July 06, 2008

Digital Evidence: Musing on the rocky path to wisdom

I've notched up two events in London: the International Conference on Digital Evidence 10 days ago, and yesterday I attended BarCampBankLondon. I have to say, they were great events!

Another great conference in our space was the original FC in 1997 in Anguilla. This was a landmark in our field because it successfully brought together many disciplines who could each contribute their specialty. Law, software, cryptography, managerial, venture, economics, banking, etc. I had the distinct pleasure of a professor in law gently chiding me that I was unaware of an entire school of economics known as transaction economics that deeply affected my presentation. You just can't get that at the regular homogeneous conference, and while I notice that a couple of other conferences are laying claim to dual-discipline audiences, that's not the same thing as Caribbean polyglotism.

Digital Evidence was as excellent as that first FC97, and could defend a top rating among conferences in the financial cryptography space. It had real interactivity, perhaps for two reasons: it successfully escaped the trap of fixation on local jurisdiction, and it had a fair smattering of technical people who could bring the practical perspective to the table.

Although I'd like to blog more about the presentations, it is unlikely that I can travel that long journey; I've probably enough material for a month, and no month to do it in. Which highlights a continuing theme on this blog: there is clearly a hole in the knowledge-to-wisdom market. It is by now an archaic cliche that we have too much data, too much information to deal with, so how do we make the step up through knowledge and on to wisdom?

Conferences can help; but I feel it is far too easy to fall into the standard conference models. Top-quality names aimed at top-paying attendees, blindness caused by presumptions about audience and presenters (e.g., academic or corporate): these are the familiar complaints.

Another complaint is that so much of the value of conferences happens when the "present" button is set to "off". And that leads to a sort of obvious conclusion, in that the attendees don't so much want to hear about your discoveries, rather, what they really want is to develop solutions to their own problems. FC solved this in a novel way by having the conference in the Caribbean and other tourist/financial settings. This lucky choice of a pleasant holiday environment, and the custom of morning papers leaving afternoons freer made for a lot of lively discussion.

There are other models. I experimented at EFCE, which Rachel, Fearghas and I ran a few years back in Edinburgh. My call (and I had to defend my corner on this one) was that the real attendees were the presenters. If you could present to peers who would later on present to you, then we could also more easily turn off the button and start swapping notes. If we could make an entire workshop of peers, then structure would not be imposed, and relationships could potentially form naturally and evolve without so many prejudices.

Which brings us to yesterday's event: BarCampBankLondon. What makes this bash unusual is that it is a meeting of peers (like EFCE), there is a cross-discipline focus (finance and computing, balanced with some legal and consulting people) and there isn't much of an agenda or a selection process (unlike EFCE). Addendum: James Gardner suggests that other conferences are dead, in the face of BarCamp's model.

I'm all for experimentation, and BCBL seemed to manage the leading and focussing issue with only the lightest of touches. What is perhaps even more indicative of the (this?) process was that it was only 10 quid to get in, but you consume your Saturday on unpaid time. Which is a great discriminator: those who will sacrifice to work this issue turned up, and those looking for an easy, paid way to skive off work did not.

So, perhaps an ideal format would be a BarCamp coupled with the routine presentations? Instead of a panel session (which I find a bit fruitless) replace one afternoon with a free-for-all? This is also quite similar to the "rump sessions" that are favoured in the cryptography world. Something to think about when you are running your next conference.

Posted by iang at 05:54 PM | Comments (2) | TrackBack

June 17, 2008

Digital Evidence -- 26-27 June, London

Cryptographers, software and hardware architects and others in the tech world have developed a strong belief that everything can be solved with more bits and bytes. Often to our benefit, but sometimes to our cost. Just so with matters of law and disputes, where inventions like digital signatures have laid a trail of havoc and confusion through security practices and tools. As we know in financial cryptography, public-key reverse encryptions -- confusingly labelled as digital signatures -- are more usefully examined within the context of the law of evidence than within that of signatures.

Now here cometh those who have to take these legal theories from the back of the technologists' napkins and make them really work: the lawyers. Stephen Mason leads an impressive line-up from many countries in a conference on Digital Evidence:

Digital evidence is ubiquitous, and to such an extent, that it is used in courts every day in criminal, family, maritime, banking, contract, planning and a range of other legal matters. It will not be long before the only evidence before most courts across the globe will all be in the form of digital evidence: photographs taken from mobile telephones, e-mails from Blackberries and laptops, and videos showing criminal behaviour on You Tube are just some of the examples. Now is the time for judges, lawyers and in-house counsel to understand (i) that they need to know some of the issues and (ii) they cannot ignore digital evidence, because the courts deal with it every day, and the amount will increase as time goes by. The aim of the conference will be to alert judges, lawyers (in-house lawyers as well as lawyers in practice), digital forensic specialists, police officers and IT directors responsible for conducting investigations to the issues that surround digital evidence.

Not digital signatures, but evidence! This is a genuinely welcome development, and well worth the visit. Here's more of the blurb:

Conference Programme International Conference on Digital Evidence

26th- 27th June 2008, The Vintner's Hall, London – UNITED KINGDOM
Conference: 26th & 27th June 2008, Vintners' Hall, London
Cocktail & Dinner: 26th June 2008, The Honourable Society of Gray's Inn

THE FIRST CONFERENCE TO TREAT DIGITAL EVIDENCE FULLY ON AN INTERNATIONAL PLATFORM...

12 CPD HOURS - ACCREDITED BY THE LAW SOCIETY & THE BAR STANDARDS BOARD
This event has also been accredited on an ad hoc basis under the Faculty's CPD Scheme and will qualify for 12 hours

Understanding the Technology: Best Practice & Principles for Judges, Lawyers, Litigants, the Accused & Information Security & Digital Evidence Specialists

MIS is hosting & developing this event in partnership with & under the guidance of Stephen Mason, Barrister & Visiting Research Fellow, Digital Evidence Research, British Institute of International and Comparative Law.
Mr. Mason is in charge of the programme's content and is the author of Electronic Signatures in Law (Tottel, 2nd edn, 2007) [This text covers 98 jurisdictions including case law from Argentina, Australia, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Dominican Republic, England & Wales, Estonia, Finland, France, Germany, Greece, Hungary, Israel, Italy, Lithuania, Netherlands, Papua New Guinea, Poland, Portugal, Singapore, South Africa, Spain, Switzerland and the United States of America]. He is also an author and general editor of Electronic Evidence: Disclosure, Discovery & Admissibility (LexisNexis Butterworths, 2007) [This text covers the following jurisdictions: Australia, Canada, England & Wales, Hong Kong, India, Ireland, New Zealand, Scotland, Singapore, South Africa and the United States of America]. Register Now!

