Guus Bosman

Monday and Tuesday I attended WOOT, a series of presentations on computer security attacks. It is part of the USENIX Security 2015 conference.

Two years ago I attended the same conference, and like two years ago, TLS and Android were favorite topics.

The keynote session by Adam Langley on TLS v1.3 was quite interesting. He also spoke about his practical experiences in disclosing vulnerabilities, and how difficult is is to 'manage' that process. He tried several approaches, including telling a small group of trusted companies first, only to be criticized by those outside of the "nice list". Later he tried to expand that circle but then the information started leaking out. His main conclusion was that there's just no good, clean, result you can expect.

I always like approaches like FLEXTLS. They created a framework that made it easy to test the state-machine in TLS. That way, the were able to systematically test which implementations allow the skipping of important steps. It ended up getting a price for the best paper at WOOT.

A presentation that stood out on the second day was about weaknesses in the routers provided by Dutch ISPs. They did some old-school reverse engineering to be able to crack the WPA2 passwords.

Very interesting new approach to attack is to abuse voice recognition.

During the lunches and breaks I spoke with several people. It was nice to meet Dr Lorenzo Cavallaro, the teacher of the online course I took a while ago.