Chump Change
08 Dec 2006

I stole a page from your book, and a line from your page
And flew into a lesbian rage...
"Chump Change", The New Pornographers
Friday morning was Dan Fucking Kaminsky's talk, which I'd really been looking forward to. I dragged Ricky to it, telling him he rilly rilly needed to go, kthxbye.
My notes could not possibly do justice to his presentation, which was both funny and awe-inspiring. Anyway, Dan also makes the best slide shows I've seen; they're a whole textbook on their own. Go read all his stuff. And go see him talk! He's intelligent and friendly on rye bread.
Some random observations/quotes:
- When he takes questions from the audience, he thinks about what they're saying for a minute before replying. One question prompted the reply, "Man, you're gonna put me on an entire research path."
- When he mentioned the (FIXME: include link) auto paper generation tool, he described it as "a fuzzer that exploited a conference."
- On why SSH host keys suck: "You're looking at a bunch of random characters, comparing them, and if you're one character off that's it. One character off!"
- On how easy it is to include a bank (say) login form, so that you end up posting to an HTTP form instead of an HTTPS form: "My grandmother could do that. She'll 0wn you." (laughter) "You laugh, but she's been to the last three Black Hat conferences. Have you?" (Note: I had originally conflated this point and the last one (SSH keys), but Wout set me straight. Next time I promise not to take so long to make corrections. :-)
- "Remember, there's nothing a bank wants less than hearing from you or seeing you in person."
- "Humans seem to have hardware acceleration for remembering names."
Ricky allowed as how Dan Fucking Kaminsky might have been worth getting up early for.
Okay, but after that the bitter pill of (FIXME: full name, title) Dmitri. This was a depressing, scary talk about network threats and how they're driven by very, very successful criminals. I'd heard this before, but the facts and stats he brought in were enough to just crush your soul.
The usual list:
- Spammers probably want anti-spam companies to stay in place. That protects the channel they're abusing. Otherwise, like a parasite that goes too far, they'll end up killing the thing they're exploiting.
- Most trojans/bots/whatever just ask the user to click...and it works. You don't need to go looking for a zero-day if you don't want to.
- Trojans that are sent out in small numbers will almost certainly never get sent to an AV company for analysis...which means AV software will almost certainly never detect it.
- Speculation about future uses of zombie networks: distributed computing, or distributed file systems.
- Image spam is already defeating many anti-spam programs. And to get around it, it wouldn't take much more than something like this: (FIXME: Add image)
- Many/most zombie networks will be active (spamming, say) for a few hours...then go silent for another month. Good luck trying to detect that.
- Some zombies will check blacklists before spamming, to see if their IP is listed. If the list supports it, they'll submit a request to get their IP delisted.
- His company is working on a way of filtering traffic, not just email, based on reputation. Push the responsibility to the user: your bank says "We're not accepting traffic from you because your IP address has a bad rep."
Dan Kaminsky asked if maybe the answer was to abandon persistence on the desktop, and just hand out Knoppix disks to everyone. Dmitri replied that would just push the attack to web databases and such that held the user's settings. DK pointed out that would mean a much smaller number of machines to secure, which Dmitri conceded.
Q: I work for a web farm; what can we do? A: watch your netflows carefully and learn your normal traffic. (cf. Dan Klein's presentation).
Q: I use fuzzy OCR plugin for SA and it works fine. A: you might not be seeing adaptation yet, but you will. OCR is bound to fail; too easy to trick.
He closed his talk by saying the obvious: he's very, very pessimistic, he sees no magic bullet, and he can't see any light at the end of the tunnel.
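The "learn your normal traffic" answer above, together with the point about zombies that spam for a few hours and then go quiet for a month, is what a flow-based baseline is for. The following is an added example, not code from the post or from either speaker: it builds a per-host hourly baseline of outbound SMTP flows from a learning window and then flags hours where a host jumps far above its own baseline while fanning out to many distinct destinations. The flow records, the host addresses and the thresholds are all constructed for the example.

```python
"""Baseline outbound SMTP flow counts per internal host and hour, then flag
short bursts that depart from that baseline. Netflow-style records are
constructed inline; nothing here reads a real collector."""
from collections import defaultdict
from statistics import mean, pstdev

SMTP_PORT = 25


def constructed_flows():
    """Constructed tuples (hour, src_ip, dst_ip, dst_port, bytes).
    10.0.0.5 relays a couple of messages per hour through the site mail
    server (10.0.0.2). 10.0.0.9 sends no mail for a day, then pushes SMTP
    directly to hundreds of distinct hosts for two hours, then goes quiet."""
    flows = []
    for hour in range(48):
        for i in range(2):
            flows.append((hour, "10.0.0.5", "10.0.0.2", SMTP_PORT, 4000 + i))
        # unrelated web traffic from both hosts, which the detector must ignore
        flows.append((hour, "10.0.0.9", "192.0.2.10", 443, 12000))
        flows.append((hour, "10.0.0.5", "192.0.2.11", 80, 9000))
        if hour in (30, 31):
            for n in range(300):
                flows.append((hour, "10.0.0.9", f"198.51.100.{n % 250}", SMTP_PORT, 1500))
    return flows


def hourly_smtp(flows):
    """Per (src, hour): outbound SMTP flow count and set of distinct destinations."""
    counts = defaultdict(int)
    dsts = defaultdict(set)
    for hour, src, dst, port, _nbytes in flows:
        if port != SMTP_PORT:
            continue
        counts[(src, hour)] += 1
        dsts[(src, hour)].add(dst)
    return counts, dsts


def build_baseline(flows, learn_hours):
    """Mean and population stdev of hourly SMTP flow count per host over the
    learning window. Hours with no SMTP count as zero, so a host that never
    sends mail gets a zero baseline rather than being left out."""
    counts, _ = hourly_smtp(flows)
    hosts = {src for _, src, *_ in flows}
    baseline = {}
    for host in hosts:
        series = [counts.get((host, h), 0) for h in range(learn_hours)]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def flag_bursts(flows, baseline, start_hour, min_flows=20, sigmas=5, min_distinct=50):
    """Flag (host, hour) where the SMTP flow count is well above the host's own
    baseline AND the host fans out to many distinct destinations, which is the
    shape of direct-to-MX spamming rather than normal relaying.
    min_flows is an absolute floor so a zero-baseline host is not flagged by
    a single message; thresholds are arbitrary choices for the example."""
    counts, dsts = hourly_smtp(flows)
    alerts = []
    for (src, hour), n in sorted(counts.items()):
        if hour < start_hour:
            continue
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = max(min_flows, mu + sigmas * sigma)
        distinct = len(dsts[(src, hour)])
        if n > threshold and distinct >= min_distinct:
            alerts.append((src, hour, n, distinct))
    return alerts


def run_demo():
    """Learn from the first 24 hours, watch the next 24."""
    flows = constructed_flows()
    base = build_baseline(flows, learn_hours=24)
    return flag_bursts(flows, base, start_hour=24)


if __name__ == "__main__":
    for src, hour, n, distinct in run_demo():
        print(f"hour {hour}: {src} sent {n} SMTP flows to {distinct} distinct hosts")
```

The baseline is per host on purpose: the mail relay's steady two flows an hour never trips the detector, while the host that was silent for a day and then bursts is caught in both of its active hours even though it is dark again afterwards. A real deployment would baseline over weeks and key on the port/protocol mix that matters for the site, not SMTP alone.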