
Santa Clara, CA • June 17–22, 2007

Don’t miss the latest in groundbreaking research and cutting-edge practices in a wide variety of technologies and environments.

Join us in Santa Clara, CA, June 17–22, for the 2007 USENIX Annual Technical

6 days of training by industry experts, including:
• Richard Bejtlich on TCP/IP Weapons School, Layers 2–3
• Tom Christiansen on Advanced Perl Programming
• Jacob Farmer on Next Generation Storage Networking
• Steve VanDevender on High-Capacity Email System Design
• And over 30 other full- and half-day tutorials

3-day technical program, including:
• The latest research in the Refereed Papers Track
• Keynote Address by Mendel Rosenblum, Stanford University
• Expert-led Invited Talks
• Guru Is In Sessions
• BoFs, a Poster Session, and more

New in 2007: SANS Security Training

Register by June 1 and save!

Join leading researchers and practitioners for 6 full days on the latest technology.

USENIX Annual Tech has always been the place to present groundbreaking research and cutting-edge practices in a wide variety of technologies and environments. USENIX ’07 will be no exception.
The 2007 USENIX Annual Technical conference will feature:
6-Day Training Program: Sunday–Friday, June 17–22, 2007
The training program at USENIX ’07 provides in-depth and immediately useful training on the
latest techniques, effective tools, and best strategies. The 37 half- and full-day sessions are
taught by well-known industry experts, selected for their ability to teach complex subjects.
Topics include:
• Hands-on Linux Security: From Hacked to Secure in Two Days, by Rik Farrow
• Solaris 10 Security Features Workshop, by Peter Baer Galvin
• Distributed Source Code Management Systems: Bzr, Hg, and Git (Oh My!), by
Theodore Ts’o
New in 2007: SANS at USENIX Annual Tech. In addition to the top-notch USENIX training, we’re partnering with the SANS Institute to offer two 6-day security classes:
• SANS Security 504: Hacker Techniques, Exploits, and Incident Handling
• SANS Security 617: Assessing and Securing Wireless Networks

Technical Sessions: Wednesday–Friday, June 20–22, 2007
The 3-day technical program includes:
• The latest in cutting-edge research in the Refereed Papers Track
• Expert-led invited talks, including the keynote address by Mendel Rosenblum, Stanford University
• Guru Is In sessions, where you can get answers to your most urgent technical questions
• The opportunity to mingle with colleagues and industry leaders at the Birds-of-a-Feather sessions and other evening social events, including poster and vendor sessions and receptions

Register today at

TOP 5 REASONS TO ATTEND

#1 Top-notch training
Highly respected experts provide you with new information and skills you can take back to work tomorrow.

#2 Invited Talks
Industry luminaries discuss timely and important topics.

#3 You’ll hear it here first
Check out the latest developments in cutting-edge research in the Refereed Papers Track and poster

#4 Answers
Industry experts address your toughest questions in the Guru Is In sessions.

#5 The chance to mingle
Talk with industry leaders and network with peers in the evening BoFs and receptions.

Contents
USENIX ’07 Organizers
Training at a Glance
USENIX Training Program
USENIX Training Instructors
SANS Training Program
Hotel & Travel Information
Registration Information & Fees

Register by June 1, 2007, at


USENIX ’07 Organizers

Program Co-Chairs
Jeff Chase, Duke University
Srinivasan Seshan, Carnegie Mellon

Program Committee
Atul Adya, Microsoft Research
Matt Blaze, University of Pennsylvania
George Candea, EPFL
Miguel Castro, Microsoft Research,
Fay Chang, Google
Nick Feamster, Georgia Institute of
Marc Fiuczynski, Princeton University/PlanetLab
Terence Kelly, Hewlett-Packard Labs
Eddie Kohler, University of California, Los Angeles, and Mazu Networks
Z. Morley Mao, University of Michigan
Erich Nahum, IBM T.J. Watson Research Center
Jason Nieh, Columbia University and
Brian Noble, University of Michigan
Timothy Roscoe, Intel Research, Berkeley
Emin Gün Sirer, Cornell University
Mike Swift, University of Wisconsin,
Renu Tewari, IBM Almaden Research Center
Win Treese, SiCortex, Inc.
Andrew Warfield, Cambridge University and XenSource
Matt Welsh, Harvard University
Yuanyuan Zhou, University of Illinois at Urbana-Champaign

