I Think ICANN
Friday, June 27. 2008
It has finally happened. ICANN has approved the first major change to the DNS architecture since RFC-882 (November 1983). Specifically: ICANN has approved arbitrary gTLDs.
DNS uses a hierarchical naming system. The generic top-level domain name (gTLD) defines the category for the name. Historically, these have been limited to ".com", ".org", ".net", and 18 others. Some of the gTLDs are sponsored, like ".aero" for the aerospace industry and ".museum" for museum-related sites.
Along with the gTLDs are country code top level domains (ccTLDs). For example, ".us" for the United States, ".fr" for France, and ".tv" for the island nation of Tuvalu.
The new ICANN decision effectively permits anyone to sponsor a top-level domain.
The wider selection of gTLDs has some great potential for organization. Right now, banks, hotels, and other industries are all grouped in the same gTLD: ".com". Imagine if all financial institutions had to be vetted before being added to the ".bank" gTLD; casinos could be under ".casino" and hotels under ".hotel". This could make it much more difficult for fraud and phishing that relies on domain name impersonation. For example, if the bank's email does not come from a ".bank" domain, then it is much more likely to be a scam.
Unfortunately, there is also plenty of room for abuse -- particularly if the gTLD process is not well vetted. For example:
Hopefully ICANN will restrict gTLDs to words with multi-person usage. A gTLD like ".usatoday" will have very little use to anyone outside of their company. In contrast, I can understand wanting ".paris" or ".nyc" (for residents of Paris or New York City, respectively). I fully expect to see domains like .sex and .hotel be registered quickly (and probably used in hyperlinks on the same escort web sites). Services, such as .car, .train, .boat, and ubiquitous topics like .home, .rss, and .blog are certain to appear (and probably for a premium price tag). And as one Slashdot commentor remarked: "We are long overdue for a .sucks domain."
While this has a huge potential for abuse, I kind of suspect that nothing will change in the near future. Sure, there will be a fast land-grab for good gTLDs, but the average person will probably stick with ".com".
The one good outcome from ICANN's decision will likely be a reduction in the number of domains that most companies register. If everyone has their own gTLD, then there will be no need to register your name under .com, .net, and .org -- just in case someone tries to compete with your company. For example, Microsoft could get ".microsoft" and release microsoft.com, microsoft.net, microsoft.org, microsoft.info, microsoft.biz, microsoft.us, microsoft.it (Italy), microsoft.ru (Russia), and all of the other variations.
Apart from all of the vectors for abuse (both corporate and fraud), this ICANN decision has the potential for being a really good thing. For example, why should my domain be listed along with every ".com" when it could be listed as a ".forensics" or ".compsci" (computer science) or even ".hacker". And why should I use "nealkrawetz.com" when I could use "nealkrawetz.phd"?
Unfortunately, poor naming management and unenforced rules could quickly ruin this good decision and lead to hostname abuses unlike anything we have seen before. And sadly, ICANN has a long history of poor management, unenforced rules, and slow reaction (if any). For example:
ICANN's decision to permit arbitrary gTLDs has the potential to be a very good thing. However, it will take a conscious effort to deter abuse.
There are a few steps that ICANN can take to make this a very good thing:
While I am hoping for the best, I am expecting the worst. DNS has always had problems, but arbitrary gTLDs have the potential to make a bad situation unbearable.
DNS uses a hierarchical naming system. The generic top-level domain name (gTLD) defines the category for the name. Historically, these have been limited to ".com", ".org", ".net", and 18 others. Some of the gTLDs are sponsored, like ".aero" for the aerospace industry and ".museum" for museum-related sites.
Along with the gTLDs are country code top level domains (ccTLDs). For example, ".us" for the United States, ".fr" for France, and ".tv" for the island nation of Tuvalu.
The new ICANN decision effectively permits anyone to sponsor a top-level domain.
