"Only for a moment" RSA conference 2003 REDUX
By Seth Ross
Nobody can accuse RSA of not knowing how to host a great conference
or throw a great party. This year's show was held last week in San
Francisco, where former RSA President Jim Bidzos kicked it off on
an exquisite note by introducing the surprise musical guest: Kansas.
The band delivered a rousing rendition of their 1977 hit "Dust
in the Wind".
Kansas' lyric, "Don't hang on, nothing lasts forever but the
earth and sky", fit nicely with the Mayan theme for the conference
-- the Mayan civilization that blew away like dust in the tenth
century. Indeed, a quick walk about the trade show floor illustrated
the role of impermanence in the computer security industry: many
of the new companies that swept over the conference in the past
two or three years were gone, blown away by either deep fiscal crisis
or business failure
It wasn't supposed to work out that way, either for the new security
firms or the Mayans, who had the most sophisticated writing system
in the Americas. Just a couple of short years ago, the conference
was exultant and expansive. Encryption was riding the wave of the
Internet boom; President Clinton liberalized export control laws
twice, and the venture capital dollars were flowing. New entrants
in the industry were solving problems most customers didn't even
know they had. Last year, even as the boom was receding, the computer
security industry was preparing for a boost in demand due to the
terrorist attacks on 9/11. That boost never happened, and the Internet
bust dragged the whole IT industry down with it.
The impermanence theme resonated throughout the five-day-long show
and probably amplified the festivities, which were sparked off by
several good keynote presentations. The Cryptographers' Panel featured
Whitfield Diffie's admonitions against various trusted computing
initiatives like the TCPA (Trusted Computing Platform Alliance),
its successor, the TCG (Trusted Computing Group), and Microsoft's
Next Generation Secure Computing Base. "Hold the keys to your
own computers", Diffie warned. These new security standards
were recurring themes during the conference. Depending on the speaker,
they will usher in either an era of secure computing or an era of
Paul Kocher spoke to the importance of the validation stage of
security product development in his "Rational Paranoia"
talk. Michael Coe captivated the audience with a recounting of how
the Mayan writing system was decoded. Stephen Wolfram presented
a new kind of science based on simple computations, prompting the
question: is he mad, a genius, or both?
The real nitty-gritty of the conference is in the class tracks,
held this year in the Sony Metreon's spacious theaters. Phillip
Hallam-Baker, principal scientist at VeriSign, delivered one of
the most interesting classes, "XKMS: The Second Coming of PKI".
He cited some of the many barriers to PKI acceptance and use: How
do you find Alice's public key when you don't even know which directory
holds it? The XML Key Management Standard is in place and provides
a lightweight and simplified approach to PKI that can be applied
to a variety of devices (PCs, PDAs, phones). It's designed to work
across organizational boundaries: as Baker says, "It's not
about Alice and Bob. It's about GM, Ford, and Chrysler." Baker
sees a future in which key lookups are handled like email: through
Kevin Mitnick held a session on "The Art of Deception: Controlling
the Human Element of Security". Now that he's out of prison,
Mitnick is able to exploit his notoriety. He's a very charismatic
speaker and it's easy to see how he was able to pull off his social
engineering attacks. He told of breaking into Novell's network by
fooling an IT administrator. It's worth noting, for those of you
who don't know the story's epilogue, that the admin happened to
be in the audience and is good friends with Mitnick now. Mitnick
is one of the most flamboyant and controversial figures in computer
security and a great storyteller. Regardless of the strong reactions
he engenders, his advice on how large organizations can ward off
social engineering attacks is spot on.
Bruce Schneier's session on "How to Think About Security"
covered analogies between computer security and real world security.
Schneier feels that computer security can inform other kinds of
security and that the computer security community needs to speak
out. He noted how many security measures are really driven by non-security
agendas. He has a new book coming out -- "Beyond Fear: Thinking
Sensibly About Security in an Uncertain World" -- which seems
certain to join _Applied Cryptography_ and _Secrets & Lies_
in the library of classic computer security texts.
Thomas Berson's talk on "Cryptography After the Boom"
provided some philosophical fodder as well as a timely overview
of the essential elements of successful security technologies like
SSL and Kerberos. They are: secure enough for the job; simple to
understand; placing trust assumptions under user control; a "verb"
(performing action); reusable; addressing a killer app.
Steve Ross of Deloitte & Touche held forth on "The Case
For (and Against) International Security Standards". It's interesting
to think about the ways that security standards can actually decrease
security since they often take a least common denominator approach.
I will discuss international standards in general and the Common
Criteria in the next issue of the Securius Newsletter. One of the
conference highlights for me was the brief ceremony where a representative
from NIST awarded a Common Criteria certificate for Encryption Plus
Hard Disk to Noah Groth, President of PC Guardian, which sponsors
Beyond the keynotes and classes, much of the conference revolved
around food and drink. While RSA didn't have any really compelling
announcements at its press luncheon, the roast chicken at Jillian's
was excellent. The company did unveil Nightingale, a secret splitting
technology for ecommerce servers. The idea is that rather than storing
sensitive info like credit card numbers on a server, where it's
subject to both external and internal attack, you split it across
two separate servers -- a Nightingale server and an application
server -- so that both servers can verify a secret without seeing
it. An attacker who compromises either server gets no access to
any of the sensitive data.
The pinnacle of the RSA experience is the annual Cryptographers'
Gala, which was held in San Francisco City Hall this year. City
Hall was refurbished a few years ago; the towering rotunda gleamed
in "Mayan Orange" lighting. The event was very posh, with
drinks flowing from bars stuck in the hall's every nook and corner,
ambient jungle sounds, and women dressed in minimal and untraditional
Mayan outfits walking about on stilts. I made a taco, shared random
conference impressions with interesting folks, and trolled for new
newsletter subscribers (send this issue to a friend or colleague!).
My only complaint -- about the gala or the conference -- is that
the martini I tried from the martini bar was shaken, not stirred.
It wasn't the end of civilization as we know it. Next year I'll
have a scotch.