If you’re in the Bay Area and are interested in computing history, you should know about Vintage Tech. Sellam has put together a warehouse holding the world’s largest private computer collection, and he also put on the VCF (Vintage Computer Festival) computer fairs. Right now he is moving the collection to a bigger warehouse in Stockton and needs help loading the truck in Livermore.
I was out at his place last week to help with the move. The sheer size of the whole thing is astounding. It feels somewhat similar to the last scene of Raiders of the Lost Ark, where the crate with the ark in it disappears into a giant warehouse full of boxes. There are shelves stacked high with all kinds of computer equipment, manuals, and disks. I saw IMSAI 8080s and a Be workstation, among thousands of others I couldn’t identify.
Sellam needs help moving. The work consists of loading computers and boxes onto pallets or disassembling shelves, so bring gloves if you have them. The heavy lifting is done with a forklift. If you’d like to help out and do a good deed, he is out there all day, every day, and he is a lot of fun to talk with. You can contact him by phone or email.
The next Baysec meeting is June 23 at Kate O’Briens. Come out and meet fellow security people from all over the Bay Area. As always, this is not a sponsored meeting, there is no agenda or speakers, and no RSVP is needed.
See you Tuesday, June 23rd, 7-11 pm. We’ll be towards the back.
579 Howard St. @ 2nd, San Francisco
I have now posted slides for the talk I gave yesterday at Yahoo Security Week (see below). I also took this opportunity to upload the previous talks I have given since 2004 to Slideshare.
The talk was mostly an in-depth list of attacks against various crypto implementations. The good news is that developers seem to have gotten the message not to design their own ciphers. Now we’re trying to get the next message out: you also shouldn’t be assembling your own crypto protocols or constructions out of low-level crypto libraries. The primitives may be sound, but the glue between them (modes, padding, key handling, message ordering) is where the attacks land.
Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. You wouldn’t write a web application in assembly language, so why take the risk of implementing your own crypto constructions?
If you do end up designing or implementing your own construction, it is really important to get it reviewed by a third party. Since gaining that assurance is expensive and time-consuming, it’s better in nearly all cases to use a high-level library. The alternative is risking a compromise of your most important keys. Are you willing to take that chance?
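To make the point concrete, here is an added example (my own construction for this post, not code from the talk or from any of the libraries mentioned) of the most common mistake a low-level-library construction makes: encrypting without authenticating. The "homebrew" version XORs a keystream over the plaintext and stops there, so anyone who can edit the ciphertext can edit the plaintext undetected. The "reviewed" version adds an encrypt-then-MAC layer with a constant-time tag check, which is what a high-level library does for you behind the scenes. The keystream generator is a toy built from HMAC-SHA256 as a PRF so the example runs with the standard library only; it stands in for a real cipher mode and is not something to deploy.

```python
"""Homebrew (encrypt-only) vs. reviewed (encrypt-then-MAC) construction.

Constructed example for illustration; the keystream is a toy PRF, not a
real cipher mode. Both constructions share the same keystream so the only
difference under test is the authentication layer.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode PRF: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- homebrew construction: confidentiality only, no integrity ---
def homebrew_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def homebrew_decrypt(key: bytes, blob: bytes) -> bytes:
    # Accepts whatever it is given: nothing here can detect a modified ciphertext.
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


# --- reviewed construction: encrypt-then-MAC with separate keys ---
def secure_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()  # MAC covers nonce + body
    return ct + tag


def secure_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return _xor(body, _keystream(enc_key, nonce, len(body)))


def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker who knows the plaintext at `offset` flips ciphertext bits so it
    decrypts to `new` instead of `old`. Works against any unauthenticated XOR-based mode."""
    delta = _xor(old, new)
    b = bytearray(blob)
    for i, d in enumerate(delta):
        b[NONCE_LEN + offset + i] ^= d
    return bytes(b)


def demo(enc_key: bytes, mac_key: bytes):
    """Return (what the homebrew receiver sees, what the reviewed receiver does)."""
    msg = b"transfer=$100;to=alice"  # constructed sample message with a known format
    at = msg.index(b"100")

    forged = tamper(homebrew_encrypt(enc_key, msg), at, b"100", b"999")
    homebrew_result = homebrew_decrypt(enc_key, forged)

    forged2 = tamper(secure_encrypt(enc_key, mac_key, msg), at, b"100", b"999")
    try:
        secure_decrypt(enc_key, mac_key, forged2)
        secure_result = "accepted"
    except ValueError:
        secure_result = "rejected"
    return homebrew_result, secure_result


if __name__ == "__main__":
    print(demo(os.urandom(32), os.urandom(32)))
```

The homebrew receiver happily reports a $999 transfer; the reviewed one rejects the same edit before a single byte of plaintext is released. Note that the fix is not "more crypto" but a construction decision (authenticate everything, compare in constant time, use separate keys for separate purposes), which is exactly the kind of decision a high-level library has already made and had reviewed.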
On June 9, I’ll be giving a talk on web crypto flaws at Yahoo Security Week. The talk is titled “When Crypto Attacks!” and will go into ways cryptography has been misapplied to solving web application problems. You can get a flavor for the talk by reviewing these recent posts.
I also wanted to mention another high-level API that is pretty good: Peter Gutmann’s cryptlib. It provides a simple API with a lot of internal validation of parameters and state. For example, you can’t send protocol messages in the wrong order, and keys carry a type, so a key cannot be handed to an operation it wasn’t meant for.
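The two properties credited to cryptlib above (typed keys and call-order enforcement) are design patterns, not library magic, so here is an added example in Python that models them in a few dozen lines. This is my own sketch for this post, not cryptlib’s API or code: the key types, the `Session` object, and the `CryptoUsageError` exception are all invented for illustration. The point is that misuse fails loudly at the API boundary instead of silently producing a weak result.

```python
"""Typed keys and state-enforced call order, modelled after the properties the
post credits to cryptlib. Constructed example; names are hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto


class CryptoUsageError(Exception):
    """Raised when the caller misuses the API: wrong key type or wrong call order."""


# Distinct types for distinct purposes. Both wrap bytes, but isinstance() checks
# below mean a MAC key can never be passed where a derivation key is required.
@dataclass(frozen=True)
class MacKey:
    material: bytes


@dataclass(frozen=True)
class DerivationKey:
    material: bytes


def derive_mac_key(master: DerivationKey, label: bytes, salt: bytes) -> MacKey:
    """HMAC-based derivation of a per-session MAC key from a long-term master key."""
    if not isinstance(master, DerivationKey):
        raise CryptoUsageError(f"need a DerivationKey, got {type(master).__name__}")
    return MacKey(hmac.new(master.material, label + salt, hashlib.sha256).digest())


class State(Enum):
    NEW = auto()
    OPEN = auto()
    CLOSED = auto()


class Session:
    """Each operation names the single state it is legal in; anything else raises."""

    def __init__(self, master: DerivationKey):
        if not isinstance(master, DerivationKey):
            raise CryptoUsageError(f"Session needs a DerivationKey, got {type(master).__name__}")
        self._master = master
        self._state = State.NEW
        self._key = None
        self._seq = 0

    def _require(self, state: State) -> None:
        if self._state is not state:
            raise CryptoUsageError(f"operation not allowed in state {self._state.name}")

    def handshake(self, session_salt: bytes) -> None:
        self._require(State.NEW)  # a second handshake would silently rekey; refuse it
        self._key = derive_mac_key(self._master, b"session-mac", session_salt)
        self._state = State.OPEN

    def send(self, payload: bytes) -> bytes:
        self._require(State.OPEN)  # no data before the handshake or after close
        seq = self._seq.to_bytes(8, "big")
        tag = hmac.new(self._key.material, seq + payload, hashlib.sha256).digest()
        self._seq += 1  # sequence number under the MAC prevents reordering on the wire
        return seq + payload + tag

    def close(self) -> None:
        self._require(State.OPEN)
        self._key = None  # drop the session key; the object cannot be reopened
        self._state = State.CLOSED


def misuse_results() -> dict:
    """Exercise each misuse and record whether the API rejected it."""
    results = {}
    s = Session(DerivationKey(b"\x01" * 32))

    def attempt(name, fn):
        try:
            fn()
            results[name] = "accepted"
        except CryptoUsageError:
            results[name] = "rejected"

    attempt("send_before_handshake", lambda: s.send(b"hello"))
    attempt("handshake", lambda: s.handshake(b"salt"))
    attempt("send_after_handshake", lambda: s.send(b"hello"))
    attempt("second_handshake", lambda: s.handshake(b"again"))
    attempt("close", s.close)
    attempt("send_after_close", lambda: s.send(b"hello"))
    attempt("mac_key_as_master", lambda: Session(MacKey(b"\x02" * 32)))
    return results


if __name__ == "__main__":
    for name, outcome in misuse_results().items():
        print(f"{name:24s} {outcome}")
```

Every rejected case here is something a raw-primitive API would have accepted: a MAC key used as a master key, data sent before a key exists, a rekey mid-session. Making those a type or state error costs little and removes a whole class of "the crypto was fine but we called it wrong" bugs.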
If you are a Yahoo employee, you can attend the talk. For everyone else, I will post slides here afterwards.