OSCON 2006 – See you there!

Just a quick note as to the quietness of the blog. I’m working on a few things:

  • my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
  • doing demos for the above
  • my slides for OWASP Melbourne, July 2006 meeting (this coming Wednesday! Details)
  • reconstructing my work laptop
  • the OWASP membership packs and other executive director project items
  • administrating Aussieveedubbers
  • writing a fresh Ajaxy UltimaBB installer
  • writing a proposal for a workable security architecture for PHP 6 which I want to present to Chris when I go to OSCON, and maybe earn myself an audience with Rasmus and the other PHP luminaries to discuss it over a beer or two and thus decrease my trolliness to those folks.

and plus Tanya would like my body sometime as well. I’ve given up TV. Woe is me!

See you at OSCON 2006.

I’m also making an appearance at BlackHat and Defcon, and will be in SF in between those two conferences, and possibly in Salt Lake City before OSCON (depends on work). If you want a Thawte Notarization for the Web of Trust (free *real* fully trusted S/MIME certificates!), please bring photocopies of your photo ID and I’ll do it for free.

Munich – Saturday (Deutsches Museum)

We got up, had breakfast, and walked to the Deutsches Museum.

Unlike any other museum, this is a geek museum. It’s like geek heaven there. Except there’s so much to see and that entails a lot of walking. They have foot massagers, but they take 50 c coins, and I haven’t acquired any of those yet, only heaps of 20 euro cents.

The first thing we checked out was the high energy lab, and that was amazing. Lots of noise, sparks and high energy!

We took in (not nearly exhaustive to describe it!):

  • High energy lab
  • Planes, and lots of them!
  • Planetarium
  • Rockets, rockets, rockets!!!!!! And more rockets!
  • Chemistry … no explosions, doh!
  • Space exploration (astronautics)
  • Measurements and time
  • A temporary exhibition on German progress
  • Walked through the agricultural area, but checked out a complete house they’d reconstructed
  • A cave about neolithic art work. It was dark.
  • Nuclear physics and other physics
  • Paper and printing (look at real leading and type!)
  • Musical instruments (nearly missed out on this one, but it was awesome!)
  • Techno Toys – looking at all these early proto-legos from the late 19th century and early 20th century

Check out the gallery of stuff here:

After the techno toys, my feet were killing me, so we headed back to Steve’s place. We geeked out there for about an hour and watched a Coupling episode. I’d forgotten how cool that show is – I’d only seen the one episode until then. Will need to get the DVDs when I get back to Australia.

We had dinner at the Mexican restaurant near Steve’s friend Andi’s place. It was really good, particularly the half price Margaritas. Again, no Visa, and the prices at most European places are in ouchy land territory for earners in $AUD. At this stage, I’m nearly out of cash again. Need to find an ATM on Monday to deal with this if I run out of Steve’s hoard of cash (we’re trading at the correct rate, so he doesn’t need to be done over when he comes to Australia).

Sloshed our way back to his place. Even at 10 pm, the public transport doesn’t take long, despite needing to change trains (and system) three times. You simply couldn’t rely on public transport in Melbourne to do this.

We watched a few episodes of Coupling and I hit the sack.

Munich – Friday

I landed in Munich and waited to pick up my luggage. The new airport feels like one big BMW ad. There’s BMW everywhere, so at least I had something to look at. Eventually my bag came, and I headed out. I met up with Steve Riehm, who is hosting me in Munich. When I was organizing the last minute trips, I did not know that Munich is hosting a goodly percentage of the soccer World Cup, so all the flights were full and mine was no exception. That’s why I had to travel to Munich a day earlier than I expected.

