As soon as we got checked in I had made reservations at the Stinking Rose ("we season our garlic with food" - wow, it was really great, if you like garlic) so we took a walk through Chinatown there and saw what Bob called the "Bun de Soleil" in the Transamerica bldg, walked around and windowshopped a lot, and all bought Wassabi peas. Some of the street vendors have the wierdest stuff that they sell for Chinese folk medicine! We went in search of a coffeeshop after dinner and found a real dive of a joint by the art school and our hotel, they were playing Eminem loudly, but the coffee was good, and the coasters said "Conker's Bad Fur Day", I think an ad for some X-rated videogame. Then Paul and I stayed up talking and watching people in the hotel bar. I saw in the paper that the Psychedelic Furs were playing at the Filmore, thurs 8pm, so Paul, Bob, and I made plans to go, both because it's a historic place, and the band is cool!
Sunday AM we went for fantastic Dim Sum at New Asia in Chinatown. Ming's idea, it helps that he is Chinese, that was a great idea! Then there was the opening reception with a "where the wild things are" theme, sort of like a mini-amusement park thing. Really fun, with tunnels to go through, a band outside, and some wonderful sushi and chocolate covered strawberries. I saw Bruce and Karen, and we sort of snuck her in, which might've been a problem because they were checking badges even after we got her in, until the VP of RSA came over to schmooze with Bruce and it suddenly became no problem! Karen's interested in very small-print run, rare books, and was going to go check one out the next day... they seem to be a perfect couple, who enjoys sharing their interests and have their own cool interests to keep occupied!
Monday I went to an industry track talk which had a good point, that Alice & Bob, the typical paradigm for explaining PKI, is way too complicated to sell, we should be selling it like a modem: how fast is it, how dependable is it? There was a talk by Bruce, the crypto-deity, I sat with Karen and chatted a bit,
Bruce Schneier -met a guy who was working on SIGGRAPH, and trying to offer Bruce and Karen free memberships to something else (not sure what, but I didn't want to butt in, even if it sounded cool), Paul (who's now my ex-boss) was talking the same time as Bruce, which I hated in the first place, and then really hated, because Bruce was so popular that they were lined up packing the halls, so the conference organizers decided to switch them, because Paul had the biggest room, the IMAX theatre. So they took the two most popular talks, and suddenly had 1000 people shoving by each other in the halls, twice, because then the tracks switched back, and both talks had to be cut short. Diffie, Rabin, and Shamir, crypto guys that are even more famous than Bruce, talked,
Attacks are important - they increase risk of being online public image, loss of brand, perception, shareholder lawsuits will soon be a reality for losing face through getting hacked!
the future sucks, we're losing this battle- the internet is too complex to secure
When NASA lost the mars orbiter, this isn't good martian air def, it's buggy code buffer overflows easy to fix, stuff like pure, won't go away even though they've been fixable since 1960
testing your config has very important security ramifications - put 2 secure java apps together - it's insecure.
Read Normal Accidents by Perault - systems have emergent properties it's an arms race & you have to keep up to do business if you didn't patch, you get blamed, that's blaming the victim ramen, lion, napster bug vulnerability
hacking your fridge is quite possible, they're selling a lot of IP-connected fridges in Scandinavia now (not to mention hottubs) "my fridge has been hacked and I must scream!"
Security becomes barrier to business, we're in the business of saying no a lot - that isn't what we should be doing, it's risk management, procedures, mitigate, transfser risk - there's a sweet spot in the middle where we should really be aiming. prevention & prophylactic = not real!
Can we rate like a safe? 1hrMil? Takes an hour to break, detect & respond in that time? Security personnel in ideal position to break system - how to monitor? Must SeOS!
Need security response people in far east ILoveYou proved that, call, wake up, patch.
Best we can do is manage risk, doing okay. 24x7 monitoring (heh, this is what he sells) & prosecution important
hacker tools to bypass IDS?
Crypto panel -we had a lunch meeting with RSA where we met our new boss for the first time (she came out to the conference too) then had the official opening of the conference, with Pat Benatar up on stage singing a take-off on her own song "you're a codebreaker, file breaker, risk taker, don't you mess around with me... you're the right kind of hacker to release my new technology....?!" heheh, seriously! They always get some famous band... then went to the expo reception before going to a bar called the Boom Boom Room, owned by the old bluesman John Lee Hooker, and saw a band called Peanut and the Apocalypse, that were just great... played a little bit of everything from blues to reggae, mostly rock/funk/blues. The leader, peanut, played an electronic sax/synthesizer. We even all got up and danced, all of us! We left after they did their version of Red House... decided it's hard to top that, I think they were better than Hendrix. What a fantastic way to meet your new boss! I keep thinking what a cool bunch of coworkers I have, I'm really lucky, most people don't work with brilliant people who are just incredibly fun! Paul started talking about how Bob had scored a bullseye with BoomBoom, Ming with dim-sum, and me with Garlic, and he needed to catch up, and we pointed out that he was responsible for the whole trip, convincing us to come because he said it was such a good conference, and he was right!
Secure protocol + secure component = insecure system (reiterating Bruce's comments!)
complexity - security epidemic
aes is Belgian!
Privacy companies fail
sacrifice complexity, pay cost, or lose security
Tuesday on the way in I saw a street beggar wearing a sun java hat... wow, the .com crash is pretty bad! That or it's a fashion statement like the beggars in Paris, that dress better than Mike.
