Unofficial Report on Toorcon 2003 Information Security Conference
align="middle" border="0" />
These notes are on a conference I attended last weekend (on my dime, or
actually 500 dimes and tax-deductible). This is an annual conference for
people interested in computer security. This includes the whole range of
hackers, computer hobbyists, professionals, security consultants, press,
law enforcement, prosecutors, FBI, etc. I'm told by someone who also goes
to Defcon in Las Vegas that it's like Defcon but without the rowdyness.
Toorcon had an open bar party until 3 am, which is way past my bedtime.
I've only summarized what I felt were the best of the talks I've attended.
The "con" was held at the Hyatt downtown. Nice place on the bay and
the largest coastal hotel in Southern California. Next to us, a local
Iranian group was having a banquet. Since I can't read Arabic, I couldn't
tell what it was about, but I wish they had a few extra meals :-).
SAIC setup a "root wars" contest where they had various systems,
including Solaris, set up with vulnerabilities open. It took the
contestents several hours to own the systems, but I think all were had.
They gave points for owning systems and took points away for excessive
The following are not necessarily my views nor of my employer.
I have not verified anything below.
I could have easily misquoted or misparaphrased also.
These are my notes, so it has typos and isn't highly polished.
I may have misinterpreted other people's words or ideas.
Keynote: Past, Present, & Future of Security, Robert X. Cringely
I've read many of his columns, but I've never heard him. He's a funny
speaker with a long perspective in the computer industry.
Robert invented the Trashcan for the Lisa. This was motivated by
accidentally deleting his book manuscript after it was 2/3's complete
on an IBM word processing system that had broken backups.
The main point of his talk was that people worry too much about
logical security but forget about physical security. For example, one
software company they had a good firewall, but haven't even considered
"screening"---capturing screen content from a van that may be parked
outside. Social engineering is more common and a lot easier than
breaking in through a network.
An idealistic attitude among some people was that "information is
power." Information will liberate people from oppressive governments
and corporations. However, that's not true. Information is not power,
but power is power. Lawsuits and court orders to reveal ISP customers
is a reality. Another example is China. Robert asked ChinaNet how can
you possibly firewall 1 billion Chinese? They said it will probably
never work completely, but they will keep trying until it does work.
Perfection is not a requirement.
Keynote: Security Has Little to do With Security, Bruce Schneier
The next keynote speaker (How can you have more than one keynote?) was by
Bruce Schneier, of Counterpane, on why security has so little to do with
(technical) security. His main points was there was to much immediate
emotional reactive solutions to security and too much focus on logical
security over good planning and also worrying about physical security.
There are also tradeoffs--is the solution worth it? Also, security
is not always in your control or your decision. For planning, some
good questions to ask are: 1) What assets do you need to protect, 2)
what are the risks to the assets, 3) how will these risks be mitigated,
4) what is the impact of proposed solutions, and 5) what are the costs
Bruce was asked about Cyber warfare. He said there's much more concern
about physical warfare. That's because cyber warfare (or actually cyber
inconvenience) brings unpredictable results. You never know the impact
of the disruption in advance, and it's really a inconvenience--and not
anything like real terrorism.
Encryption and the DMCA law is being used to lock people into proprietary
software. For example, MS is encoding Word documents for it's next
version, making attempts by 3rd-party software to read Word documents,
such as StarOffice illegal, just like playing DVD movies with open
software is illegal now.
He was also asked about his colleague Daniel Geer who was fired from
@stake for saying what everyone knows--a monoculture of MS software
is a security risk, because security breaches impact almost everyone.
He was fired, even though everyone should know what he said is his
personal opinion and not any companies he works for. MS is a major
client for he company he works for. But, he said, he will have no problem
getting a job and the firing gave more attention to the report, especially
to the mainstream media, than if the company would have just ignored it.
Top 75 Hacker Tools by Justin Lundy, www.tegatai.com.
Cavaet: some tools sometimes give warnings which require analysis--not
Vulnerability Reporting and Legal Liability
By Jennifer Granick, director of Stanford's Center for Internet
Remember, IANAL and I may be mis-paraphrasing. Jennifer reviewed various
legal issues, such as full disclosure and DMCA. It was a unique
experience to hear a lawyer who's technically competent :-).
Full vulnerability disclosure. There's a dual nature of full
disclosure--to exploit systems and protect systems. Disclosure can be
protected by free speech rights because disclosure tools are software,
which is considered a form of speech. However, it's also a tool that can
be used for harm. One important question is is the vulnerability (and
software) disclosed with an agreement or intention to be used for illegal
acts. If so, it's considered conspiracy and therefore an illegal act.
DMCA goes beyond copyright in that it controls how you use copyrighted
works, not just restricting you against making copies.
Security testing is OK and not a violation if in good faith and done
with authorization and the results are not distributed to cause harm.
Spyware is illegal unless all parties consent (need a Federal warrant).
This includes keyboard monitors, for example.
Reverse engineering is OK for enabling software interoperatability.
Jennifer made a general point that rights in the "real" world have been
erroded in the "electronic" world. For example, you can take your car
apart and add or modify parts. Do that to an XBox, for example, may
get you in jail.
802.11 TGi Proposal by Laurent Butti & Franck Vieysset, France Telecom,
802.11 has a infamously weak security protocol. Proposed workarounds
break wi-fi interoperability.
802.11 TGi proposal authenticates with IETF EAP. WPA subset of IEEE
802.11 TGi. Intended for ratification Q2/2004. Goals are a new framework
with high-flexibility authentication methods independent of protocol.
EAP has multiple methods, e.g. TLS tunnel, and was originally for PPP.
Avoid man-in-middle attacks with handshake protocol. WPA is an existing
standard now. Avoids HW upgrades, backward compatible, and may be
Electronic Freedom Foundation,
Cory Doctorow talked about civil liberties, Internet, and copyright.
He's a science fiction and technology writer.
EFF won ruling that email is like phone conversations--can't tap without
a warrant. Lost that with recent Homeland Security Act, where any
government employee with an excuse can look at your email.
EFF lost copyright ruling, where the Supreme Court said copyright is
renewable forever, as long as it's for incrementally limited times.
Previous fears against new technology reducing income to artists
unfounded. Piano music rolls, radio, VCRs, and cable TV all had new
micro-payment models that resulted in more income to artists than before.
RIAA lawsuits will only result in tools with better anonymity and
encryption and higher use of these technologies. Russian State Dept. is
telling scientists not to come to America because they put people in
jail for talking about the wrong thing.
/dev/erandom -- Provably Secure PRNG
Seth Hardy, tsumega.com
Improves Linux /dev/random and /dev/urandom,
including removing unneeded operations.
Discussed random, pseudorandom, quasirandom, uniform distribution,
entropy measurement, extractors. Entrophy gathering currently lacks
in Linux--keyboard/mouse oriented and not good for servers--but that's
another area. /dev/random blocks, urandom doesn't.
Extractor takes "bad" distribution and "smooths" distribution to a
"good" one. This is hard, and part of Seth's academic work. Warning:
"Provable" does not mean the implementation is unbreakable or bug free.