The weather in Munich is even worse than that in St Anna, which is hard to top. Steve cranked on the heated seats in his beemer, and I was toasty in seconds. :)

After dropping my crap at his place, we geeked around a bit and then headed into town for a look see. I took heaps of photos, which can be found in the Gallery, here:

After walking around Munich for a few hours, my footsies were a bit sore. Luckily, there was a pub only a little distance away, so we ended up eating there, and again, I was surprised to find that Visa is not accepted widely in this fairly first world nation. Unbelievable. After a few really nice beers and some roast suckling pig and crackling (the Germans know how to do pork!), Steve bundled me home on the excellent public transport here. If only Melbourne had such good public transport!

We traded Euros for Australian dollars as the Travelex rate was insanely bad. My normal savings card didn’t work here, despite the ATM I used having a Cirrus logo. So beware if you come from a place like Australia where everyone uses electronic cash and come to a place like Munich, where it’s hard to use your own money. I wonder how many tourists to the World Cup are going to be bitten … coming here with only a tad of real money like me, and expecting to use ATMs and EFTPOS as per normal.

We watched a movie – Sky Captain and the World of Tomorrow. Awesome film noir / comic / kitsch. Get it!

Meeting up with the family

On Thursday morning, I took the very reasonably priced train up to my family near St Nicklaas. It looks a long way on the map, but it’s only 40 or so km. Europe is compact that way. The weather is still crappy and it barely makes it above 10 C.

Met up with Eddy at the train station, and we had a good old conversation about geeky stuff. Eddy is a funny bloke – he didn’t know where the coffee was, so he rang his sister, who popped over with some coffee and a filter. Then when his better half (Viviane) came home, she showed us where the coffee was… it was right in front of the cupboard. The shame of it! :)

We had an awesome meal of witlof and ham and cheese sauce, much thanks to Viviane’s awesome cooking. Eddy broke out the wine, and we started getting merry.

Those were taken around 7 pm… the sun finally came out, and it was still cold, but at least I’ve seen the sun whilst I was overseas! It’s supposedly summer, but it’s colder than Melbourne.

More family came around after dinner, and we had some awesome beer, West Vleteren. Eddy thinks it’s the best beer in the world, and I think he could very well be right. I stayed with the family overnight, pushing Michael out of his room. Sorry about that Michael! :)

In the morning, I left for Munich. Europe has awesome integrated public transport. Even though the train for the airport had been cancelled, I made my check-in at the airport with ages to spare. The new part of the airport is shiny and new. They really need to demolish the old bit as it makes a terrible impression, and I’m sure with 97 gates in the new bit, they can afford to get rid of the crusty old terminal.

OWASP EU – Day 2

Excellent day again.

I’m still waking up far too early, but that’s okay, particularly since I had still to complete my Day 2 keynote slides, much to Dave’s disgust.

- Leuven University

The keynote went well, but I finished what I thought was early, when in fact, it was dead on time. This left Ivan Ristic with much less time than he had intended. :(

Ivan’s talk was pretty cool – he went through the stuff you’d expect of the author of the open source web application firewall, mod_security, discussing the four major features of the software. I’ve used it before in a DDoS attack, and it worked well.

After the morning break, I went to the invited papers track. I think this was a good idea, and the quality of the ideas was good. I think it allowed people who are not conference whores like myself to get up and speak. And considering that only a small percentage of the attendees are native English speakers, I was pleasantly surprised at the quality of the English at the conference. Awesome.

The session riding talk was cool, but again, they’re using a non-mainstream technology to fix the problems. I think people really need to start using the major technologies which are weak rather than using esoteric languages which take their fancy. PHP needs a lot of help, for example.

After lunch, I went to Dinis’ tool heavy presentation on the stuff he’s made this last year. Awesome tools. Might see if they work under Mono on the Mac. Except for the report generator, which is basically a waste of time. As a customer I HATE (and I mean I will return your report and not pay you HATE) getting nessus or other tool output auto-gen’d from XML into PDF. I don’t pay the pound for my reports. I prefer short (10-20 page) reports which tell me what is wrong, carefully considered and rated. This is something that can be done in Word more easily than Dinis’ tool. I’m sure Dinis’ report writing tool (he’s a total XML freak :) works for his customer, but I’m not interested. If it gets out in the big bad world, I hope it doesn’t catch on. Our value is our skilled interpretation, not 1000 page automated reports.

