IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


Red faces all round

The organisers of the conference set the attendees a challenge at the start of the show. They gave delegates a string of numbers and asked them to crack the code and reveal the message. At stake was free admission to next year's conference.

Many of the 13,000 attendees, including the finest minds in the security industry, tried to break the code. I've heard discussion of it all over the show, with some outlandish ideas using higher mathematics and one guy who was convinced the answer lay in statistical analysis of the speaker program. Still, as the show closed, no-one had cracked the code.

So there was justifiable shame for all when the encoding device was revealed - a Dick Tracy comic code book. It seems sometimes we can be too clever for our own good.

February 18, 2005

Language matters

Veteran con man Frank Abagnale gave a riveting final keynote. He punctured some of the myths from the film ‘Catch Me If You Can’: for example, he never saw his father after the age of 16 and he never flew with Pan Am. He made no money from the film and was barely involved in filming. Abagnale isn’t a hacker but is one of the finest social engineers of his time. He detailed how to bluff administrators by using their language. Pilots, for example, always refer to aircraft as ‘equipment’; simply using the correct language engenders trust. It was knowledge like this that saw him steal millions of dollars and fly over a million miles in the jump seat of various aircraft. Then he befriended a doctor who was going through a divorce, picked up the medical jargon and started reading medical textbooks, and posed as a doctor using that knowledge. He is also brutally honest. He said what he did was immoral, illegal and unethical, but that he is not a genius, just observant. There’s a whole generation of social engineers who have learnt his lessons, but sadly not his morality.

His talk ended with the only standing ovation of the conference, and he deserved it.

February 18, 2005

Sly and the Simpsons

Sometimes this show can get downright surreal.

The National Security Agency, also known as No Such Agency in Washington due to its total secrecy, had a stand at the show and has enlisted celebrities to make the point about security.

All well and good you might think but was Sylvester Stallone the best choice? He also needs some work on his scripts.

Anyone who knows the Simpsons will be familiar with Troy McClure’s tagline “You may remember me in such films as…” Yet with no trace of irony Sly used the same line to describe his previous films like Demolition Man.

The effect was more hilarious than informative. Several delegates were seen peering into their drinks to see if someone had spiked them.

February 18, 2005

The Teletubbies are evil

Simon Singh may be a great author but he may have overreached himself on his keynote speech.

First off he proved that the Teletubbies were evil. The thinking is this: the BBC spent time and money creating the Teletubbies. Everyone knows time equals money, so the equation time and money becomes money and money. Since money is the root of all evil, the Teletubbies are therefore the spawn of Satan.

There were more Satanic references later. He played Led Zeppelin’s ‘Stairway to Heaven’ backwards as a demonstration of how humans can be fooled. At first it sounded like gibberish, but after he displayed words about sad Satan hurting in a woodshed, half the conference claimed to have heard the words.

February 17, 2005

The women are coming

As I’ve mentioned, the IT industry is very male dominated, and security especially so.

So it was encouraging to see at the chief security officers' round table that women outnumbered men. Not only is the more even sex mix great news, it also gives you hope that the glass ceiling could at last be breaking.

February 17, 2005

Tools and tricks

The conference isn’t just about learning new technical tricks; there’s also a huge trade show attached. In order to lure potential customers to their stands, various companies have been trying some cool tricks to wind in the punters.

Patchlink’s t-shirts were being given away hand over fist, although the bright orange hue could only appeal to the fashionably challenged. Meanwhile Cyberlink resorted to the oldest trick in the book and had a very attractive young lady in a purple guard uniform on the stand with a very, very short skirt. The predominantly male audience swarmed in.

There were iPods aplenty to be won for the donation of a business card and Microsoft were giving away Xbox games in a Wheel of Fortune game for anyone who completed a questionnaire. They also sponsored a cryptolounge with video and pinball games, TV, table football and comfy seats that were a dream after the day’s walk.

