
Posts Tagged ‘dotSecurity2017’

[DotSecurity2017] Names and Security

As the internet keeps expanding and identities mingle in a vast virtual marketplace, a name is no longer a mere label: it is the thing that legitimacy and liability attach to. Paul Mockapetris, the designer of the Domain Name System (DNS), made that case at dotSecurity 2017, arguing that names, rather than addresses, are becoming the native unit of the network. His pedigree is hard to match: DNS itself dates to his 1983 work at USC's Information Sciences Institute, and he is now chief scientist at ThreatSTOP, which gives his reading of the protocol's security an unusually long view.

Paul opened with principles. The value of a network lies in connectivity, and the generative move is to repurpose what already exists: DNS provides a namespace whose hierarchy grants fine-grained control while acting as the glue that holds the global system together. It scales because it is delegated: the root hands authority to the top-level domains, which hand it down in turn, so each zone is run autonomously yet the whole remains one coherent tree. That same prominence makes names a target. Phishing trades on look-alike names, malware hides behind throwaway ones, and DDoS abuses the resolution machinery itself. Paul ran through the main perils: DNS amplification, where open resolvers unwittingly turn a small spoofed query into a response several times larger, aimed at the victim; cache poisoning, where a forged answer is planted in a resolver and then served for the lifetime of its TTL; and the brittleness of BGP, where a rerouted prefix lets traffic be tunnelled through an attacker's network.

The countermeasures he covered start with DNSSEC, whose RRSIG records sign zone data and whose DS records chain each delegation to its parent, but whose adoption, about 1% of domains in 2017, limits what it can do. Paul's preferred remedy is name-based defence: reputation, in the form of Sender Policy Framework (SPF) checks on mail senders and Domain-based Message Authentication, Reporting and Conformance (DMARC) policies on domains, and filtering, with blocklists denying and allowlists admitting. ThreatSTOP's approach uses DNS as the enforcement point, with policies chosen by the user rather than imposed by the ISP; the EFF has been ambivalent, since the same mechanism sits close to censorship. The payoff is a kink in the kill chain: block the download domain and the command-and-control lookup, and malware is silenced before it can move to its next stage.
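The resolver-as-sentinel idea can be made concrete. What follows is an added example written for this recap, not ThreatSTOP's code: a small policy engine that matches queried names against block and allow entries by suffix, refuses download and phishing names, and sinkholes command-and-control lookups so the beacon stays visible in the logs. The policy entries, the sinkhole address 10.0.0.53 and the BIND-style query log lines are all constructed for the demonstration.

```python
"""Resolver-side DNS policy: the enforcement point Paul describes.

Added example for this write-up, not ThreatSTOP's code. The policy entries,
the query log lines (a BIND-like format) and the sinkhole address are all
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SINKHOLE = "10.0.0.53"  # assumed sinkhole address, not a real service


@dataclass
class Policy:
    # Entries match a name and everything below it: "evil.example" also
    # covers "update.evil.example".
    block: Dict[str, str]   # domain -> reason ("c2", "malware-download", ...)
    allow: List[str]        # more specific allow entries override a block

    @staticmethod
    def _longest_match(qname: str, entries) -> Optional[str]:
        labels = qname.rstrip(".").lower().split(".")
        # Walk from the full name to the shortest suffix; the first hit is
        # the most specific entry, which is the one that should decide.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in entries:
                return suffix
        return None

    def decide(self, qname: str) -> Tuple[str, str]:
        """Return (action, detail); action is PASS, NXDOMAIN or SINKHOLE."""
        blocked = self._longest_match(qname, self.block)
        if blocked is None:
            return "PASS", ""
        allowed = self._longest_match(qname, set(self.allow))
        if allowed is not None and len(allowed) > len(blocked):
            return "PASS", f"allowlisted by {allowed}"
        reason = self.block[blocked]
        # C2 names are sinkholed so the beacon becomes visible in our logs;
        # download and phishing names are simply refused.
        if reason == "c2":
            return "SINKHOLE", f"{SINKHOLE} ({blocked})"
        return "NXDOMAIN", f"{reason} ({blocked})"


def filter_log(policy: Policy, lines: List[str]) -> List[dict]:
    """Apply the policy to query log lines of the form
    '<time> client <ip>#<port>: query: <qname> IN <qtype>'."""
    results = []
    for line in lines:
        parts = line.split()
        if "query:" not in parts:
            continue  # not a query line (notify, update, ...)
        i = parts.index("query:")
        client = parts[i - 1].split("#")[0]
        qname, qtype = parts[i + 1], parts[i + 3]
        action, detail = policy.decide(qname)
        results.append({"client": client, "qname": qname, "qtype": qtype,
                        "action": action, "detail": detail})
    return results


def summarize(results: List[dict]) -> Dict[str, int]:
    return dict(Counter(r["action"] for r in results))


# Constructed policy and log lines for the demonstration.
POLICY = Policy(
    block={"evil.example": "malware-download",
           "c2.example": "c2",
           "phish.example": "phishing"},
    allow=["cdn.evil.example"],
)

QUERY_LOG = [
    "12:00:01 client 192.0.2.10#51234: query: www.example.org IN A",
    "12:00:02 client 192.0.2.10#51235: query: update.evil.example IN A",
    "12:00:03 client 192.0.2.11#40001: query: beacon.c2.example. IN A",
    "12:00:04 client 192.0.2.12#40002: query: cdn.evil.example IN AAAA",
    "12:00:05 client 192.0.2.13#40003: query: login.phish.example IN A",
    "12:00:06 client 192.0.2.14#40004: notify: zone example.org",
]

if __name__ == "__main__":
    for r in filter_log(POLICY, QUERY_LOG):
        print(f"{r['client']:<12} {r['qname']:<24} {r['action']:<9} {r['detail']}")
    print(summarize(filter_log(POLICY, QUERY_LOG)))
```

The longest-suffix match is what lets the allow entry for cdn.evil.example override the block on evil.example; a shortest-first match would block the CDN as well. The count of SINKHOLE hits per client is the kill-chain signal the talk describes: a host that keeps resolving a sinkholed C2 name is already infected and is now visible.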

Paul's prognosis is that addresses will fade and names will take over: content will be chunked and named by cryptographic hash, and bounties will pay for finding the bits that are wrong. In that reading, naming becomes the scaffold on which the internet's security and integrity are built.

Nomenclature’s Nobility and Perils’ Palette

Paul's principles: the network's value is its connectivity, and DNS's delegated namespace is what lets it scale. The perils: amplification, cache poisoning and BGP hijacking.

DNSSEC’s Deeds and Name’s Nativity

DNSSEC signatures give assurance but adoption lags; reputation systems (SPF, DMARC) and filtering fill the gap. ThreatSTOP's theorem: personalised policy at the resolver cuts the kill chain short.

Bounties’ Beacon and Futures’ Forge

Addresses give way to names, content gets named by its hash, and bounties reward finding flawed bits. Paul's prophecy: names as the native unit of the network, and the scaffold of its security.


[DotSecurity2017] DevOps and Security

When development moves at a velocity that sweeps away old certainties, security has to merge with speed or be left behind. Zane Lackey, co-founder of Signal Sciences and formerly head of security at Etsy, described that merger at dotSecurity 2017, recounting Etsy's path from waterfall to DevOps: around 100 deploys a day, and a security function that made developers self-sufficient. His thesis, learnt from scaling safeguards in that environment, is that security must move from gatekeeper to enabler, and that visibility is what makes vigilance possible.

Zane identified three transformations. Velocity: releases that once took 18 months now ship in minutes. Infrastructure: in the cloud, with containers churning, the machines are an abstraction rather than a fixed estate. Ownership: developers own their own deploys. Security has to change with them, from an outsourced obstruction to an integrated source of feedback that leads to fixes. Etsy's culture supplied the means: blameless postmortems, and ChatOps, where a vulnerability is raised in Slack, discussed in the open and its fix celebrated there.

Visibility comes first: dashboards and signals, which is what Signal Sciences builds, sensing a surge of attacks as it happens. Feedback has to arrive where developers work, in CI results and pull request review, and in their vocabulary rather than the security team's. Zane's closing vignette was about external researchers: when a reported exploit is patched within hours, the relationship with the reporter turns positive and the proactive patch becomes the story.
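Feedback in the developer's vocabulary, at the pull request, looks something like this. It is an added example written for this recap, not Etsy's or Signal Sciences' tooling: a scanner that reads a unified diff, checks only the lines a change adds against a few rules, reports file and line on the new side of the diff, and renders the result as the short message a bot would post in the PR or in Slack. The rules and the sample diff are constructed for illustration.

```python
"""Security feedback in the pull request, the way Zane describes it landing
in CI and chat.

Added example for this write-up, not Etsy's or Signal Sciences' tooling. The
rules and the unified diff are constructed for illustration; the diff is the
only input and no repository access is needed.
"""
import re
from dataclasses import dataclass
from typing import List

# Each rule looks only at lines the change adds, so the author gets feedback
# on their own work rather than on legacy code.
RULES = [
    ("hardcoded-credential",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*=\s*["'][^"']{8,}["']"""),
     "looks like a credential committed to source; load it from the environment or a secret store"),
    ("tls-verify-disabled",
     re.compile(r"verify\s*=\s*False"),
     "TLS certificate verification is turned off, which invites interception"),
    ("shell-true",
     re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
     "shell=True with interpolated arguments is a command injection risk"),
    ("eval-call",
     re.compile(r"\beval\s*\("),
     "eval on anything derived from input is remote code execution"),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int        # line number in the new version of the file
    rule: str
    snippet: str
    advice: str


def scan_diff(diff_text: str) -> List[Finding]:
    findings: List[Finding] = []
    path, new_line = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number on the new side
            continue
        if raw.startswith("---") or raw.startswith("diff ") or raw.startswith("index "):
            continue
        if raw.startswith("+"):
            text = raw[1:]
            for rule, pattern, advice in RULES:
                if pattern.search(text):
                    findings.append(Finding(path, new_line, rule, text.strip(), advice))
            new_line += 1
        elif raw.startswith("-"):
            pass            # removed line: it has no new-side line number
        else:
            new_line += 1   # context line
    return findings


def format_for_chat(findings: List[Finding]) -> str:
    """Render findings as the short message a bot posts in the PR or Slack."""
    if not findings:
        return "security-bot: no findings in this change"
    lines = [f"security-bot: {len(findings)} finding(s) to look at before merge"]
    for f in findings:
        lines.append(f"- {f.path}:{f.line} [{f.rule}] `{f.snippet}` -> {f.advice}")
    return "\n".join(lines)


# Constructed diff: a developer swaps an environment lookup for a literal key
# and disables certificate checks to get past a proxy.
SAMPLE_DIFF = """\
diff --git a/app/payments.py b/app/payments.py
--- a/app/payments.py
+++ b/app/payments.py
@@ -10,4 +10,6 @@ def charge(card):
 import requests
-API_KEY = os.environ["PAYMENT_API_KEY"]
+API_KEY = "live_key_0123456789abcdef_example"
+resp = requests.post(url, json=data, verify=False)
 return resp.json()
"""

if __name__ == "__main__":
    print(format_for_chat(scan_diff(SAMPLE_DIFF)))
```

The line numbers come from tracking the new side of each hunk, so the message can be posted as an inline review comment rather than a wall of text; the advice string is the part that makes it feedback instead of a rejection.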

The DevOps dividend is that safety rises with speed: ordinary engineers are empowered and mishaps are caught sooner.

Transformations’ Tide and Security’s Shift

Zane's three shifts: velocity, cloud infrastructure and developer ownership. Security moves from gatekeeper to enabler.

Visibility’s Vista and Feedback’s Flux

Dashboards and ChatOps for visibility; CI and pull request checks for feedback. Zane's vignette: rapid patches turn researchers into allies.


[DotSecurity2017] The Digital Battle

In a digital arena where innovation arrives alongside new forms of crime, protecting society now means more than protecting devices. Mikko Hypponen, chief research officer at F-Secure, surveyed the fight at dotSecurity 2017, tracing the costs of connectivity from Nokia's decline to the rise of the Internet of Things. A fixture of the antivirus world since 1991, Mikko combined his catalogue of malware with a call for collective action against threats that are now everywhere.

Mikko's account moved through time. The iPhone arrived in 2007 and the internet moved into our pockets; the price was privacy, paid in profiles. Young users happily trade data for videos served by Google. Privacy may be largely lost, but security can still be won, and society, not the screen, is what is at stake. Crime has been commoditised and ransomware has risen with it: CryptoWall alone took an estimated $325 million, while victims now have the No More Ransom project to turn to.

Then the IoT incursion: the Mirai botnet conscripted some 600,000 devices into DDoS attacks that took down Dyn and knocked Brian Krebs' site offline. Mikko's maxim is that default credentials and missing patches are the root cause, and that disposable devices will never be defended by their owners. A refrigerator can be a reconnaissance point and a lamp a liability, and when the cloud fails, as in the AWS S3 outage earlier in 2017, connected ovens are orphaned.

His note of hope: manufacturers such as IKEA are starting to take security seriously, and investment in it is what keeps society safe.

Innovation’s Influx and Privacy’s Peril

Mikko mapped the metamorphosis: Nokia's fall, the iPhone's rise, and privacy paid out as data.

Malware’s Myriad and IoT’s Insurgency

Ransomware's take and Mirai's muster: Dyn flooded, defaults to blame. When the cloud crumbles, the chaos cascades.


[DotSecurity2017] Verifiable Lotteries

Wherever randomness decides outcomes, from visa draws to audit selection to tournament brackets, the authority's assurance that the draw was fair is usually just that: an assurance, with nothing to check. Joseph Bonneau, a cryptographer in Stanford's Applied Crypto Group and formerly of Google and the Electronic Frontier Foundation, took up the problem at dotSecurity 2017, arguing for verifiable randomness as the anchor of algorithmic accountability. His path from Bitcoin research to privacy engineering ends in constructions that force proof out of chance, whether it comes from dice or from cryptographic commitments.

Joseph first contrasted physical ceremonies: lottery balls can be weighted and dice loaded, so the transparency is theatre while the temptation to tamper remains. Cryptography answers with commitments: each participant publishes the hash of a secret value, and only after everyone has committed are the values revealed and combined, so nobody can choose their contribution after seeing the others. Delay functions (later formalised as verifiable delay functions, VDFs) address the remaining problem: a computation that takes a fixed amount of sequential time, with a cheap proof of its result, means the last party to reveal cannot try alternatives fast enough to steer the outcome. His gem is a lottery ledger: participants pledge, commitments are concatenated, and the hash of the reveals picks the winner.
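The commit, reveal and delay steps of that lottery ledger, as an added example written for this recap rather than Joseph Bonneau's own code. Participants publish salted hash commitments, reveal only once all commitments are in, and the combined seed passes through a sequential delay before the winner is picked. The participants, their secrets and the delay length are constructed; the delay here is plain iterated hashing, which a checker can only verify by redoing the work, whereas a real VDF supplies a short proof so verification is fast.

```python
"""Commit-reveal lottery with a sequential delay before the draw.

Added example for this write-up, not Joseph Bonneau's code. The participants,
their secrets and the delay length are constructed for illustration. The
delay is plain iterated hashing, which a checker can only verify by redoing
all the work; a real VDF adds a short proof so that verification is fast.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

Reveal = Tuple[bytes, bytes]  # (salt, secret)


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def commit(name: str, salt: bytes, secret: bytes) -> bytes:
    # Binding: the secret cannot be changed once the hash is published.
    # Hiding: the salt stops others from brute-forcing a low-entropy secret.
    return sha256(b"lottery-commit|", name.encode(), b"|", salt, b"|", secret)


def verify_reveals(commitments: Dict[str, bytes], reveals: Dict[str, Reveal]) -> List[str]:
    """Names whose reveal is missing or does not match their commitment."""
    bad = []
    for name, c in commitments.items():
        if name not in reveals:
            bad.append(name)
            continue
        salt, secret = reveals[name]
        if not hmac.compare_digest(commit(name, salt, secret), c):
            bad.append(name)
    return bad


def sequential_delay(seed: bytes, steps: int) -> bytes:
    # Every step depends on the previous output, so the work cannot be
    # parallelised: the last party to reveal has no time to try alternatives.
    out = seed
    for _ in range(steps):
        out = sha256(b"delay|", out)
    return out


def draw(commitments: Dict[str, bytes], reveals: Dict[str, Reveal], steps: int = 20000) -> str:
    bad = verify_reveals(commitments, reveals)
    if bad:
        raise ValueError(f"reveal does not match commitment: {bad}")
    # Combine in an order fixed by the commitment phase (sorted names), not the
    # order in which reveals happened to arrive.
    names = sorted(commitments)
    seed = sha256(*(reveals[n][1] for n in names))
    out = sequential_delay(seed, steps)
    return names[int.from_bytes(out, "big") % len(names)]


# Constructed participants; a real draw would use 32 random bytes for each.
PARTICIPANTS: Dict[str, Reveal] = {
    "alice": (b"salt-alice-0001", b"secret-alice-7c1d"),
    "bob":   (b"salt-bob-0002",   b"secret-bob-3e9a"),
    "carol": (b"salt-carol-0003", b"secret-carol-b44f"),
}


def run_example(steps: int = 2000) -> Tuple[str, List[str]]:
    # Phase 1: everyone publishes a commitment.
    commitments = {n: commit(n, s, x) for n, (s, x) in PARTICIPANTS.items()}
    # Phase 2: reveals; honest reveals produce the winner.
    winner = draw(commitments, PARTICIPANTS, steps)
    # Carol, revealing last, tries to substitute a secret chosen after seeing
    # the others; her commitment gives her away.
    grinding = dict(PARTICIPANTS)
    grinding["carol"] = (PARTICIPANTS["carol"][0], b"secret-carol-chosen-late")
    return winner, verify_reveals(commitments, grinding)


if __name__ == "__main__":
    print(run_example())
```

Two details carry the security argument: the seed is formed in an order fixed before any reveal, so arrival order cannot be used to influence it, and a participant who withholds their reveal is named by `verify_reveals` rather than silently dropped, because silently dropping them would hand the last revealer a one-bit choice over the outcome.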

Applications multiply: H-1B visa lotteries, election audits, even who gets bumped from an overbooked flight. Joseph's jab at FIFA's tournament draws, which regularly leave fans suspicious, showed what verifiability would settle. Public blockchains help: a Bitcoin block hash, like a stock market closing price, can serve as a shared random beacon, provided a delay function keeps miners or traders from manipulating it at the last moment.

Open problems remain: making delay functions fast to verify, and keeping parallel hardware from shortcutting them; a fertile research area. Joseph's rallying cry is to demand documentation, from Dashlane's draws to FIFA's fixtures to government lotteries, because the cryptography to provide it exists.

Randomness’ Riddles and Physical Pitfalls

Joseph juxtaposed weighted balls and loaded dice with commitments as the cure and delay as the deterrent.

Constructs’ Craft and Applications’ Ambit

Hash commitments and delay functions build a verifiable lottery, applicable to visas and audits; blockchains and stock prices serve as public beacons.


[DotSecurity2017] Collective Authorities: Transparency & Decentralized Trust

In a landscape where a single authority, once compromised or coerced, takes everything with it, collective oversight is a source of resilience. Philipp Jovanovic, a cryptographer and postdoctoral researcher at EPFL's Decentralized and Distributed Systems (DEDIS) lab, argued the point at dotSecurity 2017, advocating cothorities: collective authorities that spread control across many parties and so reduce dependence on any one of them. Drawing on work in provable security and distributed systems, he showed how such groups protect services from time synchronisation to software distribution, replacing after-the-fact audits with proactive transparency.

Authorities are everywhere: time servers set clocks, DNS resolvers map names, certificate authorities vouch for identities. Each is pivotal and each is fragile, and a breach cascades: a corrupted clock undermines certificate validity, a rogue resolver sends a domain to an impostor. Conventional transparency, auditing after the fact, is reactive and can itself be suppressed. Cothorities counter this with groups of collaborators, each holding a share of the authority, who use consensus protocols to certify what the group does as it does it.

At the core is collective signing: a threshold scheme in which a statement counts as authorised only when at least k of n nodes have signed it, so no single node can act unilaterally. Philipp presented ByzCoin, which combines proof-of-work with practical Byzantine fault tolerance so that blocks are backed by collective endorsements and are not undone by forks. Applications follow: bias-resistant randomness beacons built from publicly verifiable secret sharing, where each node contributes a share and no one can steer the result; and decentralised software updates, where a release is co-signed only after the nodes have verified it, so the binary the user receives is the one that was reviewed. EPFL's building block is CoSi, which aggregates Schnorr signatures through a communication tree so that thousands of witnesses can endorse a statement efficiently.
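The shape of that collective signature, as an added example written for this recap rather than the DEDIS lab's CoSi implementation: each present witness commits to a nonce, the commitments are multiplied into one, a single challenge is hashed over the aggregate, and the responses are summed, giving one Schnorr signature plus a bitmask of who took part; the verifier checks the mask against the k-of-n policy and then the single equation. The group is a toy one (a 160-bit safe prime found at import time, with 4 generating the prime-order subgroup), the aggregation is flat rather than tree-shaped, and the keys and signed statement are constructed.

```python
"""Collective signing in the CoSi style: n witnesses co-sign one statement,
producing a single Schnorr signature plus a mask of who took part.

Added example for this write-up, not the DEDIS lab's CoSi implementation.
It uses a toy Schnorr group (a freshly searched 160-bit safe prime, with 4 as
generator of the prime-order subgroup) and flat aggregation instead of CoSi's
communication tree; the keys and the signed statement are constructed.
"""
import hashlib
import random
from typing import List, Tuple

Key = Tuple[int, int]              # (private x, public X = G^x mod P)
Signature = Tuple[int, int, int]   # (challenge c, response r, participation mask)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with fixed-seed bases; adequate for a demonstration group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0xC051)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, seed: int) -> int:
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, 2) and is_probable_prime(2 * q + 1, 2) \
                and is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = safe_prime(160, seed=2017)   # toy group; use a standard group in practice
Q = (P - 1) // 2                 # order of the subgroup generated by G
G = 4                            # a square mod P, hence of order Q


def keygen(rng: random.Random) -> Key:
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def aggregate_pub(pubs: List[int], mask: int) -> int:
    X = 1
    for i, Xi in enumerate(pubs):
        if mask >> i & 1:
            X = X * Xi % P
    return X


def challenge(V: int, X_agg: int, mask: int, msg: bytes) -> int:
    h = hashlib.sha256(f"{P}|{V}|{X_agg}|{mask}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def cosign(msg: bytes, keys: List[Key], present: List[bool], rng: random.Random) -> Signature:
    """Commitment round, challenge, response round; returns one aggregate signature."""
    mask = sum(1 << i for i, p in enumerate(present) if p)
    # Round 1: each present witness commits to a fresh nonce v_i; the leader
    # multiplies the commitments into V = G^(sum of v_i).
    nonces, V = {}, 1
    for i, _ in enumerate(keys):
        if present[i]:
            nonces[i] = rng.randrange(1, Q)
            V = V * pow(G, nonces[i], P) % P
    X_agg = aggregate_pub([X for _, X in keys], mask)
    c = challenge(V, X_agg, mask, msg)
    # Round 2: each witness answers r_i = v_i - c*x_i; the leader sums them.
    r = sum(nonces[i] - c * x for i, (x, _) in enumerate(keys) if present[i]) % Q
    return c, r, mask


def verify(msg: bytes, pubs: List[int], sig: Signature, threshold: int) -> bool:
    """Accept only if at least `threshold` of the n witnesses signed and the
    aggregate Schnorr equation G^r * X_agg^c == V holds."""
    c, r, mask = sig
    if bin(mask).count("1") < threshold or mask >> len(pubs):
        return False
    X_agg = aggregate_pub(pubs, mask)
    V = pow(G, r, P) * pow(X_agg, c, P) % P
    return challenge(V, X_agg, mask, msg) == c


def demo() -> Tuple[bool, bool, bool, bool]:
    rng = random.Random(42)
    keys = [keygen(rng) for _ in range(5)]
    pubs = [X for _, X in keys]
    statement = b"release app-1.2.3 sha256=constructed-digest"  # constructed
    full = cosign(statement, keys, [True, True, True, True, False], rng)
    short = cosign(statement, keys, [True, True, True, False, False], rng)
    return (verify(statement, pubs, full, threshold=4),
            verify(statement, pubs, short, threshold=4),   # only 3 of 5 signed
            verify(statement, pubs, short, threshold=3),
            verify(b"tampered statement", pubs, full, threshold=4))
```

The mask is part of the challenge input, so a signature produced by three witnesses cannot be passed off as one from four. Two things the toy leaves out matter in practice: witnesses' public keys must be registered with a proof of possession (otherwise a rogue key chosen as a function of the others lets one party forge the aggregate), and the commitment round must be completed by every witness before the challenge is computed, which is what CoSi's tree and timeouts manage at scale.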

The framework fortifies federated systems: binaries carry a blockchain-style chain of collective endorsements that users can check with a viewer tool. Philipp's prototype, the Update Cothority, has developers submit a release, nodes rebuild it independently, and the group attest to its authenticity only when the builds match. It scales: latency grows logarithmically in the number of nodes, commitment settles in under a minute, and throughput exceeds Bitcoin's.

The cothority creed: decentralisation pays out as transparency, authorities are strengthened rather than replaced, and trust is split into pieces that no one party holds.

Singular Sentinels’ Susceptibility

Philipp's perils: a tampered clock topples TLS; a duplicitous resolver misdirects domains. Audits are reactive and suppressible; cothorities correct this with collective, threshold-gated action.

Protocols’ Pantheon and Applications’ Array

ByzCoin blends proof-of-work with PBFT; CoSi aggregates signatures; sharding adds scale. Randomness beacons resist bias; updates are co-signed only after verification.


[DotSecurity2017] Counter-spells and the Art of Keeping Your Application Safe

Application security is a craft of wards against the web's hazards, and it has to be practised at speed. Ingrid Epure, a frontend engineer at Intercom, shared hers at dotSecurity 2017, turning the problems of a large Ember codebase into practical defences. A Romanian engineer based in Dublin, she has spent four years on Ember with Rails behind it, in a team of 55 engineers shipping on the order of 2,000 changes and 100 deploys a day.

Ingrid started with Intercom itself: real-time messaging, and a codebase growing by about 250 commits and 30,000 added lines at a time, where vulnerabilities ride in on velocity. Cross-site scripting is the first concern. Ember's `{{ }}` expressions escape HTML by default, so the danger lies in the ways around that: triple-brace `{{{ }}}` output and strings marked with `htmlSafe` are rendered raw, which is where injected markup gets in, and a Content Security Policy is the backstop. Her Ember hygiene: let the HTML-escaping helpers do their job, treat triple braces as taboo, and audit npm dependencies with the ember-cli tooling so that vulnerable packages are caught before they ship.

Cross-site request forgery next: Ember sends the CSRF token that Rails issues, and Ingrid contrasted the double-submit cookie with the synchronizer token pattern that Rails uses. Interceptors in Ember Data attach the token to every request so the Rails side can verify it. Then Content Security Policy: CSP level 2 brought nonces and hashes for inline scripts, level 3 adds 'strict-dynamic', and together they let the browser refuse any script the application did not intend to run. Her practical setup is an Ember addon to emit the policy and a Node endpoint to receive violation reports, which double as an alarm for anomalies.
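What a nonce-based policy actually does to an injected payload is easiest to see with a small simulation. This is an added example written for this recap, not Intercom's addon or Ingrid's code: a per-response nonce, the policy header that carries it (level 2 nonce plus level 3 'strict-dynamic', with fallbacks for older browsers), and an audit that walks rendered HTML and reports which script elements and inline event handlers the browser would allow or block. The page template, the injected bio and the report endpoint are constructed; the audit is a test aid that imitates the browser's decision, not a protection in itself.

```python
"""Nonce-based Content Security Policy, and a check of what it would block.

Added example for this write-up, not Intercom's addon or Ingrid's code. The
header builder emits real policy syntax; the audit below only simulates the
browser's decision for <script> tags and inline event handlers, so it is a
test aid, not a protection. The HTML page and report endpoint are constructed.
"""
import secrets
from html.parser import HTMLParser
from typing import Dict, List


def new_nonce() -> str:
    return secrets.token_urlsafe(16)   # 128 bits, fresh for every response


def csp_header(nonce: str, report_uri: str = "/csp-report") -> str:
    # CSP level 2: scripts run only with the matching nonce. Level 3:
    # 'strict-dynamic' lets nonce'd scripts load further scripts themselves.
    # Browsers that understand either directive ignore 'unsafe-inline' and
    # https:, which remain only as fallbacks for older browsers.
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
            f"object-src 'none'; base-uri 'none'; report-uri {report_uri}")


class _ScriptAudit(HTMLParser):
    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.allowed: List[str] = []
        self.blocked: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            what = f"script src={a['src']}" if "src" in a else "inline script"
            (self.allowed if a.get("nonce") == self.nonce else self.blocked).append(what)
        # Inline event handlers are script too; once the policy carries a
        # nonce, 'unsafe-inline' is ignored and every on* attribute is blocked.
        for name, _ in attrs:
            if name.startswith("on"):
                self.blocked.append(f"<{tag} {name}=...>")


def audit(html: str, nonce: str) -> Dict[str, List[str]]:
    p = _ScriptAudit(nonce)
    p.feed(html)
    return {"allowed": p.allowed, "blocked": p.blocked}


def render_page(nonce: str, user_bio: str) -> str:
    # The application's own script carries the nonce. user_bio stands for a
    # value rendered raw (triple braces or htmlSafe), so markup in it survives.
    return f"""<html><body>
<script nonce="{nonce}" src="/assets/app.js"></script>
<div class="bio">{user_bio}</div>
</body></html>"""


# Constructed payload of the kind an unescaped field would carry.
INJECTED_BIO = '<script>fetch("/steal?c="+document.cookie)</script><img src=x onerror="alert(1)">'


def example() -> Dict[str, List[str]]:
    nonce = new_nonce()
    return audit(render_page(nonce, INJECTED_BIO), nonce)


if __name__ == "__main__":
    n = new_nonce()
    print(csp_header(n))
    print(example())
```

The nonce must be unguessable and unique per response: if it is reused across responses, or rendered anywhere an attacker can read it (including inside the injected content's surroundings), the policy degrades to 'unsafe-inline'. The report endpoint is worth wiring up before enforcement, since a day of reports from a report-only policy shows exactly which legitimate inline scripts still need a nonce.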

The spell, in the end, is clean code plus the right tools: a CSP citadel, and vulnerabilities banished.

Vulnerabilities’ Vortex and Wards’ Weave

Ingrid's theme: Ember at Intercom's pace, XSS as the first hazard, with escaping helpers and a ban on triple braces as the wards.

CSRF’s Chicanery and CSP’s Codex

CSRF tokens and interceptors; CSP level 2 nonces and level 3 'strict-dynamic'. Ingrid's setup: an Ember addon to emit the policy and a Node endpoint for reports.


[DotSecurity2017] Encryption vs. Inspection

The long fight between privacy and oversight now plays out inside encrypted connections, where protection collides with the demand to look inside. Nick Sullivan, head of cryptography at Cloudflare, traced it at dotSecurity 2017, following TLS from the 1990s, when strong cryptography was classed as a munition, to 2017, when HTTPS is everywhere yet hobbled by intercepting proxies. From Netscape's two builds to the Clipper chip's escrowed key, his narrative covers both encryption's emancipation and inspection's steady encroachment.

The 1990s neuroses first: cryptography was export-controlled contraband, 128-bit keys could not leave the United States, and Netscape shipped a strong domestic build alongside a weakened export edition. The Clipper chip promised escrow, a copy of every key held for law enforcement, and the EFF's campaign helped bury it. PGP and Phil Zimmermann took cryptography to the masses, and the EFF's DES Cracker showed in 1998 that 56-bit DES was finished. SSL rose through all of this: drafted in 1994, released in 1995, then reborn as TLS 1.0 in 1999 and extended as TLS 1.2 in 2008.

2017's inflection: HTTPS has crossed the halfway mark of web traffic, and inspection has intensified to match. Corporate proxies and antivirus products perform man-in-the-middle interception by installing their own root certificate and minting a counterfeit certificate for every site. Nick punctured any naivety about the protocol's own record: downgrade attacks (POODLE, which forces a fallback to SSL 3.0, and BEAST against CBC in TLS 1.0) and padding oracles (Lucky Thirteen). TLS 1.3 is the answer: 0-RTT resumption for speed, and ephemeral key exchange only, so forward secrecy is mandatory and a passive inspector holding the server's private key can no longer decrypt; which is exactly why interception middleboxes object. Chrome's field trial in February 2017 broke connections through Blue Coat proxies that could not parse the new handshake, and the rollout was pulled back until the proxies were fixed.
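The Blue Coat incident comes down to how a TLS 1.3 client announces itself: the legacy version field in the ClientHello still says 1.2, and the real offer sits in the supported_versions extension, which a middlebox written against TLS 1.2 never looks at. The block below is an added example for this recap, not Cloudflare's or Chrome's code: it builds a ClientHello from constructed values (zeroed random, a sample SNI, a short cipher suite list, Chrome 56's draft-18 version code), parses it back, and shows the difference between what a version-aware parser and a legacy-only middlebox conclude. It also flags static-RSA suites, the ones whose sessions a recorded-traffic inspector can open with the server's key.

```python
"""TLS ClientHello construction and parsing: how a TLS 1.3 client announces
itself, and why a middlebox that reads only the legacy version field gets it
wrong.

Added example for this write-up, not Cloudflare's or Chrome's code. The
handshake bytes are built here from constructed values (zeroed random, a
sample SNI, a small cipher suite list), so nothing touches the network.
"""
from typing import Dict, List

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# TLS_RSA_* suites: the server's RSA key decrypts the session secret, so a
# recorded session can be opened later by anyone holding that key.
STATIC_RSA_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43


def _vec(data: bytes, len_bytes: int) -> bytes:
    return len(data).to_bytes(len_bytes, "big") + data


def build_client_hello(sni: str, suites: List[int], versions: List[int]) -> bytes:
    """ClientHello inside a TLS record; `versions` fills supported_versions
    (empty for a pre-1.3 client that has no such extension)."""
    exts = EXT_SERVER_NAME.to_bytes(2, "big") + _vec(_vec(b"\x00" + _vec(sni.encode(), 2), 2), 2)
    if versions:
        exts += EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + _vec(
            _vec(b"".join(v.to_bytes(2, "big") for v in versions), 1), 2)
    body = (0x0303).to_bytes(2, "big")             # legacy_version, always 1.2
    body += bytes(32)                                 # client random (constructed)
    body += _vec(b"", 1)                              # empty session id
    body += _vec(b"".join(s.to_bytes(2, "big") for s in suites), 2)
    body += _vec(b"\x00", 1)                          # null compression only
    body += _vec(exts, 2)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + (0x0301).to_bytes(2, "big") + _vec(handshake, 2)


def parse_client_hello(record: bytes) -> Dict:
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    info = {"legacy_version": int.from_bytes(body[0:2], "big"),
            "cipher_suites": [], "sni": None, "supported_versions": []}
    pos = 2 + 32                                      # version + random
    pos += 1 + body[pos]                              # session id
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    info["cipher_suites"] = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                              # compression methods
    if pos >= len(body):
        return info                                   # no extensions at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]; pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            name_len = int.from_bytes(data[3:5], "big")   # list len(2), type(1), len(2)
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            count = data[0]
            info["supported_versions"] = [int.from_bytes(data[1 + i:3 + i], "big") for i in range(0, count, 2)]
    return info


def version_name(v: int) -> str:
    if v >> 8 == 0x7F:
        return f"TLS 1.3 draft-{v & 0xFF}"
    return VERSION_NAMES.get(v, f"unknown 0x{v:04x}")


def highest_version(info: Dict) -> str:
    """What the client really offers: supported_versions wins over legacy_version."""
    versions = info["supported_versions"] or [info["legacy_version"]]
    return version_name(max(versions))


def legacy_only_view(info: Dict) -> str:
    """What a proxy that never learned about supported_versions believes."""
    return version_name(info["legacy_version"])


def forward_secrecy_only(info: Dict) -> bool:
    return not (set(info["cipher_suites"]) & STATIC_RSA_SUITES)


# Constructed hellos: a 2016-era client and a Chrome-56-style draft-18 client.
OLD_CLIENT = build_client_hello("example.com", [0xC02F, 0x002F], [])
TLS13_CLIENT = build_client_hello("example.com", [0x1301, 0xC02F], [0x7F12, 0x0303])

if __name__ == "__main__":
    for label, rec in (("old", OLD_CLIENT), ("tls13", TLS13_CLIENT)):
        info = parse_client_hello(rec)
        print(label, highest_version(info), "| legacy view:", legacy_only_view(info),
              "| forward secrecy only:", forward_secrecy_only(info))
```

The same parser is a useful passive-detection building block: a ClientHello that offers only forward-secret suites and signals 1.3 is one that an inspection box cannot decrypt after the fact, while one that still lists TLS_RSA suites is exposed to anyone who later obtains the server key.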

Nick's closing question is society's: is inspection an imperative, or encryption an ethic? Who controls data is being decided in the details of deployment.

Munitions to Mainstream: Crypto’s Chronicle

Nick navigated the 1990s: Clipper's escrow, PGP's proclamation, SSL's rise and its transfiguration into TLS.

Inspection’s Incursion and TLS 1.3’s Triumph

Intercepting proxies and antivirus autopsies; downgrade and padding attacks. TLS 1.3's defence: 0-RTT speed, ephemeral keys, and Chrome's clash with Blue Coat.


[DotSecurity2017] Secure Software Development Lifecycle

Security has to be built into the forging of software without slowing it down. Jim Manico, founder of Manicode Security and a long-time OWASP leader, set out how at dotSecurity 2017, offering a framework for securing the software development lifecycle (SDLC) from inception to iteration. Based in Hawaii, with a career that runs from Siena to Edgescan, he brings empirical edge to the tenets, and his central claim is economic: engaging early is what keeps security cheap.

Jim walked the SDLC's stations: analysis (rigorous requirements, a taxonomy of threats), design (architecture review, data flow diagrams), coding (checklists, vetted libraries), testing (static analysis, dynamic testing) and operations (monitoring, incident response). Whether the process is agile or waterfall, the phases persist; analysis might take a month or a minute, testing anything from triage to telemetry. He had no patience for process for its own sake: a checklist beats a compendium, and triage beats a torrent of findings.

Requirements come first, with the OWASP taxonomy as the template, from access control to injection; requirements written this way also seed the bug bounty. Design means threat modelling: STRIDE's categories (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) applied to a data flow diagram with its flows and endpoints marked. Coding follows Manicode's canon: validate input (sanitise at the boundary) and encode output (the defence against injection), and keep a ledger of libraries checked by a dependency scanner such as Snyk. Testing has tiers: static analysis (SonarQube, Coverity, with the rule set trimmed to what matters so developers are not drowned) and dynamic testing (DAST probes, IAST instrumentation). Operations closes the loop: logging that raises anomalies, and a patching patrol that tracks vulnerabilities.
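The design-phase step, STRIDE applied element by element to a data flow diagram, is mechanical enough to script, and scripting it is what makes it repeatable at the pace Jim describes. The block below is an added example for this recap, not Jim Manico's or OWASP's code: it encodes the standard STRIDE-per-element table, enumerates threats for each element and flow of a constructed login diagram, and ranks flows that cross a trust boundary first, since that is where an attacker actually sits.

```python
"""STRIDE-per-element over a data flow diagram, the design-phase step Jim
describes.

Added example for this write-up, not Jim Manico's or OWASP's code. The
element-to-category table is the standard STRIDE-per-element mapping; the
diagram (a login flow) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Which categories apply to which kind of DFD element.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external | process | store
    zone: str       # trust zone the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    data: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    note: str


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    zones = {e.name: e.zone for e in elements}
    out: List[Threat] = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            out.append(Threat(e.name, STRIDE[code], False, f"{e.kind} in zone '{e.zone}'"))
    for f in flows:
        if f.src not in zones or f.dst not in zones:
            raise ValueError(f"flow {f.name} references an unknown element")
        crosses = zones[f.src] != zones[f.dst]
        where = (f"crosses '{zones[f.src]}' -> '{zones[f.dst]}'" if crosses
                 else f"inside zone '{zones[f.src]}'")
        for code in APPLICABLE["flow"]:
            out.append(Threat(f.name, STRIDE[code], crosses, f"{f.data}; {where}"))
    return out


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Boundary-crossing flows first: that is where an attacker can reach."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


def summary(threats: List[Threat]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


# Constructed diagram: a browser logging in to a web app with a database and
# an in-zone session cache.
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Session cache", "store", "dmz"),
    Element("User DB", "store", "internal"),
]
FLOWS = [
    Flow("login request", "Browser", "Web app", "username, password"),
    Flow("set-cookie", "Web app", "Browser", "session cookie"),
    Flow("credential lookup", "Web app", "User DB", "SQL with username"),
    Flow("session write", "Web app", "Session cache", "session id -> user id"),
]

if __name__ == "__main__":
    for t in prioritise(enumerate_threats(ELEMENTS, FLOWS)):
        flag = "!" if t.crosses_boundary else " "
        print(f"{flag} {t.target:<18} {t.category:<24} {t.note}")
    print(summary(enumerate_threats(ELEMENTS, FLOWS)))
```

Each enumerated threat is a prompt, not a finding: "Tampering on credential lookup, crosses dmz -> internal, SQL with username" is what leads the reviewer to parameterised queries, and "Information disclosure on set-cookie" to the Secure and HttpOnly flags. The value of generating the list is that nothing is skipped because it seemed obvious.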

Jim's jeremiad: fixing late is expensive, fixing early is cheap, and triage keeps the effort sane. His sacrament is static analysis built in like the compiler, with the rule set refined, so that DevOps deploys it and developers are freed from the deluge.

SDLC’s Stations and Security’s Scaffold

Jim's milestones: analysis, design, coding checklists, tiered testing, and operations with monitoring and incident response.

Tenets’ Triumph and Tools’ Temperance

OWASP for requirements, STRIDE for threats, static and dynamic analysis for testing. Jim's jewel: early is cheap, triage keeps it sane, and checklists beat compendiums.


[DotSecurity2017] Post-Quantum Cryptography

Quantum computers, should they arrive at scale, would unravel the safeguards that classical public-key cryptography rests on, which makes them both marvel and menace. Tanja Lange, who chairs the Coding Theory and Cryptology group at Eindhoven University of Technology, confronted the problem at dotSecurity 2017, setting out why encryption must be made resilient to tomorrow's quantum machines. Working at the meeting point of mathematics and practical security, she dissected the weaknesses of today's public-key ciphers, RSA's reliance on factoring and ECC's on elliptic-curve discrete logarithms, and presented lattice-based and code-based schemes as the way forward. The point is practical: secrets encrypted today must survive adversaries equipped with tomorrow's arithmetic.

Tanja began with cryptography's ubiquity: the browser's lock icon stands for TLS, which rests on RSA or Diffie-Hellman, both secure only as long as factoring and discrete logarithms stay intractable. Shor's algorithm solves both in polynomial time on a quantum computer. Grover's algorithm is gentler, halving the effective strength of symmetric keys, so that AES-256 drops to roughly 128-bit security and AES-128 to 64. The danger is retroactive: "harvest now, decrypt later", with state actors recording traffic today for decryption once the machine exists. Whatever the date of that machine, data with a multi-decade secrecy requirement is already exposed, and migrations take years, so the work has to start now.

The post-quantum pantheon rests on problems believed to resist quantum attack: lattices and learning with errors (LWE), multivariate quadratic systems, and hash-based signatures. In LWE, the public key is a set of linear equations in a secret vector, each deliberately corrupted with a small error; without the secret, the noise makes the system as hard as decoding a random lattice, and the secret is the trapdoor that lets the noise be stripped away. McEliece's code-based scheme, proposed in 1978 and still unbroken, hides a Goppa code behind a scrambled generator matrix: a ciphertext is a codeword with a fixed number of errors added, and only the holder of the secret decoding structure can correct them. On standardisation, Tanja pointed to NIST's December 2016 call for post-quantum proposals, with submissions due in November 2017; the lattice schemes Kyber (encryption) and Dilithium (signatures) that NIST selected in 2022 came out of that process and post-date the talk.
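The LWE description above is concrete enough to run. What follows is an added example for this recap, not Tanja Lange's code and not Kyber: a toy cryptosystem of the Regev kind in which the public key is a set of noisy linear equations, a bit is encrypted by adding up a random subset of them, and the secret strips the noise. The parameters (q = 3329, 32 unknowns, 128 equations, errors in {-1, 0, 1}) are constructed for illustration and give no real security; the block also reports the public key size, which is the cost that structured lattices such as Kyber's exist to cut.

```python
"""A toy learning-with-errors (LWE) cryptosystem of the Regev kind, showing
the noise that protects the secret and the key-size cost Tanja mentions.

Added example for this write-up, not Tanja Lange's code and not Kyber.
Parameters are constructed for illustration and give no real security; a
deployable scheme uses far larger dimensions and structured (module) lattices
to keep keys small.
"""
import random
from typing import List, Tuple

Q, N, M = 3329, 32, 128    # modulus, secret dimension, number of equations

PublicKey = Tuple[List[List[int]], List[int]]
Ciphertext = Tuple[List[int], int]


def keygen(rng: random.Random) -> Tuple[PublicKey, List[int]]:
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]         # small errors
    # b = A*s + e: M noisy linear equations in the N unknowns of s. Without
    # the noise, Gaussian elimination would recover s; with it, inverting the
    # public key is as hard as decoding a random lattice.
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt_bit(pk: PublicKey, bit: int, rng: random.Random) -> Ciphertext:
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]                # random subset of rows
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s: List[int], ct: Ciphertext) -> int:
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    # d = r.e + bit*(Q//2), with |r.e| <= M = 128, far below Q/4 = 832, so the
    # value sits near 0 for a 0 bit and near Q/2 for a 1 bit.
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def encrypt(pk: PublicKey, msg: bytes, rng: random.Random) -> List[Ciphertext]:
    bits = [(byte >> k) & 1 for byte in msg for k in range(7, -1, -1)]
    return [encrypt_bit(pk, bit, rng) for bit in bits]


def decrypt(s: List[int], cts: List[Ciphertext]) -> bytes:
    bits = [decrypt_bit(s, ct) for ct in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def public_key_bytes() -> int:
    """Size of (A, b) at 12 bits per coefficient: the cost of plain LWE that
    Kyber reduces by deriving A from a seed and using module structure."""
    return ((M * N + M) * Q.bit_length() + 7) // 8


def roundtrip(msg: bytes = b"pq", seed: int = 1) -> bytes:
    rng = random.Random(seed)
    pk, s = keygen(rng)
    return decrypt(s, encrypt(pk, msg, rng))


if __name__ == "__main__":
    print(roundtrip(b"harvest now, decrypt later"))
    print("public key bytes:", public_key_bytes())
```

Decryption works because the noise term r.e is bounded by the number of equations, which is why the error distribution and the modulus have to be chosen together: a wider error distribution increases security but, past a point, tips honest decryptions into the wrong half of the modulus. The public key here is over 6 KB for a toy; the kilobyte-scale keys Tanja mentions for real lattice schemes are the result of deliberate engineering on this very quantity.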

The costs are real: keys of a kilobyte or more for lattice schemes (Kyber's public key is about 1 KB) and from hundreds of kilobytes to a megabyte for McEliece, plus larger signatures. Hybrid schemes soften the transition by pairing a classical key exchange with a post-quantum one, so a session stays protected unless both are broken. Tanja tempered the alarm: today's cryptography does not vanish overnight, and migration is a mosaic, with larger handshakes and certificate chains to absorb. Her horizon is a world where post-quantum schemes are in browsers and IETF standards, so that encrypted data stays protected whatever entanglement enables.

Quantum’s Quandary and Classical Cracks

Tanja traced the threats: Shor's algorithm shattering RSA and ECC (and Diffie-Hellman with them), Grover's halving symmetric strength, and the harvest-now, decrypt-later haunt.

Lattice Locks and Code Crypts

LWE hides the secret behind noise, with a trapdoor to strip it; McEliece hides a Goppa code behind a scrambled matrix. NIST's process, from which Kyber and Dilithium later emerged; hybrids and key-size engineering to ease the cost.

Migration’s Mandate and Horizons

Tanja's timeline: larger handshakes and certificate chains, browser and IETF convergence. The promise: encryption that endures past the quantum edge.
