Whelp, I’m finally back from the OWASP conference. I feel completely beat up (like I felt after DefCon this year). In a good way, of course, just too much stuff going on. Let’s focus on some highlights, shall we? There were tons of big names in the webappsec space there in full force. Not least of which, and whom I had wanted to meet up with, were Samy (of Samy worm fame), pdp, Jeremiah Grossman, Dinis Cruz, Stefano Di Paola, Ryan Barnett, Shreeraj Shah, Tom Brennan and many more…
One noteworthy speech was Tom Stripling’s, on his work turning the gmodules.com XSS exploit into a Google.com exploit. I guess perhaps Google should read their own definition of cross site scripting that they quoted to me about this very same issue. Not to gloat too much, but I really hope Google enjoys that slice of humble pie. I don’t consider myself to be Google’s enemy, but when companies don’t listen, they have no one to blame but themselves. That said, I did talk to Google while I was there, and they expressed an interest in working more closely together going forward. As always, I’m a sucker for level headed thinking, so hopefully something good will come of that (more on that in a minute). Hopefully Tom will send me some technical detail that I can publish to go into more depth about how it worked.
Ryan Barnett had a really interesting speech on how OWASP has set up a fairly large network of honeypot proxies to watch and log bad guys attacking others. It wasn’t that that part was interesting (we’ve known for a long time that you shouldn’t consider proxies to be a good way to anonymize yourself) but the data that he logged was really interesting - specifically the use of these networks for click fraud.
My speech went well - I thought it was supposed to be a 40 minute speech (all the others were scheduled for 40 minutes, but mine was scheduled for over an hour). So I had looots of time for Q&A. Whoops! My speech was about how browsers had been insecure in the past and how that evolved into what we know today. I also gave some long term suggestions (which probably deserve a separate post, to be honest). There were some good questions asked, and I managed to convince everyone that I knew what I was talking about. What struck me was that not that many people in the webappsec space really knew much about browsers. It’s the other half of what we work on, so I think it’s critical that we keep a close eye on what browsers are doing and how they are evolving to help us be secure.
While I was there several people asked me to head up a browser security group, probably with six or seven members (to keep it lean, mean and potent). But the likely people involved will be a representative from two or three browser manufacturers (IE, FF and maybe Safari if we can find someone who’s interested over there) as well as a few large companies with web presence (like eBay and Google - both of whom have expressed interest). Perhaps we can push forward some of the changes I have been talking about for three or more years.
Samy’s speech was by far the best one I attended - not for the technical meat, because I think we are all pretty educated on the technical details by now, but because the story was just hilarious. Jeremiah and I got a picture with him wearing “Samy is my hero” shirts. I haven’t laughed that hard in a long time! But to quote a sanitized version of what one guy said, “Samy knew nothing about webappsec and one day he walked in, dropped his pants and took a huge dump on our industry and then left again. And we just looked around at one another and said, ‘What just happened?’” Yup, he completely changed our industry in ways that will probably never be completely understood. He may have caused a lot of trouble, but he really did come out with a lot of friends (myself included). One funny quote was that at some point a police officer pulled him over and mentioned that he had been convicted of theft and something else, and Samy said, “The theft charge is BS - I didn’t steal a million friends!” Cracked me up. Samy was not allowed to touch the computer during the speech, which required some coordination so that other people wrote the PowerPoint deck and operated it during his speech. What a life!
The panel I was on (about vulnerability disclosure) was mostly uneventful although one comment made by Oracle set me off a little. They said they don’t work with people who do irresponsible vulnerability disclosure. I think that’s so backwards and something Microsoft has really gotten right. Companies need to understand that the only way they are going to get hackers on their side is to reach out to them and figure out what they know, what makes them tick and get the hackers to start working with them instead of against them. Not to pick on Oracle on that one, but I’ve seen that attitude a lot and I think it’s a dangerous route (one that I’ve seen fail countless times now).
Anyway, it was a great time, punctuated by lots of laughs, and I’m really looking forward to the next one in New York/New Jersey, led by Tom Brennan. Having been to just a normal meeting there, I have high expectations for the next one. For everyone I met while I was there, thanks for taking the time to talk to me! It’s always nice to put faces to the names and have some interesting conversations with smart people.
In other quick news, there is an interview with me in (in)secure magazine and if you haven’t already seen it on Jeremiah’s blog, the WhiteHat roundtable was posted online. Also, there is a rumor that Fortify is releasing a 22 minute movie about hackers that I am in. Okay, maybe it’s not a rumor, but I’m not sure what the timelines are on that one or how they’re going to release it. I have gotten a sneak preview and it had a pretty interesting cast of characters in it. Lastly, id and I are doing a system migration this weekend, so if you notice(d) some downtime that’s what’s going on. Anyway, that is all for now!