Change to 4 space indent for standard markup list compatibility

talks/beyond-anti-evil-maid.md

@@ -11,49 +11,49 @@ Matthew Garrett
 ## Talk notes
 
 - Trusted Platform Module
-  - Signing of code.
-  - Each module calculates the checksum of the next module the next before execution.
-  - Creates a chain of hashes H_n = H(H_(n-1), V), which is verified upon use.
-  - TPM keys can be restricted to PCR state.
-  - Data is not hashed.
-  - Signing needs to be verified against a certificate chain, leading up to the hardware vendor.
+    - Signing of code.
+    - Each module calculates the checksum of the next module the next before execution.
+    - Creates a chain of hashes H_n = H(H_(n-1), V), which is verified upon use.
+    - TPM keys can be restricted to PCR state.
+    - Data is not hashed.
+    - Signing needs to be verified against a certificate chain, leading up to the hardware vendor.
 - TPM features.
-  - Can create and store crypto keys.
-  - Only stored in TPM; not memory or on disk.
-  - Storage is dependent on TPM state.
-    - Each stored value depends on all the previous values.
-    - Uses "incremental" hashing -- the stored value together with the previous hash.
-  - Can be used to create disk crypto keys.
-  - There's no authentication; the system will just boot.
-    - Doesn't prevent booting from disk as there's no password prompt.
-    - Introducing password prompts is hard; no way of telling if the system is still trustworthy.
+    - Can create and store crypto keys.
+    - Only stored in TPM; not memory or on disk.
+    - Storage is dependent on TPM state.
+        - Each stored value depends on all the previous values.
+        - Uses "incremental" hashing -- the stored value together with the previous hash.
+    - Can be used to create disk crypto keys.
+    - There's no authentication; the system will just boot.
+        - Doesn't prevent booting from disk as there's no password prompt.
+        - Introducing password prompts is hard; no way of telling if the system is still trustworthy.
 - Anti evil maid.
-  - Encrypt a phrase known only to the user, store in TPM.
-  - Show on screen at boot, which proves that the system hasn't been tampered with.
-    - Unless the entire system has been compromised.
-  - What about a time-dependent one-time password?
-    - Same systems banks use for logins through tokens.
-    - Have the system show a six-digit code.
-    - Compare to an external system, like your cellphone.
-    - If the numbers match on both systems, the system is correct.
-    - Time-dependent secret will exist in RAM though.
-      - Use IOMMU to be more secure?
-    - TPM can sign with time of day; code can now be verified on the system level.
-    - Can be done with an externally generated crypto key shared between the TPM and mobile phone.
-      - External key can be extracted from TPM through a design flaw.
-      - Might be over-complicating things.
+    - Encrypt a phrase known only to the user, store in TPM.
+    - Show on screen at boot, which proves that the system hasn't been tampered with.
+        - Unless the entire system has been compromised.
+    - What about a time-dependent one-time password?
+        - Same systems banks use for logins through tokens.
+        - Have the system show a six-digit code.
+        - Compare to an external system, like your cellphone.
+        - If the numbers match on both systems, the system is correct.
+        - Time-dependent secret will exist in RAM though.
+            - Use IOMMU to be more secure?
+        - TPM can sign with time of day; code can now be verified on the system level.
+        - Can be done with an externally generated crypto key shared between the TPM and mobile phone.
+            - External key can be extracted from TPM through a design flaw.
+            - Might be over-complicating things.
 - TPM execution can be tied to specific GPIO pins.
-  - Can be used to turning on a LED.
-    - Susceptible to easy hardware hacks.
-  - Can be used to read data from NFC.
-    - Store private key on NFC; system won't boot without NFC unit.
+    - Can be used to turning on a LED.
+        - Susceptible to easy hardware hacks.
+    - Can be used to read data from NFC.
+        - Store private key on NFC; system won't boot without NFC unit.
 - Attacks.
-  - "Managment Engine" still has access to memory through DMA.
-  - TPM can be attacked physically.
-  - Can't trust hardware designed and fabricated by others.
-  - Even with open source CPU designs, who controls the fabrication process?
+    - "Managment Engine" still has access to memory through DMA.
+    - TPM can be attacked physically.
+    - Can't trust hardware designed and fabricated by others.
+    - Even with open source CPU designs, who controls the fabrication process?
 - Open source.
-  - https://github.com/mjg59/shim
-  - https://github.com/mjg59/grub
-  - https://github.com/mjg59/tpmtotp
+    - https://github.com/mjg59/shim
+    - https://github.com/mjg59/grub
+    - https://github.com/mjg59/tpmtotp
 

