can verify your age, location, gender, and/or name.
  • You can do it piecemeal (e.g. just age, for access to restricted content).
  • If you don’t verify age, you can’t access restricted parcels.
  • It will be free at first, but there will be fees imposed later.

This other blog sounds warnings of skepticism:

The new system is called "Identity Verification (IDV)", a shift away from the old use of the term "age verification". The shift is significant, as the focus now is in finding out who its users are, rather than whether or not it's ok to let them in. None of this information will be stored by Linden Lab, but no such assurances have been given about what the service provider will do with your personal details once they have them.

The service provider is Integrity, a subsidiary of Aristotle, a data-mining agency in the business of helping people run political campaigns. Users will have to trust that they won't ever use their personal details for anything that disagrees with their personal politics.

And other comments of how much of a failure the chosen service provider is.

I'll defer commenting on that one today. Frequent visitors to the world of FC can probably guess!

Posted by iang at 06:45 AM | Comments (0) | TrackBack

July 05, 2007

Metricon 2.0 -- Boston, 7.Aug.2007 -- talks announced

Gunnar Peterson writes: The agenda for Metricon 2.0 in Boston August 7th has been set. Metricon is co-located with the Usenix security conference. The details, travel info, registration, and agenda are here.

There are a limited number of openings so please REGISTER SOON if interested in attending. A summary of the presentations:

  • "Do Metrics Matter?"
  • "Security Meta Metrics--Measuring Agility, Learning, and Unintended Consequence"
  • "Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software"
  • "A Software Security Risk Classification System"
  • "Web Application Security Metrics"
  • "Operational Security Risk Metrics: Definitions, Calculations, and Visualizations"
  • "Metrics for Network Security Using Attack Graphs: A Position Paper"
  • "Software Security Weakness Scoring"
  • "Developing secure applications with metrics in mind"
  • "Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail"

    Posted by iang at 02:09 AM | Comments (0) | TrackBack
    July 04, 2007

    CFP -- FC07 -- papers by 25th September

    This is [writes Radu Sion] an advance call for papers for the Financial Cryptography and Data Security Conference in Cozumel, Mexico, 28-31 January, 2008 (http://fc08.ifca.ai).

    Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance in the context of finance and commerce. The conference covers all aspects of securing transactions and systems. Submissions focusing on both fundamental and applied real-world deployments are solicited.

    This year, for the first time, we are also accepting submissions for posters and short papers. The poster session is the perfect venue to share a provocative opinion, interesting established or preliminary work, or a cool idea that will spark discussion. Poster presenters will benefit from a multi-hour session to discuss their work, get exposure, and receive feedback from attendees. The intention behind short papers (peer-reviewed) is to encourage authors to introduce work in progress, novel applications and corporate or industrial experiences. Short papers will be evaluated with a focus on novelty and potential for sparking participants' interest and future research avenues.

    DATES

    Submission: 25 September
    Posters: 13 November
    Panels: 13 November

    Posted by iang at 07:08 AM | Comments (0) | TrackBack

    April 24, 2007

    WEIS2007 - Econ Info Sec - programme announced

    Following is the Programme for WEIS2007, the annual Workshop on Economics of Information Security, to be held June 7-8, 2007, in Pittsburgh, USA.

    Session I - 8:30-10:30am (Disclosure),

    The legitimate vulnerability market: the secretive world of 0-day exploit sales
    Charles Miller, Independent Security Evaluators

    Inadvertent Disclosure - Information Leaks in the Extended Enterprise
    M. Eric Johnson and Scott Dynes, Dartmouth College

    Network Security: Vulnerabilities and Disclosure Policy
    Jay Pil Choi, Michigan State University,
    Chaim Fershtman, Neil Gandal, Tel Aviv University

    The Countervailing Incentive of Restricted Patch Distribution: Economic and Policy Implications
    Mohammad S. Rahman, Karthik Kannan, Mohit Tawarmalani, Purdue University

    Session II - 11am-12pm (Privacy),

    On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?
    Rainer Böhme and Sven Koble, Technische Universität Dresden

    When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information
    Jens Grossklags, University of California at Berkeley,
    Alessandro Acquisti, Carnegie Mellon University

    Keynote speech (George Loewenstein),

    WEIS 2007 is delighted to host a keynote speech by Dr. George Loewenstein, Herbert A. Simon Professor of Economics and Psychology at Carnegie Mellon University.

    George Loewenstein is the Herbert A. Simon Professor of Economics and Psychology at Carnegie Mellon University. He received his PhD from Yale University in 1985 and since then has held academic positions at The University of Chicago and Carnegie Mellon University, and fellowships at Center for Advanced Study in the Behavioral Sciences, The Institute for Advanced Study in Princeton, The Russell Sage Foundation and The Institute for Advanced Study in Berlin. He is one of the founders of the field of behavioral economics and more recently of the new field of neuroeconomics. Loewenstein's research focuses on applications of psychology to economics, and his specific interests include decision making over time, bargaining and negotiations, psychology and health, law and economics, the psychology of adaptation, the role of emotion in decision making, the psychology of curiosity, conflict of interest, and "out of control" behaviors such as impulsive violent crime and drug addiction. He has published over 100 journal articles, numerous book chapters, and has edited 6 books on topics ranging from intertemporal choice to behavioral economics to emotions.

    Session III - 2:-3:30pm (Security Investments),

    Optimally Securing Enterprise Information Systems and Assets
    Vineet Kumar, Rahul Telang, Tridas Mukhopadhyay, Carnegie Mellon University

    Interdependence of Reliability and Security
    Peter Honeyman, University of Michigan,
    Galina A. Schwartz, University of California Berkeley,
    Ari Van Assche, HEC Montréal

    A Framework for Classifying and Comparing Models of Cyber Security Investment to Support Policy and Decision-Making
    Rachel Rue, Shari Lawrence Pfleeger and David Ortiz, RAND Corporation

    Session IV - 4-5:30pm (Managed security Service Providers),

    Growth and sustainability of MSSP networks
    Alok Gupta and Dmitry Zhdanov, University of Minnesota

    Will Outsourcing IT Security Lead to a Higher Social Level of Security?
    Brent Rowe, RTI International

    Measuring Security Investment Benefit for Off the Shelf Software Systems - A Stakeholder Value Driven Approach
    Yue Chen, Barry Boehm, Luke Sheppard, University of Southern California

    Session I - 8:30-10am (Privacy-Personalization),

    Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns
    Ramnath K. Chellappa, Emory University Atlanta,
    Shivendu Shivendu, University of Southern California

    The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study
    Janice Tsai, Serge Egelman, Lorrie Cranor, Alessandro Acquisti, Carnegie Mellon University

    Economics of User Segmentation, Profiling, and Detection in Security
    Srinivasan Raghunathan, Huseyin Cavusoglu, Byungwan Koh, The University of Texas at Dallas,
    Bin Mai, Northwestern State University

    Session II - 10:30am-12pm (Empirics of Information Security),

    The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Country Evidence
    Ivan Png, Chen Yu Wang, National University of Singapore

    An Empirical Analysis of the Current State of Phishing Attack and Defence
    Tyler Moore and Richard Clayton, University of Cambridge

    Privacy, Network Effects and Electronic Medical Record Technology Adoption
    Amalia R. Miller, University of Virginia,
    Catherine E. Tucker, MIT

    Session IV 3- 4:30pm (Risk),

    Mental Models of Computer Security Risks
    Farzaneh Asgharpour, Debin Liu, L. Jean Camp, Indiana University

    Cyber-Insurance: Copula Pricing Framework and Implications for Risk Management
    Hemantha S. B. Herath, Brock University,
    Tejaswini C. Herath, University at Buffalo

    Strategic Defense and Attack of Complex Networks
    Kjell Hausken, University of Stavanger

    Posted by iang at 08:56 AM | Comments (1) | TrackBack

    April 09, 2007

    Metricon 2.0 -- Boston, 7.Aug.2007

    Better be quick -- Gunnar posts that to get a talk idea into Metricon 2.0, you have to have it in by 11th May.

    Second Workshop on Security Metrics (MetriCon 2.0)

    August 7, 2007 Boston, MA

    Do you cringe at the subjectivity applied to security in every manner? If so, MetriCon 2.0 may be your antidote to change security from an artistic "matter of opinion" into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for hard facts and data has come.

    MetriCon 2.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific implementations. Topics and presentations will be selected for their potential to stimulate discussion in the Workshop.

    MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, ...

    And I just posted over on EC that one needed slow, careful, critical thought to consider metrics and data...

    Posted by iang at 04:39 PM | Comments (3) | TrackBack

    January 10, 2007

    Usable Security 2007 -- Preliminary Programme -- colocated with FC2007

    The Preliminary Programme for "USABLE SECURITY 2007", which is colocated with FC2007, is below, again in "title-only-peer-review" mode.

  • An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
  • WSKE: Web Server Key Enabled Cookies
  • (Panel) - The Future of Phishing
  • Usability Analysis of Secure Pairing Methods
  • Low-cost Manufacturing, Usability, and Security: An Analysis of Bluetooth Simple Pairing and Wi-Fi Protected Setup
  • Empirical Studies on Software Notices to Inform Policy Makers and Usability Designers
  • Prime III: Where Usable Security and Electronic Voting Meet
  • (Panel) Building Trusted Systems: Does Trusting Computing Enable Trusted Systems?
  • Click to vote your interest: https://www.usablesecurity.org/accepted.html

    (Ha! Finally someone else who supports encrypted web browsing. Hey, guys, can you fix the links so that they are relative and keep people in HTTPS?)

    Posted by iang at 05:55 AM | Comments (3) | TrackBack

    January 08, 2007

    FC07 Preliminary Programme - Leaving Room for the Bad Guys

    Mike Bond, an EMV researcher from Cambridge crypto labs and now Security Director at Cryptomathic, is giving the Keynote Address at FC. As it strongly rhymes with many of my rantings (GP, Pareto-secure, the hacker yin-yang relationship ...) here is the abstract in full. The other Invited Talk by Dawn Jutla also resonates with talk of end-to-end security and how Kerckhoffs' 6th says the user is the first requirement.

    (Keynote - Mike Bond)

    Leaving Room for the Bad Guys

    When designing a crypto protocol, or building a large security architecture, no competent designer ignores considering the bad guy, and anticipating his plans. But often we designers find ourselves striving to build totally secure systems and protocols -- in effect writing the bad guys entirely out of the equation. In a large system, when you exclude the bad guys, they soon muscle their way in elsewhere, and maybe in a new and worse way over which you may have much less control. A crypto protocol with no known weaknesses may be a strong tool, but when it does break, it will break in an unpredictable way.

    This talk explores the hypothesis that it is safer and better for designers to give the bad guys their cut, but to keep it small, and keep in control. It may not just be our systems but also our protocol building blocks that should be designed to make room for the bad guy to take his cut. The talk is illustrated with examples of very successful systems with known weaknesses, drawn primarily from the European EMV payment system, and banking security in general. We also discuss a few "too secure" systems that end up failing in worse ways as a result.

