*PKI Labs Conference Call*
April 15, 2003
*Attendees*
Neal McBurnett (convener) - Internet2
Sean Smith - Dartmouth
Eric Norman - Wisconsin
Peter Honeyman - Michigan
Carl Ellison - Intel
Lisa Hogeboom - Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
The minutes of the previous meeting were approved without changes.
The group discussed the "super-DMCA" legislation now being promoted by the MPAA at the state level. Neal pointed the group to an overview on the EFF web site (http://www.eff.org/IP/DMCA/states/200304_sdmca_eff_analysis.php) and noted that super-DMCA extends DMCA's "circumvention prevention" to all forms of digital communication. Sean noted that Blackboard is taking action against two hackers who'd been planning to present information on security holes in its ID card software; see http://features.slashdot.org/article.pl?sid=03/04/14/1846250 for details. Sean observed that DMCA and super-DMCA are creating a chilling effect on research into security weaknesses, and predicted that they will lead to what a friend calls "a generation of crap" from the manufacturers. Sean also noted that the seriousness of these concerns seems to be little appreciated outside computer security circles; in particular, he recounted being received as "a lunatic" when he raised these issues in a recent talk.
Eric noted that his new boss, Mairead Martin, recently went to DC to testify about digital rights management on behalf of universities and libraries; see http://www.netcaucus.org/events/2003/drm/. Sean observed that one perspective on DRM is that its dangers arise from the technology simplifying away "all the fuzzy stuff" that makes rights management work in real life. Carl recently attended a workshop on security in pervasive computing. One way of stating the fundamental problem in this area is that there are so many computers in your environment that you don't even know they exist, but nonetheless you want a security policy implemented on them. Think for example of making sure that data from a document you print out at an airport doesn't linger on any of the machines it passes through on its way to the printer. Carl noted the similarity between the problems of security in pervasive computing and the problems of implementing DRM -- not a good thing in his opinion, because it lends legitimacy to DRM.
Sean noted that as a result of having attended the Workshop on Human-Computer Interaction and Security Systems at CHI 2003, he's getting more interested in user interface issues. More and more it appears that many, many problems with security can be traced back to poorly designed human-computer interaction. In particular Sean called the group's attention to the contributions of Angela Sasse, who says that security is the last branch of computing to start thinking seriously about users, and Alma Whitten, who is looking at how warning labels for consumer appliances are developed, with a view to applying lessons learned to the design of user interfaces for security software. Sean also noted that Donald Norman's _The Design of Everyday Things_ and Robert Bailey's _Human Performance Engineering_ had been recommended to him at the workshop. Papers from the workshop are at http://www.andrewpatrick.ca/CHI2003/HCISEC/; Sean's draft summary is at http://www.cs.dartmouth.edu/~sws/papers/hcidraft.pdf.
The rest of the call was devoted to finalizing plans for the April 28-29 2nd Annual PKI Research Workshop. The next PKI Labs conference call will take place Tuesday, May 13, at 4:00 PM Eastern; this is 24 hours after the regularly scheduled time.