Category: Conferences and Travel

  • OSCON

    Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia.

    Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we can sort things out.

    OSCON: Awesome.

    My presentations went down well. I’ll upload the new presentations soon, but the Ajax Security demo went off really well. The room was overflowing with folks, so I’m really chuffed that so many of you decided to come.

I’ll put up the Ajax XSS demo I did later, but please be aware that these demos are INSECURE by design, so only test them on your internal systems. The trick is:

    <img src="kitty.jpg" onLoad="... your javascript attack here ...">
    

People forget there are literally hundreds and possibly millions of ways to do XSS. Do NOT look for “script” or “javascript” and think you’re done. That’s stupid. Make the output safe (encode it for the context it is rendered in); it’s faster, it’s simpler, and it works.
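To make the point above concrete, here is an added example (it is not code from the original post or from the demo the author mentions). It puts the kind of “strip script/javascript” blacklist the post warns against next to plain HTML output encoding and runs both over a handful of constructed payloads, the first being the post’s own onLoad trick. The payload list, the naiveFilter/encodeHtml/looksExecutable names and the looksExecutable heuristic (a regex that spots a tag carrying an on* handler or a script element in element content) are assumptions made for this example, not anything the post defines.

```javascript
// Added example, not from the original post: a "look for <script>" blacklist
// versus output encoding. Plain Node.js, no dependencies.

// The kind of filter the post warns against: strip a few known-bad substrings.
const BLACKLIST = [/<script/gi, /javascript:/gi];
function naiveFilter(input) {
  let out = String(input);
  for (const re of BLACKLIST) out = out.replace(re, '');
  return out; // single pass: removing "<script" from "<scr<scriptipt>" yields "<script>"
}

// Output encoding for HTML element content (and double-quoted attribute values).
// Every character that can open a tag, close an attribute or start an entity
// becomes a character reference, so the browser can only render it as text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeHtml(input) {
  return String(input).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// Heuristic (assumption for this example): does the rendered element content
// contain a tag with an on* event handler, or a <script> element? Only valid
// for the text context used by renderGreeting below, not for attribute values.
function looksExecutable(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// A server-side template that drops an untrusted value into element content,
// after passing it through whichever "defence" the caller supplies.
function renderGreeting(untrustedName, defence) {
  return `<p>Hello, ${defence(untrustedName)}</p>`;
}

// Constructed payloads for this example. The first is the post's own trick;
// onLoad on an <img> fires once kitty.jpg loads, with no "script" in sight.
const PAYLOADS = [
  '<img src="kitty.jpg" onLoad="alert(1)">',
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '<scr<scriptipt>alert(1)</script>', // one-pass stripping rebuilds <script>
  '<ScRiPt>alert(1)</ScRiPt>',        // the one case the blacklist does catch
];

// For each payload: does it still run after the blacklist? after encoding?
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    blacklistStillExecutable: looksExecutable(renderGreeting(p, naiveFilter)),
    encodedStillExecutable: looksExecutable(renderGreeting(p, encodeHtml)),
  }));
}

for (const r of compare()) console.log(r);
```

Four of the five payloads survive the blacklist and none survive encoding, which is the whole argument: the blacklist has to enumerate every tag, handler and obfuscation the browser will ever accept, while the encoder only has to know the handful of characters that mean something in the context it writes into. The same reasoning means a value landing in a JavaScript string, a URL or a CSS value needs the encoder for that context, not this one.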

    People

    I met so many folks who I had spoken to over the net, or e-mailed. Everyone is so nice and friendly, it’s incredible to meet the greats. I really enjoyed catching up with Chris and Laura, met the Schlossnagles for the first time (cool dudes, cute kids :), and of course, Wez.

    Unfortunately, due to the bad things going on in my personal life, I could not bring myself to hang out after hours as I was feeling extremely down, but life goes on. I was hoping to go out to Portland a bit more; maybe next time.

    Talks

I went to a fair few webappsec related talks, and it’s truly gratifying to me that the developers had an entire stream dedicated to it. I really enjoyed the PHP Security hoedown – we had a whack job in the back row causing a bit of a stir, but after he left, the hour really flew.

    Portland

I’ve never been here before. It’s a very nice city, great public transport. I’ll post some images soon as it’s very pretty this time of the year. It was a bit hot when I got here (about 40 C) but it soon cooled down to the mid-20s and I’ve been happy with that. 🙂

A friend through newbeetle.org picked me up from the airport last Sunday, and we went to her place and hung out for a while. She invited over a friend of hers, and I got to see her and her hubby’s New Beetles (a nice Turbo S and a unired NBC), and her friend’s green Gecko TDI New Beetle. Very nice – I wish we could get that colour in Australia. We had breakfast on Friday morning even though I was extremely tired (no sleep) and a bit sad, and she picked me up this morning to take me to the airport. I’m so impressed; I wish I could say I was as good a host when I have folks visiting. Thanks, Debbie – you set the standard!

    Next steps

    I’m off to SF next. I’m at the airport now. I have to spend a few hours this weekend getting stuff together to meet the CSO of a major partner of work’s, like running through the ESA presentations and ensuring that we have something constructive to talk about. I might need to go to Kinkos tomorrow and print off a few things unless my hotel has a printer I can use.

  • OSCON 2006 – See you there!

    Just a quick note as to the quietness of the blog. I’m working on a few things:

    • my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
    • doing demos for the above
    • my slides for OWASP Melbourne, July 2006 meeting (this coming Wednesday! Details)
    • reconstructing my work laptop
    • the OWASP membership packs and other executive director project items
    • administrating Aussieveedubbers
    • writing a fresh Ajaxy UltimaBB installer
    • writing a proposal for a workable security architecture for PHP 6 which I want to present to Chris when I go to OSCON, and maybe earn myself an audience with Rasmus and the other PHP luminaries to discuss it over a beer or two and thus decrease my trolliness to those folks.

Plus, Tanya would like my body sometime as well. I’ve given up TV. Woe is me!

    See you at OSCON 2006.

    I’m also making an appearance at BlackHat and Defcon, and will be in SF in between those two conferences, and possibly in Salt Lake City before OSCON (depends on work). If you want a Thawte Notarization for the Web of Trust (free *real* fully trusted S/MIME certificates!), please bring photocopies of your photo ID and I’ll do it for free.

  • Munich – Saturday (Deutsches Museum)

    We got up, had breakfast, and walked to the Deutsches Museum.

Unlike any other museum, this is a geek museum. It’s like geek heaven there. Except there’s so much to see, and that entails a lot of walking. They have foot massagers, but they take 50 c coins, and I haven’t acquired any of those yet, only heaps of 20 euro cent coins.

    The first thing we checked out was the high energy lab, and that was amazing. Lots of noise, sparks and high energy!

    We took in (not nearly exhaustive to describe it!):

    • High energy lab
    • Planes, and lots of them!
    • Planetarium
    • Rockets, rockets, rockets!!!!!! And more rockets!
    • Chemistry … no explosions, doh!
    • Space exploration (astronautics)
    • Measurements and time
    • A temporary exhibition on German progress
    • Walked through the agricultural area, but checked out a complete house they’d reconstructed
    • A cave about neolithic art work. It was dark.
    • Nuclear physics and other physics
    • Paper and printing (look at real leading and type!)
    • Musical instruments (nearly missed out on this one, but it was awesome!)
    • Techno Toys – looking at all these early proto-legos from the late 19th century and early 20th century

    Check out the gallery of stuff here:

After the techno toys, my feet were killing me, so we headed back to Steve’s place. We geeked out there for about an hour and watched a Coupling episode. I’d forgotten how cool that show is – I’d only seen the one episode until then. Will need to get the DVDs when I get back to Australia.

    We had dinner at the Mexican restaurant near Steve’s friend Andi’s place. It was really good, particularly the half price Margaritas. Again, no Visa, and the prices at most European places are in ouchy land territory for earners in $AUD. At this stage, I’m nearly out of cash again. Need to find an ATM on Monday to deal with this if I run out of Steve’s hoard of cash (we’re trading at the correct rate, so he doesn’t need to be done over when he comes to Australia).

    Sloshed our way back to his place. Even at 10 pm, the public transport doesn’t take long, despite needing to change trains (and system) three times. You simply couldn’t rely on public transport in Melbourne to do this.

    We watched a few episodes of Coupling and I hit the sack.

  • Munich – Friday

    I landed in Munich and waited to pick up my luggage. The new airport feels like one big BMW ad. There’s BMW everywhere, so at least I had something to look at. Eventually my bag came, and I headed out. I met up with Steve Riehm, who is hosting me in Munich. When I was organizing the last minute trips, I did not know that Munich is hosting a goodly percentage of the soccer World Cup, so all the flights were full and mine was no exception. That’s why I had to travel to Munich a day earlier than I expected.

The weather in Munich is even worse than that in St Anna, which is hard to top. Steve cranked on the heated seats in his beemer, and I was toasty in seconds. 🙂

After dropping my crap at his place, we geeked around a bit and then headed into town for a look-see. I took heaps of photos, which can be found in the Gallery, here:

After walking around Munich for a few hours, my footsies were a bit sore. Luckily, there was a pub only a little distance away, so we ended up eating there, and again, I was surprised to find that Visa is not accepted widely in this fairly first-world nation. Unbelievable. After a few really nice beers and some roast suckling pig and crackling (the Germans know how to do pork!), Steve bundled me home on the excellent public transport here. If only Melbourne had such good public transport!

We traded Euros for Australian dollars as the Travelex rate was insanely bad. My normal savings card didn’t work here, despite the ATM I used having a Cirrus logo. So beware if you come from a place like Australia, where everyone uses electronic cash, and come to a place like Munich, where it’s hard to use your own money. I wonder how many tourists to the World Cup are going to be bitten … coming here with only a tad of real money like me, and expecting to use ATMs and EFTPOS as per normal.

    We watched a movie – Sky Captain and the World of Tomorrow. Awesome film noir / comic / kitsch. Get it!

  • Meeting up with the family

    On Thursday morning, I took the very reasonably priced train up to my family near St Nicklaas. It looks a long way on the map, but it’s only 40 or so km. Europe is compact that way. The weather is still crappy and it barely makes it above 10 C.

Met up with Eddy at the train station, and we had a good old conversation about geeky stuff. Eddy is a funny bloke – he didn’t know where the coffee was, so he rang his sister, who popped over with some coffee and a filter. Then when his better half (Viviane) came home, she showed us where the coffee was… it was right in front of the cupboard. The shame of it! 🙂

    We had an awesome meal of witlof and ham and cheese sauce, much thanks to Viviane’s awesome cooking. Eddy broke out the wine, and we started getting merry.

    Those were taken around 7 pm… the sun finally came out, and it was still cold, but at least I’ve seen the sun whilst I was overseas! It’s supposedly summer, but it’s colder than Melbourne.

More family came around after dinner, and we had some awesome beer, West Vleteren. Eddy thinks it’s the best beer in the world, and I think he could very well be right. I stayed with the family overnight, pushing Michael out of his room. Sorry about that Michael! 🙂

    In the morning, I left for Munich. Europe has awesome integrated public transport. Even though the train for the airport had been cancelled, I made my checkin at the airport with ages to spare. The new part of the airport is shiny and new. They really need to demolish the old bit as it makes a terrible impression, and I’m sure with 97 gates in the new bit, they can afford to get rid of the crusty old terminal.

  • Updated Ajax Security presentation

    I’ve updated the Ajax presentation to the slide deck I gave at OWASP EU. New pictures. More content. More size! (4.3 MB)

    Get it here:

    Ajax Security (4.3 MB PDF)

  • OWASP EU – Day 2

    Excellent day again.

    I’m still waking up far too early, but that’s okay, particularly since I had still to complete my Day 2 keynote slides, much to Dave’s disgust.


    – Leuven University

The keynote went well, but I finished what I thought was early, when in fact, it was dead on time. This left Ivan Ristic with much less time than he had intended. 🙁

    Ivan’s talk was pretty cool – he went through the stuff you’d expect of the author of the open source web application firewall, mod_security, discussing the four major features of the software. I’ve used it before in a DDoS attack, and it worked well.

    After the morning break, I went to the invited papers track. I think this was a good idea, and the quality of the ideas was good. I think it allowed people who are not conference whores like myself to get up and speak. And considering that only a small percentage of the attendees are native English speakers, I was pleasantly surprised at the quality of the English at the conference. Awesome.

    The session riding talk was cool, but again, they’re using a non-mainstream technology to fix the problems. I think people really need to start using the major technologies which are weak rather than using esoteric languages which take their fancy. PHP needs a lot of help, for example.

After lunch, I went to Dinis’ tool heavy presentation on the stuff he’s made this last year. Awesome tools. Might see if they work under Mono on the Mac. Except for the report generator, which is basically a waste of time. As a customer I HATE (and I mean I will return your report and not pay you HATE) getting nessus or other tool output auto-gen’d from XML into PDF. I don’t pay by the pound for my reports. I prefer short (10-20 page) reports which tell me what is wrong, carefully considered and rated. This is something that can be done in Word more easily than with Dinis’ tool. I’m sure Dinis’ report writing tool (he’s a total XML freak 🙂) works for his customers, but I’m not interested. If it gets out in the big bad world, I hope it doesn’t catch on. Our value is our skilled interpretation, not 1000 page automated reports.

After the last break, there was a panel discussion, which was far more lively than the previous day when everyone agreed with each other. It was hard as Gunnar let people speak who had more than their turn. There was one particular lady who just butted in all the time. I had my hand up for half an hour before I could get a word in edgeways, thus not allowing me to state a couple of points about user security education which I vehemently disagreed with, but couldn’t as the flow had moved on. Oh well. I’ll butt in next year – being a good guy does not pay off if you want to be heard. Despite this, it was a good and lively session.

    Dave finished the conference up. After we had finished, Pravir Chandra and I went out to dinner. I wished a few more could hang around, but many needed to get on flights home, and several wanted to go back to Brussels for food. We had a good meal in the center of the old city. Awesome food.

    I think it was extremely valuable as a conference. If I can, I’ll be back next year.

  • OWASP EU: Day 1

    Great day yesterday.

    Dinis’ keynote went off great, but he got rid of all my images and loaded it up like an essay. Might need to encourage the OWASP presentation template to only contain a limited number of words per page, and increase the visual appeal of the slide pack. We don’t read slides, we present them.

    The panel I sat on after the keynote was amazing – Microsoft sent in a sacrificial victim in the form of Alex Lucas, and he did really well. The crowd was a bit restless, but honestly, I think they saw the light by the end. The funny thing was that Microsoft was arguing for more stringent safeguards than most of the panel members, but even more funny is that the panel members agreed with the SDL (for the most part). This got a laugh from the audience when it was brought up, but also demonstrates how far Microsoft has come over the last few years.

    Alex had a proof galley of the forthcoming SDL book from Lipner and Howard. I considered mugging Alex and stealing the book – it is totally awesome! This book is what everyone needs, particularly if you don’t have a strong security process today.

I went to a bunch of presentations (including my own!), and learnt a lot. I was particularly freaked out by Amit Klein’s talk on HTTP Request/Response Smuggling/Splitting and peripheral devices. Awesome research.

    My slides for my Ajax presentation are here.

    After the day finished, we had a chapter leads meeting, where we discussed what we want to do over the next twelve months. We prioritized, and I think it’s going to be great. I’ll blog more on this in the next few weeks.

    Last but not least, we had a fabulous dinner at the Faculty club. Leuven is very confusing, and the trip to the Faculty club was via taxi, leaving me confused where I was located. But that’s okay, a fine meal, good wine, and excellent company left me warm and fuzzy. I trundled into a taxi near 11 pm (when it was just going dark!) and made my way back to my hotel, where I promptly fell asleep.

  • OWASP EU – Day -1, the free day

    I got up nice and early again. 6.30 am. So so wrong. Alien Andrew has landed and it’s freaky time again.

    After breakfast, I retired to my room to work on my slides. Good move! They look great now.

    After lunch in my room, I felt a bit tired, so took a nap. Awesome sleep. Woke up just before I had to go out for dinner with Dave Wichers and a few others.

    We moved to The Troubadour and had a nice meal, followed by a trip to a nearby square and some more beer. Beeer! Around 11.30 pm I retired into the rain, and walked in the wrong direction. Leuven is a little town, so the cabs were hard to find. By the time I got one, I was thoroughly wet and cold.

    Got back to the hotel room – sore feet and wet and tired. Went to sleep straight away. Fantastic, productive day with friends, food and beer.

  • OWASP EU – Travel (MEL -> LHR so far, roughly 16000 km and 24 hours)

    I’m sitting in London Heathrow after a monumental flight. It’s so wrong. Even in business class there’s no avoiding the fact that it’s a long time to sit down. And as many of you know, I love a good sit down.

    After flying in business class to Europe for the first time, it’s definitely 1000% better than being in cattle class. The (hardish) seat folded down nearly flatly, or would have if it wasn’t designed for small women and children. My shoulders hit the sides of the capsule when my feet fit under the capsule in front of me. Now I know I’m a bit on the round side, but I doubt my shoulder girth will change if I ever become svelte. I’m not going to be less than 180 cm any time soon, so these seats need a little fine tuning. Even if the capsules had a soft side, it would be acceptable.

    After exhaustion set in, I took sleep where I could, and I must say I’m feeling much more awake and less tired than even the last time I travelled to Las Vegas.

The flight was fun – we flew over many countries I’ve never set foot in – China, Tibet, bits of Nepal with the Himalayas in the distance with a fine dusting of snow, Russia (seemingly forever!) including flying near St Petersburg, Latvia (Riga), Ukraine, Finland, Denmark, Holland, Belgium (… I’ve been to those last two!). Unfortunately, although we flew during the day, it was clouds all the way from China through to landing with only a break or two when I bothered to open the blind.

Landing in England brings back memories. Obviously, they laid the best English late spring weather on for us: 16 C and rainy. It was 17 C, sunny and fine on the day I left Melbourne, and that’s three days shy of winter proper. It’s going to be amusing if the weather doesn’t clear up in Belgium for the conference.

    I’m not feeling very hygienic right now – could definitely use a shower. Unfortunately, the little airline (BMI) I’m travelling on for my next leg doesn’t have a shower in their “Business” class lounge, so that will have to wait until I get to the hotel in a few hours.

    At least I’m having a good time with roaming and wireless networks. Have SMS from the fiancée (yay team!) and knowing that my cats are well and likely to get good tummy rubs whilst I’m away is all good.