by Steven Blackwell

What I Learned At DEVCON

The 11th FileMaker Developer Conference concluded the other day.  It was held in Orlando, Florida, this year at a venue leagues improved from its last East Coast outing in 2001.

I learned quite a few things at this DEVCON, and I thought I’d share some of them, in no particular order of significance.

1. Developers voted with their feet and chose workshops rather than more formalized sessions except for the three “Under the Hood” ones.  This is no surprise to those in the developer community. Several of the workshops were oversubscribed by factors of 150% to 200%, even while some formal sessions were 75% empty.  Special kudos to Chris Moyer for doing an unanticipated v-rev of his workshop when he had to turn away over 100 folks from the first version.

2. The three “Under The Hood” sessions given by several of the engineers were excellent, and they imparted a good deal of useful information. I will excerpt some of that in a separate entry.

3. Andy Gaunt of FMPUG fame is possibly the greatest showman since the late Phineas T. Barnum.  His FileMaker Excellence Award is also extraordinarily well-deserved.  See http://www.fmpug.com

4. The unfortunate theft of a laptop computer during the conference led to detailed discussions of laptop and software security. Laptop computers are attractive items to steal, and losing one is very bad for its owner. Such computers need multiple layers of protection for their contents and for their FileMaker Pro databases, including strong OS-level passwords and hardening, and strong FileMaker Pro-level Accounts and passwords.

5. There appears to be an infinite variety of ways to serve chicken at conference meal functions, save only Southern fried.  The latter style is, of course, the one much beloved from a childhood in the mountains of East Tennessee and the one most longed for today.

6. Several FileMaker, Inc. Engineers and Product Managers could give up their careers in the software industry and become highly successful emcees of television shows or comedians in nightclubs.  Some of these guys are really funny,  and they are really good performers.

7. Some conference organizers cannot correctly count the number of conferences held over time.  On the other hand, an X-Acto knife and a strip of clear tape can convert a 10 year badge to an 11 year badge, proving that the Village Elder can still improvise when needed.

8. I think I am a very honest fellow with the ability to safeguard all manner of (sometimes very highly) confidential information.  That said, and even when other people agree with my glowing opinion of my own trustworthiness, I doubt that many developers would just walk up and give me their server administrative passwords, email passwords, PIN numbers, and similar information.  I doubt they would even if they know that I can be trusted with this information.  Given that, why then did some people broadcast that very same information in clear text over an unsecured wireless network and make it susceptible to interception by some war zoner who could have been sitting outside in the guest parking lot? If they weren’t using a VPN or some method of encryption, their Account Names and passwords could have been intercepted.

9. A lightning strike on a conference center is not conducive to the proper and effective functioning of switches and Internet connections.  Nor, apparently, does it enhance the ability of technically trained personnel from the relevant ISP to repair them and restore Internet access in a reliable fashion.  In the information security profession we refer to a concept called “defense-in-depth” that provides overlapping and redundant defenses against various threats.  Perhaps this concept ought to travel over to the ISP community in Orlando as well.

10. Finally, there is supersonic.  And there is also hypersonic. And then there is Andrew LeCates, Senior Director of System Engineers.  Even if you can only catch every tenth word of a LeCates presentation, it’s still worth more than every word of 99 percent of other presentations.  There will be a special pre-DEVCON Seminar in 2007 on Hyper Listening techniques.  Andrew LeCates is beyond a treasure to the FileMaker Developer community; he is beyond a core asset.  He is the true linchpin.

Steven H. Blackwell

Comments

2 Responses to “What I Learned At DEVCON”

  1. Tim Neudecker on August 21st, 2006 12:03 pm

    Some additional info on Steven’s item number 8.

    Ever since this summer’s DefCon (a hacker conference in New York City) I have been amazed at just how easy it is to “sniff” a network and hear what people are saying. Remember, the internet is not a private phone line unless you make it a private phone line. By default it is a PARTY LINE.

    http://www.tgdaily.com/2004/08/02/defcon_12/index.html

    I was hoping to set up a “Wall of Sheep” but felt it might be better to just listen first and see how many developers in the FMP community are not aware of how insecure networking really is, especially open wireless.

    Over the course of DEVCON, I downloaded, compiled and ran a free open source program called ettercap. I did no decrypting of WEP, SSL, or any other encryption scheme, just data packet sniffing; I only filtered out packets and reported on packets with clear-text accounts/passwords. I used FMP to control ettercap and store the results of these sniffs. I have scrambled the passwords after running the stats below. I sniffed during lunch time on Tuesday and Wednesday, and during a few sessions.

    252 Total accounts captured
    165 POP
    48 IMAP
    33 HTTP (why are they not using SSL on their web sites?)
    5 FTP
    1 LDAP

    33 mail accounts were for mac.com, so presumably their iDisk is at risk also.
    1 password was the same as the account name!
    1 password was “Password”
    156 unique passwords, so many people are using the same password across multiple servers/accounts.
    45 passwords that are in the dictionary (easily cracked by brute force)
    9 passwords of 4 or fewer characters
    74 passwords of 6 or fewer characters

    On the happy side, there were many folks who were cautious…

    400+ folks used MD5 or Kerberos encryption for server logon (mostly large corporate users; something to be said about corporate IT folks, they know their stuff.)

    Lots of users, impossible to count because their traffic was encrypted using SSL and VPNs. Good going, folks.

    0 FMI employees used clear text accounts/passwords (and there were lots of them there! Way to go!)
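The findings above are the kind of summary a credential-exposure audit produces. As an added example (not Tim’s FMP/ettercap tooling, and not part of the original comment), the script below takes a constructed inventory of exposed logins in an assumed `(protocol, account, password)` shape, computes the same hygiene figures the comment lists, and names the TLS-protected alternative for each clear-text protocol seen; the tiny word list stands in for a real dictionary.

```python
from collections import Counter

# Constructed sample records: one row per exposed login, shaped as
# (protocol, account, password). All values are invented for this example.
SAMPLE = [
    ("POP",  "alice@example.com", "sunshine"),
    ("POP",  "bob@example.com",   "Password"),
    ("IMAP", "carol@example.com", "carol@example.com"),
    ("HTTP", "dave",              "abc1"),
    ("FTP",  "erin",              "sunshine"),
    ("LDAP", "uid=frank",         "tr0ub4dor&3"),
    ("POP",  "grace@example.com", "secret"),
]

# Stand-in for a dictionary word list; a real audit loads a full one.
DICTIONARY = {"sunshine", "password", "secret", "welcome", "letmein"}

# Clear-text protocols seen in the comment and the encrypted variant
# a site should move its users to.
SECURE_ALTERNATIVE = {
    "POP":  "POP3 over TLS (port 995)",
    "IMAP": "IMAP over TLS (port 993)",
    "HTTP": "HTTPS (port 443)",
    "FTP":  "FTPS or SFTP",
    "LDAP": "LDAPS (port 636)",
}

def audit(records, dictionary=DICTIONARY):
    """Summarise exposed credentials: per-protocol counts, password
    hygiene findings, and the protocol upgrades that would have
    prevented the exposure."""
    passwords = [pw for _, _, pw in records]
    by_protocol = Counter(proto for proto, _, _ in records)
    return {
        "total": len(records),
        "by_protocol": dict(by_protocol),
        "same_as_account": sum(1 for _, acct, pw in records if pw == acct),
        "literal_password": sum(1 for pw in passwords if pw.lower() == "password"),
        "unique_passwords": len(set(passwords)),
        "reused": len(passwords) - len(set(passwords)),
        "in_dictionary": sum(1 for pw in passwords if pw.lower() in dictionary),
        "len_le_4": sum(1 for pw in passwords if len(pw) <= 4),
        "len_le_6": sum(1 for pw in passwords if len(pw) <= 6),
        "upgrade_to": {p: SECURE_ALTERNATIVE[p] for p in by_protocol
                       if p in SECURE_ALTERNATIVE},
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```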

  2. Tim Neudecker on August 21st, 2006 7:57 pm

    I just noticed that the last line of my previous message was not as clear as I had intended it to be. It should read to say that I captured zero FMI accounts and that all FMI employees (and there were lots there) are using VPN/encryption or not checking their mail from insecure locations. Good job, FMI.