    (Invited Talk — Dawn Jutla)

    Title: Usable SPACE: Security, Privacy, and Context for the Mobile User

    Users breach the security of data within many financial applications daily as human and/or business expediency to access and use information wins over corporate security policy guidelines. Recognizing that changing user context often requires different security mechanisms, we discuss end-to-end solutions combining several security and context mechanisms for relevant security control and information presentation in various mobile user situations. We illustrate key concepts using Dimitri Kanevsky's (IBM Research) early 2000s patented inventions for voice security and classification.

    Curiously, these talks are the most encouraging for a long time. Does this signify a shift in IFCA focus away from academic crypto to practical security?

    The rest of the programme I pass on in "title-only-peer-review-mode" so you can scan and click for anything that grabs attention.

    Programme in title-only-peer-review-mode:

  • Vulnerabilities in First-Generation RFID-enabled Credit Cards
  • Conditional E-Cash
  • A Privacy-Protecting Multi-Coupon Scheme with Stronger Protection against Splitting
  • (Panel) RFID - yes or no?
  • A Model of Onion Routing with Provable Anonymity
  • K-Anonymous Multi-party Secret Handshakes
  • Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer
  • Scalable Authenticated Tree Based Group Key Exchange for Ad-Hoc Groups
  • On Authentication with HMAC and Non-Random Properties
  • Hidden Identity-Based Signatures
  • Space-Efficient Private Search
  • Cryptographic Securities Exchanges
  • Improved multi-party contract signing
  • Informant: Detecting Sybils Using Incentives
  • Dynamic Virtual Credit Card Numbers
  • The unbearable lightness of PIN cracking
  • (Panel) Virtual Economies - Threats and Risks, Moderator
  • The Motorola Personal Digital Right Manager
  • Certificate Revocation using Fine Grained Certificate Space Partitioning
  • An Efficient Aggregate Shuffle Argument Scheme
  • Programme in Full

    Posted by iang at 08:49 AM | Comments (2) | TrackBack

    December 01, 2006

    CFP - Computer Security Foundations

    Twan says of WEIS: "Darn, why did I miss this workshop!? ... interesting stuff" Me too. Here's another one:

    Call For Papers

    20th IEEE Computer Security Foundations Workshop (CSF)
    Venice, Italy, July 6 - 8, 2007

    Sponsored by the Technical Committee on Security and Privacy
    of the IEEE Computer Society

    CSF20 website: http://www.dsi.unive.it/CSFW20/
    CSF home page: http://www.ieee-security.org/CSFWweb/
    CSF CFP: http://www.cs.chalmers.se/~andrei/CSF07/cfp.html

    The IEEE Computer Security Foundations Workshop (CSF) series brings together researchers in computer science to examine foundational issues in computer security. Over the past two decades, many seminal papers and techniques have been presented first at CSF. The CiteSeer Impact page lists CSF as 38th out of more than 1200 computer science venues in impact (top 3.11%) based on citation frequency. There is a possibility of upgrading CSF to an IEEE symposium already in 2007.

    New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are welcome as well as papers. Possible topics include, but are not limited to:

       Authentication
       Information flow
       Security protocols
       Anonymity and Privacy
       Electronic voting
       Network security
       Resource usage control
       Access control
       Trust and trust management
       Security models
       Intrusion detection
       Data and system integrity
       Database security
       Distributed systems security
       Security for mobile computing
       Executable content
       Decidability and complexity
       Formal methods for security
       Language-based security
    

    Proceedings published by the IEEE Computer Society Press will be available at the workshop, and selected papers will be invited for submission to the Journal of Computer Security.

    Important Dates

    Papers due:                   Monday, February 5, 2007
    Panel proposals due:          Thursday, March 15, 2007
    Notification:                 Monday, March 26, 2007
    Camera-ready papers:          Friday, April 27, 2007
    Workshop:                     July 6-8, 2007

    Workshop Location

    The 20th IEEE Computer Security Foundations Workshop will be held in the facilities of Venice International University, located on the island of San Servolo, about 10 minutes by water ferry from the Piazza San Marco.

    More details: http://www.cs.chalmers.se/~andrei/CSF07/cfp.html

    Posted by iang at 03:40 PM | Comments (0) | TrackBack

    September 15, 2006

    WESII - Programme - Economics of Securing the Information Infrastructure

    The Workshop on the Economics of Securing the Information Infrastructure

    http://wesii.econinfosec.org/

    October 23-24, 2006
    Washington, DC

    PRELIMINARY PROGRAM & CALL FOR PARTICIPATION
    ...

    9:00AM Panel - Economic Barriers and Incentives for DNSSEC Deployment

    11:00AM Session 1
    * Comparing the Costs of Public Key Authentication Infrastructures
    * Economics of Internet Security Outsourcing: Simulation Results Based on the Schneier Model
    * The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market

    1:30PM Panel - Data Sources: Should we answer questions for which data is available, can we get more data, or can we do without?

    3:30PM Session 2

    * Toward A Dynamic Modeling Of The Vulnerability Black Market
    * Toward One Strong National Breach Disclosure Law - Justification and Requirements
    * Using Self-interest to Prevent Malice; Fixing the Denial of Service Flaw of the Internet

    9:00AM Session 3

    * A Closer Look at Attack Clustering
    * Predictive Modelling for Security Operations Economics
    * Assessing Trusted Network Access Control Cost-Benefit Factors

    11:00AM Session 4

    * The Statistical Value of Information
    * On the Economic Placement of Monitors in Router Level Network Topologies

    1:00PM Work-in-Progress (WIP) Session

    * Economic Interpretation and a Simulation Exercise for Exploring Corporate Investments in Cyber Security
    * Securing Our Data Storage Infrastructures
    * A Neo-institutional Perspective on Cyber Attacks
    * Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work
    * Securing the Process of Insurance Application
    * Evaluation of Information Security Investment Portfolios: A Probabilistic Approach
    * Direct measurement of spam zombie activity in a residential broadband network

    ========================================================================
    Hotel & Registration
    ========================================================================

    *The WESII Hotel Reservation Deadline is September 20*

    *Registration is now open*

    ========================================================================
    Preliminary Program
    ========================================================================
    For updates, see

    Monday, October 23, 2006

    9:00AM Panel
    Economic Barriers and Incentives for DNSSEC Deployment
    Moderator: Andy Ozment
    Panelists: Sam Weiler, Steve Crocker, and more TBA

    11:00AM Session 1
    * Comparing the Costs of Public Key Authentication Infrastructures
    Patroklos Argyroudis (University of Dublin, Trinity College)
    Robert McAdoo (University of Dublin, Trinity College)
    Donal O'Mahony (University of Dublin, Trinity College)
    * Economics of Internet Security Outsourcing:
    Simulation Results Based on the Schneier Model
    William Yurcik (University of Illinois)
    Wen Ding (University of Illinois)
    * The Effect of Information Security Incidents on Corporate
    Values in the Japanese Stock Market
    Masaki Ishiguro (Mitsubishi Research Institute)
    Hideyuki Tanaka (The Graduate School of
    Interdisciplinary Information Studies),
    Kanta Matsuura (Institute of Industrial Science,
    University of Tokyo),
    Ichiro Murase (Mitsubishi Research Institute)

    1:30PM Panel
    Data Sources:
    Should we answer questions for which data is available,
    can we get more data, or can we do without?
    Moderator: Allan Friedman
    Panelists: TBA

    3:30PM Session 2

    * Toward A Dynamic Modeling Of The Vulnerability Black Market
    Jaziar Radianti (Agder University College)
    Jose. J. Gonzalez (Agder University College)
    * Toward One Strong National Breach Disclosure Law -
    Justification and Requirements
    William Yurcik (University of Illinois)
    Ragib Hasan (University of Illinois at Urbana-Champaign)
    * Using Self-interest to Prevent Malice;
    Fixing the Denial of Service Flaw of the Internet
    Bob Briscoe (BT & UCL)


    Tuesday, October 24, 2006

    9:00AM Session 3

    * A Closer Look at Attack Clustering
    Rainer Böhme (TU Dresden)
    Gaurav Kataria (Carnegie Mellon University)
    * Predictive Modelling for Security Operations Economics
    Mike Yearworth (HP Labs)
    Brian Monahan (HP Labs)
    David Pym (HP Labs)
    * Assessing Trusted Network Access Control Cost-Benefit Factors
    Susmit Panjwani (Deviant Intelligence LLC)
    Stephanie Tan (IBM)

    11:00AM Session 4

    * The Statistical Value of Information
    Luther Martin (Voltage Security)
    * On the Economic Placement of Monitors in
    Router Level Network Topologies
    Yongping Tang (Iowa State University)
    Thomas E. Daniels (Iowa State University)

    1:00PM Work-in-Progress (WIP) Session

    * Economic Interpretation and a Simulation Exercise for
    Exploring Corporate Investments in Cyber Security
    Jonathan Crawford (University of Virginia)
    Kenneth G. Crowther (University of Virginia)
    Barry Horowitz (University of Virginia)
    James Lambert (University of Virginia)
    * Securing Our Data Storage Infrastructures
    Bob Mungamuru (Stanford University)
    Hector Garcia-Molina (Stanford University)
    * A Neo-institutional Perspective on Cyber Attacks
    Nir Kshetri (University of North Carolina--Greensboro)
    * Beyond Media Hype: Empirical Analysis of Disclosed Privacy
    Breaches 2005-2006 and a DataSet/Database Foundation for Future Work
    Ragib Hasan (University of Illinois at Urbana-Champaign)
    William Yurcik (University of Illinois)
    * Securing the Process of Insurance Application
    Vincent Wolff-Marting (University of Leipzig)
    André Köhler (University of Leipzig)
    Volker Gruhn (University of Leipzig)
    * Evaluation of Information Security Investment Portfolios:
    A Probabilistic Approach
    Tae-Sung Kim (Chungbuk National University)
    Chandrasekhar Subramaniam (UNC Charlotte),
    Sungjune Park (UNC Charlotte),
    Ram Kumar (UNC Charlotte)
    * Direct measurement of spam zombie activity in a
    residential broadband network
    Geoff Bennett (StreamShield)
    Brian Webb (BT Retail)


    ========================================================================
    Program Committee
    ========================================================================

    Alessandro Acquisti Carnegie Mellon University
    Heinz School of Public Policy & Management

    Ross Anderson University of Cambridge

    Jean Camp Indiana University

    Huseyin Cavusoglu University of Texas at Dallas

    Richard Clayton University of Cambridge

    Steve Crocker Shinkuro / DNSSEC Deployment Working Group

    Ben Edelman Harvard University Department of Economics

    Allan Friedman Harvard University
    Kennedy School of Government

    Adam M. Golodner Cisco Systems

    Larry Gordon University of Maryland
    Smith School of Business

    Yacov Haimes University of Virginia

    Cathy Handley U.S. Department of Commerce, National
    Telecommunications & Information Administration

    Barry Horowitz University of Virginia

    Richard Hovey U.S. Federal Communications Commission (FCC)

    Jeff Hunker Carnegie Mellon University
    Heinz School of Public Policy & Management

