part 1. I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group.
I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze Mudge rambled (for a quarter of his allotted time) about "The Aristocrat's Joke" while pleading with the audio guy to disable the recording of his talk. Eventually he half-turned his attention to his slides, and struggled to make the point that internal intruders don't launch exploits when they can simply browse sensitive information using native file sharing options. He was also really excited by a paper Vern Paxson published in 2000 about detecting stepping stones, and we heard other historical tidbits of no real significance.
I saw Mudge present to the AFIWC eight years ago, when he had something intelligent to add to the security discourse. Those of us who suffered through his "presentation" last Thursday should get a refund for that talk. It was unprofessional, uninformative, and in many ways plain sad, in vast contrast to the great presentation by fellow ex-L0pht member Chris Wysopal. Am I bitter? Sure, I had high expectations, and I missed listening to other speakers in the same time slot.
The RSA conference redeemed itself when I attended a presentation by Peter Woods from Microsoft. He described the new User Account Control architecture in Windows Vista. (UAC has its own blog too!) In a nutshell, UAC means everyone runs as a Standard User -- even administrators. If a user with administrator powers logs on, he or she operates with a "filtered token." When an action requires administrative powers, it will be displayed with a "shield" icon, as seen in the image above.
Peter described a variety of security features in Windows Vista, many of which will be familiar to Unix users of sudo and programs implementing privilege separation. I was a little worried when Peter described Microsoft's Assistive Technology (AT) features. These are designed to help people who cannot use a mouse and keyboard. Microsoft is trying to ensure that the same techniques that help an AT user cannot be used by malware to install itself without the user's consent.
Peter briefly discussed Internet Explorer 7, which he said runs in a protected mode that is at a lower trust level than the desktop. He mentioned Software Restriction Policies (not new).
Overall I was very impressed by Peter's presentation. Microsoft seems to be getting its act together. (I personally plan to buy a new laptop late this year once Vista is available. Of course I will dual-boot with FreeBSD!) Call me naive, but I believe (and have heard from exploit developers) that it is getting more difficult to find vulnerabilities in the Windows OS. I will be curious to see the results of the latest iDefense program. Based on work I've seen by eEye and others, intruders are going to spend more time on the low-hanging fruit of poorly coded embedded devices like SOHO routers and related gear. They will also continue to target applications as the OS becomes more resilient.
I finished Thursday with John Pearce, a consultant with Booz Allen Hamilton. He presented his impressions of IPv6, including an overview of tunneling methods and packet captures. John reinforced that I have a lot of learning to do, like being able to instantly recognize certain prefixes. I also need to see if my preferred session tools will notice IP Protocol 41, used for carrying IPv6 inside IPv4. IP Protocol 47 (GRE) is another option to check. John made the interesting point that even after IPv6 is widely adopted, "there's a fairly good chance that IPv4 will never go away." John recommended we read Sean Convery's paper on IPv6 security.
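A quick way to check whether a session or capture tool sees the tunnels John described is to run its output against a known sample. The following script, added here as an illustration and not part of the original post or any tool it mentions, parses raw IPv4 packets, flags IP Protocol 41 (IPv6 inside IPv4) and IP Protocol 47 (GRE) when the GRE protocol-type field announces an IPv6 payload, and labels the inner IPv6 addresses with well-known prefixes (6to4 2002::/16, Teredo 2001::/32, link-local, unique-local) so they become easy to recognise at a glance. The packets it inspects are constructed in the script itself; addresses are documentation ranges, not captured traffic.

```python
"""Flag IPv4 packets carrying tunnelled IPv6: IP proto 41, or GRE (47) with ethertype 0x86DD."""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv6-in-IPv4 (6in4, 6to4)
IPPROTO_GRE = 47         # Generic Routing Encapsulation
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol-type value for an IPv6 payload

# Well-known IPv6 prefixes an analyst learns to spot instantly.
KNOWN_PREFIXES = [
    (ipaddress.ip_network("2002::/16"), "6to4"),
    (ipaddress.ip_network("2001::/32"), "Teredo"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("fc00::/7"), "unique-local"),
]


def label_prefix(addr):
    """Name the well-known prefix an IPv6 address falls in, or 'global/other'."""
    for net, name in KNOWN_PREFIXES:
        if addr in net:
            return name
    return "global/other"


def parse_ipv6(buf):
    """Return addressing from a raw IPv6 header, or None if buf is not a complete IPv6 header."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    src = ipaddress.IPv6Address(buf[8:24])
    dst = ipaddress.IPv6Address(buf[24:40])
    return {
        "inner_src": str(src), "inner_dst": str(dst),
        "inner_next_header": buf[6],          # byte 6 of the IPv6 header is Next Header
        "src_prefix": label_prefix(src), "dst_prefix": label_prefix(dst),
    }


def gre_header_len(flags):
    """Base GRE header is 4 bytes; each optional field adds 4 (RFC 2784/2890, RFC 1701 routing bit)."""
    hlen = 4
    if flags & 0xC000:   # checksum (C) or routing (R) bit: checksum + offset word present
        hlen += 4
    if flags & 0x2000:   # key (K) present
        hlen += 4
    if flags & 0x1000:   # sequence number (S) present
        hlen += 4
    return hlen


def classify_tunnel(pkt):
    """Classify one raw IPv4 packet; return a dict describing an IPv6 tunnel, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes
    proto = pkt[9]                         # IPv4 Protocol field
    outer = {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
             "outer_dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    payload = pkt[ihl:]
    truncated = {"note": "inner IPv6 header truncated or invalid"}
    if proto == IPPROTO_IPV6:
        return {"tunnel": "6in4 (proto 41)", **outer, **(parse_ipv6(payload) or truncated)}
    if proto == IPPROTO_GRE and len(payload) >= 4:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype != ETHERTYPE_IPV6:
            return None                    # GRE carrying something other than IPv6: out of scope here
        inner = parse_ipv6(payload[gre_header_len(flags):])
        return {"tunnel": "IPv6 over GRE (proto 47)", **outer, **(inner or truncated)}
    return None


# --- constructed sample traffic (documentation addresses, not a real capture) ---
def _ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _ipv6(src, dst, next_header=58, payload=b"\x80\x00\x00\x00\x00\x01\x00\x01"):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# A 6to4 host tunnelling directly over proto 41, the same kind of packet inside GRE with a key
# field set, and a plain TCP packet that should not be flagged.
SAMPLE_6IN4 = _ipv4(IPPROTO_IPV6, _ipv6("2002:c000:20a::1", "2001:db8::53"))
SAMPLE_GRE = _ipv4(IPPROTO_GRE, struct.pack("!HHI", 0x2000, ETHERTYPE_IPV6, 42)
                   + _ipv6("fe80::1", "2001:db8::1"))
SAMPLE_TCP = _ipv4(6, b"\x00\x50\x00\x50" + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("6in4", SAMPLE_6IN4), ("gre", SAMPLE_GRE), ("tcp", SAMPLE_TCP)):
        print(name, classify_tunnel(pkt))
```

Feed real packets to `classify_tunnel` from whatever capture library you already use; if your session tool reports the outer IPv4 conversation only, the inner addresses this script recovers are exactly the context it is missing.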
Overall I enjoyed the RSA conference, but I will probably not attend again. I may attend if I am accepted to speak there. As a paying customer, I can't justify the price for the number of presentations available. I do not consider the morning keynotes to be worthwhile, and there are only three presentations in the afternoon each day. It was cool to walk the exposition floor, where identity management and endpoint security were everywhere, but that doesn't justify a flight to California.
What did you think of RSA?