Security researcher Dan Kaminsky

Dan Kaminsky is a 7-year veteran of Black Hat and Defcon in Vegas, and he was pretty much a fixture when I was there last year. His performance during Friday night’s TCP/IP drinking game was hilarious, and his talk the next morning even more so. This year he’s presenting info on the under-addressed issues dealing with Web 2.0 and its inherent insecurity.

He’s looking at design bugs, which he cautions are not the same as pure vulnerabilities: “The system is doing exactly what it was built to do… People expect it to authenticate silently, and have a port open for everyone. But they don’t expect the bad guy to use it to do something malicious.” He worries about DNS rebinding, an example of a design flaw that can have serious consequences if manipulated nefariously. “I’m working on code that, if you come to my Website, I get to treat your browser as a VPN concentrator and browse your corporate network – with whatever magic IPsec credentials your machine has, incidentally.”

Hmmm…interesting stuff for sure, and not something most web designers are thinking of as they write some more JavaScript to make a button draggable on the client’s homepage. I go to Defcon to hear thoughts and ideas like his, to learn from some very smart people who make me think in ways I never have before.

I found a nice example on his site from a talk he did at Black Hat last year, taking a look at different ideas on how to rethink patterns in order to recognize data flows. He shows how different files, music, data and even written documents give up their internal structure when viewed using DotPlots to visualize patterns within. It makes sense that we can recognize patterns better than a string of hex, but he presents very interesting, thought-provoking examples.

Very cool stuff, see ya tomorrow in Vegas.