    M. Eric Johnson The Tuck School of Business at Dartmouth College

    Jeffrey M. Kopchik U.S. Federal Deposit Insurance Corporation (FDIC)

    Technology Supervision Branch

    Steve Lipner Microsoft

    Marty Loeb University of Maryland
    Smith School of Business

    Doug Maughan U.S. Department of Homeland Security (DHS)
    Science and Technology Directorate

    Doug Montgomery U.S. National Institute of Standards & Technology
    Internetworking Technologies Group

    Milton Mueller Syracuse University School of Information Studies

    Andrew Odlyzko University of Minnesota

    Andy Ozment MIT Lincoln Laboratory / University of Cambridge

    Shari Lawrence Pfleeger RAND Corporation

    Stuart Schechter MIT Lincoln Laboratory

    Bruce Schneier Counterpane Internet Security

    Rahul Telang Carnegie Mellon University
    Heinz School of Public Policy & Management

    Andrew Wyckoff Organisation for Economic Cooperation and
    Development (OECD)

    Bill Yurcik National Center for Supercomputing Applications
    (NCSA)


    ========================================================================
    Workshop Sponsors
    ========================================================================
    The Institute for Information Infrastructure Protection (I3P)
    The Workshop on the Economics of Information Security (WEIS)


    Posted by iang at 06:29 AM | Comments (1) | TrackBack

    FC'07 - call for papers - Financial Cryptography and Data Security

    Call for Papers

    FC'07: Financial Cryptography and Data Security
    http://fc07.ifca.ai/

    Eleventh International Conference
    February 12-15, 2007
    Lowlands, Scarborough, Trinidad and Tobago

    Submissions Due Date: October 9, 2006, 11:59pm, EDT (UTC-4)

    Program Chair: Sven Dietrich (Carnegie Mellon University)
    General Chair: Rafael Hirschfeld (Unipay)

    At its 11th year edition, Financial Cryptography and Data Security (FC'07) is a well established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We will continue last year's augmentation of the conference title and expansion of our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, fraud prevention, secure IT infrastructure, and analysis methodologies. Our focus will also encompass financial, legal, business, and policy aspects. Material both on theoretical (fundamental) aspects of securing systems, and on secure applications and real-world deployments will be considered.

    ...
    http://fc07.ifca.ai/

    The conference goal is to bring together top cryptographers, data-security
    specialists, and computer scientists with economists, bankers,
    implementers, and policy makers. Intimate and colorful by tradition, the
    FC'07 program will feature invited talks, academic presentations,
    technical demonstrations, and panel discussions.

    This conference is organized annually by the International Financial
    Cryptography Association (IFCA).

    Original papers, surveys, and presentations on all aspects of financial
    and commerce security are invited. Submissions must have a strong and
    visible bearing on financial and commerce security issues, but can be
    interdisciplinary in nature and need not be exclusively concerned with
    cryptography or security. Possible topics for submission to the various
    sessions include, but are not limited to:

    Anonymity and Privacy
    Auctions
    Audit and Auditability
    Authentication and Identification, including Biometrics
    Certification and Authorization
    Commercial Cryptographic Applications
    Commercial Transactions and Contracts
    Digital Cash and Payment Systems
    Digital Incentive and Loyalty Systems
    Digital Rights Management
    Financial Regulation and Reporting
    Fraud Detection
    Game Theoretic Approaches to Security
    Identity Theft, Phishing and Social Engineering
    Infrastructure Design
    Legal and Regulatory Issues
    Microfinance and Micropayments
    Monitoring, Management and Operations
    Reputation Systems
    RFID-Based and Contactless Payment Systems
    Risk Assessment and Management
    Secure Banking and Financial Web Services
    Securing Emerging Computational Paradigms
    Security and Risk Perceptions and Judgments
    Security Economics
    Smart Cards and Secure Tokens
    Trust Management
    Trustability and Trustworthiness
    Underground-Market Economics
    Virtual Economies
    Voting system security

    For those interested, last year's proceedings are available from Springer.

    Submission Instructions

    Submission Categories

    FC'07 is inviting submissions in four categories: (1) research papers, (2)
    systems and applications presentations, (3) panel sessions, (4) surveys.
    For all accepted submissions, at least one author must attend the
    conference and present the work.

    Research Papers

    Research papers should describe novel scientific contributions to the
    field, and they will be subject to rigorous peer review. Accepted
    submissions will be included in the conference proceedings to be published
    in the Springer-Verlag Lecture Notes in Computer Science (LNCS) series
    after the conference, so the submissions must be formatted in the standard
    LNCS format (15 page limit).

    Systems and Application Presentations

    Submissions in this category should describe novel or successful systems
    with an emphasis on secure digital commerce applications. Presentations
    may concern commercial systems, academic prototypes, or open-source
    projects for any of the topics listed above. Where appropriate, software
    or hardware demonstrations are encouraged as part of the presentations in
    these sessions. Submissions in this category should consist of a short
    summary of the work (1-6 pages in length) to be reviewed by the Program
    Committee, along with a short biography of the presenters. Accepted
    submissions will be presented at the conference (25 minutes per
    presentation), and a one-page abstract will be published in the conference
    proceedings.

    Panel Sessions

    Proposals for panel sessions are also solicited, and should include a
    brief description of the panel as well as prospective participants.
    Accepted panel sessions will be presented at the conference, and each
    participant will contribute a one-page abstract to be published in the
    conference proceedings.

    Surveys

    A limited number of survey presentations may also be included in the
    program. We encourage submissions that summarize the current state of the
    art on any well-defined subset of the above listed submission topics. A
    limited description of visions on future directions of research in these
    topics would also be appreciated. Survey submissions can be significantly
    shorter than research paper submissions.

    Preparation Instructions

    Submissions to the research papers, systems/application presentation
    categories, and surveys must be received by the due date. Papers must be
    formatted in standard PostScript or PDF format. Submissions in other
    formats will be rejected. All papers must be submitted electronically
    according to the instructions and forms found on this web site and at the
    submission site.

    Authors should provide names and affiliations at submission time, and have
    the option of including or not names and affiliations in their submitted
    papers, that must include on their first page the title of the paper, a
    brief abstract, and a list of topical keywords. Accepted submissions will
    be included in the conference proceedings to be published in the
    Springer-Verlag Lecture Notes in Computer Science (LNCS) series after the
    conference, so the submissions must be formatted in the standard LNCS
    format (15 page limit). Authors of accepted submissions will be required
    to complete and sign an IFCA copyright form. A pre-proceedings volume
    containing preliminary versions of the papers will be distributed at the
    conference.

    Questions about all conference submissions should be directed to the
    Program Chair at fc07chair@cert.org.

    Paper Submission

    Authors should only submit work that does not substantially overlap with
    work that is currently submitted or has been accepted for publication to a
    conference with proceedings or a journal.

    To submit your paper, use our online submission service.

    The Rump Session

    FC'07 will also include the popular "rump session" held on one of the
    evenings in an informal, social atmosphere. The rump session is a program
    of short (5-7 minute), informal presentations on works in progress,
    off-the-cuff ideas, and any other matters pertinent to the conference. Any
    conference attendee is welcome to submit a presentation to the Rump
    Session Chair (to be announced). This submission should consist of a talk
    title, the name of the presenter, and, if desired, a very brief abstract.
    Submissions may be sent via e-mail, or submitted in person through the
    Monday of the conference.

    Associated Workshop

    There will be a Usability Workshop held in conjunction with FC 2007.

    Program Committee

    Alessandro Acquisti, Carnegie Mellon University
    Jon Callas, PGP Corporation
    Yvo Desmedt, University College London
    Giovanni di Crescenzo, Telcordia Technologies
    Roger Dingledine, The Free Haven Project
    Bernhard Esslinger, Deutsche Bank
    Philippe Golle, PARC
    Klaus Kursawe, Philips Research Eindhoven
    Arjen Lenstra, EPFL
    Patrick McDaniel, Penn State University
    Tatsuaki Okamoto, NTT
    Kazue Sako, NEC
    Radu Sion, SUNY Stony Brook
    Stuart Stubblebine, Stubblebine Consulting
    Paul Syverson, NRL
    Mike Szydlo, RSA
    Jonathan Trostle, ASK Consulting and Research
    Moti Yung, RSA & Columbia University
    Yuliang Zheng, University of North Carolina at Charlotte

    Important Dates:
    Paper Submission: October 9, 2006

    Notification: December 11, 2006
    Pre-Proceedings: January 11, 2007
    Conference dates: February 12-15, 2007
    Post Proceedings: April 10, 2007

    Posted by iang at 06:19 AM | Comments (0) | TrackBack

    August 10, 2006

    Usable Security (USEC'07)

    Rachna writes: I am organizing a workshop on usable security that will be held in conjunction with Financial Cryptography and Data Security (FC'07). I encourage people on this list to submit their work and/or to attend the workshop!

    Thanks,
    Rachna

    FIRST CALL FOR PAPERS

    Usable Security (USEC'07)
    http://www.usablesecurity.org/

    February 15-16, 2007
    Lowlands, Scarborough, Trinidad/Tobago

    A workshop co-located with
    The Eleventh Conference on Financial Cryptography and Data Security (FC'07)

    Submissions Due Date: November 5, 2006, 11:59pm, PST

    Some of the most challenging problems in designing and maintaining secure systems involve human factors. A great deal remains to be understood about users' capabilities and motivations to perform security tasks. Usability problems have been at the root of many widely reported security failures in high-stakes financial, commercial and voting applications.

    USEC'07 seeks submissions of novel research from academia and industry on all theoretical and practical aspects of usable security in the context of finance and commerce. The workshop will bring together an interdisciplinary group of researchers and practitioners, allowing experts in human-computer interaction, cryptography, data security and public policy to explore emerging problems and solutions.

    (Editorial comment -- it is good to see the arisal of more polymath conferences, which is where much of the work will be done in risks and security in the future.)

    Posted by iang at 12:47 PM | Comments (0) | TrackBack

    July 29, 2006

    FC'07 - call for papers

    FC'07: Financial Cryptography and Data Security
    http://fc07.ifca.ai/

    Eleventh International Conference
    February 12-15, 2007
    Lowlands, Scarborough, Trinidad and Tobago

    Submissions Due Date: October 9, 2006, 11:59pm, EDT (UTC-4)

    Program Chair: Sven Dietrich (Carnegie Mellon University)
    General Chair: Rafael Hirschfeld (Unipay)

    At its 11th year edition, Financial Cryptography and Data Security (FC'07) is a well established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We will continue last year's augmentation of the conference title and expansion of our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, fraud prevention, secure IT infrastructure, and analysis methodologies. Our focus will also encompass financial, legal, business, and policy aspects. Material both on theoretical (fundamental) aspects of securing systems, and on secure applications and real-world deployments will be considered.
    ...


    The conference goal is to bring together top cryptographers, data-security
    specialists, and computer scientists with economists, bankers, implementers,
    and policy makers. Intimate and colorful by tradition, the FC'07 program
    will feature invited talks, academic presentations, technical
    demonstrations, and panel discussions.

    This conference is organized annually by the International Financial
    Cryptography Association (IFCA).

