Guus Bosman

software engineering manager


Links & Technology


WOOT 2015

Monday and Tuesday I attended WOOT, a series of presentations on computer security attacks. It is part of the USENIX Security 2015 conference.

Two years ago I attended the same conference, and like two years ago, TLS and Android were favorite topics.

The keynote session by Adam Langley on TLS v1.3 was quite interesting. He also spoke about his practical experiences in disclosing vulnerabilities, and how difficult it is to 'manage' that process. He tried several approaches, including telling a small group of trusted companies first, only to be criticized by those outside of the "nice list". Later he tried to expand that circle, but then the information started leaking out. His main conclusion was that there's just no good, clean result you can expect.

I always like approaches like FLEXTLS. They created a framework that made it easy to test the state machine in TLS. That way, they were able to systematically test which implementations allow the skipping of important steps. It ended up getting the prize for the best paper at WOOT.

A presentation that stood out on the second day was about weaknesses in the routers provided by Dutch ISPs. They did some old-school reverse engineering to be able to crack the WPA2 passwords.

A very interesting new attack approach is to abuse voice recognition.

During the lunches and breaks I spoke with several people. It was nice to meet Dr Lorenzo Cavallaro, the teacher of the online course I took a while ago.


404 error at Craigslist login

We've been cleaning up the basement and I put some things for sale on Craigslist. Every time I tried to log in to the site with Firefox, I'd get a 404 error. I have Internet Explorer installed for situations like these, but it's not ideal.

Tonight, I discovered the culprit: Craigslist really wants the referer header to be set. I had switched it off in Firefox a while ago (with network.http.sendRefererHeader = 0); switching it back on fixed things.


HTC One M8

After many years I said goodbye to Blackberry today. Yesterday the charging port of my Blackberry Storm 2 fell out of the phone.

Today I went to the Verizon reseller in the mall at my work and got the HTC One M8, an Android phone.

I am looking forward to installing apps I haven't been able to use, such as Waze, Uber and Anki SRS, and the phone has been nice to play with so far. My corporate email hasn't switched over yet, hopefully tomorrow.

It's been six years since my first smartphone, a BlackBerry Pearl.


A supervisor of programmers

Today I talked with a man who used to be a supervisor of programmers at the Pentagon. He looked fit -- but he was 90 years old, born in 1923.

We were in the mall and Nora was eating a pear while I listened to his stories about the first mainframes ("we upgraded from 20,000 tubes to 40,000 tubes"). He had teams working in 3 shifts, to use the machines 24/7. He said with a smile: "I would get calls at 2.00 or 3.00 am. The problems always got resolved but I got an ulcer."

He mentioned that he created a detailed flowchart for a new office in New York, which showed the connection between the various machines: CPUs, card readers, tape units, printer etc. He said: "the diagram was 15 foot long, on thick brown paper. My boss wanted to show it off, to Congress, but when he unrolled it they just said: 'oh sure, that looks fine' and approved it".

It was special to talk with someone who shares my profession -- but who did so 30 years before I was born.

Nora had finished her pear, and the man's wife --just as spry-- came back from shopping and we said goodbye.

The IDA Pro Book

Chris Eagle

Inspired by the course I took on malicious software, I spent some more time learning about disassembling and analyzing executables.

I used IDA Pro as the editor, and the IDA Pro Book was a great manual.

I was using a trial version of IDA Pro which does not allow you to save your work. But it does allow you to run macros, so I created IDC scripts like this one that allowed me to persist my comments and observations:

#include <idc.idc>

// Helper (assumed, not shown in the original snippet): set a name at an address
// and report a failure instead of aborting the script.
static rename_safely(ea, name) {
	if (MakeNameEx(ea, name, SN_NOWARN) == 0)
		Message("Could not rename %a to %s\n", ea, name);
}

static main() {
	rename_safely(0x0804896E, "main");
	rename_safely(0x0804892E, "disable_ptrace");
	rename_safely(0x8048AD6, "exit_program");
}

ISBN: 978-1593272890

LEET and WOOT '13

I attended two big workshops in DC this week: the ironically named "LEET" and "WOOT" workshops, organized by USENIX.

LEET: Large-Scale Exploits and Emergent Threats
LEET stands for Large-Scale Exploits and Emergent Threats and included 13 presentations on a broad range of topics, from DDoS to spam to phishing. I particularly enjoyed these three talks:

- Funny analysis of what low-end DDoS services ("booters") are typically used for (50% of the customers are gamers who want to bring down their enemies, typically in residential addresses). -- https://www.usenix.org/system/files/conference/leet13/leet13-paper_karam...
- These guys tried to find out which Botnet sinks are out there (and who is creating them). Sort of "hack the counter-hackers". -- https://www.usenix.org/system/files/conference/leet13/leet13-paper_rahba...
- Insight from a security researcher who specializes in DDoS tools on recent developments. -- https://www.usenix.org/conference/leet13/understanding-emerging-threat-d...

WOOT: Workshop on Offensive Technologies
The WOOT workshops on Tuesday were focused on offensive technologies. The emphasis at USENIX is more academic than at conferences like BlackHat or DEFCON, and less on getting publicity, which is nice. Still, there were some pretty scary results.

Here are my favorites:

- Very cool demo of a new DNS rebinding flaw against Chrome (overflowing the browser's 100-entry cache used for the defensive DNS pinning) - https://www.usenix.org/conference/woot13/firedrill-interactive-dns-rebin...
- Solid presentation on how the researchers looked for (and found) "sign out" flaws by truncating TLS sessions. Affects GMail and Hotmail, among other things, and a distributed voting tool. Shows you that even if the theoretical framework is secure, the implementation might have flaws. -- https://www.usenix.org/conference/woot13/truncating-tls-connections-viol...
- How to hack the ELF loader into doing calculations. Totally useless but very cool. -- https://www.usenix.org/conference/woot13/%E2%80%9Cweird-machines%E2%80%9...

These workshops were very interesting, and I'm currently attending the main part of the event: 3 more days of presentations. This conference has a relatively large amount of downtime, which is nice since it allows you to meet people.


Paper: From Throw-away Traffic to Bots: detecting the rise of DGA-based malware

Well-written paper that outlines the Pleiades system, which tries to detect infected computers by looking at DNS traffic at the network level. Pleiades combines a cluster of failed DNS lookups (NXDOMAIN results) with a cluster of nodes that tried to resolve those failed DNS names. It filters out "well-known" domain names and is able to achieve high detection rates with very low false positive rates. Pretty cool.

It was funny that the system also detected (and got confused by) Chrome's "DNS hijacking detection" feature.
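As an added illustration of the idea behind Pleiades, not code from the paper or from this post, here is a much-simplified version of the two-sided clustering: NXDOMAIN responses are grouped per client, well-known suffixes are filtered out, clients that share several failed names are merged into one cluster, and a cluster is reported only if it spans more than one host and a handful of distinct names. The log format, the well-known list and the thresholds are assumptions for the example; the rule that drops single-label names is one crude way to keep browser probe noise (like the Chrome feature mentioned above) out of the clusters and is likewise an assumption. Sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<client> <qname> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 kq3x9vbl.com NXDOMAIN
10.0.0.5 zp8wq2nd.net NXDOMAIN
10.0.0.5 a7tr4mxk.info NXDOMAIN
10.0.0.5 fjqkwlsdz NXDOMAIN
10.0.0.7 kq3x9vbl.com NXDOMAIN
10.0.0.7 zp8wq2nd.net NXDOMAIN
10.0.0.7 y2lm6qvd.org NXDOMAIN
10.0.0.9 wpad.corp.example.com NXDOMAIN
10.0.0.9 typo-of-example.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.11 wpad.corp.example.com NXDOMAIN
"""

# Stand-in for the paper's "well-known" list (assumption: internal zone is example.com)
WELL_KNOWN_SUFFIXES = ("example.com",)


def parse_log(text):
    """Parse constructed log lines into (client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing
        client, qname, rcode = parts
        records.append((client, qname.lower().rstrip("."), rcode))
    return records


def is_well_known(qname):
    """True if qname is, or sits under, a suffix on the well-known list."""
    return any(qname == s or qname.endswith("." + s) for s in WELL_KNOWN_SUFFIXES)


def nxdomains_per_client(records):
    """Map each client to the set of NXDOMAIN names it asked for, after filtering."""
    per_client = defaultdict(set)
    for client, qname, rcode in records:
        if rcode != "NXDOMAIN" or is_well_known(qname):
            continue
        if "." not in qname:
            continue  # assumption: single-label probes are not worth clustering
        per_client[client].add(qname)
    return per_client


def cluster_clients(per_client, min_shared=2):
    """Union-find: clients sharing >= min_shared failed names end up in one cluster."""
    clients = sorted(per_client)
    parent = {c: c for c in clients}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            if len(per_client[a] & per_client[b]) >= min_shared:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in clients:
        groups[find(c)].add(c)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def suspicious_clusters(text, min_shared=2, min_names=3):
    """Return [(clients, names)] for client groups tied together by failed lookups."""
    per_client = nxdomains_per_client(parse_log(text))
    result = []
    for group in cluster_clients(per_client, min_shared):
        names = set().union(*(per_client[c] for c in group))
        if len(names) >= min_names:
            result.append((group, sorted(names)))
    return result


if __name__ == "__main__":
    for clients, names in suspicious_clusters(SAMPLE_LOG):
        print("clients", clients, "share failed lookups for", names)
```

On the sample log, hosts 10.0.0.5 and 10.0.0.7 are reported together because they both failed to resolve the same generated-looking names, while the wpad lookups under the internal zone and the lone typo from 10.0.0.9 are filtered or left unclustered. Real deployments would add the lexical features and statistical modeling the paper describes; this only shows why the co-occurrence of failed names across hosts is the signal worth looking at.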

I read the paper as part of an online course I'm taking, Malicious Software and its Underground Economy: Two Sides to Every Story.


Eventual Consistency Today: Limitations, Extensions, and Beyond

Interesting overview by Peter Bailis and Ali Ghodsi on what the current practices are in system architecture when dealing with eventual consistency of distributed data sources.

They discuss research that shows that eventual consistency is in practice often strongly consistent, and thus "good enough" for most practical uses.

The paper concludes with a short overview of research into pushing the limits of what is achievable with high availability.

http://queue.acm.org/detail.cfm?id=2462076


Cloudera Sessions

Yesterday I attended the Cloudera Sessions, an event on using Hadoop, HBase and other "big data" tools organized by Cloudera.

Big Data is an interesting field and I enjoyed this well-organized day. Cloudera is a provider of commercial solutions around the open-source Hadoop stack. There were speakers from Cloudera and several of their commercial partners, talking about the practical experiences so far and plans for the future.

An event like this is meant to convince people to use Cloudera's stuff -- but it is also a good way to find out how people are actually using Hadoop in commercial applications. This is the part I liked best. There were several speakers who talked about their (very) recent experience with commercial roll-outs and I spoke to people at my table and over lunch about what they are doing with this technology.

Many companies are still experimenting, but there are several early adopters who have real production deployments. Unsurprisingly, the latter include many start-ups.

Liars and Outliers: enabling the trust that society needs to thrive

Bruce Schneier

In February of this year Bruce Schneier released his latest book, Liars & Outliers -- enabling the trust that society needs to thrive. This accessible book does a good job exploring the scientific theory of trust and collaboration and combines a theoretical framework with real-life examples. It does not bring many new insights to people who have followed Schneier's other work but the theoretical framework is useful and this is a book worth reading.

ISBN: 978-1-118-14330-8
