Financial Cryptography and Data Security #16 recap

Had a great time down in Bonaire at the recent Financial Cryptography and Data Security conference. The last one I attended was 2002 in Bermuda. Interestingly enough, IFCA still uses the main website logo and design that my previous company made for them for the 2001 conference.

Besides the wonderful scuba diving I did, I also managed to meet some very interesting people and discuss data security and privacy issues. Here is just a snippet of what I learned:

Ross Anderson discussed Social Authentication, particularly Facebook’s use of pictures of your friends as a double check on who you are. Upon hearing the title, I half expected the talk to be about using your friends to verify you, something I discussed last year in a previous blog post. Ross told me later that Facebook does have a system in place similar to my idea. It is called Guardian Angel. Hmmmm…I wonder if somebody at Facebook read my blog post back in March of last year. 🙂

Joseph Bonneau described how non-random, user-chosen PINs are not so hard to crack and that random 3-digit PINs would be better than user-picked 4-digit PINs.

One of my favorite presentations was by Dan Bogdanov on deploying secure multi-party computation for financial data analysis. What’s great about what Dan did is it wasn’t just theoretical, they actually created a distributed system using JavaScript that was put to actual use. Dan’s blog and more information are available at Sharemind. The night before the conference I also had the pleasure of having dinner with Dan and his lovely (wife? girlfriend?) and a few others including Barry Peddycord, Ben Mood and Riivo Talviste.

One of the most entertaining talks was about a hack of the DC Internet voting system. The team only had a few days to crack the system, which was based on an open source project. However, they totally demolished it, to the degree that DC had to completely give up any hope of using the system for a real election.

Daniel Slamanig gave a good talk on access control and outsourced storage. I need to read up more on it as well as Mariana Raykova’s talk on privacy-enhanced access control for outsourced data sharing before I can talk intelligently about it. Right before my panel session we heard about some uses of and deficiencies in the Bitcoin system. Makes me want to re-investigate Bitcoin. Of course, my panel session went off without a hitch and the audience really seemed to enjoy it. Many thanks to Peter Swire, Travis Breaux and Stuart Shapiro for making it go smoothly.

I was unable to attend the last day’s session as I went out scuba diving.

Some of the other interesting things I learned include

the concept of shingling. More information at http://codingplayground.blogspot.com/2009/03/hashing-shingling-and-hashtrees.html

Amazon’s mTurk https://www.mturk.com/mturk/welcome

The microfinance system M-Pesa

Dan also told me a little about ISO 29100-2011 Privacy Framework and 29101 Privacy Reference Framework which are both in development.

All of these things I need to look into in more detail.

In the coming weeks, I’m going to go into more detail on a few of these topics that interest me. Specifically I’m going to be looking at the Secure MultiParty Computations and how they can be applied to cloud computing environments.

P.S. Many thanks to Springer publisher Jennifer Evans for the book Computers Privacy and Data Protection: an Element of Choice and also to her and her husband John for the enjoyable time diving together!