100 likes | 249 Views
NSF Cyber Trust PI Meeting Mark Seiden, Yahoo! Tomas Sander, HP Labs Moti Yung, Google Evelyne Viegas, Microsoft. What are Underfunded Areas in Information Security and Privacy that Would (most) Benefit Industry?. Methodology. First, enumerate unsolved problems of Industry.
E N D
NSF Cyber Trust PI MeetingMark Seiden, Yahoo!Tomas Sander, HP LabsMoti Yung, GoogleEvelyne Viegas, Microsoft What are Underfunded Areas in Information Security and Privacy that Would (most) Benefit Industry?
Methodology • First, enumerate unsolved problems of Industry. + bits of wish lists from colleagues = Corpus of Unsolved Problems Make sure these are research-worthy, and require Science versus “just” engineering. To be fair, filter out those which should properly be the responsibility of industrial research organizations (not the taxpayer) = Big Unsolved Industry Problems needing NSF-funded Research
Then calculate the set of NSF funded research areas…. • Start with what’s being funded now • Measure funding adequacy wrt hardness of problem being solved = Underfunded research areas • Then simply match up the two sets and now we can talk about the common elements!
Why are so many problems in industry woefully unsolved? • Industry is unaware of relevant research • Research papers are often not industrial-strength recipes for building anything • Industry does not highly value findings without implementation and examples • Legacy, complicated context, scaling problems, user expectations prevents change • Hard to make business cases for disruptive change or bleeding edge technology • Sometimes research is not applied skilfully
Static authenticators (a source of chronic pain and suffering) … have facilitated an entire set of plagues: Identity theft (phishing, keylogging, bribery, etc) Dictionary-based/Brute force cracking which requires CAPTCHA and distributed abuse detection for defense Password reuse means the damage is often widespread.
Not just passwords! We need • A replacement for Social Security Number with finer grained credentials that can convey one’s limited rights (e.g. right to vote, right to drink, right to drive, right to borrow books, etc.) but not all details of identity on a single card
Desirable technologies for research? • Reputation systems which are more resistant to manipulation (For buyers and sellers, for trusted parties, for addresses (IP and physical), for payment instruments • Privacy-preserving micropayment systems that can operate at Internet scale (stamps for email to stamp out spam? Click fraud?). • Fair Share Resource Scheduling (where greedy people get less) seems hard in distributed systems • Distributed systems need better defenses against attack. Autonomous operation? Self-organizing? How much global state do we need? • Logs that become fuzzier over time
Browser trust model Say we have two browsers, Alice and Bob. Alice only comes in executable form. We have the source code for Bob. Can we write a program that will describe the differences in the semantics of the Javascript implementation in these two programs? Does the source code help? (Of interest partly because the browser’s trust model did not anticipate that both benign and malevolent parties could be running code in a single execution context).
A few other smaller questions • How do I design an online contest which is ungameable and easy to administer? • How do I design an online contest which is ungameable and easy to administer? • How can we distinguish good security from bad?