nCircle.com >> 360 Security


cansecwest/core06: "final notes on day2"

Dude, I am tired. I’ll just cap the rest of day 2 in this single entry.

Alex Stamos
Title: “Attacking Web Services”
Attacks on XML, SOAP, and AJAX.

You owe it to yourself to grab the presentation from
https://www.isecpartners.com/speaking.html
This is mandatory reading for anyone looking for soft tissue to penetrate.
People, you need to understand this stuff in order to secure yourself.
Whether you believe me or not, somewhere in the world right now, some highly critical and sensitive information is going over an insecure web-service infrastructure.

I am tempted to go on and on but I’ll let the presentation speak for itself.
It will blow your mind. If you just can’t wait to have nightmares, check out
http://en.wikipedia.org/wiki/UDDI
This talk could have been called “New protocols that take the guesswork out of hacking sites”


Christopher Abad
Title: “Advancement in Anonymous e-Annoyance”

I am going to have to get a little personal on this posting. Abad worked for me at nCircle for a little while and a lot of people including myself miss the guy. First off, you will not find someone more genuine on the planet. Abad is who he is and does not make excuses. He is the real deal.

His topic was built on the fact that the Internet he knows is not about computers, it is about people and social dynamics. Just like the writer transcends the keyboard, the social creature called a human transcends all of this technical crap. Ask my kid about CPU, RAM, ‘sploits, TCP/IP and you get nothing; ask my kid about MySpace and MMORPGs and you get more detail than you can handle.

Early in my life, as you have already heard, I worked for Broderbund Software. Anyway, in Oct 1993 I opened the doors to a MOO called Baymoo. I still run it and if you are interested, check it out.
telnet://baymoo.org:8888
Anyone who has read any early research on these electronic communities (as they were called) knows that they are like human ant farms. As a designer, the first thing you must do is relinquish control. Give it up. Your job is to create communication and trust, and from those two factors everything else will follow. As long as both communication and trust are present, non-zero-sum relationships emerge. Take away either and zero-sum relationships will form. I could completely relate to what he was communicating with his presentation.

The talk covered ways of subverting some of the safeguards these social worlds have in place and thus abusing their trust models. That was the essence of the talk.

Even when you get to the masses and ask them what security is, they will tell you something that has more to do with the hearts and minds of society than with firewalls and crypto. ☹

*****My last notes on the show*****
Marty Roesch was wearing the funniest t-shirt at the show. It read:
“I got acquired by Checkpoint and all I got was this lousy shirt”
He got up and showed Snort's new architecture. It is awesome and his passion for Snort is infectious. The new stuff is basically taking advantage of multiple processors, since everyone is going multi-core. Great move. Rock on Marty!

Dan Kaminsky never disappoints. He did some really impressive visualization demos. ‘xovi’ can be found on his site:
http://www.doxpara.com.nyud.net:8090/xovi/xovi_02.zip
He also suggests an awesome book:
http://www.boost.org/libs/graph/doc/
Seriously, how can you not get totally excited about graphs!
To me, graphs represent the language of the gods.

I might not have much to say about Day 3 of Cansecwest because I’m not sure about my travel back to Austin. Thanks for listening.

--tk

Comments (2)

Many of my African-American friends mentioned their disapproval of the racially denigrating portrayal of blacks in Mr. Abad's presentation. It was completely unacceptable for a professional environment.

I sympathize with Mr. Dan Kaminsky whose face Christopher drew upon with a sharpie. Also Theo deRaadt who was physically assaulted with a finger blow to the nose after Christopher falsely informed him that there was 'something on his shirt'. Overall the type of juvenile behavior shown from Christopher during Cansecwest would be less ill fitting on a playground or perhaps a manual labor environment but not among qualified security professionals.

tk:

Dave, point taken. I was commenting purely on some of the research he had done regarding social networks and the anthropological phenomenon he was trying to surface.

I was completely unaware of these incidents you note in your comment about Theo and Dan. These are unacceptable in ANY setting be it security conference or any conference for that matter.

I have worked with Abad before and his creative contribution is always a bit on the edge but I've never seen him be malicious. When I say that he is the real deal, I mean that you are never talking to the fake Abad, you always get the real person. He never puts up a front, he just is. Crass and sometimes obnoxious? Embarrassedly yes. Stunning creative contribution? Embarrassedly yes.

If you think about it, this thread we are having right now points to some of the exact 'brand' protection like issues Abad spoke of in his talk. In fact, without a proper digital signature on this posting, it would be Abad himself authoring it. (it is not but I am just trying to make the point)

The best way to deal with all of this is directly. He put his contact stuff up at the show but here is his mathclub link.
http://www.the-mathclub.net/index.php/About_Me

Just to be clear, I am not defending Abad or his actions at all, I am just looking at the science he was trying to present at the conference which is why I suspect he was asked to present in the first place.

--tk


About

This page contains a single entry from the blog posted on April 7, 2006 1:15 AM.
