Archive for the 'Uncategorized' Category
Friday, July 11th, 2008
Married in Maui!
I’ve been Maui for the last two weeks and it was AWESOME. My girl and I had our wedding ceremony on a beach in Kihei and our reception “upcountry” in Kula. It was great being back on the islands, catching up with friends and family.
For some reason, I feel energized… Maybe it was the Hawaii sun or may all those late night hacking sessions were finally catching up… or maybe I’m just getting old :p … but I feel good now!
I was pretty much offline for the entire time, so if you’ve sent me an email within the past week I’ll eventually catch up on my email and respond, otherwise I’ll SEE YOU IN VEGAS!!!
Saturday, June 21st, 2008
Clarification for “BK on Safari, hunting Firefox…”
Whose fault is this? That’s the whole point of the post. We have interaction between different software from different vendors. In isolation, the behaviors that are being abused here are not a high risk. It’s only when you combine the behaviors does it constitute a risk. Who should we blame? I don’t know, I don’t think anyone really knows… lots of people have their opinions though. 
Saturday, June 14th, 2008
3rd Annual Symposium on Information Assurance
I was recently given the honor of delivering a keynote talk for the 3rd Annual Symposium on Information Assurance, which was held in conjunction with 11th Annual New York State Cyber Security Conference. It was a great conference and I want to thank Sanjay Goel for inviting me!
The conference was VERY academic… which I love. Academics present with an eye to the future so I listened as PHD candidates talked about securing nano networks, sensor based wifi networks and a slew of other topics… Academics also seem to have an boldness and fearless approach to the topics they present, which I admire…
While I enjoyed most of the talks I attended, there was one that perked the ears of the blackhat in me. John Crain of ICANN gave a talk on “Securing the Internet Infrastructure: Myths and Truths”. If you don’t know, ICANN basically owns the root DNS servers that the world relies on everyday. He gave a great explanation of how ICANN goes about creating a heterogeneous ecosystem of DNS servers. These DNS servers use multiple versions and types of DNS software, multiple versions and types of operating systems, and even go so far as to use various pieces of hardware and processors. The reasoning behind this logic is… if a vulnerability is discovered in a particular piece of software (or hardware) is discovered, it would only affect a small part of the entire root DNS ecosystem, whose load could be transferred to another. It’s an interesting approach indeed. After the talk, someone asked me why enterprises/corporations don’t adopt a similar strategy. I thought about it some and I don’t think this approach could enterprise environment… here’s why (other than the obvious costs and ungodly administration requirements):
ICANNs interest is primarily based on preventing hackers from modifying a 45k text file (yes the root for the Internet is a ~45k text file). Now, if a hacker happens to break into a root DNS server and modifies the file, ICANN can disable the hacked system, restore the file and go about their business. As long as ICANN has a “good” system up somewhere, they can push all their traffic to that system. Businesses on the other hand, aren’t not primarily interested in preventing the modification of data (not yet at least), they are more interested in preventing the pilfering of data. So if you own a network of a million different configurations, a vulnerability in any one of those configurations could allow an attacker to steal your data. Once the hacker has stolen your data, what does it matter that the 999,999 other systems are unhacked?
This brings up the heart of the argument, should we be worried about our systems being compromised or should we be worried about our data being stolen? These are actually two different problems as I don’t necessarily have to compromise your system to steal your data…