Black Hat

The first keynote speaker, Brian Snow with the NSA, was decent - and unintentionally funny. Two of us suggested within the same minute (separately) that Snow sounded just like Hal from 2001. Anyway, Snow was all about some assurance. In fact, the subtitle of his talk was "It's about assurance, stupid." His summary was that most attacks result from failures of assurance, not function.

At 10:30 we heard David LeBlanc, Senior Technologist with Microsoft Corporate Security, speak on real-world network security management techniques. He said that a box that's been hacked is like a pool that's been pissed in. What do you have to do? Drain the pool. His point was that once you know a system's been compromised, you take the compromised boxes offline (pull the cables), back them up, and put up a new box - that you should never just fix the immediate problem and keep running. He also talked about dependency loops, dependency chains, and how one needs to understand the scope of affected machines.

At 13:30 we saw Ron Gula w/ Network Security Wizards speak on bypassing intrusion detection systems (host-based and NIDS). It was good, but the guy to my left had taken off his shoes, so it smelled like feet.

We saw two more talks: Ron Moritz of Symantec Corp on proactive defense against malicious code, and Mark Kadric of Conxion Corp. on ID in high-speed networks. The general consensus, among Kadric and a couple of other speakers, was that commercial IDSs weren't good enough yet, esp. for high speed networks (multiple OC3s and greater). He went over the types, and the drawbacks, and I'm really glossing over all of this, but it's a day log. :P

And that night we had dinner at Benihana then played craps.