Computer Science Colloquium: You Can Be A Winner In The Game Of Vulnerability Research
| What | Computer Science Colloquium, talk |
|---|---|
| When | Oct 30, 2006 from 03:15 pm to 04:15 pm |
| Where | 25 E. Pearson, Room 110 |
Speakers
- Thomas H. Ptacek, Researcher, Matasano Security LLC
- Cory Scott, Vice President - Technical Security Assessment, ABN Amro
Abstract
In this classic game of fortune, your goal is to dodge bad luck and make a buck. Along the way, you'll also earn valuable zero day vulnerabilities by doing good deeds, reverse engineering protocols, or just selling fake security holes to secret vulnerability markets! Retire with fame and fortune and become a great security hero or go rogue and leave destruction in your wake... there are so many ways you can win! Each game square is a different adventure, so you'll get a whole new game with every application you look at. What does Vulnerability Research have in store for you? Take a spin and find out! Game includes: all the software ever written by mankind, six plastic car pawns, a hex editor, compiler theory, spinner and bridge, secret ATM passcodes, a deck of 36 cards, insurance policies, bank loans, and no instruction sheet. Player tokens include developers, system administrators, IT managers, security vendors, lawyers, criminals, and the unsuspecting public.
Topics We'll Cover:
- Vulnerability Research in a Nutshell: How, where, why, how, when, and how security holes are found in software.
- Reverse Engineering: Why the closed-source vs. open-source security argument is irrelevant in 2006.
- Vulnerability Markets: What kinds of software vulnerabilities will make you $10,000, why, and why that's a bad thing.
- Web Security: Why web applications running on Java and .NET are no less terrifying than any other kind.
- Vulnerability Response: Why patches, even zero-day patches, still leave customers doomed.
- Real-World Vulnerabilities: Voting machines, ATMs, smart cards, DRM: when everything's a computer, everything's vulnerable.
Bio sketches
- Thomas Ptacek is a veteran security researcher and a principal at Matasano Security. Thomas has owned technical operations at Chicago's most popular ISP, authored Insertion, Evasion, and Denial of Service [citeseer], a landmark paper which broke every shipping intrusion detection product on the market, and at Arbor Networks led the development of a security product deployed on the backbone of virtually every tier-1 ISP worldwide.
- Cory Scott performs technical security assessments for the Global Information Security Team at ABN AMRO. Experienced in the techniques of both attack and defense of critical information technology assets, he works to secure the bank's infrastructure and applications. Prior to joining ABN AMRO, he was the Technical Director for @stake's Chicago security consulting practice and joined Symantec's consulting team after acquisition. On behalf of his clients, he has identified numerous vulnerabilities in third-party products and in-house applications. He has spoken at numerous conferences and events, including Blackhat Briefings, SANS, and USENIX, on topics ranging from web application security to intrusion detection.