Stephen is also general editor of International Electronic Evidence (British Institute of International and Comparative Law, 2008), ISBN 978-1-905221-29-5, covering the following jurisdictions: Argentina, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Poland, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Thailand and Turkey.

Posted by iang at 09:46 AM | Comments (2) | TrackBack

June 06, 2008

BarCampBankLondon: alternative finance workshop

Thomas Barker sends this press release:

Innovators Gather in the City to Set Shape for Future of Finance


Contact: Thomas Barker
Email: tbarker(at)barcampbank[..]org

LONDON, UK, Monday June 2nd, 2008 - On Saturday July 5th, 2008, one of the most unusual conferences in the financial services industry, BarCampBankLondon (BCBL), will get underway at 9:30 AM near the heart of the City. BCB London follows the success of previous BarCampBanks in Paris, Seattle, San Francisco, New Hampshire and New York City. Its participants range from interested students to banking executives, VCs, startup founders and internet technologists. BCBL is a forum where participants from diverse backgrounds can get together to discuss topics impacting the industry. It will attract thought leaders and innovators from as far away as America for an intense day of discussions on the future of financial services.

Event co-founder, Frederic Baud said "We wanted to get away from the typical event where a group of senior executives listen to PowerPoint slides and exchange business cards. This is really about getting together people who share a genuine interest in building the future." The event has no set speakers, agenda or sales pitches and getting in the door will only set you back £10. To ensure that the event is relevant to all those attending, the agenda will be discussed online (http://barcamp.org/BarCampBankLondon), then set by the participants on the morning of the event.

It might seem strange that an event like this has taken so long to reach London, a city often considered to be the global financial hub. Another organizer, Thomas Barker said "People might not immediately think of London as a tech cluster. But walking around the City, you can see hundreds of software firms nestled in among the banks and lawyers. There's a lot happening here". So far, BCBL intends to discuss the topics of P2P lending, startup financing, mobile banking, personal finance management and micro-finance amongst others.

To attend BCBL, register online at http://bcblondon.eventbrite.com/ .

Sun Microsystems are generously hosting BCBL in their City offices. The event, which is organized by volunteers, welcomes participation from anyone who would like to help with logistics or spreading the word. Interested parties can contact Thomas Barker at tbarker [at]barcampbank,org, or Antony Evans at Antony (At) thestartupexchange D0t com.

About BarCampBank:

The aim of BarCampBank is to foster innovation and the creation of new business models in the world of banking and finance. The next BarCampBank after London will be held in Charleston, USA. For more information, please contact George Pasley at gpasley att gmail d0T com . The following one will be held in Vancouver, Canada. For more information, please contact Tim McAlpine at tmcalpine (a) currencymarketing AT ca .

# # #
If you'd like more information about this event, please contact Thomas Barker (contact information above) or Antony Evans (Antony _Att_ thestartupexchange . com)

Posted by iang at 06:54 AM | Comments (1) | TrackBack

April 18, 2008

2 views on the RSA security conference: a war of signals?

Two guys went to the RSA conference and came back with slightly different tales. Both are down on it. Gunnar Peterson says the sellers of product are not of our kind, to put it politely. He spotted an apparent exception with Ping Identity, a seller of something or other, which apparently is impressing clients, who reported this anecdote:

Someone wandered by our booth and when they saw the Ping logo, they stopped and paused, looking perplexed. When one of our sales team inquired, the gentleman said, "I thought you guys were bigger than that."

Signal! In a market with insufficient information, signals arise as proxies for the metrics that we don't have, but still demand. There are no good signals, only less bad ones, because if it was good it would be a metric.

In this case, the observer thought that the booth size indicated corporate size, with the implied expectation that this said something (good) about the product. The Ping guy went on to muse on a strategy of deliberately perverting the signal by setting his booth size at 10x10 (feet?) regardless. He could go further, and not go at all, but apparently he isn't ready for that test.

Meanwhile, Bruce Schneier also went to RSA and said:

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

This is a subtle difference between Gunnar and Bruce. Gunnar says that all is crap, and Bruce says that the products are good, but the buyers don't get it. Bruce's theory is that the marketing departments are not selling on security, and in some sense have drifted off to selling something else.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

Which is to say, whatever they are selling, it isn't speaking to security, as far as their customers are concerned. So if we assume that they do know security (whatever that means) and their products are good for us (as Bruce suggests), the question then becomes, why can't they communicate this to us?

Bruce provides the answer elsewhere:

In 2006, IBM bought ISS. The same year BT bought my company, Counterpane, and last year it bought INS. These aren't large security companies buying small security companies; these are non-security companies buying large and small security companies.

Whatever it is that the security companies know, it isn't about what the customer needs. Now, we could split hairs about this point: is the wisdom that the company holds "security" or, is what the customer needs, security?

But it is clear that the customer needs X and the seller isn't aware of what X is. Further, if the above events are indicative, the specialised security company is not capable of entering the market for X. The market for X is reserved for the IT generalist company.

I agree with the notion that we are facing crunch time for the sector (and have been predicting it for longer than I care to remember). It is certainly an exercise for the armchair economists to predict where it goes from here. But, let there be no doubt about change: It has to change, because the disconfirming data is in: the security industry did not save us from the current threats, and has no good answer, if the RSA conference is anything to go by.

From my armchair, here is where it goes: It's your job, do it. Security is something that becomes a part of the application, and the market then splits two ways: you the builder of applications will do it yourself, or you will outsource practically all of the application to (only) companies who can sell all parts of the application, from requirements to rollout (the consolidation that Bruce refers to).

Buy IBM, sell anti-virus companies. Ditch security professionals as contractors, re-employ them as permanent parts of your generalist team, if they are general enough. Integrate savvy people into your team, and encourage them to learn some security, too. Install books on secure programming on the bookshelf, uninstall security products.

Which still leaves a hair-splitting question of what the difference between security and X is. Well, back to my armchair for that one.

Posted by iang at 07:21 AM | Comments (1) | TrackBack

February 14, 2008

FC2008 -- report by Dani Nagy

This was my first time [writes Dani Nagy] at the annual Financial Cryptography and Data Security Conference, even though I have extensively used results published at this conference in my research. In short, it was very interesting from both a technical and a social point of view (as in learning new results and meeting interesting people from the field). And it was a lot of fun, too.

Pairing based cryptography seems to be all the rage in the fundamental crypto research department. Secure Function Evaluation seems to be slowly inching from pure theory into the realm of applicable techniques. But don't hold your breath, yet.