    Original papers, surveys, and presentations on all aspects of financial and
    commerce security are invited. Submissions must have a strong and visible
    bearing on financial and commerce security issues, but can be
    interdisciplinary in nature and need not be exclusively concerned with
    cryptography or security. Possible topics for submission to the various
    sessions include, but are not limited to:

    Anonymity and Privacy
    Auctions
    Audit and Auditability
    Authentication and Identification, including Biometrics
    Certification and Authorization
    Commercial Cryptographic Applications
    Commercial Transactions and Contracts
    Digital Cash and Payment Systems
    Digital Incentive and Loyalty Systems
    Digital Rights Management
    Financial Regulation and Reporting
    Fraud Detection
    Game Theoretic Approaches to Security
    Identity Theft, Phishing and Social Engineering
    Infrastructure Design
    Legal and Regulatory Issues
    Microfinance and Micropayments
    Monitoring, Management and Operations
    Reputation Systems
    RFID-Based and Contactless Payment Systems
    Risk Assessment and Management
    Secure Banking and Financial Web Services
    Securing Emerging Computational Paradigms
    Security and Risk Perceptions and Judgments
    Security Economics
    Smart Cards and Secure Tokens
    Trust Management
    Trustability and Trustworthiness
    Underground-Market Economics
    Virtual Economies
    Voting system security

    For those interested, last year's proceedings are available from Springer.

    Submission Instructions

    Submission Categories

    FC'07 is inviting submissions in four categories: (1) research papers, (2)
    systems and applications presentations, (3) panel sessions, (4) surveys. For
    all accepted submissions, at least one author must attend the conference and
    present the work.

    Research Papers

    Research papers should describe novel scientific contributions to the field,
    and they will be subject to rigorous peer review. Accepted submissions will
    be included in the conference proceedings to be published in the
    Springer-Verlag Lecture Notes in Computer Science (LNCS) series after the
    conference, so the submissions must be formatted in the standard LNCS format
    (15 page limit).

    Systems and Application Presentations

    Submissions in this category should describe novel or successful systems
    with an emphasis on secure digital commerce applications. Presentations may
    concern commercial systems, academic prototypes, or open-source projects for
    any of the topics listed above. Where appropriate, software or hardware
    demonstrations are encouraged as part of the presentations in these
    sessions. Submissions in this category should consist of a short summary of
    the work (1-6 pages in length) to be reviewed by the Program Committee,
    along with a short biography of the presenters. Accepted submissions will be
    presented at the conference (25 minutes per presentation), and a one-page
    abstract will be published in the conference proceedings.

    Panel Sessions

    Proposals for panel sessions are also solicited, and should include a brief
    description of the panel as well as prospective participants. Accepted panel
    sessions will be presented at the conference, and each participant will
    contribute a one-page abstract to be published in the conference
    proceedings.

    Surveys

    A limited number of survey presentations may also be included in the
    program. We encourage submissions that summarize the current state of the
    art on any well-defined subset of the above listed submission topics. A
    limited description of visions on future directions of research in these
    topics would also be appreciated. Survey submissions can be significantly
    shorter than research paper submissions.

    Preparation Instructions

    Submissions to the research papers, systems/application presentation
    categories, and surveys must be received by the due date. Papers must be
    formatted in standard PostScript or PDF format. Submissions in other formats
    will be rejected. All papers must be submitted electronically according to
    the instructions and forms found on this web site and at the submission
    site.

    Authors should provide names and affiliations at submission time, and have
    the option of including or not names and affiliations in their submitted
    papers, that must include on their first page the title of the paper, a
    brief abstract, and a list of topical keywords. Accepted submissions will be
    included in the conference proceedings to be published in the
    Springer-Verlag Lecture Notes in Computer Science (LNCS) series after the
    conference, so the submissions must be formatted in the standard LNCS format
    (15 page limit). Authors of accepted submissions will be required to
    complete and sign an IFCA copyright form. A pre-proceedings volume
    containing preliminary versions of the papers will be distributed at the
    conference.

    Questions about all conference submissions should be directed to the Program
    Chair at fc07chair@cert.org

    Paper Submission

    Authors should only submit work that does not substantially overlap with
    work that is currently submitted or has been accepted for publication to a
    conference with proceedings or a journal.

    Paper submission will occur via website to be announced at a later time.

    The Rump Session

    FC'07 will also include the popular "rump session" held on one of the
    evenings in an informal, social atmosphere. The rump session is a program of
    short (5-7 minute), informal presentations on works in progress,
    off-the-cuff ideas, and any other matters pertinent to the conference. Any
    conference attendee is welcome to submit a presentation to the Rump Session
    Chair (to be announced). This submission should consist of a talk title, the
    name of the presenter, and, if desired, a very brief abstract. Submissions
    may be sent via e-mail, or submitted in person through the Monday of the
    conference.

    Associated Workshop

    There will be a Usability Workshop held in conjunction with FC 2007. Details
    will be published at a later time.

    Program Committee

    Alessandro Acquisti, Carnegie Mellon University
    Jon Callas, PGP Corporation
    Yvo Desmedt, University College London
    Giovanni di Crescenzo, Telcordia Technologies
    Roger Dingledine, The Freehaven Project
    Bernhard Esslinger, Deutsche Bank
    Philippe Golle, PARC
    Klaus Kursawe, Philips Research Eindhoven
    Arjen Lenstra, EPFL
    Patrick McDaniel, Penn State University
    Tatsuaki Okamoto, NTT
    Kazue Sako, NEC
    Radu Sion, SUNY Stony Brook
    Stuart Stubblebine, Stubblebine Consulting
    Paul Syverson, NRL
    Mike Szydlo, RSA
    Jonathan Trostle, ASK Consulting and Research
    Moti Yung, RSA & Columbia University
    Yuliang Zheng, University of North Carolina at Charlotte

    Important Dates:

    Paper Submission: October 9, 2006
    Notification: December 11, 2006
    Pre-Proceedings: January 11, 2007
    Conference dates: February 12-15, 2007
    Post Proceedings: April 10, 2007

    Posted by iang at 09:23 AM

    May 24, 2006

    CFP - W. Economics of Securing the Information Infrastructure

    The Workshop on the Economics of Securing the Information Infrastructure

    October 23-24, 2006 Washington, DC

    SECOND CALL FOR PAPERS

    Our information infrastructure suffers from decades-old vulnerabilities, from the low-level algorithms that select communications routes to the application-level services on which we are becoming increasingly dependent. Are we investing enough to protect our infrastructure? How can we best overcome the inevitable bootstrapping problems that impede efforts to add security to this infrastructure? Who stands to benefit and who stands to lose as security features are integrated into these basic services? How can technology investment decisions best be presented to policymakers?

    We invite infrastructure providers, developers, social scientists, computer scientists, legal scholars, security engineers, and especially policymakers to help address these and other related questions. Authors of accepted papers will have the opportunity to present their work to government and corporate policymakers. We encourage collaborative research from authors in multiple fields and multiple institutions.

    Submissions Due: August 6, 2006 (11:59PM PST)

    Posted by iang at 03:35 PM

    March 28, 2006

    Call for Nominations - 2006 PET AWARD

    You are invited to submit nominations to the 2006 PET Award.

    The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Workshop (PET). The PET Award carries a prize of 3000 Euros thanks to the generous support of Microsoft.

    Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with published proceedings in the period that goes from the end of the penultimate PET Workshop (the PET workshop prior to the last PET workshop that has already occurred: i.e. June 2004) until April 15th, 2006. The complete Award rules including eligibility requirements can be found at http://petworkshop.org/award/.

    Anyone can nominate a paper by sending an email message containing the following to award-chairs06@petworkshop.org:

    - Paper title
    - Author(s)
    - Author(s) contact information
    - Publication venue
    - A nomination statement of no more than 250 words.

    All nominations must be submitted by April 15th, 2006. A seven-member Award committee will select one or two winners among the nominations received. Winners must be present at the PET workshop in order to receive the Award. This requirement can be waived only at the discretion of the PET Advisory board.

    2006 Award Committee:

    - Alessandro Acquisti (chair), Carnegie Mellon University, USA
    - Roger Dingledine (co-chair), The Free Haven Project, USA
    - Ram Chellappa, Emory University, USA
    - Lorrie Cranor, Carnegie Mellon University, USA
    - Rosario Gennaro, IBM Research, USA
    - Ian Goldberg, Zero Knowledge Systems, Canada
    - Markus Jakobsson, Indiana University at Bloomington, USA

    More information about the PET award (including past winners) is available at http://petworkshop.org/award/.

    More information about the 2006 PET workshop is available at http://petworkshop.org/2006/.


    -----------------------
    Alessandro Acquisti
    Heinz School, Carnegie Mellon University
    (P) 412 268 9853
    (F) 412 268 5339
    http://www.heinz.cmu.edu/~acquisti
    -----------------------

    Posted by iang at 01:32 PM

    March 20, 2006

    Digital Money 29th, 30th

    Digital Money is coming up, 29th and 30th March. Always good for a visit.

    The goal of the Forum is to encourage discussion and debate around the real issues at the heart of electronic identity [sic - must be digital money] in all its forms. In addition to this Forum, every autumn we organise the annual Digital Identity Forum (see the web site at www.digitalidforum.com for more details), the sister event to the Digital Money Forum.

    There are several great things about the Hyperion conferences. Firstly, Dave and the team work hard to keep the commercial presentations down to a minimum. Next, he casts out looking for up and coming trends including the wild and woolly social experiments. Lastly, there's usually a great book giveaway!

    Talks I'd travel some distance for, if I could:

    Replacing Cash with Mobile Phones
    Susie Lonie, Vodafone
    A case study on the African M-PESA scheme

    Currency for Kids
    Jonathan Attwood, Swap-it-Shop UK
    The UK's "eBay for kids"

    Cross-Border Funds Transfer before the Internet - The ransom of King Richard
    David Boyle, Author of "Blondel's Song"

    Posted by iang at 01:22 PM

    November 06, 2005

    ACM Interactions - special issue on Security

    Submissions Deadline: February 1st, 2006
    Publications Issue: May+June 2006 Issue
    PDF: here but please note that it causes lockups.

    Interactions is published bi-monthly by the Association for Computing Machinery (ACM) for designers of interactive products. It is a magazine that balances articles written for professionals and researchers alike, providing broad coverage of topics relevant to the HCI community.

    The May+June 2006 issue of Interactions is dedicated to the user experience around security in information systems. Designing systems that are both secure and usable offers unique challenges to interaction designers. System complexity, user acceptance and compliance, and decisions about protection versus convenience all factor into the design process and resulting effectiveness of security systems in the hands of users.

    Interactions invites authors to submit case studies and articles related to the security user experience. Papers should be written in a reader-friendly magazine style and tone as opposed to a conference proceedings or journal style (no abstracts, appendices, etc).