ICANN See Problems
The wider selection of gTLDs has some great potential for organization. Right now, banks, hotels, and other industries are all grouped in the same gTLD: ".com". Imagine if all financial institutions had to be vetted before being added to the ".bank" gTLD; casinos could be under ".casino" and hotels under ".hotel". This could make it much more difficult for fraud and phishing that relies on domain name impersonation. For example, if the bank's email does not come from a ".bank" domain, then it is much more likely to be a scam.
Unfortunately, there is also plenty of room for abuse -- particularly if the gTLD process is not well vetted. For example:
- If there is no vetting, then we can see lookalike domains, like ".c0m" (with a zero) impersonating ".com" domains, and ".mi1" (with a one instead of an ell) competing with the government's ".mil" domain.
- Finding good domain name can become significantly more difficult if everyone can register their own gTLD. Right now, it is hard to find a good domain name in the ".com" domain. All the good words are taken -- some by valid companies, and others by cyber-squatters. Imagine how hard it will be if ICANN allows people to register trademark names as TLDs. Suddenly, you won't be able to find a viable TLD to go with your good hostname.
- There is likely to be a race for phishing sites. Is the hostname "bank.of.america" owned by the real Bank of America or by a phisher? Too bad we cannot assume bad guys will stick to a ".fraud" domain.
- Malware frequently tries to cloak the executable name. What if someone registers ".exe"? Is "cmd.exe" a program or a hostname, and will it be blocked by your anti-virus system? The same goes for ".bat", ".scr", ".dll" and other executable names. (I'd also list ".sh" for shell programmers, but that is already taken as the country code TLD (ccTLD) for Saint Helena.) And you just know that some idiot will register the gTLD ".html".
Hopefully ICANN will restrict gTLDs to words with multi-person usage. A gTLD like ".usatoday" will have very little use to anyone outside of their company. In contrast, I can understand wanting ".paris" or ".nyc" (for residents of Paris or New York City, respectively). I fully expect to see domains like .sex and .hotel be registered quickly (and probably used in hyperlinks on the same escort web sites). Services, such as .car, .train, .boat, and ubiquitous topics like .home, .rss, and .blog are certain to appear (and probably for a premium price tag). And as one Slashdot commentor remarked: "We are long overdue for a .sucks domain."
While this has a huge potential for abuse, I kind of suspect that nothing will change in the near future. Sure, there will be a fast land-grab for good gTLDs, but the average person will probably stick with ".com".
My God, It's Full of Stars
The one good outcome from ICANN's decision will likely be a reduction in the number of domains that most companies register. If everyone has their own gTLD, then there will be no need to register your name under .com, .net, and .org -- just in case someone tries to compete with your company. For example, Microsoft could get ".microsoft" and release microsoft.com, microsoft.net, microsoft.org, microsoft.info, microsoft.biz, microsoft.us, microsoft.it (Italy), microsoft.ru (Russia), and all of the other variations.
Apart from all of the vectors for abuse (both corporate and fraud), this ICANN decision has the potential for being a really good thing. For example, why should my domain be listed along with every ".com" when it could be listed as a ".forensics" or ".compsci" (computer science) or even ".hacker". And why should I use "nealkrawetz.com" when I could use "nealkrawetz.phd"?
Unfortunately, poor naming management and unenforced rules could quickly ruin this good decision and lead to hostname abuses unlike anything we have seen before. And sadly, ICANN has a long history of poor management, unenforced rules, and slow reaction (if any). For example:
- It took ICANN years to address domain name tasting, where cybersquatters and phishers register domain names for the free trial period (5 days). After the free trial expires, they determine whether the name was good enough to keep. A related abuse, domain kiting, deletes the domain during the 5-day period and then re-registers it. Using this approach, a scammer can hold onto a domain indefinitely and for free. These abuses currently account for as much as 95% of the deleted domain names.
