Upcoming events and talks in May

Posted by Jonathan

May is going to be a busy month, with several conferences and events lined up.

On May 14 I will be giving a lecture on Web 2.0 technologies for the seminar Web 2.0 Start-Ups - Vom Entrepreneur zum Business Angel (From Entrepreneur to Business Angel) at the Technical University of Berlin. This seminar, organized by Timo Glaser, is packed with German entrepreneurs, venture capitalists, and founders. My lecture will cover why start-ups nowadays are able to deliver great services and products so fast. Amazon Web Services, Google App Engine, Ajax, Ruby on Rails, and open source tools will be part of the story.

On May 27-28 I will be at the Dynamic Languages World Europe conference in Karlsruhe. With speakers like Neal Ford, Jason Seifer, Stefan Tilkov and Gregg Pollack, the line-up is interesting. I will be talking about Ruby on Rails Security, from deployment security to CSRF and XSS in Rails.

May ends for me with Linuxtag 2008 here in Berlin (May 28-31). There I will also talk about Ruby on Rails Security. Further, it seems that a very interesting project I'm part of will present a sneak peek.


Upcoming events and talks

Posted by Jonathan

The conference season is starting again for me and I wanted to note where I will be/speak during the next couple of weeks.

First, there is Ruby Fools Copenhagen (April 1st and 2nd) where I will speak in the Ruby Performance track about Rails on AWS and how to leverage EC2, S3, and SQS in your application. The lineup at Ruby Fools looks really good with speakers like Glenn Vanderburg, Michael Koziarski, Evan Phoenix, Dr. Nic Williams, Dave Thomas, and Matz himself. Unfortunately I will not have too much time in Copenhagen as I have to leave early for Scotland on Rails in Edinburgh.

I'm really looking forward to being in Edinburgh again. After living, studying, and working there it feels like a second home. At Scotland on Rails (April 4th and 5th) I will talk about Rails Patterns: typical problems and scenarios in Rails applications like asynchronous operations (image processing, calculations, ...), authentication or deployment, and common solutions and best practices.

In May I will be at Linuxtag 2008 in Berlin and hopefully talk about Ruby on Rails Security, but this talk has not been confirmed yet. Further, there is a chance that I will be speaking at the iX CeBIT Forum 2008 about our internal software development process and agile development.

24C3 - Ruby on Rails Security

Posted by Jonathan

The slides and a video of my Ruby on Rails Security session are now online. The 24C3 was a lot of fun, unfortunately I couldn't spend all 4 days there.

My talk covered most of the common web application vulnerabilities, like Cross Site Scripting and Cross Site Request Forgery, SQL and code injection, and deployment security, and how they apply to Rails. Further, Rails-specific issues like Rails plugin security, JavaScript/Ajax security, and Rails configuration were examined and best practice solutions were introduced.
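The three injection classes named above (SQL injection, XSS, CSRF), as an added example that is not from the talk, the slides, or Rails itself. It is a miniature of the defences Rails ships with, written so the mechanism is visible without a Rails application: `MiniRails`, its method names, and the sample payloads are invented for this illustration; `quote`/`where` mirror what ActiveRecord's `?` placeholder binding does, `ERB::Util.html_escape` is the standard-library helper behind Rails' `h()`, and the token check mirrors what `protect_from_forgery` verifies on non-GET requests.

```ruby
require 'erb'
require 'securerandom'

# Added illustration (not code from the talk, the slides, or Rails itself):
# a miniature of the three defences the talk covers. The module and method
# names are invented for this example.
module MiniRails
  # ---- SQL injection -----------------------------------------------------
  # Quote a Ruby value the way a database adapter does. Strings are wrapped
  # in single quotes with embedded quotes doubled, so user input can never
  # terminate the literal and append SQL of its own.
  def self.quote(value)
    case value
    when nil     then 'NULL'
    when Integer then value.to_s
    when true    then '1'
    when false   then '0'
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # Vulnerable: the raw parameter is interpolated into the condition string.
  def self.unsafe_condition(name)
    "name = '#{name}'"
  end

  # Hardened, modelled on ActiveRecord's where("name = ?", name): every `?`
  # is replaced by a quoted bind value, so binds cannot change the query shape.
  def self.where(template, *binds)
    placeholders = template.count('?')
    raise ArgumentError, "expected #{placeholders} binds, got #{binds.size}" unless placeholders == binds.size
    i = -1
    template.gsub('?') { quote(binds[i += 1]) }
  end

  # ---- Cross-site scripting ----------------------------------------------
  # Vulnerable: user-supplied text goes into the markup as-is.
  def self.render_comment_unsafe(body)
    "<p>#{body}</p>"
  end

  # Hardened: ERB::Util.html_escape is what Rails' h() helper calls; every
  # value from params that lands in a template must go through it.
  def self.render_comment(body)
    "<p>#{ERB::Util.html_escape(body)}</p>"
  end

  # ---- Cross-site request forgery ----------------------------------------
  # One random secret per session; Rails emits it as the hidden form field
  # authenticity_token and checks it on every non-GET request.
  def self.csrf_token(session)
    session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # XOR every byte pair of two equal-length strings: the running time does
  # not depend on where the first mismatch is, so timing leaks nothing usable.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.verified_request?(method, session, params)
    return true if %w[GET HEAD].include?(method.to_s.upcase)   # read-only methods carry no token
    expected = session[:_csrf_token]
    return false if expected.nil? || expected.empty?           # no token issued yet: never accept
    secure_compare(expected, params['authenticity_token'].to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  evil = "x' OR '1'='1"
  puts MiniRails.unsafe_condition(evil)                        # name = 'x' OR '1'='1'
  puts MiniRails.where('name = ? AND active = ?', evil, true)  # name = 'x'' OR ''1''=''1' AND active = 1

  payload = '<script>alert(document.cookie)</script>'
  puts MiniRails.render_comment_unsafe(payload)                # script tag survives
  puts MiniRails.render_comment(payload)                       # &lt;script&gt;...

  session = {}
  token = MiniRails.csrf_token(session)
  puts MiniRails.verified_request?('POST', session, 'authenticity_token' => token)  # true
  puts MiniRails.verified_request?('POST', session, {})                             # false
end
```

Two points the code makes that the slides' bullet points do not: the CSRF check is only worth anything if GET requests really are side-effect free, because they are waved through; and the "no token in session yet" case has to fail closed, otherwise an attacker's empty token matches an empty expectation.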


There is also a Google Video version: Ruby on Rails Security.



Get the slides (PDF - 1.6 MB) or the video (mkv - 95 MB). Other formats are available from the official mirrors or the torrent site.

22C3 - Private Investigations

Posted by Jonathan

The 22nd Chaos Communication Congress (22C3) is a four-day conference on technology, society and utopia. The Congress offers lectures and workshops on a multitude of topics including (but not limited to) information technology, IT-security, internet, cryptography and generally a critical-creative attitude towards technology and the discussion about the effects of technological advances on society.

So the 22C3 is not far away and I wanted to help to spread the word. I'll certainly be there as the congress will be held in my hometown Berlin, Germany. I was thinking about presenting something about Rails, in particular about security issues and default settings in Rails, but when I finally decided to do so it was too late.

There is now an official 22C3 blog, a public wiki and the artwork is also finished.

See you in December!

UPDATE:
The schedule was released.

RubyConf 2005

Posted by Jonathan

As I could not attend RubyConf 2005, I am eager for slides, audio streams and video captures.

On RubyConf for Stragglers you can find mp3s/oggs for each presentation while Gluttonous has notes that should suffice until the presenters will update their slides (thanks for the effort!).

Of special note are David Heinemeier Hansson’s The State Of Rails (mp3/ogg/notes) and Yukihiro “Matz” Matsumoto’s keynote (mp3/ogg/notes).

David said that the Rails 1.0 release candidate is due the next days and spoke about the next steps after releasing 1.0. Apparently he wants to focus on the “platform”, meaning that the main development effort will go into building tools that support development and management of Rails applications. SwitchTower, the deployment manager is one example that is already available. Gauge will be a monitoring application for distributed/clustered Rails applications while Conductor will help people manage their domain models and manipulate the database like CocoaMySQL.

If somebody has other sources, please post them in the comments.

UPDATE:
Deirdre Saoire Moen has some notes on David’s Rails 1.0 session here.
You can get a RedHanded and the slides are available here.
A RubyConf 2005 Wrapup Conversation (mp3) by Obie Fernandez and Matt Pelletier can be found here.
Further, there is Planet Ruby Conf.

UPDATE 2:
Nearly all slides are available at Zenspider

Day 4 at What The Hack

Posted by Jonathan

I’m back home now. Yesterday was the last official day of What The Hack. The whole day was rainy again but luckily nothing of our stuff got wet.

At 12 a.m. Joerg Platzer held a talk about intellectual self-defense. Joerg was actually one of the guys that were traveling with me. The talk was about PR agencies, media, and politics and about how they have cooperated since 1920 in order to leave the decision making to the elite. Like Henry Kissinger said: "Democracy is too important to leave in the hands of the public." Regular training, like in physical self-defense, is needed in order to develop your own opinion instead of adopting the point of view inflicted on you.

Then I went to an introduction to mesh routing, and the Optimized Link State Routing protocol in particular, by Thomas Lopatic, who organizes a mesh network in Berlin and is a developer of www.olsr.org. Wikipedia explains quite well what a mesh network is:

Mesh networking is a way to route data, voice and instructions between nodes. It allows for continuous connections and reconfiguration around blocked paths by “hopping” from node to node until a connection can be established. Mesh networks are self healing: the network can still operate even when a node breaks down or a connection goes bad. As a result, a very reliable network is formed.

Again, very interesting, and as there is a mesh network in Berlin I will definitely have a closer look at OLSR and mesh networking.

What The Hack ended for me with the closing session by Rop Gonggrijp. Rop thanked a lot of people for their work and talked about the problems with the local authorities. They had many problems with the police and had to follow many regulations. There was a mobile HQ police vehicle near the registration center and a helicopter landing zone had to be reserved for the police. Officially there were nearly 20 police officers at the camp, while I heard rumors that unofficially there were nearly one hundred. A local security guy told me that the police tried to sniff all the traffic but then realized that it was just too much. There is a page on the wiki called spot the cop where people posted pictures of suspected police officers.

Rop also said that the authorities stated that next time the camp would have to pay for the police deployment, but they could not say how much police force they would want. If this had been applied to this year's camp, the costs would have been twice as high. Because of these problems the next camp might not be in the Netherlands, maybe in Germany instead.

Concluding, I spent some nice days in the Netherlands, fine talks, interesting stuff, and nice people. Oh, and rain…

Day 3 at What The Hack

Posted by Jonathan

The third day is not over yet but for me the interesting presentations are over.

Today I was at the talk about the OpenWrt project by Waldemar Brodkorb and Felix Fietkau. OpenWrt is a Linux distribution for wireless LAN routers, such as the Linksys WRT54G and Asus WL500g. The talk gave an overview of the project and the upcoming development work.

The next talk on my list was BGP in practice, an introduction to BGP by Sabri Berisha. Some very useful hints were presented and Sabri also pointed to http://www.virt-ix.net/, the virtual internet exchange. This IX is a sort of training platform for internet backbone engineers who use the Border Gateway Protocol on their routers. If you join, you will receive a /29 delegation out of 195.149.88.0/24, 193.17.225.0/24 or 194.126.235.0/24, which are real, live netblocks assigned by RIPE for this project.

A nice way to play with BGP if you do not have a big network at hand.

Then I went to a presentation about a vulnerability in the TCP/IP stack of many operating systems:

After an established connection, a specially crafted packet with the ACK/FIN flags set, a correct Sequence Number but an incorrect Acknowledge Number will trigger a massive flush of packets with zero size and only the ACK flag set. Ethereal logs showed that the keep-alive state was occurring and this flow kept going for approximately 3 minutes and a few million packets. It was clearly observed that CPU and network performance was severely decreased due to this misbehaviour. Potential attacks include DoS and DDoS. Applications and services that depend on quality of service (QoS), such as H.323 applications (VoIP) and video streaming, will suffer a dramatic performance downgrade.

The presenters could not say whether the problem lies in the implementation of the RFC or in the standard itself. The only OS they tested that is not affected is, of course, OpenBSD.
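The flood the abstract describes has a simple signature on the wire: a burst of zero-length, ACK-only segments in one direction of one connection. The detector below is an added example, not code from the presentation, and runs over constructed tcpdump-style lines embedded in the file; the line format, the one-second window and the threshold of 50 bare ACKs are assumptions chosen for this illustration, not values from the talk.

```ruby
# Added detector, not from the talk: flags the flood of zero-length ACK-only
# segments the abstract describes. The tcpdump-style line format, the window
# and the threshold below are assumptions chosen for this illustration.

ACK_STORM_THRESHOLD = 50    # bare ACKs from one direction of one flow ...
ACK_STORM_WINDOW    = 1.0   # ... within this many seconds

# Matches lines like:
# 12:00:01.000000 IP 10.0.0.5.443 > 10.0.0.9.51000: Flags [.], ack 1, win 501, length 0
LINE_RE = /\A(\d{2}:\d{2}:\d{2}\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\],.* length (\d+)\z/

Packet = Struct.new(:time, :src, :dst, :flags, :length)

# Seconds since midnight as a float; enough to order packets within a capture.
def seconds_of_day(hms)
  h, m, s = hms.split(':')
  h.to_i * 3600 + m.to_i * 60 + s.to_f
end

# Returns a Packet, or nil for lines that are not TCP packet summaries.
def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  Packet.new(seconds_of_day(m[1]), m[2], m[3], m[4], m[5].to_i)
end

# Sliding-window count of bare ACKs (tcpdump flag "." and no payload) per
# directional flow. Lines must be in capture order. Returns one alert per
# flow that crossed the threshold, keyed by "src > dst".
def detect_ack_storms(lines, threshold: ACK_STORM_THRESHOLD, window: ACK_STORM_WINDOW)
  recent = Hash.new { |h, k| h[k] = [] }
  alerts = {}
  lines.each do |line|
    pkt = parse_line(line) or next
    next unless pkt.flags == '.' && pkt.length.zero?
    key = "#{pkt.src} > #{pkt.dst}"
    times = recent[key]
    times << pkt.time
    times.shift while times.first < pkt.time - window   # forget ACKs outside the window
    next if times.size < threshold || alerts.key?(key)
    alerts[key] = { count: times.size, first_seen: times.first, last_seen: pkt.time }
  end
  alerts
end

# Constructed capture: a normal SSH exchange (data plus its bare ACK replies),
# then 120 bare ACKs in 120 ms on a TLS flow, i.e. the storm.
SAMPLE_LINES = begin
  normal = (0...5).flat_map do |i|
    [format('12:00:00.%06d IP 10.0.0.5.22 > 10.0.0.9.40000: Flags [P.], seq %d:%d, ack 1, win 501, length 32',
            i * 100_000, i * 32 + 1, i * 32 + 33),
     format('12:00:00.%06d IP 10.0.0.9.40000 > 10.0.0.5.22: Flags [.], ack %d, win 501, length 0',
            i * 100_000 + 500, i * 32 + 33)]
  end
  storm = (0...120).map do |i|
    format('12:00:01.%06d IP 10.0.0.5.443 > 10.0.0.9.51000: Flags [.], ack 1, win 501, length 0', i * 1_000)
  end
  normal + storm
end

if __FILE__ == $PROGRAM_NAME
  detect_ack_storms(SAMPLE_LINES).each do |flow, a|
    printf("ACK storm on %s: %d bare ACKs in %.3f s\n", flow, a[:count], a[:last_seen] - a[:first_seen])
  end
end
```

The normal flow also produces bare ACKs (one per data segment), which is why the detector counts per direction and per window rather than just matching the flag pattern; tune the threshold against a baseline capture before trusting it on a busy link.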

The last presentation was by Ruediger Weis. Hashing the Longhorn was about Trusted Computing, Longhorn, and in particular the SHA-1 hash. From the abstract:

Microsoft (Longhorn) and the Trusted Computing Group are working on the biggest change of the information landscape in decades. One of the main problems with these plans is that the computer owner is seen as an adversary. To make DRM 'successful', users should no longer have full control over their own computers. Because of this, cryptographic flaws in the TCG/Longhorn design have to be considered exceptionally harmful. Even though cryptographers have warned for many years, the TCG and Longhorn specifications use SHA-1 as the standard hash function. Recent cryptographic results have additionally shown a remarkable number of new serious security problems and practical attacks. As examples, we present new attacks on the digital signatures and the boot check values used in Longhorn/TCG that can fundamentally compromise 'trusted' systems. We warn Microsoft and the TCG not to establish a security infrastructure based on a broken hash algorithm.

Very interesting, but a little hard to follow acoustically. The conclusion was that the SHA family is broken and that PKI systems relying on MD5 or SHA-1 are in (near) danger from large organizations and governments.

Apart from the interesting stuff we had to cope with the rain again. My sleeping bag and half of my clothes are wet.

Now we will probably go to the BSD village and check out the Humppa and pray for a dry night with no rain.

Day 2 at What The Hack

Posted by Jonathan

I went to some presentations yesterday. Unfortunately Niels Provos could not hold his Honeyd presentation, but it was still interesting. I also was at Reyk Floeter's presentation on wireless support in OpenBSD, which included information on hostapd. Hannes Mehnert and Andreas Bogk gave a talk titled Phasing out UNIX before 2038-01-19 that concluded that C and Unix should be replaced by a new OS written in Dylan that could load a Linux kernel for compatibility. Later I was at the THC Olympic Quiz Game that ended with the release of the Phrack Hardcover.

We had nice weather until the evening. Then it started to rain and continued to rain the whole night. Our tent got wet from the bottom as we must have some tiny leaks in the ground mat of the tent. Everything that was located on the ground is wet and we have to figure out how to dry it. I hope that it will not rain today…

My Ruby presentation

Posted by Jonathan

I uploaded my Ruby presentation that I gave at the Juniter Workend back in March.

The presentation is an introduction and overview of Ruby, in German. There is also a small part about Ruby on Rails, but the focus is on the features of Ruby.

You can find the presentation here.

There seems to be an issue with Safari and the link to the PDF. If you get a File not found error, try reloading the page.