In between theory and practice, was Moty Yung's very entertaining invited talk about Kleptography -- using cryptographic techniques for offensive, malicious purposes, rather than defenses, typically against other cryptographic systems. As an example, he gave a public-private RSA key generation algorithm, which is indistinguishable from an honest, random one in a black box manner, and even if reverse engineered, the keys generated with it can be factored only with the effort of factoring a key half that long. The attacker, however, that pushes this key generation algorithm on unsuspecting victims, will be able to factor their keys with very little effort.

By sheer accident, I found myself on the panel about e-cash. The topic was the gap between real-life electronic cash and academic research. One rule was not to speak about one's own work. The participants were selected from different parts of the world and different walks of life. For me, the biggest news was that credit cards are not common at all in Japan. For most of the people, WebMoney (which was what I talked about) was a complete novelty; I, in turn, found it a bit surprising that WebMoney is almost entirely unknown among FC people. On the other hand, the reason is obvious: most of their publications, including scientific ones, are available only in Russian.

The rump session was a lot of fun, too. At the last minute, I decided to present the core of my other paper that was rejected. There were many different talks, with quite a bit of humor.

The other panel, about usability issues, was also interesting, but my personal conclusion was that there's still a very long way to go until Skype-like usability becomes the norm rather than an odd exception. The completely wrong threat models of the 1990s, with all-powerful adversaries, men in the middle and completely trustworthy third parties, are still too deeply entrenched in many people's thinking.

For future conferences, the goal is to attract more people with finance, business and law backgrounds, in addition to cryptography and CS, which still dominate almost exclusively, despite the fact that there is a growing realization that it is not necessarily the crypto part that makes or breaks FC solutions.

At the general meeting of IFCA, there were the usual voting-on-voting discussions and people not willing to take any responsibility for anything, but I sort of expected it. The important news is that the next island is Barbados and the one after that is, hopefully, Tenerife (this is what most voting members seem to prefer, including myself). The financial objective of having the cost of two conferences in the bank has not been achieved yet, but IFCA is getting there. The nightmare scenario is that a hurricane destroys the island AFTER EVERYTHING HAS BEEN PAID, and all registered participants still need to be refunded.

The conference hotel (Beach Resort El Cozumeleño) was excellent (except for one of the evening shows, which was horrible), the Internet access was reasonably good, the food was good, the sea and the weather were warm, so the overall impression is very positive. The various organized activities were fun, too, such as diving and snorkeling.

For those of us who left some time before and/or after the conference for exploring, the Yucatan peninsula also offered numerous opportunities. But that was not strictly part of the conference.

Daniel A. Nagy
AgilEight, Security Architect

Posted by iang at 02:09 PM | Comments (3) | TrackBack

August 31, 2007

Identity news: Identity Forum, November 07 open for business, Second Life identifies with its users

Over at the Digital Identity Forum, they have announced this year's conference. London, 21-22 November. I have been to several of the series run by Consult-Hyperion, and can attest that they are worthwhile. Dave and companions do try very hard to cover a broad swathe of the difficult territory known as "Identity," without getting caught in the academic definitions trap that other conferences perpetually fall into.

Well recommended! And, by way of disclosure, I might be there myself, courtesy of a prize ticket.

To continue identifying with today's theme, over in Second Life, they have added an identity verification service. One blog thinks that this is a great move:

The possibilities are huge. Off the top of my head, I see contracts executed in-world, legal representation that starts in-world, and virtual world employment that goes beyond warming a camp chair. And that’s just the beginning.

The important details are:

  • Verification is voluntary.
  • You can verify your age, location, gender, and/or name.
  • You can do it piecemeal (e.g. just age, for access to restricted content).
  • If you don’t verify age, you can’t access restricted parcels.
  • It will be free at first, but there will be fees imposed later.

This other blog sounds warnings of skepticism:

The new system is called "Identity Verification (IDV)", a shift away from the old use of the term "age verification". The shift is significant, as the focus now is in finding out who its users are, rather than whether or not it's ok to let them in. None of this information will be stored by Linden Lab, but no such assurances have been given about what the service provider will do with your personal details once they have them.

The service provider is Integrity, a subsidiary of Aristotle, a data-mining agency in the business of helping people run political campaigns. Users will have to trust that they won't ever use their personal details for anything that disagrees with their personal politics.

And other comments on how much of a failure the chosen service provider is.

I'll defer commenting on that one today. Frequent visitors to the world of FC can probably guess!

Posted by iang at 06:45 AM | Comments (0) | TrackBack

July 05, 2007

Metricon 2.0 -- Boston, 7.Aug.2007 -- talks announced

Gunnar Peterson writes: The agenda for Metricon 2.0 in Boston on August 7th has been set. Metricon is co-located with the Usenix Security conference. The details, travel info, registration, and agenda are here.

There are a limited number of openings so please REGISTER SOON if interested in attending. A summary of the presentations:

  • "Do Metrics Matter?"
  • "Security Meta Metrics--Measuring Agility, Learning, and Unintended Consequence"
  • "Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software"
  • "A Software Security Risk Classification System"
  • "Web Application Security Metrics"
  • "Operational Security Risk Metrics: Definitions, Calculations, and Visualizations"
  • "Metrics for Network Security Using Attack Graphs: A Position Paper"
  • "Software Security Weakness Scoring"
  • "Developing secure applications with metrics in mind"
  • "Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail"

Read more...

Posted by iang at 02:09 AM | Comments (0) | TrackBack

July 04, 2007

CFP -- FC07 -- papers by 25th September

This is [writes Radu Sion] an advance call for papers for the Financial Cryptography and Data Security Conference in Cozumel, Mexico, 28-31 January, 2008 (http://fc08.ifca.ai).

Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance in the context of finance and commerce. The conference covers all aspects of securing transactions and systems. Submissions focusing on both fundamental and applied real-world deployments are solicited.

This year, for the first time, we are also accepting submissions for posters and short papers. The poster session is the perfect venue to share a provocative opinion, interesting established or preliminary work, or a cool idea that will spark discussion. Poster presenters will benefit from a multi-hour session to discuss their work, get exposure, and receive feedback from attendees. The intention behind short papers (peer-reviewed) is to encourage authors to introduce work in progress, novel applications and corporate or industrial experiences. Short papers will be evaluated with a focus on novelty and potential for sparking participants' interest and future research avenues.

DATES

Submission: 25 September
Posters: 13 November
Panels: 13 November

Read more...