- ICANN was extremely slow to react to complaints about front running. "Front running" is when a domain registrar permits users to lookup domain names, then quickly registers the names. If you don't buy it immediately, then it gets taken by a cyber-squatter (via the registrar). Companies like Network Solutions have been known to be doing this for over a decade, but it wasn't until 2007 that ICANN began to investigate the complaints.
- A report by KnujOn found that 90% of all spam sites are registered through ten (10) domain registrars. However, ICANN did not respond to this problem until after KnujOn went public and it was picked up by the mass media.
- ICANN cannot even be relied on to process complaint requests. While KnujOn was reporting spam domains that were lacking the required valid contact information, KnujOn repeatedly crashed ICANN's database.
- ICANN cannot even protect their own domain. Just this week ICANN had their domain name hijacked, leading to a web defacement. So far, nobody has managed to hijack a gTLD (as far as I know), but with management of the gTLDs pushed down to less reliable registrars, it is only a matter of time before these get hijacked.
Cross Your Fingers
ICANN's decision to permit arbitrary gTLDs has the potential to be a very good thing. However, it will take a conscious effort to deter abuse.
There are a few steps that ICANN can take to make this a very good thing:
- Hire a librarian. Every librarian that I have met has a blackbelt in information organization. (Did I mention that I've been to ALA's annual and midWinter conferences more than once?) The biggest problem with the naming system is a lack of organization. It would not be hard for a librarian to identify multiple methods for better organizing DNS. (When I spoke to some librarians about the newsgroup structure "alt.news..." and DNS organization, they were horrified.) Sadly, ICANN seems to be a group of techies -- engineers making engineering decisions that seem good to other engineers but not good for the rest of the world.
- Regulate the structure and vet members. If ".bank" is only for financial institutions, then reject non-banks. And if ".org" is for non-profit organizations, then reject anything that is not a registered non-profit. Unfortunately, as ICANN stated when they rejected the ".xxx" gTLD, ICANN is not a regulatory body. I truly expect lawsuits over who can control each custom gTLD (if for no other reason, then conflicting copyrights).
- Do not delegate. If ICANN passes the gTLD registration system to certified registrars, then there will certainly be abuse.
While I am hoping for the best, I am expecting the worst. DNS has always had problems, but arbitrary gTLDs have the potential to make a bad situation unbearable.
The End of Free Speech
Sunday, June 22. 2008
While we cheered the demise of the Protect America Act, we knew it was not going to be the end. President Bush was pushing for two key items: unrestricted ability to monitor telephone and electronic communications, and automatic forgiveness to any telephone company that assisted with warrantless wiretaps.
Last week, a compromise was reportedly reached. FISA passed the House of Representatives with a vote of 293 to 129.
The compromised FISA bill brings retroactive immunity to telcos that assist in warrantless wiretaps. (See page 15, line 17 of the FISA bill for "RELEASE FROM LIABILITY".) The bill effectively gives the government a 30-day window to evaluate collected information and to issue a warrant. Then there is a 30-day window for the courts to issue the warrant (page 21, line 7), and a 30-day window to address any issues found by the court (page 24, line 7). The cycle can actually repeat: issues are addressed, court reviews for 30 days, more issues are addressed and submitted 30 days after that, and repeat; and this is not counting the 60-day appeal process on Page 25, line 17 in case the court declines a warrant. Thus, the shortest duration without a warrant could be days, but the longest duration could allow the government to hold and review records for at least 90 days (30 days to submit plus 60 days to appeal) and possibly indefinitely -- as long as it is tied up in the court review process (30 days to find deficiencies, 30 days to address deficiencies, repeat).
The ability for the government to monitor communications is effectively the end of free speech. Should you mention anything online or over the phone that could be construed as a terrorist action, you could be arrested. It does not matter if it was a joke or banter taken out of context, or simply relaying a story you heard on CNN. The fact is, Big Brother is listening.
