| Time | Event |
| --- | --- |
| 1:00 p.m. | Adam Goldstein. Location: Haldeman Center, Room 125 |
| 1:00 p.m. | Data Driven Security: A Different Approach to Determining Security Requirements. Steve Nyman. Location: Haldeman Center, Room 031 |

| Time | Event |
| --- | --- |
| 8:15 a.m. | Buses Leave Courtyard by Marriott for the Dartmouth Campus |
| 8:30 a.m. | Conference Registration and Continental Breakfast. Location: Haldeman Center, Russo Gallery |
| 9:00 a.m. | Welcoming Remarks. Ellen Waite-Franzen. Location: Haldeman Center, Kreindler Conference Room 041 |
| 9:10 a.m. | Picking Policy Priorities: Porn, Privacy, Procurement, P2P, or IP. Greg Jackson |
| 10:05 a.m. | So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Cormac Herley |
| 11:00 a.m. | Break |
| 11:15 a.m. | Characterizing the Cyberthreat Landscape. Matthew Devost |
| 12:10 p.m. | Lunch. Location: Occom Commons, McLaughlin Cluster |
| 1:30 p.m. | Panel Discussion: Cloud Computing - Pros and Cons. Participants: John Calkins (Northwestern), Greg Jackson (EDUCAUSE), and Sheri Stahler (Temple) |
| 2:25 p.m. | Michael Kaiser |
| 3:15 p.m. | Break |
| 3:30 p.m. | How Should Colleges Respond to RIAA and Other File Sharing Subpoenas? Ray Beckerman |
| 4:25 p.m. | American Privacy: Can a 19th Century Right Survive 21st Century Technology. Frederick Lane |
| 5:20 p.m. | Wrap-up |
| 5:30 p.m. | Social at the Hanover Inn, Hayward Lounge |
| 7:00 p.m. | Free Time for Dinner |
| 8:30 p.m. | Buses Return to Courtyard by Marriott |

| Time | Event |
| --- | --- |
| 8:15 a.m. | Buses Leave Courtyard by Marriott for the Dartmouth Campus |
| 8:30 a.m. | Continental Breakfast |
| 9:00 a.m. | Break-out Session 1: Botnets, A Look Into Today's Malware Battle Front; eDiscovery: A Panel Discussion; Social Media and College Students: Understanding the Millennial Generation's Staying Connected Mindset |
| 10:10 a.m. | Break-out Session 2: Botnets, A Look Into Today's Malware Battle Front; Hacking Tools and the Hacker Curriculum; Social Media and College Students: Understanding the Millennial Generation's Staying Connected Mindset |
| 11:20 a.m. | Break-out Session 3: Hacking Tools and the Hacker Curriculum; eDiscovery: A Panel Discussion |
| 12:30 p.m. | Lunch. Location: Dartmouth Outing Club House on Occom Pond. Bus service will be provided from the Haldeman Center to the Dartmouth Outing Club House. |
| 1:15 p.m. | Conference Wrap-Up. The Conference will conclude at 2:00 p.m. Bus service back to the Courtyard by Marriott will be provided at this time. |

