The paper is here.
The very sane opening paragraph is:
On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, ). The number RSA-768 was taken from the now obsolete RSA Challenge list  as a representative 768-bit RSA modulus (cf. ). This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousands times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago (cf. ) it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours or the one in . Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.
It’s an interesting read if factoring fascinates you.
So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house.
The email explains that the display was taken down after two days in large part because so many people were stopping to help, in some cases at risk to themselves.
After pausing a moment to reflect on the evil genius behind this idea, I immediately wondered how the willingness of passers-by to assist might vary according to the amount of traffic on the road passing the house. The notion, exemplified in the infamous Kitty Genovese murder, is that the willingness of people to “get involved” decreases as the (individually-perceived) number of possible interveners increases. If a passer-by knew the route was well-travelled, she would (so one theoretical formulation goes) be less likely to stop, whereas on an infrequently-used byway, she would be more likely to assist. (I later realized that the “cul-de-sac”scenario is more complex, in that drivers/walkers on such a road are much more likely to (think they) know the victim AND to think that their action or inaction will become known by others).
After having these thoughts, I was left chuckling at myself. Would most sane people have analyzed a prank in these terms? Maybe it was because I was reading Luce and Raiffa before breakfast…
[Posting this here to help get the word out – Chris ]
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees are eligible for free RSA exhibit passes.
Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).
Place: University of San Francisco (walking distance to the Moscone Center)
Time: 8:30am to 4:30pm
Participation: by invitation.
Attendance: Limited to 80 people
Additional details, including links to past workshops, presentations, and digests, as well as a calendar with important dates and instructions for submitters is available at securitymetrics.org
The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology and the sheer coolness (I would not have known the words “audacity” or “chutzpah”), and too young to question the wisdom of the project given the pressing alternative terrestrial uses for the funds. It’s funny that what my brain decided to remember, and what society made iconic or controversial do not really coincide. I distinctly remember the Apollo 8 launch, but nothing of the reading from the book of Genesis. I watched the Apollo 11 launch, but I don’t specifically recall Armstrong’s first steps. In all cases, I was glued to the TV for the launch and splashdown. Oddly, these more than the flight to (or activities on) the moon brought to mind the vast scale of the project. Launches always included references to tracking stations in Australia — a vast distance away for the 6-8 year-old mind. Splashdowns involved a whole aircraft carrier! This truly was big stuff.
Skylab and Apollo-Soyuz held my interest, but the shuttle never did. Viking, with actual color pictures of Mars, got things back on track, but it was clear that no human would set foot on Mars for some time. The sense of purpose just was not there the way it was for Apollo, and it hasn’t been since. It’s hard to know whether the undertone of loss I feel when thinking about Apollo is an effect of time — I am no longer the wide-eyed boy — or of a recognition of what might have been, but was not, due to the disintegration of the consensus that allowed Apollo to succeed.
I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.
I took the latest DataLossDB.org breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made pretty (3MB) picture with graphviz.
This was done more for fun than for insight, but I thought others might be interested.
In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on:
Increased speculation, coupled with a spike in Twitter activity.
Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this is actually the result of an experiment by the CIA/NSA/World Bank/Freemasons/etc).
Rapid adoption of irrational coping mechanisms, perhaps including a run on N95 respirators and surface disinfectants.
Reassuring releases from the Pork Council that in addition to being the Other White Meat(tm), yummy bacon cannot transmit influenza unless it has previously been used as a handkerchief.
An upcoming Schneier blog item on swine flu hysteria being related to confirmation bias.
Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open.
The deadline for the Early Bird registration is 1 June 2009.
We’ve written here often (and favorably) about WEIS, and about papers delivered there.
A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law.
As reported in the St. Louis Business Journal on April 1:
Missouri businesses would be required to notify consumers when their personal or financial information is compromised in security breaches, under a bill that received initial approval Wednesday from the Missouri Senate.
f the personal information of more than 1,000 Missourians has been breached, companies would be required to notify the state attorney general’s office, which would have the authority to seek civil penalties up to $150,000 per security breach, under the bill.
The legislation needs a second vote of approval before moving to the House for similar consideration.
St. Louis Business Journal
Should the bill become law, Missouri would become one of several states requiring centralized notification to state authorities for at least some breaches.
British newspaper announces all-tweet format. Hilarity ensues.
I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.
Metricon 4 – The Importance of Context
MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics.
It is a forum for quantifiable approaches and results to problems afflicting information security
today, with a bias towards practical, specific approaches that demonstrate the value of security
metrics with respect to a security-related goal. Topics and presentations will be selected for their
potential to stimulate discussion in the workshop.
MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th
USENIX Security Symposium in Montreal, Quebec.
Beginning first thing in the morning, with meals taken in the meeting room, and extending into the
evening. Attendance will be by invitation and limited to 60 participants. All participants will be
expected to “come with findings” and be willing to address the group in some fashion, formally or
not. In keeping with the theme of The Importance of Context, preference will be given to the
authors of position papers/presentations who have actual work in progress that demonstrates the
value of security metrics with respect to a security-related goal.
Topics that demonstrate the importance of context include:
Data and analyses emerging from ongoing metrics efforts
Studies in specific subject matter areas
Time and situation-dependent aspects of security metrics
Long-term trend analysis and forecasts
Measures of the depth and breadth of security defenses
Metrics definitions that can be operationalized
Incorporating unknown vulnerabilities into security metrics
Security and risk modeling calibrations
Security measures in system design
Software assurance initiatives
Security metrics relationship to security assessments
The program committee will also consider any innovative security metrics related work
How to Participate
Submit a short position paper or description of work done or ongoing. Your submission must be
brief — no longer than two pages including both text and graphical displays of quantitative
information. Author names and affiliations should appear first in the submission. Submissions
may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to
email@example.com. These requests to participate are due no later than noon GMT,
Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your
submission within a day or two of posting; take action if you do not.
The Program Committee will invite both attendees and presenters. Participants of either sort will
be notified of acceptance quickly — by June15, 2009. Presenters who want hardcopy materials to
be distributed at the Workshop must provide originals of those materials to the Program
Committee by July 27, 2009. All slides, position papers, and what-not will be made available to
all participants at the Workshop. No formal academic proceedings are intended, but a digest of
the meeting will be prepared and distributed to participants and the general public. (Digests for
previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is
dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this
sort is found. Submission of recent, previously published work as well as simultaneous
submissions to multiple venues is entirely acceptable, but only if you disclose this in your
Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items:
Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back its money?
A: Then we have worse things to worry about than government losses on TARP-program money–for we are then in a world in which the only things that have value are bottled water, sewing needles, and ammunition.
This response reminded me of a conversation I had over a beer with a banking regulator back in August 2006 or thereabouts. He reported on a IM conversation he had had with a colleague whose expertise lay in the area which subsequently imploded. After jokingly asking “Time to buy gold, huh?”, there was a pregnant pause. Then came the response: “Buy ammunition”.
I ordered another beer.
March 15-21 is “Sunshine Week“, a government transparency initiative described by its main proponents as
a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.
The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.
Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at DataLossDB.org. In addition to operating what was formerly Attrition.org’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.
By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RonR coders!).
The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.
So, with Spring on it’s way — at least at my latitude — here’s to more sunshine.