Friday, February 17, 2006

RSA Conference 2006 Wrap-Up, Part 1

I'm using T-Mobile at the San Francisco airport as I write this, on my way home from the RSA Conference 2006. Here are my thoughts on my first RSA conference: Holy vendors, Batman. This seemed to be a show by vendors, for vendors. In some ways the presentations were afterthoughts, or just another way for some vendors to describe their products or upcoming technologies. I plan to report on one or two cool products I encountered on the exposition floor, but for now I'll quickly mention the talks I saw.

I began Tuesday by attending a briefing advertised as a discussion of wireless intrusion detection. Instead of learning something new, I heard an IBM employee describe wireless as if the audience had never heard of it. Buddy, it's 2006, for Pete's sake. That was a wasted hour.

Next I listened to Chris Wysopal discuss static binary analysis to discover security vulnerabilities. In contrast to another ex-@Stake/ex-L0pht member (mentioned later), Chris was coherent, informative, and worth seeing. He mentioned that compilers sometimes introduce vulnerabilities that were not intended by the coder. This is called What You See Is Not What You eXecute, or WYSINWYX (.pdf). For example, an older version of a Microsoft compiler decided that it was not necessary to clear memory before freeing it, as instructed by the coder. Instead, the compiler created an executable where passwords or other sensitive information could be found in memory.
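The "clear, then free" case Chris described is dead store elimination: the compiler sees that the buffer is never read between the memset and the free, so it may legally drop the memset. The following is an added example (not from the talk, the WYSINWYX paper, or this post) showing the naive pattern beside a hardened one that routes memset through a volatile function pointer, the same trick used by several crypto libraries; the `"hunter2"` secret and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Naive pattern. The memset is a "dead store": buf is never read between
 * the memset and the free, so an optimizing compiler is entitled to drop
 * it. The source says "clear, then free"; the binary may only free,
 * leaving the secret in the heap for anyone who can read that memory.
 */
void naive_wipe_and_free(char *buf, size_t len)
{
    memset(buf, 0, len);
    free(buf);
}

/*
 * Hardened pattern. Calling memset through a volatile function pointer
 * forces the compiler to load the pointer at run time and call whatever it
 * points at, so it can no longer prove the store is dead and must keep it.
 * Where available, C11 memset_s() or BSD/glibc explicit_bzero() exist for
 * exactly this purpose; the volatile-pointer form is portable C99.
 */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t len)
{
    memset_ptr(p, 0, len);
}

void secure_wipe_and_free(char *buf, size_t len)
{
    secure_zero(buf, len);
    free(buf);
}

/* Returns 1 if every byte in [p, p+len) is zero, else 0. */
int all_zero(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (p[i] != 0)
            return 0;
    }
    return 1;
}

/*
 * Copies a constructed secret into the heap, wipes it with secure_zero,
 * and reports whether the wipe took effect. Returns 1 on success, 0 if
 * bytes survived, -1 on allocation failure.
 */
int demo_secure_wipe(const char *secret)
{
    size_t len = strlen(secret) + 1;
    char *buf = malloc(len);
    if (buf == NULL)
        return -1;
    memcpy(buf, secret, len);
    /* ... the secret would be used here, e.g. handed to an auth routine ... */
    secure_zero(buf, len);
    int ok = all_zero((const unsigned char *)buf, len);
    free(buf);
    return ok;
}

/* Same check for a stack buffer, the case explicit_bzero was designed for. */
int demo_stack_wipe(void)
{
    unsigned char key[32];
    memset(key, 0xAA, sizeof key);   /* stand-in for key material */
    secure_zero(key, sizeof key);
    return all_zero(key, sizeof key);
}

int main(void)
{
    const char *pw = "hunter2";  /* constructed sample secret */
    printf("heap wipe:  %s\n", demo_secure_wipe(pw) == 1 ? "ok" : "FAILED");
    printf("stack wipe: %s\n", demo_stack_wipe() == 1 ? "ok" : "FAILED");

    /* Naive path for comparison; whether its memset survives is up to the optimizer. */
    char *tmp = malloc(8);
    if (tmp != NULL) {
        memcpy(tmp, pw, 8);
        naive_wipe_and_free(tmp, 8);
    }
    return 0;
}
```

The check a practitioner wants is on the binary, not the source, which is the whole point of WYSINWYX: build with `cc -O2 -o wipe wipe.c`, then `objdump -d wipe` and compare the bodies of `naive_wipe_and_free` and `secure_wipe_and_free`. The hardened function always contains an indirect call through `memset_ptr`; whether the naive one still contains any store or `memset` call depends on the compiler and version, so treat its presence as something to verify rather than assume.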

Chris mentioned the Software Assurance Metrics and Tool Evaluation project, which I intend to visit. He also discussed why he would like to see an EnergyStar-like rating for software. The rating might say, "Of the financial applications subjected to binary security analysis, the best score was 112, the worst was 24, and this application rates 86. This program's estimated incident response and patching cost is $1600 per server per year when customer-facing, and $400 per server per year when kept in-house." He concluded the talk by describing how defenders are being destroyed by adversaries who get inside their OODA loops.

After Chris I saw Dan Geer speak. That was certainly a valuable hour. He postulated that "data value and data mobility are conjoined," and that "it's not security if it's not cost-effective." Dr. Geer discussed relationships between predators and prey, and how they evolve together. He focused on data "as the point and focus of security," where the "perimeter must contract down to data." He believes data is at risk when it changes state, when it goes from being at rest (in storage) to being in motion (in use). Dr. Geer believes data must be protected at that point of transition.

I was very pleased to hear and see these thoughts: "Monitoring is the first priority. You cannot manage what you cannot measure. The unknown unknowns will kill you. Rumsfeld was right." Attacks which do not reveal themselves require preemption. Preemption requires intelligence. Intelligence requires surveillance. But what should you observe, people or data? Dr. Geer prefers observing data.

To perform that observation, he invoked the idea of a reference monitor (citing Anderson, circa 1972) that watches all data access, and can intervene when necessary. It acts by analyzing "traffic" (ostensibly data manipulation, not packets) and does not use content inspection to make decisions. Dr. Geer concluded by saying that trusted computing can be implemented in software or hardware. Software implementation favors innovation with a default permit stance, while hardware favors safety and a default deny stance. I obviously cannot do either of these talks justice, but if you'd like to hear more, these talks should be sold through RSA in audio format.