Into the Cloud: A Hands-on Workshop Exploring the Pros and Cons of Hosting Servers in Public, Private, and Hybrid Clouds
Adam Goldstein
Low cost, ease of use, and minimal infrastructure requirements are just some of the reasons that make hosting servers in the cloud an attractive proposition. However, there are many security concerns and technical limitations that institutions must consider when assessing the potential benefits of cloud server offerings. This seminar will use interactive exercises to explore these concerns and what institutions and the leading providers are doing to mitigate the security risks. These will include implementation of new security controls and the use of private and hybrid Clouds. In addition, a decision making method will be presented that will assist institutions in determining which services may be good candidates for the cloud.
Data Driven Security: A Different Approach to Determining Security Requirements
Steve Nyman
This presentation will demonstrate how to develop realistic security policy which is risk-based. Typically, organizations have narrative security policy documents which simply state the "do's and don'ts" across a myriad of security related processes, both IT and non-IT. The elements contained in these policies are not categorized by stringency of control, nor are they correlated to risk mitigation. Dartmouth's approach is based on the coupling of two critical elements:
Policy is implemented based on a join of these two elements, which ensures that policy controls are deployed in a cost-effective, risk-based manner.
Picking Policy Priorities: Porn, Privacy, Procurement, P2P, or IP?
Greg Jackson
We in higher education have limited capability to influence IT policy, and we who work in IT have limited capability to influence campus policy. So we have to choose where to spend our policy chips. But everything relates to everything else, so we can't. Simply continuing as we have won't work. The issues are becoming more numerous and complicated. I'll outline some of the challenges we face, the options for addressing them, and the choices that are emerging.
Three Approaches to Awareness: Unified Messaging, Local Responses, and National Cybersecurity Awareness Month
Michael Kaiser
We are only as cyber secure as the weakest link on any network. For people, organizations, government, colleges and universities, and others engaged in education and awareness activities, that poses considerable challenges. How do we build out our capability to share and disseminate messages that provide clear motivation and methods to stay safe online? How do we saturate the community of users with messages so we know they receive them? Who are the partners critical to these efforts?
This presentation will look at three efforts underway that attempt to bring some answers to these questions—a messaging campaign, a local collaboration on cybersecurity, and National Cybersecurity Awareness Month.
Characterizing the Cyberthreat Landscape
Matthew Devost
Are we currently in a state of dynamic cyberconflict or is the threat overhyped? While it may be difficult to discern the truth based on current political discourse and media coverage, the truth currently lies somewhere in the middle. This presentation will provide an overview of the current threat landscape, how it is changing and how that will impact technology-dependent organizations in the future.
So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
Cormac Herley
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.
Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
How Should Colleges Respond to RIAA and Other File Sharing Subpoenas?
Ray Beckerman
American Privacy: Can a 19th Century Right Survive 21st Century Technology?
Frederick Lane
The right to privacy holds a unique position in American law and society. Unlike most of our other familiar rights, the right to privacy has no roots in the nation's founding documents. Instead, it owes its existence to judicial interpretations of state common law and the underlying intent of the Bill of Rights. The tenuous nature of the right to privacy makes it particularly susceptible to erosion by technological advances, a process that each of us in our own way has accelerated. Our love affair with digital technology -- from the mainframe computer to smartphones -- is in constant tension with our belief in a right to privacy. Can the two concepts co-exist, or will we be forced to choose between processors or privacy?
Botnets, A Look Into Today's Malware Battle Front
Marc Evans
As malware and the internet have evolved, botnets have become core functionality for a large number of malicious actors. This presentation will provide an overview of botnet concepts and then explore a more detailed look at recent trends of both malicious actors and methods being attempted to minimize botnet effectiveness.
Social Media and College Students: Understanding the Millennial Generation's Staying Connected Mindset
Davina Pruitt-Mentle
As the first generation to come of age since 2000, the Millennial Generation, or those born after 1980, is often distinguished by the integration of technology throughout their lives. It is well documented that their lifestyles include a plethora of gadgets which include wireless technology and the creation of self-designed media. Several research studies highlight the Millennials' fusion of technology into their social lives.
This session will present an overview of the latest research findings regarding Millennials' use of social networking sites such as Facebook, Twitter, Prezis, and formspring.me, but also note sharing, book rentals and other tools used by students. We will discuss the do's and don'ts for college students when using these sites, and concerns for students, faculty, and administrators alike.
Hacking Tools and the Hacker Curriculum
Sergey Bratus and Far McKon
As network and internet connections have become more vital to research, business, and day-to-day life, many institutions have responded by discouraging student exploration and 'play' on university networks. At the same time, global competition and the new reliance on networks make it more important than ever that students develop a rich understanding of technology. Students need the room to develop their passion, and learn from mistakes without causing (much) trouble.
Private VPN, 'Capture The Box' networks, and technologies like Agora Link can give students a space to hack for good or bad, and learn voraciously about network infrastructure while ameliorating concerns about collateral network damage from their exploration. Students can also augment existing college IT departments, and through their experience they can develop their skills, and extend IT capabilities.
This talk will give a short background on the link between students & hacking, offer some ideas and suggestions for giving students freedom to hack and play within an academic network, and give some insight into related projects under development in the hackerspace community. We will also suggest some good outlines for getting student IT collaborations started.