RSA Conference, Day 4
Feb. 18th, 2005 11:38 pm
I woke up at 7:50, and this time had to add packing to my list of morning things to do. I ended up with a lot more stuff (mainly conference crap, documents, books, and a shirt) than I came with, and my suitcase had already been tightly packed using sheeplass's magic stuff-compressing powers. Luckily, among the conference crap was a satchel (backpack/briefcase/laptop-carrier/thing), which I used to hold all the things that didn't fit in the suitcase. It was still tight. This means I have to check luggage this time (since the satchel has to count as my carry-on, rather than the suitcase), but that's not really a problem.
This last day is kind of an odd conference day -- a lot of people leave on Day 4, or go to the Cryptographers' Gala and thus drink too much and miss Day 4, and thus it has lower-priority sessions and no morning keynote. So the day started out with a session on "Advancements in Malware and Rootkit profiling." A guy from Symantec talked about rootkits, and the three basic ways they're detected -- antivirus software, HIPS (host intrusion protection systems -- hooking system APIs to provide checkpoints that catch rootkits as they're installed), and execution path analysis (which profiles how long various instructions and system calls usually take, and thus notices if these are altered.) These all have issues -- antivirus is basically unable to detect kernel-mode rootkits, API hooks in an HIPS are easy to evade (see Phrack 62 for how), and EPA hurts performance by about 30% and is thus useless on production systems.
The lecturer, a guy from Symantec, looked like Tyler Durden.
For those that aren't familiar with the term, a rootkit is something a hacker installs on a system once he gains full administrative (root) access to it. It patches into the deepest levels of an OS and basically makes sure that once the hacker is in, nobody is ever getting him out. Once your system has a rootkit, the only way to be truly sure it's gone is to level the machine -- reformat the hard disk and install from scratch. And occasionally (very rarely, thankfully) even that isn't enough. Rootkits can not only hook APIs (so that when you try to, say, detect or delete them, it fails), but also install filter drivers (like an AV or firewall product) at an even lower level to evade detection. Super-geekness follows: this guy's proposal was to detect rootkits in Windows by instead overwriting the Open callbacks for interesting kernel objects in Object Manager. These happen even after kernel API calls, only for successful calls, and you can overwrite the callbacks only for things you care about, so the performance impact is minimal, and it gives you superior control over the system to all current rootkits. He admitted that this is just another step in the arms race, as if his detection mechanism is used, new rootkits will be written to work around it. His detector had a good bit of self-preservation code in it to make this very difficult, but it's still in theory possible, so some hacker will find a way eventually. What he didn't say, but was immediately obvious, is that rootkits themselves could overwrite these callbacks -- his rootkit detector is actually a very good prototype for a new kind of rootkit. I'm imagining he knows this but didn't want to give anybody ideas -- after all, "self-preservation code" is something normally associated with rootkits, not detection software, and there's no way he could have written that without thinking about the implications.
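As an added illustration (not the speaker's detector and not Windows kernel code), here is a small user-mode C model of the callback-overwriting idea described above. It assumes a hypothetical `object_type` with a single `open` function pointer standing in for an Object Manager Open callback; a "detector" hooks that slot and chains to the original, keeps a self-preservation check that verifies its hook is still installed, and a "rootkit" then overwrites the very same slot to hide objects with a constructed `\rk_` prefix. All names, the `\rk_` convention and the sample object paths are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a kernel object type whose Open routine is
 * invoked on every successful open. Real Windows uses kernel-mode
 * structures; this is a user-mode model for illustration only. */
typedef struct {
    const char *type_name;
    int (*open)(const char *object_name);   /* the Open callback slot */
} object_type;

/* The "original" Open routine: every open succeeds (returns 0). */
static int original_open(const char *object_name) {
    (void)object_name;
    return 0;
}

/* --- Detector: hooks the callback slot and keeps an audit trail --- */
static int (*detector_saved)(const char *) = NULL;
static int detector_opens_seen = 0;
static char detector_last[64] = "";

static int detector_open(const char *object_name) {
    detector_opens_seen++;
    strncpy(detector_last, object_name, sizeof detector_last - 1);
    detector_last[sizeof detector_last - 1] = '\0';
    return detector_saved(object_name);          /* chain to the original */
}

void detector_install(object_type *t) {
    detector_saved = t->open;
    t->open = detector_open;
}

int detector_opens(void) { return detector_opens_seen; }
const char *detector_last_object(void) { return detector_last; }

/* Self-preservation check: is the detector's hook still the one installed?
 * Anything else in that slot means something overwrote it after us. */
bool detector_intact(const object_type *t) {
    return t->open == detector_open;
}

/* --- Rootkit: the same trick, used to hide objects instead --- */
static int (*rootkit_saved)(const char *) = NULL;

static int rootkit_open(const char *object_name) {
    /* Constructed example: deny opens of anything under the hidden prefix,
     * before the chained (detector/original) callback ever sees them. */
    if (strncmp(object_name, "\\rk_", 4) == 0)
        return -1;
    return rootkit_saved(object_name);
}

void rootkit_install(object_type *t) {
    rootkit_saved = t->open;   /* chains over the detector's hook, if present */
    t->open = rootkit_open;
}

/* Simulated open request routed through whatever callback is installed. */
int open_object(object_type *t, const char *object_name) {
    return t->open(object_name);
}

int main(void) {
    object_type file_type = { "File", original_open };
    detector_install(&file_type);
    open_object(&file_type, "\\Device\\HarddiskVolume1\\foo.txt");
    printf("detector intact: %d, opens seen: %d\n",
           detector_intact(&file_type), detector_opens());
    rootkit_install(&file_type);
    printf("after rootkit: intact=%d, open(\\rk_hidden)=%d\n",
           detector_intact(&file_type),
           open_object(&file_type, "\\rk_hidden"));
    return 0;
}
```

The point of the model is the last two lines of output: once the rootkit has taken the slot, the detector's `detector_intact` check fails (which is what the self-preservation code is there to notice), and opens of hidden names are refused before the detector's audit routine runs at all. Whoever installs last owns the slot, which is exactly the arms-race problem the speaker acknowledged.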
The next session was called "Attacking the Heart of Distributed Computing: The Emerging Threat to RPC." It sucked. The lecturer basically gave us a painfully basic introduction to the RPC protocol, which we were almost all quite familiar with, and all the threats he discussed were implementation issues, not fundamental issues of the protocol. So the "emerging threat" to RPC is that some versions of RPC implementations (e.g. Microsoft, Sun, IBM) might have bugs in them. Wow, never would have thought of that. He was asked many questions by the audience, all of which were obfuscated versions of "Tell us something we don't know, dumbass."
The last session of the day was called "Securing the Enterprise Against the Converging Threats of Viruses and Spam," by a guy from MessageLabs. MessageLabs is this company that you contract with to filter your email, and all your company's incoming mail goes to them first, before it even reaches your servers, and they sanitize it. Apparently they do this quite well. However, this also puts them in a unique position for research -- they get 100 million emails a day. One in 32 are viruses, 85% are spam. Basically, he's advocating centralizing spam-destruction -- he thinks the ISPs need to target spam at the source, doing filtering along the lines of what MessageLabs does, rather than letting companies filter spam themselves. He made an analogy to the water company -- you don't have to boil your water yourself and keep up on the latest strains of botulism; you trust the water company to deliver water to you in a usable form. So why do we allow ISPs to deliver us a stream of sewage? He also mentioned that old viruses never die -- they still catch about 100 copies per day of Melissa. Melissa, for those who don't recall, was the first big email worm, which went around in 1999.
With the end of the sessions, it was time for lunch again. Taking rhiannonstone's advice, I went to the Metreon. The Metreon is an interesting place; it's an ultramodern food court and movie theater complex that also contains a Sony Style store, a Games Workshop store, and a variety of teenager-focused things. It was filled with hip teenagers, even though it was noon on a school day. I had a Cajun Wrap at Luna Azul. I then headed back to the conference, where I posted the first part of my Day 3 update before needing to go off to a panel on consumer confidence in the Internet.
The four panelists were from ETrade, Sony Online Entertainment (i.e. EverQuest, FFXI), J.P. Morgan Chase, and eBay/PayPal. The guy from ETrade was the ultimate expressionless accountant, complete with accountant-voice and large black-rimmed glasses. He never smiled, and should have been named Werner Brandes. Interesting points: to the financial services guys, spyware is a bigger problem than phishing. At least phishing only hits one person at a time. Federated authentication was not a popular idea with these people. The financial services people (ETrade, J.P. Morgan Chase) pointed out that they actually bear all the financial risk from Internet crime -- due to Regulation E, they're responsible for any electronic fraud, such as credit card fraud or people ripping off your bank account through the website. However, this has to be kept in perspective -- they actually prefer Internet crime to crimes involving phone, ATM, or physical banking because the reaction times are faster -- they become aware of and can correct fraud more quickly. It can take days to discover phone, ATM, or physical fraud. In addition, more money is stolen each day through home burglaries than through electronic theft -- for all the talk about phishing, the actual financial losses aren't that large. And consumers don't really like most enhanced security measures -- which may well be quite reasonable for them since they don't bear any liability if their money is stolen. They prefer convenience over security. In Hong Kong and Singapore, consumers are liable for paying for fraudulent use of their accounts -- and those countries have robust 2-factor identification on practically everything, including smart cards as government IDs. And while consumers complain about security and say they don't trust the Internet with their financial information, Internet banking grows by over 30% per year. They're not putting their money where their mouth is.
Interestingly, all the panelists opposed regulation, which is surprising since they bear all the risk -- usually companies are happy to be regulated if it means they can throw the risk off onto the taxpayers. They even consider "regulatory intervention risk" in their calculations -- they assign a cost according to the chances that some action or inaction will result in Congressional action. Also, the moderator of this panel sucked -- he kept asking them impossible, stupid questions like, "So, after phishing and malware, what totally unforeseen thing do you think we'll be blindsided with?" Well now, if it's totally unforeseen, they don't bloody know, now do they? He had three different questions along this line.
The last speaker of the day was Frank Abagnale. He gave a recap of his life, explaining where the book and movie added some embellishments. This said, they were mostly accurate, save for family relationships. He had a very strong relationship with his father, and deeply regretted that he never saw him again after running away at 16 (unlike in the movie.) After 30 years, however, Abagnale isn't interested in glorifying his exploits, as he's not proud of them, though we were all sure amused by them. He talked a lot about family, and said that what really turned around his life was not growing up or spending years in prison, but rather his wife. He ordered the men in the audience to love our wives and be faithful to them, and that being a good husband and father is the most important thing there is. I can understand that whole wife-loving thing, being quite into it myself. :)
After this, I walked back to my hotel, where I realized that when packing, I had forgotten my umbrella in my room. Now, this is unsurprising because I am notorious for losing or destroying every umbrella I get my hands on. I asked at the desk, and re-searched my room, but the room had already been cleaned and the umbrella was not in it, nor in the lost and found, so it appears to have fallen into the void that claims any umbrella in my hands. Too bad; it was a nice umbrella, too. And with a lifetime guarantee I intended to make the company regret with my umbrella-destroying powers.
Since it was then 3:30 and my flight was to leave at 5:30, I took a taxi to the airport and breezed through checkin and security. Unfortunately, the plane I am to fly on is stuck in Mexico, and my flight was delayed by an hour, then two and a half hours. So I decided to write all these write-ups in the airport to give me something to do, even though I can't post them until I get home, since an airport in the heart of Silicon Valley is bafflingly missing any kind of Internet access whatsoever, wired or wireless. My flight is at this point to leave at 7:20, which will mean instead of getting in an hour before Anjela, I'll be getting in an hour later.
Overall, it was a very good trip, and quite educational, albeit not that educational with regard to things that actually relate directly to my job. It was amusing being on the expo floor talking to other companies -- we all observed that companies, when they noticed you were from Microsoft, would have one of two reactions. They would either say, "Oh.", and then act as though you were a representative of the Galactic Empire there to interrogate them for their valuable company secrets, or they would be extremely friendly. The extremely friendly ones were, of course, from those companies who desired to be acquired ("Would you like a pen? Can I get you some coffee? Would you like to buy an Internet start-up?") This said, this was not true of all companies, and many of the people at the expo were quite professional and dealt with us as they would with representatives from any other company.
It is quite annoying that my flights are so late, because I haven't hugged my wife for a week and this is most vexing. But now I have written all I have to say about the trip, so I'm going to get out a book and read for the next two hours, until my flight gets out of Mexico and lands.