Re: IT Underground trip report

[David Maynor <dmaynor () gmail com>]

We are not gossipy. (did you see the tshirt Dave was wearing in Poland?)


On Mon, 18 Oct 2004 11:36:33 -0400, Dave Aitel <dave () immunitysec com> wrote:
> It's customary for people at Immunity to write trip reports. I share
> mine below.
>
> Download full version in OpenOffice format at
> http://www.immunitysec.com/downloads/IT-UNDERGROUND.sxw .
>
> -dave
>
> IT-UNDERGROUND Report
> Oct 18, 2004
> Dave Aitel
>
> In this picture are a bunch of speakers who were at the IT-UNDERGROUND
> conference in Warsaw. From left to right you have:
> Mike Shema, Paul Wouters, David "H1kari" Hulton, Thorston Holz, Dave
> Aitel, Rakan El-Khalil, Joanna Rutkowska.
>
> The particular location in this case is a dumpling house in Old-Town.
> Warsaw tends towards small, finely decorated places. Prices range from
> 10 Zloty to 15 Zloty for a plate. (3.5 Zloty to a Dollar).
>
> Overall, the conference went quite well, I think. A large part of this
> was no doubt because they had 2 translators in each of the three rooms,
> and so you could understand what the speaker was saying in Polish or in
> English, no matter what your primary language was. Unlike many
> conferences, most speakers gave more than one talk, and some gave up to
> three talks. It worked well. I would say there were 250 people at the
> conference – reasonably large.
>
> Speakers and Talks
>
> I didn't catch all the talks, so I'll only comment on the ones I did catch.
>
> Robert Lee Ayers is a Director for Critical National Infrastructure
> Defence for Northrop Grumman Mission Systems Europe
>
> A former US DoD official, Bob now is a UK citizen. He did the keynote:
>
> This presentation will examine the characteristics of an effective
> program for defending the nations Critical computing and communications
> systems. The audience will gain the knowledge required to understand how
> to construct a national CNI Defence programme.
> Target audience: Senior government officials.
>
> Interestingly he differentiated between a "conventional war" and a
> "logical war". In his words, there is a "clear indication of victor" in
> a conventional war. As well, a conventional war is, as Clausewitz would
> agree, between nation states, whereas a logical war is not.
>
> He uses this terminology, which some people may not be familiar with:
> Strategic warning: You are going to be attacked
> Tactical warning: You have been attacked
>
> An interesting point he made is that with a "logical war" you have
> difficulty knowing how bad the problem is.
>
> All good indicators are observable and measurable
> possess a state of normality
> are logically predictive of the anticipated event
> takes place sufficiently far in advance of the event to allow you to
> take an action
>
> "One indicator of a nuclear attack is a bright light in the sky.
> However, it is not a GOOD indicator because you don't have time to respond"
>
> He claims that logical attacks have no strategic warning and that
> tactical warning requires rapid data collection and effective reporting
> mechanisms, which are almost always missing.
>
> Offensive IW techniques occur prior to declaration of war.
>
> I would say that IW is also extremely hard to model - which means hard
> to train for! (The military motto of "train like we fight" is nearly
> impossible to achieve, in my opinion.)
>
> He also claimed that all of the major internal switches (Cisco boxes)
> were compromised and concocting a sniffing operation for up to 4 years
> in 1992-1994. He says CERT had published a report on this, but I can't
> find it.
>
> He mentions that all service providers hide problems – problems pose a
> risk to revenue. I would add that MS is a service provider...
>
> One weird statistic he posed is that "50% of all corporations have
> "offensive attack programs" ready to use." He claims a large percentage
> of them are "hacking back". I don't see it. I think some of them are
> hiring outside companies that do DoS attacks on phishing companies, but
> I don't see a "hack back" strategy.
>
> I would comment on his talk with two things I think are incorrect:
> 1.He claimed that there is no mobilization cost to "Logical" war.
> 2.He claims there is a low cost of entry to logical war.
>
> I think there are a lot of things that make a logical war expensive, and
