Wednesday, August 06, 2003

Recent Security Conference Thoughts

Over the last three weeks, I've attended and/or spoken at events held by SANS, Black Hat, and USENIX. I was struck today by my perceptions of each group of attendees, which don't necessarily reflect the attendees of the past:
  • SANS is less of a "conference" and more a source of weekly classes, populated mainly by newbies. Some of the instructors, like Ed Skoudis and Eric Cole, rock. The SANS archive begins with SANS Network Security 99, which I attended. Back in 1998 and 1999, SANS was known for its "SANS" conference held in the spring, and its "Network Security" conference in the fall. The audience was much different then; people I only saw once a year met me at SANS. Now I confine myself to invited talks where I present my own material or niche courses lasting one or two evenings.

  • Black Hat was strictly an annual event from 1997 to 1999. In 2000 Black Hat branched out to Singapore and Amsterdam, and now 3-4 "conferences" are held each year. Still, Black Hat (at least in Las Vegas) has retained its "hacker image," with the audience consisting of assessment-minded white hats, brave gray hats, and lots of feds. This is now my favorite conference and I see most of my "once-a-year" colleagues here.

  • This week is my first USENIX Security symposium. What can I say -- it's all researchers. I'm surrounded by college kids with grants from DARPA, NSF, and other agencies! USENIX has quite an international flavor too, and acts more academic. For example, while SANS sells thick books of slides, and Black Hat provides all its slides on CD-ROM (smart), USENIX publishes "proceedings," complete with ISBN. Eventually they will be online, but I found these to be interesting:
    • Two by Niels Provos, who wins the "most-blacked-out-entries-on-a-web-site award," with "Preventing Privilege Escalation" (.pdf) (think OpenSSH) and "Improving Host Security with System Call Policies" (.pdf) (think systrace)

    • "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" (.pdf.gz) -- props must go out to Mike Schiffman's libradiate, since he paved the way last year!

    • Andy Ellis of Akamai gave an awesome talk on administering 14,000 servers, but his slides aren't online. He described the Internet as being composed of "10,000 economic entities," NOT "dominated by seven or eight ISPs," and said "most traffic reaches users via small access networks," like T-1s and T-3s. He also said "BGP is all about screwing your neighbor," because ISPs want to get traffic off their pipes if the endpoint isn't on their network! So, they advertise high metrics, and as a result BGP offers neither performance nor reliability. He related how Level 3 had a problem a few years ago, when it attracted all Internet traffic by mistakenly advertising a "negative metric." Andy described how Akamai maps out 50,000 "core points" every 12 hours via ping and traceroute; only two core points are involved in any given Internet session. Akamai routes requests for content over an "overlay network," and maps users to the closest content based on the DNS server they used to resolve hostnames.
I'm interested in attending CanSecWest next spring. It's a small annual event which features interesting speakers, similar to Black Hat.