Interesting People mailing list archives
IP: A response from Purdue on Good question NSA TAPS UNIVERSITIES FOR INFO SECURITY STUDIES -- from Edupage
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 17 May 1999 17:23:21 -0400
Date: Mon, 17 May 1999 16:15:31 -0500
From: spaf () cs purdue edu (Gene Spafford)

As director of the CERIAS at Purdue, the focus of infosec work here, I'll respond.

> Date: Mon, 17 May 1999 11:03:01 -0700
> To: farber () cis upenn edu
> From: Jim Warren <jwarren () well com>
> Subject: Re: IP: NSA TAPS UNIVERSITIES FOR INFO SECURITY STUDIES -- from Edupage
>
> > The National Security Agency ... says the centers will become "focal points for recruiting, and may create a climate to encourage independent research in information assurance." The seven universities--James Madison, George Mason, Idaho State, Iowa State, Purdue, Idaho, and the University of California at Davis--will be formally named at an IBM information security systems conference on May 25-29. (EE Times Online 05/12/99)
>
> But one of the most important questions is -- will those institutions vigorously pursue public research sharing and enforce open publication of their research results? Or will they just grab the NSA money and obediently trash the most fundamental principle of academic freedom?

First of all, this designation by NSA/DoD has no money associated with it, so any greed we might be accused of is not a factor here. :-)

Purdue does not conduct any classified research: we have no facilities to do it, and no particular interest. In infosec in particular, with 3/4 of our CS grad students non-citizens (and perhaps 1/2 of our faculty likewise), this would be very difficult to do.

Purdue is a public, land-grant institution committed to research in the public good. Standard policy is to publish our results. Historically, Purdue has been at the forefront of making scientific research public. I have (once) been involved in the process of holding back a thesis for a few months and it is onerous to accomplish -- the university system does not support it.

The CERIAS is supported by 16 commercial entities and the university itself. All have equal stake in what we do, and our goal is to share information with them. We explicitly state that we do not perform proprietary research -- that is contrary to our mission.

There is also the factor that I am the director of the CERIAS (and the campus Information Systems Security Officer). My career has been devoted to making security information and research public, whether in my books or articles, or embodied in our software (starting with COPS, and our most recent work in public vulnerability database sharing -- which, by the way, was funded by NSA.). The only times I have not published information are when publication would result in immediate risk to others -- I am not an advocate of full disclosure until after fixes have been made available -- but even then, I eventually published after fixes were available.

Also, I doubt that anyone who knows me would consider me "obedient." :-)

If you don't trust the institutions or people involved, it doesn't matter what we say. And in the end, security (infosec or otherwise) is all about trust. Draw your own conclusions.

--spaf