Don’t miss the latest in groundbreaking research and cutting-edge practices in a wide variety of technologies and environments.

6 days of training by industry experts, including:
• Richard Bejtlich on TCP/IP Weapons School, Layers 2–3
• Tom Christiansen on Advanced Perl Programming
• Jacob Farmer on Next Generation Storage Networking
• Steve VanDevender on High-Capacity Email System Design
• And over 30 other full- and half-day tutorials

Santa Clara, CA • June 17–22, 2007

3-day technical program, including:

• The latest research in the Refereed Papers Track

• Keynote Address by Mendel Rosenblum, Stanford University • Expert-led Invited Talks • Guru Is In Sessions

• BoFs, a Poster Session, and more

Register by June 1 and save! • www.usenix.org/usenix2007

TRAINING PROGRAM
Join us in Santa Clara, CA, June 17–22, for the 2007 USENIX Annual Technical Conference.

New in 2007: SANS Security Training

TOP 5 REASONS TO ATTEND
#1 #2 #3 #4 #5 You’ll hear it here first Answers The chance to mingle
Industry luminaries discuss timely and important topics.

Top-notch training Invited Talks

6-Day Training Program: Sunday–Friday, June 17–22, 2007 The training program at USENIX ’07 provides in-depth and immediately useful training on the latest techniques, effective tools, and best strategies. The 37 half- and full-day sessions are taught by well-known industry experts, selected for their ability to teach complex subjects. Topics include:

USENIX Annual Tech has always been the place to present groundbreaking research and cutting-edge practices in a wide variety of technologies and environments. USENIX ’07 will be no exception.
Technical Sessions: Wednesday–Friday, June 20–22, 2007 The 3-day technical program includes:
The 2007 USENIX Annual Technical conference will feature:

Join leading researchers and practitioners for 6 full days on the latest technology.

New in 2007: SANS at USENIX Annual Tech. In addition to the top-notch USENIX training, we’re partnering with the SANS Institute to offer two 6-day security classes: • SANS Security 504: Hacker Techniques, Exploits, and Incident Handling • SANS Security 617: Assessing and Securing Wireless Networks
Register by June 1, 2007, at

Highly respected experts provide you with new information and skills you can take back to work tomorrow.


Check out the latest developments in cutting-edge research in the Refereed Papers Track and poster session.

Industry experts address your toughest questions in the Guru Is In sessions.

CONTENTS

Register today at www.usenix.org/usenix2007.

• Hands-on Linux Security: From Hacked to Secure in Two Days, by Rik Farrow • Distributed Source Code Management Systems: Bzr, Hg, and Git (Oh My!), by Theodore Ts’o

• Solaris 10 Security Features Workshop, by Peter Baer Galvin

• The latest in cutting-edge research in the Refereed Papers Track

• Expert-led invited talks, including the keynote address by Mendel Rosenblum, Stanford University • Guru Is In sessions, where you can get answers to your most urgent technical questions • The opportunity to mingle with colleagues and industry leaders at the Birds-of-a-Feather sessions and other evening social events, including poster and vendor sessions and receptions

USENIX ’07 Organizers Training at a Glance USENIX Training Program USENIX Training Instructors SANS Training Program Hotel & Travel Information Registration Information & Fees

Talk with industry leaders and network with peers in the evening BoFs and receptions.

www.usenix.org/usenix2007

SAVE!
EARLY BIRD DISCOUNT


Every USENIX training program registration includes: Every SANS training program registration includes: Our Guarantee
• Admission to the tutorials you select • Lunch on the day of your tutorials • Printed materials for your tutorials • Admission to the tutorials you select • Lunch on the day of your tutorials • Complimentary one-year membership in the USENIX Association • Printed materials for your tutorials • Admission to the receptions, BoFs, and other evening events • Conference t-shirt • Wireless connectivity in the conference session area

USENIX ’07 Organizers
Program Co-Chairs Jeff Chase, Duke University Srinivasan Seshan, Carnegie Mellon University Program Committee Atul Adya, Microsoft Research Matt Blaze, University of Pennsylvania George Candea, EPFL Miguel Castro, Microsoft Research, Cambridge Fay Chang, Google Nick Feamster, Georgia Institute of Technology Marc Fiuczynski, Princeton University/ PlanetLab Terence Kelly, Hewlett-Packard Labs Eddie Kohler, University of California, Los Angeles, and Mazu Networks Z. Morley Mao, University of Michigan Erich Nahum, IBM T.J. Watson Research Center Jason Nieh, Columbia University and VMware Brian Noble, University of Michigan Timothy Roscoe, Intel Research, Berkeley Emin Gün Sirer, Cornell University Mike Swift, University of Wisconsin, Madison

• Training program CD-ROM, including all available tutorial presentations and materials

• Admission to the receptions, BoFs, and other evening events

• Conference t-shirt

• Wireless connectivity in the conference session area

Renu Tewari, IBM Almaden Research Center Win Treese, SiCortex, Inc.

Andrew Warfield, Cambridge University and XenSource Matt Welsh, Harvard University Yuanyuan Zhou, University of Illinois at Urbana-Champaign Poster Session Chair Mike Swift, University of Wisconsin, Madison The USENIX Association Staff

If you’re not happy, we’re not happy. If you feel a tutorial does not meet the high standards you have come to expect from USENIX, let us know by the first break and we will change you to any other available tutorial immediately.

TRAINING AT A GLANCE
SUNDAY, JUNE 17, 2007
S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 Theodore Ts’o
Dustin Whittle Rik Farrow
NEW! NEW! NEW! NEW! NEW!


MONDAY, JUNE 18, 2007
Simson L. Garfinkel Peter Baer Galvin

M1 M2 M3 M4

HALF DAY MORNING: 9:00 A.M.–12:30 P.M. FULL DAY: 9:00 A.M.–5:00 P.M.
Chip Salzenberg Abe Singer Strata Rose Chalup Chip Salzenberg John Sellens Æleen Frisch Abe Singer Rik Farrow

HALF DAY AFTERNOON: 1:30 P.M.–5:00 P.M.

FULL DAY: 9:00 A.M.–5:00 P.M.

MONDAY, JUNE 18, 2007 (CONTINUED)
M5 M6 M7 M8 M9 T1 T2 T3 T4 T5 T6 T7

SANS SANS security 6-day tutorials: pp. 16–19

Computer Forensics

RAD 2.0: Developing Web Applications with Symfony Hands-on Linux Security: From Hacked to Secure in Two Days (Day 1 of 2) Solaris 10 Administration Workshop

Higher-Order Perl

Problem-Solving for IT Professionals

Security Without Firewalls

Perl Program Repair Shop and Red Flags Performance Tracking with Cacti

TUESDAY, JUNE 19, 2007
M10 Jacob Farmer
John Sellens Jacob Farmer Gerald Carter Chip Salzenberg Strata Rose Chalup
NEW! NEW! NEW! NEW!

HALF DAY MORNING: 9:00 A.M.–12:30 P.M. FULL DAY: 9:00 A.M.–5:00 P.M.
Alan Robertson Abe Singer

HALF DAY AFTERNOON: 1:30 P.M.–5:00 P.M.

SANS SANS security 6-day tutorials: pp. 16–19

Regular Expression Mastery

Databases: What You Need to Know

Disk-to-Disk Backup and Eliminating Backup System Bottlenecks

Practical Project Management for Sysadmins and IT Professionals

Ethereal and the Art of Debugging Networks Next Generation Storage Networking

Distributed Source Code Management Systems: Bzr, Hg, and Git (Oh My!)