talks/breaking-honeypots.md

@@ -11,94 +11,94 @@
 DeanSysman, Gadi Evron, Itamar Sher
 
 - Cyber Deception.
-  - Find out what the bad guys are doing by tricking them.
-  - Attacks s attackers detection.
-  - Attackers have to search the target network for flaws.
-  - Observe, orient, decieve, attack (OODA).
-  - Considered in planning an intelligence operation.
-  - Requires a decoy.
-  - The decoy normally is receiving no traffic.
-  - If there's traffic, it means it's an attacker.
-  - Low interaction honeypots useful for malware and scanning detection.
-    - Limited by definition, as it's an emulation of another service to lure the attacker.
-  - High interaction honeypots are higly instrumented real services.
+    - Find out what the bad guys are doing by tricking them.
+    - Attacks s attackers detection.
+    - Attackers have to search the target network for flaws.
+    - Observe, orient, decieve, attack (OODA).
+    - Considered in planning an intelligence operation.
+    - Requires a decoy.
+    - The decoy normally is receiving no traffic.
+    - If there's traffic, it means it's an attacker.
+    - Low interaction honeypots useful for malware and scanning detection.
+        - Limited by definition, as it's an emulation of another service to lure the attacker.
+    - High interaction honeypots are higly instrumented real services.
 - Fingerprinting.
-  - Can be a vulnerability.
+    - Can be a vulnerability.
 - Low interaction honeypots.
-   - Scripting of default protocol behavior.
-   - Monitoring built into it.
+     - Scripting of default protocol behavior.
+     - Monitoring built into it.
 - High interaction honeypots.
-  - It's the actual network services/machines.
-  - Needs to be monitored.
-  - Difficult to properly implement.
+    - It's the actual network services/machines.
+    - Needs to be monitored.
+    - Difficult to properly implement.
 - Shodan.
-  - "Honeypot or not?" service.
+    - "Honeypot or not?" service.
 - "Artillery" project.
-  - A combination of a honeypot, monitoring tool, and alerting system.
-  - On github.
-  - Sends lots of random data to the attacker.
-  - No real deception.
-  - Detection is trivial.
-  - Can be used to block any IP internally in a network by spoofind source IP.
+    - A combination of a honeypot, monitoring tool, and alerting system.
+    - On github.
+    - Sends lots of random data to the attacker.
+    - No real deception.
+    - Detection is trivial.
+    - Can be used to block any IP internally in a network by spoofind source IP.
 - "BearTrap" project.
-  - Implements some services.
-  - Sends a default banner with status code 220.
-  - Easily detected.
-  - Waits for a user command, then returns status code 530.
-  - Can also be tricket into blocking a spoofed source IP.
+    - Implements some services.
+    - Sends a default banner with status code 220.
+    - Easily detected.
+    - Waits for a user command, then returns status code 530.
+    - Can also be tricket into blocking a spoofed source IP.
 - "honeyd" project.
-  - Configurable platform for honeypots.
-  - Default script detectable; has to be replaced.
-    - Spoofs IIS web server by default -- easily fingerprinted.
-    - Doesn't implement `DELE` command for FTP.
-    - Some SSH stuff detectable.
+    - Configurable platform for honeypots.
+    - Default script detectable; has to be replaced.
+        - Spoofs IIS web server by default -- easily fingerprinted.
+        - Doesn't implement `DELE` command for FTP.
+        - Some SSH stuff detectable.
 - "Nova"
-  - Detectable.
-    - Default windows config has no NetBIOS-service.
-    - ...
-  - Looking at _all_ services can fingerprint the honeypot.
+    - Detectable.
+        - Default windows config has no NetBIOS-service.
+        - ...
+    - Looking at _all_ services can fingerprint the honeypot.
 - "Kippo"
-  - Many commands aren't implemented.
-  - `wget` is implemented.
-  - Can be used for DDoS, port scan.
-  - Can be detected.
-    - Detecting can be achieved in the SSH connection.
-    - `uname` is always the same.
-      - Searching for the string gives lots of sysadmin questions in forums; "this machine on my network is weird".
+    - Many commands aren't implemented.
+    - `wget` is implemented.
+    - Can be used for DDoS, port scan.
+    - Can be detected.
+        - Detecting can be achieved in the SSH connection.
+        - `uname` is always the same.
+            - Searching for the string gives lots of sysadmin questions in forums; "this machine on my network is weird".
 - "Dionaea"
-  - Written with the goal to get a copy of the malware used in attacks.
-  - Can be detected.
-    - Portscan shows MS SQL server with "honeypot" in the name.
-    - HTTPS certificate is issued to a dionaea domain.
-  - Developers are aware of detection problems, but can't fix all of them with reasonable work.
-  - Attackers risk losing resources.
+    - Written with the goal to get a copy of the malware used in attacks.
+    - Can be detected.
+        - Portscan shows MS SQL server with "honeypot" in the name.
+        - HTTPS certificate is issued to a dionaea domain.
+    - Developers are aware of detection problems, but can't fix all of them with reasonable work.
+    - Attackers risk losing resources.
 - "Glstopf"
-  - Emulates thousands of known web security holes.
-  - Can be detected.
-    - Default web site front page needs to be customized.
-    - Implements directory traversal security hole. Returns default `/etc/shadow`.
-    - Directory traversal can be used to list `/proc/` -- if it's emulated you can see it. If it's a real machine, you can read out memory contents.
+    - Emulates thousands of known web security holes.
+    - Can be detected.
+        - Default web site front page needs to be customized.
+        - Implements directory traversal security hole. Returns default `/etc/shadow`.
+        - Directory traversal can be used to list `/proc/` -- if it's emulated you can see it. If it's a real machine, you can read out memory contents.
 - "KFSensor"
-  - Commercial Windows honeypot/IDS.
-  - Gives audio feedback for attacks.
-    - Default configuration gives lots of feedback for `broadcast requests`.
-  - Can be detected.
-    - Hosting a default web page.
-    - Limits conncetions to 40 before blacklisting.
+    - Commercial Windows honeypot/IDS.
+    - Gives audio feedback for attacks.
+        - Default configuration gives lots of feedback for `broadcast requests`.
+    - Can be detected.
+        - Hosting a default web page.
+        - Limits conncetions to 40 before blacklisting.
 - World honeypot deployment.
-  - Using zmap daily scan of port 443.
-  - Looking through HTTPS certificate domain results for dinoeae domain name.
-    - Taiwan, US, Japan the largest number of servers.
-    - Largest hosts are in a Taiwanese ISP, a US university, Taiwanese university.
-    - Random organizations around the world also deploys dioneae.
+    - Using zmap daily scan of port 443.
+    - Looking through HTTPS certificate domain results for dinoeae domain name.
+        - Taiwan, US, Japan the largest number of servers.
+        - Largest hosts are in a Taiwanese ISP, a US university, Taiwanese university.
+        - Random organizations around the world also deploys dioneae.
 - Lessons learned.
-  - Detection flaws are easy to find.
-  - Should deploy the service.
-  - Should deploy the whole service.
-  - Should make the set of services make sense for the specifik machine.
-  - Should make the service exploitable to unknown exploits.
-  - ...
-  - ...
+    - Detection flaws are easy to find.
+    - Should deploy the service.
+    - Should deploy the whole service.
+    - Should make the set of services make sense for the specifik machine.
+    - Should make the service exploitable to unknown exploits.
+    - ...
+    - ...
 
