SOUPS 2008 conference

If you don’t know about the Symposium on Usable Privacy and Security (SOUPS), you probably should. It’s a symposium dedicated to research on usable solutions to privacy and security problems. Attendees come to discuss topics ranging from graphical passwords to physical security management systems. I’ve included a description of the conference below. This year SOUPS will feature two workshops: Usable IT Security Management (USM ’08) and The Symposium on Accessible Privacy and Security (SOAPS).

SOUPS 2008

Symposium On Usable Privacy and Security

July 23-25, 2008

Carnegie Mellon University, Pittsburgh, PA USA

The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). Detailed information about technical paper submissions appears below. For information about other submissions please see the SOUPS web site

Datadvantages and the MOMA

I just ran across this data management application from Varonis called Datadvantages. They appear to be doing some very interesting things with file control management interfaces. Their application not only gives administrators the ability to view who can access what in a very fine-grained manner, it also provides a recommendation service. The recommendations suggest access rights that should be granted or removed based on the system’s heuristics. Based on their marketing documentation, it looks like their recommendations are primarily based on frequency of use and the relations between people. If anyone has a better understanding of what the recommendation capabilities of this interface are, I would be interested to hear about it.

The Museum of Modern Art (MOMA) in New York had some very interesting, though common, access control issues when it came to their data. In addition to the general problem of having a large number of users accessing a large number of files, the MOMA also has business relations with many other organizations. They also have a need to archive all data that isn’t being used. For their access issues they ended up turning to Datadvantages, which seems to be working well for them.

A Computer World article had this to say about the MOMA’s installation of Datadvantages:

Granting or revoking permissions for data access is challenging because the user repository and data file server information are in constant flux. Moreover, once permissions are granted, they are rarely revoked because doing so may have unpredictable consequences on authorized use. This often results in overly permissive access rights for most data users.

Privacy & data protection survey

Deloitte and Ponemon Institute published a survey on privacy and security in the enterprise environment.

I saw a talk given by Deloitte today on the survey and here are some of the highlights I found interesting:

  • Over 85% of respondents reported at least one breach where user notification was required and 63% reported multiple breaches.
  • The most implemented (59.9%) technology solution to privacy and security issues was segregation of duties tools. (Note: this sounds like companies are making use of the RBAC model)
  • Data classification was also high (57.7%) on the list of technology solutions. (Note: This may also be part of RBAC, classifying data into roles as well as people)
  • Encryption is being implemented (55%) but the encryption isn’t being applied to everything and a significant number of companies fail to adequately protect data both in storage and while in transit.
  • Both privacy and security professionals spend most of their time on incident response which includes notifying affected users.
  • Female and male security professionals make approximately the same salary.

Subversion on Ubuntu

Why is it always so hard to set up applications in Linux? Don’t get me wrong, I much prefer setting up complex applications in Linux to setting them up in Windows, but still, there must be an easier way. I just spent several hours setting up Subversion on my Ubuntu machine, which involved some time on help pages, some time debugging, and some time figuring out how I wanted my setup to work vs. other people’s setups. So I’m documenting some of my problems and solutions here just in case some other poor soul has a similar issue.

Basic Subversion setup

To begin, the following URL was an excellent help guide to start with. The guide described everything except how to do SSL encryption, and I had some issues with the authentication, which are detailed below.

Authentication issues

Once I got everything installed and working, I tried doing a checkout on another machine. Much to my surprise, the checkout worked but asked for no username or password. For some reason the server was requiring a username and password to write to a file on svn but not to read. Since I wanted my files to be kept private, I had to look up some documentation on how to change the authentication. I recommend this site; it is fairly cryptic but it has some good examples. I ended up changing the /etc/apache2/mods-available/dav_svn.conf so it would only allow bob and myself to make changes.

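<Location /svn/compilers>
# Serve the repository at this path through mod_dav_svn
DAV svn
SVNPath /home/svn/compilers
# HTTP Basic authentication against the htpasswd-format user file
AuthType Basic
AuthName "compilers subversion repository"
AuthUserFile /etc/subversion/passwd
# Not wrapped in <LimitExcept>, so it applies to every request, reads included
Require user kami bob
</Location>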

SSL Encryption

Using the basic setup, SVN sends all passwords and other data in the clear. This is somewhat insecure, and I wanted to enable SSL encryption. There is a nice Ubuntu documentation page on how to do this. The only problem is that a default install of apache2 on Ubuntu doesn’t come with the apache2-ssl-certificate application. I found a discussion forum that talks about the issue and proposes several solutions. I’ve quoted the solution I used below:

* apache2-ssl.tar.gz (964 bytes, application/x-tar)

You can grab ssleay.cnf and apache2-ssl-certificate from Edgy’s apache2 version.

I hope this workaround works for people who are bothered by this issue. Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.

Create /etc/apache2/ssl directory. Then apache2-ssl-certificate script should work.
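
Added example (not from the original post or the quoted forum reply): a small Python audit for the two problems described in this post, anonymous reads of a DAV svn location and Basic auth credentials sent without SSL. The sample configs are constructed; OPEN_READ assumes the read-without-password behaviour came from a Require wrapped in <LimitExcept>, which is one common cause, and the SSLRequireSSL check is a heuristic that does not see SSL enforced elsewhere (for example an SSL-only virtual host).

```python
# Constructed samples (not from the post). OPEN_READ shows one common cause of
# "write needs a password, read does not": Require wrapped in <LimitExcept>.
BASE = ('<Location /svn/compilers>\nDAV svn\nSVNPath /home/svn/compilers\n'
        'AuthType Basic\nAuthName "compilers subversion repository"\n'
        'AuthUserFile /etc/subversion/passwd\n%s</Location>\n')
OPEN_READ = BASE % ('<LimitExcept GET PROPFIND OPTIONS REPORT>\n'
                    'Require valid-user\n</LimitExcept>\n')
AS_POSTED = BASE % 'Require user kami bob\n'                # the post's config
HARDENED = BASE % 'SSLRequireSSL\nRequire user kami bob\n'  # plus mod_ssl check

# HTTP/WebDAV methods a Subversion client uses for read-only operations.
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}

def audit(conf):
    """Map each DAV svn <Location> path to its list of findings."""
    report, path, st, exempt = {}, None, set(), set()
    for line in (l.strip() for l in conf.splitlines()):
        low = line.lower()
        if low.startswith("<location"):
            path, st, exempt = line[1:-1].split(None, 1)[1], set(), set()
        elif path is None or not line or line.startswith("#"):
            continue
        elif low.startswith("</location"):
            if "dav" in st:
                found = []
                if "read_auth" not in st:
                    found.append("anonymous-read")
                if "basic" in st and "ssl" not in st:
                    found.append("basic-auth-without-ssl")
                report[path] = found
            path = None
        elif low.startswith("<limitexcept"):
            # Methods listed here are exempt from the directives inside the block.
            exempt = set(line[1:-1].upper().split()[1:])
        elif low.startswith("</limitexcept"):
            exempt = set()
        elif low.split() == ["dav", "svn"]:
            st.add("dav")
        elif low.split() == ["authtype", "basic"]:
            st.add("basic")
        elif low == "sslrequiressl":
            st.add("ssl")
        elif low.startswith("require ") and low != "require all granted":
            if not (exempt & READ_METHODS):   # Require also covers read methods
                st.add("read_auth")
    return report

if __name__ == "__main__":
    for name in ("OPEN_READ", "AS_POSTED", "HARDENED"):
        print(name, audit(globals()[name]))
```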