The common misconception is that innocent people have nothing to hide. This is a myth. In fact, statements such as "I have nothing to hide" always reminds me of a joke:
The fact is, you don't know what the government is looking for. You don't know which of your actions, if any, could be construed as a terrorist action. The only thing you do know is that they are looking. Your free speech is gone. If you say the wrong thing then you will be investigated.
My friend, T., relayed to me a joke that he heard on Comedy Central. A survey taker was asking people which of the US Amendments was most important. One person answered, "The Second Amendment". When asked why he thought the Right to Bear Arms was more important than the First Amendment's Freedom of Speech, the man replied, "If you are armed, then you have the freedom of speech." (This goes along well with Heinlein's famous quote: "an armed society is a polite society".)
One can only hope that the FISA bill is blocked by the Senate (unlikely), contested and denied as unconstitutional by the US Supreme Court, or that the next administration quickly stops FISA. Otherwise, it is time to support the NRA in their fight to save the Second Amendment. Meanwhile, learn to use PGP, and use it.
Last week, a compromise was reportedly reached. FISA passed the House of Representatives with a vote of 293 to 129.
The compromised FISA bill brings retroactive immunity to telcos that assist in warrantless wiretaps. (See page 15, line 17 of the FISA bill for "RELEASE FROM LIABILITY".) The bill effectively gives the government a 30-day window to evaluate collected information and to issue a warrant. Then there is a 30-day window for the courts to issue the warrant (page 21, line 7), and a 30-day window to address any issues found by the court (page 24, line 7). The cycle can actually repeat: issues are addressed, court reviews for 30 days, more issues are addressed and submitted 30 days after that, and repeat; and this is not counting the 60-day appeal process on Page 25, line 17 in case the court declines a warrant. Thus, the shortest duration without a warrant could be days, but the longest duration could allow the government to hold and review records for at least 90 days (30 days to submit plus 60 days to appeal) and possibly indefinitely -- as long as it is tied up in the court review process (30 days to find deficiencies, 30 days to address deficiencies, repeat).
The ability for the government to monitor communications is effectively the end of free speech. Should you mention anything online or over the phone that could be construed as a terrorist action, you could be arrested. It does not matter if it was a joke or banter taken out of context, or simply relaying a story you heard on CNN. The fact is, Big Brother is listening.
The common misconception is that innocent people have nothing to hide. This is a myth. In fact, statements such as "I have nothing to hide" always reminds me of a joke:
A doctor was heading to the hospital for his shift in the ER. At an intersection with a red light, he came to a stop. Unfortunately, the guy driving the pickup truck behind him was not paying attention and cause a slight fender bender. The pickup's driver hopped out of the car, looked at the damage, and then asked the doctor, "Are you alright?" The doctor replied, "How should I know. I'm not a lawyer."
The fact is, you don't know what the government is looking for. You don't know which of your actions, if any, could be construed as a terrorist action. The only thing you do know is that they are looking. Your free speech is gone. If you say the wrong thing then you will be investigated.
My friend, T., relayed to me a joke that he heard on Comedy Central. A survey taker was asking people which of the US Amendments was most important. One person answered, "The Second Amendment". When asked why he thought the Right to Bear Arms was more important than the First Amendment's Freedom of Speech, the man replied, "If you are armed, then you have the freedom of speech." (This goes along well with Heinlein's famous quote: "an armed society is a polite society".)
One can only hope that the FISA bill is blocked by the Senate (unlikely), contested and denied as unconstitutional by the US Supreme Court, or that the next administration quickly stops FISA. Otherwise, it is time to support the NRA in their fight to save the Second Amendment. Meanwhile, learn to use PGP, and use it.
Glass Half Full
Thursday, June 19. 2008
I attended Texas A&M during the birth of the Web. One of my office mates, Chris, really took to networking everything. At one point, he snagged a stepper motor from the Space Fill Project (aka storage room) and hooked it up to the window blinds. People could go to a URL and open/close the blinds with the click of a button. Initially students would come running by the office and shout down the hall "Hey! They really are opening!". Soon the blinds were moving 24x7. (It would have been really annoying if it wasn't so funny.)