Peter Honeyman

Jim Mauro and Richard McDougall Æleen Frisch John Sellens

Administering Linux in Production Environments Building a Logging Infrastructure and Log Analysis for Security Hands-on Linux Security: From Hacked to Secure in Two Days (Day 2 of 2) System and Network Performance Tuning

Steve VanDevender

SANS SANS security 6-day tutorials: pp. 16–19

Configuring and Deploying Linux-HA Incident Response NFSv4 and Cluster File Systems

Solaris 10 Performance, Observability, and Debugging Beyond Shell Scripts: 21st-Century Automation Tools and Techniques

System and Network Monitoring: Tools in Depth High-Capacity Email System Design

Marc Staveley

WEDNESDAY, JUNE 20, 2007
W1 W2 W3 W4 R1 R2 R3 R4 F1 F2

THURSDAY, JUNE 21, 2007 FRIDAY, JUNE 22, 2007
Richard Bejtlich Gerald Carter Peter Baer Galvin Theodore Ts’o Tom Christiansen Richard Bejtlich Gerald Carter Lee Damon
NEW! NEW!

FULL DAY: 9:00 A.M.–5:00 P.M. FULL DAY: 9:00 A.M.–5:00 P.M.

FULL DAY: 9:00 A.M.–5:00 P.M.
John Arrasjid and Shridhar Deuskar Richard Bejtlich

SANS SANS security 6-day tutorials: pp. 16–19 SANS SANS security 6-day tutorials: pp. 16–19

Network Security Monitoring with Open Source Tools Using Samba 3.0 Solaris 10 Security Features Workshop Inside the Linux 2.6 Kernel

SANS SANS security 6-day tutorials: pp. 16–19

Advanced Perl Programming

TCP/IP Weapons School, Layers 2–3 (Day 1 of 2)

Implementing [Open]LDAP Directories Issues in UNIX Infrastructure Design

Introduction to VMware Virtual Infrastructure 3 TCP/IP Weapons School, Layers 2–3 (Day 2 of 2)


USENIX TRAINING PROGRAM
FULL DAY 9:00 A.M.–5:00 P.M.
S1 S2 Computer Forensics RAD 2.0: Developing Web Applications with Symfony
Dustin Whittle, Yahoo, Inc.
NEW!

SUNDAY, JUNE 17, 2007

Simson L. Garfinkel, Naval Postgraduate School

Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information. Topics include: • Introduction to computer forensics • Disk forensics • Network forensics • Document forensics • Memory forensics • Cell phone forensics Take back to work: An in-depth understanding of computer forensics, why forensic tools are possible, what they can do and their limits; modern tools, and the legal environment that governs U.S. forensics.
NEW!

S3 S4


Take back to work: All you need to know to dive into your next Web 2.0 application.


Who should attend: Technical project managers and engineers interested in learning how to build better Web 2.0 applications using symfony.

Take back to work: How to determine if a system has been exploited, use network scanning/evaluation tools, improve security of your systems, and check Web scripts for weaknesses.

Topics include: • Overview and foundations • Is symfony right for your project? • Design patterns and best practices • Project management • Installation • Project creation • Configuring your environment • Setting up your project • Building your object model • Developing fast with scaffolding and generators • Controlling your model • Developing and managing views • Adding your favorite JavaScript framework • AJAX and JavaScript helpers via Prototype • Command line interface

Solaris 10 Administration Workshop

Hands-on Linux Security: From Hacked to Secure in Two Days (Day 1 of 2)
• Plugins • Unit and functional testing • Performance and security • Project deployment
Rik Farrow, Security Consultant

Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.

Exercises include: • Searching for hidden files • TCP/IP and its relation to probes and attacks • Uses of ARP and Ethereal • hping2 probes • nmap (connect and SYN scans) • Buffer overflows in sample C programs • Weaknesses in Web scripts (using a Perl example)

S5 S6

(AM) Chip Salzenberg, Consultant and Author

Peter Baer Galvin, Corporate Technologies

(AM) Professionals

HALF DAY 9:00 A.M.–12:30 P.M.
Take back to work: All you need to consider in deploying, implementing, and managing Solaris 10.

Higher-Order Perl

Who should attend: Programmers involved in the development and maintenance of large systems written partly or mostly in Perl. Topics include: • Dynamically replacing functions with facades • Iterators • Building complex parsers—easily!

Take back to work: How to write functions that can manufacture or modify other functions, instead of writing ten similar functions that must be maintained separately.

Problem-Solving for IT

• The kernel: update, /etc/system • Crash and core dumps • Cool commands you need to know • ZFS, the new endian-neutral file system • N1 Grid Containers (a.k.a. Zones) • DTrace • FMA (Fault Management Architecture) • Sysadmin best practices

NEW!

Who should attend: Solaris systems managers and administrators interested in learning the new administration features in Solaris 10 (and features in previous Solaris releases that they might not be using). Topics include: • Overview • Solaris releases • Installing and upgrading to Solaris 10 • Patching the kernel and applications • Service Management Facility

Strata Rose Chalup, Project Management Consultant

Who should attend: IT support people who would like to have a better grasp of problem-solving as a discipline. Take back to work: • A solid grounding in the process of solving problems • A framework on which to build troubleshooting techniques that are specific to your environment • Confidence in your ability to apply logic and common sense to debug problems in complex interacting systems

S7

(AM) Abe Singer, San Diego Supercomputer Center

Security Without Firewalls

See www.usenix.org/usenix07/training for complete training program information. HALF DAY 1:30 P.M.–5:00 P.M.
S8 (PM) Perl Program Repair Shop and Red Flags
Chip Salzenberg, Consultant and Author

Who should attend: Administrators who want or need to explore strong, low-cost, scalable security without firewalls. Topics include: • The threat perspective from a datacentric point of view • How to implement and maintain centralized configuration management using cfengine, and how to build reference systems for fast and consistent (re)installation of hosts • Secure configuration and management of core network services such as NFS, DNS, and SSH • Good system administration practices • Implementing strong authentication and eliminating use of plaintext passwords for services such as POP/IMAP • A sound patching strategy • An overview of how we were compromised, how we recovered, and what we learned Take back to work: How to build effective, scalable host-based security without firewalls.

Who should attend: Anyone who writes Perl programs regularly. Topics include: • Families of variables • Making relationships explicit • Refactoring • Programming by convention • Why you should avoid the “.” operator • Elimination of global variables • The “use strict” zombies • What can go wrong with “if” and “else” • The Condition that Ate Michigan • Structural vs. functional code • Boolean values • Programs that take two steps forward and one step back • Programs that are 10% backslashes • Unnecessary shell calls • How (and why) to let “undef” be the special value
NEW!

S9

(PM)

Take back to work: How to improve your own code and the code of others, making it cleaner, more readable, more reusable, and more efficient, while at the same time making it 30–50% smaller.

Performance Tracking with Cacti
John Sellens, SYONEX

S10 (PM) Distributed Source Code Management Systems: Bzr, Hg, and Git (Oh My!) NEW!
• User management and access control • Special cases: How to deal with interesting problems • Extending Cacti: How to write scripts or programs to extend the functionality of the basic package • Security concerns and access control • Ongoing operations Take back to work: The information needed to immediately implement and use Cacti to monitor systems and devices on their networks.
Theodore Ts’o, IBM Linux Technology Center

Who should attend: Developers, project leaders, and system administrators dealing with source code management systems who want to take advantage of the newest distributed development tools. Topics include: • Basic concepts of distributed SCMs • Advantages of peer-to-peer systems • How distributed SCMs work • Strengths and weaknesses of each distributed SCM • Guidance and suggestions on choice criteria Take back to work: An understanding of the basic concepts of distributed SCMs, how these systems work, how to use them, and the information you need to choose the distributed SCM that is most appropriate for your project.

