Another archival post from the Citylink blog


For those who've been under a rock, Kiwicon hit town over the weekend. Citylink sponsored Cafenet 'net access for attendees, and with talk titles like "Busting Carrier Ethernet Networks" it seemed prudent to toddle along and find out what they were up to.

Having never attended a security Con before, I don't really have a comparable benchmark, but I have to say I was well impressed. 200 people through the door, and some talks that made me go "uuuhh?" - can't ask for more than that.

The organisers commented on how surprised they were at the breadth and quality of security investigation going on in NZ, and I certainly had no idea there were so many people so active on so many interesting things.

I didn't get to see all the talks, and domestic and work commitments prevented me assisting with the assault on Mt Bartab. Of what I did see, here are the things that caught my attention:

  • Peter Gutmann talking about the Psychology of Insecurity was thought-provoking - I particularly liked "if user education worked, it would have worked by now". His talk was the first of a fairly consistent meme of the conference, which is that security is increasingly not a network problem - the network guys have been harping on about using crypto and strong firewalling and whatnot for years, now everybody does it, so now the network guys go "ack, it's encrypted, sorry, you're on your own there". There was very little discussion of circumventing firewalls at Kiwicon - it was all about vulnerabilities further up the stack, or in the users.

  • Graham Neilson trojanning BlackBerries was great, not least because I immediately thought "fantastic, finally, a way to back up my BlackBerry from Linux". I need to track him down and get a copy of redberry.

  • The Aussie guy talking about trojaned hypervisors was just disheartening, particularly as he was quoting bits from the Intel spec where they discuss how they're trying to make it as hard as possible for a guest OS to determine if it is running under a hypervisor. He painted a future where it would be impossible to tell if your OS is running under a trojaned hypervisor.

  • The chap from Google who wrote "dark elevator" made me feel positive about the future of security, in a perverse kind of way. It's a simple tool that doesn't know anything about any particular exploit, it just fossicks about inside Windows looking for insecure files that might be run on startup, or by an admin, and if it does, eventually makes you an Admin user. It doesn't work on freshly installed boxes, but on anything that has a reasonable amount of the usual third party stuff installed (that you need to get anything done), it works pretty much all the time. So this wasn't doing anything fancy, it wasn't even bruteforcing, it just made it really easy to test for vulnerabilities. You have to hope that tools like these will make the default security stance of machines improve.

  • Metlstorm's talk about carrier ethernet security was a little bit of a let down, in that he'd been muzzled by the telcos. So he talked a little about the usual layer 2 attack vectors (CAM spoofing, CAM overflow, STP/802.1q abuse), none of which are particularly new, nor particularly difficult to prevent with the correct switch settings. He then went on to talk about a hypothetical telco which used "vlan private edge" (that's Cisco's term - insert your vendor's logical equivalent) to provide security separation between users in the same VLAN. That any telco would do that beggared belief - it's such a stupid idea, it hadn't occurred to me that any telco in NZ would base a secure product on it. He didn't have any rinkydink new attack vectors, which in one sense was a relief, and in another a little bit of a let down.

So, something for everyone, and in several talks I sat there thinking "damn, so-and-so should have been here to hear this". Particularly, every programmer in Wellington should have been there. I came back from the con knowing more, and realising I know even less, which marked it as time well spent.

Cafenet didn't explode in a heap, but that's not altogether unsurprising - the nature of the Con means that lots of people didn't get their laptop out and run the risk of it getting 0wned. So unlike NZNOG, where when you present you see nothing but eyeballs above the serried ranks of notebook screens, at Kiwicon most attendees sat there with pen and paper and paid attention. Which was good.

The usage patterns for Cafenet over the weekend aren't markedly different from normal - they're so uninteresting, I'm not even going to post a graph. It's a shame that Dane and I didn't think of running a traffic analyser on Cafenet until halfway through the last presentation, we could have done a presentation on all the stuff folks got up to.

The venue (Rutherford House) was great - good aircon, excellent acoustics, reasonably comfy seats. The lack of power points was an issue (what was up with the guy at the back who played WoW all weekend - wouldn't it have been cheaper to go to an internet cafe?). All in all, I was well impressed - a terrific organisational job, and I'll definitely be back for the next one, whenever it may be. Well worth $50.