    Relevant contributions will address issues related, but not limited to, the following:

    • Interaction design of systems with usable security and user trust as primary goals
    • Innovative methods for conducting user experience evaluations on user trust or security systems
    • Novel user interfaces or interaction methods for security systems
    • Basic principles of psychology of user-security interaction
    • Best practices and interaction guidelines in the design of secure and trustworthy systems
    • Field research related to user-security interaction in the wild
    • Social and/or philosophical issues related to security, trust, and the user experience

    Interactions invites papers in the following two formats:

    1. Case Studies 7-9 pages. Case Studies are reports on experiences gained and lessons learned designing, using, or studying security components/systems or techniques. They take a comprehensive view of a problem from requirements analysis through design, implementation, and use.
    2. Articles 1-3 pages. Articles are much shorter and broader case studies and may present research findings, points of view, social or philosophical inquiries, novel interface designs, or other information relevant to the HCI community regarding security and the user experience.

    Papers that appear in Interactions are archived in the ACM Digital Library and available online. The Special Issue on Security will appear in the May+June 2006 issue of Interactions and the deadline for submissions is February 1st, 2006.

    For more information about submission guidelines or appropriate topics, contact ryan.west@sas.com.

    Posted by iang at 08:15 AM

    November 04, 2005

    CFP for iTrust in May 2006

    iTrust closes for submitted papers in a couple of weeks - November 18, 2005. The conference itself is on 16th-19th May 2006, and is in Tuscany in Italy. As it aspires to be cross-disciplinary and involved in all aspects of "trust" over the net, it is actually quite close to Financial Cryptography. Here's the blurb, click on the site for the rest:

    Call for Papers

    The iTrust international Conference looks at trust from multidisciplinary perspectives: economic, legal, psychology, philosophy, sociology as well as information technology.

    Building upon the work of the IST iTrust working group (http://www.itrust.uoc.gr) and the success of the three previous iTrust International conferences, the aims of iTrust'2006 are to attract a critical mass of experts from industry, government and academia with a keen interest in the area of trust management.

    The objectives of the Conference are:

    • To facilitate the cross-disciplinary investigation of fundamental issues underpinning computational trust models by bringing together expertise from technology oriented sciences, law, philosophy and social sciences.
    • To facilitate the emergence of widely acceptable trust management processes for dynamic open systems and applications.
    • To facilitate the development of new paradigms in the area of dynamic open systems which effectively utilize computational trust models.
    • To facilitate the integration of new trust management paradigms and emerging architectures for Grid computing and Virtual Organizations.
    • To help the incorporation of trust management elements in existing standards.

    Topics of Interest:

    Full technical papers contributing to the issue of trust management are solicited in the relevant areas, including but not limited to:

    • The legal notion of trust in computer science and engineering
    • Requirements and methodologies to ensure that the user can reasonably trust the functioning of software systems
    • Trust management frameworks for secure collaborations in dynamic Virtual Organisations
    • Design of trust-based architectures and decision-making mechanisms for e-community and e-service interactions
    • Trust specification, analysis and reasoning
    • Dynamics of trust dispositions and relations
    • Realization of prototypes of software architectures and applications
    • Trust elements in contract negotiation, execution monitoring, re-negotiation and arbitration
    • Legal contribution to trust in technological infrastructures and interactions: the on-line identification of subjects, the evaluation of their reliability, data protection, security, privacy and confidentiality, commercial transactions, the resolution of disputes, software agents, and management of access to source code
    • Trust in interaction and cooperation mediated through computer and network, and the balance of control and intervention
    • Research in on-line trust, the trust of the consumer towards the web sites of distribution companies
    • Analysis of the relationship between trust and such notions as confidence, distrust, diffidence, expectation, risk, and reliance

    Important Dates

    Submission of papers: November 18, 2005
    Notification of paper acceptance: January 13, 2006
    Submission of final camera ready version: February 17, 2006

    Submissions must be original and must not have been submitted for publication elsewhere. Submission will be through the web. Available soon.

    The proceedings of the Conference will be published by Springer in the Lecture Notes in Computer Science series (under negotiation). Submissions must be in English and authors should ensure that papers are formatted according to the LNCS format (see author's instructions given on the Conference Web site). Full technical papers should not exceed 15 pages in the abovementioned format.

    Contact: itrust06@iit.cnr.it

    Posted by iang at 12:00 PM

    October 13, 2005

    Conferences coming up... and this weekend is Pooool

    Conferences coming up soon - close of submission dates, in order of how close they are:

    If anybody has any others specifically for FC style topics let me know. * means I added it after first blog posting.


    If you are in Austria over the next couple of weekends, check out Pooool in Vienna's Museum Quarter. It's an open event that brings together an interesting polymath crowd of artists, business and software people to explore how to better match artistic needs to business needs and the technology of the net.

    DRM in other words, but done from the point of view of sharing not exploiting. The difference between this attempt and others is that they are looking far deeper into property rights as agreements, and agreements as tradeable financial instruments for others like monies, and trading as market places for acquiring and creating new work. I've been asked to put my contracts experience into the mix, and it's a challenging project.

    (If I find the link I'll post it, elsewise just read below for the full programme.)


    Optical Machines for the New Collecting Society - Expo to the Future
    October 8th to 23rd 2005
    daily from 10 a.m. to 10 p.m.
    free entrance

    Invitation for the creative culture, art colleges, advanced technical colleges, universities and cultural enterprises.

    In the halls of the Museum Quarter's Freiraum pooool plays offers the first Expo for visualists, Users, research and developing institutions, art and culture enterprises as well as companies!

    The areas of activity for the visual arts are infinite.
    The exciting realm of visual media has scarcely begun!!
    Where is the creative potential? Where are we going? What are the technical possibilities? How can the art-form be relevant for society? Where is the long-term advantage?

    During the 10 days of this globally unique event pooool offers a survey of the diverse new forms of the Visual Arts and will inform through presentations, discussions and by experience and practice oriented exhibits. The utilization of the Visual Arts is advancing intensively the world over. Conscious awareness and commercial marketing obviously lag behind this progression.

    With this Expo pooool will open a barely investigated universe. Get prepared.

    pooool plays Incentive and Participation Program

    You can register to join or participate in both group and individual presentations. Themes:
    • visual media products, techniques and artists
    • the diversity of products for mobile devices
    (mobile phones, PDAs, MP3, 3GP..)
    • experience applied examples for semi-public and public space.
    (facades, interiors, Info-screens, visual wallpaper ...)
    • Join the pool platform and participate! Upload your material to the pool data-archive. Bring your analog or digital visuals to the Expo!
    • Perform with us! Work on and modify the visual material in the pooool databank or project on an architecture model. (A gigantic architecture model is available.)

    Or you are looking for communication and would like to participate in
    • exchanging experience and content with the local and international Visual Arts Scene
    • gaining contact to artists and cultural institutions
    • joining panel and round-table discussions, giving lectures on selected subjects

    pooool podium
    The cultural and artistic aspects especially are growing in importance for the future. Legal questions need to be clarified, contextual and commercial collaborations promoted, and above all qualitative socio-political standards need to evolve that serve not only public interests, but the artists as well. pool podium offers a broad discussion forum to this purpose.

    Block 1 Visualists - October 9./10./11. Sunday-Tuesday

    Monday 10.10./19h pooool Presentation and Discussion
    Platform :: Archive, Label & Community
    Julia Zdarsky MagArt. pooool co-founder and visualist from the very first.

    Tuesday 11.10./ Phemos Lecture
    Existing Technologies and Future Perspectives ::

    Block 2 Publicities - October 14./15./16. Friday-Sunday

    Friday 14.10. / 16h Lecture Followed by Discussion
    inverted panopticum
    Thomas Fürstner, Prof. University of Applied Arts, Vienna, Digital Arts
    Oliver Bertram, Ass. Prof., University of Applied Arts, Vienna

    Monday 17.10/19 h pooool Campfire Winding ways through copyright and exploitation
    Where are the approaches to fair exploitation models and clear copyright situations? We will address these questions within the scope of c-pooool.

    Found around the campfire are
    Elisabeth Vlasaty (Lawyer)
    Roland Alton-Scheidl (International media group / cooperative)
    Andreas Trawöger (Free Software Foundation)
    Robert Stachel (Community TV Vienna)
    Georg Pleger (Creative Commons Vienna, invited)

    Block 3 Clients & Customers - October 21./22./23., Friday-Sunday
    Industry
    Music

    registrar for program placement, group/individual presentations and participants:

    Melissa Saavedra +43 / 699 / 10752218
    info@pooool.net

    pooool is a departure promoted project

    Posted by iang at 01:14 PM

    August 03, 2005

    FC conference returns to Anguilla

    For the 2006 conference, the annual Financial Cryptography conference run by IFCA will return to Anguilla.

    Crucial dates are: papers submitted by 17th October. The conference itself is 27th February to 2nd March (Monday - Thursday). The full announcement:




    Call for Papers

    FC'06: Financial Cryptography and Data Security
    http://fc06.ifca.ai/

    Tenth International Conference
    February 27 to March 2, 2006
    Anguilla, British West Indies

    Submissions Due Date: October 17, 2005

    Program Chairs: Giovanni Di Crescenzo (Telcordia)

    Avi Rubin (Johns Hopkins University)

    General Chair: Patrick McDaniel (Penn State University)

    Local Arrangements Chair: Rafael Hirschfeld (Unipay Technologies)

    At its 10th year edition, Financial Cryptography and Data Security (FC'06) is a well established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We will continue last year's augmentation of the conference title and expansion of our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, user and operator interfaces, fraud prevention, secure IT infrastructure, and analysis methodologies. Our focus will also encompass financial, legal, business and policy aspects. Material both on theoretical (fundamental) aspects of securing systems, on secure applications and real-world deployments will be considered.

    The conference goal is to bring together top cryptographers, data-security specialists, and scientists with economists, bankers, implementers, and policy makers. Intimate and colorful by tradition, the FC'06 program will feature invited talks, academic presentations, technical demonstrations, and panel discussions. In addition, we will celebrate this 10th year edition with a number of initiatives, such as: especially focused session, technical and historical state-of-the-art panels, and one session of surveys.

    This conference is organized annually by the International Financial Cryptography Association (IFCA).

    Original papers, surveys and presentations on all aspects of financial and commerce security are invited. Submissions must have a visible bearing on financial and commerce security issues, but can be interdisciplinary in nature and need not be exclusively concerned with cryptography or security. Possible topics for submission to the various sessions include, but are not limited to:

    Anonymity and Privacy
    Auctions
    Audit and Auditability
    Authentication and Identification, including Biometrics
    Certification and Authorization
    Commercial Cryptographic Applications
    Commercial Transactions and Contracts
    Digital Cash and Payment Systems
    Digital Incentive and Loyalty Systems
    Digital Rights Management
    Financial Regulation and Reporting
    Fraud Detection
    Game Theoretic Approaches to Security
    Identity Theft, Phishing and Social Engineering
    Infrastructure Design
    Legal and Regulatory Issues
    Microfinance and Micropayments
    Monitoring, Management and Operations
    Reputation Systems
    RFID-Based and Contactless Payment Systems
    Risk Assessment and Management
    Secure Banking and Financial Web Services
    Securing Emerging Computational Paradigms
    Security and Risk Perceptions and Judgments
    Security Economics
    Smart Cards and Secure Tokens
    Trust Management
    Trustability and Trustworthiness
    Underground-Market Economics
    Usability and Acceptance of Security Systems
    User and Operator Interfaces
    Voting system security

    Submission Instructions

    Submission Categories

    FC'06 is inviting submissions in four categories: (1) research papers, (2) systems and applications presentations, (3) panel sessions, (4) surveys. For all accepted submissions, at least one author must attend the conference and present the work.