Following the online blinds... and the webcam of the bonfire collapse (this was pretty much the view from our office window; video taken by a different office mate also named Chris), and the horrible radio (that played low quality Mexican music and still gives me nightmares), we tried to put other things online. We really wanted to network the elevators. Our idea was to see where the elevators were located, direction, speed, and even put a call button on the web. However, the building engineers said that playing with the elevator was a safety hazard (wimps!).
There are many benefits for putting traditionally non-computer items online. For example, data related to energy use can be aggregated from different sources, leading to lower energy bills. When I switched my home's thermostat from a fixed dial to a non-networked programmable system that changes the temperature based on the time of day, my heating bill dropped dramatically. The thermostat paid for itself in a few months. If I could network my thermostat and give it information such as outside temperature and weather, or link it to my location ("he's coming home, turn up the heat now"), then I am certain that my bill could drop even more.
I can even see the desire to network other household appliances. For example, a networked washing machine could page me when it finishes. On a cold, rainy day, I could leave a towel in it and start the drier right before I get home (nothing beats a warm towel after a cold rain).
Having a networked refrigerator makes serious sense. Besides keeping track of my shopping list, it can track recipes. Based on the refrigerator's contents, it could suggest meals.
My oven already has a timer; I can tell it to start cooking the food at a specific time. However, sometimes I get home late. An Internet-enabled wall oven could pre-heat the oven for the pizza or start the cooking before I get home.
Totally networked houses are currently customized. I like the idea of commercial-off-the-shelf (COTS) appliances with network access.
The downside of online appliances concerns security. Since these appliances really are computers, they are vulnerable to attacks. Viruses, malware, or even malicious attackers all pose threats. Nobody wants a phone call like, "Sir, your refrigerator is sending out 10,000 spam messages per hour", "Miss, your oven is part of a botnet", or "Bob, your washing machine is hosting a porn site and illegally downloading music." At minimum, these appliances need to be upgradable and offer basic network, system, and account protection.
Recently a networked coffee maker has been exposed as being vulnerable. The Jura Impressa F90 expresso maker has an optional Internet Connection Kit. This provides desirable network access, but also a remote attack vector.
There are many reasons to want to network your commercial-quality expresso system. For example, you can:
Unfortunately, the embedded computer actually runs a version of Windows XP that is vulnerable to remote attack. According to the advisory, an attacker can create physical issues, such as changing cup volume (under-fulling, or overfilling and spilling hot coffee), alter the flavor, or create settings that physically damage the Impressa F90. More importantly, the system runs XP and permits a remote attacker to access it as any other XP system. Malware, spam, and botnets are all real threats.
Of course, the humor has already started. The Register reports a rumor of Al Qaeda targeting the Internet-enabled expresso machines.
While reading over Jura's FAQ, I found other issues of concern with their products. For example, their FAQ about "Problems and solutions for IMPRESSA Web Pilot" says:
Does their system really require solitary access to the Bluetooth subsystem? Or is this only for diagnostics. They don't say to ever re-enable the devices... (I suspect that this is strictly for diagnostics and the FAQ only describes half of the necessary steps.)
Between the manual that describes functionality but not why you would want it, and the FAQ that gives partial instructions, it is no wonder that their software is vulnerable to exploitation. They seem to have a pattern of only partially completing tasks. (I can only hope that the machine creates more than a half-cup of coffee.)
This example appliance exploit makes me wonder about other online devices. For example, I'd hate to see an attacker hijack an Internet-enabled microwave oven and start a fire.
Following the online blinds... and the webcam of the bonfire collapse (this was pretty much the view from our office window; video taken by a different office mate also named Chris), and the horrible radio (that played low quality Mexican music and still gives me nightmares), we tried to put other things online. We really wanted to network the elevators. Our idea was to see where the elevators were located, direction, speed, and even put a call button on the web. However, the building engineers said that playing with the elevator was a safety hazard (wimps!).
