RSA 2004 Trip Report

What: RSA Conference

When: February 24-27, 2004

Where: San Francisco, California

Why: Zkb qrw?

The RSA Conference isn't a conference, it's an "event". To my mind, it's a bizarre hybrid between a technical conference and a trade show with a dash of Academy Awards-style restraint mixed in.

The theme of RSA 2004 (yes, this conference has a theme) had something to do with ancient China. Exactly what was unclear to me. I attended RSA Conference 2002 (and here's my trip report to prove it) which was similar in tone and style, but had a more comprehensible theme---something about Mary Queen of Scots. Diffie ridiculed the 2002 theme so maybe the organizers decided to make the 2004 theme so vague as to be ridicule-proof. The theme for 2005 will be "The Codes of Prohibition", which sounds intriguing. I wonder what Diffie will have to say about that.

The main conference hall included a large stage flanked by enormous fake Chinese statues and oversized fake bamboo. There was a surplus of loud throbbing music and an impressive lighting system worthy of a rock concert. The Great Wall was projected onto a screen that formed the entire background. The projected image could be changed by the speaker, though this wasn't put to good use in any of the talks I witnessed (imagine oversized Powerpoint enveloping the speaker).

The contrast between the RSA Conference and the hackers convention, Defcon, is worth mentioning. I attended Defcon 11 last summer (my report is here). Defcon is an extremely low-budget affair, with a fee of $75 (cash only, no names taken), whereas RSA charged a fee of $1200 to $1800, depending on the registration date. Fortunately for me, there was an academic rate of $600, or I would never have attended. Another contrast is in the attendees. Defcon has a large contingent of 16 year old hacker wannabes (pierced body parts, black leather, etc.), while RSA is filled almost exclusively with security professionals (a very small contingent of academics is also present).

Of course, all RSA Conference attendees received fancy bags stuffed full of free security magazines and RSA propaganda. There was also a nice RSA pen, a thin fleece jacket, a truly impressive notebook, and a thermos that looks cool (red with a gold dragon), but doesn't actually keep anything warm. Appropriately, it's made in China.

The actual conference included 11 keynotes, given by such tech luminaries as Cokie Roberts and P.J. O'Rourke. OK, there was also a keynote by some guy named Gates. In addition, there were three panel discussions, with the Cryptographers Panel being the highlight for me. More on this later.

There were also talks by mere mortals. These talks occurred in 13 "tracks" and two additional "tracklets", all presented in parallel sessions. I was unable to grasp the subtle distinction between tracks and tracklets, but I suspect the organizers deemed tracklets unworthy of full-fledged track status. Personally, I wish this kind of thinking was applied more widely. For example, in the next summer Olympics, maybe we should refer to the equestrian events as eventlets.

For the record, the tracks were

and the tracklets were

The keynote speakers were (with official titles)

Based on my limited observations and mental abilities, I'd guess that the main criterion for selecting the "serious" keynote speakers was net worth.

There were also three panel discussions

The conference included an expo. In this context, an expo is a huge conference hall filled with vendors trying to sell their wares (security wares, that is). It seemed to me that the trend this year was toward "appliances" (a word that always makes me think of washing machines) that perform multiple functions. For example, there was an appliance that was a combination firewall, intrusion detection system, toaster and coffee maker (of course, I'm kidding about the toaster part). Vendors also offered some swag, but to get any of this you had to let them swipe your conference badge, which I feared would inevitably result in additional spam. So I passed on the swag, which seemed to consist mostly of cheesy junk (cheap pens, can holders, plastic, etc.) anyway.

The keynote talks were held at the Moscone Center and the tracks (and tracklets) were held, in parallel sessions, across the street in a movie theater. I'm not kidding. Imagine boring Powerpoint slides projected onto the entire "big screen" with the audience sitting in too-comfortable chairs in a darkened theatre. I didn't actually hear anybody snore, but I did see some drool-stained chairs. At least I think it was drool.

The following are brief descriptions of some of the talks that I attended. I've included only a couple of the boring ones just to give a more balanced picture of the offerings.

[Keynote] Cokie Roberts

I only caught the end of this one, and I was forced to sit in overflow seating (not because Ms. Roberts' talk was so popular, but because the next speaker was Bill Gates). This talk apparently concerned election year politics. I can't understand why they'd pay to have such a speaker, since a few minutes of NPR or your favorite cable station would have yielded just as much insight.

RSA Conference Awards

This was strange. The presentations were Academy Awards style, lacking only the list of nominees and "the envelope, please". Some guy at the Bank of New York won an award, but he was not present to accept. That made me think that this must really be a prestigious award.

Next, they presented an award for public policy to Senator Bob Bennett of Utah. Senator Bennett was introduced by a former congressman who quoted Bob Dole, who, when he left the House after being elected to the Senate, said that he "raised the IQ of both".

Senator Bennett said that his "kids think it's hilarious that I'm the hi-tech Senator. I can't even program my VCR". He also said that the Senate is "very good at solving the problems of the 19th century" and he predicted that the Senate would only get interested in cyber-security after something happens that directly affects them, such as their email system getting hacked.

The next award was for mathematics and went to Burt Kaliski of RSA Labs. Professor Silvio Micali of MIT won an award but he too was not present. Then came a "lifetime achievement" award to Jim Bidzos. The only noteworthy thing about this is that the award was presented by Rivest, Shamir and Adleman. I've seen R and S several times before, but this was the first time I'd seen A in person. Well, technically, I didn't see him in person since I was in the overflow seating watching on an enormous TV screen. Mercifully, this ended the awards ceremony.

[Keynote] Bill Gates, Advancing Security in an Interconnected World

I've never seen Gates speak before, but this is certainly not what I had expected. There was no "vision", no bold roadmap for the future of security. Instead, we were treated to a "dog and pony show", where Gates would blab for a while, then bring out some peon to demo an upcoming security feature (read "bandaid") for Windows. Here are a few specific points that made an impression on me.

There were a few other topics, but nothing that I found too interesting. One thing that bothered me throughout this talk is that in the security arena, it's generally agreed that complexity is the enemy of security. There was no hint that Gates has bought into this notion.

Intermission

After Gates' talk I managed to get into the main auditorium just in time for the annoying (and loud) theme music. Yes, the RSA Conference even has theme music. Before the next keynote, the MC came out (yes, they also have an MC) and he got a "volunteer" from the audience. He asked the volunteer to think of a number greater than 35 and less than 100 and write it on a small piece of paper. Apparently without seeing the number Mr. MC then wrote the following numbers on a large board

   39    1   12    7
   11    8   38    2
    5   10    3   41
    4   40    6    9

The selected number, 59, was then revealed and the MC pointed out that the rows all sum to 59, as do the columns, as well as the diagonals (not just the main diagonals). The middle four numbers sum to 59 as do other blocks of four (upper-left 4, upper right, etc.). Very impressive...

[Keynote] Art Coviello, President RSA

The speaker joked that Bill Gates was his warmup act. Mr. Coviello mostly talked about a paper that appeared in the Harvard Business Review titled "IT Doesn't Matter". The point of this paper apparently is that information technology has reached the point of being ubiquitous, so there is little or no competitive advantage to be had from IT spending. This thesis obviously irritated Coviello a lot. Nevertheless, he took the high road, stating "it's the application, stupid".

Much of the talk dealt with railroads. I've always found the railroad analogy to technology to be compelling, though Coviello presented it in a different way than I'd heard it previously. His point was that railroads reached the point of ubiquity in the late 1870's, yet the most significant changes due to railroading were "applications" that came later. He also drew a similar (if less convincing) analogy to automobiles.

Of course, the speaker also plugged security as being the critical technology required to unleash the full potential of the Internet (what a surprise). And he seemed to be stuck in the bubble mentality as he exhorted people to jump on the bandwagon in order to avoid getting "left behind". He actually insisted that his talk was "not self-serving", which, to my mind, just reinforced the fact that his comments were very self-serving.

The best part of the entire talk was when Coviello mentioned that Al Gore invented the Internet, which got a good laugh. A speaker can never go wrong with that one. Overall, this was an interesting and worthwhile talk, with a nice historical angle to it.

[Panel] Cryptographers' Panel

The Cryptographers' Panel brought together 2/3rds of RSA (Rivest and Shamir), along with Diffie and Paul Kocher, with Bruce Schneier as the moderator ("instigator" might be more appropriate). In case you've been living in a cave for the past quarter century, Rivest and Shamir are probably the leading cryptographers of modern times. As if discovering (or more precisely, rediscovering) RSA were not enough, they've each had many other major accomplishments in the field. Diffie is famous for his paper "New Directions in Cryptography", which suggested that public key crypto should be possible (without giving a viable system), and for the Diffie-Hellman key exchange algorithm. As far as I am aware, Diffie has not had any major security-related accomplishments since. I've heard Diffie speak at least a half-dozen times and I even met him briefly at a conference several years ago. (I had just presented a talk on my PhD dissertation work and it was the last talk of a session. After I'd finished, everyone else left the room except for one person who said, "I actually posed that problem several years ago", to which I cleverly responded, "And you are?" It was clear he was surprised by the question, but he politely replied, "Why, I'm Whitfield Diffie".)

I've heard each of R and S speak a few different times. Paul Kocher is the President of Cryptography Research, based in San Francisco. He's famous for his relatively recent work on timing attacks and similar clever techniques which defeat security without taking the expected line of attack. I'd never heard Kocher speak before. Schneier is the author of the book Applied Cryptography, which is the crypto bible for real-world developers (unfortunately, in my opinion). I've only seen Schneier speak once before, but it's impossible to read much about crypto without coming across his opinionated articles. He's a prolific writer and the author of the Blowfish crypto algorithm and an AES finalist algorithm, Twofish.

Each of the gang of 5 was given a few minutes to talk about anything at all. This clearly took longer than it should have. In the remaining minutes, Schneier asked the panelists questions. Here are some of the highlights.

Shamir spoke first. "No major cryptosystem was proposed or broken this year." He then went on to proclaim the "death of stream ciphers" which "used to be the king of crypto". In his view, the demise of stream ciphers began when the US government chose a block cipher for the Data Encryption Standard, DES, in the mid-70's. Today, RC4 is the only stream cipher that is used widely in the commercial world (though, I might add, it is very widely used), and it's "showing its age". In the past, "stream ciphers were necessary since it was impractical to buffer a block of data prior to encryption". Today that's not an issue. And it is "much harder to build a good stream cipher". With a block cipher, it is possible to do many operations to a single block, whereas a stream cipher can only do a few operations between outputs, making it inherently easier to analyze, at least in Shamir's view. Shamir suggested using a block cipher in counter (CTR) mode whenever a stream cipher is needed.
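Shamir's suggestion, as an added example that is not part of the original report: a block cipher run in counter mode produces a keystream, so it can stand in wherever a stream cipher is needed, including byte-at-a-time processing with no buffering or padding. XTEA is used only because it fits in a few lines (the panel named no cipher); the key, nonce and messages are constructed, and the last function shows the nonce-reuse failure that CTR mode shares with every stream cipher.

```python
"""Added illustration: a block cipher in counter (CTR) mode used as a stream cipher.

XTEA (64-bit block, 128-bit key) is chosen only because it fits in a few
lines; the panel named no cipher. Key, nonces and messages are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK_BYTES = 8

# Constructed sample values (assumptions for this example).
KEY = bytes(range(16))
NONCE = b"\x00\x00\x00\x01"
MESSAGE = b"stream ciphers used to be the king of crypto"


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with 32-cycle XTEA (big-endian words)."""
    if len(key) != 16 or len(block) != BLOCK_BYTES:
        raise ValueError("XTEA takes a 16-byte key and an 8-byte block")
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    total = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & MASK32
        total = (total + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def ctr_keystream(key: bytes, nonce: bytes, start_block: int = 0):
    """Yield keystream bytes E_k(nonce || counter) for counter = start_block, ...

    Only the forward direction of the block cipher is needed, and each block
    depends on the counter alone, never on the data being encrypted.
    """
    if len(nonce) != 4:
        raise ValueError("this layout uses a 4-byte nonce and a 4-byte counter")
    for counter in range(start_block, MASK32 + 1):
        yield from xtea_encrypt_block(key, nonce + struct.pack(">I", counter))
    raise OverflowError("counter exhausted: rekey or change the nonce")


def ctr_xor(key: bytes, nonce: bytes, data: bytes, start_block: int = 0) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    stream = ctr_keystream(key, nonce, start_block)
    return bytes(d ^ s for d, s in zip(data, stream))


def ctr_xor_chunks(key: bytes, nonce: bytes, chunks):
    """Process data as it arrives, in pieces of any size, with one keystream."""
    stream = ctr_keystream(key, nonce)
    return [bytes(d ^ s for d, s in zip(chunk, stream)) for chunk in chunks]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Caveat: two messages under one (key, nonce) share a keystream, so an
    eavesdropper holding both ciphertexts learns p1 XOR p2 without the key."""
    c1 = ctr_xor(key, nonce, p1)
    c2 = ctr_xor(key, nonce, p2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    ct = ctr_xor(KEY, NONCE, MESSAGE)
    print("ciphertext :", ct.hex())
    print("decrypted  :", ctr_xor(KEY, NONCE, ct))
    # One byte, then odd-sized chunks: same output as a single call.
    pieces = [MESSAGE[:1], MESSAGE[1:12], MESSAGE[12:]]
    print("chunked ok :", b"".join(ctr_xor_chunks(KEY, NONCE, pieces)) == ct)
    # Random access: decrypt from block 2 (byte offset 16) without the start.
    print("from blk 2 :", ctr_xor(KEY, NONCE, ct[16:], start_block=2))
    # Nonce reuse: knowing one plaintext recovers the other from the leak.
    known = b"A" * len(MESSAGE)
    leak = nonce_reuse_leak(KEY, NONCE, MESSAGE, known)
    print("reuse leak :", xor_bytes(leak, known))
```

The 64-bit block keeps the listing short but limits how much data one key should protect; a 128-bit block cipher such as AES is the usual choice for CTR mode in practice.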

Rivest was next. Schneier introduced Rivest with, "So Ron, do you want to tell Adi (Shamir) about your new stream cipher?" You see, Rivest invented the stream cipher RC4. In his brief comments, Rivest talked about voting technology. It seemed that he went out of his way not to offend anyone, which made for a not-exactly-riveting monologue. This was certainly not as interesting as his topic at RSA 2002, where he talked about RFID at a time when nobody had heard of it.

The next speaker, Paul Kocher, had some truly insightful comments. Kocher discussed "market failure" in the context of security. For example, the market incentives are clearly all wrong to prevent spam. His prediction was that we would continue to see progress in security areas where the market incentives make sense (e.g., corporate security) but not in areas of market failure, such as privacy and spam. He then pointed out that the usual response to market failure is government regulation. Given the audience, he was brave to even raise this point. He didn't vigorously advocate for more regulation, but he did ask, rhetorically, whether there is any realistic alternative.

Diffie started with an obituary for Dick Leibler, who was a leader in cryptology at NSA and the IDA Communication Research Division (now IDA Center for Communications Research). He then launched into "the strange saga of AES". AES can now be used within the US government (with specified key lengths) to encrypt SECRET and TOP SECRET communications. In Diffie's view it was remarkable that a secure (as far as anyone knows) algorithm designed in Europe was now a US government standard. He then went on to say that he felt there would be a big controversy over digital rights management (I agree; see the NGSCB talk, below). And he mentioned the FBI wants wiretapping capabilities for voice over IP (VoIP) comparable to those available for traditional land lines. Overall, this was a pretty tame talk by Diffie's standards.

Schneier then launched into a long spiel about some fairly basic security issues, which I didn't feel was particularly interesting. In the process, he wasted a lot of valuable time in an already too-brief session. Schneier then got to the questions. The first question dealt with the recent leak of Microsoft Windows source code.

Kocher said that for legal reasons, "We cannot look at the code to defend against possible attacks, but attackers are free to look at it".

Shamir said, "I also did not look at the source code, but not for fear of legal reprisals. I didn't look because it's boring".

Rivest interjected, "But one bug has been found...", to which Shamir retorted, "So now Windows has N-1 bugs." This comment got a round of applause.

Then Schneier asked a question about security and non-technical issues, such as training users not to click on email attachments. Schneier added that, "My mother has a computer and she cannot not click on an attachment."

At this point, Diffie seemed to veer off on a tangent. "President Johnson used to push the button on his microphone harder and harder, so they eventually made him a special microphone with a button that was really hard to push." After a very pregnant pause where people had to be wondering where he was going with this line of reasoning, Diffie added, "Maybe they should make computer buttons harder to push". Now that was a classic Diffie-ism.

Kocher then mentioned another significant topic. "We can either add complexity or remove complexity". He pointed out that complexity is the enemy of security and "Gates only talked about adding complexity". That got another solid round of applause from the audience.

Unfortunately, that was about it. They should let this panel go on for two hours, as it's the highlight of the entire conference.

Spyware vs Antispyware, Bob Baldwin, Plus Five Consulting, and Kevin Kingdom, Intellitrove

Spyware is stealthy software that can do unpleasant things such as capturing keystrokes, taking screen snapshots, or even turning on your microphone and recording any sounds in the room. These guys discussed a few spyware programs and various anti-spyware programs. The spyware program discussed most was SpyAgent; the anti-spyware programs were Spybot and SpyCop.

One interesting point regarding commercial spyware is the marketing. According to the speakers the emphasis is on spying on your cheating spouse, or spying on your kids. Apparently, this is considered more socially acceptable than spying on your employees.

This talk left me with the impression that the speakers had downloaded a few freeware programs off the web and played with them for a couple hours. They didn't seem to have any inside knowledge or deep insights. They also spoke to each other throughout and put on goofy white hats and black hats (depending on the topic). I have nothing against goofy talks, but with the lack of substance, this one just became annoying.

Effects of Internet Worms on Routing, Ido Dubrawsky, Cisco

This was an excellent talk concerning the effect on BGP routing of Internet worms. BGP is the routing protocol used on the backbone of the Internet. Worms are self-propagating so they tend to create a lot of traffic as they try to spread their infection and it's therefore sensible to consider the effect of such traffic on BGP routing.

The speaker was especially interested in "flash worms" or "Warhol worms", which try to spread as rapidly as possible. The name derives from the fact that such a worm might be able to infect the entire Internet in 15 minutes (I've heard it claimed that a well-designed worm could actually affect the entire Internet in as little as 15 seconds). The speaker gave a very nice and concise introduction to several recent worms: Code Red v2, Nimda, SQL Slammer and MS Blaster. SQL Slammer was the first true flash worm, with more than 250,000 infections within 10 minutes. It had taken Code Red 14 hours to achieve a similar level of infection. Slammer was so successful, in part, due to the fact that it consists of a single 376 byte UDP packet.

The speaker had some nice insights. For one thing, he claimed that if Slammer had slowed down a little bit, it would have been much more successful, that is, it would have ultimately infected many more systems. Slammer essentially "burned itself out" by gobbling up the available bandwidth too fast. This was pretty fascinating stuff, well-supported by his analysis. I'm sure the worm writers have taken note.

WLANs: Ready to Roll Out?, Mark Stevens, WatchGuard

This talk was a typical RSA Conference presentation. The speaker was reasonably knowledgeable about the topic of WLANs and he gave out solid advice about how to protect a wireless network. But there was nothing here that an attendee couldn't have learned in a couple hours of reading.

The story with wireless security is that 802.11b (i.e., WiFi) has a security protocol known as WEP that is extremely insecure. This can be upgraded to something known as WPA, which is better, though certainly not flawless. The future belongs to 802.11i, which promises real security, but won't be compatible with current 802.11b devices. So, regardless of what happens with 802.11i, there will be millions of 802.11b devices around for the foreseeable future.

The speaker identified the security threats to wireless as

  1. Jamming --- it's relatively easy to do a denial of service attack (For example, there is a "disassociate" frame that disconnects you from the network. It is possible for a hacker to send such a frame on behalf of a legitimate user.)
  2. Data Interception --- The signal is easily accessible, so this is a real concern
  3. Snooping --- Again, the signal is available, so someone can passively intercept it, and
  4. Piggybacking --- An attacker might get free Internet access via your wireless access point.

The speaker suggested using the weak security of WEP, if that's all you have available. Given that WEP is so weak, why would he offer this advice? He used the following analogy. Two guys in the woods see a bear charging at them. One guy drops his pack and starts running. The other guy says, "What are you doing? You can't possibly outrun a bear". The first guy responds, "No, but I can outrun you". So if you use WEP, the attacker might just go down the street and use a totally unprotected wireless network.

The speaker also suggested turning off SSID broadcasts, allowing only specified MAC addresses, etc. These are standard suggestions, which are not hacker-proof, but, in the speaker's view, still worthwhile. Of course, this doesn't help if a knowledgeable attacker is specifically targeting your network.

His conclusion was that all of the threats in wireless have been seen before and can be dealt with. Specifically, he suggested

  1. Firewall/DMZ --- Separate wireless users from the LAN and treat wireless network as untrusted.
  2. VPN --- This is a way to get strong encryption (e.g., IPsec)
  3. Authenticate --- Use RADIUS to authenticate and implement logging
  4. SSL
  5. Personal Firewalls

The Next Generation Secure Computing Base (NGSCB), Ellen Cram, Microsoft

This talk was of particular interest to me, since NGSCB (formerly known as Palladium) has implications for digital rights management (DRM). My ill-fated startup company, MediaSnap, Inc., developed a DRM product. The goal of DRM is to provide some restrictions on the use of digital content after it has been delivered. In contrast to, say, encryption, DRM protection is primarily aimed at limiting the actions of the legitimate recipient. The RIAA (and "Hollywood") would like strong DRM, since it would facilitate the sale of copyrighted material over the Internet, without opening the door to piracy. This is a fairly controversial subject---read on and you'll get a hint as to why.

NGSCB is not advertised as having anything to do with DRM. However, one of the basic problems in DRM is that of protecting a secret (such as a key) from the legitimate user of a system. NGSCB would be very useful in this regard.

A few moments thought should convince you that on a modern PC it is essentially impossible to hide a secret from a user if that user has full admin privileges. But, if we could store a secret in tamper-resistant hardware, which the user could not directly access, then we would have made progress (or regress, depending on your point of view) toward a viable DRM system.

The Trusted Computing Group (TCG) is an industry consortium that has the goal of building tamper resistant hardware into a future generation of computer chips. Of course, Microsoft would need to develop software to work with the TCG (formerly, the Trusted Computing Platform Alliance) chips, and that is what NGSCB is all about.

At least some of the NGSCB code has to run in the protected space provided by the TCG, and this raises some concerns. Such software would be inaccessible to users, yet it is in a position to see much (if not all) that is happening on the system. Such code might reasonably be viewed as a security guard who can monitor what is happening in a computer system (thanks to Clark Thomborson for this analogy). Of course, a security guard could always take notes on what he observes and pass that information on to someone else. You can see the "big brother is watching" implications. These sorts of issues have led many to question the value of NGSCB/TCG to end users---though nobody questions the potential value to the RIAA. For further information on this and related topics, see Ross Anderson's excellent Trusted Computing FAQ.

This talk did not deal with any of the issues mentioned above. Instead it was focused on the implementation, i.e., the integration of Microsoft's NGSCB software with the (future) TCG hardware. There were several questions and most of the answers were, essentially, "We haven't figured that out yet". So this is relatively preliminary work, and I give Microsoft a lot of credit for being willing to talk about it so openly at such an early stage of development. Apparently, you can test out the current version for yourself (with simulated hardware)---just go to Microsoft's NGSCB website.

The speaker argued that the real goal of NGSCB/TCG is to maintain the flexibility of modern multi-user operating systems, while creating a "special place" where there is no need to worry about all of the security issues that such systems create (e.g., the separation of users and/or applications). She then got into the heart of NGSCB. All of Windows that we know and love today lives in the "left half", while the TCG/NGSCB lives in the "right half", i.e., the protected space. The NGSCB provides for

The speaker claimed that the following threats are mitigated in version 1 of NGSCB

The speaker also said that denial of service was not addressed in version 1.

One point I found particularly interesting is that the NGSCB does not allow DLLs (dynamic link libraries---these are loaded as needed when a program is running) since you "can't do attestation" on DLLs. In other words, you cannot be certain that the DLL that is supposed to be running is the DLL that is actually loaded and running. I can attest (pun intended) to the fact that DLLs are well-nigh impossible to properly tamper check, since one of my jobs at MediaSnap was to figure out how to do so. In spite of much effort, we were never able to devise a satisfactory way to accomplish this feat.

The speaker also gave a nice example of an application that would benefit from TCG/NGSCB. Suppose that you want to digitally sign a Word document. In this case, there is a "trusted path" issue. That is, how can you be sure that the document displayed on your screen is the same one that is digitally signed? In other words, it would be easy to write software that presents you with one document, but signs a different document. With NGSCB this could be avoided by moving the document to the "right side" (i.e., the trusted space), reading it over carefully there, and signing it there.

This was a good talk. It'll be very interesting to see how this develops over the next couple of years---both technically and politically.

An Analysis of Attacker Counter-Forensic Methodologies, Gary Golomb, Dragon IDS

This was an altogether excellent talk by a very knowledgeable speaker. The guy also had a good sense of humor. He began with "I'll do a book signing afterwards. I haven't actually written any books, but I'll sign any books you've got. And it doesn't even have to be my signature. I do a pretty good Kobe Bryant. I could even sign your copy of Hacking Linux as Bill Gates."

In computer forensics, an investigator analyzes a computer system searching for evidence. Such evidence is often for use in a criminal investigation. Analysts look for things like deleted files and/or directories, overwritten files and/or directories and residual data in the swap space.

Apparently, computer forensics has only recently come under attack by hackers. The bad guys have taken several approaches. On the one hand, they know what information the analysts will be looking for, so they can attempt to overwhelm the analyst with false or meaningless (but legitimate-appearing) information. This creates a "needle in the haystack" effect and, with luck (from the bad guy's perspective) the analyst will be unable to separate the useful data from the junk.

A second approach that hackers have taken is to exploit flaws and weaknesses in forensic analysis tools. This is potentially devastating since such an attack could make it impossible to find certain evidence. The focus of this talk was more on this latter approach, as it is apparently a relatively new phenomenon.

The speaker cited the article Defeating Forensic Analysis on Unix by The Grugq. He also mentioned tools for data destruction (Necrofile, Klismafile) and a data hiding program (Runefs) that he claimed would allow a user to hide up to 150M from forensic tools.

There were two things that I found particularly interesting about this talk. First, forensic tools are often used to obtain evidence for trials. If these tools have serious flaws, can that evidence be considered reliable? I would be surprised if there were no defense lawyers in the audience.

Second, in security there is usually an "arms race" of sorts between the good guys and the bad guys. The good guys develop a system, the bad guys break it, the good guys develop an improved system, the bad guys break it, and so on. In most of the developed areas of security, there have been several generations of such attacks and countermeasures. Computer forensics, however, has not been subjected to such attacks until recently. Apparently, it has not stood up well to such attacks, and yet these tools are of critical importance to law enforcement. Arguably, the lesson here is that not being attacked is not necessarily a good thing.

Intermission

Prior to the last pair of keynotes, the MC performed another amazing trick. He first walked into the audience to select a volunteer. After standing uncomfortably close to me, he mercifully selected a different victim. The MC gave his volunteer a copy of David Kahn's new book Reader of Gentlemen's Mail (Kahn gave a keynote which unfortunately I had to miss) and asked him to randomly select a word having at least 8 letters. The MC then ascertained that the last letter of the word was "r" and the first letter was "p". The MC also tried to trick the poor volunteer into leaking additional information about the word, but the volunteer was not playing along. This was pretty entertaining, since the volunteer was not intimidated and kept his wits about him. The MC made some comment about having memorized 400 words from the book last night, to which the volunteer commented, "You didn't go to the Gala, did you?" (The Gala was a huge banquet/party held the previous night.) The MC replied, "Those who paid to come here were at the Gala while those who got paid to come here were up all night memorizing 400 words." Eventually, the MC got the additional information that the word had an "e" in between the initial "p" and final "r". It didn't seem like much to go on, but he correctly guessed the word, photographer, on his first try. I was impressed.

[Keynote] Kip McClanahan, CEO, Tipping Point Technology

For me, this was a boring talk with lots of hand waving, network "clouds" and little or no substance. Like too many other talks at the RSA Conference, it could be boiled down to marketing hype.

[Keynote] An Evening with P.J. O'Rourke, P.J. O'Rourke

If anyone in the audience mistakenly thought they were at an academic conference, this talk would have put such thoughts to rest. P.J. O'Rourke is a "political satirist" who is a self-proclaimed Republican and just about as politically incorrect as is humanly possible. According to his promo material, he "has more quotes in the Penguin Dictionary of Humorous Quotations than any other living writer". His talk consisted primarily of a bunch of one-liners, mostly read in rapid-fire succession. Here are a few that stuck with me.

He started with the requisite, "From a cryptologic point of view, this conference has been totally successful on me. I haven't understood a word of it."

"I was a liberal arts major, or what you would call an idiot."

"As far as I know, a prime number is something Bill Clinton got off the bathroom wall in the West Wing."

"But I'm not just stupid. I'm a student of stupidity. You cannot get away from the fact that 50% of all people are below average intelligence, and we live in a democracy. You may run the world, but idiots rule it."

"Al Qaeda and the Democratic Party both have the same message. We're going to fix America."

"I'm a Republican for one very good reason: Republicans are stupider."

"Republicans drink. Democrats smoke pot and get all sensitive."

He then got into the current political scene. "Kerry was in favor of threatening to use force in Iraq, but against the actual use of force. In politics there's a word for that. It's bullshit."

"It took 1400 pages to outline the Clinton health care plan. The entire US Constitution can be printed on 5 pages... If you think health care is expensive now, wait until it's free."

"What is American healthcare supposed to learn from Canada, a country filled with hockey injuries and nasal infections due to trying to pronounce French vowels?"

"The Democrats say that government can make you richer, taller,... while Republicans say that government doesn't work. Then they get elected and prove it."

He then launched into a tirade against the $180 billion farm bill. "My agricultural experience is limited to growing pot in my dorm room back when I was a sensitive Democrat." He then described an experience he had helping to artificially inseminate a cow. He held the head of the cow. "I'll never forget the look on that cow's face. It was the same look I had on my face, and for the same reasons, when I read the farm bill."

He talked about the "social security chain letter" and added "Consult American Indians for the value of government promises."

There is "no ACLU for your wallet".

"The economic system tells you to make more money, while the political system tells you that the income gap is unfair."

"Wealth is not a Domino's Pizza. You won't have to eat the box if I get another slice."

"People fear that Bill Gates will buy the weather and not allow sunshine on weekends."

A mugger is "just practicing freelance politics".

He finished with a discussion of the 10th Commandment (You shall not covet your neighbor's house. You shall not covet your neighbor's wife, or his manservant or maidservant, his ox or donkey, or anything that belongs to your neighbor.) "How did `don't covet your neighbor's donkey' make the top 10?"

"God's message to those who want to take your money and share the wealth is simple and unambiguous: go to hell".


Brought to you by Mark Stamp, Number 85
E-Mail: stamp@cs.sjsu.edu
Last Modified: March 7, 2004