Discover and read the best of Twitter Threads about #enigma2021

Most recents (24)

Last talk of #enigma2021 by Marcus Botacin: "DOES YOUR THREAT MODEL CONSIDER COUNTRY AND CULTURE? A CASE STUDY OF BRAZILIAN INTERNET BANKING SECURITY TO SHOW THAT IT SHOULD!"

usenix.org/conference/eniā€¦
The outcomes I get from my analysis of malware I find in Brazil were quite different than what I saw in analysis of malware from other researchers. Why? Because the malware attacks were different!
The Brazilian banking system:
* let's move banking to computers (80s)to keep up with hyperinflation
* desktop clients for users... and the attackers migrated from physical to fake desktop app attacks -- that would only work in Brazil because that's where the banking was
Read 18 tweets
@gianluca_string is up at #enigma2021 speaking about "COMPUTATIONAL METHODS TO UNDERSTAND AND MITIGATE ONLINE AGGRESSION"

[Make sure to catch the talks when they're posted -- my hands can't keep up with these speakers and the talks are šŸ”„]

usenix.org/conference/eniā€¦
Content note: this talk is about online abuse as some of the content may be upsetting
Got pulled into this after a screenshot of a class assignment sending folks to post on 4chan to post about race/gender/etc issues got posted on 4chan without the email address... so the 4chan folks thought it was @gianluca_string. It wasn't, but they doxxed and harassed anyway
Read 15 tweets
Kicking off the last session of #enigma2021, @katestarbird is speaking about an extremely pressing topic: "ONLINE RUMORS, MISINFORMATION AND DISINFORMATION: THE PERFECT STORM OF COVID-19 AND ELECTION2020"

usenix.org/conference/eniā€¦
So much mis/dis-information in the last few months about covid: rumours about lockdowns, home remedies... and then conspiracy theories
This ... thing was taken viral by media and social media and spread so much mis/dis-information.
Read 24 tweets
"THE LIMITS OF SANDBOXING AND NEXT STEPS" from Chris Palmer at #enigma2021

usenix.org/conference/eniā€¦
This talk is going to go through the experience pushing the boundaries on sandboxing in the Chrome browser

What is sandboxing?
* breaking something into lower/higher privileged process
* necessary for browers, OSes, VMs etc.
Chromium uses to reduce the amount of privilege of the application: also to reduce the amount of privilege for code that touches websites (renderer)
* split different websites into different processes
* good defense against logic bugs (e.g. same-origin policy)
Read 18 tweets
Next up at #enigma2021, Alex Gaynor from @LazyFishBarrel (satirical security company) will be talking about "QUANTIFYING MEMORY UNSAFETY AND REACTIONS TO IT"

usenix.org/conference/eniā€¦
Look for places where there are a lot of security issues being handled one-off rather than fixing the underlying issue
We tried to fix credential phishing mostly by telling people to be smarter, rather than fixing the root cause: people being able to use phished credential.

2-factor auth just ... fixes the problem.
Read 15 tweets
It's time to talk about @zoom_us security over @zoom_us at #enigma2021 by Merry Ember Mou with the talk "BUILDING E2EE AND USER IDENTITY"

usenix.org/conference/eniā€¦
Zoom's launched end-to-end encryption 5 months after the white paper was published
* prevents eavesdroppers between users who are speaking to each other
* protection against compromised servers
[ here's the E2EE whitepaper from Zoom]

github.com/zoom/zoom-e2e-ā€¦
Read 20 tweets
@carmelatroncoso is speaking about "CONTACT TRACING APPS: ENGINEERING PRIVACY IN QUICKSAND" at #enigma2021

usenix.org/conference/eniā€¦
Engineering contact-tracing apps has been a marathon

Why make them?
* manual contact-tracing became totally overwhelmed with covid cases
* can we supplement with technology?
Constraints: security and privacy
* protect from misuse: surveillance, target marginalized individuals, etc.
* purpose limitation by default
* hide user's identity, location, behaviour
* preserve system integrity
Read 18 tweets
In more pandemic talks at #enigma2021, Mark Funk is here to talk about "DESIGNING VERIFIABLE HEALTH SOLUTIONS FOR GLOBAL PANDEMIC"

usenix.org/conference/eniā€¦
This is about work done with a nonprofit to try to find a way to prevent infected people from entering a location in a privacy-preserving way.