Top marks however go to PGP for their strategy to draw people to the stand. Fresh cold beer was on tap at the stand – now there’s an incentive.

February 17, 2005

Future fortunes to be made

It was the venerable Chairman Mao who coined the phrase “Build windmills not windbreaks” in the little red book that was much loved by faux socialists in my early years.

He might have had a point though. I heard just that quote from a good capitalist today describing how to profit from technology. Futurologist Paul Saffo used the example of a Silicon Valley engineer who was given the task of designing microwave relay stations.

Once he realised what the technology would do to communications, he looked one step beyond and saw that there was a retirement fund to be had here. He rented the tops of mountains across the country and now makes a fine living sub-letting them to communication companies.

February 17, 2005

The hardest thing to say

When I saw that there was a debate on the security merits of open source software versus Microsoft, I, and many others, figured “Debate? What debate?”

Hardly a day seems to go by without another virus or hack attack against Redmond’s software while Linux users nearly match Apple devotees for smugness over their code’s hardness.

So when Microsoft came out on top we all had to eat a little humble pie – it was almost as if Santa had turned out to be Satan.

Nevertheless, don’t dismiss this study out of hand. One of the authors seemed genuinely upset at his results and he urges us all to try to find flaws in his methodology. Please do so, because today’s finding left most delegates deeply disturbed.

February 17, 2005

It’s not the caffeine, it’s just me

This morning’s roundtable on regulation was a lively affair. The panellists went at each other hammer and tongs, an impressive feat considering it was 8am and most of the rest of us were feeling very sluggish.

Bruce Schneier was on excellent form as usual but may have been chemically assisted. He walked on stage with a small thermos and sipped repeatedly from it during the debate.

I caught up with him after the show and asked him about its contents. It turns out he’s a tea drinker and is seldom without his thermos of the sacred leaf. On the other hand he denied it had given him the edge that morning.

“That wasn’t the caffeine talking, that was me as normal,” he said.

“I haven’t had that much fun in ages.”

February 17, 2005

Hypocrisy anyone?

Microsoft’s Spynet network has gained less than positive reviews at the show.

This is a company that has consistently said that open source can’t be taken seriously because it relies on amateurs to do its tech support.

Yet what is their answer to spyware? Not to take the Symantec/McAfee route and invest in laboratories around the world to deal with new security threats, but to rely on beta test volunteers as source material. Plenty of people are smelling a rat.

February 16, 2005

Hail the conquering hero...

You know the IT industry is getting mature when delegates start talking about the good old days when passwords were the ultimate and mainframe security was the main issue.

So when Gartner’s Victor Wheatman took the stage he was greeted with cheers and the geek equivalent of Shakespeare’s “Hail stout yeoman, well met” – in this case more shouts of “Where’s my client server software you dog!”

But the excitement of seeing someone who’s fun, intelligent and has seen it all for the last twenty years can’t be feigned. We may be a young industry by the standards of some but there’s an esprit de corps among those in the know that recognises someone who spots the trends before they happen.

February 16, 2005

The gloves are off

Crypto folks are naturally cagey and, by the standards of the IT industry, they are very reserved. As the old joke goes: how do you tell an extrovert geek? He looks at YOUR shoes.

So it was encouraging to see the first genuine enthusiasm among the audience for John Thompson from Symantec. He’s an exciting speaker, with enough charisma to wipe the floor with most other players in the industry.

But the conference thus far has been low on passion, so when he put the boot into Microsoft we got the first genuine round of applause of the day, and it was gratifying to hear. Symantec and Microsoft used to be best buddies on the IT circuit, but now they’re fighting over the same turf the gloves are off, it seems.

February 16, 2005

Jottings and dashing

Bill Gates was on jocular form during his keynote this morning. He mentioned the infamous memogate when he left a page of scribblings at the conference that were wrongly attributed to Tony Blair.

Thankfully he said one note wasn’t on there – why was Bill Clinton the one who got to sit next to Angelina Jolie?

