Archive for the 'Rants' Category

Feelings of Rejection

In other news, all my talks for OSCON were rejected again. Why did I bother? I should have paid attention to my own rant from last year. Most likely, I will have to give up on submitting papers to certain open source developers’ conferences, as honestly, why bother doing the research and creating the paper and slides only to be rejected? Luckily, two of my submissions were from colleagues, so I didn’t squander a lot of resources on those talks, even though, for example, I’m working on porting ESAPI to PHP, which is the subject of one of the rejected talks.

I’ve identified the following security talks for those security folks still considering going to OSCON (although I’d recommend saving your money for OWASP USA, as we already have a schedule of 45 web app sec talks in three tracks and two full days of tutorials, including several two-day courses where you’ve got an actual chance of learning something. Just saying.)

So, five talks and two longer three-hour talks. Here it is in graphical format for you:

[Image: screenshot of the OSCON security talk list]

A couple of the talks are unlikely to offer much in the way of solutions. Sadly, there are no Ruby, Python, administration, database, emerging topics, or people security talks. Worse, there are no Java security talks, which for a semi-incomplete track I found sort of astounding, especially as I submitted two Java security talks and one PHP talk. The official “security” track has two three-hour talks, both detailed above. Even if you look at it from the point of view of OSCON having 16 tracks, with (hopefully) equal time for all of the tracks and assuming a lot of competition for speaking slots, there should be 215/16 = ~13.4 security talks, not 7.

Although I am glad my friends are accepted whilst talking about security, I think OSCON needs a new program committee. This one is broken.


vanderaj on April 2nd 2008 in Conferences and Travel, OWASP, Rants, Security

Fucktard drivers

What is it with “sporty” coupes and their drivers? We were nearly killed coming home from the hospital by 8CR J60, a black Infiniti of some description. There’s a complete fucktard behind the wheel, who will hopefully get a nice moving violation from the police tomorrow. I hope with all my heart that this is the last few points on his license so he is off the road for a few months. Honestly, why drive if you’re going out there to kill yourself and others?


vanderaj on September 26th 2007 in Rants

Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant

A little while ago, I wrote a dejected post saying that OSCON, Black Hat, and Defcon all missed the greatest opportunity to speak to the right folks about securing their apps. Well, with the final schedules of Black Hat and Defcon up, we have:

  • Fear - pretty much every talk
  • Uncertainty - you betcha
  • Doubt - doesn’t the security industry work on creating doubt? Yep.
  • Solutions - 10 out of 444 talks == 2% of all talks

We have to move past this. I am not asking for solutions to be even 50% of the talks, but dammit, it should be over 10% and it should be over 25%.

The CIOs and CTOs and mid-level junketeers in our industry (who go to these events to pick up chicks of negotiable affection*) go: “WHOA! I’m so screwed! What do I need to do to protect my assets from all this badness?” And the snake oil sales puke from the large security ISV will go: “let me show you this bridge I have for sale over here…”

At Black Hat, 3 of the 5 potential security solution talks are the 20 minute turbo talks. How much can you learn in 20 minutes? Enough to be scared, or enough to learn a URL? At Defcon, there’s just one talk on using a tool as a shield around your crap. Of course that’ll work. Like anti-virus or IDS “works”. Not.

The CIOs and CTOs and high level business folks don’t want horror stories. They get enough of that from the snake oil sales pukes. They want solutions that work. They want to know what to do right. These solutions should not cost the earth and should be effective. None of which they’ll learn about at these conferences. Will this stop them going to conferences? Of course not! It’s Vegas, baby!

The conferences will have to start being relevant or they’ll end up like CES. CES started out small, grew immensely, changed to be vendor friendly, and no one came. They cancelled it. Now everyone goes to E3. They’ve changed the rules to be more industry friendly… and it’s only a matter of time before it, too, dies. “Our” industry conferences on the outside seem more popular than ever, but they are dead. I will not be submitting any more talks to them as they are irrelevant. They do not support solutions, only fear.

* And occasionally, chicks with dicks of negotiable affection. But what happens in Vegas, stays in Vegas, eh baby!


vanderaj on July 23rd 2007 in Conferences and Travel, Rants, Security

W Chicago - Do not stay

I am at the SANS GSSP second face to face in Chicago (photos soon). SANS have chosen a nice hotel, the W Lakeshore right on Lake Michigan.

Until 10 pm tonight, it was awesome. But then at 10 pm… It was spoiled by the Richter level 4.0-4.9 bass drivers (seriously! - we’re feeling it in our waters - constantly - my diet Pepsi has ripples in it). It’s 1.30 am. I have to get up at 7.30 am - on a Sunday, a miracle not often seen - even with a good night’s sleep.

This hotel has forgotten its core duty: a good night’s sleep for ALL of its guests. We are the ones paying nearly US $400 per night, not the young things paying $10 for a drink at the nightclub.

Never come here - spread the word.


vanderaj on June 17th 2007 in Conferences and Travel, Rants

Why I will have a job in 2035, or how to write a successful talk submission

In 2035, I will be 65. Unless I was to take up photography or cat breeding, I will most likely still be in this industry doing pretty much what I’m doing today.

Why?

I submitted a bunch of “how to fix” talks to OSCON (the unconverted) and Black Hat (the converted). I’ve spoken at both before, and I know I don’t suck too badly at speaking. Knowing that you suck more than other folks is the first step to being a good speaker; I learnt that many years ago and have been learning ever since. Nowadays, I get good reviews from my customers, and got good reviews and write-ups for my last talk at OSCON. Black Hat provided me with my feedback, which indicates that most of the folks who returned the forms liked what I had to say and how I said it, although there is room for improvement. When I train professionally, I am probably my harshest critic. That said, everyone - including me - can always learn how to present better, and make presentations that don’t suck. But let’s put that aside for a moment, and look at our industry’s premier developer and security conferences.

Why you will not learn solutions at any major event this year

I know this might come across as sour grapes, but seriously, when the biggest “security” conference rejects my talk (which will show how to scale code reviews in large enterprises, a huge problem for the Fortune 500, government and defense types, who just happen to send a bunch of folks to said conferences) in favor of the same theoretical root kit talk as we saw last year and a meta-theoretical anti-root kit talk targeting that specific theoretical root kit talk, they’ve lost the plot. When the largest *developer* conference rejects three of my talk suggestions, two of which are teaching developers how to code more securely (including an advanced level 300 class - I’m sick of teaching “hey, this is htmlentities(). He’s your friend”), they’ve lost the plot, too*.

OSCON’s security track is a paltry seven talks, basically most of one day out of five. And only one, by my friend Chris Shiflett, will teach you how to avoid the most common problems in web apps, and another reports on the use of a source scanning tool by the open source community. Each of those talks is less than an hour. The chance you’ll learn something you don’t already know about PHP security is pretty small. At Black Hat, so far, there are plenty of announced talks, but it will take you until day two before you learn how to do something useful. There are no other how to fix talks at Black Hat. That’s very, very sad.

There are some fine speakers at each event, for sure. But some have been seen before. And before that, too. But when you’ve seen ten theoretical root kit talks, or the fiftieth hundred buffer overflow talk (the same attack since 1988? kill me now), or yet another XSS talk or eight, we get it. Software sucks.

How do we fix it? Show me the money!

Do I want to be fixing SQL injections, buffer overflows or cross-site scripting issues when I’m 65? Hell no. These are solved problems. We know the solution. They MUST be burnt into the APIs so that programmers (no matter what skill) CAN’T do it the wrong way. There are some fine researchers working in the field, and you’re not going to hear them talk about fixes at Black Hat or OSCON. It’s Fear Uncertainty and Doubt. Scare the punters so you’ll buy their products or services. That security sales method is so 1995 when we thought firewalls were kinda neat.

That sucks.

It’s the reason the security industry is little more than snake oil modulo a few gems here and there. Why don’t A/V vendors go white-list? Spend 10 minutes telling your computer about the programs you use and white list the behavior of those probably very common apps? No more virus infections as everything else is untrusted and doesn’t run. That’d kill their shakedown revenue stream.

To be a smart security vendor today, you provide value to the customer by showing them how to architect a secure solution, how to build secure software (by training their devs - we can’t write all the software), how to test and review software (or indeed provide these services as an external audit function), so they don’t have to worry about spending *more* money on useless controls or, worst case, notifying the regulators and their customers that they’ve screwed up and “gee, we’re sorry! we tried our best. Here’s $100 bucks”. Value folks, value. We’re here to provide secure business, not scare money out of folks. Once the horse has bolted, it’s far, far too late. That’s why I think forensics and a lot of compliance is a total WAFTAM. Dead money.

Providing solutions is exactly what we’ve been doing at OWASP. We provide value. Some of the solutions are actually getting towards voting age. We just need to get it out there so you don’t make the same mistakes, time after time. I’ve dedicated the last four - five years to researching, describing and educating how to fix things at OWASP. And yet, we don’t get no love at major conferences. And here’s why - they don’t want to tell you how to fix it. They want headlines in the meeja. The meeja only know about attacks, “hackers”, and people losing money to organized crime gangs, or their daughters to the nasty pedos across state lines. So the conferences provide that. We all lose with this approach. Luckily, with OWASP, we run the conferences, so this year, I will speak, and hopefully it will be useful to those who attend.

But realistically, the folks we want to talk to are at BlackHat and OSCON, not at OWASP (yet). So let’s learn …

How to write a successful talk submission

First off, and foremost, be honest about why you’re going. You’re a conference whore, and so am I. The hallway track is their raison d’être, and best experienced with booze and lots of it. But how to get there… write a submission!

0. The title must be snappy. “Attacking OMG PONIES!111 2.0” All good talks have 2.0 in them somewhere.
1. Subject matter must ONLY be about attacks, exploits, or bragging. The more esoteric the subject of your attacks, the better. I’m talking to you, side channel attacks.
2. Reading poetry to the attendees is only acceptable if it’s accompanied by images of death and you’re dressed in a funny hat, so try to come up with a reasonable approximation of how much your new tool (P0NIE PWNER) haxxors the badness (OMG PONIES!!111) you claim to attack. You don’t need to provide the tool, just claim it exists. No tool / exploit == no attendance.
3. Don’t include anything - ever - about how to fix the problem. That’d ruin the “hacker” image of the conference.
4. Profit!

Conclusion

So screw them. See you at Black Hat. I’m the one who looks like a trans-gender lady of negotiable affections and I’m lovin’ it.

* OSCON has a talk on PHP security, by Zeev Suraski, one of PHP’s founders. The talk (PHP Security: Fact and Fiction) sounds pretty defensive. Hopefully, it will say something like “gee, sorry about that!” to all the attendees. I’m very hopeful about the claimed agenda - it talks about what is changing in PHP to fix their previous stupid insane security decisions and lack of a security architecture. PHP *must* move in that direction, and fessing up to current and past indiscretions is the first of at least 12 steps to resolving the issue. Look at ASP -> ASP.NET. Same thing.


vanderaj on June 3rd 2007 in Conferences and Travel, OWASP, Rants, Security

Good riddance to bad rubbish

One of the worst self-serving, money grubbing ($200m a year), homophobic, Teletubby hating (seriously!), hypocrites on the planet has died.

Jerry Falwell dead at 73

This venal black heart tried to blame 9/11 on pagans, feminists and the (at least) 50% of the population who happen not to share his particularly hateful religion/politics. He hid his bigotry behind his “religion”, the last bastion of the weak minded social deadbeats. Voters from the other camp are not the enemy. Falwell forgot that in his desire to grasp power for himself. He coveted others’ happiness and only wished that folks not in his personal “in group” had an awful time. And you know what? He failed.

What would Jesus think? If the New Testament is true as Falwell hopes, he will have a long soak in Hell.

His hate mongering fanaticism will not be missed. My only wish is that the media would stop publicizing his passing. Good riddance to bad rubbish - may he be forgotten quickly and his legacy of divisive hatred healed within a few years of his death.


vanderaj on May 16th 2007 in Rants

Patently evil

Mark Curphey, a really smart guy I respect for his work founding OWASP and creating the first edition of the Guide, lost a goodly percentage of my respect today:

I did some patent review work in Dallas recently. I traded my security consulting time to a company who in return provided their legal firms time for my patents. I have been living and breathing patent strategies for the last few weeks.

One of our advisors sent me back comments to a provisional “elevator pitch” I put together. As always brilliant feedback and very valuable suggestions. Surround yourself with brilliant people and it’s hard to fail!

As a customer of many companies, the thing I worry about the least is whether they’ve spent effort on things which add no value to me. I worry extensively about small companies that invest valuable time and money on worthless pursuits, such as patents or marketing when there are no products to be had. Of course, this list is missing the vast majority of the real wasters.

There is no point in investing in or buying into any company that burns valuable startup resources on worthless evil patents. Focus on beating your competition by simply being better than them or offering a unique service… and then do it again a little later so your competition still has to catch you. The world does not owe you a 17 year license to sit on your arse, milk consumers and stifle competition.

Patents are evil on so many fronts, it’s hard to list them all. Here’s some that come to mind:

  • Money is wasted on patent lawyers. Patent lawyers are a pestilence on society. Sorry, Jeff, but I’m so glad you got out of that game
  • Patents add no value to the economy of ideas or the general economy. They produce no value to a nation’s GDP, but hold back competition and a natural market’s growth
  • Patents are an anticompetitive weapon to squish competition who came up with fundamentally the same idea as you but foolishly or bravely chose not to patent the patently obvious
  • Patents are not assets until they earn income by squishing the competition or milking other companies for licensing fees, milking the consumer or pure extortion cos they have no choice but to buy from a limited, stifled market. Patent battles are only useful after point (1) has wasted a six figure to seven figure sum for your average fight on worthless patent lawyers and mucky court battles.
  • Sooner or later, all the patentable ideas will have been patented (many patents already significantly overlap), and it’s just who has the most serious patent lawyers and deepest pockets who can dictate who can innovate or provide services.

This is wrong. Imagine how many schools and hospitals could be built in third world countries for the value of the patent battles and licensing fees in the Valley alone. Patents are an insufferable evilness and must not be allowed to pass.

Mark, there’s no point in trying to ensure you don’t fail, you’ve already failed for being the latest sucker to take the poisoned patent chalice. You founded OWASP on the basis of openness and inclusion in an industry notorious for its secretive and proprietary ways. Reconsider before joining the dark side.


vanderaj on February 1st 2007 in Rants

It’s not opinion, Richard

For the second time, I helped SANS compile their Top 20. I don’t know about the other sections, but C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes:

As far as the nature of the list goes, it’s important to realize that it’s based on a bunch of people’s opinions.

Actually, no. My section is based upon hard core data from MITRE, as will be the forthcoming OWASP Top 10.

[Image: graph of MITRE web app sec data]

The only entry which I forced into the SANS Top 20 is CSRF, because it’s REALLY important to fix over the next 12 months. We only get so many chances to speak to this particular audience and CSRF deserves attention. The OWASP Top 10 also has CSRF. Remote File Include, which affects PHP more than most, is EXTREMELY heavily attacked. It’s actually the primary attack vector for PHP stacks. It belongs in the list. My mum can discover XSS - it belongs in there. SQL injection can be found via automated means, and this is the worst bit - we have methods to utterly avoid it - if only devs would stop using vulnerable APIs! rdbms_query() should simply not be supported in future PHP releases. And ditto for other languages and frameworks.
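The “vulnerable API” point above, shown side by side as an added example (this is not code from the original post or from any PHP project): a query built by interpolating the user’s input, next to the prepared-statement form that makes the injection impossible. It assumes PHP with the pdo_sqlite extension, and the users table and the hostile input are constructed here so the script runs offline.

```php
<?php
// Added example, not from the original post: the "vulnerable API" versus
// "safe API" contrast for SQL injection, using PHP's PDO against an
// in-memory SQLite database so it runs offline. The users table and the
// attacker input below are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES
           ('alice', 'alice@example.com'),
           ('bob',   'bob@example.com')");

// The pattern an rdbms_query()-style API encourages: untrusted input is
// interpolated into the SQL text, so the database cannot distinguish data
// from syntax. Kept deliberately vulnerable to show the failure.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The API shape the post argues should be the only one on offer: a prepared
// statement with a bound parameter. The input travels as a value and is
// never parsed as SQL, whatever quotes or keywords it contains.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: a tautology that, once interpolated, turns the
// WHERE clause into  username = 'x' OR '1'='1'  and matches every row.
$input = "x' OR '1'='1";

printf("unsafe query matched %d row(s)\n", count(findUserUnsafe($db, $input)));
printf("safe query matched   %d row(s)\n", count(findUserSafe($db, $input)));
```

The unsafe function hands back every user, because the tautology is true for each row; the safe function hands back none, because no user is literally named `x' OR '1'='1`. The review check that follows from this is mechanical: flag every `query()` or `exec()` call whose SQL string is built by interpolation or concatenation, and treat each one as a finding until it is rewritten with a bound parameter.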

Worse still, Richard misses the forest completely when he says that “… it’s called an ‘attack targets’ document, since there’s nothing inherently ‘vulnerable’ about …”. It doesn’t really matter if it’s a weakness, action item, vulnerability or attack. If it’s something you should know about, it belongs in there. Like phishing, like webappsec, and so on. Don’t play semantics when people are at risk. That’s the job of cigarette and oil companies.

It’s basically impossible to find out how much certain types of attacks net criminals, or how much pain identity theft victims suffer, or how much a life is worth when an attack takes out vulnerable biomedical equipment. I’d rather have my blog spammed by hundreds of scripts than one single skilled and motivated attacker take over the host this blog resides on due to security defects in WP. A simple numerical attack number is useless. A simple $$$ figure is going to be wrong and misleading. It’s impossible to *rate* attacks.

We must do it via vulnerabilities discovered, and I’ve done that.

So for us, MITRE data is as good as it’s going to get, and I’ve used that for the top 4, plus one item which is going to be the major form of weakness/vulnerability/attack as folks work out how horrible it is to use CSRF resistant software, and it’s going to get worse when Ajax enabled apps do *everything* via XHR, rather than just a subset of their functionality.

Rohit did a great job herding many, many cats. I really wanted 10 things in there for developers to check and do as web app sec vulnerabilities are now the Top 11 or so attacks. But SANS is a system administration resource, and thus they turned the focus around for system administrators. Fair enough. That’s why we have links to OWASP for those folks who need it.

For Richard to state that the SANS document is my opinion, I don’t think so. I concentrated heavily on fact. In other related news, the OWASP Top 10 is nearing that happy point when it will need peer reviewing. If you’re interested, come join the Top 10 mail list at OWASP.

PS: that graph above, although it is the MITRE data, does not indicate the Top 10 headings. We’ve got something special for you all! :)


vanderaj on November 17th 2006 in OWASP, PHP, Rants, Security

Attack vector for Windows Genuine Disadvantage

The other day, WGA decided that my volume licensed copy of Visio was a pirated copy. This is laughable… and annoying. Luckily, the situation sorted itself out; I have Visio 2007 installed and I was able to use that until Microsoft used the rubber hose on WGA’s servers.

But it got me to thinking how a hostile Trojan could cause massive disruption. Product IDs are easily tamperable. If the user is an administrator, all a Trojan or virus has to do is change the Product ID for Microsoft products (Windows, Office, etc) to random values. It doesn’t need to set it to known pirated Product IDs, but just random ones. These are unlikely to validate under WGA, and millions of folks will end up with software which can open, but not print or save documents. Or in Windows’ case, not boot after 30 days.

Microsoft’s only solution for this would be a massive program of issuing new ProdIDs to legitimate customers at a massive cost to everyone (including Microsoft), or to give up on WGA altogether.

If product IDs are susceptible to change, and they are, they must be better protected by the WGA process. If I’ve thought of this, and I’m not precisely hostile, imagine what the organized crime dudes can do.

How many inaccuracies can a single song contain?

I don’t know about you, but I find artists who know very little of what they complain about frustrating. I am not talking about irony and the lack of it in Ironic by Alanis Morissette, but I Wish I Was a Punk Rocker (with Flowers in My Hair) by Sandi Thom. If you’re a fan of this song, please don’t get me wrong, it’s a nice song, but it’s woefully inaccurate.

In the olden days, scientist philosophers like Galileo, da Vinci, Newton and Franklin were masters not only in their respective fields and great minds, but accomplished authors, musicians, artists, and in Franklin’s case, statesmen. As with most of my geeky friends, we are passionate authors, voracious readers, keen collectors of music and often musicians in our own right, love museums and galleries and the arts. However, many “artists” do not respect our arts and sciences.

Let’s go through a few of the foibles of this song:

  • “In 77 and 69, there was revolution in the air” - Where? In 1968, there were the French student riots and the Prague Spring, of which only one, the French student riots, made any difference, with an election being called. In 1969, besides the Viet Nam war, very little revolution happened. Maybe she’s talking about Woodstock. 1977 was the beginning of the Sandinista revolution in Nicaragua, and the seeds of the Iranian revolution, but hardly the progressive revolutions the singer calls them out as. The song’s main theme is punk (anarchy) and flowers in the hair (the hippy / free love movement), which is an expression of baby boomers’ “me me me” selfishness despite its best intentions. We owe a huge debt to the hippies for freeing up attitudes but little else. Anarchy exists today - see Darfur and a host of other hot beds of human misery and crimes against humanity. No one can claim to want anarchy without understanding what it truly represents. 1977 saw the release of Never Mind the Bollocks… by the Sex Pistols. Punks hated the hippies, so I’m unsure of why she wanted to be both. Anyway, disco / techno won the battle, not punk ;-)
  • “Not everybody drove a car” - This is still true today, and if anything, anti-car choices in the major metropolises of London and so on make it very difficult for people to drive to where they’re going. The car is a symbol of freedom and personal mobility, so I’m not sure why this is a bad thing. The days of most people not owning a car or the ability to drive are long, long gone. This is more of a pre-World War II thing. My grandparents owned cars from the end of the war onwards. Certainly, by the end of the 1960s most families had at least one car and it was an essential part of life.
  • “When accountants didn’t have control” - This is especially amusing. A&R and accountants in the music industry have been entrenched for years. In Dirk Gently’s Holistic Detective Agency, written in the early 1980s, the main protagonist fought against the A&R types and noted with extreme wit that music contracts were the devil’s work. This didn’t happen overnight. This is not a product of today’s society, but that of the exploitative music industry she so bitterly complains about.
  • “And the only way to stay in touch was a letter in the mail” - This is also particularly funny. Although I’ve personally only written a couple of actual letters to friends, and none in the last 17 years of being on the Internet, the phone system has been around for quite some time. Telegrams predated the phone system by some considerable time; the first Atlantic telegraph line was completed in 1858, some 111 years before 1969. It was possible to call internationally from the 1920s onwards with the laying of submarine cables, and from the 1960s onwards with the launch of Telstar in 1962.
  • “And the super info highway was still drifting out in space” - The network that became the first nodes of the Internet was established in 1969 as ARPANET. It has only recently been extended to our local solar system - with a modified form of TCP/IP used to communicate with the Mars Orbiters to form the interplanetary internet (see http://www.ipnsig.org).
  • “When record shops were still on top / And vinyl was all that they stocked” - This ignores the 8 track (from 1965 onwards) and the compact cassette (from onwards), both of which were popular in 1969 and 1977 respectively.

Although this song appeals to those hankering after a time long ago, the time the chanteuse desires never existed. I wish that artists were a bit more respectful of history and less hostile to modern life. I’d rather be alive now than living in the past; the world is a beautiful place and it is what you make of it.

Boomshanka, peace.


vanderaj on September 8th 2006 in Life, the universe, and everything..., Rants