(Stopped this work when it became clear that this was being built for a world which wouldn't exist any time soon.)
Right now, we ask people to self-diagnose, which requires on diagnosis and truthfulness

There are stronger mechanisms like PCR tests
Read 25 tweets
Last day of #enigma2021 and we're kicking off with @cooperq from @EFF talking about "DETECTING FAKE 4G LTE BASE STATIONS IN REAL TIME"

usenix.org/conference/eniā€¦
Focus on tech which targets at-risk people (e.g. activists, rights defenders, sex workers)
What is a cell site simulator?

*transmitter or receiver which intercepts metadata from cell phones, often by pretending to be a legit cell tower
Read 21 tweets
Last talk at #enigma2021 today is @iMeluny speaking about "DA DA: WHAT SHARK CONSERVATION TEACHES US ABOUT EMOTIONALITY AND EFFECTIVE COMMUNICATION STRATEGIES FOR SECURITY AND PRIVACY"

usenix.org/conference/eniā€¦
I dreamt of being a shark scientist and worked my ass off to get a scholarship to one of the top programs. My career took a loop, but to this day I find lessons from sharks for security and privacy.
Lessons:
Incidents are emotional
* Risks will never be zero
* Public is ill-informed and fear is common
* science-based policy is not the norn
Read 20 tweets
Kicking off the final session of today at #enigma2021: Sofia Celi with ""I THOUGHT I WAS BEING STRONG WITH A COMPLICATED PERSON": THE TALES OF INTIMATE GENDER-BASED ONLINE ABUSE IN THE GLOBAL SOUTH"

[Content disclaimer: difficult content.]

usenix.org/conference/eniā€¦
The way people use technology to abuse others is different in the global south.

This talk is a reminder that we can work together to change this.
Where does one begin?
From a personal experience to a shared experience to a community experience to a global situation

This started from my personal experience.
Read 15 tweets
Finishing up this session at #enigma2021 is from Trey Herr speaking about "BREAKING TRUST ā€“ SHADES OF CRISIS ACROSS AN INSECURE SOFTWARE SUPPLY CHAIN"

[ *cough* #SolarWinds #SolarWindsHack *cough* ]

usenix.org/conference/eniā€¦
The software supply chain is huge and reaches everywhere.

In the US and elsewhere there's a lot of COTS (commercial off the shelf) software being used.

We don't build most of the software that we use, from mobile phones to container architechture.
Our mental models around supply chain (and regulatory architecture) are built around the hardware supply chain
Read 17 tweets
Kicking off the next session at #enigma2021 is @maddiestone with "THE STATE OF 0-DAY IN-THE-WILD EXPLOITATION"

usenix.org/conference/eniā€¦
What do you think of when I say 0-day? Only the most elite hackers and most elite targets, that they're super hard and expensive to develop.

I started looking back over what we're really seeing in the wild, looking at all of these bugs together to look at the bugs and gaps.
It became clear that we are not requiring the most elite skills to exploit 0-days. But there are mitigations that can make it much harder.
Read 22 tweets
Kicking off #enigma2021 second day with our Contact Notification panel, moderated by @benadida with panelists Mike Judd, CDC COVID-19 Exposure Notification Initiative; Ali Lange, Google; Tiffany C. Li, Boston University School of Law; Marcel SalathƩ, EPFL

usenix.org/conference/eniā€¦
Ben: The reason why we cannot be here in the same physical space is the same reason we have this panel on Contact Tracing. What is that?
* Run around looking for people who have been infected
* And looking for people who have been exposed to the people who have been infected
* To try to contain the spread
Read 112 tweets
Last talk at #enigma2021 for today by Pardis Emami-Naeini on "PRIVACY AND SECURITY NUTRITION LABELS TO INFORM IOT CONSUMERS"

usenix.org/conference/eniā€¦
Toilets are getting smarter (and more invasive)
People keep buying smart devices, but they're worried about them. Which makes sense because they keep getting hacked!
Read 18 tweets
Kicking off our Humans Making Decisions session with @patrickgage speaking about how "PRIVACY, MEASURABLY, ISN'T DEAD"

usenix.org/conference/eniā€¦
[ Personal note: this study was literally the MOST EXPENSIVE THING in my opex budget. For years. I'm so excited you all can see it now. ]