Posted by iang at 07:08 AM | Comments (0) | TrackBack

April 24, 2007

WEIS2007 - Econ Info Sec - programme announced

Following is the Programme for WEIS2007, the annual Workshop on Economics of Information Security, to be held June 7-8, 2007, Pittsburgh, USA.

Session I - 8:30-10:30am (Disclosure)

The legitimate vulnerability market: the secretive world of 0-day exploit sales
Charles Miller, Independent Security Evaluators

Inadvertent Disclosure - Information Leaks in the Extended Enterprise
M. Eric Johnson and Scott Dynes, Dartmouth College

Network Security: Vulnerabilities and Disclosure Policy
Jay Pil Choi, Michigan State University,
Chaim Fershtman, Neil Gandal, Tel Aviv University

The Countervailing Incentive of Restricted Patch Distribution: Economic and Policy Implications
Mohammad S. Rahman, Karthik Kannan, Mohit Tawarmalani, Purdue University

Session II - 11am-12pm (Privacy)

On the Viability of Privacy-Enhancing Technologies in a Self-Regulated Business-to-Consumer Market: Will Privacy Remain a Luxury Good?
Rainer Böhme and Sven Koble, Technische Universität Dresden

When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information
Jens Grossklags, University of California at Berkeley,
Alessandro Acquisti, Carnegie Mellon University

Keynote speech (George Loewenstein)

WEIS 2007 is delighted to host a keynote speech by Dr. George Loewenstein, Herbert A. Simon Professor of Economics and Psychology at Carnegie Mellon University.

George Loewenstein is the Herbert A. Simon Professor of Economics and Psychology at Carnegie Mellon University. He received his PhD from Yale University in 1985 and since then has held academic positions at The University of Chicago and Carnegie Mellon University, and fellowships at Center for Advanced Study in the Behavioral Sciences, The Institute for Advanced Study in Princeton, The Russell Sage Foundation and The Institute for Advanced Study in Berlin. He is one of the founders of the field of behavioral economics and more recently of the new field of neuroeconomics. Loewenstein's research focuses on applications of psychology to economics, and his specific interests include decision making over time, bargaining and negotiations, psychology and health, law and economics, the psychology of adaptation, the role of emotion in decision making, the psychology of curiosity, conflict of interest, and "out of control" behaviors such as impulsive violent crime and drug addiction. He has published over 100 journal articles, numerous book chapters, and has edited 6 books on topics ranging from intertemporal choice to behavioral economics to emotions.

Session III - 2-3:30pm (Security Investments)

Optimally Securing Enterprise Information Systems and Assets
Vineet Kumar, Rahul Telang, Tridas Mukhopadhyay, Carnegie Mellon University

Interdependence of Reliability and Security
Peter Honeyman, University of Michigan,
Galina A. Schwartz, University of California Berkeley,
Ari Van Assche, HEC Montréal

A Framework for Classifying and Comparing Models of Cyber Security Investment to Support Policy and Decision-Making
Rachel Rue, Shari Lawrence Pfleeger and David Ortiz, RAND Corporation

Session IV - 4-5:30pm (Managed Security Service Providers)

Growth and sustainability of MSSP networks
Alok Gupta and Dmitry Zhdanov, University of Minnesota

Will Outsourcing IT Security Lead to a Higher Social Level of Security?
Brent Rowe, RTI International

Measuring Security Investment Benefit for Off the Shelf Software Systems - A Stakeholder Value Driven Approach
Yue Chen, Barry Boehm, Luke Sheppard, University of Southern California

Session I - 8:30-10am (Privacy-Personalization)

Incentive Design for Free but No Free Disposal Services: The Case of Personalization under Privacy Concerns
Ramnath K. Chellappa, Emory University Atlanta,
Shivendu Shivendu, University of Southern California

The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study
Janice Tsai, Serge Egelman, Lorrie Cranor, Alessandro Acquisti, Carnegie Mellon University

Economics of User Segmentation, Profiling, and Detection in Security
Srinivasan Raghunathan, Huseyin Cavusoglu, Byungwan Koh, The University of Texas at Dallas,
Bin Mai, Northwestern State University

Session II - 10:30am-12pm (Empirics of Information Security)

The Deterrent Effect of Enforcement Against Computer Hackers: Cross-Country Evidence
Ivan Png, Chen Yu Wang, National University of Singapore

An Empirical Analysis of the Current State of Phishing Attack and Defence
Tyler Moore and Richard Clayton, University of Cambridge

Privacy, Network Effects and Electronic Medical Record Technology Adoption
Amalia R. Miller, University of Virginia,
Catherine E. Tucker, MIT

Session IV - 3-4:30pm (Risk)

Mental Models of Computer Security Risks
Farzaneh Asgharpour, Debin Liu, L. Jean Camp, Indiana University

Cyber-Insurance: Copula Pricing Framework and Implications for Risk Management
Hemantha S. B. Herath, Brock University,
Tejaswini C. Herath, University at Buffalo

Strategic Defense and Attack of Complex Networks
Kjell Hausken, University of Stavanger

Posted by iang at 08:56 AM | Comments (1) | TrackBack

April 09, 2007

Metricon 2.0 -- Boston, 7.Aug.2007

Better be quick -- Gunnar posts that to get a talk idea into Metricon 2.0, you have to have it in by 11th May.

Second Workshop on Security Metrics (MetriCon 2.0)

August 7, 2007 Boston, MA

Do you cringe at the subjectivity applied to security in every manner? If so, MetriCon 2.0 may be your antidote to change security from an artistic "matter of opinion" into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for hard facts and data has come.

MetriCon 2.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific implementations. Topics and presentations will be selected for their potential to stimulate discussion in the Workshop.

MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, ...

And I just posted over on EC that one needed slow, careful, critical thought to consider metrics and data...

Posted by iang at 04:39 PM | Comments (3) | TrackBack

    January 10, 2007

    Usable Security 2007 -- Preliminary Programme -- colocated with FC2007

    Preliminary Programme for "USABLE SECURITY 2007" which is colocated with FC2007 below, again in "title-only-peer-review" mode.

  • An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
  • WSKE: Web Server Key Enabled Cookies
  • (Panel) - The Future of Phishing
  • Usability Analysis of Secure Pairing Methods
  • Low-cost Manufacturing, Usability, and Security: An Analysis of Bluetooth Simple Pairing and Wi-Fi Protected Setup
  • Empirical Studies on Software Notices to Inform Policy Makers and Usability Designers
  • Prime III: Where Usable Security and Electronic Voting Meet
  • (Panel) Building Trusted Systems: Does Trusting Computing Enable Trusted Systems?
  • Click to vote your interest: https://www.usablesecurity.org/accepted.html

    (Ha! Finally someone else who supports encrypted web browsing. Hey, guys, can you fix the links so that they are relative and keep people in HTTPS?)

