Could you introduce yourself?
Sure. My name is Dan Kaminsky, and I am a security researcher focusing on applied mechanisms for analyzing and understanding very large scale networks. I have been working and speaking professionally in this field for a little more than six years, first at Cisco where I focused on the mechanisms required to secure network monitoring systems, and later at Avaya where I consulted for their Enterprise Security Practice. I recently departed Avaya, and am exploring new opportunities. I've contributed to several books, including "Stealing the Network: How To Own The Box" and "Aggressive Network Self Defense", but I'm most well known for my talks at the Black Hat Briefings and Defcon. Themed "Black Ops," they tend to twist standard protocols such as SSH, DNS, and TCP in new and unexpectedly useful directions. Tools discussed have included Scanrand, a surprisingly simple piece of code that nonetheless increased network scanning speeds by an order of magnitude, and the OzymanDNS suite, which most recently has been expanded to streaming video over the Domain Name System.
I'd like to think I contributed a bit towards people seriously doubting MD5, but Xiaoyun Wang's team out of China had way more to do with that than I did.
You were guest at the Microsoft Blue Hat event. Did you find anything surprising or unexpected?
I ain't Nixon, and Microsoft ain't China, but I did go and Microsoft...well, they got the memo: insecurity could bring it all crashing down.
But Service Pack 2 showed this isn't inevitable.
Not that the upgrade is perfect. One of the talks at Blue Hat was specifically on how imperfect the compiler buffer overflow protection mechanism was, but:
- It shipped
- It worked
- It didn't break everything
A few things broke, yes. But not everything; certainly not on the scale of 98->XP migration. And all this seems to have given those who've been fighting the good fight at Microsoft quite a bit of credibility -- both at the top of the food chain, and amongst the rank and file.
That Microsoft's Window Snyder -- one of the main organizers of the entire Blue Hat event -- told us in no uncertain terms that the executive briefings were not to be, err, "Executive Briefings" (devoid of all technical content; simply "run 'n gun" summaries) was a bit of a surprise. That the executives actually kept up was... a bit more. Not too many companies where that would happen.
People really don't grasp how... non-technical upper management is at many [organizations] and pretty much every time a serious complaint was made in the main auditorium by one of the speakers, you'd end up with an engineer or product manager standing up, assuming responsibility for the fault in question, and discussing what could be done to address the matter given technical constraints.
Now, it's certainly possible that this attitude may change, particularly with Longhorn so far behind schedule. But delivering a wildly insecure Longhorn would probably be worse than delivering nothing at all.
Microsoft has been telling people for some years that security is a priority. Did you see this priority shift among engineers during Blue Hat?
Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of "rightthink". Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels.
My sense is that a combination of respect for SP2 and growing fear of Google (which has an entirely different, and arguably more manageable security posture than Microsoft can achieve) has really pushed people towards seeing security in 2005 as stability was in 2000/2001. Blue Screen of Death jokes just aren't funny anymore; people leave their laptops on for months (with standby) without so much as a reboot. As long as they avoid spyware, it works.
Actually talking to the engineers was interesting. There was some annoyance at how easy Metasploit was making it to transform a particular exploitable service into a remotely accessible display, but by and large the attitude was one of: surprise (wow, people can reverse engineer my architecture without access to source code), interest (so this is the process that's used to attack us), and simple engineering fault reaction (OK, these are the things that we need to be concerned about, let's mitigate them). What there was nothing of was, "Why should I care about this; it'll add a month to dev time and it's not like anyone's going to attack it anyway." This is quite nearly a reflex rebuttal for corporate developer types, so it was very nice not to hear it -- not even in private.
[This] doesn't mean everything out of MS is going to be perfect, of course. But there's been a definite priority shift. Interestingly, this is why I'm not at all worried that Microsoft is going to buy Gator/Claria. Who would spend billions of dollars investing in security technologies, only to turn around and become part of the problem? Indeed, corporations are not monolithic, and I'm sure somebody's quite tempted by all that advertising data. But the viability of the platform is at risk (or else, why spend so much?), and there's no way to compete with "Don't Be Evil" Google when you've purchased, "We're so evil, we had to change our name" Claria.