I went to the Real World Crypto conference in early Jan. I met Daniel. He might have corrections or additions. Many of the slides are here (no videos): http://www.realworldcrypto.com/rwc2016/program
My primary interest was in trying to find a way to get secure NTP off the ground. Typical crypto using certificates assumes you know the time. DNSSEC assumes you have valid time. I didn't find a solution, but at least nobody I talked to told me I was asking a stupid question.

I thought the best talk was the first one. Jon Callas from Silent Circle was describing their Blackphone project/product. It's a seriously secure phone targeted at CEOs rather than geeks. He had lots of good comments, but the one that attracted my attention was that good Software Engineering was as important as good crypto. Have your act together so you can get fixes out quickly. Get rid of old cruft. Crypto geeks are not good UI designers. ... Their WiFi was connected to the main CPU via a serial port rather than DMA so they didn't have to worry about bugs in the WiFi taking over the system. Check out his slides.

There were good talks by Nate Cardozo from the EFF and Daniel Kahn Gillmor from ACLU. The latter had lots of good info/advice for sysadmins: SSLMate and Let's Encrypt. One of his concerns is privacy/security for people without a lot of money. They are likely to be running old phones. That leads to an interesting conflict. You would like software projects to simplify things by dropping support for old hardware.

Adrienne Porter Felt from Google/Chrome discussed the UI side of security issues in browser error messages. A significant fraction of their certificate errors were actually bogus time on the user's system. (Yes, there really was a link with time.)

--
These are my opinions. I hate spam.