Poster Session Chair
Mike Swift, University of Wisconsin, Madison

Every USENIX training program registration includes:
• Admission to the tutorials you select
• Lunch on the day of your tutorials
• Training program CD-ROM, including all available tutorial presentations and
• Printed materials for your tutorials
• Admission to the receptions, BoFs, and other evening events
• Conference t-shirt
• Wireless connectivity in the conference session area

Every SANS training program registration includes:
• Admission to the tutorials you select
• Lunch on the day of your tutorials
• Complimentary one-year membership in the USENIX Association
• Printed materials for your tutorials
• Admission to the receptions, BoFs, and other evening events
• Conference t-shirt
• Wireless connectivity in the conference session area

Our Guarantee
If you’re not happy, we’re not happy. If you feel a tutorial does not meet the high standards you have come to expect from USENIX, let us know by the first break and we will change you to any other available tutorial immediately.
The USENIX Association Staff


FULL DAY: 9:00 A.M.–5:00 P.M.
S1  Simson L. Garfinkel  NEW! Computer Forensics
S2  Dustin Whittle  NEW! RAD 2.0: Developing Web Applications with Symfony
S3  Rik Farrow  Hands-on Linux Security: From Hacked to Secure in Two Days (Day 1 of 2)
S4  Peter Baer Galvin  Solaris 10 Administration Workshop

HALF DAY MORNING: 9:00 A.M.–12:30 P.M.
S5  Chip Salzenberg  NEW! Higher-Order Perl
S6  Strata Rose Chalup  Problem-Solving for IT Professionals
S7  Abe Singer  Security Without Firewalls

S8  Chip Salzenberg  Perl Program Repair Shop and Red Flags
S9  John Sellens  NEW! Performance Tracking with Cacti
S10  Theodore Ts’o  NEW! Distributed Source Code Management Systems: Bzr, Hg, and Git (Oh My!)

SANS  SANS security 6-day tutorials: pp. 16–19

MONDAY, JUNE 18, 2007

FULL DAY: 9:00 A.M.–5:00 P.M.
M1  Æleen Frisch  Administering Linux in Production Environments
M2  Abe Singer  Building a Logging Infrastructure and Log Analysis for Security
M3  Rik Farrow  Hands-on Linux Security: From Hacked to Secure in Two Days (Day 2 of 2)
M4  Marc Staveley  System and Network Performance

HALF DAY MORNING: 9:00 A.M.–12:30 P.M.
M5  Chip Salzenberg  Regular Expression Mastery
M6  John Sellens  Databases: What You Need to Know
M7  Jacob Farmer  Disk-to-Disk Backup and Eliminating Backup System Bottlenecks

HALF DAY AFTERNOON: 1:30 P.M.–5:00 P.M.
M8  Strata Rose Chalup  Practical Project Management for Sysadmins and IT Professionals
M9  Gerald Carter  Ethereal and the Art of Debugging
M10  Jacob Farmer  Next Generation Storage Networking

SANS  SANS security 6-day tutorials: pp. 16–19

TUESDAY, JUNE 19, 2007

FULL DAY: 9:00 A.M.–5:00 P.M.
T1  Alan Robertson  NEW! Configuring and Deploying Linux-HA
T2  Abe Singer  NEW! Incident Response
T3  Peter Honeyman  NEW! NFSv4 and Cluster File Systems
T4  Jim Mauro and Richard McDougall  Solaris 10 Performance, Observability, and Debugging
T5  Æleen Frisch  Beyond Shell Scripts: 21st-Century Automation Tools and Techniques
T6  John Sellens  System and Network Monitoring: Tools in Depth
T7  Steve VanDevender  NEW! High-Capacity Email System Design

SANS  SANS security 6-day tutorials: pp. 16–19

FULL DAY: 9:00 A.M.–5:00 P.M.
W1  Richard Bejtlich  Network Security Monitoring with Open Source Tools
W2  Gerald Carter  Using Samba 3.0
W3  Peter Baer Galvin  Solaris 10 Security Features Workshop
W4  Theodore Ts’o  Inside the Linux 2.6 Kernel

SANS  SANS security 6-day tutorials: pp. 16–19

FULL DAY: 9:00 A.M.–5:00 P.M.
R1  Tom Christiansen  Advanced Perl Programming
R2  Richard Bejtlich  NEW! TCP/IP Weapons School, Layers 2–3 (Day 1 of 2)
R3  Gerald Carter  Implementing [Open]LDAP Directories
R4  Lee Damon  Issues in UNIX Infrastructure Design

SANS  SANS security 6-day tutorials: pp. 16–19

FRIDAY, JUNE 22, 2007

FULL DAY: 9:00 A.M.–5:00 P.M.
F1  John Arrasjid and Shridhar Deuskar  Introduction to VMware Virtual Infrastructure 3
F2  Richard Bejtlich  NEW! TCP/IP Weapons School, Layers 2–3 (Day 2 of 2)

SANS  SANS security 6-day tutorials: pp. 16–19

EARLY BIRD
Register by June 1, 2007, at


SUNDAY, JUNE 17, 2007

FULL DAY 9:00 A.M.–5:00 P.M.

