22 Nov 2000
I’m going to AOSS2 to do the SAGE-AU presentation. Mail me your presentation as a backup mechanism – it can come across on my laptop. Also, I’m reasonably certain that Michael Paddon et al (i.e. the organisers) will look after it for you as well.
work: Win2K security tute
I gave my Win2K security tute another run today. A Microsoft dude was in the crowd. Low attendance – about 10 people fewer than RSVPs I had managed to get. The people there were probably taught to suck eggs, which is not always that pleasant – particularly as it’s a three+ hour tute.
I did manage to get across the idea that NT/Win2K security is about using the integrated form of authentication, which is key. Every single time people go away from it, they suck at it. I have some other examples as well, but this is just one of the more recent and visible ones.
Working on getting the VNC thing fixed (as well as is possible). I’m going to kerberize VNC into the current developvnc.org CVS code and also work on revamping the current authentication scheme to something that’s a little bit more secure from Applied Cryptography. Too much effort, and we have a Kerberos-like scheme. I’m thinking Wide Mouth Frog at this stage. It’s about the same complexity as NTLM. Trent will be the VNC server.
A possible nice thing is that VNC includes 3des C++ class helpers. I’m going to look into extending that implementation to 3des-cbc and encrypting the stream. Avoids the use of SSL or ssh entirely for relatively low cost. Trick is that the initial setup can be done quite badly.