Luna -Douglas Adams (the science fiction writer!) spoke,
Need for accel RSA 1024 CA's don't need acceleration
xkms valid needs... if ever
bandwith grows faster than cpu - don't need global data ctrs, need fast boxes.
Need no route to KMS box from net, fast connect from IIS box. Scale.
SSL is most deployed. Ocsp/xkms validation how diff?
Client side auth is just as fast as straight ssl? Speed not necs?
Private key ops slow
Need VPN tunnel to LDAP svr, ipsec? Need speed!
Douglas Adams -and there was a VIP reception at an art gallery and dinner. Weds is Mudge, Levy, a lunch, and the big Gala at the natural history museum with three bands and a string quartet, and Thurs Dana Carvey (Garth from Wayne's World) gave the closing talk... mostly hilarious! "RSA here to stay, NSA run away!" and "I asked my agent if I could follow a PhD from Pakistan, and he said this was the gig for me... you people all have really big brains... laughing at my jokes politely with a tiny bit of your brain while you're planning the mission to Mars..."
All that websites get are eyeballs. Try paying your grocery bill in eyeballs... if you're not Anthony Hopkins!
The hitchhikers' computer game deliberately lied to you- therefore Adams considers himself the father of artificial mendacity... you know when you hear "to serve you better" on at&t instant auto voice response system, you're in trouble... "we're about to launch a missile at you as a special customer service measure", "responses monitored for quality control purposes" has become so ubiquitous that we ignore it, but it isn't good!
bmw.com shows just exactly how sexy the car looks under certain lighting- but they pretend the rest of web doesn't exist
amazon works because of the footprints of other people, because it shows what someone else had to say, what they liked.
why don't we store customer interest in things you don't sell - colors, other companies! Search engines watching searches, asking what you Are looking for. You go into a store and ask, "do you have that in blue?" and they say no. Go to another store, same q/a. Third store, "have that in blue?" "No, there isn't any demand for it."!
Cars are information sharing devices moving thru an information rich world, what you're listening to on the radio, where you are, what you're interested in, what the road conditions are, all that could be shared with other, people, and is a lot more interesting than services that a service provider sells. You see someone else driving by that likes a certain kind of wine and food and is listening to the same radio station, ask them if they want to go for dinner.
let the people share data- that's what it is about!
The story about the man who blatantly stole half of his cookies right in front of him actually happened to him in a train station in England in 1973!
Have we got an easy way to share proceedings?
Thurs nt, I got together with a couple friends who live out there and a couple of the guys from work, we went to dinner to see the Psychedelic Furs at the Filmore. (yes, my coworkers are a pretty cool bunch of guys). It was a really cool venue, all kinds of old psychedelic posters, and real chandeliers! The band put on a great show too.
Passport - Not cert-based auth what apps req pki? Email y
welcome - hackers are terrorists if someone hurt China has the best econ in the world. The CA/Internet boom is over, but it won't be as bad as J privacy is an asset- makes customers do bus- 12pct don't care, 63 pragmat, 25 fundys Henry Ford quotes on privacy?
Sec Millen - 2 intel soln ctrs in china. Boeing pki don't let a vendor analyze & sell analyze the whole net & policy
sec .Net -Next day...
respone ctr notify billg when there's a security exposure weekly
ms.com/technet/security/tools.asp consumer security policy sec/priv summit p3p priv statement generator hailstorm affirmed consent model
code sign off, make sure right code rev is rolled, that our people can't crack- must have log review by outside group! SeOS
ms sec conf wizard
Passwds on palms can be caught easily, shouldn't be wsl os not sec if host compromised, palm is compromised, if synched at home you infect both
be aware of server apps. Turn off ir beaming
Gosling - Operating at the limits of our comprehension and always will, like a cathedral or bridge- compex systems, reliability, tape backup sys that turn into sat control systems, never designed to do what they do.
Securing the internet economy think of things only as one use- quarters as a tool, flipping = functional fixation
it makes good business sense to accept risk, mitigation understanding acceptance
business model defines what's important, upper management are the ones who know what you need to protect- next year's car designs
how does Ford run our business? What is most important, that's what we protect, watch the outside for any exposure
island hopping, personal vpn's on generic OS, scan cablemodem, isp, look for virtual tunnel and you're thru the firewall
sell security because understanding your traffic, what you need to spend do security as refininq the business model, counting, charging, tracking. Makes more money! Doesnt slow down business. Ask about pgsec
putting an extra ldap/oracle server in the dmz cuts traffic on the firewalls/ routers in half, cuts spikes on internal server, cuts costs, normalize traffic, incr performance everwhr, sec is just gravy! For free
Sell it as positives & known, can do more busins, can grok what we're spending money on
stop calling it security. Strategic Architecture. You understand your business, and Ford doesn't do business the same way as GM (or Cisco) so you can't outsource it. "I have to admit, I'm a major Ford bigot"
Systems integration -
Main vuln today=yest, inside employees, trash priv sector has always been into security
security shouldn't say no, it should make faster response times, policies to give you access to data, seamlessly, better performance, ease of use is vital
turn off IP checking and log it.
We need an open standard for wsl cookies! Identify fields internally, extensibly.
Proposed std- access control cookie - ldap for access control
PKI-aware apps, or that use it
keon suggests turn off passwd aging for PAC, which is totally wrong, need really strong passwd, changing handled automagic, maybe next version
web passport is totally immature, so convince them to use our standard for WSL cookies
bmc control sa- user access control mgmt