    Posted by iang at 05:55 AM | Comments (3) | TrackBack

    January 08, 2007

    FC07 Preliminary Programme - Leaving Room for the Bad Guys

    Mike Bond, an EMV researcher from Cambridge crypto labs and now Security Director at Cryptomathic, is giving the Keynote Address at FC. As it strongly rhymes with many of my rantings (GP, Pareto-secure, the hacker yin-yang relationship ...) here is the abstract in full. The other Invited Talk by Dawn Jutla also resonates with talk of end-to-end security and how Kerckhoffs' 6th says the user is the first requirement.

    (Keynote - Mike Bond)

    Leaving Room for the Bad Guys

    When designing a crypto protocol, or building a large security architecture, no competent designer ignores considering the bad guy, and anticipating his plans. But often we designers find ourselves striving to build totally secure systems and protocols -- in effect writing the bad guys entirely out of the equation. In a large system, when you exclude the bad guys, they soon muscle their way in elsewhere, and maybe in a new and worse way over which you may have much less control. A crypto protocol with no known weaknesses may be a strong tool, but when it does break, it will break in an unpredictable way.

    This talk explores the hypothesis that it is safer and better for designers to give the bad guys their cut, but to keep it small, and keep in control. It may not just be our systems but also our protocol building blocks that should be designed to make room for the bad guy to take his cut. The talk is illustrated with examples of very successful systems with known weaknesses, drawn primarily from the European EMV payment system, and banking security in general. We also discuss a few "too secure" systems that end up failing in worse ways as a result.

    (Invited Talk - Dawn Jutla)

    Title: Usable SPACE: Security, Privacy, and Context for the Mobile User

    Users breach the security of data within many financial applications daily as human and/or business expediency to access and use information wins over corporate security policy guidelines. Recognizing that changing user context often requires different security mechanisms, we discuss end-to-end solutions combining several security and context mechanisms for relevant security control and information presentation in various mobile user situations. We illustrate key concepts using Dimitri Kanevsky's (IBM Research) early 2000s patented inventions for voice security and classification.

    Curiously, these talks are the most encouraging for a long time. Does this signify a shift in IFCA focus away from academic crypto to practical security?

    The rest of the programme I pass on in "title-only-peer-review-mode" so you can scan and click for anything that grabs attention.

    Programme in title-only-peer-review-mode:

  • Vulnerabilities in First-Generation RFID-enabled Credit Cards
  • Conditional E-Cash
  • A Privacy-Protecting Multi-Coupon Scheme with Stronger Protection against Splitting
  • (Panel) RFID - yes or no?
  • A Model of Onion Routing with Provable Anonymity
  • K-Anonymous Multi-party Secret Handshakes
  • Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer
  • Scalable Authenticated Tree Based Group Key Exchange for Ad-Hoc Groups
  • On Authentication with HMAC and Non-Random Properties
  • Hidden Identity-Based Signatures
  • Space-Efficient Private Search
  • Cryptographic Securities Exchanges
  • Improved multi-party contract signing
  • Informant: Detecting Sybils Using Incentives
  • Dynamic Virtual Credit Card Numbers
  • The unbearable lightness of PIN cracking
  • (Panel) Virtual Economies - Threats and Risks, Moderator
  • The Motorola Personal Digital Right Manager
  • Certificate Revocation using Fine Grained Certificate Space Partitioning
  • An Efficient Aggregate Shuffle Argument Scheme
  • Programme in Full

    Posted by iang at 08:49 AM | Comments (2) | TrackBack

    December 01, 2006

    CFP - Computer Security Foundations

    Twan says of WEIS: "Darn, why did I miss this workshop!? ... interesting stuff" Me too. Here's another one:

    Call For Papers

    20th IEEE Computer Security Foundations Workshop (CSF)
    Venice, Italy, July 6 - 8, 2007

    Sponsored by the Technical Committee on Security and Privacy
    of the IEEE Computer Society

    CSF20 website: http://www.dsi.unive.it/CSFW20/
    CSF home page: http://www.ieee-security.org/CSFWweb/
    CSF CFP: http://www.cs.chalmers.se/~andrei/CSF07/cfp.html

    The IEEE Computer Security Foundations Workshop (CSF) series brings together researchers in computer science to examine foundational issues in computer security. Over the past two decades, many seminal papers and techniques have been presented first at CSF. The CiteSeer Impact page lists CSF as 38th out of more than 1200 computer science venues in impact (top 3.11%) based on citation frequency. There is a possibility of upgrading CSF to an IEEE symposium already in 2007.

    New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are welcome as well as papers. Possible topics include, but are not limited to:

    Authentication
    Information flow
    Security protocols
    Anonymity and Privacy
    Electronic voting
    Network security
    Resource usage control
    Access control
    Trust and trust management
    Security models
    Intrusion detection
    Data and system integrity
    Database security
    Distributed systems security
    Security for mobile computing
    Executable content
    Decidability and complexity
    Formal methods for security
    Language-based security

    Proceedings published by the IEEE Computer Society Press will be available at the workshop, and selected papers will be invited for submission to the Journal of Computer Security.

    Important Dates

    Papers due:                   Monday, February 5, 2007
    Panel proposals due:          Thursday, March 15, 2007
    Notification:                 Monday, March 26, 2007
    Camera-ready papers:          Friday, April 27, 2007
    Workshop:                     July 6-8, 2007

    Workshop Location

    The 20th IEEE Computer Security Foundations Workshop will be held in the facilities of Venice International University, located on the island of San Servolo, about 10 minutes by water ferry from the Piazza San Marco.

    More details: http://www.cs.chalmers.se/~andrei/CSF07/cfp.html

    Posted by iang at 03:40 PM | Comments (0) | TrackBack

    September 15, 2006

    WESII - Programme - Economics of Securing the Information Infrastructure

    The Workshop on the Economics of Securing the Information Infrastructure

    http://wesii.econinfosec.org/

    October 23-24, 2006
    Washington, DC

    PRELIMINARY PROGRAM & CALL FOR PARTICIPATION
    ...

    9:00AM Panel - Economic Barriers and Incentives for DNSSEC Deployment

    11:00AM Session 1
    * Comparing the Costs of Public Key Authentication Infrastructures
    * Economics of Internet Security Outsourcing: Simulation Results Based on the Schneier Model
    * The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market

    1:30PM Panel - Data Sources: Should we answer questions for which data is available, can we get more data, or can we do without?

