Monday, February 20, 2006

This is part 4 of my RSA Conference 2006 wrap-up. I started with part 1. I'm writing this in Brussels, Belgium, where I'm teaching my Network Security Operations class to a private group.

I started my final day of RSA presentations last Thursday by wasting over an hour with Peiter "Mudge" Zatko. I should have walked out during the first fifteen minutes, but my respect for his previous work kept me in my chair. That was a huge mistake. In a haze Mudge rambled (for a quarter of his allotted time) about "The Aristocrat's Joke" while pleading with the audio guy to disable the recording of his talk. Eventually he half-turned his attention to his slides, and struggled to make the point that internal intruders don't launch exploits when they can simply browse sensitive information using native file sharing options. He was also really excited by a paper Vern Paxson published in 2000 about detecting stepping stones, and we heard other historical tidbits of no real significance.

I saw Mudge present to the AFIWC eight years ago, when he had something intelligent to add to the security discourse. Those of us who suffered through his "presentation" last Thursday should get a refund for that talk. It was unprofessional, uninformative, and in many ways plain sad, in vast contrast to the great presentation by fellow ex-L0pht member Chris Wysopal. Am I bitter? Sure, I had high expectations, and I missed listening to other speakers in the same time slot.

The RSA conference redeemed itself when I attended a presentation by Peter Woods from Microsoft. He described the new User Account Control architecture in Windows Vista. (UAC has its own blog too!) In a nutshell, UAC means everyone runs as a Standard User -- even administrators. If a user with administrator powers logs on, he or she operates with a "filtered token." When an action requires administrative powers, it will be displayed with a "shield" icon, as seen in the image above. Peter described a variety of security features in Windows Vista, many of which will be familiar to Unix users of sudo and programs implementing privilege separation. I was a little worried when Peter described Microsoft's Assistive Technology (AT) features. These are designed to help people who cannot use a mouse and keyboard. Microsoft is trying to ensure that the same techniques that help an AT user cannot be used by malware to install itself without the user's consent.

Peter briefly discussed Internet Explorer 7, which he said runs in a protected mode that is at a lower trust level than the desktop. He mentioned Software Restriction Policies (not new).

Overall I was very impressed by Peter's presentation. Microsoft seems to be getting its act together. (I personally plan to buy a new laptop late this year once Vista is available. Of course I will dual-boot with FreeBSD!) Call me naive, but I believe (and have heard from exploit developers) that it is getting more difficult to find vulnerabilities in the Windows OS. I will be curious to see the results of the latest iDefense program. Based on work I've seen by eEye and others, intruders are going to spend more time on the low-hanging fruit of poorly coded embedded devices like SOHO routers and related gear. They will also continue to target applications as the OS becomes more resilient.

I finished Thursday with John Pearce, a consultant with Booz Allen Hamilton. He presented his impressions of IPv6, including an overview of tunneling methods and packet captures. John reinforced that I have a lot of learning to do, like being able to instantly recognize certain prefixes. I also need to see if my preferred session tools will notice IP Protocol 41, used for carrying IPv6 inside IPv4. IP Protocol 47 (GRE) is another option to check. John made the interesting point that even after IPv6 is widely adopted, "there's a fairly good chance that IPv4 will never go away." John recommended we read Sean Convery's paper on IPv6 security.

Overall I enjoyed the RSA conference, but I will probably not attend again. I may attend if I am accepted to speak there. As a paying customer, I can't justify the price for the number of presentations available. I do not consider the morning keynotes to be worthwhile, and there are only three presentations in the afternoon each day. It was cool to walk the exposition floor, where identity management and endpoint security were everywhere, but that doesn't justify a flight to California.

What did you think of RSA?


Anonymous said...

I found the expo was interesting. I was not able to attend any of the sessions, which is what I was really interested in. So my impression of RSA was that it was more product oriented rather than informative about trends in information security. Thank you for the over view you gave, it really helped me know what I missed.

Joe said...


It was good to see you at the sessions. I attended many of the same ones you did.

I don't think I want to attend RSA any more either. I don't feel I got my money's worth.

I did bring a coworker (unix sysadmin who just got cissp) this time and he enjoyed your presentation the most. He liked it because of what you said in the beginning about not trying to sell a product or change everything.

RSA has become a conference for vendors. I was so bored in so many of the sessions.

I think Mudge is so arrogant and that he had no business presenting. It was such a waste of time. And the whole "aristocrat" thing...I too almost left, but didn't want to get locked out, so I just tuned him out for a few minutes.

I'm going to stick to BlackHat/DefCon and maybe replace RSA with CanSec or Shmoocon.

You should post a review or something about the various conferences and who they may be geared to. I think it's safe to say that people who read your blog probably won't find RSA very useful, except for CPE credits.

Jim said...

I thought your talk was one of the better ones I attended. As Joe's associate mentioned, it was nice to hear something that wasn't a marketing spiel. While I will most likely attend RSA again next year I was a bit disappointed with the emphasis that was placed on vendor solutions instead of vendor-independent ideas.