Who should attend: Network and system administrators ready to implement a graphical performance and activity monitoring tool, who prefer an integrated, Web-based interface. Topics include: • Installation: Basic steps, prerequisites, common problems and solutions • Configuration, setup options, and how to manage larger and non-trivial configurations

MONDAY, JUNE 18, 2007 FULL DAY 9:00 A.M.–5:00 P.M.
M2 Building a Logging Infrastructure and Log Analysis for Security
Æleen Frisch, Exponential Consulting Abe Singer, San Diego Supercomputer Center

M1 Administering Linux in Production Environments

Who should attend: Both current Linux system administrators and administrators from sites considering converting to Linux or adding Linux systems to their current computing resources. Topics include: • Recent kernel developments • High-performance I/O • Advanced compute-server environments • High availability Linux: fault-tolerance options • Enterprise-wide authentication and other security features • Automating installations and other mass operations • Linux performance tuning Take back to work: The knowledge necessary to add reliability and availability to their systems, and to assess and implement tools needed for production-quality Linux systems.

M3 Hands-on Linux Security: From Hacked to Secure in Two Days (Day 2 of 2)
Rik Farrow, Security Consultant

Take back to work: How to get a handle on your log files, which can help you run your systems and networks more effectively and can provide forensic information for post-incident investigation.


Who should attend: System, network, and security administrators who want to be able to separate the wheat of warning information from the chaff of normal activity in their log files. Topics include: • Problems, issues, and scale of handling log information • Generating useful log information: improving the quality of your logs • Collecting log information • Storing log information • Log analysis • How to handle and preserve log files for HR and legal folks

M4 System and Network Performance Tuning
Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server. Take back to work: How to uncover the more subtle indicators of compromise such as backdoors and rootkits, and improve the network security of your systems.
Marc Staveley, Soma Networks

M5 Regular Expression Mastery
(AM) John Sellens, SYONEX

(AM) Chip Salzenberg, Consultant and Author

Topics include: • John the Ripper, password cracking • Misuses of suid shells, finding backdoors • Uncovering dangerous network services • Searching for evidence of rootkits and bots • Sleuth Kit (looking at intrusion timelines) • netfilter

M6 Databases: What You Need to Know
Take back to work: Procedures and techniques for tuning your systems, networks, and application code, along with guidelines for capacity planning and customized monitoring.

Who should attend: System administrators and users who use Perl, grep, sed, awk, procmail, vi, or emacs. Topics include: • Inside the regex engine • Disasters and optimizations Take back to work: Fixes for all your regexes: unexpected results, hangs, unpredictable behaviors.

Who should attend: System and application administrators who need to support databases and database-backed applications. Topics include: • An introduction to database concepts • The basics of SQL (Structured Query Language) • Common applications of databases • Berkeley DB and its applications • MySQL installation, configuration, and management • PostgreSQL installation, configuration, and management • Security, user management, and access controls • Ad hoc queries with standard interfaces • ODBC and other access methods • Database access from other tools (Perl, PHP, sqsh, etc.)

HALF DAY 9:00 A.M.–12:30 P.M.

Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. Topics include: • Performance tuning strategies • Server tuning • NFS performance tuning • Network performance, design, and capacity planning • Application tuning

Take back to work: A better understanding of databases and their use and of how to deploy and support common database software and database-backed applications.

M7 (AM) Disk-to-Disk Backup and Eliminating Backup System Bottlenecks

HALF DAY 1:30 P.M.–5:00 P.M.
M8 (PM) Practical Project Management for Sysadmins and IT Professionals
Strata Rose Chalup, Project Management Consultant

Jacob Farmer, Cambridge Computer Services

Who should attend: System administrators involved in the design and management of backup systems and policymakers responsible for protecting their organization’s data. Topics include: • Identifying and eliminating backup system bottlenecks • Conventional disk staging • Virtual tape libraries • Removable disk media • Incremental forever and synthetic full backup strategies • Block- and object-level incremental backups • Information lifecycle management and nearline archiving • Data replication • CDP (Continuous Data Protection) • Snapshots • Current and future tape drives • Capacity Optimization (Single-Instance File Systems) • Minimizing and even eliminating tape drives • iSCSI Take back to work: Immediate ideas for effective, inexpensive improvements to your backup systems.

M9 (PM) Ethereal and the Art of Debugging Networks
Topics include: • Quick basics of project management • Skill sets • Problem areas • Project management tools
Gerald Carter, Centeris/Samba Team

Who should attend: System administrators who want to stay hands-on as team leads or system architects and need a new set of skills with which to tackle bigger, more complex challenges.

M10 (PM) Next Generation Storage Networking
Jacob Farmer, Cambridge Computer Services

Take back to work: How to use the Ethereal protocol analyzer as a debugging and auditing tool for TCP/IP networks.

Who should attend: Sysadmins running day-to-day operations and those who set or enforce budgets. Topics include: • Fundamentals of storage virtualization: the storage I/O path • Shortcomings of conventional SAN and NAS architectures • In-band and out-of-band virtualization architectures • The latest storage interfaces: SATA (serial ATA), SAS (serial attached SCSI), 4Gb Fibre Channel, Infiniband, iSCSI • Content-Addressable Storage (CAS) • Information Life Cycle Management (ILM) and Hierarchical Storage Management (HSM) • The convergence of SAN and NAS • High-performance file sharing • Parallel file systems • SAN-enabled file systems • Wide-area file systems (WAFS) Take back to work: An understanding of general architectures, various approaches to scaling in both performance and capacity, relative costs of different technologies, and strategies for achieving results on a limited budget.

Take back to work: A no-nonsense grounding in methods that work without adding significantly to one’s workload. You will be able to take an arbitrarily daunting task and reduce it to a plan of attack that will be realistic, will lend itself to tracking, and will have functional, documented goals. You will be able to give succinct and useful feedback to management on overall project viability and timelines and easily deliver regular progress reports.

Who should attend: System and network administrators who are interested in learning more about the TCP/IP protocol and how network traffic monitoring and analysis can be used as a debugging, auditing, and security tool. Topics include: • Introduction to Ethereal for local and remote network tracing • TCP/IP protocol basics • Analysis of popular application protocols such as DNS, DHCP, HTTP, NFS, CIFS, and LDAP • How some kinds of TCP/IP network attacks can be recognized

TUESDAY, JUNE 19, 2007
T1

FULL DAY 9:00 A.M.–5:00 P.M.
Configuring and Deploying Linux-HA NEW!
Alan Robertson, IBM Linux Technology Center

Who should attend: System administrators and IT architects who architect, evaluate, install, or manage critical computing systems. It is suggested that participants have basic familiarity with system V/LSB-style startup scripts, shell scripting, and XML. Topics include: • General HA principles • Compilation and installation of the Linux-HA (“heartbeat”) software • Overview of Linux-HA configuration • Overview of commonly used resource agents • Managing services supplied with init(8) scripts • Sample Linux-HA configurations for Apache, NFS, DHCP, DNS, and Samba • Writing and testing resource agents conforming to the Open Cluster Framework (OCF) specification • Creating detailed resource dependencies • Creating co-location constraints • Writing resource location constraints • Causing failovers on user-defined conditions
NEW!


T2

Incident Response

T3

Topics include: • Goals: What results do you want? • Policies: Having the authority to do the job • Tools: Having the stuff to do the job • Intelligence: Having the information to do the job • Initial suspicion: Complaints, alarms, anomalies • The “oh, sh*t” moment: When you realize it’s a compromise • Gathering information on your attacker • Assessing the extent of the compromise • Communicating: Inquiring minds want to know • Recovery: Kicking ’em out and fixing the damage • Evidence handling • The law: Dealing with law enforcement, lawyers, and HR Take back to work: An understanding of how to prepare for security incidents and how to handle incidents in an organized, effective manner, without panicking.

NFSv4 and Cluster File Systems
NEW!

T4

Take back to work: Knowledge of the challenges and solutions in marrying NFSv4 with cluster file systems.

