Friday, August 15, 2014

ToorCamp redux, Upcoming IDF 2014

To lead off today, I was lucky to have the opportunity to speak at ToorCamp this summer, with my talk titled “Secure boot, network boot, verified boot, oh my” http://toorcamp.toorcon.net/talks/#16 and material posted to https://docs.google.com/file/d/0BxgB4JDywk3MdnRsbnh6NW9rYU0/edit
I especially liked my quotation

A reminder from the KGB school of cipher security: “You never attack the standard, you attack the implementation, including the process.” - Grugq



The locale is pretty remote, namely the western-most portion of the US
My talk was on a Thursday and I was swamped at the office, so I ended up making it a 'day trip' from Tacoma to Neah Bay.

Like 2012, the talks were all hosted in the dome

including the couch for chatting with the host

I have to admit that the speaker on bio-hacking and transhumanism didn't convince me to get an RFID injection into my hand this trip.

I gave my talk and followed up with some face to face discussions for a couple hours afterward. Invariably the question of key revocation came up as a question in response to the Secure Boot discussion. Then I scurried to the nearby beach, snapped a photo of the sunset, and then headed back home. Luckily the local tribesman selling smoked salmon hadn't closed up shop, so I picked up a few packages of the same and beat a hasty retreat.

Saying goodbye to the Makah reservation


and the hackers at Hobuck Beach



The next journey is the Intel Developer Forum in San Francisco.  My upcoming talk is “Firmware Flexibility  using Intel Firmware Support Package,” Talk STTS001, Intel Developer Forum, San Francisco, September 11, 2014 https://intel.activeevents.com/sf14/connect/sessionDetail.ww?SESSION_ID=1265 This should provide a deep dive responsive to the https://intel.activeevents.com/sf13/connect/fileDownload/session/DB60155205A8DF5837DA22D0FF90E3A3/SF13_STTS001_100.pdf presentation last year, along with a few other updates on ecosystems and open source. Drop me a line if you're in SF at this time.

On other progress, my issued US Patents continue to climb, albeit slowly. Now that I've crossed the 300 mark (303 this week for US Patent Families and 823 for INPADOC) maybe I'll get to join the list of 'Prolific Inventors' at http://en.wikipedia.org/wiki/List_of_prolific_inventors. I am curious how to site confirms the assertion: "However, this table currently has an arbitrary cut-off limit for inclusion of 300 patent families. This is purely for practical reasons – there are 81 inventors throughout history with more than 300 utility patent families, but tens of thousands of inventors with more than 15 patents."  Hmmm.

This summer has also witnessed a flurry of presentations on attacks against UEFI implementations, including http://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf. This reminds me of the importance of the Grugq quote above on 'implementation' and underscores the value of work like Chipsec https://github.com/chipsec/chipsec I mentioned in http://www.uefi.org/sites/default/files/resources/2014_UEFI_Plugfest_04_Intel.pdf and other developer guidance, such as 'best practices' in pages 34-35 of http://www-inst.eecs.berkeley.edu/~cs194-24/sp13/hand-outs/SF09_EFIS001_UEFI_PI_TCG_White_Paper.pdf, But there are many additional things we can do with respect to testing, guidance, and instances of best-practices on http://tianocore.sourceforge.net/wiki/EDK2. Speaking of edk2 and security practices, I'm happy to see a reference implementation of a signed capsule update implementation, including the https://svn.code.sf.net/p/edk2/code/trunk/edk2/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/ support code.

Another exciting open source action is the release of seL4 kernel http://sel4.systems/ and the Isabelle proofs. I mentioned this effort in http://vzimmer.blogspot.com/2013/12/better-living-through-tools.html and since that publication https://github.com/seL4/seL4 has gone live. Gernot and the NICTA guys are impressive. I was happy to see my ex-NICTA collaborator Leonid posted our driver synthesis paper http://www.nicta.com.au/pub?doc=7690 to NICTA's website http://ssrg.nicta.com.au/projects/TS/drivers/synthesis/ 

Regarding the latter paper, this is as close as I can get to a refereed conference, it would seem, as Mike Rothman and I were bounced from LISA '14. We posted the rejected manuscript at https://uefidk.com/sites/default/files/resources/uefi-manageability-security-white-paper.pdf.  Since I'm not an academic but an ordinary Joe who has been slogging away in industry for the last 20+ years, I cannot understand the publish-or-perish or other metrics around papers http://blogs.lse.ac.uk/impactofsocialsciences/2014/04/23/academic-papers-citation-rates-remler/ in academia. I see the value of peer review and appreciate the written-word, along with open source, to scale pedagogy and advocacy.  

Social media never ceases to fascinate me.

Pageviews by Countries

Graph of most popular countries among blog viewers
EntryPageviews
Malaysia
2

Pageviews by Browsers

EntryPageviews
Chrome
2 (100%)
Image displaying most popular browsers

Pageviews by Operating Systems

EntryPageviews
Macintosh
2 (100%)
Image displaying most popular platforms

represents the latest access to this blog.  Someone reading this blog while running Google Chrome on a Macintosh in Malaysia.  Fascinating.

Or on Twitter https://twitter.com/vincentzimmer when I get a re-tweet or message from famous mathematicians
 retweeted your Retweet
Jun 28
This is a geometry joke.

Great stuff.

1/7/2015 update -
A friend of mine from Houston just pointed out an update to http://en.wikipedia.org/wiki/List_of_prolific_inventors.
I'm now on the list, and not even the 'bottom-most' entry (and among the youngest who owns up to his/her age).
Vincent Zimmer312 USA8481970-Computer software and firmware[181][182]