Learning from Authoritative Security Experiment Results (LASER) 2013 workshop

This writeup is the first in a series of “cooked” versions of my notes from the LASER 2013 Workshop. It highlights the things that I found interesting or where I learned something significant. Your definitions of interesting and significant may vary. Fortunately, videos of many of the LASER 2013 talks are available. I would welcome your feedback.

What LASER is about

From the conference web site:

The goal of the Learning from Authoritative Security Experiment
Results (LASER) 2013 workshop is to help the security community
quickly identify and learn from both success and failure from all
properly conducted experimental (cyber) security research. This will
encourage people to share not only what works, but also what
doesn’t. This is the primary goal of this workshop. The specific
technical results of the experiments are of secondary importance for
this workshop.

Topics include, but are not limited to:

Unsuccessful research in experimental security
Methods and designs for security experiments
Experimental confounds, mistakes, and mitigations
Successes and failures reproducing experimental techniques and/or results
Issues in hypothesis and methods development (e.g., realism, fidelity, scale)

The workshop focuses on research that has a valid hypothesis and
reproducible experimental methodology, but where the results were
unexpected or did not validate the hypotheses, where the methodology
addressed difficult and/or unexpected issues, or that unsuspected
confounding issues were found in previous work.

Why applying scientific methods to cybersecurity matters

There is a lot of hype around “cybersecurity”. There is a lot of money flowing to “cybersecurity” research, conferences, operations, etc. People whose main claim to fame is being able to break things are called “security researchers”. There is far more black art than science.

On the other side, we’ve learned a lot about how the world works over a few thousand years through the development and application of the scientific method. Modern medicine, electricity, computers and the Internet are a few of the beneficial applications of scientific principles that come to mind.

The security of computers and networked systems (a.k.a. “cybersecurity”) has become centrally important to the human endeavor. Correctly functioning computers are central to our critical infrastructure (think water and electricity), our economy (banking, Wall Street), our communications and entertainment (the Internet), our health care, our governments and our military.

The question is, can we in “cybersecurity” research learn from the lessons and methods of science developed over several millennia and successfully apply them in this new domain? Can we move past black arts, buzzwords and funding based on FUD (fear, uncertainty and doubt)?

Clearly “the physicists will never love us”[1]. The “Science of Cyber Security” will never be a hard science. We’re dealing with people, policies, assets, values and intelligent adversaries. But can we discover SOME invariant principles? Can we apply the methods of science? Can we delineate areas where it is possible to have repeatability and certainty from those that will forever be in the realm of chance and the unknowable?

It may turn out that the “Science of Cyber Security” has more in common with Psychology, Criminology, Economics and Anthropology than with Computer Science, Math and Physics. Knowing that will allow us to move forward. Not knowing that will result in wasted time, money, effort and possibly worse, to the extent that correct functioning of computers and networks remains central to the human endeavor.

More to come

The long-ish delay in the start of these postings was due largely to three things: life and work are busy, I decided to switch to WordPress and thus incurred ramp-up cost, and I decided to also ramp up on Org2Blog for blog production. I think I’m past the ramp-up costs on the latter two; any further delays will be due to the first. An amusing graphic on Geek productivity: http://ergoemacs.org/emacs/emacs_macro_example.html

Future posts will be more abstracts of talks and discussions, and less my generalized prognostications, provocations and possible prevarications.

I welcome your feedback.

Footnotes:

[1] The keynote speaker, Seth Zenz, was a Princeton physicist working on the Large Hadron Collider at CERN; see the video of Seth Zenz’s keynote talking about the Higgs Boson at LASER 2013.