Benefits of Online Appliances
There are many benefits for putting traditionally non-computer items online. For example, data related to energy use can be aggregated from different sources, leading to lower energy bills. When I switched my home's thermostat from a fixed dial to a non-networked programmable system that changes the temperature based on the time of day, my heating bill dropped dramatically. The thermostat paid for itself in a few months. If I could network my thermostat and give it information such as outside temperature and weather, or link it to my location ("he's coming home, turn up the heat now"), then I am certain that my bill could drop even more.
I can even see the desire to network other household appliances. For example, a networked washing machine could page me when it finishes. On a cold, rainy day, I could leave a towel in it and start the drier right before I get home (nothing beats a warm towel after a cold rain).
Having a networked refrigerator makes serious sense. Besides keeping track of my shopping list, it can track recipes. Based on the refrigerator's contents, it could suggest meals.
My oven already has a timer; I can tell it to start cooking the food at a specific time. However, sometimes I get home late. An Internet-enabled wall oven could pre-heat the oven for the pizza or start the cooking before I get home.
Totally networked houses are currently customized. I like the idea of commercial-off-the-shelf (COTS) appliances with network access.
Online Appliance Downtime
The downside of online appliances concerns security. Since these appliances really are computers, they are vulnerable to attacks. Viruses, malware, or even malicious attackers all pose threats. Nobody wants a phone call like, "Sir, your refrigerator is sending out 10,000 spam messages per hour", "Miss, your oven is part of a botnet", or "Bob, your washing machine is hosting a porn site and illegally downloading music." At minimum, these appliances need to be upgradable and offer basic network, system, and account protection.
Recently a networked coffee maker has been exposed as being vulnerable. The Jura Impressa F90 expresso maker has an optional Internet Connection Kit. This provides desirable network access, but also a remote attack vector.
There are many reasons to want to network your commercial-quality expresso system. For example, you can:
- Download the latest coffee flavors.
- Request remote maintenance and diagnostics. Rather than shipping the huge system back for maintenance, they can remotely access it and diagnose problems.
- Communicate between your coffee maker and your PC. Unfortunately, the manual does not say why you would want this. One of their other web pages says "On the PC, coffee specialities can be chosen and their settings memorized in the machine electronics." (i.e., you can program the coffee settings.)
Unfortunately, the embedded computer actually runs a version of Windows XP that is vulnerable to remote attack. According to the advisory, an attacker can create physical issues, such as changing cup volume (under-fulling, or overfilling and spilling hot coffee), alter the flavor, or create settings that physically damage the Impressa F90. More importantly, the system runs XP and permits a remote attacker to access it as any other XP system. Malware, spam, and botnets are all real threats.
Of course, the humor has already started. The Register reports a rumor of Al Qaeda targeting the Internet-enabled expresso machines.
While reading over Jura's FAQ, I found other issues of concern with their products. For example, their FAQ about "Problems and solutions for IMPRESSA Web Pilot" says:
Under Windows XP, proceed as follows: Start -- Run-- enter msconfig - select System Startup tab - now deactivate ANY programs which have anything to do with Bluetooth or mobile phones. Click Apply and Restart.
Does their system really require solitary access to the Bluetooth subsystem? Or is this only for diagnostics. They don't say to ever re-enable the devices... (I suspect that this is strictly for diagnostics and the FAQ only describes half of the necessary steps.)
Between the manual that describes functionality but not why you would want it, and the FAQ that gives partial instructions, it is no wonder that their software is vulnerable to exploitation. They seem to have a pattern of only partially completing tasks. (I can only hope that the machine creates more than a half-cup of coffee.)
This example appliance exploit makes me wonder about other online devices. For example, I'd hate to see an attacker hijack an Internet-enabled microwave oven and start a fire.
