Jan 21, 2010

CUSEC: Day 1

Today was the first day of CUSEC 2010, and despite being tired and hopped up on caffeine all day (this entry might sound really odd, and is susceptible to slight changes when I am more coherent) it was an excellent start - in fact the day hasn't finished yet, there are still drinks to be had this evening!

The speakers today were:
  • Matt Knox - You'd probably know him better as that guy who wrote adware that was posted on Slashdot a while back, and he'll probably be known as that for the rest of his programming career ;) The talk was quite interesting. He began by talking about his adware career and how he was slowly talked into doing shadier and shadier things for the company. The most interesting part of this section was the various security exploits in Windows he spoke about (and they scared the shit out of me; it really rationalizes my decision to not use Windows anymore). One of them is CreateRemoteThreadEx, which, to paraphrase Matt, lets you say, "hey, process over there, please execute this arbitrary code!" So basically you don't even need your own process running anymore to have your code still executing. The second one (that I can remember) was that while Windows stores strings internally as 16-bit Unicode strings, the Win32 API uses null-terminated ASCII strings. So if you have a null byte in, say, a filename or a registry entry, programs written using the Win32 API can see the file/registry entry but can't actually do anything about it. I don't know if this is true or not, I'd have to do some research, but that is how I remember it.
    The talk then went on to explain the Milgram experiment, which I will leave to the reader to explore further. He explained that basically these tests show that about 70% of people will do evil if they are told to by an authority figure, and described this as basically a remote security exploit in 70% of the installed base. But, he wondered, if people have security exploits that cause them to do evil, is it possible that people have security exploits that make them do good? It was an interesting question, but what makes you (or perhaps only me) wonder more is this: if people knew that they had an "exploit" that caused them to do good, would the exploit still work? So yes, it was an interesting moral speech, and Matt is an entertaining speaker, so when they post the videos (if ever) I recommend checking it out.
  • Pete Forde (music warning) from Unspace was one of the corporate speakers. Unfortunately for these speakers, there are two going on at the same time, so I can only see one of them speak, but oh well. Pete spoke about his life, risk-taking, doing new things, etc. I really enjoyed the talk, even though I wasn't paying attention for half of it, because when he started talking about side projects I'd start thinking about my side projects and forget that I was in a conference. I enjoyed the talk and hope to get a copy of the notes, since there were a lot of suggestions for books and blog articles that I'd like to read but couldn't remember.
  • Sergei Savchenko from EA (I don't know of a link to put for his stuff) - he gave a talk about video game programming, focusing on network topologies and various memory management techniques. It was pretty neat since I'm interested in that kind of thing; however, I felt like it was a bit more of a lecture than a conference presentation.
  • Reg Braithwaite (slides) - it seemed they saved the best for last. While I did like all the presentations, this one was packed full of insight in Reg's style of taking your brain out and prodding at it to figure out what makes it work and how to make it better. I feel like once they publish the recording of this one I could download it, cut it up into 10 minute slices, watch each slice individually, and after watching each slice get a glass of wine, sit down in my thinking chair (yes, I do have a thinking chair) and dig down into what he is saying and determine if he's "a guy who smoked too much weed in the 70's" or a guy with some really good advice to give. He started off with a Ruby example and how to use his extension methods to fix the problem. However, he said that the important thing about the example was not the extension methods themselves, but the fact that they were necessary in the first place. Basically, if we're having to put dirty patches onto things in order to make them work, it is a pretty good indication that those things are broken. Another point was that if you listen to the single responsibility principle, then by using extension methods or monkey-patching you're breaking that principle; however, by breaking that principle and successfully creating good software with it, you're showing that perhaps it is not you that is the problem, but that the single responsibility principle itself is broken. Or, to be more general, how much of what is considered "good practice" isn't really good practice, but rather is holding us back from creating something better? It makes you think: what else are we taking for granted? Not only in software, but in the rest of our lives? The issue is, even once we decide that there are things that we can do better, how do we find those things?
    There was a lot more; however, I will wait until the video comes out before I talk about it in any more detail (all that coffee is having an effect on my memory).

This gives me great hopes for what tomorrow will bring!
