26 July 2006

OSCON day 3

Started the day by learning that my workstation at work probably has a bad hard drive. When my officemate rebooted it, he saw those two magic words...

kernel panic

Oh, well. I've (probably) got good backups.

I attended several sessions today. The first was about compiling a kernel to improve speed (only the drivers you need) and security (so a cracker can't load kernel modules--the speaker advocated a monolithic kernel, if possible). The speaker (Steve Suehring) mentioned a security-related patch called grsecurity, which sounds interesting. I wonder how it compares to the openwall kernel patch (hmmm, guess that's just for 2.4).

Next was "Maximum Netfilter" by Michael Rash of Solirix. He talked about several netfilter-related programs. fwknop does something called single-packet authentication, which is a more secure (albeit less convenient) version of port-knocking.

Then I went to "The Madness of AJAX" by Andrew van der Stock (it was about AJAX security). That was actually a little scary. Not because of anything that I've coded or something a co-worker has coded (I don't feel the need to run home and rewrite a bunch of AJAX), but the speaker did several demonstrations which were just spooky. Looks like several of the PHP AJAX toolkits have significant input validation problems, which are a little too reminiscent of register_globals. I'd like to buy a book on the subject, but there don't really seem to be any books on AJAX security (too new, I guess).

I finished out the day by attending the Perl lightning talks (a bunch of 5-minute presentations). It was sort of a strange potluck, punctuated by a rather bizarre performance called "A Perl module installation in 5 unnatural acts". But it gave me a few things I'll want to read about later: App::Ack (source code searches), Perl::Critic ('use strict' on methamphetamines), and stubmail.com (a re-implementation of SMTP by the SPF guy).

And I got voicemail from an old high school buddy of mine. Haven't heard from him in nearly 5 years. I suspect that he's renewing contact to send me a wedding invitation (good for him, if that's the case [good for him, in any case]). Maybe we'll be able to stay in touch this time.

1 comment:

Andrew van der Stock said...

Thanks for the compliment. I'm writing an Ajax Security book (http://www.ajaxsecurity.info) and it should be out in the new year.