Words of Advice
Sunday, June 15. 2008
The GovernmentSecurity.Org forum (GSO) just announced a new contest. For this contest, you must write a hacking related paper. Sample topics include exploits, policies, penetration testing, compliance, and network security. According to their guidelines, the paper must be original work. After submitting your article, GSO members "vote" on the papers and the winner gets $100 USD.
Here's my thought: $100 is not very much. If your goal is the win the contest, then ignore the prize money and enter. However, if your real goal is something else -- peer respect, public acknowledgment, wide spread distribution, or financial return for your time -- then there are many other forums that seem a better fit. This GSO contest is not necessarily the best match.
For example, the contest wants you to write an original paper. In return, you have a slim possibility (all things being equal) of winning the $100. In contrast, if you can write a 2000-2500 words paper, then outlets like Security Focus and IBM's DeveloperWorks may buy the paper. These will give you a very wide distribution, true peer comments, and more than $100. And more importantly: it isn't a contest. Every good paper has a chance at being picked up.
If your focus is on revenue for exploit disclosure, then consider places like iDefense's VCP program. The pay rate depends on the severity of the exploit, and $100 is the minimum. Who needs a full paper or the hassle of a contest? In the past, I've received good money from iDefense for write-ups as short as a paragraph. (I have no direct experience with the ZDI program, but I found their lack of direct answers for "how much will you pay" to be a little disturbing.)
If you are more interested in the full peer-review process, consider some of the IEEE or ACM publications.
Finally, there are always conferences. Many conferences want you to submit a paper along with your presentation. (If you can write a paper, then it usually isn't hard to turn it into a presentation.) Forums like Black Hat, Defcon, CSI, and HOPE either require papers or prefer papers to include in the conference proceedings. These forums are hard to get into (it is like a contest, but with multiple winners) but they have excellent rewards (at minimum: publicity, financial return, reputation development, and respect from your peers).
While the GSO contest is a cute idea, it may not be worth the effort. If you have enough of an idea for a security-related paper, consider shopping around first and finding the best place to present the information. A contest in a small forum for relatively little reward may not be your best option. (Then again, they only have one submission so far. That gives you a 50% chance of winning if you submit right now and nobody else enters. You will have an even higher chance of winning if you register a bunch of fake accounts and use them all to vote for yourself.)
ps. The above list of publication outlets and conferences is nowhere near complete. They are just the ones that I could recall in 30 seconds. Look around and you will find plenty of opportunities.
Here's my thought: $100 is not very much. If your goal is the win the contest, then ignore the prize money and enter. However, if your real goal is something else -- peer respect, public acknowledgment, wide spread distribution, or financial return for your time -- then there are many other forums that seem a better fit. This GSO contest is not necessarily the best match.
For example, the contest wants you to write an original paper. In return, you have a slim possibility (all things being equal) of winning the $100. In contrast, if you can write a 2000-2500 words paper, then outlets like Security Focus and IBM's DeveloperWorks may buy the paper. These will give you a very wide distribution, true peer comments, and more than $100. And more importantly: it isn't a contest. Every good paper has a chance at being picked up.
If your focus is on revenue for exploit disclosure, then consider places like iDefense's VCP program. The pay rate depends on the severity of the exploit, and $100 is the minimum. Who needs a full paper or the hassle of a contest? In the past, I've received good money from iDefense for write-ups as short as a paragraph. (I have no direct experience with the ZDI program, but I found their lack of direct answers for "how much will you pay" to be a little disturbing.)
If you are more interested in the full peer-review process, consider some of the IEEE or ACM publications.
Finally, there are always conferences. Many conferences want you to submit a paper along with your presentation. (If you can write a paper, then it usually isn't hard to turn it into a presentation.) Forums like Black Hat, Defcon, CSI, and HOPE either require papers or prefer papers to include in the conference proceedings. These forums are hard to get into (it is like a contest, but with multiple winners) but they have excellent rewards (at minimum: publicity, financial return, reputation development, and respect from your peers).
