Invited Talks — Wednesday, August 25

11:00am–12:30pm
The Burglar Alarm Builder's Toolbox
Marcus Ranum, CEO, Network Flight Recorder, Inc.
When you're protecting your site, don't ignore the home court advantage! One of the best ways to detect attackers is by instrumenting your system with unexpected booby traps and alarm bells. Make your system or network into a virtual minefield for hackers to play in. I will present a few useful tools and sick, twisted ideas for building burglar alarms.

2:00pm–3:30pm
ActiveX Insecurities
Richard M. Smith, President, Phar Lap Software, Inc.
Microsoft's ActiveX technology in the Internet Explorer browser is enough to give any person concerned about computer security the willies. Here we have binary executables being automatically downloaded and run by Web pages right past most firewalls. ActiveX controls do not execute in any sort of security sandbox and have complete access to a computer. Microsoft offers us their Authenticode technology to protect us from people creating malicious controls. So far, it's not hackers but major hardware and software vendors such as Microsoft, HP, Compaq, and MSNBC who have created clever methods of delivering questionable ActiveX controls and finding backdoors into Authenticode. Richard will describe Authenticode's inner workings. He'll demonstrate many of the problems he has found with different vendors' ActiveX controls and will show how these controls can be easily misused by anyone. He will also offer some potential solutions to problems created by ActiveX controls and weaknesses in the design of Authenticode.