San Francisco has always been a somewhat odd but pleasant outpost with an appeal that attracts people from all over. It was so in the late 1840s, when the prospects of gold lured people to the area, in a short time transforming the small settlement of San Francisco to a boomtown. More recently, many in the IT field have been attracted to San Francisco because of the pleasant weather, even in winter. And last week at the Moscone Center, in the buzzing SoMa neighborhood, was brought to town one of the largest security conferences in the world: RSA.
RSA got its name from the very roots of what protects our data on the Internet. Rivest, Shamir and Adleman are a trio of cryptographers whose findings still underpin the vast majority of today's Internet and e-commerce transactions. Their public-key RSA algorithm is used to protect just about any information that is transferred securely across the Internet. It is one of the most widely used public key algorithms and applies in those cases where you don’t have the ability to exchange a unique password with every party you wish to communicate with in advance.
It is of no surprise then that RSA started 19 years ago as an event that focused heavily on cryptography. Over the years, it gradually changed, and today it is much wider in scope, with an especially remarkable vendor area. While this is not the place where we run into most of the security researchers we work with on a daily basis, it is a great venue to learn what is happening on the vendor end of things.
Talks at RSA can be divided in two categories: massive keynotes that attract a large audience and discuss some of the bigger topics of the day, and smaller breakout sessions that cover very specific issues and can be as technical as most of the more technical conferences. Breakout sessions are often accompanied by even smaller meetings, the ad hoc peer-to-peer sessions that are set up and bring together likeminded folks wanting to discuss a topic more in privacy and with a few beers.
A big thing for Microsoft was the presence of our corporate vice president of Trustworthy Computing, Scott Charney. He presented on the Microsoft vision for end-to-end trust: getting to a safer, more secure Internet. Scott’s talk exposed the interesting dilemma of choosing between two things that matter to us all: anonymity and accountability on the Internet. Talking to some of the attendees after his talk, I understood that they were especially intrigued by the U-Prove technology, which was announced during his talk. U-Prove allows people to disclose only minimal identifying information to applications and services when they access them using an ID-Token. This technology helps bridge that gap, and bring us closer to an Internet where attackers can get caught and individuals can maintain their anonymity.
Other interesting keynotes dealt specifically with that accountability question: how do we, as individuals, corporations, or nations deal with cyber attacks? Interestingly from that point of view was a large government presence. Any black hats in the audience would have felt intimidated in presentations by Howard Schmidt, the newly appointed US Cybersecurity Coordinator, and Janet Napolitano from the Department of Homeland Security.
Going back to the roots of the conference, I also really liked the Cryptographer’s Panel. Earlier on in the conference, whilst prowling the conference book store, I had picked up a little novel with a rather interesting title, “Tetraktys”. It turned out to be a very interesting read that fit in with the conference crowd perfectly, covering a young graduate that roves across lost temples, chases secret societies, and most aptly, attempts to prevent the factoring of the RSA protocol. To my surprise, the author’s name popped up as moderator of the panel. Ari Juels did a great job on the panel getting several cryptographic pioneers, Whitfield Diffie, Martin Hellman, Ronald Rivest, Adi Shamir, and Brian Snow (of NSA fame) to tell their often-amusing stories. Quite interesting was Brian Snow’s recommendation on slowing down the current SHA3 selection process. Given the rapid evolution in common hash functions such as MD5, this is of particular interest to us. An interesting discussion also erupted at the end about academic versus government research in cryptography. This inspired a lively war of words, a must see!
The breakout sessions also did not disappoint. Much more practically focused than the keynotes, several of them focused on modern malware and rootkits, and how they really pose a threat. While many did not directly cover product vulnerabilities, RSA presentations do tend to bubble up what the researcher community is looking at, and left us with some interesting ideas. While the cloud and the advanced persistent threat were readily present with many presenters, some of the more intriguing ones covered the backdooring of active code runtime applications and the time artifacts left on the file system when editing or viewing files.
I especially liked F-Secure’s discussion on the evolution of rootkits. They went back to Pakistani Brain, an old memory-resident boot-sector infecting virus, and showed how many of its techniques are very similar to those of more modern rootkits. This was especially interesting to me, as Brain’s reputation was one of the things that initially brought me into the information security community!
Microsoft actually had a pretty large presence at RSA. Katie Moussouris and Bryan Sullivan presented on the various tools Microsoft has written while building the Security Development Lifecycle. If you are interested in BinScope, MiniFuzz or the SDL Threat Modeling Tool, check out the preview of their presentation at the RSA web site. It was actually a big conference for the SDL team- Adam Shostack also launched a creative endeavor to threat modeling. Elevation of Privilege is a card game, designed to help anyone developing software get started threat modeling. Read more on how to play the game at the SDL blog.
On Wednesday, Katie also showed off her second hat, joining into a lively debate on the future responsible disclosure. Together with her work in the SDL team, she’s also been a long standing member of the MSRC, developing quite a bit of Microsoft’s own disclosure policies.
Alas- circumstances caused me to miss the latter deliberation. Jonathan Ness, Bruce Dang, and I also presented a break-out session at the same time on Wednesday, covering the changes in five years of content-based attacks. These are the targeted attacks you may often hear about that exploit vulnerabilities in common productivity applications or PDF readers. We got great feedback from the audience, and got lucky! An interested audience member had set up a peer-to-peer session to discuss some of the things we reviewed and we had a great follow-up discussion with attendees that had similar interests.
Needless to say, some of these discussions went way into the evening. One of the great things of RSA is how varied the audience is. While most attendees are either customers or developers of security software, this community has incredibly clever individuals! Probably the best evenings of the conference were spent with some of the lead developers behind the many security products, talking about the principles behind their software. In recent years I have sometimes felt that many of the security products released were too complex and prone to deployment issues. It was refreshing to see that many vendors are going back to the roots, applying numbers, big but reliable numbers, to solving hard security questions.
See you at CanSecWest!
*Postings are provided "AS IS" with no warranties, and confers no rights.*