13 comments

[ 2.4 ms ] story [ 39.9 ms ] thread
HN people with any interest in software security: submit to WOOT! I'm co-chairing it this year.

USENIX WOOT is the academic equivalent of Black Hat or CanSec. It's a software security conference with a special focus on "offensive" security: vulnerability research, exploit development, and technology failures that lead to those things.

If you were going to summarize the point of WOOT in one sentence: it's an effort to cross-pollinate academic research with industry research that works by getting the kind of work that would normally be submitted to Black Hat, CanSec, Defcon, RECON, and ShmooCon and also getting it into the academic cite record.

I'm trying to get WOOT to do a better job of engaging the open source and startup communities.

WOOT does a pretty good job of getting contributions from the "software security industry" (consultancies, security product companies, security research labs). But more and more interesting and relevant work is being done in the context of small projects. If you've built, say, a website that processes financial transactions, and had to build up countermeasures for fraud that's work that's relevant to WOOT, and WOOT is interested in publishing it. If you've build a NoSQL database and had to come up with a threat model to deal with new kinds of injection attacks, or to deal with malicious cluster nodes: totally WOOT-worthy. As long as the work focuses on the "attacker" side of the security problem, it's relevant to us.

You don't need to write a paper to submit! We're interested in outlines and sketches of work, and will help you turn that work into a paper. You don't have to write speculatively for us.

WOOT is relatively high profile. An accepted WOOT paper is a meaningful contribution to the academic literature. We'd like to see more of it come from the kinds of people who contribute to HN.

The proceedings from the previous 8 years of WOOT are available online. Check out last year's, which includes (for instance) some pretty great work from Dan Boneh, Grant Ho, Niels Provos and Lucas Ballard:

https://www.usenix.org/conference/woot14/workshop-program

Happy to answer questions!

I am incredibly thrilled to see you move the workshop in this direction. Also incredibly happy to see you team up with the PoC||GTFO crew to help shake things up. Academic publishing is in really bad need of it.

I am less excited however, that with these goals you decided to have the workshop so close to CCC Camp. I assume that was USENIX scheduling, but kinda rough for people going to CCC Camp to go to WOOT too.

Edit: I originally thought this was during CCC Camp and freaked out. My calendar was wrong, sorry about that.

Getting Travis Goodspeed involved was Aurelien's idea, not mine. :)

I'm glad what we're trying to do this year makes sense. Shoot me ideas for program committee members! We really want to get some new faces this year.

Are you all only interested in vulnerabilities and exploits, or can anything more high-level/weird be sent it?
The easiest answer I can give is, if you're interested in developing a paper for WOOT, you can shoot me some mail and I can give you a sense of how close it is to the target WOOT has.

The WOOT Program Committee selects papers; I'm just one of them. But I should be able to give pretty good feedback.

I'm having a hard time understanding the point of this. I mean, it sounds like you're collecting random projects by non-academics and rubber stamping them into an academic paper, which wouldn't be a meaningful contribution to academic literature. What does the data reporter get, a co-authorship on the paper that becomes a blurb on a resume? Will an academic institution take this seriously, or would it taint further research based on the paper? I must be missing something.
WOOT is the highest profile conference on "offensive security"†. The point of publishing in WOOT is the same as publishing in any other academic conference. WOOT has published, just in the past few years, Dawn Song, Matthew Green, Dan Boneh, Niels Provos, Thorsten Holz, Zakir Durumeric, Solar Designer, Joe Grand, Sergey Bratus, Ralf-Philipp Weinmann, Dionysus Blazakis, Julien Vanegue, Rolf Rolles, Collin Mulliner, Stefan Savage, Travis Goodspeed, Stephen Checkoway, and Felix Lindner. Those are just the names I personally recognize; they've published many, many more than that.

Unlike in theoretical CS, a lot of work in WOOT's domain is done in the industry. So WOOT makes an effort to solicit contributions from the industry.

Does that make more sense?

I hate that term, but look at the topics in the CFP to see what it means

You forgot to put your † somewhere.
I think I was reading too much into it, and conflating computer security research with hard science research. I assumed academic conferences required academics or academic students with peer-reviewed papers whose results would then be taken as serious scientific research, but it seems the opposite is more common. I'm still not really sure what the distinction between academic computer security research and industry computer security research is, other than one is more theoretical (?)
USENIX is peer reviewed just like every other academic conference. For each of the last ~8 years, you can go to the WOOT site and look at the program committee. The PC includes professors and university researchers, many of them renowned. I'm not sure what part of "high profile" I'm failing to get across here.
Also: we're still putting the Program Committee together. I'd love (in email, please) suggestions for PC candidates that aren't from the software security industry or academia.

Being on the PC isn't a huge time commitment; it's just reading papers and calling out the particularly interesting ones.