Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Oct 16, 2010

Some highlights from the RSA Euro conference '10

I just got back from London and the RSA Europe conference; I've had a great week! In addition to a solid program, the conference is a hotspot of highly skilled professionals. I ended up in a lengthy discussion at the Microsoft stand on the possibilities of the new Forefront Threat Management Gateway (TMG), and the Unified Access Gateway (UAG). One chat with a Microsoft professional, and I learned that the UAG is much more versatile than the official webpages indicate. Of course, I had many more interesting conversations with both sponsors and visitors to the conference. I have to mention that I was fortunate enough to bump into Steve Lipner from Microsoft while I was on my way from one session to another. I happened to be carrying around my SDL book, and he was kind enough to sign it. Good stuff!

I'll summarize some of my favorite sessions from the conference:

Schneier's keynote
Bruce Schneier's keynote on "Security, privacy, and the generation gap" was great. He touched upon many interesting aspects of privacy, like how we make our privacy decisions (how we give it up), or the social challenges we face when spending time on social networks. He referred to some very interesting research; here's one of the examples: In group A each person is given an anonymous value coupon worth $8 with the option of exchanging it for a coupon worth $10 — but the $10 coupon would include the person's name and address. In group B the setting is reversed: each person receives a $10 coupon with their name and address on it, and gets the option of switching it for an anonymous $8 coupon. One would expect to find the same pattern in both groups. However, the group who received their anonymous coupons first were more reluctant to give up their privacy! I've tried to find an article on the study, without success. I'll add the link here if I can find it; it's thought-provoking stuff.

My metric of a good keynote is to which extent it makes you think. After Schneier's talk, I had a lot to think about!

Application level DoS
Bryan Sullivan from Microsoft's SDL team gave an important talk: "When a billion laughs are not so funny: application-level denial of service". He discussed a class of very potent attacks, where a carefully crafted attack will consume server-side resources to the point where the server resources are depleted. The interesting aspect of these attacks is the asymmetry. By sending a request which is only a couple of hundred bytes, the server can be triggered to consume all of its memory and/or CPU. Sullivan made a point of the asymmetry, and also the difficulties in detecting or preventing these attacks — other than writing secure code in the first place of course.

Sullivan gave two important examples, one for regex and another for XML parsers. To aid in the detection of vulnerable regex statements, the SDL team has released a Regex Fuzzer. On that link, you'll also find references to how the vulnerability works. There's also an MSDN article on the challenges with XML parsing; check it out — especially if you're consuming untrusted XML!
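As an added illustration that is not part of the original post, here is what both of Sullivan's examples look like from the defender's side in .NET (the platform this blog is mostly about): an XmlReaderSettings that refuses DTDs, so entity expansion never starts, plus character caps as a second line of defence; and a regex match with a hard time budget, so a pattern that backtracks catastrophically fails fast instead of pinning a core. The XmlReaderSettings members used here are .NET 4.0 APIs; the Regex.IsMatch overload that takes a timeout is .NET 4.5, which is newer than the talk. The class name, the sample document and the two regex patterns are constructed for the example.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;

// Constructed example class, not from the post or from Microsoft's SDL team.
public static class AppDosHardening
{
    // Reader settings for untrusted XML: no DTD means no entity declarations,
    // so the "billion laughs" expansion cannot be triggered at all. The
    // character caps only matter if DTD processing is ever re-enabled.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // reject any <!DOCTYPE ...>
            XmlResolver = null,                       // never fetch external resources
            MaxCharactersFromEntities = 1024,         // cap expanded entity text
            MaxCharactersInDocument = 1024 * 1024     // bound total document size
        };
    }

    // Walks a document with the hardened settings. Returns false and the
    // parser's message when the input is rejected.
    public static bool TryReadUntrustedXml(string xml, out string error)
    {
        error = null;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
            {
                while (reader.Read()) { /* nothing is kept; we only exercise the parser */ }
            }
            return true;
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    // Matches with an upper bound on engine time (.NET 4.5 and later). On
    // timeout the engine throws RegexMatchTimeoutException, which we report
    // instead of letting a single request consume the CPU indefinitely.
    public static bool IsMatchBounded(string pattern, string input, TimeSpan budget, out bool timedOut)
    {
        timedOut = false;
        try
        {
            return Regex.IsMatch(input, pattern, RegexOptions.None, budget);
        }
        catch (RegexMatchTimeoutException)
        {
            timedOut = true;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample: a tiny document that declares a single entity.
        // The hardened reader rejects it at the DOCTYPE, before any expansion.
        const string withDtd = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        const string plain = "<r>x</r>";
        string error;
        Console.WriteLine("with DTD accepted: " + TryReadUntrustedXml(withDtd, out error) + " (" + error + ")");
        Console.WriteLine("plain accepted:    " + TryReadUntrustedXml(plain, out error));

        // Constructed near-miss input: digits followed by a character that
        // cannot match, which makes a nested-quantifier pattern back up
        // exponentially. The single-quantifier equivalent is linear.
        string nearMiss = new string('1', 30) + "!";
        bool timedOut;
        IsMatchBounded(@"^(\d+)+$", nearMiss, TimeSpan.FromMilliseconds(200), out timedOut);
        Console.WriteLine("nested quantifier timed out: " + timedOut);
        IsMatchBounded(@"^\d+$", nearMiss, TimeSpan.FromMilliseconds(200), out timedOut);
        Console.WriteLine("linear pattern timed out:    " + timedOut);
    }
}
```

The two patterns accept exactly the same language, which is the point: the asymmetry Sullivan describes comes from how the engine searches, not from what the pattern means, so a review of regexes applied to untrusted input should look for nested quantifiers and overlapping alternations, and the timeout is the safety net for the ones the review misses. On the XML side, prohibiting DTDs is the right default for any service that consumes XML from outside; only relax it to DtdProcessing.Parse with the character caps in place and a documented reason.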

Attacking mobile messaging
Another great session was the "Attacking mobile phone messaging" by Lackey and Miras. It was no surprise that the telephone system had major vulnerabilities. However, Lackey and Miras had set up an attack showing just how flawed the design of the administrative part of the mobile phone system is. Great presentation, a great demo, and they were both excellent speakers. And yeah, the mobile messaging system has major issues.

Flash security
Adobe's Peleus Uhley gave a great talk on the security model for Flash content and how to develop more secure Flash applications. I haven't been working on Flash content security before, so this was a brave new world for me. Uhley gave a great overview on how the whole Flash model worked and what the challenges are as a Flash designer/developer. In short, treat your Flash animations with as much care as you do your web applications! Check out the OWASP Flash Security Project to get up to speed; it's run by Uhley and contains all the important references you need.

And the other stuff
There were a lot of other interesting sessions but — like always at a conference — you once in a while realize that you went to the wrong session. That's how it goes! Apart from the sessions mentioned above I attended the sessions that were either SDL oriented, or targeting more technical security.

There was of course a vibrant social life after the formal program ended; I had great fun. I'm not outing anyone here, so: Thanks guys, you know who you are! :)


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.