Solaris 10 Performance, Observability, and Debugging

• Efficient client recovery and migration for NFSv4 on cluster file systems • An introduction to pNFS, the emerging parallel extension to NFSv4, which offers the potential to deliver the bisectional bandwidth of a cluster file system to a single client.

Jim Mauro and Richard McDougall, Sun Microsystems

Who should attend: Anyone who supports or may support Solaris 10 machines. Topics include: • Solaris 10 features overview • Solaris 10 tools and utilities • Understanding memory use and performance • Understanding thread execution flow and profiling • Understanding I/O flow and performance • Looking at network traffic and performance • Application and kernel interaction • Putting it all together Take back to work: How to apply the tools and utilities available in Solaris 10 to resolve performance issues and pathological behavior, and simply to understand the system and workload better.

Peter Honeyman, CITI, University of Michigan

Take back to work: Both the basic theory of high-availability systems and practical knowledge of how to plan for and install and configure highly available systems using Linux-HA.

Abe Singer, San Diego Supercomputer Center

Who should attend: System builders developing storage solutions for high-end computing, system administrators who need to anticipate and understand the state of the art in high performance storage protocols and technologies, and researchers looking for an intensive introduction to an exciting and fertile area of R&D. Topics include: • Features of NFSv4 and cluster file systems • Major coordination issues of locking, delegation, and shares, giving special attention to fair queuing for NFSv4, NLM, and POSIX locks

Who should attend: Security folks, system administrators, and operations staff (e.g., help desk). Examples are primarily from UNIX systems, but most of what is discussed will be operating system neutral.

T5 T6

FULL DAY 9:00 A.M.–5:00 P.M.
System and Network Monitoring: Tools in Depth
Æleen Frisch, Exponential Consulting John Sellens, SYONEX

Beyond Shell Scripts: 21st-Century Automation Tools and Techniques

T7 High-Capacity Email System Design
NEW!

Who should attend: System administrators who want to explore new ways of automating administrative tasks. Shell scripts are appropriate for many jobs, but more complex operations will often benefit from sophisticated tools. Topics include: • Cfengine configurations, sample uses, and limitations • Expect: Automating interactive processes • Bacula, an enterprise backup management facility • Network and system monitoring tools: SNMP overview, Nagios, RRDTool, Ethereal Take back to work: You will be ready to begin using these packages in your own environment, and to realize the efficiency, reliability, and thoroughness that they offer compared to traditional approaches.

• Extending the tools: How to write scripts or programs to extend the functionality of the basic package • Dealing effectively with network boundaries and remote sites • Security concerns and access control • Ongoing operations

ATTENTION MANAGERS: WHY YOU SHOULD SEND YOUR EMPLOYEES TO USENIX ’07
Hiring the best and the brightest is the ultimate goal for any employer. However, keeping current employees up to par is just as important. Technology continues to evolve: truly to stay ahead of the game, your employees must continue to enhance their skills.

Take back to work: The information needed to immediately implement, extend, and manage popular monitoring tools on your systems and networks.

Steve VanDevender, University of Oregon

Who should attend: Anyone who needs to design a high-volume, secure email system or upgrade an existing one. Topics include: • Mail system architecture and components • MTAs and SMTP • Spam! • LDAs and the mail store • POP, IMAP • Coping with MUAs • Scaling and reliability methods Take back to work: An overview of available choices in software and methods, with their tradeoffs and domains of applicability.

The training program at USENIX ’07 offers a cost-effective, one-stop shop for training current IT and development employees. Over 35 full- and half-day tutorials taught by the most respected leaders in the field provide an unparalleled opportunity to learn from the best. Tutorials cover a multitude of topics including open source technologies, system administration, and security. Combining full days of training with days of technical sessions on groundbreaking research makes the USENIX ’07 experience even more valuable. Additionally, the receptions, Poster Session, and Birds-of-a-Feather sessions provide your staff with a chance to network with peers and industry leaders to gain that all-important insider IT knowledge that will keep your company current and running smoothly. Keeping up with technology can be costly and time-consuming in this unforgiving economy: take full advantage of this opportunity to have your staff learn from the top researchers, practitioners, and authors all in one place, at one time.

Who should attend: Network and system administrators ready to implement comprehensive monitoring of their systems and networks using the best of the freely available tools. Topics include, for each of Nagios, Cricket, MRTG, and Orca: • Installation: Basic steps, prerequisites, common problems and solutions • Configuration, setup options, and how to manage larger and nontrivial configurations • Reporting and notifications, both proactive and reactive • Special cases: How to deal with interesting problems

WEDNESDAY, JUNE 20, 2007 FULL DAY 9:00 A.M.–5:00 P.M.
W1 Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity


W2 Using Samba 3.0

Who should attend: Anyone who wants to know what is happening on their network. I assume command-line knowledge of UNIX and familiarity with TCP/IP. Anyone with duties involving intrusion detection, security analysis, incident response, or network forensics will profit from this course. Topics include: • NSM theory • Building and deploying NSM sensors • Accessing wired and wireless traffic • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records • Sguil (sguil.sf.net) • Case studies, personal war stories, attendee participation Take back to work: You will immediately be able to implement numerous new techniques and tools to discover normal, malicious, and suspicious network events.

W3 Solaris 10 Security Features Workshop
Peter Baer Galvin, Corporate Technologies

• How to integrate Samba with Active Directory • How to enable Samba as a Domain Controller in its own domain

Take back to work: You will understand not only how to configure Samba in a variety of environments, but also how to troubleshoot the unpredictable glitches that occur at the most inopportune times.

W4 Inside the Linux 2.6 Kernel

best practices. Also covered is the status of each of these new features, how stable it is, whether it is ready for production use, and expected future enhancements.

Theodore Ts’o, IBM Linux Technology Center

Who should attend: Application programmers and kernel developers. Topics include: • How the kernel is organized (scheduler, virtual memory system, filesystem layers, device driver layers, networking stacks) • Ground rules of kernel programming (races, deadlock conditions) • Implementation and properties of the most important algorithms • Comparison between Linux and UNIX kernels, with emphasis on differences in algorithms • Details of the Linux scheduler • The requirements for portability between architectures Take back to work: An overview and roadmap of the kernel’s design and functionality.

Who should attend: Solaris systems managers and administrators interested in the new security features in Solaris 10 (and features in previous Solaris releases that they might not be using). Topics include: • Overview • N1 Grid Containers (a.k.a. Zones) • RBAC: Role Based Access Control • Privileges • NFSv4 • Flash archives and live upgrade (automated system builds) • Moving from NIS to LDAP • DTrace • FTP client and server enhancements for security, reliability, and auditing • PAM enhancements for more detailed access control • Auditing enhancements • BSM (the Basic Security Module) • Service Management Facility (a replacement for “rc” files) • Solaris Cryptographic Framework • Kerberos enhancements • Packet filtering with IPfilters • BART (Basic Audit Reporting Tool) Take back to work: During this exploration of the important new features of Solaris 10, you’ll not only learn what it does and how to get it done, but also

Gerald Carter, Centeris/Samba Team

Who should attend: System administrators who are currently managing Samba servers or are planning to deploy new servers this year. This course will outline the new features of Samba 3.0, including working demonstrations throughout the course session.

Topics include: • How to provide common file and print services

R1 R2

FULL DAY 9:00 A.M.–5:00 P.M.
Advanced Perl Programming
Tom Christiansen, Consultant

THURSDAY, JUNE 21, 2007
TCP/IP Weapons School, Layers 2–3 (Day 1 of 2) NEW!
Richard Bejtlich, TaoSecurity

See www.usenix.org/usenix07/training for complete training program information.
R3 R4 Implementing [Open]LDAP Directories

Who should attend: Anyone with a journeyman-level working knowledge of Perl programming who wants to hone Perl skills. Topics include: • Symbol tables and typeglobs • Modules • References • Fancy object-oriented programming • Managing exceptions and warnings • Regular expressions • Programming with multiple processes or threads • Unicode and I/O layers Take back to work: With a much richer understanding of Perl, you will be better able to make it part of your daily routine.

Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents. Topics for Day 1 include: • Layer 2
• What is layer 2? • Ethernet in brief • packet delivery on the LAN • Ethernet interfaces • ARP basics, ARP request/reply, ARP cache, Arping, Arpdig, Arpwatch • VLANs • Dynamic Trunking Protocol

Take back to work: Comfortable with LDAP terms and concepts, you will understand how to extend that knowledge to integrate future applications with it into your network.

Issues in UNIX Infrastructure Design

how to interpret network traffic by analyzing packets generated by network security tools and how to identify security events on the wire.

Gerald Carter, Centeris/Samba Team

Who should attend: Both LDAP directory administrators and architects. Topics include: • Replacing NIS domains • Integration with Samba file and print servers • Integrating MTAs such as Sendmail and Postfix • Creating customized LDAP schema items • Examining scripting solutions for developing your own directory administration tools


consultant or company? • Homogeneous vs. heterogeneous: Homogeneous is easier, but will it do what your users need? • The essential master database: How can you keep track of what you have? • Policies to make life easier • Push vs. pull • Getting the user back online in 5 minutes • Remote administration: Lights-out operation; remote user sites; keeping up with vendor patches, etc. • Scaling and sizing: How do you plan on scaling? • Security vs. sharing: Your users want access to everything. So do the crackers . . . • Single sign-on: How can you do it securely? • Single system images: Can users see just one environment, no matter how many OSes there are? • Tools: The free, the purchased, the homegrown

Lee Damon, University of Washington

Take back to work: The answers to all the questions you should ask while designing and implementing the mixed-architecture or single-architecture UNIX environment that will meet your needs.

Who should attend: Anyone who is designing, implementing, or maintaining a UNIX environment with 2 to 20,000+ hosts; system administrators, architects, and managers who need to maintain multiple hosts with few admins. Topics include: • Administrative domains: Who is responsible for what, and what can users do for themselves? • Desktop services vs. farming: Do you do serious computation on the desktop, or do you build a compute farm? • Disk layout: How do you plan for an upgrade? Where do things go? • Free vs. purchased solutions: Should you write your own, or hire a

Layer 2 attacks
• MAC address trickery • MAC flooding: Macof • ARP denial of service: arp-sk • Port stealing: Ettercap • Layer 2 man-in-the-middle: Ettercap • Dynamic Trunking Protocol attack: Yersinia

Take back to work: The fundamentals of TCP/IP networking. You will learn

FRIDAY, JUNE 22, 2007
F1

FULL DAY 9:00 A.M.–5:00 P.M.
Introduction to VMware Virtual Infrastructure 3

F2

TCP/IP Weapons School, Layers 2–3 (Day 2 of 2) NEW!

John Arrasjid and Shridhar Deuskar, VMware

Richard Bejtlich, TaoSecurity

Who should attend: System administrators and architects who are interested in deploying a VMware Virtual Infrastructure, including ESX Server and VirtualCenter, in a production environment. No prior experience with VMware products is required. Knowledge of Linux is helpful; basic knowledge of SANs is useful but not required. Topics include: • Virtual Infrastructure overview • ESX Server and VirtualCenter overview • Installation and configuration • Virtual machine creation and operation • Migration technologies such as VMware Converter • Operations and administration best practices • Advanced configuration (SAN and networking)

Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents. Topics for Day 2 include: • Layer 3
• What is layer 3? • Internet Protocol • Raw IP: Nemesis • IP options: Fragtest • IP time-to-live: Traceroute • Internet Control Message Protocol: Sing • ICMP Error Messages: Gnetcat • IP Multicast: Iperf • IP Multicast: Udpcast • IP fragmentation: Fragtest

CONTINUING EDUCATION UNITS (CEUS)
USENIX provides Continuing Education Units for a small additional administrative fee. The CEU is a nationally recognized standard unit of measure for continuing education and training and is used by thousands of organizations. Each full-day tutorial qualifies for 0.6 CEUs. You can request CEU credit by completing the CEU section on the registration form. USENIX provides a certificate for each attendee taking a tutorial for CEU credit and maintains transcripts for all CEU students. CEUs are not the same as college credits. Consult your employer or school to determine their applicability. WANT MORE INFO?

Layer 3 attacks
• IP IDs: Isnprober • IP IDs: Idle Scan • IP TTLs: LFT • IP TTLs: Etrace and Firewalk • ICMP Covert Channel: Ptunnel • IP fragmentation: Fragroute and Pf

Take back to work: How to deploy a VMware virtual infrastructure effectively on your own site.

Take back to work: The fundamentals of TCP/IP networking. You will learn how to interpret network traffic by analyzing packets generated by network security tools and how to identify security events on the wire.

For full tutorial descriptions, see www.usenix.org/usenix07/training.

USENIX TRAINING INSTRUCTORS
F1

John Arrasjid

John Arrasjid has 20 years of experience in the computer science field, including work with AT&T, Amdahl, 3Dfx Interactive, Kubota Graphics, Roxio, and his own company, WebNexus Communications, where he developed consulting practices and built a cross-platform IT team. John is currently a senior member of the VMware Professional Services Organization.
M9, W2, R3

W1, R2, F2

Strata Rose Chalup has been leading and managing complex IT projects for many years. She has written a number of articles and has volunteered for BayLISA and SAGE. Strata has built a successful consulting practice around being an avid early adopter of new tools. Another MIT dropout, Strata founded VirtualNet Consulting in 1993.
R4

Richard Bejtlich

R1

S6, M8

Strata Rose Chalup

Shridhar Deuskar has over 10 years of experience in system administration of UNIX and Windows servers. He has consulted with companies such as Caterpillar, HP, and EMC. Currently he is a Consulting Architect in VMware’s Professional Services organization and is responsible for delivering services tied to virtualization to clients worldwide.
S3, M3

Tom Christiansen

M7, M10

F1

Shridhar Deuskar

Jacob Farmer

Richard Bejtlich is founder of TaoSecurity LLC (http://www.taosecurity.com), a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard wrote the Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics.

Tom Christiansen has been involved with Perl since day zero of its initial public release in 1987. Author of several books on Perl, including the Perl Cookbook and Programming Perl from O’Reilly, Tom is also a major contributor to Perl’s online documentation. He holds undergraduate degrees in Computer Science and Spanish and a Master’s in Computer Science. He now lives in Boulder, Colorado.
Lee Damon

Jacob Farmer has written numerous papers and articles and is a regular speaker at trade shows and conferences. In addition to his expert advice column in the “Reader I/O” section of InfoStor Magazine, Jacob serves as the publication’s senior technical advisor. Jacob has over 18 years of experience with storage technologies and is the CTO of Cambridge Computer Services, a national integrator of data storage and data protection solutions.

Gerald Carter

Rik Farrow

Gerald Carter has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O’Reilly Publishing.

Lee Damon has been a UNIX system administrator since 1985 and has been active in SAGE (U.S.) and LOPSA since their inceptions. He assisted in developing mixed environments at IBM Watson Research, Gulfstream Aerospace, and QUALCOMM. He is currently leading the development effort for the Nikola project at the University of Washington Electrical Engineering department. He is past chair of the SAGE Ethics and Policies working groups, and he was the chair of LISA ’04.

Rik Farrow provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many U.S. and European user groups. He is the author of UNIX System Security and System Administrator’s Guide to System V. Farrow is the editor of ;login: and works passionately to improve the state of computer security.

