[LOPSA-US-AZ] RSA conference report

Rik Farrow rik at spirit.com
Fri Feb 24 13:37:35 PST 2006


I suggested that people include trip reports about conferences attended,
so am following through on my own suggestion. 

I am not fond of big vendor-fests, but did want to at least show up at
RSA, wander around the exhibit hall, and get to meet up with people. I
showed up late in the morning of the opening day (Tuesday), having
missed the Bill Gates and Scott McNealy keynotes. I wasn't really in
the mood for marketing, although I thought it would be cool to see
Gates fail at yet another demo. Turns out his demo worked this year,
so I didn't miss anything. Bill did pimp One Care, a MS product that
provides anti-virus plus a frontend to things that you already have
in Windows XP. Not only will One Care cost more than current AV, it
is also a tacit admission that Windows is not secure, and Windows
Vista will not be as well. Sigh.

The part of McNealy's talk I heard about tied in with the big "news"
of last week, where the Vice President shoots one of his friends
while hunting. McNealy allegedly started his keynote by saying that he
had missed Gates' presentation, but does try and be friendly with
him. He had even invited Gates to go hunting with him.  McNealy
paused, then mimed bringing a shotgun to his shoulder and firing
it. The audience found this funny (and I must admit I did as well).

I did catch a good portion of the cryptographers roundup, a panel
discussion with four well-known crypto experts, including Whit
Diffie and Martin Hellman (think Diffie-Hellman), and Avi Shamir.
I missed the name of the first panelist, showing up late (not one
for driving in the usual, ridiculous, Silicon Valley traffic
at rush hour).  I took notes on my palm-based phone, and discovered
today just how bad I am at writing Graffiti. But I did manage to
decipher a couple of notes:

  Shamir said that the discovery of collisions in MD5 and SHA1 hashing
  algorithms is significant, but not a current cause for concern. That it
  is possible to compute collisions of hashes is important, but because
  getting this to work requires a set of random data, it is not important
  for current uses of hashes (big sigh of relief there).

 Hellman said that security would be much better if more crypto was
 used. I thought that he was completely ignoring the usability issues,
 for example, the USENIX published paper about how few people, out of
 a group of college students and professors, were actually able to PGP
 encrypt their email successfully.

 Diffie said that if security was as good as our current encryption,
 computers would be a lot more secure. He also said your wallet is a LOT
 more secure than your computer. Diffie managed to be the wittiest of
 the bunch, but in the context of a group of cryptographers, I am not
 sure that says much. I heard his USENIX security keynote bombed badly...

I then wandered the exhibit hall, usually my least favorite part. But
for some reason, I found myself enjoying things more than usual. My
interest was in finding companies using embedded Linux or BSD, and it
only took a few minutes to discover Montavista, who supports Linux
on embedded systems. They were in the Cavium booth, a company that
makes multi-core chips based on MIPS64 instruction sets, that run
fanless (the Montavista guy showed me that one core was executing
at 331 bogomips, so no GHz speed in his sample -- but that was just
one core). Cavium also does TCP in silicon, and is used in lots of
firewall and IDS hardware products (they had a stack of boxes in
the booth, missing Cisco, but covering most top firewall hardware).

I then wandered over to F5, who is adding firewall features to their
loadbalancers. It turns out their frontend runs Linux, but the actual
loadbalancing is done in custom hardware, so it can support GBit
speeds. Juniper uses both BSD and Linux. In their routers, BSD
handles the frontend, route calculations, and other work, and then
downloads route tables and other instructions into custom hardware
(pretty cool). They said they were expanding, just to keep up with
Cisco and their mad expansion, and that explained their appearance
at a security conference.

I ran into Avi Rubin, who said he and his students had started a
business (ISE) to vet/break security devices (see last USENIX
security for an example, first paper, 
http://www.usenix.org/events/sec05/tech/).

NSA and Cryptometrics both had working Enigma encryption hardware.
It was neat to press keys, watch the rotor turn (the second and
third rotors turn much less frequently, think of an odometer dial).
But the NSA guy didn't really seem to understand how his Enigma worked!

I caught several "tutorial tracks", really what I would call Invited
Talks, in the afternoon. Chris Wysopal, a L0pht founder, talked about
software he and his company are building to do static code analysis.
I have a lot of faith in anything Wysopal (Weld Pond) works on, and
he did explain the ups and downs of static vs dynamic code analysis.
One benefit of his approach is that it can be used to study the
security of code, coming up with a ranking. Wysopal showed an Energy
Star label, like you would see on a refrigerator or dryer, that
showed where a security score would fit into a range for a particular
product type. I liked that idea, and had fun imagining BSD vs
Windows on embedded systems.

Next, I found the room where the Chinese researcher who had found
weaknesses in the hash algorithms was speaking. I didn't expect
to understand much, but basically, she said they had looked
for patterns where bits would be conserved throughout the multiple
rounds used in both MD5 and SHA1. Her English was amazing,
in that it was English, but sounded like a Chinese dialect, making
the discussion even harder to follow.

Finally, I listened to Richard Bejtlich. I had met Richard the
first time he had taught for USENIX, and was once again very
impressed with him and his presentation. Richard preaches about
Network Security Monitoring, NSM, a technique that involves collecting
network statistics, network transactions (argus), full packet
capture, and IDS. Using a frontend called SGUIL (sguil.sourceforge.net)
allows you to uncover security incidents on your networks with NSM
much better than forensics or IDS can do. NSM means that data get
stored on non-exploited systems, and the multiple views into this
data make it possible to learn much more about an incident than
is possible with other approaches. Richard has a blog at 
taosecurity.blogspot.com, where you can read more about what he
has done, or at taosecurity.com (or you can read his books).

That's it. I didn't stay around for the rest of the conference, but
visited other Bay Area folks.  My RSA visit was something I arranged
at the last minute, so I didn't get a chance to visit with BayLISA
people, but did get a chance to experience rain (remember rain?).

Rik


