Monday, November 21, 2011

Joining the Lyric Carolers this year!

As I'm not quite up to dancing, yet, I was excited to find another venue for getting to perform - The Lyric Carolers!

The Lyric Theatre typically performs Gilbert and Sullivan light operas, or other similar period type pieces, but what to do after their fall show closes and their spring show opens? Why, sing holiday carols!

I successfully auditioned and joined the group this year. What an honor to be with such amazing singers! I even have a wonderful Victorian costume and bonnet to wear for the season. The bonnet's got a bird on it. Yes, a bird! :-)

We're still available for booking, whether you need a large group of singers or a small one. Whether you're looking for a simple quartet to lighten up your holiday party, or the full choir for your corporate event - we can do it all!

To book, simply fill out the booking form, or send mail to ask any questions.

All proceeds go to supporting the theater's regular efforts.

Friday, November 11, 2011

GHC: Anita Borg Social Impact Award Winner

This year's ABI Social Impact Award winner is Anne Ikiara, from NairoBits.

What If More African Women Had More Access and Use of ICT Skill?

Anne Ikiara started the talk by telling us about her background as an African woman, not unlike others. She was the youngest of ten children - 6 brothers and 3 sisters. Once men are circumcised, they no longer do chores. And these aren't like American chores you give children. Ikiara had to cook. To cook, she first had to go to the forest and get firewood. Then she had to go to the well and pump water. Nothing is simple.

Forty percent of the women do not have access to any education - they aren't even functionally literate. If you cannot read or write, how can you possibly interact with technology? There is so much violence against women that just surviving is their number one task. The only time you can get online is to go to a cyber cafe, usually a long walk, which a woman can only do after she's finished her house work, and sometimes at great peril.

Making matters worse, as soon as a young girl starts to develop breasts, she can be married - as young as eight years old - to a man as old as eighty. How can she get an education then?

Still today, in Africa, women are discouraged by their teachers from pursuing math and science.

Women do 80% of the agricultural work, but only own 5% of the land. Nearly 50% of women in sub-Saharan Africa are married by the time they turn 18!
Ikiara was lucky and didn't marry until she was 22 and her husband didn't rush her to have children. Her mother, and others, thought there must be something wrong with her, that she needed a doctor, as she hadn't had any children by the age of 26. So much pressure to just be a mother.

A recent contested political election resulted in riots - most of the dead were women.

Women in Africa need more access to education, more role models, more equality!

What has Nairobits done? They target youth from non-formal settlements - very impoverished people. No running water, living 10 people in a 10x10 shack, etc.

Originally this started in Nairobi and was meant to be a one-time event - but the interest was so overwhelming, they needed to do more.

In order to encourage women, they accept much older girls and have flexible times to come for the training. They know these 16 year olds, many of them mothers, cannot commit to 8AM-5PM for training. Nairobits asks the girls when they can come for training, and works with that.

This type of training is now being replicated in Uganda, Tanzania, Zanzibar and Ethiopia. Nairobits has trained more than 6,000 youths, mostly women, in Kenya alone.

Training starts slow - they may have to introduce the youths to things like indoor plumbing. What a different world. Can you imagine?

Continuing this is difficult, as donor funding is down, and there is an overwhelming need for services. So many students have to be turned away.

Nairobits has centers where the students can come and use their skills after their graduation and get access at times convenient for them.

I had to ask Ikiara how she got out of this poverty: her brother. One of her brothers recognized that she was smarter than he was, and was able to get her into boarding school where she had six years to learn in peace, with no house work. She has taken this gift, and is passing it on to others. The women she trains in technology, in turn, tell others.

The women who are trained can then get real jobs and increase the financial well being of their entire family, so parents, in the end, are usually very happy to have an educated daughter.

The most limiting thing for Nairobits is money. They need sponsors, they need funds. To put one student through six months of training - it merely costs 10,000 Kenyan Shillings - $107 USD.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Anita Borg Denice Denton Emerging Leader Award Winner

This year's ABI Denice Denton Emerging Leader award winner is Tiffani Williams from Texas A&M University.

Discovering Relationships in the Tree of Life

Dr. Williams has been studying phylogenetic trees to discover relationships. She opens with the example of the dentist in Florida who, in 1990, gave HIV to one of his patients. Even though HIV mutates from person to person, phylogenetic trees can trace the source of the virus and could prove that the dentist did indeed give the virus to his patient. It was also used in a court case to identify a man who intentionally gave HIV to 6 women - he is deservedly spending the next 70 years in prison.

More work in this area is used for studying big cats - to see which cats are most closely related. For example, the lion, leopard, jaguar, tiger and snow leopard are part of the same group, but the clouded leopard is not. By studying this, they can try to help save the species.

Dr. Williams did a great job showing that some of the most interesting work is cross-disciplinary - you need computer science, genetics and statistics to help save species!

But, these trees can be very large, expensive to store and impossible to easily transfer. Compressed files help, but you might lose useful data.

Storage is cheap, in theory, but upgrading and adding storage to your laptop is not easy and sometimes simply not possible.

Phylogenetic trees are represented in Newick format, a notation based on balanced parentheses, something like this: (((A,B),D),C,(E,F)); It was actually pretty clear when Dr. Williams used the laser pointer :-)

The problem: one simple phylogenetic tree can have 32 Newick patterns! This makes it hard to both compress and identify relationships. Dr. Williams came up with a way to store a unique tree as a unique binary code - then a simple hash algorithm can identify related trees.

The hash table can be further compressed with shorthand, like a special symbol that means "all trees have this relationship", and another for relationships where fewer items share the relationship than do not. And this can all be compressed using TreeZip and stored in plain text!
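To make the three paragraphs above concrete, here is an added illustration (my own code, not Dr. Williams' TreeZip and not from the original post) of the ideas they describe: a small Newick parser, a canonical form that collapses the many Newick spellings of one tree into a single string that can be hashed, and a "binary code" for each clade (a bit mask over the taxon list) so that two trees can be compared by the relationships they share. The sample trees are constructed for the example; the three strings in SAME_TREE are deliberately the same tree written in three orders.

```python
import hashlib
import re

# Constructed sample input: one six-taxon tree written three different ways.
# Newick lets the children of any node appear in any order, so a single tree
# has many valid strings; these three all describe the same relationships.
SAME_TREE = [
    "(((A,B),D),C,(E,F));",
    "(C,(E,F),(D,(B,A)));",
    "((F,E),C,((A,B),D));",
]
# Constructed: a tree that differs from the above only by swapping B and C.
OTHER_TREE = "(((A,C),D),B,(E,F));"

TOKEN = re.compile(r"\(|\)|,|;|[^(),;\s]+")


def parse_newick(text):
    """Recursive-descent parser for bare Newick (labels only, no branch lengths).

    Internal nodes become tuples of children, leaves become their label string.
    Raises ValueError on unbalanced parentheses or other malformed input.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        if tok == "(":
            pos += 1
            children = [node()]
            while pos < len(tokens) and tokens[pos] == ",":
                pos += 1
                children.append(node())
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses near token %d" % pos)
            pos += 1
            return tuple(children)
        if tok in (")", ",", ";"):
            raise ValueError("unexpected %r at token %d" % (tok, pos))
        pos += 1
        return tok  # leaf label

    tree = node()
    if tokens[pos:] != [";"]:
        raise ValueError("expected a single ';' terminator after the tree")
    return tree


def canonical(tree):
    """Canonical Newick string: children sorted, so the same tree always yields
    the same string no matter how the input ordered its children."""
    if isinstance(tree, str):
        return tree
    return "(" + ",".join(sorted(canonical(c) for c in tree)) + ")"


def fingerprint(text):
    """Hash of the canonical form: equal for every Newick spelling of one tree."""
    return hashlib.sha256(canonical(parse_newick(text)).encode()).hexdigest()


def leaves(tree):
    if isinstance(tree, str):
        return [tree]
    return [leaf for child in tree for leaf in leaves(child)]


def clade_bitmasks(tree, taxa):
    """Encode every non-trivial clade as a bit mask over the sorted taxon list.

    Bit i is set when taxa[i] sits below that internal node; the root's
    all-ones mask is dropped because every tree on the same taxa shares it.
    """
    index = {name: i for i, name in enumerate(taxa)}
    masks = set()

    def walk(node):
        if isinstance(node, str):
            return 1 << index[node]
        mask = 0
        for child in node:
            mask |= walk(child)
        masks.add(mask)
        return mask

    full = walk(tree)
    masks.discard(full)
    return masks


def compare_trees(text_a, text_b):
    """Return (shared clades, differing clades) for two Newick strings.

    The second number is the Robinson-Foulds distance; zero means the two
    strings describe the same tree.
    """
    tree_a, tree_b = parse_newick(text_a), parse_newick(text_b)
    taxa = sorted(set(leaves(tree_a)) | set(leaves(tree_b)))
    a, b = clade_bitmasks(tree_a, taxa), clade_bitmasks(tree_b, taxa)
    return len(a & b), len(a ^ b)


if __name__ == "__main__":
    for text in SAME_TREE:
        print(canonical(parse_newick(text)), fingerprint(text)[:16])
    print(compare_trees(SAME_TREE[0], OTHER_TREE))
```

Sorting children by their own canonical string is what lets one hash stand for every ordering of a tree; the bit-mask set is the per-relationship view, which is where a shorthand like "all trees have this clade" would apply when many trees are stored together.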

As much fun as compression is, Dr. Williams advises against using it on humans - we don't like to be compressed into a group, especially when it comes to negative stereotypes.

I learned so much today - I'd love to take an entire class from her!

GHC: Plenary Session: Partnering with Executive Leaders for Shared Vision and Career Growth

The plenary sessions always seem a bit mislabeled to me - this one is about partnering in executive leadership, and, yes, there are executive type people on the panel - but their advice is actually useful in any level of your career.

Moderator: Linda Apsley (Microsoft)


Microsoft Partnership: Bill Laing and Betsy Speare

CA Technologies Partnership: Gabby Silbermann and Carrie Gates

Harvey Mudd College Partnership: Marie Klawe and Christine Alvarado

Bill Laing and Betsy Speare started out the discussion by introducing each other. At first I thought this was odd, as most people can introduce themselves the best, right? But, it was so interesting to hear the words they chose to describe each other - much more glowing than most people would use for themselves.

Both Laing and Speare again reiterate that if you're seeking advancement, you need a sponsor. And sponsors and mentors are not the same thing. When looking for a sponsor, you need to choose someone you admire and who has something that you want (skills, connections, etc). But, you can't just say, "Hey, be my sponsor!" Laing suggests also looking for people you can have an authentic connection with, as they will be the most successful advocates for you.

Marie Klawe, President and Professor at Harvey Mudd, and Christine Alvarado, Assistant Professor at Harvey Mudd, met when Klawe joined Harvey Mudd as president. Alvarado was surprised to discover that Klawe had already heard about her, a measly second year associate professor. Klawe had heard of Alvarado, because of her energy and the women's programs she was starting.

When Alvarado joined Harvey Mudd in 2005, their CS department was only 12% women - not unlike the rest of the US. Between her efforts, and Klawe putting them in overdrive when she joined, they are now up to 40% women!

Some of the things that they do - they bring first year undergraduates to this conference, even non-CS majors. This encourages more women to join the department and helps to retain them, as they are able to build a network.

Silberman and Gates go all the way back to when Gates was still in school, and they kept in touch. When he wanted to hire her, they actually met up at a TGI Fridays in an airport. He hired Gates and has been her sponsor ever since.

Gates wanted to make it clear that Silberman wasn't just watching her and taking her to the next promotion level - she asked him. Now she's a Distinguished Engineer at CA technologies, but quipped that she's still not sure what she wants to do when she grows up. ;-)

An observation from the panel was that men and women don't necessarily think differently, but they do tend to act differently. Men have been conditioned since they were 5 to show off and try to top everyone around them. Some professors can find that type of thing annoying, when a student is constantly trying to one-up them - but they are certainly noticed.

Speare recommends She Wins, You Win : The Most Important Rule Every Businesswoman Needs to Know and Overcoming the Five Dysfunctions of a Team: A Field Guide for Leaders, Managers, and Facilitators (J-B Lencioni Series), to learn more about fixing your teams and fixing them with women. :-)

A question from the audience asked how you prevent things from looking like favoritism. Laing said this is why he recommends finding a sponsor that is not in your direct reporting line of management - they could even be at a different company! Another panelist noted that this is a reason to have more than one sponsor.

Klawe notes that she'll mentor just about anyone she has time for, but will only sponsor people that she truly believes in, so that when she tells everyone about the sponsored accomplishments, nobody will be able to deny the value of it.


GHC: Anita Borg Change Agent Winners

This year's ABI Change Agent award winners are Marita Cheng (Robogals) and Judith Owigar (Akirachix). It's unusual to see two winners, but these young women are so fascinating, I can see how they got two!

The Small Victories
Presenter: Marita Cheng (Robogals)

Marita Cheng graduated in the top 0.2% in her country from high school, and was sought after by many schools. Her parents wanted her to study medicine, so she'd have a nice, steady job. Cheng wasn't interested, though, so she found she couldn't answer any of the questions during her biology review - but the reviewer did suggest she follow her passion, engineering, instead of what her parents wanted her to do.

So, her career as an engineering student began. Cheng only knew two other girls from her small home town entering engineering, and thought this must just be because she was from a small town. That view was shattered when she actually arrived at school and couldn't find any women.

Cheng surveyed friends and others to try to figure out why this was. Through all her research, she discovered that middle school aged girls are not getting enough exposure to engineering - and Robogals began!

Cheng and her volunteers started teaching 10-14 year old girls how to build robots using the Lego Mindstorms during Australian school holiday in July.
Robogals now has 17 chapters in 6 countries, has taught over 3000 girls about engineering and uses 1000 student volunteers.

Why 10-14 years old? It's the best time to capture their interest so that they still have enough time to get the right pre-requisites to explore engineering in university.

The charity is fully student run! Right now just in Australia and New Zealand, UK and Europe - will be expanding to the US in 2012.

And, yeah, Cheng is still a student, too! Wow!

Where Did All the Girls Go?
Presenter: Judith Owigar (Akirachix)

Judith Owigar is from Nairobi and, while studying in Kenya, discovered a great dearth of other African women studying engineering, and she wanted to fix this.

Africa really lacks infrastructure - no land lines, DSL, etc. Mobile phone technology has really changed the picture - giving more people a chance to connect in Africa.

In Kenya alone, they have 25 million mobile subscribers (64% of the population), and 12.5 million Internet users - mostly accessed via mobile phones. So, anything AkiraChix wants to do needs to be accessible via mobile phones.

The organization seeks out women already in tech to train them to do outreach, give them networking opportunities and set them up with high school girls that they can mentor.

Owigar believes that having more technical women in Africa can help end poverty. Education is the key to a successful life ahead. I've heard so many other people talk about this - more educated women have more control over how many children they have and their ability to feed and educate their children. That's how you end the cycle!

AkiraChix has been training high school girls in Java - and some of their former students are already developing software for Android!

Owigar is seeing more results: girls are forming tech businesses, going into new higher paying jobs, becoming more confident, expanding their network and staying in tech.

Both really inspired me! Small changes are making a big difference already!


Exciting Crypto Advances with the T4+ processor and Oracle Solaris 11

I'm sure you all heard about the T4 launch in September, announcing the latest and greatest in the SPARC hardware line. These systems add a number of new features, but I'm going to focus on the ones that are related to cryptography.

UPDATE 4/2016: Everything in this document additionally applies to Oracle Solaris 11.1, 11.2, and 11.3, and all of the Oracle SPARC chips we've released since T4! This includes our latest launch of Oracle SPARC M7/T7. While the underlying crypto instructions have been very stable we, of course, have continued to tune performance and tweak mode support. Since 11.2 we have additionally supported Camellia, which is also optimized by Oracle SPARC T4 and newer platforms! I've updated the document throughout to note T4+.

The Cryptographic Framework feature of Oracle Solaris was first included with Oracle Solaris 10.
Our focus was always to provide highly optimized algorithms to the rest of Oracle Solaris, so that the entire operating system could take advantage of the best cryptographic performance available.

At that time of the initial release of Oracle Solaris 10, there were no standard CPUs with cryptographic cores, but as the SPARC T series chips were developed, we always made sure to have a driver plugged into the Cryptographic Framework that would give the Cryptographic Framework consumers access to these devices.

But things have changed with T4+. These chips have made crypto a part of the core instruction set, accessible via nonprivileged instructions. That means there are no drivers required to enable hardware assistance for cryptographic operations. Applications access these instructions just like any other basic CPU instruction. That's right, crypto is now just a basic service provided by the CPU.

What does this mean? Well, before, in order for an application to access hardware crypto on a T3 system, the stack would look something like this: application -> libpkcs11 -> pkcs11_kernel -> IOCTL interface -> n2cp (7D) -> hypervisor -> crypto unit.

Now the stack will look more like this: application -> libpkcs11 -> pkcs11_softtoken -> CPU.

The one notable exception for this is the hardware random number generator (HW RNG), which still is only directly accessible via hyper-privileged registers through the n2rng driver. You can access this via /dev/random and /dev/urandom, as well as through the Cryptographic Framework's libpkcs11. See random(7D), n2rng(7D), and libpkcs11(3LIB) for more details.

With all of these changes, we're able to even more highly optimize the performance of cryptography on Oracle Solaris 11 and newer.

Algorithms Included

A primary goal of the Cryptographic Framework is to provide Oracle Solaris with highly optimized algorithms, and we made no exception for this release.

In Oracle Solaris 10 Update 10 (08/11), AES, DES, DES3, MD5, SHA1, SHA2 (SHA256, SHA384, SHA512), RSA, and DSA are all accelerated by T4+ crypto instructions for all supported modes of operation. To access these via libpkcs11 (3LIB), you'd use the standard PKCS#11 mechanisms listed below [1].

If you additionally download patch 147159 for Oracle Solaris 10 Update 10, you'll get further optimizations for AES-ECB, AES-CBC, AES-CTR, AES-CFB128, and MD5, SHA1, and SHA2.

In Oracle Solaris 11, we have all of those optimizations, plus optimizations for DES and 3DES, as well as optimizations and support for AES-CCM and AES-GCM.

To access these optimizations on Solaris 11, you need to change nothing. We've made all of the code changes necessary in the Cryptographic Framework for you. Your applications that use the Cryptographic Framework (see the Consumers section below for many examples) will take advantage of our optimizations and the T4 hardware right out of the box.

OpenSSL engine

UPDATE 4/2016: The OpenSSL T4 engine no longer exists, since our friends at OpenSSL have inlined all of the T4+ instructions into the main source tree! Thank you! Misaki wrote up a great blog describing this.

In Oracle Solaris 11 on a T4 system, you'll notice a new OpenSSL engine called t4. The t4 engine allows OpenSSL to access the optimized T4 crypto instructions directly, without needing to go through PKCS#11. The t4 engine is on by default, if the underlying processor supports those instructions. Nothing for you to do.

If you're still running Oracle Solaris 10 Update 10, you'll still need to set up your application to go through the pkcs11 engine, and make sure you apply patch 147707.

For example, if you're using Apache Web Server on Oracle Solaris 10 Update 10, or on Oracle Solaris 11 (in order to get the RSA accelerations) you'll need to set this line in your ssl.conf:
SSLCryptoDevice pkcs11

Consumers and Performance

The consumers of the Cryptographic Framework include: ZFS, IPsec, IKE, Kerberos (user and kernel), libsasl, KSSL (in-kernel SSL), OpenSSL, SSH, Java JCE, libsnmp, lofi(7D), and the Oracle DB, as well as anything that accesses libpkcs11(3LIB).

Just a note about Java: T4 and newer processors are treated the same way as T2, T3 and Intel - you need to go through the Java JCE provider. UPDATE 4/2016: Java has started taking advantage of SPARC T4+ crypto acceleration directly. Currently in JDK8u40, Java accelerates generic AES, SHA1 and SHA2. Keeping up-to-date on JDK8 patches will provide the best out-of-the-box performance.

And the Oracle Database? Uses our optimized T4 functions right out of the box (v and newer).

Do you want to see just how much our performance optimizations get you on T4? Click on any of the hyperlinked consumers above to see their specific performance gains on T4, or navigate on over to BestPerf to see the latest and greatest numbers.

With the exception of the extra steps required on Oracle Solaris 10 Update 10 for OpenSSL to obtain access to the optimized functions that use the T4+ instructions, there is nothing for the administrator to do to get access to this acceleration. It simply works right out of the box.

How do I know if I'm using this?

Accessing these instructions does not require a driver, so there are no kstats to indicate how often any of these instructions are being used. At this time, it is not possible to obtain data from the Operating System regarding execution counts for nonprivileged cryptographic instructions.

UPDATE 4/2016: There is a hardware counter, but it also includes a bunch of floating point operations as well. Dan Anderson wrote a blog about detection that has been updated since we removed the OpenSSL T4 engine (in favor of simpler inlined instructions).

[1] PKCS#11 mechanisms used for accessing T4+ crypto instructions via libpkcs11 (3LIB) in Oracle Solaris 10 Update 10 and Oracle Solaris 11:


UPDATE 4/2016: As of Oracle Solaris 11.2, we also include the following hardware assisted mechanisms:  CKM_CAMELLIA_CBC, CKM_CAMELLIA_CBC_PAD, CKM_CAMELLIA_CTR, CKM_CAMELLIA_ECB, CKM_CAMELLIA_KEY_GEN.


GHC: Anita Borg Technical Leadership Award Winner

This year's ABI Technical Leadership award winner is Mary Lou Soffa, from the University of Virginia. Her talk was titled "My Dance with Research: An Ode to my Graduate Students"

Dr. Mary Lou Soffa has graduated a bunch of PhD and MS students, half of whom are women and/or minorities - impressive! Thirty-two PhD students alone (half women).

Dr. Soffa has been so inspired by her own graduate students, they keep her on her toes (she's got to make sure she's reading all of the latest publications in her area), lead her research in unexpected directions and challenge her on a regular basis.

One of her favorite things about being a professor has been mentoring. When she saw what a big difference she could make with just one student with just a little extra time, she knew this was something she had to pursue.

She's noticed a consistent pattern between her male and female students - for example, when a male student's paper is rejected, he believes the program committee is full of idiots. When a female student has her paper rejected, she believes it's because the paper was just junk. Hrm, gets back to yesterday's keynote about men overestimating their own accomplishments.

Dr. Soffa draws parallels to some of her favorite dances for how different students work - like the Swing - all over the place (she must remind them to focus, focus, focus!!), or Hokey Pokey - coordinated and works well with others.

Dr. Soffa had quite a windy path to becoming a computer scientist! She started out in maths, tried sociology, philosophy, environmental acoustics - all in PhD programs, before discovering computer science (via a course required by her environmental acoustics studies).

Not only does Dr. Soffa metaphorically dance with her students, they do so with each other as well. She took us through a cool graphical adventure about how each of her students' work influenced each other, even years later, as well as the general computing world. For example, one of her first students' work went into the C++ language.

Dr. Soffa's students' work on code analysis is now being used to find vulnerabilities in code in a safe lab environment.

One suggestion Dr. Soffa had for one of her students, who was always rushing to implement things and not thinking through the designs, was to sit in a room for four hours and just think. No laptop, no cellphone, not even any paper. Just think. She said there are so many interesting ideas you can come up with in the silence of your mind. Might have to try this, but when could I have four hours to do this? Maybe just starting small.

It sounds like she's just had a blast in academia, anyone thinking about pursuing a PhD should look to have her (or someone like her) as an adviser. Student success, learning new skills (for students and herself), and moving research forward are so important to her. What an inspiring woman!


GHC: Friday Keynote

This morning's keynote: The Honorable Shirley Ann Jackson, Rensselaer Polytechnic Institute. The first African American to get a PhD from MIT and the first African American woman to head up a national university, among many other firsts.

Dr. Jackson joked that it's often easier to get two computer scientists to communicate, even from across the world, than it is to get a CS person to communicate with a salesperson in the same room. :-)

She notes, more seriously, how important science is to communicating on a global perspective. It's a way to grow, think, interact and imagine. The digital world has shrunk the world, allowing people from radically different cultures and disciplines to work together.

Overcoming communication barriers is so important for helping to bring solutions to the international marketplace. Realize that some women may see three different colours: azure, teal, aquamarine... a man may just see green. Choose your words carefully and respect those you're talking to. Listen and be prepared to sort out conflicts.

Another barrier to communication is cognitive biases. To best be able to collaborate, we need to go in with trust and assume that the others at the table are also honest and looking for sincere collaboration.

As technologists, we need to learn how to take data and show it in a way that can touch the general public - humanize it.

Expand this idea to social cognitive networks. There is so much here that can still be explored, how can we apply this? Will it allow us to make wiser choices? Communicate with others better? Or perhaps just be really cool :)

When we start to add sentience to the network, we're again back to trust. Having trust is easy, validating that your trust is well placed is hard.


Thursday, November 10, 2011

GHC: Senior Women's Summit

The day-long session started out with some great tips from Jo Miller, talking about our brand again and getting us brainstorming about what things we think are holding us back. Jo had a recently published article on the Anita Borg site that talked about the difference between a sponsor and a mentor. A sponsor or advocate is someone that stands up

After lunch, we sorted ourselves by industry and academia, as well as by goals (Industry Individual Contributor vs Executive tracks), and I had a tough call to make. Do I want to pursue the DE track? Or management? Then Jo Miller reminded me that this is just a networking and learning exercise - why not get exposure to people I don't have access to now? So, I sat down with an executive from American Express. :-)

Then we got a wonderful panel of very senior women that told us about their paths.

Moderator: Sabina Nawaz, Executive coach and organizational development consultant; CEO, Nawaz LLC


  • Nora Denzel, Senior Vice President, Big Data, Social Design and Marketing, Intuit
  • Jamie Erbes, HP Fellow and Director, Services Research Lab, Hewlett-Packard Labs
  • Ann Gates, Associate Vice President of Research and Sponsored Projects, University of Texas at El Paso
  • Leah Jamieson, The John A. Edwardson Dean of Engineering and Ransburg Distinguished Professor of Electrical and Computer Engineering, Purdue University
Leah Jamieson has been the Dean of Engineering as well as a professor at Purdue University for 5 years, and has found it to be a rewarding and demanding task - she's had to learn how to balance looking forward and looking up, while still taking care of everything beneath her - as Dean, there are a ton of responsibilities.

Ann Quiroz Gates talked about making sure you stay active in your communities, for her that means IEEE. You need to be able to articulate what you need, and be ready to make a case for what you bring to the table. Don't just be the squeaky wheel - show what someone is going to get in return.

Nora Denzel said she actually had a really fast rise into the executive ladder - just 15 years! HP actually sent her back to school to get her MBA. Her advice? "I strive to make sure I'm not the smartest person in the room - be comfortable with being uncomfortable." How else can you grow? She believes that sometimes the biggest thing that holds us back is our own minds - grow your network, worry about doing a good job and not necessarily make everyone like you.

Jamie Erbes said she thought she herself is her biggest roadblock sometimes. For example, at HP you have to apply for fellowship - and she kept not doing it. One year, as the deadline approached, executives and other fellows kept coming to her and asking her why she hadn't submitted her application, yet. She didn't think she was worthy, but after enough people asked her

Jamieson notes the importance of picking a clear communication style and making sure it works for the job you're aiming towards.

Several of the panelists mention how times were rougher when it came to networking in the 80s, like Erbes being left in the car when the rest of her co-workers went to a strip club. Fortunately, that type of thing would not be considered acceptable behaviour.

Denzel and Jamieson both stress how important it is to show agility. While working for the same boss for 10 years may show your loyalty, it doesn't necessarily show your ability to learn new things quickly. This is a weird one for me - I've worked in such a large company for so long, but my job is always changing. My LinkedIn profile is full of all sorts of different jobs, even though it was always the same person writing my paycheck. Does that show agility? Does the fact that I like a steady paycheck and stability of having health insurance mean that I'm not willing to learn new things? Probably not, but it's something to be sure that I can present well that it's not just one job.

Advice from the panelists on your brand (after being asked by the audience what their brand was) was to do a "360 review" and see what people think your brand is - it could help you better align what you're doing, or motivate changes if it's not something you like.

After the panel, we all got to sit down at a table with a senior executive from major companies and ask anything we wanted. I even got to practice my elevator pitch with an exec from Adobe, and she gave me some great tips to improve. Then we did some more speed networking, then threw our biggest "want" on the wall and people signed up to help us. I definitely have things to follow up on here!

More on that later!


GHC: Thursday Keynote Sheryl Sandberg

Our keynote speaker is Sheryl Sandberg, from Facebook.

Sheryl Sandberg has the tough balancing act between providing connections and protecting privacy. The best career advice she ever got came from Eric Schmidt, after she was leaving government and entering industry, and he offered her a position as general manager of Google. To Sandberg, that GM position was nothing, and she didn't want it. Schmidt told her "Stop being an idiot, all that matters is growth. If you go to a company that is growing, it doesn't matter what you're doing."

In the US, we have a huge unemployment rate, with fears that this is not a temporary problem, but Sandberg doesn't see this in tech. She said every technology firm she knows is hiring and growing. Technology jobs are the exception.

Sandberg admits that she's not a computer scientist, not even very technical, but she is a woman, so finally decided she felt qualified to do the keynote at Grace Hopper. She said she would be better at her job if she were more technical, and doesn't think that someone could do her job in the future unless they were technical.

STEM jobs pay more across the board, but women still only make 86 cents per dollar for the same job, compared to men with the same qualifications.

In order to have leaders in the future, we need more women to join STEM careers. But, in order to do that, we need to attract them to the programs and make sure they stay in. This has been accomplished at Harvey Mudd - gone from 12% women in CS to 40%.

But, we're losing ground in leadership roles. Women are not getting promoted, women are losing seats in congress.

Seventy percent of the people in poverty are women. Women are still the property of their husbands. This type of thing just cannot go on.

Sandberg has 5 pieces of advice for staying in a career in CS and in a career in

1. Believe in yourself

The best talk she'd ever attended was "Feeling like a Fraud" (Imposter Syndrome, now). When she mentioned it to male colleagues, they didn't get why it would be interesting. Men, time and time again, overestimate their achievements - women undervalue. Men attribute success to themselves. Women, to working hard, help from others, and being lucky.

Raise your hand, even when you're not sure you can do it - because there's a man next to you that is raising his, and he's not necessarily any more qualified than you are.

You need to sit at the table, or opportunities pass you by.

When Sandberg gave this talk at Facebook, she said she had time for two more questions as they were short on time. Later, a woman came by her office and said she learned something. Sandberg felt pretty awesome, so asked what it was. The employee said, "I learned to keep my hand up". Huh? Well, Sandberg said she'd only take 2 more questions - so after the second question was asked, all the women put their hands down. Because there wouldn't be any more questions. But, that's not what actually happened - Sandberg continued to take more questions - from the men. Several more.

Sandberg noted that if she didn't notice this, as a woman while giving this talk, how could we possibly expect our peers, managers, leaders to notice us if we aren't raising our hands?

2. Dream big

We have an achievement gap - until we close this gap, we won't have more women in these top fields. As men get more successful, men and women like them more. As women get more successful, men and women like them less! Huh? So, we, as humans, want to be liked, so we may not be as ambitious - may not seek those top positions. What if we had 50% of power positions filled by women? We couldn't possibly dislike 50% of our leaders. Sandberg believes that the solution to this problem is simply more women in computer science, more women at the top.

3. Make your partner a real partner

If you want to succeed - you have to have a real partner. You can't rise to the top and still be in charge of the majority of the house work and parenting. Sure, date the wrong guy in college, have fun - but marry someone that's going to be a partner. Just like with work achievements, most men overestimate how much time they spend on parenting as well!

4. Don't leave before you leave

Women leave jobs piece by piece. For example, if she is attending medical school, but knows she will be in charge of raising the children - she might pick a less interesting field. If she turns down an interesting job, because she's thinking of having children - she'll feel undervalued and regret missing that opportunity later.

"Lean forward. Always lean forward."
Tech jobs are the most flexible, so they tend to attract women who need the flexibility.

5. Start talking about this

I know what it's like being the only woman in the room. You don't want to remind people about this. "I spent the majority of my career fitting in". Men are jumping at the opportunities, women wait to feel comfortable with the idea of the new career.

Sandberg was advised against doing TED talks about being a woman in tech, told it would ruin her career if she dared to say that men and women were different. In fact, it didn't - it did lead to more women applying for jobs at Facebook.

Sandberg used to work 7AM-7PM, but that's just not possible with children. Sandberg is always home for dinner at 6PM - yes, she's checking email later at night than she used to, but she is doing it.

We need to talk about it - if we don't, things won't change.

"I'm older than most of you in the audience, by decades. I want to tell you something - my generation is not going to change this. You are the promise for equality, and equality is what matters."

What if men were half of the stay-at-home parents? What if we had more women CEOs?

"What would you do if you weren't afraid?"
What an amazing talk - so inspiring!


Wednesday, November 9, 2011

GHC: Workshop: Building Your Brand as a Technical Expert or Leader

I love Jo Miller. She has an excellent grasp of personal brand. And not that cheesy brand thing you hear everyone else talking about, but what do you want to be known for - what do people come to you for. Being well branded helps you to make connections and help others make connections.

Jo gave us a goal to come up with what we want our career niche to be, create a personal brand statement and figure out how to make our brand visible. And this has to be something we can really use.

How does one figure out one's ideal career niche? Well, first, I should stop writing like I'm the Queen (as she's already got her niche figured out for her :-). Really, what are you passionate about, what are your skills and talents, and what does your company need/value? If you can find a place where those things intersect, you may have just found your niche!

When you know your sweet spot, it's easier to choose assignments, mentors and sponsors.

For me, I've been in my field for more than a decade. Back in the late 1990s, early 2000s, I was the firewall expert. I knew all there was to know about the complicated protocols, ins and outs of PASV FTP (passive file transfer protocol, used by browsers), and I rearchitected the SunScreen firewall NAT (Network Address Translation) component. I was nicknamed the Goddess of NAT.

But, as the years have gone on, I've become much more general - focusing on more connecting technologies, like the Oracle Solaris Cryptographic Framework. I'm not a cryptographer, but I know the basics and I know the standards. I'm a great public speaker, all the acting I've done really helps with that. I'm great at making connections and helping people to solve their problems, even if I can't solve it myself. I write good code and debug problems. I design software. I am an expert in defect tracking. Certainly those are useful skills? How do I make that a brand?

It may not be as bad as I think, as when I asked a fellow conference attendee what my brand was, she said: "security, beer and bicycling". Well, that does sum up my passions!

Jo Miller also talks about what happens if you've somehow ended up with a negative brand. One example was a woman who was branded as "high maintenance". The woman was a QA manager and thought she was taking care of problems. She needed to change from being the complainer to being the partner who helps people solve their issues. Something definitely to think about. (side thought of my own: do men have to worry about this?)

Another place you can get caught is as an entry-level or mid-level type person, which makes it hard to get promoted.

While you're still in school, it's easier to create a brand - work hard and get good grades, and you're branded as a good student. But how does that work in the real world? How do you take results and get to reward and recognition? You've got to add visibility!

How can you do this? Jo Miller's first step, strangely, is work less! Huh? Well, if you're always working and never telling people about what you're doing, nobody will notice. This doesn't mean spend 95% of your time evangelizing yourself - you have to have something to evangelize after all. Just spend 5% of your time doing this.

She asks us to write a "30 second commercial" for ourselves. Mine would be, "I'm Valerie Bubb Fenwick, Principal Software Engineer in Oracle Solaris. I'm known for security, beer and ...." oh, wait. Gotta tweak that. "I'm known for security and as the bug queen. Come to me when you need help learning about security, defect tracking, or finding the right person to help you in the Oracle Solaris organization." "and, we can talk over a beer" :-)

So, that just gets us through the first two steps. Once we pull this all together, we need to have a career-planning conversation with our leaders. Yes, that includes your manager, but also others in your organization. Show them your value in the thing you're interested in. And, once you do that - you need to ask for help. Just something as simple as, "Is there anyone else you think I should talk to about this?"

The fourth step sounds so simple: work hard, but on the right projects. How do you know what the right projects are? Something that aligns with your brand or where you'd like your brand to go. And deliver. If you don't deliver valuable results, no matter what else you do, you aren't going to get anywhere.

When picking the project, look for specific roles (as opposed to general ones), ones that push the cutting edge in your field of expertise, executive special projects, and projects that directly support your organization's strategic plan, expose you to a new department, and demonstrate a higher level of technical, business or leadership skills.

Now, on to speed networking!


GHC: PhD Forum 1: Hardware and Security

Intelligent Cache Management for Reducing Memory System Waste

Presenter: Samira M. Khan (University of Texas at San Antonio)

Caches are just not efficient: if there's a cache miss, hundreds of extra cycles of delay are added. Processor performance is doubling every 18 months, but memory performance is only doubling every 10 years! It just can't really keep up.

Most of a microprocessor's die area is cache, but caches aren't efficient. Using the cache efficiently is important to improve performance and reduce power. The problem is dead blocks - blocks that are not even getting used. Up to 86% of blocks in the cache are dead at any one time.

This is caused by the most recently used cache management policy, so many blocks simply go unused. Khan's research was based around predicting which blocks were going to be dead, taking advantage of them, and changing the replacement policy, reducing the power requirements of the system.

Usable Security and Privacy Policy Management

Presenter: Maritza L. Johnson (Columbia University)

Johnson's research is around access control and policy management. She started out with some real world examples, like how all of us are wearing Grace Hopper Conference badges, which grant us access to this session.

Johnson's next slide was the Confidentiality, Integrity and Availability triangle, which she used to discuss the balance involved in read/write access to files, an everyday problem in shared environments. To properly approach this, there needs to be a constant cycle of evaluation, analysis, and design. You can't just come up with a design and be unwilling to modify it, as needs and usage may change.

As users of Facebook, we're all access control managers, as well. Johnson and her colleagues did their research around Facebook, as it's so open and available for studying.

A question the research sought to answer was: are users' Facebook privacy settings correct? This is hard to know fully, since it depends on what each person's intent was, and each person has a different level of information they feel comfortable sharing.

They developed an application to look for potential violations between what the user intended and what they got. For example, if someone shared publicly "I'm at work. I'm just laying on these chairs until my boss..." ... should that really be public?

The research had participants use an app, tell it what type of information they wanted to share, and then let it study what happened over a period of time; it then showed the users what it believed were violations of their policy. Many of these were confirmed to be violations, yet users still didn't want to change their privacy settings.

The ideal setting for most users is actually to just share with friends only.

Detecting Stealthy Malware Using Behavioral Features in Network Traffic

Presenter: Ting-Fang Yen (Carnegie Mellon University)

Yen started out with a great background on what a botnet is: infected hosts with a subtle command & control system that are doing malicious activities. One single botnet has 3.6 million hosts - combined, they have more computing power than the top 500 supercomputers.

A botnet may have a centralized control, where all infected hosts get their commands from a central control computer, but many have peer-to-peer control.

Previous work in this area looked for a signature of a botnet to identify new infections. Similar work is done by mapping behaviour of a botnet.

Botnets are becoming more sophisticated, but our current techniques are just not keeping up.

Yen's research was around finding previously unknown bots. One way of doing this builds on research showing that most hosts use a consistent amount of network traffic on a daily basis - if that traffic suddenly rises, or happens during odd hours, the host may be infected. Bots also use consistent payloads - so look for a lot of similar communication.

Peer-to-peer botnets tend to blend in, traffic wise, with other, normal peer-to-peer traffic. The research noticed, though, that the timing of botnet packets is too regular - it is not being driven by a human.
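To make the two heuristics from these notes concrete (machine-regular timing and repeated payload sizes), here is an added example that scores per-host outbound flows; it is not code or data from Yen's talk, the flow records are constructed, and the thresholds are assumptions chosen for illustration.

```python
"""Timing-regularity and payload-uniformity checks over constructed flow records.

Added example illustrating the heuristics in the notes above (machine-regular
beacon timing, repeated payloads); not the talk's own code or data, and the
thresholds are assumptions chosen for illustration.
"""
import statistics
from collections import Counter, defaultdict


def build_sample_flows():
    """Construct sample flow records as (timestamp, src, dst, payload_bytes).

    These are made up for the example, not captured traffic."""
    flows = []
    t = 1_320_796_800  # arbitrary fixed epoch start for the constructed sample
    # Beaconing host: same peer every 60 s with an identical 512-byte payload.
    for i in range(10):
        flows.append((t + 60 * i, "10.0.0.5", "198.51.100.9", 512))
    # Human-driven host: irregular gaps and varied payload sizes.
    gaps = [0, 3, 45, 120, 7, 300, 12, 90, 20, 15]
    sizes = [1400, 230, 980, 64, 3100, 512, 770, 205, 1280, 640]
    ts = t
    for gap, size in zip(gaps, sizes):
        ts += gap
        flows.append((ts, "10.0.0.7", "203.0.113.4", size))
    return flows


def interarrival_cv(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between flows.

    0.0 means perfectly periodic; human activity is bursty and scores high.
    Returns None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def payload_uniformity(sizes):
    """Fraction of flows whose payload size equals the most common size."""
    (_, top_count), = Counter(sizes).most_common(1)
    return top_count / len(sizes)


def score_hosts(flows, cv_threshold=0.1, uniformity_threshold=0.8, min_flows=5):
    """Return {src_host: [reasons]} for hosts whose outbound flows look bot-driven.

    Thresholds are illustrative assumptions: a CV below cv_threshold is treated
    as machine-regular, and uniformity at or above uniformity_threshold as a
    fixed payload. Hosts with fewer than min_flows records are skipped."""
    by_host = defaultdict(list)
    for ts, src, _dst, size in flows:
        by_host[src].append((ts, size))

    findings = {}
    for host, records in by_host.items():
        if len(records) < min_flows:
            continue
        reasons = []
        cv = interarrival_cv([ts for ts, _ in records])
        if cv is not None and cv < cv_threshold:
            reasons.append(f"inter-arrival CV {cv:.2f}: timing is machine-regular")
        uniformity = payload_uniformity([size for _, size in records])
        if uniformity >= uniformity_threshold:
            reasons.append(f"{uniformity:.0%} of flows carry the same payload size")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in score_hosts(build_sample_flows()).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample only the 60-second beaconer is reported; real peer-to-peer traffic would need the thresholds tuned against a baseline of known-good hosts.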


Monday, November 7, 2011

GHC: Excited about presenting!

I'm getting really excited about the Grace Hopper Celebration of Women in Computing - I fly to Portland tomorrow. I've got my schedule put together [1], and the slides for our presentation posted on the GHC Wiki.

I'm thrilled to be presenting with Radia Perlman (Intel), Terri Oda (University of New Mexico), and Lindsey Wegrzyn (Adobe) - such an esteemed group of women. We're presenting on modern day security attacks and how to protect your privacy online. This isn't going to be a highly theoretical talk, but one that helps technically savvy people understand the sometimes tricky environment we all work in every day.

We're presenting on Thursday, November 10th 11:30AM-12:30PM Convention Center – B113-115. Come and check us out!

What talks are you most interested in seeing?

[1] Unlike most conferences where you have a choice between an invited speaker track and refereed papers - the Grace Hopper Celebration of Women In Computing has EIGHT simultaneous tracks. If you haven't spent time at least narrowing down which track you want to attend for each session, you won't really have time to figure it out on the fly and will likely end up in a track that isn't as interesting to you as some of the others. Btw, you can switch to different tracks throughout the day.

Thursday, November 3, 2011

Wow, Ten Platelet Donations This Year!

And it's only just November!  I got an email this morning from the Stanford Blood Center telling me that last night's platelet donation was my tenth of the year. I still have 4 or 5 more appointments scheduled, so as long as I can stay away from sick people, hopefully I can get to 15 by the end of the year!

Why do I give platelets? First of all, I can give more often - once every 72 hours (though a maximum of 24 times a year). Platelets are also the most precious component of the blood - when they take platelets from you at the center, they use an apheresis machine that puts the red blood cells back in your body. The platelets are needed for premature babies and cancer patients, among other critical need patients.  I've had enough friends and relatives that were very sick and needed platelets, so I want to make sure the blood bank always has plenty on hand.

Unfortunately, platelets don't have as long of a shelf life as regular blood - so, it's a good thing I can give more often!

I'm going again in a couple of weeks (November 14th at 5:30PM in Mountain View) - who wants to come with me? If you've never donated platelets before, you'll have to donate whole blood and get tested to see if you have enough spare platelets in your blood stream to donate.


Wednesday, November 2, 2011

Using Twitter and LinkedIn at Conferences

For those of you that don't also follow the Grace Hopper Bloggers blog, I wrote two posts there recently on getting the most out of LinkedIn and Twitter for conferences.

As I've been managing the Anita Borg Institute for Women in Technology group and the Grace Hopper subgroup for more than a year, each with thousands of members, I've come to learn a thing or two about what makes a good profile and what makes you look like a spam troll.  If you're interested, wander on over to GHCBloggers and check them out.

And what makes me an expert on Twitter? Um... 7500+ tweets?

Did I miss anything?

Monday, October 31, 2011

Oracle Solaris 10 Encryption Kit has moved

The Oracle Solaris 10 Encryption Kit has moved from the Sun Download Center to the Oracle Technical Network. This package is only for older Solaris 10 systems, prior to release Solaris 10 09/07 (aka Update 4). All newer versions of Oracle Solaris have the larger key sizes installed on the system by default.


Sunday, October 30, 2011

Levi's Gran Fondo Wrap Up

Mark and our friends were fortunate enough to have spots in the Levi Leipheimer Gran Fondo earlier this month.


For you non-cyclists out there, that means they got a spot in the 100 mile, very hilly, bicycle route.  Due to my injury last year, I didn't sign up. So, I could sit at the festival all day while I waited for Mark and the gang... or be useful. This year, I chose to be useful.


I volunteered at the Ocean Song water station, where we provided water, electrolytes, and toilets to very tired riders who were 80 miles into their ride and had just completed a nasty climb. (except those on the Medi-fondo route, who were 43 miles in... but had also just completed that same nasty climb!)


This woman just amazed me - she had pedaled up that hill on a cruiser, complete in her custom made cycling outfit - with the Fondo embroidered on it!

Best of all, I got to meet Levi himself (again). He is just the nicest guy you'll ever meet, always willing to pose for a picture.

Me and Levi!

Mark and Rod made it to the rest stop eventually:


And, finally, we ran into Levi again at the festival. Super nice guy that he is, he posed for another picture, this time with Mark.

Mark and Levi

Friday, October 28, 2011

Are you Going to Grace Hopper?

The Grace Hopper Celebration of Women in Computing is less than two weeks away!
Do you have a blog? Are you planning on taking notes of the sessions you attend on your laptop? Please consider sharing your blog entries and notes on the Grace Hopper wiki. For more details, please see Charna's latest post, and sign up for the sessions you're planning to attend.

The Grace Hopper Celebration of Women in Computing is less than two weeks away! Are you ready? I'm not, but I'm getting there.

Monday, September 26, 2011

Oracle Open World is Next Week!

I can't believe another year has passed - Oracle Open World is just next week. What makes this extra exciting? Attendees will get their first official peek at the final Oracle Solaris 11 release.  Both Larry Ellison (Sunday) and John Fowler (Tuesday) will be talking about it, as well as 15 sessions and meet the experts Monday through Friday.

Are you planning to attend?

Friday, September 23, 2011

Grace Hopper Conference is just around the corner!

I can't believe the Grace Hopper Celebration of Women in Computing is coming up in November! So soon! Oracle is a silver sponsor of the conference this year, and there are several women from Oracle that are presenting!

Again this year, I'm on the Communities Committee, but this year I'm co-chair! We make sure that major sessions are both blogged and have notes taken, encourage people to tweet, blog, and share on facebook.

I'll also be presenting "Security Attacks, Countermeasures and Protecting Yourself Online!" with Terri Oda, Radia Perlman, Satwant Kaur, and Lindsey Wegrzyn. We've only got half an hour, so it'll be hard to pack it all in, but I know we'll manage. Better start working on our slides... :-)

Are you coming to the conference? Willing to blog or take notes?


Tuesday, September 20, 2011

Palo Alto Players: Nunsense with a Twist!

This weekend, we went to go see Palo Alto Players' production of Nunsense with a Twist. There are quite a few versions of Nunsense out there, but this was the first one I've seen. The twist, in this case, was that Mother Superior (Sister Mary Regina) was played by Chris Blake... and Chris is not short for Christina. :-)

The basic premise is the nuns are short on cash for a very important project and they are doing a fund raiser, which explains why they are all on stage and singing. Hilarity, of course, ensues, as the show goes on and things just keep going wrong.

What I loved most about this production is that there was no mention or issue made of the fact that Mother Superior was being played by a man... Mr. Blake wore the same shoes as the rest of the ladies and the same habit. They didn't tart him up nor did Mr. Blake act like a man in drag. He was, quite simply, just Mother Superior.

Okay, not "just" - Mr. Blake brought wonderful physical comedy to the show, peppered in his priceless expressions throughout, and even sang wonderfully.

All five cast members were a joy to watch and brought something unique to the production, particularly Charlotte Jacobs as Sister Robert Anne, who really shined in "Growing up Catholic" and "I Just Want to Be a Star".

The show also featured great performances from Juanita Harris (Sister Mary Hubert), Jennifer Martinelli (Sister Mary Amnesia) and Jennifer Gregoire (Sister Mary Leo, the ballerina nun).

Of course, these actors did not direct themselves, nor choreograph their own dances! The wonderful staging and delightful dance numbers deserve kudos as well! Mark Drumm directed and Alexandria Kaprielian choreographed.

I loved that the band was behind the performers, as this theater, like so many poorly designed theaters in the bay area, has no pit for the orchestra. Even behind them, none of the cast struggled with tempo or cut-offs. Definitely a well-oiled machine, kudos to band director Matthew Mattei.

Excellent lighting, of course, as Ed Hunter was behind lighting design, as he is for many shows that I've seen, performed in, or merely heard great things about. (When Mr. Hunter is not lighting a show, he may be playing cello in the orchestra. Definitely a love of theater!)

My only complaint would be about the slow start to the show, which had some awkward audience interaction at the top. I believe they were delaying due to late comers for the show, as parking was particularly difficult that night. Once the show actually started, with Sister Robert Anne welcoming us all to the theater, it was a delight.

One other small nit: On the back page of the program, along with the donation envelopes, there was a bizarre lack of apostrophes. For example, they have a "Producers Circle" level of donors. Instead of either "Producer's Circle" or "Producers' Circle" (depending on how many producers own the circle). Hopefully they'll get that cleaned up for the next production. Maybe I've just been reading Cake Wrecks for too long ;-)


Thursday, September 8, 2011

Mary Ann Davidson on Security Auditors

Mary Ann Davidson, Chief Security Officer at Oracle, has just published an outstanding article, Those Who Can't Do, Audit, on companies that are now offering static code analysis as a service and why Oracle won't be turning over any of our code to them. Here at Oracle, security is a core part of every product.

While I do work in the Oracle Solaris Security team, we work on software that is typically seen as performing security-based services. For example, I work on the Oracle Solaris Cryptographic Framework - we provide hardware optimized cryptographic algorithms to applications and the rest of the operating system. A pretty standard security function. But secure coding standards, in-house static analysis, and security considerations need to be a part of the development of the entire operating system.

I think Ms. Davidson said it best: "Oracle cannot – does not – outsource security."


Wednesday, September 7, 2011

Bugs in my oatmeal

I made a bowl of oatmeal this morning, threw some fresh blackberries on it, and was about to pour milk on top, when I noticed some movement out of the corner of my eye in the clear plastic container we keep the oatmeal in... at first, I thought it was an ant, and wasn't too creeped out. Then I noticed more. I remember getting these things in our flour when I was a kid, though our flour wasn't in an airtight container. All the same, I couldn't eat the oatmeal I had just made (though I did salvage the blackberries).

I'm going to pretend that the bugs (and larvae) weren't in there yesterday when I did eat that oatmeal.

Guess we get to clean out our pantry tonight! Ah, so nice to be back from vacation.... ICK!


Friday, August 12, 2011

USENIX: Applied Cryptography, Refereed Papers

Differential Privacy Under Fire
Andreas Haeberlen, Benjamin C. Pierce, and Arjun Narayan, University of Pennsylvania.

There is a lot of data out there that is very important that we try to protect. For example, Netflix knows what movies you watch. Users rate movies in Netflix so that Netflix can make recommendations, but they don't necessarily want to share that information with the rest of the world. Simply replacing people's real names with pseudonyms is not enough, because if people know enough about you, then they will still be able to identify you from the available data and learn even more about you.

Even with protections, people can take advantage of timing attacks where they know the data must be in there, just based on how long the system took to reply to the query.

So, how can we avoid leaking information via query completion time? Their suggestion is to make timing predictable - so regardless of how long the query takes, always return after a constant time. That may mean padding on a delay, or aborting part of the query and returning an error.

By aborting the query, that could actually change the result, but the researchers say that's okay, because the default values will be set to what was expected if the lookup had completed (in this case 1, for true).

Their proposed solution, Fuzz, will pad this time in there, which sounds like it will solve the timing attack, but may make your transactions unacceptably slow, in my opinion.
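The pad-or-abort idea from the notes above, as an added example that is not code from the paper or from Fuzz: every call returns after the same budget, a query that finishes early is padded, and one that overruns is abandoned in favour of the expected default. The budget and default values are assumptions.

```python
"""Constant-time query wrapper: pad early answers, abort late ones with a default.

Added example illustrating the timing-channel defence described above; it is not
code from the paper or from the Fuzz system, and the budget and default values
are assumptions.
"""
import threading
import time


def constant_time_query(query, budget, default):
    """Run `query()` and return (value, elapsed) after about `budget` seconds.

    The reply time no longer depends on the data: a fast query is padded up to
    the budget, and a query that overruns is abandoned and `default` is returned
    instead (the paper's example default is 1, for true). The abandoned worker
    keeps running in the background here; a real system would also cancel it."""
    result = {}

    def worker():
        result["value"] = query()

    start = time.monotonic()
    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(budget)  # wait at most the budget

    value = result["value"] if "value" in result else default

    remaining = budget - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)  # pad so every reply lands at the same time
    return value, time.monotonic() - start


def fast_query():
    """Stands in for a lookup that completes well within the budget."""
    return 42


def slow_query():
    """Stands in for a lookup whose data makes it overrun the budget."""
    time.sleep(1.0)
    return 7


if __name__ == "__main__":
    for q in (fast_query, slow_query):
        value, elapsed = constant_time_query(q, budget=0.2, default=1)
        print(f"{q.__name__}: value={value} elapsed={elapsed:.2f}s")
```

Both calls take about the budget, which is exactly the cost the post worries about: the padding makes every query as slow as the slowest one you are willing to wait for.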

The audio and video of this presentation are now online.

Outsourcing the Decryption of ABE Ciphertexts
Matthew Green and Susan Hohenberger, Johns Hopkins University; Brent Waters, University of Texas at Austin. Presented by Matt Green.

The researchers have been working on protecting medical records. By using cryptographic control on the records, you can encrypt the record for all valid participants, but that is not very flexible - what if you add, or remove, relevant people?

Attribute-based encryption (ABE) is a little more general. For example, you can encrypt data that can be read by "Cardiologist at Johns Hopkins", so if your cardiologist changes, your new doctor can still access your medical record.

The main problem is that the more complex the policy, the larger the ciphertext grows as well as the decryption time. For example, doing a decrypt on a smartphone could take up to 30 seconds - too long for practical use, particularly if you were a doctor that had to do these decrypts all day long.

The naive approach is to leverage the cloud to assist with the decryption, but you really need to trust your cloud... just too many vectors for attack.

Their approach is to have *two* keys - a transform key (TK) and a secure key (SK). The transform key, which can be in the cloud, can't fully decrypt the ciphertext by itself. The cloud would then partially decrypt the data, and the SK on the phone would complete it.

The researchers found that by doing this transform, which allows external assist, the decrypt time on their iPhone went from 28 seconds to under 2 seconds.

This same research can be applied to smartcards, which are very slow little chips.

The audio and video of this presentation are now online.

Faster Secure Two-Party Computation Using Garbled Circuits
Yan Huang and David Evans, University of Virginia; Jonathan Katz, University of Maryland; Lior Malka, Intel. Presented by Yan Huang.

The researchers are trying to implement a system for secure 2-party computation using garbled circuits that is much more scalable and significantly faster than prior work.

This is based on prior work by Andrew Yao from the 1980s. While the garbled circuits theory has been around for a long time, prior implementations have been too slow to be used in practice. The researchers used a Yao chaining garbled circuit, and added a method of parallel processing to speed up the processing time.

Their framework doesn't require people to have expert knowledge about cryptography, but users will need to know the basic ideas of boolean circuits. You can learn more and try out their Android app at their website.

The audio and video of this presentation are now online.


USENIX: Pico: No More Passwords!

Frank Stajano, from the University of Cambridge, talked about the growing password problem. Many years ago, when we all only had one or two passwords to remember, memorizing one or two simple 8 character passwords was very simple to do.

Nowadays, we have something like 20-30 (or more?) accounts, all with different password policies, and we just can't memorize them all - and the things we're coming up with that we believe have high entropy are actually very easily cracked - as illustrated by this recent xkcd.

The little shortcuts we take, like reusing our "good" passwords, means that once it is compromised on one site (through no fault of the user), the attacker has access to many more sites. This was demonstrated recently with the Sony password leaks.

Because we forget passwords, all websites have a method for recovering your password - which can be attacked.

Stajano says that passwords are both unusable and insecure, so why on earth are we still using them?

Perhaps we can start over? Let's get rid of passwords! That's where Pico comes in. The goals of Pico are:
  • no more passwords, passphrases or PINs
  • scalable to thousands of vendors
  • no less secure than passwords (trivial)
  • usability benefits
  • security benefits
He wants to make sure we stay away from trying to make the user remember things, so that eliminates things like remembering pictures, shapes, etc.

Other requirements for Pico are that it must be scalable, secure, loss-resistant, theft-resistant, work for everyone, work from anywhere, need no search and no typing, and authenticate continuously.

Pico would have a camera, display, pairing button and main button, as well as a radio to communicate. The device could look like a smart phone, a keyfob, a watch, etc., but it is a dedicated device. It shouldn't be on a multipurpose device, like an actual smart phone, as it would then be opened up to too many forms of attack.

The camera would scan a visual code in order to know what it is trying to authenticate to. The radio would be used to communicate with the computer over an encrypted channel. The main button is used to authenticate, and the pairing button is used to initialize a new pairing. Obviously, this type of system would not just be an extension of existing systems, but would require new hardware.

Pico would initialize by scanning the application's visual code, getting the full key via radio, checking it against the visual code and storing it. Pico would then respond with an ephemeral public key and challenge the application to prove ownership of the application's secret key. Once those challenges are passed, Pico generates its own keypair for that application and shares the long-term public key with the application. The application stores that, and would then recognize your Pico the next time you connect to it.

While you're connected to the application, your Pico would be continually talking to the application, via the radio interface.
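The pairing and login sequence just described, as an added worked example that is not code from the talk or from the Pico project. Both sides are simulated in one process: the application's visual code carries a hash of its long-term public key, the Pico checks the key it receives "over the radio" against that hash, sends an ephemeral public key with a nonce, and accepts the application only if it can derive the static-ephemeral Diffie-Hellman value (which needs the application's secret key); the Pico then mints a fresh per-application keypair and the application repeats the same challenge against it on every later login, which is what the continuous re-authentication would loop on. The group (Z_p^* with the Curve25519 field prime and generator 2), the HMAC-based key confirmation and the message labels are assumptions made so the demo runs offline; a real Pico would use a vetted elliptic-curve group and the paper's actual message formats.

```python
import hashlib
import hmac
import secrets

# Toy group for the arithmetic: Z_p^* with p = 2^255 - 19 and generator 2. This is an
# assumption for a runnable demo, not a vetted DH group; use a standard curve in practice.
P = 2**255 - 19
G = 2

def keypair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def to_bytes(n):
    return n.to_bytes(32, "big")

def fingerprint(pub):
    """What the application's visual code carries: a short hash of its long-term public key."""
    return hashlib.sha256(to_bytes(pub)).digest()[:8]

def confirm(shared, nonce, label):
    """Key confirmation: HMAC over the nonce under a key derived from the DH value.
    Whoever holds the static secret computes eph_pub^sk; the verifier computes static_pub^x."""
    key = hashlib.sha256(to_bytes(shared) + label).digest()
    return hmac.new(key, nonce, "sha256").digest()

class App:
    """The service side: a long-term keypair and the set of enrolled Pico keys."""
    def __init__(self):
        self.sk, self.pk = keypair()
        self.enrolled = set()

    def visual_code(self):
        return fingerprint(self.pk)   # shown on screen, read by the Pico camera

    def radio_pubkey(self):
        return self.pk                # full key, delivered over the radio channel

    def prove_ownership(self, eph_pub, nonce):
        # Only the holder of self.sk can compute eph_pub^sk = G^(x*sk).
        return confirm(pow(eph_pub, self.sk, P), nonce, b"app-proof")

    def enroll(self, pico_pub):
        self.enrolled.add(pico_pub)

    def verify_pico(self, pico_pub, eph_sk, nonce, answer):
        if pico_pub not in self.enrolled:
            return False
        expected = confirm(pow(pico_pub, eph_sk, P), nonce, b"pico-proof")
        return hmac.compare_digest(answer, expected)

class Pico:
    """The token: one long-term keypair per application, nothing for the user to remember."""
    def __init__(self):
        self.keys = {}

    def pair(self, app_id, scanned_code, radio_pubkey, prove):
        # 1. the key received over radio must match what the camera saw
        if fingerprint(radio_pubkey) != scanned_code:
            raise ValueError("radio key does not match visual code")
        # 2. ephemeral key + nonce: the app must prove it holds the matching secret
        x, eph_pub = keypair()
        nonce = secrets.token_bytes(16)
        expected = confirm(pow(radio_pubkey, x, P), nonce, b"app-proof")
        if not hmac.compare_digest(prove(eph_pub, nonce), expected):
            raise ValueError("application failed to prove ownership of its key")
        # 3. mint a fresh per-application keypair; only the public half leaves the device
        sk, pk = keypair()
        self.keys[app_id] = (sk, pk)
        return pk

    def answer(self, app_id, eph_pub, nonce):
        sk, _ = self.keys[app_id]
        return confirm(pow(eph_pub, sk, P), nonce, b"pico-proof")

def pair(pico, app, app_id):
    pico_pub = pico.pair(app_id, app.visual_code(), app.radio_pubkey(), app.prove_ownership)
    app.enroll(pico_pub)
    return pico_pub

def login(pico, app, app_id):
    """One round of the challenge the app would keep repeating while the session is open."""
    eph_sk, eph_pub = keypair()
    nonce = secrets.token_bytes(16)
    pico_pub = pico.keys[app_id][1]
    return app.verify_pico(pico_pub, eph_sk, nonce, pico.answer(app_id, eph_pub, nonce))
```

Two checks worth noticing: a phishing site that copies the real application's public key (but not its secret) fails the ownership proof in step 2, and a second token that knows the enrolled public key but not the per-application secret fails every login, which is the property that lets the Pico replace a password without anyone typing anything.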

Of course, simply having the Pico cannot be enough - otherwise someone could take your Pico and impersonate you. This is where the concept of "picosiblings" comes into play. Picosiblings would be things like a watch, belt, ring, cellphone, etc. (things you often have with you), and the device would only work with those things nearby. [VAF: Personally, I'd hate to think I wouldn't be able to get money out of the ATM simply because I'd forgotten to wear my Java ring that day].

If you lose your Pico, you'd need to use some of your picosiblings to regenerate it - so don't lose all of your picosiblings as well! It seems that you want to have enough picosiblings, but not too many. I'm not sure how you determine that correct level :)

Pico access can't be tortured out of you, as it can't be unlocked by anything that you know (there's no PIN or password).

"Optimization is the process of taking something that works and replacing it with something that almost works, but costs less." - Roger Needham

With that in mind, Stajano notes that if he actually wants people to adopt this, he would likely need to think of a smart phone client.

There were a lot of interesting ideas in this talk, but the thought of carrying around yet another device is not appealing, and the burden of replacement and function (with all the picosiblings) makes this seem untenable to me - but, if it gets people thinking, then it's definitely a step in the right direction!

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Dealing with Malware and Bots, Refereed Papers

Detecting Malware Domains at the Upper DNS Hierarchy
Manos Antonakakis, Damballa Inc. and Georgia Institute of Technology; Roberto Perdisci, University of Georgia; Wenke Lee, Georgia Institute of Technology; Nikolaos Vasiloglou II, Damballa Inc.; David Dagon, Georgia Institute of Technology. Presented by Manos Antonakakis.

The motivation is that IP-based blocking techniques cannot keep up with the number of IP addresses that the C&C domains use, and there is a time gap between the day the malware is released and the day the security community analyzes it. Their new tool, Kopis, analyzes large volumes of DNS messages at authoritative name servers (AuthNS) or TLD [top level domain] servers in order to detect malware-related domain names.

Kopis asks the question: who is looking up what and where is it pointing?

The research focused on "interesting domain names" - those with the most lookup requester diversity, and those whose resolvers come from networks that have historically been compromised.

The researchers also looked at the rise of IMDDOS. The first big infection happened in China, and it took 15-20 days before the US and Europe were infected.

Kopis can be used to detect campaigns early by identifying malware-related domains before a sample hash for the attack is known, so you can protect your network before it's infected.
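The three questions Kopis asks (who is looking a name up, what networks they come from, where the answer points) can be turned into features over an authoritative server's query log. The following is an added illustration, not the Kopis code or its classifier: it runs a simplified scoring rule over a constructed log (resolver IP, resolver ASN, queried name, resolved address) with a constructed list of ASNs that have an infection history and a constructed netblock that hosted C&C before. Kopis trains a statistical classifier on features of this kind rather than applying fixed thresholds; the thresholds, field layout and reputation sets here are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of queries as an authoritative name server would log them:
# resolver IP, resolver's ASN, queried name, address the name resolved to.
SAMPLE_LOG = """\
198.51.100.7    AS64500 www.shop.example   203.0.113.50
198.51.100.7    AS64500 upd8-cdn.example   192.0.2.66
203.0.113.9     AS64501 upd8-cdn.example   192.0.2.66
203.0.113.44    AS64502 upd8-cdn.example   192.0.2.66
192.0.2.10      AS64503 upd8-cdn.example   192.0.2.67
192.0.2.77      AS64504 upd8-cdn.example   192.0.2.67
192.0.2.77      AS64504 www.shop.example   203.0.113.50
198.51.100.200  AS64505 upd8-cdn.example   192.0.2.67
203.0.113.120   AS64506 upd8-cdn.example   192.0.2.66
192.0.2.201     AS64507 www.shop.example   203.0.113.50
192.0.2.202     AS64508 www.shop.example   203.0.113.50
192.0.2.203     AS64509 www.shop.example   203.0.113.50
198.51.100.7    AS64500 intranet.example   10.0.0.5
"""

# Constructed reputation data: networks whose resolvers looked up known malware domains
# in the past, and an address block that hosted C&C servers before.
INFECTED_ASNS = {"AS64501", "AS64502", "AS64503", "AS64504", "AS64505", "AS64506"}
BAD_NETBLOCKS = [ipaddress.ip_network("192.0.2.64/26")]

def parse(log_text):
    """Group the log by queried name: which resolvers/ASNs asked, and what they were told."""
    per_domain = defaultdict(lambda: {"asns": set(), "resolvers": set(), "rdata": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        resolver, asn, domain, rdata = line.split()
        stats = per_domain[domain]
        stats["asns"].add(asn)
        stats["resolvers"].add(resolver)
        stats["rdata"].add(ipaddress.ip_address(rdata))
    return per_domain

def score(stats, infected_asns=INFECTED_ASNS, bad_netblocks=BAD_NETBLOCKS):
    """Who is asking (diversity), where they come from (infection history), where it points."""
    diversity = len(stats["asns"])
    infected_ratio = len(stats["asns"] & infected_asns) / diversity
    bad_rdata = any(ip in net for ip in stats["rdata"] for net in bad_netblocks)
    return {"diversity": diversity, "infected_ratio": infected_ratio, "bad_rdata": bad_rdata}

def suspicious_domains(log_text, min_diversity=5, min_infected_ratio=0.5):
    """Simplified stand-in for the classifier: flag a name that is looked up from many
    networks when most of those networks have an infection history, or when the answer
    points into a block that hosted C&C before. Returns (domain, features) pairs."""
    flagged = []
    for domain, stats in parse(log_text).items():
        s = score(stats)
        if s["diversity"] >= min_diversity and (s["infected_ratio"] >= min_infected_ratio or s["bad_rdata"]):
            flagged.append((domain, s))
    return sorted(flagged, key=lambda item: -item[1]["infected_ratio"])
```

The point of the diversity threshold is the false-positive case: a popular legitimate name is also looked up from many networks, some of which are infected, so diversity alone flags nothing; it is the combination with requester reputation (and, in the real system, the resolved-IP history) that separates the CDN-looking malware domain from the shop.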

The audio and video of this presentation are now online.

BOTMAGNIFIER: Locating Spambots on the Internet
Gianluca Stringhini, University of California, Santa Barbara; Thorsten Holz, Ruhr-University Bochum; Brett Stone-Gross, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara. Presented by Gianluca Stringhini.

Spam is getting sneakier and sneakier, coming up with subjects and senders that seem relevant to you, which gets it through filters and gets you to open the mail. It's hard to track spambots, as IP addresses of infected machines change frequently and new members can be recruited quickly.

They've been able to find other members of a botnet by assuming that all members will behave in a similar fashion (i.e. frequency and targets). Additionally, they used a spam trap to populate seed pools (a set of IP addresses that participated in a specific spam campaign) and logs at a Spamhaus mirror to find known spammers.

In order to get this right and avoid false positives, they need at least 1,000 IP addresses in their seed pool. They came up with an equation for calculating the threshold above which a candidate address really belongs to the campaign, and attempted to label which spam was coming from which botnets.
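The seed-pool idea in miniature, as an added example rather than the BotMagnifier code: given the IPs caught by the spam trap for one campaign, and a blocklist mirror's log of which mail servers asked about which sender IPs, an unknown IP is "magnified" into the campaign when nearly all the mail servers it contacted are ones the seed pool also contacted. The log format, the similarity ratio and the thresholds are assumptions for this demo; the real tool's threshold formula and its 1,000-address minimum are not reproduced, only the shape of the check.

```python
from collections import defaultdict

# Constructed DNSBL-mirror log: each line is a receiving mail domain that asked
# "is this sender IP listed?" followed by the sender IP it asked about.
BL_LOG = """\
mx.alpha.example    203.0.113.10
mx.bravo.example    203.0.113.10
mx.charlie.example  203.0.113.10
mx.alpha.example    203.0.113.11
mx.delta.example    203.0.113.11
mx.charlie.example  203.0.113.11
mx.alpha.example    198.51.100.5
mx.bravo.example    198.51.100.5
mx.delta.example    198.51.100.5
mx.alpha.example    198.51.100.6
mx.foxtrot.example  198.51.100.6
mx.golf.example     198.51.100.6
mx.hotel.example    198.51.100.6
mx.alpha.example    198.51.100.7
"""

# Constructed seed pool: sender IPs the spam trap saw delivering one specific campaign.
SEED_POOL = {"203.0.113.10", "203.0.113.11"}

def parse_log(text):
    """Map each sender IP to the set of mail domains that queried the blocklist about it."""
    targets = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            mx, ip = line.split()
            targets[ip].add(mx)
    return targets

def magnify(seed_pool, targets_by_ip, min_seed_size=2, min_targets=3, threshold=0.8):
    """Return {ip: overlap_ratio} for unknown IPs whose targets overlap the seed pool's.
    min_targets guards against IPs seen too rarely to judge; min_seed_size stands in for
    the size requirement the paper found necessary to keep false positives down."""
    if len(seed_pool) < min_seed_size:
        raise ValueError("seed pool too small to characterise the campaign")
    seed_targets = set().union(*(targets_by_ip[ip] for ip in seed_pool))
    found = {}
    for ip, targets in targets_by_ip.items():
        if ip in seed_pool or len(targets) < min_targets:
            continue
        ratio = len(targets & seed_targets) / len(targets)
        if ratio >= threshold:
            found[ip] = ratio
    return found
```

Run on the constructed log, 198.51.100.5 is pulled into the campaign (every server it hit is a seed-pool target), 198.51.100.6 is not (one of four), and 198.51.100.7 is skipped because a single observation is not enough to say anything about it.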

When they ran their software between September 28, 2010 and February 5, 2011, they tracked 2,031,110 bot IP addresses! The hope is that this software can help to improve existing blacklists.

The audio and video of this presentation are now online.

JACKSTRAWS: Picking Command and Control Connections from Bot Traffic

Gregoire Jacob, University of California, Santa Barbara; Ralf Hund, Ruhr-University Bochum; Christopher Kruegel, University of California, Santa Barbara; Thorsten Holz, Ruhr-University Bochum. Presented by Gregoire Jacob.

Current detection techniques fall into two categories: host-based and network-based. In order to automatically detect bots, you need to be able to examine clean command and control (C&C) traces, but this can be hard as these are often encrypted.

Jackstraws uses a combination of network traces and host-based activity and applies machine learning to identify and generalize C&C related host activity. They achieve the latter by mining significant activities and identify similar activity types.

All of this data is input into jackstraws so it can generate a template for matching other botnets. With lots of interesting graphs, they can now identify C&C traffic from noise.

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: The (Decentralized) SSL Observatory

Peter Eckersley, Senior Staff Technologist for the Electronic Frontier Foundation, and Jesse Burns, Founding Partner, iSEC Partners, started with the well known crypto stipulation that your encryption is only as good as your trust anchor. Knowing that, they wanted to see how secure the X.509 certificates in the wild are, so they started scanning port 443 on IPv4 servers the world over to collect certificates.

They have created an Observatory browser extension for Firefox that collects the certificate chain, destination domain, approximate time stamp, optional ASN and server IP. Installing it helps the researchers gather more information, and also helps you identify if you've got a bogus certificate in your browser.

Certificate Authorities have a hard job (verifying server identities) with strange incentives (they get paid for each certificate they issue). In 2009 there were three major vulnerabilities due to CA mistakes and in 2010, EFF discovered some evidence that governments were compelling CAs to put in back doors for them. On top of all that, there are a lot of certificate authorities out there. All of these things were daunting to the researchers as they started their project.

The technology this is all based on, X.509, was designed in the 1980s, before TLS/SSL or even HTTP! In their research, they discovered 10,320 kinds of X.509 certificates in the wild; of those, only about 1,300 were *valid* (according to SSL).

They found 16.2 million IPs were listening on port 443, and 11 million responded to their SSL handshake.

Typical browsers trust about 1500 CAs. Can that really be a good thing?

These CAs are located in about 52 different countries. They found many certificates that are valid but don't actually identify anyone in particular: localhost, exchange, Mail and private IP addresses [RFC 1918]. What's the point of having a CA verify your identity, if you aren't really providing an actual identity?

They tried to use their browsers to check certificate validity, but had a hard time, because Firefox and IE cache intermediate CAs. This means that some certificates are considered valid only sometimes (depending on where you've been before with your browser). Clearly, that shouldn't be - a certificate should either be valid or not.

Even when problems are found and the CAs are aware, revocation of problematic certificates is difficult or impossible, as many browsers and other software don't look at revocation data. They found nearly 2 million revocations, 4 dated in the future and 2 from the 1970s (before this technology existed).

They found a few subordinate CAs that claim to be from the country "ww" (which doesn't exist), with organization "global" and a bunch of other bogus information - that were irrevocable, and the CPS pointed to dead websites.

So, what can we do? Consensus measurement, more vigilant auditing, DNSSEC + DANE, or certificate pinning via HTTPS headers.

Consensus measurement is where you look for sites to all agree that a certificate is valid, but false warnings can happen when sites swap certificates for testing purposes or for other unknown reasons. Users are already "trained" to ignore warnings if they get too many false positives, so this approach would be problematic.

Certificate pinning relies on the idea that whoever you saw before should stay (the key a site presented earlier is the key you keep expecting), which works great if it is implemented correctly. The right way to do this is to create a private CA just for this domain and use it in parallel to PKIX. Using this correctly can protect you against CA compromise and malice, though users would still be vulnerable on first connection.

This article is syndicated from Thoughts on security, beer, theater and biking!

Thursday, August 11, 2011

USENIX: Deport on Arrival: Adventures in Technology, Politics, and Power

J. Alex Halderman, Assistant Professor, Computer Science and Engineering at the University of Michigan, started the talk out with a look back at his family history. Apparently his great-grandfather was the illegitimate child of a noble and an artist, and his grandmother was a spy. As a grad student, back in 2003, he was working on DRM technologies (at the time made to protect CDs - remember those?).

These early copy protections could be easily overridden with felt tip markers or by pressing the shift key while inserting a disc. Halderman wrote about this online, and was quickly threatened with lawsuits under the DMCA by the company that had created the DRM technology (their slogan was "Light years beyond encryption").

The next round of DRM technology would install software onto your computer to prevent you from copying CDs - in the form of a rootkit that munged your registry. Not only was that software doing things that weren't disclosed, but it also introduced privilege escalation bugs, and if you did uninstall the software, it would leave a remotely exploitable vulnerability on your desktop.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hess, Sony.

Halderman, by publishing these issues, caused Sony to have to recall millions of CDs over the holiday season and brought government oversight into the industry. To the best of his knowledge, attempts at putting DRM software onto CDs have been dropped by the industry. [VAF: though I have seen these recently on CDs I've purchased, at least labeled that it had copy protection.]

Since then, Halderman has been focusing on voting machines, all the way back to the old machines with the big pull levers. In that time, most of the requirements around "robustness" had to do with machines working in hot or cold weather and not losing data if they were dropped.

After the 2000 election debacle, many electronic voting machines were rushed to market without adequate testing and without third-party security review. The code was accidentally put online by Diebold, and people found many mistakes quite quickly. Diebold claimed the software was out of date and threatened to sue many of the people who had found issues.

In 2008, Halderman and two other researchers finally got their hands on an actual Diebold Accuvote machine, which he acquired from a man in Times Square wearing a trench coat in an alley.... really.

Realizing how litigious Diebold was, the researchers performed their experiments on the machine in a room (missing from the building blue prints) in the basement of their building.

They were able to discover a method to set the percentage of votes they wanted one candidate to get at the end of the voting period, all the while, the paper tape was printing the correct numbers for those voting.

Another method of attack could be done with just 30 seconds of access to the machine with a memory card that would overwrite the voting machine's memory.

Finally, they were able to come up with a voting machine virus that would self-propagate to every voting machine.

Despite these findings, these machines are still used statewide in at least Maryland.

Diebold argued that the box had security in the form of a lock, but the researchers found you could pick the lock with a lock pick set in 10-15 seconds, a little longer with a paper clip. But, why bother? All boxes had the same key, and that same key was also used on minibars and jukeboxes - readily available for purchase on the Internet.

Debra Bowen, Secretary of State in California, took this research to heart and began a full audit of all of California's voting machines, demanding that e-voting machine manufacturers provide source code for analysis. The California review found that it wasn't just Diebold that had issues, but all manufacturers of electronic voting machines.

Halderman and other researchers were able to obtain voting machines for next to nothing at various government surplus sales. In one case, they thought, why bother doing this again? We know the box will be insecure. So, instead, they got the voting machine to boot Linux, start X and run a PacMan emulator.... :-)

As states can't seem to find enough bugs in physical electronic voting machines, places like Washington, D.C. wanted to try Internet voting last year. Luckily for Halderman and his grad students, D.C. put the system online a few weeks in advance of voting to allow people to attempt to attack the system.

The students discovered the router passwords were "cisco123" and that there was a publicly accessible webcam in the server rooms. By watching the server rooms for a few days, they knew the schedule of the admin (shown in the talk picking his nose) and when security went home. So, they could launch their attack after 5PM.

They were able to put in false ballots *and* get the system to send them copies of other people's votes. The ballots were encrypted on the server, but the temporary copy of the ballots were not...

Halderman and his researchers did not let D.C. folks know that they were in active attack mode, but wanted to see how long it would take them to notice. They modified the "Thank You for Voting" page to play Michigan's fight song after every vote. It took two days for them to discover this, only because another tester complained to the authorities that he didn't like the new music they'd put on the page - it was annoying.

That still may not have been enough to stop them from deploying. It was also discovered that one of their internal testers wanted to make sure the system wouldn't crash if someone uploaded a very large PDF file, so he uploaded the biggest file he could find... which happened to be the real voter credentials for the election. So, the e-voting was called off... for last year. Wonder what 2011 will hold?

Halderman broke from election talk to tell us about his recent adventures in airports, including filming TSA agents (who don't like to be filmed patting people down, because they feel their privacy is being violated) and wandering around parts of airports that were meant to be secured, but weren't (doors unlocked and security guards were asleep).

Halderman and another researcher went to India to study their electronic voting machines, which previously had not been evaluated by independent researchers. They were able to get their hands on some actual voting systems, and found that the software was hardcoded into the hardware during manufacturing. So, they attacked the LED display that shows how many votes each candidate got by making a lookalike board with chips hidden under the LEDs and a Bluetooth transmitter, so you could remotely stack the votes.

The person in India, Hari, who had helped them get access to the voting machine was taken into custody by police a short time later. Fortunately, all ended well for Hari, but it must have been a terrible time while he was in custody. This, of course, led to Halderman being denied future access to India, which he discovered the next time he traveled there.

This was a very entertaining talk, done mostly with pictures, yet it was still very easy to follow. A delight! Once this talk is posted online, definitely check it out!

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Privacy in the Age of Augmented Reality

Presented by Alessandro Acquisti, Associate Professor of Information Technology and Public Policy at Heinz College, Carnegie Mellon University.

Acquisti asks what are the trade-offs associated with protecting and sharing personal information? How, rationally, do we calculate the risk and benefits?

You can look at it from an economics point of view. Acquisti starts with an example from a paper called Guns, Privacy and Crime, analyzing the case where the state of Tennessee released the names and zip codes of all people that had handgun carry permits. The NRA was outraged, as well as privacy experts, saying this information would put these people at more risk of crime - newspapers believed it would be the opposite. Acquisti and his colleagues studied this and found a direct relation: crime went *up* in areas with low gun ownership. Obviously, the criminals knew the risk to themselves was lower in those neighborhoods. I'm sure that's not what the state of Tennessee was going for.

The conundrum here, of course, is that different people value their privacy at different levels. He asks us to consider: "Willingness to accept (WTA) money to give away information" vs. "Willingness to pay (WTP) money to protect information." In theory, they should be the same, but in practice they found that people's WTA is much higher than their WTP: people demand more to give privacy away than they will pay to get it back.

Acquisti and his colleagues did an experiment at a local shopping mall where survey participants were rewarded with gift cards. One group received a $10 gift card whose purchases would not be traced, and the other group received a $12 card whose transactions would be tracked and linked to their name, and both groups were given the option to swap.

So, while they're both actually being given the same choice, it was psychologically framed differently. People who were originally given the $12 card very rarely wanted to give up the $2 to get their privacy back, while those that started with the $10 card wanted to keep it. If you have less privacy, you value privacy less. McNealy's famous quote, "You have zero privacy anyway. Get over it," came up.

Another area they were curious about was is the Internet really the end of forgetting? That is, memories fade, but Facebook doesn't. I've said this over & over again to teenagers, "The Internet is forever." What the researchers wanted to see was that if people would discount the information if it was old. Their hypothesis was that bad information would be discounted more slowly than good information. For example, if you last received an award 10 years ago, people may say, "Yeah, but what have they done lately," compared to being caught drunk driving, for which you may not ever be forgiven.

The researchers did three experiments: the dictator game (with real money), the company experiment (judging a real company, but no real money involved), and the wallet experiment (where subjects read about someone doing something either good or bad with a wallet and then judge him).

In the wallet experiment, even though all of this information is fresh in the minds of the subjects, they found that if Mr. A did something positive with a found wallet 5 years ago (returning the cash), it does not impact people's feelings about Mr. A, whereas if he had done it recently, they would have a more positive view of him. But if he did something negative (like keeping the cash), it didn't matter whether it happened last year or 5 years ago - people did not like that Mr. A.

The lesson learned here is to be careful about letting negative information about yourself get onto the Internet, as people will not forgive your past indiscretions. The speaker gave specific examples of the Facebook meme where young women post pictures of themselves when they are out of control drunk and passed out or worse. Even as they grow up and mature, they will not be forgiven for those past indiscretions.

And, with computer facial tagging getting better and better, even untagging yourself won't prevent you from being recognized.

The researchers studied public Facebook profile pictures along with their IDs and compared them to publicly known pictures of those people to see if people are using their real picture - they were able to discover that about 85% of them were accurate images. This could be further leveraged to see if people are using their own real picture on dating sites :)

What this means, is that even if you change your name, you still won't be able to escape your face (well, not without significant cost and potentially negative consequences).

The better and faster that facial recognition software gets, the less privacy we will have in public. Someone you just met could look you up by your face and learn all sorts of information about you. Scary!

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!