CanSecWest
Single track, super smart technical content (well, except maybe the idiot from McAfee), high quality attendees... This is a good conference.
Charlie Miller's talk on fuzzing was interesting from an analytic point of view, showing the curve that illustrates the point of diminishing returns for fuzzing and the volume of failures you will have in order to achieve a few successes (exploits). Key takeaway for vendors: keep fuzzing. A lot. Because if you don't, someone else will.
Pwn2Own was open for its usual 3 days but all the exploits were on day 1 again. iPhone was the only phone that was hacked, and three of the four browsers were hacked (IE8, Firefox, Safari). I carry an iPhone, dammit. Thinking about switching from FF to Chrome though. I doubt it is bulletproof, but if no one is targeting it because its market share is too small, I'm ok taking advantage of that security-through-obscurity for now.