    3:30PM Session 2

    * Toward A Dynamic Modeling Of The Vulnerability Black Market
    * Toward One Strong National Breach Disclosure Law - Justification and Requirements
    * Using Self-interest to Prevent Malice; Fixing the Denial of Service Flaw of the Internet

    9:00AM Session 3

    * A Closer Look at Attack Clustering
    * Predictive Modelling for Security Operations Economics
    * Assessing Trusted Network Access Control Cost-Benefit Factors

    11:00AM Session 4

    * The Statistical Value of Information
    * On the Economic Placement of Monitors in Router Level Network Topologies

    1:00PM Work-in-Progress (WIP) Session

    * Economic Interpretation and a Simulation Exercise for Exploring Corporate Investments in Cyber Security
    * Securing Our Data Storage Infrastructures
    * A Neo-institutional Perspective on Cyber Attacks
    * Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work
    * Securing the Process of Insurance Application
    * Evaluation of Information Security Investment Portfolios: A Probabilistic Approach
    * Direct measurement of spam zombie activity in a residential broadband network

    ========================================================================
    Hotel & Registration
    ========================================================================

    *The WESII Hotel Reservation Deadline is September 20*

    *Registration is now open*

    ========================================================================
    Preliminary Program
    ========================================================================
    For updates, see

    Monday, October 23, 2006

    9:00AM Panel
    Economic Barriers and Incentives for DNSSEC Deployment
    Moderator: Andy Ozment
    Panelists: Sam Weiler, Steve Crocker, and more TBA

    11:00AM Session 1
    * Comparing the Costs of Public Key Authentication Infrastructures
    Patroklos Argyroudis (University of Dublin, Trinity College)
    Robert McAdoo (University of Dublin, Trinity College)
    Donal O'Mahony (University of Dublin, Trinity College)
    * Economics of Internet Security Outsourcing:
    Simulation Results Based on the Schneier Model
    William Yurcik (University of Illinois)
    Wen Ding (University of Illinois)
    * The Effect of Information Security Incidents on Corporate
    Values in the Japanese Stock Market
    Masaki Ishiguro (Mitsubishi Research Institute)
    Hideyuki Tanaka (The Graduate School of
    Interdisciplinary Information Studies),
    Kanta Matsuura (Institute of Industrial Science,
    University of Tokyo),
    Ichiro Murase (Mitsubishi Research Institute)

    1:30PM Panel
    Data Sources:
    Should we answer questions for which data is available,
    can we get more data, or can we do without?
    Moderator: Allan Friedman
    Panelists: TBA

    3:30PM Session 2

    * Toward A Dynamic Modeling Of The Vulnerability Black Market
    Jaziar Radianti (Agder University College)
    Jose J. Gonzalez (Agder University College)
    * Toward One Strong National Breach Disclosure Law -
    Justification and Requirements
    William Yurcik (University of Illinois)
    Ragib Hasan (University of Illinois at Urbana-Champaign)
    * Using Self-interest to Prevent Malice;
    Fixing the Denial of Service Flaw of the Internet
    Bob Briscoe (BT & UCL)


    Tuesday, October 24, 2006

    9:00AM Session 3

    * A Closer Look at Attack Clustering
    Rainer Böhme (TU Dresden)
    Gaurav Kataria (Carnegie Mellon University)
    * Predictive Modelling for Security Operations Economics
    Mike Yearworth (HP Labs)
    Brian Monahan (HP Labs)
    David Pym (HP Labs)
    * Assessing Trusted Network Access Control Cost-Benefit Factors
    Susmit Panjwani (Deviant Intelligence LLC)
    Stephanie Tan (IBM)

    11:00AM Session 4

    * The Statistical Value of Information
    Luther Martin (Voltage Security)
    * On the Economic Placement of Monitors in
    Router Level Network Topologies
    Yongping Tang (Iowa State University)
    Thomas E. Daniels (Iowa State University)

    1:00PM Work-in-Progress (WIP) Session

    * Economic Interpretation and a Simulation Exercise for
    Exploring Corporate Investments in Cyber Security
    Jonathan Crawford (University of Virginia)
    Kenneth G. Crowther (University of Virginia)
    Barry Horowitz (University of Virginia)
    James Lambert (University of Virginia)
    * Securing Our Data Storage Infrastructures
    Bob Mungamuru (Stanford University)
    Hector Garcia-Molina (Stanford University)
    * A Neo-institutional Perspective on Cyber Attacks
    Nir Kshetri (University of North Carolina--Greensboro)
    * Beyond Media Hype: Empirical Analysis of Disclosed Privacy
    Breaches 2005-2006 and a DataSet/Database Foundation for Future Work
    Ragib Hasan (University of Illinois at Urbana-Champaign)
    William Yurcik (University of Illinois)
    * Securing the Process of Insurance Application
    Vincent Wolff-Marting (University of Leipzig)
    André Köhler (University of Leipzig)
    Volker Gruhn (University of Leipzig)
    * Evaluation of Information Security Investment Portfolios:
    A Probabilistic Approach
    Tae-Sung Kim (Chungbuk National University)
    Chandrasekhar Subramaniam (UNC Charlotte),
    Sungjune Park (UNC Charlotte),
    Ram Kumar (UNC Charlotte)
    * Direct measurement of spam zombie activity in a
    residential broadband network
    Geoff Bennett (StreamShield)
    Brian Webb (BT Retail)


    ========================================================================
    Program Committee
    ========================================================================

    Alessandro Acquisti Carnegie Mellon University
    Heinz School of Public Policy & Management

    Ross Anderson University of Cambridge

    Jean Camp Indiana University

    Huseyin Cavusoglu University of Texas at Dallas

    Richard Clayton University of Cambridge

    Steve Crocker Shinkuro / DNSSEC Deployment Working Group

    Ben Edelman Harvard University Department of Economics

    Allan Friedman Harvard University
    Kennedy School of Government

    Adam M. Golodner Cisco Systems

    Larry Gordon University of Maryland
    Smith School of Business

    Yacov Haimes University of Virginia

    Cathy Handley U.S. Department of Commerce, National
    Telecommunications & Information Administration

    Barry Horowitz University of Virginia

    Richard Hovey U.S. Federal Communications Commission (FCC)

    Jeff Hunker Carnegie Mellon University
    Heinz School of Public Policy & Management

    M. Eric Johnson The Tuck School of Business at Dartmouth College

    Jeffrey M. Kopchik U.S. Federal Deposit Insurance Corporation (FDIC)
    Technology Supervision Branch

