Steven mentioned the Sybil attack, and I found the original paper here. Wikipedia's entry on information theory might be useful, assuming some joker hasn't corrupted it. Low-bandwidth covert channels are great ways to transmit AES keys. Steven's talk reminded me that calculus-like or -based methods, or basically thinking about measuring changes over time, is a powerful analytical method. Finally, Steven mentioned he wrote some of his tests in Lua, which has a FreeBSD port and a new Wrox book arriving next spring.
We've got several initiatives in mind. I'm going to need some help with these if we want them to go anywhere. If no one cares, that's cool too.
- Can anyone recommend future speakers? If you have an idea, please email me: taosecurity [at] gmail [dot] com. We're looking for anyone who would like to speak on a technical topic.
- Paul mentioned interest in setting up a distributed attack-and-defend network (AADN). You would provide one or more systems from which you would attack other people on this network, and which could be attacked by others. I believe establishing some sort of VPN among all participating nodes would be the best way to hide this activity from ISPs, and also guarantee that whomever is part of the VPN has really agreed to participate in this activity. If anyone is interested in this idea, please post a comment.
- Beyond an individually owned-and-operated AADN, there is some interest in collecting old gear for NoVA Sec learning and experimentation. For example, it would be nice to assemble a collection of Cisco equipment for those who want to gain some hands-on experience without potentially corrupting their production gear at work. I have a friend at Cisco who might be able to contribute old gear. We would also need a central location to house it and an equipment custodian.
On the communications side, our ability to communicate effectively is going to outgrow blog comments. A few ideas follow:
- Would anyone want to set up and maintain an IRC channel?
- Would anyone want to set up and maintain a mailing list?
- Is there a need for a Web site other than this blog?