Tutorial Programme

Writing Secure Software, by Michael Paddon

Today, it is more important than ever that the software we are writing is designed and built with security as a primary goal.  The ubiquitous global connectivity of the Internet has created unparalleled opportunities for malicious attack and compromise of our systems.  Most compromises occur through the exercise of bugs, limitations and unintended functionality.

This tutorial covers the fundamentals of designing and implementing systems that are secure from the ground up.

Areas covered:

Internet services - discovery and use, by Jan Newmarch

Internet services - some new middleware systems

This tutorial looks at some of the recent middleware systems that have been given publicity, and examines them from the point of view of architecture, stability and programming APIs. These include

• Jini - mobile objects based on Java
• Web services - based on SOAP, WSDL and UDDI, these use a traditional RPC mechanism
• JXTA - an infrastructure for building peer-to-peer systems e.g. file sharing

The APIs discussed will be for Java as these are the most stable for these systems. A basic knowledge of Java (or C++) will be assumed.

This tutorial will give a basic grounding in these middleware systems, enough for further exploration. More importantly, it will give enough knowledge to properly evaluate these middleware systems and see past the extravagant claims that are sometimes made.

Installing a FreeBSD Server, by Warren Toomey

The aim of this workshop is to try and complete most of the following objectives:

Introduce you to FreeBSD, what it is and why you should use it; Install FreeBSD on a PC; Perform basic system configuration, including user accounts and packages; Recompile the kernel to suit the hardware configuration;

Compile some sample ported applications: SSH and others; Compile and configure some large server applications: Apache, Samba; Tighten the system's security; and Anything else that you would like me to cover.

There are some caveats with this workshop.

You need to have reasonable experience with using Unix, navigating around the filesystem, editing files, monitoring processes, setting file permissions etc.  I am hoping to cover all of the above, but I would rather cover some topics well than cover all of the topics poorly.

Hot Topics in System Administration, by Evi Nemeth

Topics include:

• LDAP: We'll tell you what it is and why it might be time to implement it.  From client to server, we will survey how LDAP can strengthen your organization internally and externally.  The major focus will be on choosing a UNIX server that's right for your organization.
• DHCP: Short on address space?  Sick of configuring each and every one of your users' machines?  We'll talk about making DHCP work for your organization.  We will cover servers and clients, on both UNIX and NT and hosts.
• Disaster planning: In planning for disasters, whether they are physical incidents, security incidents, or just sysadmin errors, hindsight and good backups are invaluable.  We will provide some guidelines and a checklist of some of the documentation that you need to maintain to make disasters more recoverable.
• Security tools: A new generation's worth of security management tools are on the loose, and we'll help you understand how to use them to your advantage.  We'll examine new scanning tools such as Nessus and nmap, as well as looking at new tools to facilitate security forensics.
·
• BIND9: BINDv9 includes a long laundry list of features needed for modern architectures, huge zones, machines serving a zillion zones, co-existence with PCs, security, and IPv6--specifically, dynamic update, incremental zone transfers, DNS security via DNSSEC and TSIG, A6, and DNAME records.

Solaris 64-bit programming, by David Purdue

The Ultra-SPARC processor, a 64-bit architecture, has been around for a number of years, and 64-bit programming features have been available in Solaris since version 2.5.1.  However, it was only in Solaris 7 that a full 64-bit address space was made available to programmers.

This tutorial looks at how to construct 64-bit programs for Solaris 8.  The topics covered include:

• 64-bit computing and when to use it.
• Compilers for 64-bit programs and how to drive them.
• 64-bit API's.
• 64-bit gotchas

A Cryptography Primer, by Lawrie Brown

Data encryption algorithms form an important technical component in providing secure and authenticated electronic security and communications.  This workshop is designed to provide attendees with a brief overview of the field of cryptography, the terms, techniques, and algorithms.

It starts by introducing the classical cryptographic techniques which form the foundations of the field.  We then survey modern private key ciphers, widely used for bulk and link data encryption, from DES to the new AES encryption algorithm Rijndael.  Next we consider public key encryption algorithms and signature schemes, essential for the use of cryptography in large scale, wide area communications.  We conclude with a brief look at a couple of cryptographic applications, illustrating the different ways these components are combined to build a security solution.

Contents

Firewalls, by Lawrie Brown

With the ever increasing growth and pervasiveness of the Internet, more and more organisations find that they need to connect to the Internet in order to fulfil their goals.  However, there are persistent security concerns with such a connection.  The usual approach to reducing these concerns is to install a firewall to provide perimeter defence around private networks which supplies a single controlled and monitored point of connection.  The design, installation, and ongoing management of a firewall though, is a non-trivial task.  This workshop will provide an overview of this process.  This starts with the determination of an appropriate security policy, and then the specification of services to be supported and policy applied.  From this a suitable firewall architecture can be selected from the range available, specific equipment chosen and configured.  Then there is the ongoing management of the firewall, maintaining its safe configuration, responding to security events, and monitoring its ongoing use.  The workshop will not discuss particular products, rather it is aimed to assist those who need to manage this process.

