8:30 a.m.–9:15 a.m. | Tuesday
Continental Breakfast
Harbor Foyer

9:15 a.m.–9:35 a.m. | Tuesday
Program Co-Chairs: Michael Bailey, University of Illinois at Urbana-Champaign; Fabian Monrose, University of North Carolina, Chapel Hill

9:35 a.m.–10:20 a.m. | Tuesday
Discussion Leader: Matt Green, Johns Hopkins University
Beneath the Internet as we know it lies a sprawling and vulnerable security infrastructure. Until recently this infrastructure was assumed to be self-maintaining; many developers simply ignored it. The April 2014 publication of the Heartbleed vulnerability exposed the folly of this approach. More than a simple vulnerability, Heartbleed was a watershed moment for our community: for the first time in decades, the vulnerability of our security libraries was front page news. At one level, the Heartbleed vulnerability is simply a story of poor software design. But viewed with a wider lens, Heartbleed revealed fundamental weaknesses in our design patterns, trust models, resource allocation, and more. In this session we will discuss the Heartbleed vulnerability as a technical and cultural phenomenon; explore the way it's changed our industry; discuss the responses to Heartbleed (both technical and organizational); and explore approaches to securing the Internet's critical infrastructure going forward.

10:20 a.m.–11:05 a.m. | Tuesday
Discussion Leader: Steve Bellovin, Columbia University
As we know from news reports, many countries are engaged in mass surveillance of various forms. Private companies are also engaging in various and sundry forms of large-scale data collection of their own, some of which can be fed back into governments' hands. What, though, is "mass surveillance"? Is it ever justifiable? How necessary is it? We all know that there really are Bad People out there, though of course there are many different opinions on just who they are. Does mass surveillance work? If it does but is immoral, are there alternatives that are more palatable but equally effective? How much diminution in effectiveness is acceptable?

11:05 a.m.–11:30 a.m. | Tuesday
Break with Refreshments
Harbor Foyer

11:30 a.m.–12:15 p.m. | Tuesday
Discussion Leaders: Joseph Bonneau and Arvind Narayanan, Princeton University
Bitcoin has had far more real-world impact as a crypto-currency than any academic proposal in this space. Depending on one's perspective, this is either despite or because its design violates many assumptions cryptographers and security researchers hold dear. While it builds off of crypto concepts researched in the 90s, Bitcoin was developed and rose to prominence almost completely independently of the mainstream academic research community. How did we miss the ideas behind Bitcoin? What questions remain about Bitcoin that academics are well-positioned to answer? What lessons can we learn to avoid missing such a promising idea in the future? How can academics productively collaborate with the broader Bitcoin research and development community?

12:15 p.m.–1:00 p.m. | Tuesday
Discussion Leader: Manos Antonakakis, Georgia Institute of Technology
Recently, we have witnessed a sharp increase in actions from both the private and public sectors as they fight to take down botnets. Unfortunately, only a handful of these actions can be objectively evaluated and collectively deemed an operational success. While the popular press has exalted much of the short-term gains, the operational community has often been left to deal with the aftermath of failed botnet takedown operations. In this session we will examine the lessons learned from recent takedown efforts. Together with participants from the operational community, we will explore questions pertaining to the lack of strategic planning in our actions against miscreants and solicit input on what such planning should entail. Several questions abound, including (but not limited to): whether better strategic planning could avoid "blue-on-blue" violence and minimize collateral damage; what forms of information sharing can better facilitate such planning; how we should prioritize actions against threats; and how we can assist judges who must objectively validate the abuse data presented to them.

1:00 p.m.–2:00 p.m. | Tuesday
Summit Luncheon
Harbor GH

2:00 p.m.–2:45 p.m. | Tuesday
Discussion Leader: Dennis R. Moreau, Senior Engineering Architect: Software Defined Security, VMware
There is an old adage in computer science that states: "All problems in computer science can be solved by another level of indirection..." Virtualization, broadly written to include techniques at both the network and host, has enabled computation, storage, and communications approaches that leverage new software layers to abstract complexity. However, any computer scientist who has been around the block more than once will tell you there is more to the old adage: "...except of course for the problem of too many indirections." Security, performance, and availability problems plague these new approaches, and in many cases the reality simply doesn't live up to the hype. In this discussion we will tease out what is genuinely new and exciting about virtualization and what are simply old ideas in new packaging. We will approach this problem with a particular bent towards security and network virtualization, discussing the impact of new network virtualization technologies, such as software defined networking (SDN) and network feature virtualization (NFV).

2:45 p.m.–3:15 p.m. | Tuesday
Break with Refreshments
Harbor Foyer

3:15 p.m.–5:20 p.m. | Tuesday
Discussion Leader: Tadayoshi Kohno, University of Washington
Join us in the afternoon for a mini-unconference! The HotSec unconference is designed to provide a structured environment for groups of people to dive deeply into topics of mutual interest. The HotSec unconference will have two one-hour sessions, one at 3:15 p.m. and one at 4:20 p.m., and each session will have three parallel tracks (for a total of six break-out sessions). The contents of each break-out? That's up to you, the attendees. We will have a sign-up sheet for those wishing to propose a break-out session topic. You don't need to be an expert in an area to propose a topic for a break-out session. Come to HotSec with ideas for break-out sessions in mind, or let ideas come to you as topics arise during the earlier HotSec sessions.

5:20 p.m.–5:30 p.m. | Tuesday
Program Co-Chairs: Michael Bailey, University of Illinois at Urbana-Champaign; Fabian Monrose, University of North Carolina, Chapel Hill