> I think the proof is in the pudding: Al Qaida is using bombs. Bob's
> strict Clausewitzian ideology was weird to me. I thought most modern
> military thought had stepped away from Clausewitz. Religious wars are
> not between nation states, they are fundamentally between ideologies.
> And powerful non-religious ideologies are just as warlike – Communism,
> for example. Thinking of war as a purely nation-state endeavor is to
> think of the rightful collection of power as a purely nation-state
> endeavor. Most nation-states have little if any political legitimacy in
> the modern world, so a trend towards non-nation-state warfare makes more
> sense now than ever. Anyways, on to speakers. Not everyone gets a
> mention because I got really jet-lagged for the second day and can only
> attend one talk at a time.
>
> Rakan El-Khalil
>
> INFORMATION HIDING IN EXECUTABLE BINARIES
> Rakan El-Khalil is currently on sabbatical in France. He is a recent MS
> CS graduate from Columbia University. While he was there he worked on a
> variety of projects at the CS Research Lab, such as an IDS that uses
> machine-learned models to detect network threats and a syscall based
> permission system on OpenBSD [predating systrace].
>
> So I didn't see his talk, but I spoke to him a bit. The only thing I
> disagree with is that it's "not possible" to do a graph based
> stenographic implementation. I think it'd be fun for someone to try.
> Rakan thinks getting that much of a decompile would be prohibitive.
>
> Thorsten Holz
> His talk was on honeypot compromising. It was good. I don't have a lot
> of comments on it. Read his paper or something. There's some english
> errors in it I wanted to fix, but I don't remember any technical flaws
> or anything. Thorsten is a nice guy. The first night we got in, he
> walked with me through the Warsaw cold in search of food. We ended up in
> a tiny restaurant where we ordered a #1 and #2 (which turned out to be
> liver and onions and chicken). Polish isn't as easy to read as you'd think.
>
> David h1kari Hulton
> David thoroughly impressed me. He dresses like a Matrix fan, with a long
> leather coat, but I assume that's some sort of west coast thing. He's
> doing some generally solid work in a lot of different fields. For
> example, he wrote bsd-airtools, and actually improved on the WEP attacks
> in a way that makes sense. His work on embedded stuff was cool too. For
> example, he improved an attack on GSM cards to make it workable.
>
> Joanna Rutkowska
> Joanna Rutkowska is an independent security researcher. She focuses on
> various exploitation techniques, application and system protection
> against unknown exploits, system compromise methods and their detection.
>
> Joanna was one of the stand-outs from the conference. She's a native
> Polish person. A "Pole" I guess, although that sounds weird.
> Anyways, she gets "it" as far as I can tell. Her talks were on Linux and
> Win32 rootkits, and how to detect them. And, of course, the subtext was
> how to make them better. During lunch she schooled us in how to detect
> Vmware using one instruction. (In Immunity terms it's called "Sinan's
> Favorite Instruction" - we'll let the rest of you guess at that though.)
> Joanna actually asked questions during my talks, which is interesting in
> that the few women in this industry tend not to do so, since they
> already get more than enough attention.
> She also wins the "Speaker who tested the SideKick II camera out the
> most at the request of my friends" award. So if you're reading this in
> email, and not in .sxw, then you're missing out. No doubt the picture
> doesn't do her justice. There are a few more floating around. Contact
> your local haxor warez connection. She noticed that the infosec
> community is quite "Gossipy" which is definitely true. On one hand, this
> makes it quite a lame society, but on the other hand, a bit of chatter
> is good for finding leaks and bad nodes.
> There were a lot of other talks I missed. One in particular I always
> hate is the "panel discussion". Why people insist on these things I'll
> never know. Maybe there's a way to do it in a way that makes sense, but
> I've never seen it. Example questions "Is Linux or Windows security
> better?" Sheesh.
>
> As always, if you have additional comments, pipe them in.
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave