While I’m away, I’m not completely away.
You see, I do have a day job, and my day job is less and less about the kind of things that are described or discussed at blackhat and defcon. Due to this, I’m in the position this week of continuing to “work” on office stuff while I’m trying to get my geek on.
Departure: I left on Tuesday morning in order to arrive here on Tuesday morning. The flight was not too bad – the middle seat was empty, and the other seatmate was a jerk about it.
Arrival: Got here, got a room early (thanks, nice lady at the CP desk), got up to my room just in time for a concall. There’s something surreal about being in a Vegas hotel room rather than a normal business hotel while trying to work. I’ve got internet, I’ve got a desk(ish thing), and I’m sort of able to work, but I’m surrounded by the weirdness of Vegas – my shower stall is almost as big as one of the three-piece baths at home!
Tuesday Afternoon and Evening: I’m trying to balance being in two time zones. I’m working on “work” stuff early in the day and doing the conference stuff in the evening… except today, my work bled into the evening. I made the time to get to registration and pick up my badge and bag of materials. Otherwise, I was working right through until about 7:30pm local (10:30 my time). I went outside for a bit of fresh air, then went upstairs and collapsed.
Wednesday Morning: Early start. Too freaking early. Let the phone calls begin. Seriously – three and a half hours on the phone. Glad I remembered the handsfree. Glad that it’s not a bluetooth one. Seriously pissed off about spending that long on the phone. I arrived downstairs in time to go find coffee. Hotel coffee generally sucks so bad. This hotel is not any better. I’m hungry. It’s mid-afternoon my time. Mental note, get room service for breakfast.
First session: I missed the keynotes. This first session is “Kick Ass Hypervisoring: Windows Server Virtualization” with Brandon Baker of Microsoft. Interesting (if dry) discussion of where Microsoft thinks they might be going with the Viridian technologies. I’m not convinced that MS has thought through the security realities of what they’re up to – they have thought of the right things in terms of structure, but I’m not sure that they’re lateral enough to do the right things. Too many issues are hand-waved away under the guise of “Deployment Considerations”. They keep trying to do brittle technical preventative controls, then backslide into “but you’ll have to cover this with people/process”. http://blogs.technet.com/virtualization/
Second session: I’m in “Anonymous Authentication – Preserving Your Privacy Online” with Andrew Lindell. Not sure where he’s going with this. He is currently pointing out that there are user-related issues that can create the preconditions necessary to hook personas together (creating hooks between what people post/say and who they are). The question is how to move from the current state to a future state where neither the user nor the server can cheat the system, and the system allows for ‘revocable’ anonymity while still providing useful authentication.
Lunch: It is possible to seat and serve 5000 people in less than an hour. I didn’t think so, but damn. Food was ok – I’m more impressed by the fact that it was hot. And interestingly, iced tea is supposed to be pre-sweetened. Providing a sugar packet is not sufficient.
Third session: I’m in the XML one, “Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity” with Brad Hill – should be interesting, as the presenter has broken it up into both executive-level material and technical details. “XML is the most popular interconnection technology since ones and zeros”. XML has reduced the number of “broken parsers” out there by reducing the need to write one-off parsing engines. Really good session. Really good. I’m even more convinced now that the XML WS-* group is on crack.
Fourth session: “Premature AJAX-ulation” with Bryan Sullivan and Billy Hoffman – I’m a little late. Oops. Just getting up to speed – two guys presenting and not terribly well – they keep stomping each other. Oh, and please stop with the synchronized hand movements. Reasonably good content, however, it was a “101” session and I’m sorry to say that many of the BH sessions have had this problem (discussions with other attendees show the same issue is widespread).
Fifth session: my brain is tapioca at this point. “Vulnerabilities in Critical Evidence Collection” by Chris Palmer and Alex Stamos – new tool releases! Not really sure why they couldn’t get into a good groove with the audience – may have something to do with using the phrase “We didn’t test that” repeatedly. They finally pointed out a flaw, and it’s a serious edge case. The downside of doing “independent testing” of applications that cost more than $100k is that you need to have the $100k to blow and from what I can tell, they didn’t actually have a copy of the software to test with, they were working from indications and time spent utilizing other people’s systems. High end security research is hard.
And that was the end of my first day at Blackhat 2007. Wonder what today will bring?
[tags]blackhat, blackhat 2007, hypervisor, microsoft, authentication, anonymity, privacy, XML, Web Services Security, AJAX, Encase, forensics[/tags]