Real World Crypto conference
Hal Murray
hmurray at megapathdsl.net
Thu Feb 4 09:10:49 UTC 2016
I went to the Real World Crypto conference in early Jan. I met Daniel. He
might have corrections or additions. Many of the slides are here (no videos):
http://www.realworldcrypto.com/rwc2016/program
My primary interest was in trying to find a way to get secure NTP off the
ground. Typical crypto using certificates assumes you know the time. DNSSEC
assumes you have valid time. I didn't find a solution, but at least nobody I
talked to told me I was asking a stupid question.
I thought the best talk was the first one. Jon Callas from Silent Circle was
describing their Blackphone project/product. It's a seriously secure phone
targeted at CEOs rather than geeks. He had lots of good comments, but the
one that attracted my attention was that good Software Engineering was as
important as good crypto. Have your act together so you can get fixes out
quickly. Get rid of old cruft. Crypto geeks are not good UI designers. ...
Their WiFi was connected to the main CPU via a serial port rather than DMA so
they didn't have to worry about bugs in the WiFi taking over the system.
Check out his slides.
There were good talks by Nate Cardozo from the EFF and Daniel Kahn Gillmor
from ACLU. The latter had lots of good info/advice for sysadmins: SSLMate
and Let's Encrypt.
One of his concerns is privacy/security for people without a lot of money.
They are likely to be running old phones. That leads to an interesting
conflict. You would like software projects to simplify things by dropping
support for old hardware.
Adrienne Porter Felt from Google/Chrome discussed the UI side of security
issues in browser error messages. A significant fraction of their
certificate errors were actually bogus time on the user's system. (Yes, there
really was a link with time.)
--
These are my opinions. I hate spam.