    Research Papers

    Research papers should describe novel scientific contributions to the field, and they will be subject to rigorous peer review. Papers can be a maximum of 15 pages in length (including references and appendices), and accepted submissions will be published in full in the conference proceedings.

    Systems and Application Presentations

    Submissions in this category should describe novel or successful systems with an emphasis on secure digital commerce applications. Presentations may concern commercial systems, academic prototypes, or open-source projects for any of the topics listed above. Where appropriate, software or hardware demonstrations are encouraged as part of the presentations in these sessions. Submissions in this category should consist of a short summary of the work (1-6 pages in length) to be reviewed by the Program Committee, along with a short biography of the presenters. Accepted submissions will be presented at the conference (25 minutes per presentation), and a one-page abstract will be published in the conference proceedings.

    Panel Sessions

    Proposals for panel sessions are also solicited, and should include a brief description of the panel as well as prospective participants. Accepted panel sessions will be presented at the conference, and each participant will contribute a one-page abstract to be published in the conference proceedings.

    Surveys

    A limited number of survey presentations may also be included in the program. We encourage submissions that summarize the current state of the art on any well-defined subset of the above listed submission topics. A limited description of visions on future directions of research in these topics would also be appreciated. Survey submissions can be significantly shorter than research paper submissions.

    Preparation Instructions

    Submissions to the research papers, systems/application presentation categories and surveys must be received by the due date. Papers must be formatted in standard PostScript, PDF format, or MS Word. Submissions in other formats will be rejected. All papers must be submitted electronically according to the instructions and forms found on this web site and at the submission site.

    Authors should provide names and affiliations at submission time, and have the option of including or not names and affiliations in their submitted papers, that must include on their first page the title of the paper, a brief abstract, and a list of topical keywords. Accepted submissions will be included in the conference proceedings to be published in the Springer-Verlag Lecture Notes in Computer Science (LNCS) series after the conference, so the submissions must be formatted in the standard LNCS format (15 page limit). Authors of accepted submissions will be required to complete and sign an IFCA copyright form. A pre-proceedings volume containing preliminary versions of the papers will be distributed at the conference.

    Questions about all conference submissions should be directed to the Program Chairs.

    Paper Submission

    Authors should only submit work that does not substantially overlap with work that is currently submitted or has been accepted for publication to a conference with proceedings or a journal.

    Please check back as the deadline approaches for a link to the submission server.

    The Rump Session

    FC'06 will also include the popular "rump session" held on one of the evenings in an informal, social atmosphere. The rump session is a program of short (5-7 minute), informal presentations on works in progress, off-the-cuff ideas, and any other matters pertinent to the conference. Any conference attendee is welcome to submit a presentation to the Rump Session Chair (to be announced). This submission should consist of a talk title, the name of the presenter, and, if desired, a very brief abstract. Submissions may be sent via e-mail, or submitted in person through the Monday of the conference.

    Program Committee

    Matt Blaze, University of Pennsylvania
    Alfredo De Santis, University of Salerno, Italy
    Sven Dietrich, CERT Research Center
    Juan Garay, Bell Labs
    Dan Geer, Verdasys
    Ari Juels, RSA
    Aggelos Kiayias, University of Connecticut
    Yoshi Kohno, University of California San Diego
    Arjen Lenstra, Bell Labs and Technische Universiteit Eindhoven
    Helger Lipmaa, Cybernetica AS and University of Tartu
    Steve Myers, Indiana University
    Andrew Odlyzko, University of Minnesota
    Tatsuaki Okamoto, NTT
    Carles Padro, Universitat Politecnica de Catalunya
    Andrew Patrick, NRC, Canada
    Ahmad-Reza Sadeghi, Ruhr-University Bochum
    Kazue Sako, NEC
    Dawn Song, CMU
    Stuart Stubblebine, University of California Davis & Stubblebine Labs
    Adam Stubblefield, Independent Security Evaluators
    Paul Syverson, NRL
    Mike Szydlo, RSA
    Gene Tsudik, University of California Irvine
    Doug Tygar, Berkeley University
    Alma Whitten, Google
    Yacov Yacobi, Microsoft Research
    Moti Yung, RSA & Columbia University
    Yuliang Zheng, University of North Carolina

    Important Dates:

    Paper Submission: October 17, 2005
    Notification: December 8th, 2005
    Pre-Proceedings: January 27th, 2005
    Conference dates: February 27 to March 2, 2006
    Post Proceedings: April 10, 2006

    Posted by iang at 04:54 AM | Comments (4) | TrackBack

    April 17, 2005

    Conferences as Scams

    For some reason I kept getting mailed about a conference called "Systemics, Cybernetics and Informatics." Perhaps it is the name, as Systemics is a company I have something to do with... But a brief look at the conference left me wondering whether it really existed; and later on I noticed other strange conferences popping up in Florida with similar weird appearances, and similar spam techniques. And, today, Levi pointed me at this: All is answered!

    MIT students pull prank on conference
    Computer-generated gibberish submitted, accepted
    Thursday, April 14, 2005 Posted: 7:29 PM EDT (2329 GMT)

    CAMBRIDGE, Massachusetts (Reuters) -- In a victory for pranksters at the Massachusetts Institute of Technology, a bunch of computer-generated gibberish masquerading as an academic paper has been accepted at a scientific conference.

    Jeremy Stribling said Thursday that he and two fellow MIT graduate students questioned the standards of some academic conferences, so they wrote a computer program to generate research papers complete with "context-free grammar," charts and diagrams.

    The trio submitted two of the randomly assembled papers to the World Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI), scheduled to be held July 10-13 in Orlando, Florida.

    To their surprise, one of the papers -- "Rooter: A Methodology for the Typical Unification of Access Points and Redundancy" -- was accepted for presentation.

    The prank recalled a 1996 hoax in which New York University physicist Alan Sokal succeeded in getting an entire paper with a mix of truths, falsehoods, non sequiturs and otherwise meaningless mumbo-jumbo published in the quarterly journal Social Text, published by Duke University Press.

    Stribling said he and his colleagues only learned about the Social Text affair after submitting their paper.

    "Rooter" features such mind-bending gems as: "the model for our heuristic consists of four independent components: simulated annealing, active networks, flexible modalities, and the study of reinforcement learning" and "We implemented our scatter/gather I/O server in Simula-67, augmented with opportunistically pipelined extensions."

    Stribling said the trio targeted WMSCI because it is notorious within the field of computer science for sending copious e-mails that solicit admissions to the conference.

    The idea of a fake submission was to counter "fake conferences...which exist only to make money," explained Stribling and his cohorts' website, "SCIgen - An Automatic CS Paper Generator."

    "Our aim is to maximize amusement, rather than coherence," it said. The website allows users to "Generate a Random Paper" themselves, with fields for inserting "optional author names."

    "Contrarily, the lookaside buffer might not be the panacea..."

    Nagib Callaos, a conference organizer, said the paper was one of a small number accepted on a "non-reviewed" basis -- meaning that reviewers had not yet given their feedback by the acceptance deadline.

    "We thought that it might be unfair to refuse a paper that was not refused by any of its three selected reviewers," Callaos wrote in an e-mail. "The author of a non-reviewed paper has complete responsibility of the content of their paper."

    However, Callaos said conference organizers were reviewing their acceptance procedures in light of the hoax.

    Asked whether he would disinvite the MIT students, Callaos replied, "Bogus papers should not be included in the conference program."

    Stribling said conference organizers had not yet formally rescinded their invitation to present the paper.

    The students were soliciting cash donations so they could attend the conference and give what Stribling billed as a "completely randomly-generated talk, delivered entirely with a straight face."

    They exceeded their goal, with $2,311.09 from 165 donors.

    Posted by iang at 02:42 PM | Comments (0) | TrackBack

    March 17, 2005

    Open Peer Review

    Following on from discussions on peer reviewed papers, I checked an up and coming conference (Econ & Security), and the call for papers had closed. Adam points out we should invent an open peer review process, so as my curiosity is piqued, here is a proposal of sorts.

    Take a paper and blog it in some fashion. (Perhaps limit the blog entry to the abstract and a link to the full paper.) Then, open the blog entry for comments and trackbacks.

    Hey presto, we have peer review but not peer gatekeeping. (So far this was all Adam's idea.) We can also include substantial milestones such as major review periods, closing off one blog entry and shifting to another when the author has enough material to rewrite.

    Reputation is built in as, over time, the volume of attention should indicate the importance of the work. Let's draw a line in the sand and say that papers should be licensed under a Creative Commons licence.

    Now, blogs already do this. But they are spontaneous, free flowing and full of spelling errors. So in order to turn the blog more to a weighty forum suited to the gravity of academia, we could put some links on the blog front page indicating the papers under spotlight.

    Has anyone got an FC paper ready to roll? As Digital Money and FC-conference have just passed, and Econ&Security is closed, there seems to be a bit of a hole for the next 6 months in the peer review process. I would point out that the workshop in Electronic Contracting is open for another month. Oops, no, it's closed too. Double-oops. It's cancelled for lack of critical mass! Well, that just goes to show how hard the conference game is - having been there myself.

    Having said that, in general, most of these conferences presume that Internet discussion does not count as publication. So you can have the best of both worlds, you can take advantage of a blog peer-review forum to hone your argument, then go for old world dead tree publication as well. (As long as you are careful not to muck up the licensing...)

    Posted by iang at 08:42 PM | Comments (1) | TrackBack

    March 14, 2005

    Digital Money Forum - London - this week

    Hyperion's Digital Money Forum is on, Wednesday and Thursday. Dave Birch runs an engaging show for financial cryptographers, and well worth the 2 days if you can get to London. At £275, it doesn't break the bank.

    (I guess they'll take late bookings.) The schedule is on the site, but it is in PDF.

    Posted by iang at 02:44 PM | Comments (1) | TrackBack

    February 24, 2005

    Cybercash on Vacation - ruminations on FC

    Peter Wayner has written a downbeat piece on the history of the Financial Cryptography conference. He asks a bunch of people why FC hasn't taken off, and gets a lottery of answers. I think he's wrong...

    The ideas have infiltrated into places, but few have noticed. PayPal did find some sustenance in the process, as did the gold currencies, and certain of the ideas that were talked about are now internalised. They simply didn't tell the FCers. Other more conventional plays such as ETFs have simply adopted the models from those players, and again, they've not recognised where they came from. Either publicly or privately.

    The reason for this lack of feedback on success - and hence the apparent lack of success - is that the FC organisers lack one thing: perspective. They were either academics, security guys, geeks, cryptographers or netizens. Often they were 2 or even 3 of those, but rarely did they have a straightforward business ability to integrate the ideas into other spheres. It was this integration that I wrote about in the 7 layers paper, and it is this integration that people like Dave Birch speak of in the conferences he runs.

