Securitymetrics.org has changed hosting providers. If you can read this message, it means that you are seeing the new server. Nice and fast, eh?

If you have registered with the securitymetrics.org website within the last 24-36 hours, you may need to register again.

Dear Sir,

Please stop printing sensationalist headlines.

The headline of your article on 21 April 2006, "Report: Non-Windows attacks on the rise" gives the misleading impression that non-Windows platforms are increasingly being "attacked", and cites a recent Kaspersky report by Konstantin Sapronov as evidence. In fact, the report says nothing of the kind.

The report states that the number of malware samples Kaspersky Lab collected increased in 2005 to 863, from 422 in 2004. That is indeed a substantial increase, but the report is very careful not to characterize these as "attacks" — defined per Oxford as "aggressive and violent actions against persons or places." Obtaining malware programs is not the same as reporting an attack. Indeed, Sapronov cites only one bona fide infection, noting that with respect to actual Linux incidents, "it was a quiet year...as for other Unix platforms, the situation is even quieter." Other than that, no other evidence of specific actions against any particular person or place was cited in Kaspersky's report, and I am sure they did not intend to imply any.

In addition, it would be entirely unfair to mention Kaspersky's malware report on non-Windows platforms without mentioning their accompanying Windows report also. That report states that the number of Windows-related malware programs detected by Kaspersky Lab increased to 53,950 in 2005 from 2004's 31,726. That is a number 60 times larger than the Linux figure, and is certainly more worrying than a few hundred new malware samples, very few of which have been claimed to cause any harm to anybody.

Best regards,

Andrew

(sent from my YG account 25 April 2006)

First Workshop on Security Metrics (MetriCon 1.0), August 1, 2006 Vancouver,B.C., Canada

Overview

Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may be your antidote to change security from an artistic "matter of opinion" into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for numbers has come.

MetriCon 1.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific implementations. Topics and presentations will be selected for their potential to stimulate discussion in the Workshop.

Workshop Format

MetriCon 1.0 will be a one-day event, Tuesday, August 1, 2006, co-located with the 15th USENIX Security Symposium in Vancouver, B.C., Canada. Beginning first thing in the morning, with meals taken in the meeting room, and extending into the evening.

Attendance will be by invitation and limited to 50 participants. All participants will be expected to "come with opinions" and be willing to address the group in some fashion, formally or not. Preference given to the authors of position papers/presentations who have actual work in progress.

Each presenter will have 10-15 minutes to present his or her idea, followed by 15-20 minutes of discussion with the workshop participants. Panels may be convened to present different approaches to related topics, and will be steered by what sorts of proposals come in in response to this Call.

Goals and Topics

The goal of the workshop is to stimulate discussion of and thinking about security metrics and to do so in ways that lead to realistic, early results of lasting value. Potential attendees are invited to submit position papers to be shared with all. Such position papers are expected to address security metrics in one of the following categories:

• Benchmarking
• Empirical Studies
• Metrics Definitions
• Financial Planning
• Security/Risk Modeling
• Visualization

Practical implementations, real world case studies, and detailed models will be preferred over broader models or general ideas.

How to Participate

Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five(5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to MetriCon AT securitymetrics.org.

Presenters will be notified of acceptance by June 15, 2006 and expected to provide materials for distribution by July 15, 2006. All slides and position papers will be made available to participants at the workshop. No formal proceedings are intended.

Simultaneous submission of the same work to multiple venues, submission of previously published work, and plagiarism constitute dishonesty. The organizers of this Workshop as well as USENIX prohibit these practices and will take appropriate action if dishonesty of this sort is found.

Location

MetriCon 1.0 will be co-located with the 15th USENIX Security Symposium (Security ’06).

Cost

$200 all-inclusive ofmeeting space, materials preparation, and meals for the day.

Important Dates

• Requests to participate: by May 15, 2006
• Notification of acceptance: by June 15, 2006
• Materials for distribution: by July 15, 2006

Workship Organizers

• Andrew Jaquith, Yankee Group, Chair
• Adam Shostack, emergentchaos.org
• Gunnar Peterson, Artec Group
• Elizabeth Nichols, ClearPoint Metrics
• Pete Lindstrom, Spire Security
• Dan Geer,Verdasys