
Away Mission

By Howard Dyckoff

SD West Conference

Now run by the Dr. Dobb's arm of CMP Media, the annual West Coast version of the Software Development Conference has emerged as a leading venue for the discussion of Agile Methods in IT and software development and is also becoming a developer-oriented resource for security. See www.sdexpo.com/2007/west/

SD West 2007 Searchable Conference Program is here: https://www.cmpevents.com/SDw7/a.asp?option=C

First, you didn't need a full conference pass to enjoy many of the sessions and events at SD West. Many vendors - including Adobe, Amazon, Intel, and Sun - hosted free technical sessions in separate rooms during the expo days and many were worth driving down to the Expo without the promise of free beer at an Expo party. The Intel presentation, "Performance Tuning for Multi-Core Processors", focused on Threading Building Blocks, a new library that enables use of task patterns instead of threads by mapping logical tasks into physical threads.

Here's a list of the free tech sessions for SD West 2008: http://sdexpo.com/2008/west/tech_sessions.htm

Social and networking activities abounded. There were the 2007 Jolt Awards and the Dr. Dobb's Awards for excellence in programming. SD West has a history of great match-ups with its Developer Bowl quiz-show in which teams from the top technology companies are tested on their knowledge of the history, technology, and traditions of software development.

There is also the usual party with food and libations for the opening of the Expo. This past year, the fine Expo event transitioned into a later party hosted by Google. However, Google booked the space rather late and had only one third of a main ballroom. The lines were long and the food scant because of other demands at the hotel. It was a near disaster for Google and left several developers grumbling, since Google is legendary for the fine food and snacks at its campuses.

This is a mid-sized conference and notably smaller than it was in the go-go 1990s. But it gets A-level presenters and has a wide range of tracks. That can make it a little hard to target the best sessions because interesting sessions in C++ or Java or Ruby or Security may be happening at the same time. The conference CD has many of the sessions, but never all of the ones you might consider, and the hottest topics are the ones least likely to have presentations submitted early enough for the conference CD. This is why I prefer getting a jump drive with most sessions on it and having locations to update the jump drive as presentations become available - this is what you get at EclipseCon.

This is also a pricey conference, with early-bird rates of $1695 and $1895 (conference and tutorials), up to the $2395 conference and tutorials rate at the door. All conference registrations include a one-year subscription to Dr. Dobb's Journal. There is also the $95 'SD On Demand' add-on that provides access to conference session audio and PowerPoint (a so-called $595 value) for 365 days after the event. There are good sessions, but not all of them are on the conference CD or in the post-conference archive.

Speaking of good sessions, the folks from SPI Dynamics usually give a good security presentation and Dennis Hurst did not disappoint on the last day of SD West. His presentation, "The Hackers Goldmine: Methodologies and Automation for Gaining Access to Confidential Information Through Defects in Web Applications" had a long title but was succinct in reviewing the spectrum of Web app deficiencies, especially emerging threats. Topics covered included SQL injection, cross-site scripting, parameter manipulation, and session hijacking.

The presentation was given at the last hour of the conference on the last day but was heavily attended, showing the growing importance of securing Web applications. You can view the entire presentation here: http://portal.spidynamics.com/blogs/dennis//attaqchemenets/27960.aspx

Geof Hoglund presented "Exploiting Online Games". His thesis was that games represent a showcase of cutting-edge tech and also have the financial motivation to bring out the best and worst in skillful programmers. He discussed memory cloaking, hyper-spacing threads, shadow branching and kernel-to-user code injection. This was very scary stuff, and he repeatedly suggested that advanced techniques used to subvert multi-player games would find their way into the exploits of tomorrow. (This idea came up again at IT SEC World, reviewed below.)

I was disappointed to discover that these presentations and a few others I was interested in did not make it into the archive for SDWest 2007 even after months of waiting. Fortunately, some authors post their presentations to public Web sites afterwards, sometimes to guarantee they are not locked away.

And that offers a segue of sorts to a review of security-themed conferences.

IT Security World 2007

MIS Training Institute (MISTI) offers audit and information security services and training and puts on conferences and symposia for the information security industry.

Currently, MISTI puts on the CIO Summit, the CSO Forum, InfoSec World, and IT Sec World, along with 10 other venues. The sessions are mainly focused on security, auditing, governance, and regulatory issues. IT Sec World is an annual conference aimed at IT security professionals.

The two AM keynotes at IT SEC were stimulating and informative. These were the kickoff keynote with Peter Coffee, former Technology Editor at eWeek, now with Salesforce.com, "A Truly World Wide Web: Security on the Inter(national)net", and the second morning keynote with Gary McGraw, Chief Technology Officer at Cigital, and a co-author of the recent book on the subject, Exploiting Online Games.

Coffee's main point was that we live connected to a global Internet, and the threat profile is now also global. He noted that Chinese is the second most used language on the net and its use is growing fast.

Consequently, Coffee emphasized that the real payoff for IPv6 was not address range; it was IPSec and source authentication as part of network forensics. Coffee also focused on the explosion of personal data and storage: "there's way too much storage, making it as easy to lose a major database as losing a stick of gum...." He also noted that 1GB jump drives are now given out as trade show swag and a lot of these are lost, misplaced, or stolen.

In summary, Coffee thinks there is too much data on too many devices with way too much access from anywhere. Coffee looks to Identity Management and forensics in depth to counter the efforts of hackers and crackers.

There were several excellent presentations on the technical side, particularly if you skipped most of the case studies. There were also industry-specific tracks (Healthcare, Banking, etc.) which may or may not have been everyone's cup of tea.

I found "Top 10 Web Attacks" by Jeremiah Grossman interesting and up to date on current exploits. It was Grossman who made the suggestion to segregate and compartmentalize Web browser use as a major defense against zero-day attacks - and I want to widely encourage this. Simply put, do casual browsing with one browser and do financials with a different one (and employment work with a third perhaps) to minimize the risk for malware vulnerabilities. It's a kind of free firewall at the application level.

DNS SEC was a technical topic presented by Steve Pinkham and David Rhodes, both of Maven Security. An updated version of the presentation (for SD West 2008) is now posted in the resources section of the Maven Security Web site. There are also several other excellent presentations on security tools, wireless hacking, and Web application security, so please visit http://www.mavensecurity.com/presentations.

IT SEC World 2007 had a modest Expo with under 50 vendors, many of them leaders in their vertical niche. Most contributed to the end-of-conference drawing, so over 30 items were given away to a crowd of under 300 (at least half of the attendees had already left for local offices or the SFO airport).

The next MISTI IT Security World 2008 Conference Expo will be held on September 15-17, 2008, at the San Francisco Marriott, near the Moscone Convention Center. Last year, this conference was at the famous Fairmont hotel, a breathless walk up to the top of Nob Hill. The new venue is more accessible and much faster to get to.

Next time, we'll take up Digital IDs and the Identity Management (IdM) universe.


Howard Dyckoff is a long-term IT professional with primary experience at Fortune 100 and 200 firms. Before his IT career, he worked for Aviation Week and Space Technology magazine and before that used to edit SkyCom, a newsletter for astronomers and rocketeers. He hails from the Republic of Brooklyn [and Polytechnic Institute] and now, after several trips to Himalayan mountain tops, resides in the SF Bay Area with a large book collection and several pet rocks.

Howard maintains the Technology-Events blog at blogspot.com from which he contributes the Events listing for Linux Gazette. Visit the blog to preview some of the next month's NewsBytes Events.

Copyright © 2008, Howard Dyckoff. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 148 of Linux Gazette, March 2008