... on with the talk
I hear all the time that privacy is dead. But you know it's not. Every time you tell someone a secret, write something in a journal, have a thought inside of your own mind you're having a moment of privacy as trust or secrecy or freedom.
Read 24 tweets
Last up in Privacy Tech for #enigma2021, @xchatty speaking about "IMPLEMENTING DIFFERENTIAL PRIVACY FOR THE 2020 CENSUS"

usenix.org/conference/eniā€¦
Differential privacy was invented in 2006. Seems like a long time but it's not a long time since a fundamental scientific invention. It took longer than that between the invention of public key cryptography and even the first version of SSL.
But even in 2020, we still can't meet user expectations.
* Data users expect consistent data releases
* Some people call synthetic data "fake data" like
"fake news"
* It's not clear what "quality assurance" and "data exploration" means in a DP framework
Read 17 tweets
Next up in Privacy Technology at #enigma2021, Kelly Huang from @ethyca speaking about "GONE, BUT NOT "FORGOTTEN"ā€”TECHNICAL & PRACTICAL CHALLENGES IN OPERATIONALIZING MODERN PRIVACY RIGHTS"

usenix.org/conference/eniā€¦
Just imagine there's a global pandemic forcing everyone to stay home and buy their stuff over the internet. And you've been working on your sanitization-on-demand startup. You've got more users than you can count! ... literally, because your data's all over.
Now you're a multi-national international country with privacy issues because your information is all over the place.

Now a user writes to request you delete their data. Where is it? How do you do that? Who's responsible for privacy in your business.
Read 17 tweets
We're kicking off the Privacy Tech session at #enigma2021 with Mitch Negus speaking about "NO DATA, NO PROBLEMā€”GIVING NUCLEAR INSPECTORS BETTER TOOLS WITHOUT REVEALING STATE SECRETS"

usenix.org/conference/eniā€¦
A nuclear catastrophe hasn't occurred... yet. So we need to stay vigilant. Nuclear inspectors go in according to treaties to check what's going on and check compliance with treaty rules.
But as sophisticated analytics become more common, states will only want to share the minimum amount of information necessary under the treaty.

But perhaps we can use MPC -- secure multi-party computation
Read 20 tweets
Next up at #enigma2021, Sanghyun Hong will be speaking about "A SOUND MIND IN A VULNERABLE BODY: PRACTICAL HARDWARE ATTACKS ON DEEP LEARNING"

(Hint: speaker is on the market)

usenix.org/conference/eniā€¦
In recent years ML models have worked from research labs to production, which makes ML security important. Adversarial ML research studies how to mess with ML
For example by messing with the training data (c.f. Tay which became super-racist super-fast) or by foiling ML models by changing inputs in ways humans can't see.
Read 19 tweets
Last talk about Securing Democracy at #enigma2021: @jackhcable speaking about "THE FULL STACK PROBLEM OF ELECTION SECURITY"

usenix.org/conference/eniā€¦
Let's imagine that elections use all the security measures security people have been advocating: risk-limiting audits, paper ballots, etc. Would people trust the elections more?
Jack would argue no. Most people don't understand this stuff and most of the claims people are making can't be disproven. And are massively bogus already.

Georgia did a full recount on paper ballots and it very much didn't stop people from doubting the election!
Read 17 tweets
In more Securing Democracy at #enigma2021, @ChrFolini talking about "THE ADVENTUROUS TALE OF ONLINE VOTING IN SWITZERLAND"

usenix.org/conference/eniā€¦
Switzerland is a direct democracy where citizens get to vote at least 4x/year, with a lot of mail-in voting. We have a long history of online voting.

Disclaimer: THIS IS NOT SWEDEN.

[I get the picture that @ChrFolini has had to explain the difference several times.]
Process around mail-in ballots.

[tl;dr it's very complicated and wasn't threat-modeled until recently]
Read 19 tweets
Next up at #enigma2021, Sunny Consolvo will be speaking about "SECURITY & U.S. POLITICAL CAMPAIGNS: A STUDY & EXPERT ROUNDTABLE"

usenix.org/conference/eniā€¦
What if your personal account getting hacked could lead to years of harassment, allow election interference, and subvert democracy?

What if to avoid this you have to fundamentally change your online habits? And you work in politics, not tech.
Not all hacks will lead to outsized outcomes like that, but some will! And it's especially hard in a fast-paced temporary environment of a political campaign.
Read 17 tweets
First talk at #enigma2021 is coming up in just a moment: @scottjshapiro speaking about "IS CYBER WAR LEGAL: A FOUR HUNDRED YEAR RETROSPECTIVE".

Don't worry, it's a 20-minute talk, not 400 years. šŸ˜…

usenix.org/conference/eniā€¦
Imagine you log into Twitter one morning and see that the Pentagon's network was taken down, chlorine gas is being released, NYC stock exchange is taken down, and then the electric grid is taken down... by Iran by cyber-attacks in retaliation for sanctions.

Would this be legal?
It would be illegal for Iran to bomb is. Chemical warfare is illegal.

Did the outlawing of kinetic war outlaw cyber-law or not, thought?
Read 29 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!