[SecurityRatty] tag: dino

Last HOPE Session Videos - Seeded by AoIS

Wed, 06 Aug 2008 22:57:47 +0000

To be honest, 2600’s The Last HOPE conference didn’t really catch my attention at first. But some of the sessions, especially ”Crippling Crypto: The Debian OpenSSL Debacle”. That presentation, by Jacob Appelbaum, Dino Dai Zovi, Karsten Nohl is a winner. Not only do they provide a fantastic and detailed description of how OpenSSL’s random number generator was accidentally lobotomized, they also demonstrate how to leverage cheap cloud computing to generate the set of bad keys that resulted. (All of them!)

At any rate, legit torrents of the video presentations are available from The Last HOPE Video Tracker. Art of Information Security is seeding torrents, and plans to do so for the next 10 days.

Check ‘em out.

Cheers, Erik

Last HOPE Session Videos - Seeded by AoIS

Missing the Point

Mon, 21 Jul 2008 18:19:57 +0000

A co-worker passed along this snapshot taken at the Karsten Nohl, Jake Appelbaum, and Dino Dai Zovi talk at HOPE this past weekend. The context, of course, is that the overzealous Debian developer who accidentally crippled OpenSSL back in 2006 said he did so because valgrind reported uninitialized memory use. Click through for the full-size version.

So automated software review is dangerous now? Perhaps that bullet should read “modifying code you don’t understand is dangerous.”

DNS Vulnerability Survives Scrutiny of Peer Review

Wed, 09 Jul 2008 21:30:48 +0000

The security community is cynical. So much so, that most of the chatter that’s taken place over the past 24-36 hours has suggested that Kaminsky’s DNS vulnerability was little more than a publicity stunt and that his BlackHat presentation would be an over-hyped rehash of prior art. Granted, one has to suspend disbelief to even consider that something monumental would be discovered in DNS — that’s the protocol itself — but hell, it’s always nice to give a guy the benefit of the doubt.

Faced with nearly a month of criticism and questioning, and understanding the persuasive power of a technical peer review, Dan decided to expand the inner circle, so to speak. Rich Mogull arranged a phone call with Tom Ptacek and Dino Dai Zovi so that Dan could spill the beans and let them decide for themselves whether it was spin or substance. Turns out there was substance.

Now we sit around and wait until August 6th to cram into a ballroom with a thousand sweaty conference-goers to hear the juicy details. And Dan’s presentations are usually packed to the brim even when he’s not announcing anything.

In the meantime… how about patching those servers?

Who Are the Information Security Experts?

Wed, 13 Feb 2008 16:12:03 +0000

Recently an executive at HP claimed that his company now employs 9 out of the top 11 security people due to HP’s acquisition of SPI Dynamics:

“Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.”
- Mark Potts, CTO of Software, Hewlett-Packard

Now eWeek has produced a list of the 15 most influential people in security today. Here is the quick non-multimedia version:

Tavis Ormandy, Google Security Team
Ivan Krstic, One Laptop Per Child
Chris Paget, IOActive
Bunnie Huang, Bunnie Studios
Michal Zalewski, Google
Window Snyder
The MOAB Hackers
Dino Dai Zovi
Michael Howard, Microsoft
HD Moore, Metasploit
Dave Aitel, Immunity
Bronwen Matthews, Microsoft
John Pescatore, Gartner
Rob Thomas and Team Cymru
Stefan Esser, Hardened PHP Project

I don’t see any SPI Dynamics or HP people on this arguably less biased list. I do see 3 of my former collegues from @stake: Dave Aitel, Dino Dai Zovi, and Window Snyder. Seeing that giants Microsoft and Google only got 2 each on the list and @stake has 3 it lends credence that @stake was the place to be for hard core security people.

Wikipedia has a nice large list of computer security specialists.