Real hackers go to Usenix

By Carole Fennelly, Unix Insider | Operating Systems

I don't attend very many conferences, mostly because I have to cover the expense myself. However, the 9th Annual Usenix Security Symposium held this past August in Denver looked too good to miss.


I wasn't disappointed. In fact, I wondered why I'd waited so long to attend a Usenix conference. It was probably because I felt that I could just read the research papers instead of actually attending, but that's like shunning a concert with backstage passes because you can buy a CD. There's so much more to the live conference than the purely technical presentations.


This article describes my view of the conference -- it's by no means a complete picture, as it's impossible for one person to attend every talk. For a complete review of the conference, I urge you to get the November 2000 issue of ;login magazine (a publication of Usenix and SAGE).



Keynote address



Dr. Blaine Burnham presented an interesting keynote address, "Design Principles of Simplicity." "Why do buffer overflow attacks still work?" he wondered. He went on to stress that security should not be an add-on. In some ways, Dr. Burnham was preaching to the choir. I know several managers and developers who refuse to accept that security needs to be designed into the architecture from the start.


As an example to illustrate his point, he referred to weeds indigenous to the American Southwest known as goatheads. These nasty little weeds produce spiked seeds that are the bane of bicyclists. Dr. Burnham pointed out that experienced cyclists quickly learned to take countermeasures to protect their tires. Why hasn't the software industry learned to take appropriate countermeasures that protect systems before they're flattened? he asked. Security must be designed into the system, not added on later. Intrusion-detection systems (IDSs) and patches are a last resort.



Tracks



The two major tracks for the Technical Sessions were invited talks and refereed papers.


"Computer System Security: Is There Really a Threat?" Dave Dittrich, University of Washington: http://www.usenix.org/publications/library/proceedings/sec2000/invitedtalks/dittrich_html/index.html


Dave Dittrich is sometimes referred to as "the DDoS guy" because of the expert analysis he provided during the infamous distributed denial-of-service attacks earlier this year. Dave's talk was perfectly timed after Dr. Burnham's keynote, as he continued to berate poor software quality that leads to security vulnerabilities. He noted that the attacker community communicates and works faster than the security industry. The security community (vendors especially) needs to work together faster, instead of posturing for commercial advantage.


Dave provided a timeline of the DDoS attacks that clearly demonstrated that there was plenty of warning about the threat of DDoS attacks in the open source community. Yet people were still unprepared to respond. Attacked sites focused on quick restoration of service, not forensics. Dave stressed the importance of preserving evidence for potential law enforcement use, and of understanding how the system was compromised.


Businesses must develop good incident response procedures and forensic skills, he pointed out. "The business community must acknowledge security as the cost of doing business, not just overhead," Dave emphasized. He recommended that every software organization have a chief hacking officer to test the quality of developers' code before it's released, especially for buffer overflow errors. Dave also recommended that more resources be directed towards system administration as well as system testing. He compared software architecture to building standards, and observed that anyone who constructs an unsafe building is held criminally liable for damage or injuries caused by buildings that don't meet these standards. Builders factor the cost of adhering to safety codes into their budget. Why isn't this done in the software industry?
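Both speakers came back to the same defect. The following is an added example, not code from the conference or from either speaker, showing the fixed-buffer copy that Dr. Burnham's question is about beside the bounded form that the pre-release testing Dave recommends should insist on. The buffer size, the function names and the check routine are all assumed for illustration.

```c
/* Added example: the classic fixed-buffer overflow and its bounded
 * replacement. Not code from the conference or its speakers. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for illustration */

/* The defect: strcpy() trusts the caller about length, so a source
 * longer than NAME_LEN-1 bytes runs past the end of 'dst' and
 * overwrites whatever lies beyond it on the stack. Shown only and
 * never exercised below, because the behaviour is undefined. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* The hardened form: the length is checked against the destination
 * size before any byte is written. Returns 0 on success and -1 if the
 * input does not fit, leaving dst as a valid empty string in that case
 * so a caller can never consume a half-copied value. */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {          /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n bytes plus the terminator */
    return 0;
}

/* A small pre-release check of the kind a "chief hacking officer" would
 * run: feed the copy routine an input exactly one byte over the limit and
 * confirm it is rejected rather than silently overflowing. Returns 1 if
 * the routine held, 0 otherwise. */
int overflow_check(void)
{
    char buf[NAME_LEN];
    char oversize[NAME_LEN + 1];

    memset(oversize, 'A', NAME_LEN);
    oversize[NAME_LEN] = '\0';   /* NAME_LEN bytes of payload: one too many */

    if (copy_name_checked(buf, sizeof buf, "alice") != 0)
        return 0;
    if (strcmp(buf, "alice") != 0)
        return 0;
    if (copy_name_checked(buf, sizeof buf, oversize) != -1)
        return 0;
    return buf[0] == '\0';
}

int main(void)
{
    printf("bounded copy %s the overflow check\n",
           overflow_check() ? "passes" : "FAILS");
    return 0;
}
```

The point of the check is that it tests the boundary rather than a typical value: an input that fits by one byte must succeed and an input that misses by one byte must be refused, which is exactly the case a strcpy()-based routine gets wrong.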


After lunch, we decided to check out the exhibitor's floor. Brian Martin (a.k.a Jericho of Attrition.org) dragged me in so that he could pick up freebies from the vendors.


The products I describe here happen to be those that made me pause to get more information.