    When business people attend the 'vacational conference' of FC, what they see are a lot of different ideas expressed as formulas, and it is left to them to construct them into business context. The fact that they didn't then credit FC with their successes is a foregone conclusion, as the FC community isn't capable of understanding the perspective that they are offering. That doesn't mean it wasn't there, it is just that until organisers stop treating FC as a forum to present new equations, they won't have the language to recognise what it's about.

    Posted by iang at 01:35 PM | Comments (5) | TrackBack

    January 25, 2005

    FC05 Registration Deadline

    There are now (26°C) less than two weeks (writes Stuart Schechter) to register for FC05 (Dominica, 28th Feb - 3rd March, 24 °C) before the late registration rates kick in. Registering by February 6th is necessary to ensure that we can provide you with food, pre-proceedings, and a conference t-shirt (warmth is guaranteed).

    If you must register late, please get in touch with me and let me know your t-shirt size and whether you will be qualifying for the general, academic, or student rate. If we don't know to expect you, we cannot guarantee that there will be pre-proceedings, t-shirts, or meal tickets available for you. (But you won't freeze.)

    Best regards

    Stuart Schechter
    General Chair
    Financial Cryptography and Data Security 2005

    Registration deadline drivers:
    January 25 - 26 °C, clear, sunny, warm.
    February 7 - Late registration period begins at 12:00AM EST
    February 7 - Orders for pre-proceedings due to printer
    February 7 - Orders for t-shirts due to shirt printer
    February 14 - Count of attendees due to hotel caterers
    February 28 to March 3 - 24 °C, 2cm precipitation

    Posted by iang at 08:03 AM | Comments (0) | TrackBack

    January 01, 2005

    Journal of Internet Banking and Commerce

    Recent grumbles in the comments to the recent FC papers post brought to mind an old journal called JIBC. I'd lost my "subscription" reminder to it many years ago and I guess I just assumed it had stopped. But, no, a little googling and I found it: the Journal of Internet Banking and Commerce. It is still pushing out 2-3 editions per year.

    Back in the very early years, JIBC was there and publishing before things like the Financial Cryptography term had even been coined by Bob Hettinga. So I'm happy to come back and cheer them into the last year of their decade, given that the first edition of this venerable journal was January 1996!

    Some highlights include a regular column by Dave Birch, an article asking Why does SSL dominate the e-payment market?, and an article predicting the return of digital cash in Waves Of Multimedia Banking Development.

    JIBC published my second paper in 1997, the Critique on the 1994 EU Report on Prepaid Cards. Sometimes papers work out well, the lessons in that one are still useful in comparison to where Europe is now. So say I, at least.

    Posted by iang at 07:17 PM | Comments (2) | TrackBack

    December 29, 2004

    FC'05 programme - announced

    Stuart Schechter sent out the FC05 programme announcement just now, and it includes a text version of the programme, so here it is. The programme looks pretty good this year, with some varied stuff away from the "pure crypto" legacy of prior FC conferences.

    For those who don't know, FC is a fun conference, with a lot of 'beach time' due to the locations. Good mixing opportunities are had by all.



    The program and preliminary schedule can be found at:
    http://www.ifca.ai/fc05/program.html

    An official call for participation will be sent out as soon as
    registration is open. (We expect this to be early next week.)

    If you've yet to make travel arrangements, I would encourage you to stay
    in Dominica on Thursday night (3/3) or longer to avoid a rush to the airport
    after the morning program. In the past, attendees who have stayed after the
    conference have found that this is an excellent time to meet with others.


    Keynote Speakers
    ================

    Lynne Coventry (NCR)
    Bezalel Gavish (Southern Methodist University)

    Panel Sessions
    ==============

    Financial Technology in the Developing World
    Allan Friedman (Harvard) - Organizer
    Alessandro Acquisti (CMU)
    H William Burdett, Jr. (Foley & Lardner, LLP)
    Jon Peha (CMU)

    Phishing
    Steve Myers (Indiana University) - Organizer
    Drew Dean (SRI)
    Stuart Stubblebine (Stubblebine Research Labs)
    Richard Clayton (Cambridge, UK)
    Markus Jakobsson (Indiana University CACR)

    Research Papers
    ===============

    Fraud within Asymmetric Multi-Hop Cellular Networks
    Gildas Avoine (EPFL, Lausanne, Switzerland)

    Information-Theoretic Security Analysis of Physical Uncloneable Functions
    P. Tuyls
    B. Skoric
    S. Stallinga
    A.H. Akkermans
    W. Ophey (Philips Research Laboratories, The Netherlands)

    Views, Reactions and Impact of Digitally-Signed Mail in e-Commerce.
    Simson L. Garfinkel
    Jeffrey I. Schiller
    Erik Nordlander (MIT)
    David Margrave (Amazon.com)
    Robert C. Miller (MIT)

    Identity-based Partial Message Recovery Signatures
    (or How to Shorten ID-based Signatures)
    Fangguo Zhang (Sun Yat Sen University, P.R.China)
    Yi Mu
    Willy Susilo (University of Wollongong, Australia)

    How to Non-Interactively Update a Secret
    Eujin Goh (Stanford University)
    Philippe Golle (Palo Alto Research Center)

    Interactive Diffie-Hellman Assumptions with Applications
    to Password-Based Authentication
    Michel Abdalla
    David Pointcheval (Ecole Normale Superieure)

    Achieving Fairness in Private Contract Negotiation
    Keith Frikken
    Mikhail Atallah (Purdue University)

    Protecting Secret Data from Insider Attacks
    David Dagon
    Wenke Lee
    Richard Lipton (Georgia Tech)

    RFID Traceability: A Multilayer Problem
    Gildas Avoine
    Philippe Oechslin (EPFL Lausanne Switzerland)

    A User-Friendly Approach to Human Authentication of Messages
    Jeff King
    Andre dos Santos (Georgia Tech)

    Countering Identity Theft through Digital Uniqueness,
    Location Cross-Checking, and Funneling
    P.C. van Oorschot (Carleton University)
    S. Stubblebine (Stubblebine Research Labs)

    Policy-Based Cryptography and Applications
    Walid Bagga
    Refik Molva (Eurecom)

    A Privacy Protecting Coupon System
    Liqun Chen (HP Laboratories)
    Matthias Enzmann (Fraunhofer SIT)
    Ahmad-Reza Sadeghi (University of Bochum)
    Markus Schneider (Fraunhofer SIT)
    Michael Steiner (IBM T.J. Watson)

    Analysis of a Multi-Party Fair Exchange Protocol and Formal
    Proof of Correctness in the Strand Space model
    Steve Kremer
    Aybek Mukhamedov
    Eike Ritter (University of Birmingham, UK)

    Secure Biometric Authentication for Weak Computational Devices
    Mikhail J. Atallah
    Keith B. Frikken (Purdue)
    Michael T. Goodrich (UC Irvine)
    Roberto Tamassia (Brown)

    Small Coalitions Cannot Manipulate Voting
    Edith Elkind (Princeton University)
    Helger Lipmaa (Helsinki University of Technology)

    Efficient Privacy-Preserving Protocols for Multi-Unit Auctions
    Felix Brandt (Stanford)
    Tuomas Sandholm (Carnegie Mellon University)

    Risk Assurance for Hedge Funds using Zero Knowledge Proofs
    Michael Szydlo (RSA Security/Independent)

    Testing Disjointness of Private Datasets
    Aggelos Kiayias (University of Connecticut)
    Antonina Mitrofanova (Rutgers University)

    Time Capsule Signature
    Yevgeniy Dodis (NYU)
    Dae Hyun Yum (POSTECH)

    Probabilistic Escrow of Financial Transactions
    with Cumulative Threshold Disclosure
    Stanislaw Jarecki (UC Irvine)
    Vitaly Shmatikov (UT Austin)

    Approximation in Message Authentication
    Giovanni Di Crescenzo
    Richard Graveman (Telcordia)
    Gonzalo Arce
    Renwei Ge (U Delaware)

    Systems & Applications Presentations
    ====================================

    Securing Sensitive Data with the Ingrian DataSecure Platform
    Andrew Koyfman (Ingrian Networks)

    Ciphire Mail Email Encryption
    Lars Eilebrecht (Ciphire Labs)

    Posted by iang at 12:10 PM | Comments (3) | TrackBack

    December 27, 2004

    FC'05 (the conference) posts the programme!

    FC'05 - the Financial Cryptography conference to be held in Dominica, first week of March - has posted a preliminary programme. I haven't seen it announced yet, so maybe this is a 'leak' :-)

    There are lots of interesting papers, and it looks like this year they may have actually brought in more relevant stuff. Also, two panels:

    A Panel on Phishing! Well, it makes sense. The only thing that will protect users from being phished will be good relationship management ... as based on caching of certs. That's finance and crypto, right there.

    And, a Panel on Financial Technology in the Developing World. Another fine topic where much has been done, much could be done, and much more is being asked of us.

    Posted by iang at 11:57 AM | Comments (1) | TrackBack

    May 21, 2004

    FC05 - Dominica - March 2005

    FC'05 is announced with a new title "Financial Cryptography and Data Security." Vital statistics are 28th Feb to 3rd March, 2005, in Roseau, Dominica, East Caribbean, and submissions in the Call for Papers are due by 10th September, 2004.

    -------- Original Message --------
    Subject: [fc-announce] CFP: FC'05 - Financial Cryptography and Data Security
    Date: Tue, 18 May 2004 16:59:41 -0400
    From: Stuart Schechter <stuart@eecs.harvard.edu>
    Organization: Harvard University
    To: <fc-announce@ifca.ai>

    FC'05
    Financial Cryptography and Data Security
    http://www.ifca.ai/fc05/

    CALL FOR PAPERS

    Ninth International Conference
    February 28-March 3, 2005
    Roseau, The Commonwealth Of Dominica

    Submissions Due Date: September 10, 2004

    Financial Cryptography and Data Security (FC'05) is the premier international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We have augmented our conference title and expanded our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, user and operator interfaces, fraud prevention, payment systems, secure IT infrastructure, and analysis methodologies. Our focus will also encompass legal, financial, business and policy aspects. Material both on theoretical (fundamental) aspects of securing systems and on secure applications and real-world deployments will be considered.

    The conference goal is to bring together top cryptographers, data-security specialists, and scientists with economists, bankers, implementers, and policy makers. Intimate and colorful by tradition, the FC'05 program will feature invited talks, academic presentations, technical demonstrations, and panel discussions. This conference is organized annually by the International Financial Cryptography Association (IFCA).