Æleen Frisch has been working as a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition from O’Reilly). Æleen was the program chair for LISA ’03 and is a frequent presenter at USENIX events, as well as presenting classes for universities and corporations worldwide.
Peter Baer Galvin
S1 S4, W3 M1, T5

Æleen Frisch


Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR. He has written articles for Byte and other magazines. He wrote the “Pete’s Wicked World” and “Pete’s Super Systems” columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks.

Peter Honeyman is Research Professor of Information at the University of Michigan and Scientific Director of the Center for Information Technology Integration, where he leads a team of scientists, engineers, and students developing the Linux-based open source reference implementation of NFSv4 and its extensions for high end computing. With 25 years of experience building middleware for file systems, security, and mobile computing—including Honey DanBer UUCP, PathAlias, MacNFS, Disconnected AFS, and WebCard (the first Internet smart card)—Honeyman is regarded as one of the world’s leading experimental computer scientists.

T4

T3

Peter Honeyman

Richard McDougall, had he lived 100 years ago, would have had the hood open on the first four-stroke internal combustion gasoline-powered vehicle, exploring new techniques for making improvements. These days, McDougall uses technology to satisfy his curiosity. He is a Distinguished Engineer at Sun Microsystems, specializing in operating systems technology and system performance. He is co-author of Solaris Internals and Resource Management.

James Mauro

Simson L. Garfinkel

Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, CA, and a fellow at the Center for Research on Computation and Society at Harvard University. He is also the founder of Sandstorm Enterprises, a computer security firm. Garfinkel writes a monthly column for CSO Magazine and is the author or co-author of fourteen books on computing. He is perhaps best known for his book Database Nation: The Death of Privacy in the 21st Century.

James Mauro is a Senior Staff Engineer in the Performance and Availability Engineering group at Sun Microsystems. Jim’s current interests and activities are centered on benchmarking Solaris 10 performance, workload analysis, and tool development. This work includes Sun’s new Opteron-based systems and multicore performance on Sun’s Chip Multithreading (CMT) Niagara processor. He spent most of his spare time in the past year working on the second edition of Solaris Internals. Jim co-authored the first edition of Solaris Internals with Richard McDougall.

Alan Robertson founded the High-Availability Linux (Linux-HA) project in 1998 and has been project leader for it since then. He worked for SuSE for a year, then in March 2001 joined IBM’s Linux Technology Center, where he works on it full time. Before joining SuSE, he was a Distinguished Member of Technical Staff at Bell Labs. He worked for Bell Labs for 21 years in a variety of roles. These included providing leading-edge computing support, writing software tools and developing voicemail systems.


T1

T4

Richard McDougall

Alan Robertson

S5, S8, M5 S9, M6, T6

Chip Salzenberg

Chip Salzenberg is Principal Engineer at Cloudmark, where he fights spam with flair and aplomb. Chip is also chief coder (“pumpking”) of the Parrot virtual machine (http://parrotcode.org), with which he plans to bring all dynamic languages together and, in the darkness, dynamically bind them. He was pumpking for Perl release 5.4. He created the automated Linux install-and-test system for VA Linux Systems and was VA’s Kernel Coordinator. Chip has been published by O’Reilly and Prentice Hall on Perl and other topics.
John Sellens

Abe Singer is a Computer Security Researcher in the Security Technologies Group at the San Diego Supercomputer Center. In his operational security responsibilities, he participates in incident response and forensics and in improving the SDSC logging infrastructure. His research is in pattern analysis of syslog data for data mining. He is co-author of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O’Reilly book on log analysis.
S10, W4

M4

S7, M2, T2

Abe Singer

Marc Staveley

John Sellens has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and the SAGE Short Topics in System Administration booklet #7, System and Network Administration for Higher Reliability. He is the proprietor of SYONEX, a systems and networks consultancy, and is currently a member of the systems team at Magna International. From 1999 to 2004, he was the General Manager for Certainty Solutions in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.

Marc Staveley works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in leading their IT group. Previously Marc had been an independent consultant and also held positions at Sun Microsystems, NCR, Princeton University, and the University of Waterloo. He is a frequent speaker on the topics of standards-based development, multithreaded programming, system administration, and performance tuning.

By once not knowing to be afraid of Sendmail, Steve VanDevender has ended up specializing in email system administration for much of his system administration career. At efn.org between 1994 and 2002, he ended up managing a mail system that grew to 10,000 users; at the University of Oregon since 1996, he has helped manage a mail system that has grown from 20,000 to 30,000 users and, more important, has grown even more in message volume and user activity, with many corresponding changes to cope with that growth. Since 2000, he has taught a popular course in system administration for the University of Oregon’s Department of Computer and Information Science.


T7 S2

Steve VanDevender

Theodore Ts’o

Theodore Ts’o has been a Linux kernel developer since almost the very beginnings of Linux: he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author of the Linux COM serial port driver and the Comtrol Rocketport driver, and he architected and implemented Linux’s tty layer. Outside of the kernel, he is the maintainer of the e2fsck filesystem consistency checker. Ted is currently employed by IBM Linux Technology Center.

Dustin Whittle is a Technical Yahoo in the Social Search Group at Yahoo!. He is also a contributing developer on the symfony project and the developer of several plugins. Before joining Yahoo!, he was a self-employed technology consultant, working around the world to make the Web a better place for everyone and was the lead developer at The Web Freaks. As a consultant and trainer, Dustin has taught tutorials and given talks at many conferences and institutions on such topics as enterprise Web development and symfony.


Dustin Whittle


USENIX is pleased to partner with SANS at USENIX ’07 to offer two 6-day training courses focused on security.

SANS Security 504: Hacker Techniques, Exploits, and Incident Handling SUNDAY, JUNE 17, 2007
John Strand, Northrop Grumman

SUNDAY–FRIDAY, JUNE 17–22, 2007, 9:00 A.M.–5:00 P.M. MONDAY, JUNE 18, 2007

SANS TRAINING PROGRAM
504.2 Computer and Network Hacker Exploits: Part 1
• Containment • Eradication • Recovery • Special actions for responding to different types of incidents • Incident record keeping • Incident follow-up

Overview: Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents, a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them, and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Who should attend: Individuals who lead or are a part of an incident handling team; system administrators and security personnel; ethical hackers/penetration testers.


504.1 Incident Handling Step-by-Step and Computer Crime Investigation

The first part of the course looks at the invaluable Incident Handling Step-by-Step model. This section is designed to introduce the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) needed to prepare for and deal with a computer incident.

The second part examines case studies to understand what works in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

TUESDAY, JUNE 19, 2007

504.3 Computer and Network Hacker Exploits: Part 2

Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This daylong course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks. If you don’t have the skills needed to understand these critical phases of an attack in detail, you won’t be able to protect your network.

Topics include: • Reconnaissance • Scanning • Intrusion detection system evasion • Hands-on exercises with the following tools:
• What is layer 3? • NetStumbler for wireless LAN discovery • Nmap port scanner and operating system fingerprinting tool • Nessus Vulnerability Scanner • Enum for extracting Windows data through null sessions

WEDNESDAY, JUNE 20, 2007

504.4 Computer and Network Hacker Exploits: Part 3

This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack.

Topics include: • Network-level attacks • Gathering and parsing packets • Operating system and application-level attacks • Netcat: The attacker’s best friend • Hands-on exercises with the following tools:
• Sniffers, including Tcpdump • Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect • Netcat for transferring files, creating backdoors, and setting up relays • Format string vulnerabilities in Windows

This course starts out by covering one of the attackers’ favorite techniques for compromising systems: worms. We’ll analyze worm developments over the past two years and get a feel for the Super Worms we’ll face in the future. Then the course turns to another vital area often exploited by attackers: homegrown Web applications. Attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail. The course also presents a taxonomy of nasty denial of service attacks, illustrating how attackers can stop services or exhaust resources and how to prevent their nefarious deeds.

Topics include: • Preparation • Identification

Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This day-long course covers the third step of many hacker attacks: gaining access.

