ShmooCon review
I spent this past weekend at ShmooCon. Getting there was a complete pain in the ass, as National airport was apparently fogged in for the better part of Friday. I was slated to take an 11:55 am flight down, which was delayed until 12:25 and then canceled. The fine folks at US Airways then rebooked me onto a 3:30 flight, which didn't actually get off the ground until about 6pm. I finally arrived at the hotel around 8pm, missing all of Friday's proceedings, which I'll have to watch when the Shmoo release the video torrents.
Saturday was chock full of interesting sessions, starting with Jennifer Granick's talk on FISA, CALEA and Executive "privilege". After the room split break, I attended Fyodor's talk on nmap. Nothing like learning tips and tricks for a tool straight from the mouth of the creator. From there I rolled into Elonka Dunin's presentation on Kryptos and the Cyrillic Projector. Elonka is an excellent speaker and has an obvious obsession with code breaking.
After lunch, I caught Abend's presentation on magnetic card reading and emulation. This was an awesome talk on a topic in which I've always been interested. Thanks to my super-smart question asking ability, I was gifted with a surplus magnetic card reader of my very own. Of course, now I have to build an interface for it.
I filled the rest of my afternoon with bits and pieces of Lance James' talk on Trojans, Botnets and Malware, Richard Bejtlich's talk on Sguil, and Shawn Merdinger's talk on WiFi VoIP phones. I also spent a little time playing Galaga in the hacker arcade, but not enough to accumulate enough tickets to get a prize. Next year, I'll have to build a game for the arcade, as the pickings were a little sparse.
Sunday was a short day with my main interest being the lock picking talk given by Deviant Ollam. The Shmoo folks were quite kind in giving him two hours for the talk instead of the usual one hour slot allocated to everyone else. It was an awesome talk, and I'm not just saying that because I won a t-shirt and a Swiss Army knife/USB memory drive. After that there was a room join and we all got to enjoy J0hnny L0ng's gut-busting talk on 'Hacking Hollywood', in which he reviewed just how l33t the folks in Hollywood are when it comes to all this cool computer stuff. After that I had to bail, as I had a 3:30 flight back home. I probably could have managed to stick around for the last half hour, but then I would have been fighting with everyone else for a cab to the airport.
Thoughts for next year. Fly down the day before and bum around the city instead of getting stuck at the airport all day on the first day of the Con. I'll also plan on staying an extra day so I don't have to rush out before everything is over.
Posted by John on January 17, 2006 | Comments (0)
Claria/Gator VP appointed to DHS Data Privacy Committee
So, Claria (aka Gator) Vice President D. Reed Freeman, Jr. has been appointed to the Department of Homeland Security's Data Privacy and Integrity Committee. What a joke! Claria has no interest in privacy; their business model is built around fucking spyware.
Claria Press Release from PR Newswire
News.com Article
This is so blatantly stupid that I had to write to my Senators and Representative. It probably won't do any good, but sometimes you just have to let the folks in D.C. know what's really going on.
Dear [Senator],
I must strongly urge you to object to the appointment of Claria Vice President D. Reed Freeman, Jr. as a member of the Department of Homeland Security's Data Privacy and Integrity Committee. Claria, formerly known as Gator Systems, is the most pervasive purveyor of computer spyware in the industry.
As a computer security professional, I can tell you that Claria/Gator has no interest in consumer privacy. Their primary concern is sneaking spyware onto unsuspecting users' systems and collecting statistical data which they then sell to their corporate customers. Claria software is installed without user consent, often using current security holes in Microsoft's Internet Explorer.
It is a complete farce that a representative of Claria should be appointed to the DHS Data Privacy Committee. This appointment will only hurt the already shabby credibility of the DHS.
Sincerely,
Posted by John on February 24, 2005
CSP: DIY Certificate Authority
Are you in need of X.509 certificates for your systems? Are you outraged by the expense of commercial CAs? You can be your own certificate authority.
I've tried out a bunch of different Open Source CA packages and found most of them to either be too rudimentary (e.g. the CA.sh script that comes with the OpenSSL distribution) or way too complex (OpenCA). However, I've finally managed to find a reasonable middle ground for a low volume CA. That package is Stockholm University's Certificate Service Provider (CSP).
CSP is a Perl class and script for running multiple CAs. It uses OpenSSL for all operations and has a very simple command line interface. One place it is lacking is in error handling. I have found that if you mis-type the password for the private key of the root certificate when you are signing a cert, you don't get any error message telling you that it couldn't complete the operation.
Installation is a breeze as it uses the standard Perl-style make structure (perl Makefile.PL; make; make install). I would recommend setting aside a standalone machine to be the CA host. An old Pentium-class laptop should suffice, giving you the added bonus of being able to lock it up in a safe or desk drawer for safekeeping. Be sure to keep backups of the root CA cert and key on a floppy, CD-R or some other medium.
The best part about CSP is the excellent documentation available. There is a 21 page user manual available in pdf and sgml formats that walks you all the way from installation to initialization of your CA to issuing and revoking certs. None of the other CA projects I've tried have had documentation even a quarter as good as this.
All in all, it's a great package for a low volume CA. I definitely wouldn't try using it to outfit a large enterprise with certificates for all the users, but if all you need is a few certs for your servers, then this is definitely the tool for you.
Posted by John on July 3, 2003