    Steve Lipner Microsoft

    Marty Loeb University of Maryland
    Smith School of Business

    Doug Maughan U.S. Department of Homeland Security (DHS)
    Science and Technology Directorate

    Doug Montgomery U.S. National Institute of Standards & Technology
    Internetworking Technologies Group

    Milton Mueller Syracuse University School of Information Studies

    Andrew Odlyzko University of Minnesota

    Andy Ozment MIT Lincoln Laboratory / University of Cambridge

    Shari Lawrence Pfleeger RAND Corporation

    Stuart Schechter MIT Lincoln Laboratory

    Bruce Schneier Counterpane Internet Security

    Rahul Telang Carnegie Mellon University
    Heinz School of Public Policy & Management

    Andrew Wyckoff Organisation for Economic Cooperation and
    Development (OECD)

    Bill Yurcik National Center for Supercomputing Applications
    (NCSA)


    ========================================================================
    Workshop Sponsors
    ========================================================================
    The Institute for Information Infrastructure Protection (I3P)
    The Workshop on the Economics of Information Security (WEIS)

    ________________________________________________________________________
    Economics of Information Security (EIS) Mailing List Information

    We retrieved your name from either the author/attendee lists of one of the
    previous workshops on the economics of information security (WEIS) or
    through the suggestion of a member of the WEIS steering committee.
    This list will never be used for commercial purposes and we will work to
    ensure traffic is kept to a minimum (no more than 10 messages per year).

    If you would prefer not to receive future emails about this or related
    workshops, we apologize for this intrusion and offer you the following
    options for unsubscribing:
    1) Visit http://announce-list.econinfosec.org
    2) Email stuart@econinfosec.org

    Posted by iang at 06:29 AM | Comments (1) | TrackBack

    FC'07 - call for papers - Financial Cryptography and Data Security

    Call for Papers

    FC'07: Financial Cryptography and Data Security
    http://fc07.ifca.ai/

    Eleventh International Conference
    February 12-15, 2007
    Lowlands, Scarborough, Trinidad and Tobago

    Submissions Due Date: October 9, 2006, 11:59pm, EDT (UTC-4)

    Program Chair: Sven Dietrich (Carnegie Mellon University)
    General Chair: Rafael Hirschfeld (Unipay)

    At its 11th year edition, Financial Cryptography and Data Security (FC'07) is a well established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We will continue last year's augmentation of the conference title and expansion of our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, fraud prevention, secure IT infrastructure, and analysis methodologies. Our focus will also encompass financial, legal, business, and policy aspects. Material both on theoretical (fundamental) aspects of securing systems, and on secure applications and real-world deployments will be considered.

    ...
    http://fc07.ifca.ai/

    The conference goal is to bring together top cryptographers, data-security
    specialists, and computer scientists with economists, bankers,
    implementers, and policy makers. Intimate and colorful by tradition, the
    FC'07 program will feature invited talks, academic presentations,
    technical demonstrations, and panel discussions.

    This conference is organized annually by the International Financial
    Cryptography Association (IFCA).

    Original papers, surveys, and presentations on all aspects of financial
    and commerce security are invited. Submissions must have a strong and
    visible bearing on financial and commerce security issues, but can be
    interdisciplinary in nature and need not be exclusively concerned with
    cryptography or security. Possible topics for submission to the various
    sessions include, but are not limited to:

    Anonymity and Privacy
    Auctions
    Audit and Auditability
    Authentication and Identification, including Biometrics
    Certification and Authorization
    Commercial Cryptographic Applications
    Commercial Transactions and Contracts
    Digital Cash and Payment Systems
    Digital Incentive and Loyalty Systems
    Digital Rights Management
    Financial Regulation and Reporting
    Fraud Detection
    Game Theoretic Approaches to Security
    Identity Theft, Phishing and Social Engineering
    Infrastructure Design
    Legal and Regulatory Issues
    Microfinance and Micropayments
    Monitoring, Management and Operations
    Reputation Systems
    RFID-Based and Contactless Payment Systems
    Risk Assessment and Management
    Secure Banking and Financial Web Services
    Securing Emerging Computational Paradigms
    Security and Risk Perceptions and Judgments
    Security Economics
    Smart Cards and Secure Tokens
    Trust Management
    Trustability and Trustworthiness
    Underground-Market Economics
    Virtual Economies
    Voting system security

    For those interested, last year's proceedings are available from Springer.

    Submission Instructions

    Submission Categories

    FC'07 is inviting submissions in four categories: (1) research papers, (2)
    systems and applications presentations, (3) panel sessions, (4) surveys.
    For all accepted submissions, at least one author must attend the
    conference and present the work.

    Research Papers

    Research papers should describe novel scientific contributions to the
    field, and they will be subject to rigorous peer review. Accepted
    submissions will be included in the conference proceedings to be published
    in the Springer-Verlag Lecture Notes in Computer Science (LNCS) series
    after the conference, so the submissions must be formatted in the standard
    LNCS format (15 page limit).

    Systems and Application Presentations

    Submissions in this category should describe novel or successful systems
    with an emphasis on secure digital commerce applications. Presentations
    may concern commercial systems, academic prototypes, or open-source
    projects for any of the topics listed above. Where appropriate, software
    or hardware demonstrations are encouraged as part of the presentations in
    these sessions. Submissions in this category should consist of a short
    summary of the work (1-6 pages in length) to be reviewed by the Program
    Committee, along with a short biography of the presenters. Accepted
    submissions will be presented at the conference (25 minutes per
    presentation), and a one-page abstract will be published in the conference
    proceedings.

    Panel Sessions

    Proposals for panel sessions are also solicited, and should include a
    brief description of the panel as well as prospective participants.
    Accepted panel sessions will be presented at the conference, and each
    participant will contribute a one-page abstract to be published in the
    conference proceedings.

    Surveys

    A limited number of survey presentations may also be included in the
    program. We encourage submissions that summarize the current state of the
    art on any well-defined subset of the above listed submission topics. A
    limited description of visions on future directions of research in these
    topics would also be appreciated. Survey submissions can be significantly
    shorter than research paper submissions.

    Preparation Instructions

    Submissions to the research papers, systems/application presentation
    categories, and surveys must be received by the due date. Papers must be
    formatted in standard PostScript or PDF format. Submissions in other
    formats will be rejected. All papers must be submitted electronically
    according to the instructions and forms found on this web site and at the
    submission site.

