The second day started with getting up “early” so I could see Christofer Hoff discuss the vulnerabilities associated with outsourcing your prized possessions to cloud computing networks. It was definitely worth dragging myself out of bed. Chris is another AWESOME presenter. Peppered with a few early morning f-bombs (which, according to one of my students, is KEY to getting venture capital financing [?]), it was a riveting presentation and had visually appealing slides. I can take guidance from his method of presenting when he spoke to Twitterers in the crowd declaring that none of his 75 slides contained more than 160 characters per slide (and eerie, cool pictures of frogs). Most significantly, what I took from his presentation were some ideas about securely storing and accessing intellectual property from cloud computing networks. Some of those ideas I abstracted into search and seizure principles and incorporated some new research ideas into the CFP abstract for Brucon which, incidentally, was submitted at a witching hour Sunday night by me and my research partner, Myrcurial, in Toronto. Thanks for the inspiration, Chris!
Later that day, the disclosure panel was one of the talks I really wanted to see at Source. I have done research on this topic and was delighted to hear Ryan Laraine asking Dan Kaminsky, Ivan Arce, Dino Dai Zovi, Alexander Sotirov, and Katie Moussouris debatable topics such as:
· What’s enough time to give the vendor?
· Should there be a partial disclosure committee to prevent the purgatory Kaminsky endured with his DNS bug?
· Should there be civil liability for companies putting out insecure products?
· What about disclosing security vulnerabilities that effect devices where lives could be at stake?
· What if people discover vulnerabilities in safety-critical software such as in cars?
o What if someone reverse engineers the protocols in cars and hacks car computer networks? (gasp!)
These are all topics I have researched and debated with my colleagues. That’s another blog posting, but I was delighted to see some independent researchers debating this issues along side representatives from large companies. The resources and vulnerability response time small and large companies can respectively allocate toward patching a vulnerability is significantly different and was evident in the way the panelists answered these questions.
I left the panel after an hour into it so that I could show off OpenOtto’s hacked car computer that was in the garage of the Seaport. (I had to silently laugh and saw Dan steal a glance at me in the crowd during all of the hacked car computer discussion during the disclosure panel when, all along, there was one sitting in the hotel’s garage! The “what if” discussion is now moot.) I drove the hacked Land Rover to the Source conference to share this open source project with some like minded hackers like Joe Grand and Travis Goodspeed and demoed it before Joe left for the airport.
I showed Joe and Travis how the OpenOtto team reverse engineered the protocols in car computers allowing us to access any car’s computer. Automotive networks follow an OSI model, so OpenOtto was designed to be like an operating system for the car—all developers have to do is write high-level applications on top of the stack and they will operate with the car’s computer using OpenOtto hardware and software.
Source was the debut of OpenOtto’s prototype board which successfully outputted a handful of performance characteristics to a laptop connected, via the prototype board, to the OBD 2 port. This is more than a scan tool and can be used to tweak performance and output A LOT of real-time parameters about the performance and error codes for all cars. This particular prototype board could output 1 of 4 of the ISO 9141 physical layer. In a couple of weeks, a device will be complete that will run all 4 physical layers using an ARM processor. (Note: At the conference, it was MOST car computers except for GM, Ford, Chevy and cars newer than 2008, but soon it’s EVERY car. Only 1 of 4 physical layers were done at the conference, but all are being done now).
After the disclosure panel, I dumped my computer equipment in Dan Kaminsky’s room and went to join him, Travis, Ian Robertson and a co-worker from RIM for dinner at the
We didn’t get to see Dan Kaminsky, savior of the Internet…in his super hero tights, but we did finish the night by getting my computer equipment and busting in on Dan in his hotel room while he was dorking out on his computer just a few hours before he had to catch a flight somewhere. From there, I was happy to crash for an hour of sleep on a couch in a suite before I had to drive back to
Until next year, thanks SOURCE
(Picture, by Travis Goodspeed, is of OpenOtto's demo board on the upper left corner on console. Toy Story Alien is not part of OpenOtto)