THURSDAY, JUNE 21, 2007

504.5 Computer and Network Hacker Exploits: Part 4

FRIDAY, JUNE 22, 2007
504.6 Hacker Tools Workshop

Topics include: • Password cracking • Web application attacks • Denial of service attacks • Hands-on exercises with the following tools:
• John the Ripper password cracker • Web application attack tools, including Achilles

This course covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. In this course, we’ll analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on planet Earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. This workshop will give students flight time with the attack tools to better understand how they work. Additionally, students can participate in the workshop’s Capture the Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you’ve built over the week in this engaging contest. The Capture the Flag victors will win a prize.

LAPTOP REQUIRED PLEASE NOTE SATISFACTION GUARANTEED

See www.usenix.org/usenix07/training for more information.

Each SANS class runs for 6 days. Attending a SANS course precludes attending USENIX training courses or technical sessions. See p. 22 for registration information.

Topics include: • Maintaining access • Covering their tracks • Putting it all together • Hands-on exercises with the following tools:
• Virtual Network Computing (VNC) and Shovelling GUI • RootKits and detection • Detecting backdoors with Netstat, Lsof, and Fport • Hidden file detection with LADS • Covert Channels using Covert_TCP

Topics include: • Hands-on analysis • General Exploits • Other attack tools and techniques
John Strand

John Strand started working in information security at Accenture Consulting at the Department of the Interior, where he worked incident response, vulnerability assessment, and intrusion detection. He is currently employed with Northrop Grumman in Denver doing Information Assurance. John currently holds the CISSP and GIAC GCIH and GCFW certifications.

If you feel a SANS tutorial does not meet your needs, let us know by the first break and we will change you into any other available SANS or USENIX tutorial immediately.


SANS Security 617: Assessing and Securing Wireless Networks
James Tarala, Enclave

SUNDAY–FRIDAY, JUNE 17–22, 2007, 9:00 A.M.–5:00 P.M. MONDAY, JUNE 18, 2007 TUESDAY, JUNE 19, 2007

617.2 Auditing Wireless Networks—Hands-on
617.3 WLAN Hacker Tools and Techniques, Part I—Hands-on
• Calculating signal gain and loss • Wireless organizers and standards bodies • Antenna signal propagation and characteristics • Building home-brew antennas from parts • Conducting effective site surveys

Overview: Few fields are as complex as wireless security. This course breaks down the issues and relevant standards that affect wireless network administrators, auditors, and information security professionals. With hands-on labs and instruction from industry wireless security experts, you will gain an intimate understanding of the risks threatening wireless networks. After identifying risks and attacks, we’ll present field-proven techniques for mitigating these risks, leveraging powerful open-source and commercial tools for Linux and Windows systems. Who should attend: Operations professionals who are responsible for designing and implementing secure wireless networks; security professionals who are concerned about the weaknesses of wireless networks; penetration testers who want to include wireless network security assessments in their organization’s services offerings; auditors who must evaluate wireless networks to ensure they meet an acceptable level of risk and are compliant with organizational policy. Students should have a working knowledge of wireless networks, with experience in the design or deployment of wireless technology.


SUNDAY, JUNE 17, 2007

617.1 Wireless Architecture, RF Fundamentals

This day examines the process of auditing wireless networks through passive network analysis using popular sniffer tools. We’ll also examine the various threats that target wireless networks, take an in-depth look at the 802.11 MAC layer, and leverage tools such as Kismet to map the range and exposure of wireless networks.

WEDNESDAY, JUNE 20, 2007
617.4 WLAN Hacker Tools and Techniques, Part II—Hands-on

Topics include: • Exploring how rogue APs can be used against your organization • Wireless-side techniques for identifying and locating rogue APs • Automating centralized wired-side scanning for rogue APs • Triangulation techniques for locating transmitters • Understanding the RC4 cipher used in WEP security • Weaknesses in WEP and dynamic WEP implementations • Evaluating your network using popular hacker tools

Topics include: • Common misconceptions about wireless security • Using satellite maps to document wireless signal leakage • Understanding 802.11 addressing • Passive WLAN traffic sniffing • Leveraging TCPDump, Ethereal, and Kismet • Analyzing wireless traffic with postprocessing tools

This second of three days exploring tools and techniques focuses on the threats and mitigation techniques for outdoor wireless MAN networks, Cisco LEAP networks, networks using VPN, and WPA pre-shared key implementations.

The field of wireless networking is vastly complex, with umpteen protocols, standards, and nonstandard software packages. This day introduces the architecture of wireless networks, varying wireless protocols, and radio-frequency concepts.

Topics include: • Radio frequency characteristics • Interference in wireless networks

With the flurry of wireless standards and specifications has come a flurry of attack tools that leverage protocol and implementation weaknesses to compromise wireless security. This first of three days exploring tools and techniques focuses on the threats and mitigation techniques surrounding rogue APs, WEP-based security, and 802.1x with dynamic WEP security.

Topics include: • Understanding different types of wireless MAN networks • Software and hardware for sniffing 5 GHz networks • Evaluating WMAN information disclosure • Weaknesses in MS-CHAPv2 and MD4 hashing techniques • Operation and weaknesses in Cisco LEAP Networks • Recovering user passwords from LEAP transactions • Common vulnerabilities in wireless IPSec/VPN deployments • Leveraging IP-over-DNS to bypass VPN security • Understanding the TKIP algorithm and pre-shared key vulnerabilities

THURSDAY, JUNE 21, 2007

617.5 WLAN Hacker Tools and Techniques, Part III—Hands-on

See www.usenix.org/usenix07/training for complete training program information.

FRIDAY, JUNE 22, 2007

617.6 Designing a Secure Wireless Infrastructure—Hands-on

This third of three days exploring tools and techniques focuses on the threats and mitigation techniques for assessing PEAP networks using WPA security, DoS attacks against wireless networks, hotspot security, and WLAN IDS monitoring techniques.

Topics include: • Understanding RADIUS and key distribution in 802.1x networks • Leveraging weaknesses to compromise PEAP+WPA security • Evaluating the impact of WLAN DoS attacks • Understanding Layer 1 and Layer 2 WLAN DoS techniques • Assessing hotspot security as a provider, subscriber, and security administrator • Service theft risks on wireless hotspots • Rogue APs and hotspot networks • Compromising SSL security on hotspot networks • Designing and deploying WLAN intrusion detection services • Implementing WLAN intrusion prevention services • Open-source and commercial tools for WLAN monitoring

This sixth day of the course shifts from learning about different attack techniques and vulnerabilities to the steps we can take to design a secure infrastructure that will be resistant to attacks. Using the knowledge gathered from the previous days, we’ll review the deployment or migration steps that organizations can take to mitigate the weaknesses in other architectures, using commercial or open-source tools.

LAPTOP REQUIRED PLEASE NOTE SATISFACTION GUARANTEED

See www.usenix.org/usenix07/training for more information.

Topics include: • Steps for migrating from WEP to WPA to WPA2 • Introduction to public key infrastructure (PKI) authentication • Deploying PKI using low-cost tools • Automating client setup and configuration for secure wireless • Integrating RADIUS with existing authentication databases • Securing 802.1x and RADIUS authentication • Deploying PEAP for enterprise wireless security • Deploying secure VPN connectivity for wireless networks
James Tarala

Each SANS class runs for 6 days. Attending a SANS course precludes attending USENIX training courses or technical sessions. See p. 22 for registration information.

If you feel a SANS tutorial does not meet your needs, let us know by the first break and we will change you into any other available SANS or USENIX tutorial immediately.

James Tarala is a principal consultant with Enclave Hosting, LLC, and is based in Venice, FL. He is a regular speaker and senior instructor with the SANS Institute, as well as a courseware author and editor for many of their auditing and security courses. As a consultant he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based, directory services, email, terminal services, and wireless technologies.


