keynote: security: i think we can win – app sec usa

speaker: Bill Cheswick

  • the sci fi authors of the 50’s didn’t come close to reality
  • Advanced persistent threats aren’t advanced. Buffer overflows, etc. are known
  • the order of things is to make something new work and then figure out security – predicts security problems in Obamacare data handling
  • UI is still evolving. Touch is only a decade old
  • Old Microsoft menus are too slow. Can’t get faster at them like with UNIX. [lesson: support multiple levels of skill]
  • prefers “grapes to raisins” instead of “apples and oranges”
  • You don’t have to be a mechanic to use a car. But now adding a computer to your car. CAN bus “it just works” can be hacked by bad mp3 files. [Eek!]

Current state of affairs

  • The fact that we do banking and shopping (money) online shows the internet is working.
  • The current state of affairs is still lousy
  • Certain things need to work regardless of “what grandma does with the keyboard”. It isn’t grandma’s fault. She shouldn’t be ABLE to do something wrong.
  • We are all “grandma” at some point
  • Checklists, virus checking, strong user passwords and user education aren’t enough to solve bad engineering.
  • A virus checker finds evil software on a machine. It’s too late at that point.
  • Shared and dynamic libraries were meant to save memory, by sharing common OS binaries, back when we were memory constrained. We aren’t memory constrained anymore, so there is no longer any need to treat these binaries as trusted as a side effect.

What does victory look like

  • OS that can’t be changed or subverted regardless of app or user action
  • Apps can’t taint the OS. The OS can limit itself to signed and approved apps

Metrics

  • People want a number. But what is it measured in? Lines of code? Connectivity to Internet. (reference “an attack surface metric”)

Metric 1 – setuid

  • Kernels talk to the world. Programs talk to the kernel. The diagram is usually shown the other way
  • Quick way to rate UNIX system security: look for setuid root programs that aren’t needed. Why have extra holes at the bottom of the boat?
  • Considers this # (5 in this case) to be a measure. [one is su though which seems like a door to anything]

Metric 2 – number of network services available to outside

  • Again, more than you think
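The two counts above (setuid-root programs, and network services reachable from outside) are easy to take on a host. The script below is an added example, not something from the talk: it assumes a Linux box with a `/proc/net/tcp`-format socket table, and for the setuid count it needs to run as root to read every directory.

```shell
#!/bin/sh
# Added audit helper: approximates the two attack-surface metrics from the
# talk. Assumes Linux; the /proc/net/tcp layout is documented in proc(5).

# Metric 1: setuid-root executables. Each one is a privilege boundary any
# local user can reach, so the count should be as small as possible.
# $1 = directory to scan (default /); unreadable directories are skipped.
setuid_root_programs() {
    find "${1:-/}" -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}

count_setuid_root() {
    setuid_root_programs "$1" | wc -l | tr -d ' '
}

# Metric 2: TCP sockets in LISTEN state (st == 0A) bound to something other
# than 127.x.x.x. /proc/net/tcp stores addresses and ports in hex, with the
# IPv4 address little-endian, so the first octet is the last byte.
# $1 = table to read (default /proc/net/tcp); prints "addr:port" per line.
external_listeners() {
    awk 'function hex2dec(h,   i, d) {
             d = 0; h = toupper(h)
             for (i = 1; i <= length(h); i++)
                 d = d * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
             return d
         }
         NR > 1 && $4 == "0A" {
             split($2, la, ":")
             first_octet = hex2dec(substr(la[1], 7, 2))
             if (first_octet != 127)
                 printf "%d.%d.%d.%d:%d\n", first_octet,
                     hex2dec(substr(la[1], 5, 2)), hex2dec(substr(la[1], 3, 2)),
                     hex2dec(substr(la[1], 1, 2)), hex2dec(la[2])
         }' "${1:-/proc/net/tcp}"
}

count_external_listeners() {
    external_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run: `sh audit.sh --report` prints both metrics for this host.
if [ "${1:-}" = "--report" ]; then
    printf 'setuid-root programs: %s\n' "$(count_setuid_root /)"
    setuid_root_programs / | sed 's/^/  /'
    printf 'externally reachable TCP listeners: %s\n' "$(count_external_listeners)"
    external_listeners | sed 's/^/  /'
fi
```

A listener bound to 0.0.0.0 counts as reachable even if a host firewall blocks it, so treat the number as an upper bound to explain, not a verdict.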

Metric 3 – how much will someone pay for a zero day exploit

  • Adobe Reader and Mac are low. iOS tops the list with Firefox and Chrome below it
  • This is a factor of how secure it is (how hard it is to find an issue) plus how desirable the platform is to find an error in
  • Predicts Android will have more issues because it is open source and it is hard to have discipline when too many people have a finger in it.

Keep it small

  • Keep software simple
  • Google’s Go language uses this small/fast is better principle

What works

  • CPU speed is a tool
  • Could use cores as separate machines with separate cache and memory
  • Personal responsibility for the code. Such as Knuth’s personal checks for finding a bug. [I actually did this at work. I wanted to prove it was possible to fix a certain issue reliably. I offered my teammates $1 for each issue they found in that space. It cost me exactly $1.]
  • Literate programming.
  • Software “annealing” – just fix bugs and don’t make other changes for a long time. This is why sendmail and other old programs are stable
  • Strong type checking. Pascal style, not C
  • Virtual machines where the line is between kernel and hardware
  • If you have other controls, a 4 digit PIN is fine

Excuses

  • People write buggy code. Too many requirements. Too much change

  • Governance is a big concern
  • Still have DDOS
  • We have home field advantage
  • Believe we can win

Reference to Dean Kamen for doing security well in products – insulin pumps and wheelchairs [and segways]

Tool:
CertPatrol on Firefox – see what certs used

My take on this:
Good start to the conference. This situation is part of why my mother’s computer is a Chromebook. You can’t install software. If you mess up, you can easily reimage and not lose data or settings. It’s not perfect, but it is closer.

blogging from app security usa with my ipad

Presuming the internet holds out, I’ll be blogging from the App Security USA conference for the next two days. Scott and I tried this at The Server Side Java Symposium a few years ago. I have a newer iPad (air) now with keyboard so it will be interesting to see how the iPad blogging experience differs.

Adding a link
I didn’t realize right away that Safari now shows you only the domain name unless you click on the location bar to see the real link.

Typing
New keyboard. Need to get used to it. I seem to have to press harder on the keys than I like.

WordPress

  • The visual view isn’t working for me in the iPad WordPress browser editor. Since I have a real keyboard, at least I can type HTML to make it happen in text view.
  • As with last time, two finger scroll helped.
  • Additionally, control arrows helped with end of line and end of text area

Case/stand
I have the Kensington keyboard and folio. The idea is that the iPad screen is propped up at a nice angle as you type. That works. The problem is that my lap isn’t the most stable surface for this to be sitting on. It mostly works. However, twice so far (within the first two hours), the iPad slipped out and started to fall. Luckily, the folio is magnet supported so nothing bad happened. And Safari considered my catching it to be a delete message and prompted me for whether I want to delete or cancel. This seems like an accident waiting to happen so I’ll make sure to save often! And try to get to sessions early enough to get a table seat.

Caps lock
The keyboard is very clear on when caps lock is on. There is a red light. I think I’m accidentally turning on the iPad caps lock at times though, as sometimes caps lock appears “backwards” on the keyboard.

live blogging – web 2.0 thursday keynotes

See table of contents for full list of web 2.0 expo posts

Last day of keynotes. I will clean up this post and add an index tonight.

Opening Remarks Brady Forrest (O’Reilly Media, Inc.), Sarah Milstein (TechWeb)

8/9 speakers today live in NY – shows web 2.0 has good NY presence (and that people who have to travel home prefer not to speak last day)

  • Her company doesn’t need an office. Work out of apartments, coffee shops, hotel lobbies and client sites.
  • No set business models. Can decide how want to make money.
  • What you are passionate about is always high on your job spec. Know what you like to do and under what conditions (time, location, people). If you can design a job like that, it doesn’t feel like work. This makes you more competitive and cost effective. This is the opposite of the 4 hour work week because that assumes work is something to be suffered.
  • She is a great speaker. Lots of passion and energy. Uses her whole body to make points and shows it is her essence.
What Computers Can Learn From Popsicle Sticks Nora Abousteit (BurdaStyle.com)
  • “The power of making”.
  • Key phrases: Passing on a skill. Sharing an experience. Reality escape. Original open source movement. Making transformed the web. New companies exploded with tagging and web 2.0. Making grew online but decreased in the physical world.
  • Maker Faire got a slide – 100K makers gather
  • And i was wrong earlier in the week. Notes are rare but not unheard of at a keynote.
  • However, they were less obvious for this speaker.
  • New normal is personal tech progresses much faster than enterprise tech
  • IT experts are no longer just in IT. Put training wheels on users.
  • Allow users to express how work best
  • Security inherently makes personal/enterprise tech different. Different risk levels and models. Goal: secure consumer tech
  • Google’s computing cost is such a driver that they put data centers near cheap electricity.
  • Cloud provides benefit if it gives you access to economy of scale.
  • IT needs to focus on differentiating company rather than logistics/operations
  • I haven’t heard the word crowdsourcing in a while.
  • Combining new tech and old/popular is more compelling because draws on what people liked the first time.
  • His project was having people recreate 15 seconds of video, recreating the movie but funnier. He showed a minute of video. It was weird seeing the scene/characters change every 15 seconds but not disconcerting.
  • Community sourcing because people are working on a shared goal. And it was OK that it was a lot of work for little reward.
  • First time online only production won an emmy
  • Starwarsuncut.com
Crowdsourcing the Brooklyn Museum Shelley Bernstein (Brooklyn Museum)
  • Improve user experience in the real world – signs, seats, readable labels, friendly floor staff, allow photos (not all shows, still trying to get artists to agree)
  • Visitors improve by leaving electronic comments to post on the web and email to curators
  • Collection online with tagging and comments, give people cred for contributions
  • Book: Blink – split second decisions are powerful
  • Made activity online to see which like better and ask questions about it online.
  • Learned: some works universal, limiting time made complex images more favored, people liked images with labels/description/context
  • Common sense is implicit human intelligence for navigating concrete everyday situations. We follow a ton of rules just to choose clothes and get to work without thinking about it.
  • The problem is using common sense for complicated situations like politics.
  • We match “obvious” by choosing facts that match provided answer.
  • “everything is obvious once you know the answer”
  • Post hoc “explanations” are really stories. Tell us what happened, but not why. We are tempted to generalize the stories to make predictions.
  • In complex systems, history never really repeats in subtle but important ways.
  • Policy, strategy and marketing can benefit from this now because we can measure social things.
  • Book: everything is obvious once you know the answer
How Are Brands Using Facebook Right Now? Michael Lazerow (Buddy Media)
  • Half of facebook users log in every day. More facebook likes/comments than google searches per month
  • 31% of all ad impressions in US are on Facebook – wow
  • What next: businesses reorg around people/connections
  • Must offer something of value – coupon, discount content, access

What’s next?

  • car as an app? Car knows where you are and when stop. [four square like]. [NYers don’t have cars. Phones are more universal here]
  • Ask friends for advice from dressing room before buy clothes

This is “social commerce”

A New Dimension for Google Maps Brian McClendon And Evan Parker (Google)
  • Google Earth downloaded 1 billion times as of last week
  • Google maps – first map site to use ajax
  • On android, uses open gl to make 3d maps
  • Today announcing 3d maps on desktop without a plugin
  • Click try it now in bottom left corner
  • Now every line in every frame is drawn with GL
  • Smooth zooming
  • Labels fade in and out smoothly as zoom
  • See 3d skyscrapers as zoom in and move around – cool!
  • Showed zooming into the Colosseum in Rome – really does look like seeing it from a plane
  • If keep zooming in switches to street view
  • Showed the High Line park in 3d
  • Works in chrome and firefox 8 beta. More coming
The Internet Baratunde Thurston (The Onion)
  • He wrote a book based on a stray thought that became a meme on twitter (#howtobeblack)
  • #livewriting let people watch while wrote the end and went better than expected
  • And nice to end with humor