While the GSO contest is a cute idea, it may not be worth the effort. If you have enough of an idea for a security-related paper, consider shopping around first and finding the best place to present the information. A contest in a small forum for relatively little reward may not be your best option. (Then again, they only have one submission so far. That gives you a 50% chance of winning if you submit right now and nobody else enters. You will have an even higher chance of winning if you register a bunch of fake accounts and use them all to vote for yourself.)
ps. The above list of publication outlets and conferences is nowhere near complete. They are just the ones that I could recall in 30 seconds. Look around and you will find plenty of opportunities.
Coming to a Theater Near You
Monday, June 9. 2008
Not everyone can make it to Black Hat or Defcon. So I enjoy speaking at local events.
I currently have two presentations coming up. Both are variations of my "A Picture's Worth: Digital Image Analysis" presentation.
Tomorrow (Tuesday) evening, I will be giving the talk for the local Hacking Society and Northern Colorado Linux User's Group (NCLUG).
Following the NCLUG, I will be presenting at the University of Wisconsin's 8th Annual Lockdown conference next month. (Don't tell NCLUG, but they are my time test for the University presentation since I modified the talk and need to see how long it takes to present.)
I am going to hold off presenting at Black Hat this year. This year's speaking requirements have 75-minute time slots with separate question/answer sessions. While I like the format and separate Q&A sessions, the amount of material needed for 75-minutes is a lot of work. For me, a 45- to 60-minute talk followed by 10-15 minutes of Q&A is ideal. (The 75-minute Black Hat spots seem too long to me, and the 15-20 minute turbo talks are just too short for me to cover a topic with good case study. Although, I wouldn't mind doing a panel or debate-format some time.)
In case you have never seen any of my presentations... I'm part of the TV generation. I try to cover a new method or technology every 10-15 minutes. A 60-minute talk is usually 3-4 methods plus 1-2 large case studies that bring all of the different parts together. While other speakers talk slow, I usually race through the materials. I have been known to cover 60-80 slides in 45 minutes. (It sounds like a lot, but my talks are very visual, and many slides are minor changes to previous slides.) Finally, I have seen lots of talks that are dry. While the topic may be interesting, the presentation is monotone. In contrast, I try to keep my talks entertaining by including humor in the examples -- without detracting from the contents.
I currently have two presentations coming up. Both are variations of my "A Picture's Worth: Digital Image Analysis" presentation.
Tomorrow (Tuesday) evening, I will be giving the talk for the local Hacking Society and Northern Colorado Linux User's Group (NCLUG).
Following the NCLUG, I will be presenting at the University of Wisconsin's 8th Annual Lockdown conference next month. (Don't tell NCLUG, but they are my time test for the University presentation since I modified the talk and need to see how long it takes to present.)
I am going to hold off presenting at Black Hat this year. This year's speaking requirements have 75-minute time slots with separate question/answer sessions. While I like the format and separate Q&A sessions, the amount of material needed for 75-minutes is a lot of work. For me, a 45- to 60-minute talk followed by 10-15 minutes of Q&A is ideal. (The 75-minute Black Hat spots seem too long to me, and the 15-20 minute turbo talks are just too short for me to cover a topic with good case study. Although, I wouldn't mind doing a panel or debate-format some time.)
In case you have never seen any of my presentations... I'm part of the TV generation. I try to cover a new method or technology every 10-15 minutes. A 60-minute talk is usually 3-4 methods plus 1-2 large case studies that bring all of the different parts together. While other speakers talk slow, I usually race through the materials. I have been known to cover 60-80 slides in 45 minutes. (It sounds like a lot, but my talks are very visual, and many slides are minor changes to previous slides.) Finally, I have seen lots of talks that are dry. While the topic may be interesting, the presentation is monotone. In contrast, I try to keep my talks entertaining by including humor in the examples -- without detracting from the contents.
(Page 1 of 39, totaling 195 entries)
» next page
Calendar
|
July '08 | |||||
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 | ||