 EOT?
 

talks/buffering-sucks.md

@@ -11,29 +11,29 @@ Fredy Kuenzler
 ## Talk notes
 
 - Invented the "fastest internet in Switzerland" (init7, fiber7 in 2014)
-  - Doing internet/linux for 20-25 years.
-  - Politician for the social democrats. Part of the group of internet exports.
+    - Doing internet/linux for 20-25 years.
+    - Politician for the social democrats. Part of the group of internet exports.
 - Buffering root causes.
-  - Streaming video.
-    - Source can be too far away. CDNs are popular though.
-    - Adaptive streaming, but downgrades are not fun.
-    - Routing/algorithm matches; source or CDN server path.
-  - "The caller pays..."
-    - Who is making the call in an IP connection?
-    - 95% of traffic comes from server to client, even though client imitates transfer.
-    - There's no alternative way to reach a user; the user's ISP has to be involved.
-  - Broadband provides are not keen on upgrading interconnection capacity.
-    - Passive-aggressive behavior.
-    - Driven by financial gains, not technical reasoning.
-    - End-customers are suffering.
-    - Typical client:server traffic ratio is 1:5 to 1:10 (outbound:inbound).
-    - If the ration is not near an agreed 1:1, someone has to pay -- the content providers pays.
-    - ISPs can charge both content deliverers and end-users for more bandwidth -- double-sided market.
-  - Cost of traffic congestion.
-    - Car traffic congestion is costly -- 509€ per household per year -- according to official study.
-    - "Reservationslohn" is 5€ per hour; "minimum salary".
-    - 1 minute of waiting per day; 6 hours; 365/year; 30€ per year; 900M€ per year in Germany.
-    - ISPs slow interconnections are part of the traffic congestion problem.
-    - With the double-sided market, ISPs make a few million €. The loss is much higher.
-    - Should interconnections be regulated in the favor of the end-users?
+    - Streaming video.
+        - Source can be too far away. CDNs are popular though.
+        - Adaptive streaming, but downgrades are not fun.
+        - Routing/algorithm matches; source or CDN server path.
+    - "The caller pays..."
+        - Who is making the call in an IP connection?
+        - 95% of traffic comes from server to client, even though client imitates transfer.
+        - There's no alternative way to reach a user; the user's ISP has to be involved.
+    - Broadband provides are not keen on upgrading interconnection capacity.
+        - Passive-aggressive behavior.
+        - Driven by financial gains, not technical reasoning.
+        - End-customers are suffering.
+        - Typical client:server traffic ratio is 1:5 to 1:10 (outbound:inbound).
+        - If the ration is not near an agreed 1:1, someone has to pay -- the content providers pays.
+        - ISPs can charge both content deliverers and end-users for more bandwidth -- double-sided market.
+    - Cost of traffic congestion.
+        - Car traffic congestion is costly -- 509€ per household per year -- according to official study.
+        - "Reservationslohn" is 5€ per hour; "minimum salary".
+        - 1 minute of waiting per day; 6 hours; 365/year; 30€ per year; 900M€ per year in Germany.
+        - ISPs slow interconnections are part of the traffic congestion problem.
+        - With the double-sided market, ISPs make a few million €. The loss is much higher.
+        - Should interconnections be regulated in the favor of the end-users?