HOTEL & TRAVEL
Hyatt Regency Santa Clara
Airports & Ground Transportation
The hotel is located 5 miles from San Jose’s Norman Y. Mineta International Airport (SJC) and 30 miles from San Francisco International Airport (SFO). Shuttle service from SJC to the hotel costs approximately $16–21 per person, and taxi service costs approximately $15–30. Shuttle service from SFO to the hotel costs approximately $36 per person, and taxi service costs approximately $80–100. Valet parking at the hotel costs $10 per day and self-parking is complimentary. See www.usenix.org/usenix07/hotel for more information.
Note: When the rooms in the USENIX block are sold out, requests will be handled on a space-available basis at the hotel's standard rate. Make your reservations early!

5101 Great America Parkway Santa Clara, CA 95054 Tel: (408) 200-1234 Fax: (408) 980-3990 http://santaclara.hyatt.com/hyatt/hotels/

Hotel Reservation Discount Deadline: May 29, 2007


SANTA CLARA, CALIFORNIA

USENIX has negotiated special rates for conference attendees at the Hyatt Regency Santa Clara. Please make your reservation as soon as possible by contacting the hotel directly. You must mention USENIX to get the special group rate.

Special Attendee Room Rate $169 per night, plus 9.5% state and local tax, $0.12 California State Tourism Tax, and $1.00 District Improvement Tax

Why should you stay in the headquarters hotel? We encourage you to stay in the conference hotel and when making your reservation to identify yourself as a USENIX conference attendee.

It is by contracting rooms for our attendees that we can significantly reduce hotel charges for meeting room rental. When the sleeping rooms are not utilized, we face significant financial penalties. These penalties ultimately force us to raise registration fees. We recognize, however, that not everyone can afford to stay in the conference hotel, so we always try to book venues that have some low-cost alternatives available near the conference. With costs going higher and higher, we are working hard to negotiate the very best hotel rates and keep other conference expenses down in order to keep registration fees as low as possible. We appreciate your help in this endeavor.

Traveling to USENIX ’07 from Outside the U.S.A.
See detailed advice from the National Academies about visiting the United States at http://www7.nationalacademies.org/visas/Traveling_to_US.html.

About Santa Clara
USENIX is pleased to bring the Annual Technical Conference to Santa Clara. Santa Clara and its environs offer a wide array of activities to occupy your free time, including a vibrant cultural scene and an exciting amusement park. Here are just a few ideas:
• Paramount’s Great America, http://www.pgathrills.com • Intel Museum, http://www.intel.com/museum • Tech Museum of Innovation, http://www.thetech.org • NASA Ames Exploration Center, http://www.nasa.gov/centers/ames/home/exploration.html • Rosicrucian Egyptian Museum & Planetarium, http://www.egyptianmuseum.org

See the Santa Clara Convention & Visitor’s Bureau’s Web site, http://www.santaclara.org, for more.

REGISTRATION INFORMATION & FEES
Register or make a reservation on the Web today at http://www.usenix.org/usenix07/registration.
Pay today with a credit card, or make a reservation online and then pay by check, phone, or fax. Have the best of both worlds: the convenience of online registration without the hassle of hand-written forms, and the ability to pay as you want, when you want!

TRAINING PROGRAM REGISTRATION

Early Bird Registration Deadline: June 1, 2007

Every USENIX training program registration includes: • Admission to the tutorials you select • Lunch on the day of your tutorials • Training program CD-ROM, including all available tutorial presentations and materials • Printed tutorial materials for your courses • Admission to the evening activities • Conference t-shirt • Wireless connectivity in conference session area

Every SANS training program registration includes: • Admission to the tutorials you select • Lunch on the day of your tutorials • Complimentary one-year membership in the USENIX Association • Printed tutorial materials for your courses • Admission to the evening activities • Conference t-shirt • Wireless connectivity in conference session area

TECHNICAL SESSIONS REGISTRATION

Every technical sessions registration includes: • Admission to all technical sessions on the days of your choice • Copy of the Conference Proceedings (in print or on CD-ROM) • Admission to the evening activities • Conference t-shirt • Wireless connectivity in conference session area

Multiple Employee Discount
We offer discounts for organizations sending 5 or more employees to USENIX ’07. Please email usenix07_reg@usenix.org for more details. The group discount cannot be used in conjunction with any other discounts, and it cannot be applied retroactively—that is, refunds will not be issued to those meeting the discount requirement after they have already registered.

REGISTRATION FEES

USENIX is pleased to offer Early Bird Registration Discounts of up to $300 to those who register for USENIX ’07 by June 1, 2007. After June 1, registration fees increase.

Daily Rates (Before June 1 / After June 1)
1 day of technical sessions: $260 / $310
1 day of USENIX training: $635 / $685
1 half-day of USENIX training: $335 / $385; second half-day only $300

Choose One of Our Special Discount Packages and SAVE! (Before June 1 / After June 1)
A. 3 Days of Technical Sessions, SAVE $100!: $680 / $830
B. 2 Days of USENIX Training, SAVE $50!: $1220 / $1320
C. 3 Days of USENIX Training, SAVE $100!: $1805 / $1955
D. 4 Days of USENIX Training, SAVE $200!: $2340 / $2540
E. 5 Days of USENIX Training, SAVE $300!: $2875 / $3125
F. 6 Days of USENIX Training, SAVE $600!: $3210 / $3510
G. 6 Days of SANS Training*: $3210 / $3510

*Each SANS class runs for 6 days. Attending a SANS course precludes attending USENIX training courses or technical sessions.

For maximum savings, combine Package A with Package B or C. If you are not a member of USENIX, EurOpen.SE, or NUUG, $120 will be added to your technical sessions fees.

Optional Costs
Continuing Education Units (CEUs): $15 per training day

Registration Fees for Full-Time Students
USENIX offers full-time students special low registration fees for USENIX ’07 that are available at any time. See www.usenix.org/usenix07/students for more information. Students who are not members of USENIX: $45 will be added to your technical sessions fee.

Daily Rates for Full-Time Students
1 day of technical sessions: $110
1 day of USENIX training: $200

A limited number of USENIX tutorial seats are reserved for full-time students at this very special rate. Students must reserve their tutorial seats before registering. If you plan to take half-day tutorials, you must take both half-days to qualify for the student rate. There is no special student rate for SANS training.

Please Read: This is not a registration form. Please use our online form to register or make a reservation. If you choose to make a reservation and pay later by check or credit card, you will receive a printable summary of your session selections, the cost breakdown, and the total amount due. If you are paying by check or phone, submit a copy of this summary along with your payment or have it with you when you call. Tutorial bookings cannot be confirmed until payment has been received. Purchase orders, vouchers, and telephone reservations cannot be accepted.

Workshop Registration
USENIX ’07 will be co-located with the 3rd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI ’07) and with the FAST-OS PI Meeting and Workshop. Please see www.usenix.org/sruti07 for more information and to register for SRUTI ’07, and www.usenix.org/fastos07 for more information and to register for the FAST-OS workshop.

Refund/Cancellation Deadline: Monday, June 11, 2007
All refund requests must be emailed to usenix07_reg@usenix.org by Monday, June 11, 2007. You may substitute another in your place.

THANKS TO OUR SPONSOR
Hewlett-Packard Labs

THANKS TO OUR MEDIA SPONSORS
ACM Queue • Dr. Dobb’s Journal • IEEE Security & Privacy • ITtoolbox • Linux Journal • No Starch Press • SNIA • Sys Admin

USENIX ASSOCIATION 2560 Ninth Street, Suite 215 Berkeley, CA 94710 510.528.8649 510.548.5738 fax


Register with the priority code on your mailing label to receive a $25 discount!

www.usenix.org/usenix2007