He’s also got smarter about demonstrations, as a Dutch colleague pointed out. After his last encounter with the blue screen of death he now leaves the stage for every demonstration and lets his staff do it instead. A wise PR strategy certainly, but it robs the watcher of much of the fun if things do go wrong.

February 16, 2005

Gone phishing

The secret to a successful phishing scam is to have the right bait. And the secret to exposing a phishing scam and leaving it dead in the water is to make sure that this bait is not attractive.

This nefarious practice attempts to part unwary internet users from their sensitive financial details by tricking them into logging into a maliciously crafted website that is designed to look like their bank's log-in page.

It is testimony to the fast-growing threat that Microsoft, eBay, PayPal and Visa have clubbed together in a bid to pour cold water over the phishers.

The industry giants have created the Phish Report Network. Billed as the internet industry's first worldwide anti-phishing aggregation service, the service is to be applauded for taking at least a step in the right direction by effectively creating a blacklist of known phishing sites.

It's far from perfect, as the phishers will inevitably just move on after a scam site is exposed, but at least it's a start.

February 15, 2005

So many passwords, so little time

So many passwords, so little time - I can count at least a dozen different user names and passwords that I use to access systems on a regular basis, plus a whole bunch for rarely used services that I've completely forgotten. So it is no surprise that a major focus at this year’s RSA Conference is the sorry state of password security. It seems that most of us are using fewer than five passwords for all our computer access. Easier to remember, although from a security point of view this is perhaps not the best practice, as it puts a few too many eggs in too few baskets. A lucky one in eight have even managed the tremendous feat of slimming down to one password for everything, which would have any self-respecting hacker rubbing their hands with glee. Of course, that password is almost certainly "password" or their own name. And it's probably written on a post-it note stuck to the side of their monitor.

February 15, 2005

Online blues

The RSA conference kicks off in a couple of hours and already the news has started.

There’s a tendency for those at the bleeding edge of security to scoff at security fears – after all, the right browser and intelligent passwords can protect against a lot of online crime. But if the results from the latest survey on ecommerce are anything to go by, consumers are getting worried.

This is a serious problem. The internet is the most important technological innovation since the printing press, not only for linking disparate world communities but also for ecommerce. If people turn away from online business we’ll have lost a great asset and the world will be a poorer place in every sense of the word.

February 15, 2005

Roll up, roll up for the biggest IT sec show on earth

The 14th annual RSA Conference is billed as the biggest and the best event in the world for information security professionals. A well-established fixture in the IT pro's calendar, this year's show is held in San Francisco, at the Moscone Convention Center between February 14 and 18.

In fact the scale of the conference makes it one of the more daunting regular events, as the 10,000 expected attendees fight it out to get the latest info on the services and solutions offered by over 250 exhibitors.

One thing's for certain: IT security professionals know that attacks are getting worse in terms of their nature, severity and frequency. In the face of this fast-moving and exponentially growing threat, the RSA event can provide valuable lessons by offering fresh approaches to security.

But all work and no play is no way for IT security pros to behave, or journalists for that matter. We'll keep you up to date with all the breaking news from the show. But there is another key benefit of the RSA bash: it's in San Francisco, one of our favourite towns.

February 15, 2005

"Golden" Gates set to speak at RSA conference in San Francisco

The RSA Conference 2005 kicks off in San Francisco later today. Keynote speakers include Bill Gates of Microsoft and fraud author Frank W Abagnale.

IT Week's Roger Howorth and VNUnet's Iain Thompson will be at the show and will be sending news and blogs back from the show floor, so keep checking back to see all the latest news and gossip.

As Roger notes in his story on IT Week today, key issues likely to be discussed at the show include possible legislation affecting vendor liability for security products. But Roger thinks that this subject won't be touched on by the "Golden" Gates himself, who would probably prefer not to see another court case involving his software.

Personal identity theft, compliance, cryptography, web services and new ideas about mobile & wireless security will also be covered at the show. For Roger's full report see

February 14, 2005