    Authors should provide names and affiliations at submission time, and have
    the option of including or omitting names and affiliations in their
    submitted papers, which must include on their first page the title of the
    paper, a brief abstract, and a list of topical keywords. Accepted submissions will
    be included in the conference proceedings to be published in the
    Springer-Verlag Lecture Notes in Computer Science (LNCS) series after the
    conference, so the submissions must be formatted in the standard LNCS
    format (15 page limit). Authors of accepted submissions will be required
    to complete and sign an IFCA copyright form. A pre-proceedings volume
    containing preliminary versions of the papers will be distributed at the
    conference.

    Questions about all conference submissions should be directed to the
    Program Chair at fc07chair@cert.org.

    Paper Submission

    Authors should only submit work that does not substantially overlap with
    work that is currently submitted or has been accepted for publication to a
    conference with proceedings or a journal.

    To submit your paper, use our online submission service.

    The Rump Session

    FC'07 will also include the popular "rump session" held on one of the
    evenings in an informal, social atmosphere. The rump session is a program
    of short (5-7 minute), informal presentations on works in progress,
    off-the-cuff ideas, and any other matters pertinent to the conference. Any
    conference attendee is welcome to submit a presentation to the Rump
    Session Chair (to be announced). This submission should consist of a talk
    title, the name of the presenter, and, if desired, a very brief abstract.
    Submissions may be sent via e-mail, or submitted in person through the
    Monday of the conference.

    Associated Workshop

    There will be a Usability Workshop held in conjunction with FC 2007.

    Program Committee

    Alessandro Acquisti, Carnegie Mellon University
    Jon Callas, PGP Corporation
    Yvo Desmedt, University College London
    Giovanni di Crescenzo, Telcordia Technologies
    Roger Dingledine, The Free Haven Project
    Bernhard Esslinger, Deutsche Bank
    Philippe Golle, PARC
    Klaus Kursawe, Philips Research Eindhoven
    Arjen Lenstra, EPFL
    Patrick McDaniel, Penn State University
    Tatsuaki Okamoto, NTT
    Kazue Sako, NEC
    Radu Sion, SUNY Stony Brook
    Stuart Stubblebine, Stubblebine Consulting
    Paul Syverson, NRL
    Mike Szydlo, RSA
    Jonathan Trostle, ASK Consulting and Research
    Moti Yung, RSA & Columbia University
    Yuliang Zheng, University of North Carolina at Charlotte

    Important Dates:
    Paper Submission: October 9, 2006

    Notification: December 11, 2006
    Pre-Proceedings: January 11, 2007
    Conference dates: February 12-15, 2007
    Post Proceedings: April 10, 2007

    Posted by iang at 06:19 AM | Comments (0) | TrackBack

    August 10, 2006

    Usable Security (USEC'07)

    Rachna writes: I am organizing a workshop on usable security that will be held in conjunction with Financial Cryptography and Data Security (FC'07). I encourage people on this list to submit their work and/or to attend the workshop!

    Thanks,
    Rachna

    FIRST CALL FOR PAPERS

    Usable Security (USEC'07)
    http://www.usablesecurity.org/

    February 15-16, 2007
    Lowlands, Scarborough, Trinidad/Tobago

    A workshop co-located with
    The Eleventh Conference on Financial Cryptography and Data Security (FC'07)

    Submissions Due Date: November 5, 2006, 11:59pm, PST

    Some of the most challenging problems in designing and maintaining secure systems involve human factors. A great deal remains to be understood about users' capabilities and motivations to perform security tasks. Usability problems have been at the root of many widely reported security failures in high-stakes financial, commercial and voting applications.

    USEC'07 seeks submissions of novel research from academia and industry on all theoretical and practical aspects of usable security in the context of finance and commerce. The workshop will bring together an interdisciplinary group of researchers and practitioners, allowing experts in human-computer interaction, cryptography, data security and public policy to explore emerging problems and solutions.

    (Editorial comment -- it is good to see the rise of more polymath conferences, which is where much of the work will be done in risks and security in the future.)

    Posted by iang at 12:47 PM | Comments (0) | TrackBack

    July 29, 2006

    FC'07 - call for papers

    FC'07: Financial Cryptography and Data Security
    http://fc07.ifca.ai/

    Eleventh International Conference
    February 12-15, 2007
    Lowlands, Scarborough, Trinidad and Tobago

    Submissions Due Date: October 9, 2006, 11:59pm, EDT (UTC-4)

    Program Chair: Sven Dietrich (Carnegie Mellon University)
    General Chair: Rafael Hirschfeld (Unipay)

    At its 11th year edition, Financial Cryptography and Data Security (FC'07) is a well established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. We will continue last year's augmentation of the conference title and expansion of our scope to cover all aspects of securing transactions and systems. These aspects include a range of technical areas such as: cryptography, payment systems, secure transaction architectures, software systems and tools, fraud prevention, secure IT infrastructure, and analysis methodologies. Our focus will also encompass financial, legal, business, and policy aspects. Material both on theoretical (fundamental) aspects of securing systems, and on secure applications and real-world deployments will be considered.
    ...


    The conference goal is to bring together top cryptographers, data-security
    specialists, and computer scientists with economists, bankers, implementers,
    and policy makers. Intimate and colorful by tradition, the FC'07 program
    will feature invited talks, academic presentations, technical
    demonstrations, and panel discussions.

    This conference is organized annually by the International Financial
    Cryptography Association (IFCA).

    Original papers, surveys, and presentations on all aspects of financial and
    commerce security are invited. Submissions must have a strong and visible
    bearing on financial and commerce security issues, but can be
    interdisciplinary in nature and need not be exclusively concerned with
    cryptography or security. Possible topics for submission to the various
    sessions include, but are not limited to:

    Anonymity and Privacy
    Auctions
    Audit and Auditability
    Authentication and Identification, including Biometrics
    Certification and Authorization
    Commercial Cryptographic Applications
    Commercial Transactions and Contracts
    Digital Cash and Payment Systems
    Digital Incentive and Loyalty Systems
    Digital Rights Management
    Financial Regulation and Reporting
    Fraud Detection
    Game Theoretic Approaches to Security
    Identity Theft, Phishing and Social Engineering
    Infrastructure Design
    Legal and Regulatory Issues
    Microfinance and Micropayments
    Monitoring, Management and Operations
    Reputation Systems
    RFID-Based and Contactless Payment Systems
    Risk Assessment and Management
    Secure Banking and Financial Web Services
    Securing Emerging Computational Paradigms
    Security and Risk Perceptions and Judgments
    Security Economics
    Smart Cards and Secure Tokens
    Trust Management
    Trustability and Trustworthiness