After the last break, there was a panel discussion, which was far more lively than the previous day when everyone agreed with each other. It was hard as Gunnar let people speak who took more than their turn. There was one particular lady who just butted in all the time. I had my hand up for half an hour before I could get a word in edgeways, thus not allowing me to state a couple of points about user security education which I vehemently disagreed with, but couldn’t as the flow had moved on. Oh well. I’ll butt in next year – being a good guy does not pay off if you want to be heard. Despite this, it was a good and lively session.

Dave finished the conference up. After we had finished, Pravir Chandra and I went out to dinner. I wished a few more could hang around, but many needed to get on flights home, and several wanted to go back to Brussels for food. We had a good meal in the center of the old city. Awesome food.

I think it was extremely valuable as a conference. If I can, I’ll be back next year.

OWASP EU: Day 1

Great day yesterday.

Dinis’ keynote went off great, but he got rid of all my images and loaded it up like an essay. Might need to encourage the OWASP presentation template to only contain a limited number of words per page, and increase the visual appeal of the slide pack. We don’t read slides, we present them.

The panel I sat on after the keynote was amazing – Microsoft sent in a sacrificial victim in the form of Alex Lucas, and he did really well. The crowd was a bit restless, but honestly, I think they saw the light by the end. The funny thing was that Microsoft was arguing for more stringent safeguards than most of the panel members, but even more funny is that the panel members agreed with the SDL (for the most part). This got a laugh from the audience when it was brought up, but also demonstrates how far Microsoft has come over the last few years.

Alex had a proof galley of the forthcoming SDL book from Lipner and Howard. I considered mugging Alex and stealing the book – it is totally awesome! This book is what everyone needs, particularly if you don’t have a strong security process today.

I went to a bunch of presentations (including my own!), and learnt a lot. I was particularly freaked out by Amit Klein’s talk on HTTP Request / Response | Smuggling / Splitting and peripheral devices. Awesome research.

My slides for my Ajax presentation are here.

After the day finished, we had a chapter leads meeting, where we discussed what we want to do over the next twelve months. We prioritized, and I think it’s going to be great. I’ll blog more on this in the next few weeks.

Last but not least, we had a fabulous dinner at the Faculty club. Leuven is very confusing, and the trip to the Faculty club was via taxi, leaving me confused where I was located. But that’s okay, a fine meal, good wine, and excellent company left me warm and fuzzy. I trundled into a taxi near 11 pm (when it was just going dark!) and made my way back to my hotel, where I promptly fell asleep.

OWASP EU – Day -1, the free day

I got up nice and early again. 6.30 am. So so wrong. Alien Andrew has landed and it’s freaky time again.

After breakfast, I retired to my room to work on my slides. Good move! They look great now.

After lunch in my room, I felt a bit tired, so took a nap. Awesome sleep. Woke up just before I had to go out for dinner with Dave Wichers and a few others.

We moved to The Troubadour and had a nice meal, followed by a trip to a nearby square and some more beer. Beeer! Around 11.30 pm I retired into the rain, and walked in the wrong direction. Leuven is a little town, so the cabs were hard to find. By the time I got one, I was thoroughly wet and cold.

Got back to the hotel room – sore feet and wet and tired. Went to sleep straight away. Fantastic, productive day with friends, food and beer.

OWASP EU – Travel (MEL -> LHR so far, roughly 16000 km and 24 hours)

I’m sitting in London Heathrow after a monumental flight. It’s so wrong. Even in business class there’s no avoiding the fact that it’s a long time to sit down. And as many of you know, I love a good sit down.

