March 29, 2001, 4:06 PM —
I don't attend very many conferences, mostly because I have to cover the expense myself. However, the 9th Annual Usenix Security Symposium held this past August in Denver looked too good to miss.
I wasn't disappointed. In fact, I wondered why I'd waited so long to attend a Usenix conference. It was probably because I felt that I could just read the research papers instead of actually attending, but that's like shunning a concert with backstage passes because you can buy a CD. There's so much more to the live conference than the purely technical presentations.
This article describes my view of the conference -- it's by no means a complete picture, as it's impossible for one person to attend every talk. For a complete review of the conference, I urge you to get the November 2000 issue of ;login:, the magazine of Usenix and SAGE.
Keynote address
Dr. Blaine Burnham presented an interesting keynote address, "Design Principles of Simplicity." "Why do buffer overflow attacks still work?" he wondered. He went on to stress that security should not be an add-on. In some ways, Dr. Burnham was preaching to the choir. I know several managers and developers who refuse to accept that security needs to be designed into the architecture from the start.
As an example to illustrate his point, he referred to weeds indigenous to the American Southwest known as goatheads. These nasty little weeds produce spiked seeds that are the bane of bicyclists. Dr. Burnham pointed out that experienced cyclists quickly learn to take countermeasures to protect their tires. Why, he asked, hasn't the software industry learned to take appropriate countermeasures that protect systems before they're flattened? Security must be designed into the system, not added on later. Intrusion-detection systems (IDSs) and patches are a last resort.
Tracks
The two major tracks for the Technical Sessions were invited talks and refereed papers.
"Computer System Security: Is There Really a Threat?" Dave Dittrich, University of Washington: http://www.usenix.org/publications/library/proceedings/sec2000/invitedtalks/dittrich_html/index.html
Dave Dittrich is sometimes referred to as "the DDoS guy" because of the expert analysis he provided during the infamous distributed denial-of-service attacks of February 2000. Dave's talk was perfectly timed after Dr. Burnham's keynote, as he continued to berate the poor software quality that leads to security vulnerabilities. He noted that the attacker community communicates and works faster than the security industry. The security community (vendors especially) needs to work together faster, instead of posturing for commercial advantage.
Dave provided a timeline of the DDoS attacks that clearly demonstrated that there was plenty of warning about the threat of DDoS attacks in the open source community. Yet people were still unprepared to respond. Attacked sites focused on quick restoration of service, not forensics. Dave stressed the importance of preserving evidence for potential law enforcement use, and of understanding how the system was compromised.
Businesses must develop good incident response procedures and forensic skills, he pointed out. "The business community must acknowledge security as the cost of doing business, not just overhead," Dave emphasized. He recommended that every software organization have a chief hacking officer to test the quality of developers' code before it's released, especially for buffer overflow errors. Dave also recommended that more resources be directed towards system administration as well as system testing. He compared software architecture to building standards, and observed that anyone who constructs an unsafe building is held criminally liable for damage or injuries caused by buildings that don't meet these standards. Builders factor the cost of adhering to safety codes into their budget. Why isn't this done in the software industry?
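Both speakers keep returning to the buffer overflow, so here is an added illustration of what a "chief hacking officer" would be looking for before release. It is my own constructed C example, not code from either talk: a fixed-size stack buffer filled by an unbounded strcpy, beside a bounded copy that refuses input that does not fit instead of silently overwriting the stack. The buffer size and function names are arbitrary.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not from the conference: a 16-byte name buffer. */
#define NAME_LEN 16

/* Vulnerable: copies an attacker-controlled string into a fixed
 * 16-byte stack buffer with no length check. Any input of 16 or more
 * characters writes past the end of buf and corrupts adjacent stack
 * memory (saved registers, return address) -- the classic overflow.
 * Kept here only as the "before" picture; do not call it on long input. */
int greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);             /* no bound: overflow if strlen(name) >= NAME_LEN */
    return (int)strlen(buf);
}

/* Reviewer's check: would this input overflow a buffer of buf_len bytes?
 * The terminating NUL needs a byte too, so anything of length >= buf_len
 * does not fit. Returns 1 if it would overflow, 0 otherwise. */
int would_overflow(const char *input, size_t buf_len)
{
    return strlen(input) >= buf_len;
}

/* Hardened: the caller passes the destination size, and input that does
 * not fit is rejected outright rather than truncated (silent truncation
 * is its own bug class). Returns 0 on success, -1 if src does not fit. */
int copy_name_safe(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);       /* n+1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    char out[NAME_LEN];
    const char *short_name = "alice";                   /* 5 chars: fits */
    const char *long_name  = "0123456789abcdef";        /* 16 chars: does not fit in 16 bytes */

    printf("%s would overflow: %d\n", short_name, would_overflow(short_name, NAME_LEN));
    printf("%s would overflow: %d\n", long_name, would_overflow(long_name, NAME_LEN));
    printf("safe copy of short name: %d\n", copy_name_safe(out, sizeof out, short_name));
    printf("safe copy of long name:  %d\n", copy_name_safe(out, sizeof out, long_name));
    printf("unsafe greet on short name: %d\n", greet_unsafe(short_name));
    return 0;
}
```

The point of would_overflow is the off-by-one that reviewers miss most often: a 16-byte buffer holds at most 15 characters, because the NUL terminator takes the sixteenth.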
After lunch, we decided to check out the exhibit floor. Brian Martin (a.k.a. Jericho of Attrition.org) dragged me in so that he could pick up freebies from the vendors.
The products I describe here happen to be those that made me pause to get more information.