Contents

POSIX Threads Programming, by Liam Widdowson

This tutorial will provide an introduction to multi-threading and the specifics of developing and debugging threaded software based on POSIX 1003.1c with UNIX variants.  The POSIX 1003.1c API will be explained in detail with many 'real code' examples.  Significant time will also be spent covering the threading architecture of most popular UNIX variants and the many idiosyncrasies of each operating system.  Case studies will be provided to illustrate where threads should and should not be used.  Emphasis will also be placed on producing portable, high-performance software.

The intended audience is developers or administrators with basic-strong c programming skills and no prior knowledge of POSIX threads is assumed.

Introduction to Perl for Programmers, by Rob Kolstad

This tutorial introduces those who already know some programming to the powerful Perl programming language.  Data structures, control structures, input/output, and programming paradigms will highlight this interactive course.  After this full-day introduction, students should have all the skills they need to write all but the most complex stand alone Perl scripts.

Practical IPSec, by Adrian Close

Networks on the Internet are increasingly turning to firewalls as a means of protecting themselves against external network-based attacks, creating their own small islands of trust.

However, the increasing need for secure, inter-network communications requires extending that trust across the Internet itself - a risky proposition in an increasingly hostile network environment.

Implementing IPSEC is one plausible solution and this tutorial will cover the fundamentals of doing this in the real world.

Practical demonstrations of the technology involved will be given throughout the tutorial, which will include debugging techniques useful for successful deployment and interoperability of various IPSEC implementations.

Topics:

Linux Security Tools, by Richard Keech

This presentation provides an overview of available security tools for the Linux platform; both Open Source and proprietary.  The scope includes firewalls, log monitoring tools, intrusion detection tools, mail virus scanners, VPN tools, system hardening tools, and secure communication facilities.

The presentation will feature live demonstrations of some of the more important security tools.

Audience :This talk is aimed at managers and administrators considering the use of Linux in a security role.

NTP, by John Warburton

Your first web site, by Peter Moulding

Peter Moulding, author of PHP Black Book, and creator of 50+ sites, will lead the group from beginning your first page through to tying the pages together in a large web site.  The tutorial assumes you understand the basics of HTML and the basics of programming or scripting in any language.  If you have used a <font> tag, you are ready to rip in to PHP.

Section 1
A run through planning web sites, selection of technology, and development planning.  An overview of writing code yourself versus downloading open source versus buying a commercial product.  The installation and setup of minimum development, test, quality assurance, and production steps.

Section 2
Code functions and techniques related to page production.  Detailed explanation and examples of the code needed every day.  Quick examples of advanced techniques.

Section 3
Database design and use in PHP.  Sessions and other PHP features related to Web sites.  Code examples, tips and techniques.

Section 4
Discussion with students about your web sites, your special problems, and solutions.

Computer History: Methods and Problems, by Peter Salus

"Doing" computer history, especially over the past 60 years, seems really simple.  Nearly everyone important, whether in hardware or software, is still alive.  You go and talk to them.  You read the publications.

But two instances (one hardware, the other software) will suffice to illustrate the problems.

(1) The First Computer
In 1997 I was telephoned by a reporter from "The Economist."  He wanted to know what the first computer was.  Sounds simple.  You say: "It was the XYZ built by so-and-so in 19xx."  I asked him what he meant by "computer."  While he responded by asking me what I meant, I pointed out that Turing had written about requirements and algorithms, that Atanasoff had designed a programmable computer, but never built it; that the storied Aiken Mark I at Harvard (funded by IBM) wasn't truly electrical or electronic, but electro-mechanical; that Zuse's original work had gone nowhere; that the Philadelphia and Princeton work wasn't fully programmable.  And so forth.  He finally came down to asking about a fully electronic computer that was programmable.  I told him that Britain took pride of place there:  Wilkes at Cambridge was the clear winner.  I then pointed out that George Stibitz of Bell Labs had built and demonstrated the first remote calculator in 1941.  The reporter wasn't happy without a clear response.

(2) The 50 Bug Fixes
By 1976, Ken Thompson had accumulated a number of bugs and fixes for V6.  AT&T's legal department said it couldn't be made available.  By October it was widely available.  In the late spring of 1993, while I was working on my Unix history book, I decided to talk to all five of the "participants":  Ken, Lou Katz, Greg Chesson, Mike O'Brien, and Bob Kridle.  I tape recorded all of them.  I got four discrepant stories.

"Doing" history involves more than recording tales and gossip and more than reading other folks' publications.  This tutorial will discuss problems like the ones listed and methods of approaching reality.