    Original papers and presentations on all aspects of financial and commerce security are invited. Submissions must have a visible bearing on financial and commerce security issues, but can be interdisciplinary in nature and need not be exclusively concerned with cryptography or security. Possible topics for submission to the various sessions include, but are not limited to:

    * Anonymity and Privacy
    * Auctions
    * Audit and Auditability
    * Authentication and Identification, including Biometrics
    * Certification and Authorization
    * Commercial Cryptographic Applications
    * Commercial Transactions and Contracts
    * Digital Cash and Payment Systems
    * Digital Incentive and Loyalty Systems
    * Digital Rights Management
    * Financial Regulation and Reporting
    * Fraud Detection
    * Game Theoretic Approaches to Security
    * Infrastructure Design
    * Legal and Regulatory Issues
    * Microfinance and Micropayments
    * Monitoring, Management and Operations
    * Reputation Systems
    * RFID-Based and Contactless Payment Systems
    * Risk Assessment and Management
    * Secure Banking
    * Secure Financial Web Services
    * Securing Emerging Computational Paradigms
    * Security and Risk Perceptions and Judgments
    * Security Economics
    * Smart Cards and Secure Tokens
    * Trust Management
    * Trustability and Trustworthiness
    * Underground-Market Economics
    * Usability and Acceptance of Security Systems
    * User and Operator Interfaces


    SUBMISSION INSTRUCTIONS
    =======================

    FC'05 is inviting submissions in three categories:

    (1) research papers,
    (2) systems and applications presentations,
    (3) panel sessions.

    For all accepted submissions, at least one author must attend the conference and present the work.

    Research Papers
    ===============
    Research papers should describe novel scientific contributions to the field, and they will be subject to vigorous peer review. Papers can be a maximum of 15 pages in length (including references and appendices), and accepted submissions will be published in full in the conference proceedings. Submission of previously published material and simultaneous submission of papers to other conferences or workshops with proceedings is not permitted. Authors of research papers found to be doubly submitted risk having all their submissions withdrawn from consideration as well as other appropriate sanctions.

    Systems and Application Presentations
    =====================================
    Submissions in this category should describe novel or successful systems with an emphasis on secure digital commerce applications. Presentations may concern commercial systems, academic prototypes, or open-source projects for any of the topics listed above. Where appropriate, software or hardware demonstrations are encouraged as part of the presentations in these sessions. Contributions must reflect careful thought and effort and provide valuable, up-to-date experience that is relevant to practitioners in the fields of financial cryptography and data security. Submissions in this category should consist of a short summary of the work (1-6 pages in length) to be reviewed by the Program Committee, along with a short biography of the presenters. Accepted submissions will be presented at the conference (25 minutes per presentation), and a one-page abstract will be published in the conference proceedings.

    Panel Sessions
    ==============
    Proposals for panel sessions are also solicited, and should include a brief description of the panel as well as prospective participants. Panel proposals should be submitted via e-mail, in plain ASCII format, to the Program Chairs. Accepted panel sessions will be presented at the conference, and each participant will contribute a one-page abstract to be published in the conference proceedings.

    The Rump Session
    ================
    FC'05 will also include the popular "rump session" held on one of the evenings in an informal, social atmosphere. The rump session is a program of short (5-7 minute), informal presentations on works in progress, off-the-cuff ideas, and any other matters pertinent to the conference. Any conference attendee is welcome to submit a presentation to the Rump Session Chair (to be announced). This submission should consist of a talk title, the name of the presenter, and, if desired, a very brief abstract. Submissions may be sent via e-mail, or submitted in person through the Monday of the conference.

    Preparation Instructions
    ========================
    Submissions to the research papers and systems/application presentation categories must be received by the due date. Papers must be formatted in standard PostScript, PDF format, or MS Word. Submissions in other formats will be rejected. All papers must be submitted electronically according to the instructions and forms found on this web site. (Specific instructions for electronic submissions will be published in the near future.)

    Author names and affiliations on submissions must be explicit. In other words, submitted papers should not be anonymized. Submissions must include on the first page the title of the paper, the names and affiliations of all authors, a brief abstract, and a list of topical keywords. Accepted submissions will be included in the conference proceedings to be published in the Springer-Verlag Lecture Notes in Computer Science (LNCS) series after the conference, so the submissions must be formatted in the standard LNCS format. Authors of accepted submissions will be required to complete and sign an IFCA copyright form. A pre-proceedings volume containing preliminary versions of the papers will be distributed at the conference.

    Questions about all conference submissions should be directed to the Program Chairs.

    IMPORTANT DATES
    ===============

    Submission Deadline: September 10, 2004
    Author Notification: November 1, 2004
    Pre-Proceedings Version Due: TBA
    Conference: February 28 - March 3, 2005
    Final Proceedings Version Due: TBA

    CONFERENCE ORGANIZERS
    =====================

    Conference Website: http://www.ifca.ai/fc05/

    General Chair:

    Stuart Schechter, stuart@eecs.harvard.edu

    Program Chairs:

    Andrew Patrick, Andrew.Patrick@nrc-cnrc.gc.ca

    Moti Yung, moti@cs.columbia.edu

    Program Committee: TBA

    _______________________________________________
    fc-announce mailing list
    fc-announce@ifca.ai
    http://mail.ifca.ai/mailman/listinfo/fc-announce

    Posted by iang at 12:49 PM | Comments (0) | TrackBack

    February 14, 2004

    Workshop on Sensitive Data

    July, 2004, Stanford, California

    This workshop is intended to foster collaborations between computer scientists who seek to enhance the security and privacy of sensitive data about people and organizations and domain experts in fields that need technological solutions to address customer concerns and to fulfill legal obligations. The goal is to formulate specific technical problems that are important to user communities that deal with large amounts of sensitive data but are not satisfactorily solved by current technology.

    PORTIA Workshop on Sensitive Data in Medical, Financial, and Content-Distribution Systems

    July 8-9, 2004
    Frances C. Arrillaga Alumni Center, Stanford University, Stanford CA

    A half-day will be spent on each of three domains:

    1) Medicine, in which advances in computing and communication technology can enhance treatment and research but can also threaten patient privacy. This session will include an invited presentation by Dr. Daniel Masys, Director of Biomedical Informatics at the UCSD Medical School (http://medicine.ucsd.edu/faculty/masys/).

    2) Financial services, in which vast amounts of transaction data are routinely stored and transmitted, but individuals and firms are deeply concerned about security and privacy, and complex legal requirements apply. This session will include an invited presentation by Dr. Daniel Schutzer, Vice President, Director of External Relations and Emerging Technologies in Information Security and Compliance at Citigroup.

    3) Digital content distribution, in which rights holders and libraries seek distribution systems that simultaneously obey copyright law, respect user privacy, and permit legitimate user profiling, usage monitoring, and data mining.

    There will also be one half-day devoted to technological challenges common to all domains and user communities that deal with large amounts of sensitive data. Activities will include invited presentations, contributed presentations, and break-out sessions.

    Workshop Co-Chairs:
    Joan Feigenbaum (Yale University)
    Vitaly Shmatikov (SRI)
    Vicky Weissman (Cornell University)

    Important Dates:
    May 1, 2004: Submissions due
    May 1, 2004: Requests for travel support due
    June 1, 2004: Accept/reject decisions sent
    June 15, 2004: Final abstracts due
    July 8-9, 2004: Workshop

    Submission Instructions:
    If you would like to speak at this workshop, please send a 1- to 2-page abstract of your proposed talk by May 1, 2004 to pw-org@csl.sri.com. If your submission is accepted, you will be expected to provide a final version of your abstract for posting on the workshop website by June 15, 2004. Links to complete papers may also be posted at the speakers' request but are not required.

    Travel Support:
    A modest amount of travel support is available. If you would like to attend this workshop but require travel support in order to do so, please contact pw-org@csl.sri.com by May 1, 2004.

    This workshop is sponsored by the National Science Foundation's ITR program through the PORTIA project on sensitive data (http://crypto.stanford.edu/portia).

    Posted by iang at 12:01 PM | Comments (0) | TrackBack

    February 03, 2004

    Paysec 2004

    Payments Systems and Security
    18/19th June 2004

    Enhyper are proud to announce a conference with a difference, Payments Systems and Security, to be held at The Innholders Hall, London, on 18/19th Jun 2004.

    At PaySec2004 we've brought together payments systems developers, security architects, operational risk practitioners and academics to address all aspects of technology, security and operation in the payment systems domain, both present and future state.

    The best of the Internet versus the best of the City. Short key technical demonstrations will be interspersed to bring context to the challenges and the solutions. Rump sessions will allow you to contribute your experiences for the benefit of others.

    Headline Topics

    * Payment Transformations and integration
    * Settlement to T+0 and RTGS
    * Programmatic electronic contract negotiation
    * Systems Performance Monitoring: Service Level Compliance
    * Extensible Electronic Currency Frameworks
    * SSL/SSH based infrastructure to enhance federated security
    * Payment Systems as Critical National Infrastructure
    * Automated System Risk Audits for Operational Risk Compliance
    * Strategies for Defending against Infrastructure Attacks
    * Reusable Security Architecture via pre-risk assessed patterns

    Speakers

    Geoff Chick, Product Director, Century 24 Solutions
    Integration Objects

    Dr Iain Saville, Head of Business Process Reform, Lloyds
    Kinnect - Taking Contracts Digital

    Ian Grigg, Principal Architect, Systemics
    Integrating Business into the Payments System

    Dr Alistair Dunlop, Director of the Open Middleware Infrastructure Institute, University of Southampton
    Grid Computing based Web Services

    Paul Guthrie, Principal/CTO, Payment Software Corporation
    Micropayments and E-Cash, Then and Now

    Dr Simon Lelieveldt, Lelieveldt Consultancy
    Security Profiles in Pre-paid payments

    Frank Trotter, CEO, Everbank
    Blazing the Internet Bank Trail

    Graeme Burnett, Enhyper
    Future State Security Architecture

    James Turk, Managing Director, Goldmoney
    Internet Gold - the new Governance

    John Walker, Managing Director, NDS UK Ltd
    Unto the breach: breaking the hardware and cryptography
    of smart card chips.

    (Some additional speaker slots are reserved.)

    Details

    Conference site is at http://www.enhyper.com/paysec/

    Location: London, 18/19th Jun 2004. Venue details on site.

    Cost: £1500 which includes all catering and all refreshments.

    Advance Registration is at
    http://www.enhyper.com/paysec/registration.html

    Please note that this is not a sales conference.
    Speakers are not selling their product to attendees.

    Posted by graeme at 09:06 AM

    January 21, 2004

    CodeCon 2004

    The program for CodeCon 2004 has been announced.

    CodeCon is the premier showcase of active hacker projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the active developers, and accompanied by a functional demo.

    Highlights of CodeCon 2004 include:

    PGP Universal - Automatic, transparent email encryption with zero clicks
    Osiris - A free Host Integrity Monitor designed for large scale server deployments that require auditable security
    Tor - Second-generation Onion Routing: a TCP-based anonymizing overlay network
    Vesta - An advanced software configuration management system that handles both versioning source files and building
    PETmail - Permission-based anti-spam replacement for SMTP
    FunFS - Fast User Network File System - An advanced network file system designed as a successor for NFS
    Codeville - Distributed version control system
    Audacity - A cross-platform multi-track audio editor

    The third annual CodeCon takes place February 20 - 22, noon - 6pm, at Club NV (525 Howard Street) in San Francisco. CodeCon registration is $95; a $20 discount is available for attendees who register online prior to February 1, 2004.

    http://www.codecon.org/2004/registration.html

    Posted by iang at 08:34 AM