Nice to see people with a healthy ego: "the first and the only False Positive Free web application security scanner." (from Full Disclosure)
Sunday, September 2 2012
It's a bit frightening to see that anyone with access to a YouTube account can cause unrest in the Middle East. Downside of the global village.
Monday, September 17 2012
Internet Security Days 2012: Sessions about Mobile Malware and unencrypted Wifi. Priceless. #isd2012 #security #fail
Tuesday, September 11 2012
"Java - Serious security vulnerability affects millions of pensioners" #misread
Friday, August 31 2012
I am pleased to be taking part in the Open Source Data Center Conference 2012 as a speaker. I know the organizer, Bernd Erk of Netways, from an earlier Heise conference as a competent and pleasant fellow, which makes it all the more enjoyable.
Since SecTXL in Hamburg unfortunately could not take place, I will now give the talk I had originally submitted there exclusively at the OSDC. Title and abstract are as follows:
CA failures and the future of Web authentication (EN)
In 2011, a number of Certification Authorities suffered catastrophic failures which showed that the SSL CA system, a cornerstone of the secure Web, has been undermined by attackers and corporate greed. These failures and malpractices may well lead to the eventual downfall of SSL certificates as we know them.
This talk will summarize the events which transpired last year (and continue to pop up in 2012) and show which alternatives are currently in the making. It will introduce concepts like DANE, Convergence, Sovereign Keys and show some interesting info about SSL certificates “in the wild”.
So essentially it is, on the one hand, a retrospective of the past few years and the major fails in the CA market, but also about the question: “What do we do with SSL in the future?” And that question is as exciting as it is ambivalent. Abolishing it entirely is out of the question, because then Amazon would go bankrupt. Leaving everything as it is isn't an option either. Several exciting projects have set out to replace the CAs, or at least make them somewhat less of a “single point of failure” - and I would like to briefly present these projects.
It is also important to me to present those CA alternatives that are inspired and supported by free software - that is, Convergence as a Firefox plugin, or the research and development work at the EFF.
OSDC12 takes place on April 25 and 26 in Nuremberg. An all-inclusive package including 2 hotel nights and the conference dinner is available for € 950. That is a very good price for a high-class conference program that covers every aspect of the “state of the art” in open-source-centric data centers, from Puppet to IPv6 to cloud workshops.
My talk, by the way, is on April 25 at 14:00 - I am looking forward to as large an audience as possible and a productive discussion!
I will be moderator of the “WebSec Day” at the WebTech 2009 conference in Karlsruhe, Germany. The full-day workshop will consist of several loosely thematically linked sessions on web security. See the full entry for abstracts and speakers.
If you want to have a beer, I will only be in Karlsruhe on Monday evening and Tuesday during the day. You can follow me on Twitter (@christopherkunz). I’m looking forward to seeing some of the PHP folks again during the few hours that I will spend in Karlsruhe.
As a project employee for GDI-Grid (spatial data infrastructure grid), I’ll go to OGF22, the Open Grid Forum, later this month. We have organized a session slot of 90 minutes (thanks to Christian Kiehle for that) which is being filled with 3 sessions; one is held by yours truly while the other two are delivered by Christian Kiehle of lat//lon and Andreas Krüger of Technical University Berlin. The nice thing about this is that I finally get to visit the States, although only for a couple of days (I’ll be in Boston from the 22nd till the 26th; the return flight is midday on the 27th).
So if anybody is in the vicinity of Boston/Cambridge, MA and cares to have a beer with me, just drop me a line.
I already blogged this at our PHP Security Blog, but it is not (yet? hey Toby) aggregated on planet-php, so here goes again.
You can now download my session slides for the full-day workshop on PHP security - unfortunately for my international readers, they are in German. If that doesn’t scare you (because you got taught lots of useful German phrases in the last days, right Caitlin?), you can get them here: PHP Sicherheit Workshop.
If you need a little explanation of the PHP Security Quiz by Mayflower, just read the extended entry.
That was a weird week. I think I rarely changed locations that often, and I kinda lost track of what time zone, currency and/or event I was currently at. However, it turned out to be a very rewarding week, too.
All in all, I roughly travelled around 5600 km, which is probably quite a lot given the fact that I otherwise leave Hannover rarely. I changed timezones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu).
My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said at the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatic and well-formed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.
For about 4 hours now, the PHP Vikinger has been in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an “unconference”, so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon himself to moderate the scheduling and get everything started. Now, everyone who wants to gets up and does a presentation, starts a discussion or - as Kris is currently doing - stimulates brainstorming with the attending core developers and other PHP nerds.
The current discussion is even somewhat strategic, pointing out things that PHP still lacks, things that need to adapt to changes in our environment and stuff that is really good in comparison to other languages. Kris is creating a list of everything that’s thrown at him and every item so far has been diligently discussed.
After that, Ilia and I will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it’s a good place to show off the Hardening patch.
As usual, I will be in attendance at the International PHP Conference in Frankfurt/Germany again, marking my 7th (or 8th, including the Amsterdam conferences) participation in this event. This year, however, promises to be a very special conference. Exciting things are going to happen - read more in the extended entry.
Bruce Schneier writes in his blog about a security vulnerability in Bluetooth that can be exploited not just in theory but quite practically and in a very short time, recovering the Bluetooth PIN (which is required for pairing two devices) within a few seconds.
He cites a paper by the Israelis Shaked and Wool that was published recently.
A nice gentleman on a mailing list is struggling with bot spam in his mail forms and wants to put a stop to it. Since one sees those funny little pictures with the twisted letters everywhere these days, he thought, “I'll do something like that too.”
However, it is not necessarily to be expected that the measure he has taken will drastically reduce the amount of spam.