After flying in business class to Europe for the first time, it’s definitely 1000% better than being in cattle class. The (hardish) seat folded down nearly flat, or would have if it wasn’t designed for small women and children. My shoulders hit the sides of the capsule when my feet fit under the capsule in front of me. Now I know I’m a bit on the round side, but I doubt my shoulder girth will change if I ever become svelte. I’m not going to be less than 180 cm any time soon, so these seats need a little fine tuning. Even if the capsules had a soft side, it would be acceptable.

After exhaustion set in, I took sleep where I could, and I must say I’m feeling much more awake and less tired than even the last time I travelled to Las Vegas.

The flight was fun – we flew over many countries I’ve never set foot in – China, Tibet, bits of Nepal with the Himalayas in the distance with a fine dusting of snow, Russia (seemingly forever!) including flying near St Petersburg, Latvia (Riga), Ukraine, Finland, Denmark, Holland, Belgium (… I’ve been to those last two!). Unfortunately, although we flew during the day, it was clouds all the way from China through to landing with only a break or two when I bothered to open the blind.

Landing in England brings back memories. Obviously, they laid the best English late spring weather on for us, with it being 16 C and rainy. It was 17 C, sunny and fine on the day I left Melbourne, and that’s three days shy of winter proper. It’s going to be amusing if the weather doesn’t clear up in Belgium for the conference.

I’m not feeling very hygienic right now – could definitely use a shower. Unfortunately, the little airline (BMI) I’m travelling on for my next leg doesn’t have a shower in their “Business” class lounge, so that will have to wait until I get to the hotel in a few hours.

At least I’m having a good time with roaming and wireless networks. Have SMS from the fiancée (yay team!) and knowing that my cats are well and likely to get good tummy rubs whilst I’m away is all good.

DefCon Wrap Up

Well, I’m back. Alien Andrew has departed, and it’s a nice cool 14 C again.

Rolling back to Sunday afternoon…

After posting my crop dusting blog entry, Mike P rolled up and we went off to the cafeteria to deconstruct the last few days. It was good to catch up before I left.

At around 12.30, Chris and Jen from newbeetle.org rang, and we organized to go to the Hofbrauhaus a few doors away from DefCon. Well, was that a hoot! Lots of singing and being (very) merry care of copious quantities of good quality German beer, a decent meal, and I was ready to be poured on to the plane. Chris and Jen are the best! They even dropped me off at the airport.

It was a good thing I was a bit sozzled – the TSA screening process is awful in its mediocrity and not ameliorated in any way by the absurd queue lengths. They didn’t ask to see my laptop working, they just wanted to X-ray it. They didn’t hand search my luggage to determine if I had any ninja tools or anything like that. They just processed us as if it meant something. TSA searches are a complete waste of time and are completely ineffective against an even half arsed adversary.

I was waiting in the public lounge area for my flight when spontaneous applause from the public erupted when about 20 soldiers from Iraq returned on a flight. It’s good that even though the war is illegal and the actions of the US leadership dubious, the public still support their armed forces. I could see the smiles on the faces of the men and women returning, and I could see they appreciated the public’s support.

The five hour stop over in LAX was ordinary with only one saving grace – I didn’t have to be re-screened.

The flight home was long and terrible – United as per normal put their most elderly of planes on the LAX – Sydney route as only Qantas competes with them. Qantas also use retirement villa planes for this leg. Very uncomfortable thin seats, with no entertainment system in the seat backs to play with. My seat wouldn’t recline as far as the seat in front of me did, so I was squished most of the time. Plus, the seat pitch was tight – about the same as Virgin Blue’s domestic flights. I will not be travelling United again.

Once we hit Sydney, we were screened… twice. Once when we left the plane to go back into the sterile duty free area near the gates and again when I re-entered the gate area. This was the only time my baggage was hand searched. I don’t know what they’d find after being screened several times already. Oh well, screening passes the time.

I eventually hit home around 1 pm after travelling again for 32 hours. I missed Monday altogether. When the A380s come out, I will fly whoever travels point to point: Melbourne – London non stop, bring it on! I hate being screened constantly and pointlessly.