Real World Crypto conference

Hal Murray hmurray at
Thu Feb 4 09:10:49 UTC 2016

I went to the Real World Crypto conference in early Jan.  I met Daniel.  He 
might have corrections or additions.  Many of the slides are here (no videos):

My primary interest was in trying to find a way to get secure NTP off the 
ground.  Typical crypto using certificates assumes you know the time.  DNSSEC 
assumes you have valid time.  I didn't find a solution, but at least nobody I 
talked to told me I was asking a stupid question.

I though the best talk was the first one.  Jon Callas from Silent Circle was 
describing their Blackphone project/product.  It's a seriously secure phone 
targeted at CEOs rather than geeks.  He had lots of good comments, but the 
one that attracted my attention was that good Software Engineering was as 
important as good crypto.  Have your act together so you can get fixes out 
quickly.  Get rid of old cruft.  Crypto geeks are not good UI designers. ...  
Their WiFi was connected to the main CPU via a serial port rather than DMA so 
they didn't have to worry about bugs in the WiFi taking over the system.  
Check out his slides.

There were good talks by Nate Cardozo from the EFF and Daniel Kahn Gillmor 
from ACLU.  The latter had lots of good info/advice for sysadmins: SSLMate 
and Let's Encrypt.

One of his concerns is privacy/security for people without a lot of money.  
They are likely to be running old phones.  That leads to an interesting 
conflict.  You would like software projects to simplify things by dropping 
support for old hardware.

Adrienne Porter Felt from Google/Chrome discussed the UI side of security 
issues in browser error messages.  A significant fraction of their 
certificate errors were actually bogus time on the users system.  (Yes, there 
really was a link with time.)

These are my opinions.  I hate spam.

More information about the devel mailing list