S1 Computer Forensics NEW!
Simson L. Garfinkel, Naval Postgraduate School
Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.
Topics include:
• Introduction to computer forensics
• Disk forensics
• Network forensics
• Document forensics
• Memory forensics
• Cell phone forensics
Take back to work: An in-depth understanding of computer forensics, why forensic tools are possible, what they can do and their limits; modern tools, and the legal environment that governs U.S. forensics.

S2 RAD 2.0: Developing Web Applications with Symfony NEW!
Dustin Whittle, Yahoo, Inc.
Who should attend: Technical project managers and engineers interested in learning how to build better Web 2.0 applications using symfony.
Topics include:
• Overview and foundations
• Is symfony right for your project?
• Design patterns and best practices
• Project management
• Installation
• Project creation
• Configuring your environment
• Setting up your project
• Building your object model
• Developing fast with scaffolding and
• Controlling your model
• Developing and managing views
• Adding your favorite JavaScript framework
• AJAX and JavaScript helpers via Prototype
• Command line interface
• Plugins
• Unit and functional testing
• Performance and security
• Project deployment
Take back to work: All you need to know to dive into your next Web 2.0 application.

S3 Hands-on Linux Security: From Hacked to Secure in Two Days (Day 1 of 2)
Rik Farrow, Security Consultant
Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX
Exercises include:
• Searching for hidden files
• TCP/IP and its relation to probes and attacks
• Uses of ARP and Ethereal
• hping2 probes
• nmap (connect and SYN scans)
• Buffer overflows in sample C programs
• Weaknesses in Web scripts (using a Perl example)
Take back to work: How to determine if a system has been exploited, use network scanning/evaluation tools, improve security of your systems, and check Web scripts for weaknesses.

S4 Solaris 10 Administration Workshop
Peter Baer Galvin, Corporate Technologies
Who should attend: Solaris systems managers and administrators interested in learning the new administration features in Solaris 10 (and features in previous Solaris releases that they might not be using).
Topics include:
• Overview
• Solaris releases
• Installing and upgrading to Solaris 10
• Patching the kernel and applications
• Service Management Facility
• The kernel: update, /etc/system
• Crash and core dumps
• Cool commands you need to know
• Zfs, the new endian-neutral file system
• N1 Grid Containers (a.k.a. Zones)
• DTrace
• FMA (Fault Management Architecture)
• Sysadmin best practices
Take back to work: All you need to consider in deploying, implementing, and managing Solaris 10.

HALF DAY 9:00 A.M.–12:30 P.M.

S5 (AM) Higher-Order Perl NEW!
Chip Salzenberg, Consultant and Author
Who should attend: Programmers involved in the development and maintenance of large systems written partly or mostly in Perl.
Topics include:
• Dynamically replacing functions with facades
• Iterators
• Building complex parsers—easily!
Take back to work: How to write functions that can manufacture or modify other functions, instead of writing ten similar functions that must be maintained separately.

S6 (AM) Problem-Solving for IT Professionals
Strata Rose Chalup, Project Management Consultant
Who should attend: IT support people who would like to have a better grasp of problem-solving as a discipline.
Take back to work:
• A solid grounding in the process of solving problems
• A framework on which to build troubleshooting techniques that are specific to your environment
• Confidence in your ability to apply logic and common sense to debug problems in complex interacting systems
See for complete training program information.

S7 (AM) Security Without Firewalls
Abe Singer, San Diego Supercomputer Center
Who should attend: Administrators who want or need to explore strong, low-cost, scalable security without firewalls.
Topics include:
• The threat perspective from a data-centric point of view
• How to implement and maintain centralized configuration management using cfengine, and how to build reference systems for fast and consistent (re)installation of hosts
• Secure configuration and management of core network services such as NFS, DNS, and SSH
• Good system administration practices
• Implementing strong authentication and eliminating use of plaintext passwords for services such as POP/IMAP
• A sound patching strategy
• An overview of how we were compromised, how we recovered, and what we learned
Take back to work: How to build effective, scalable host-based security without firewalls.

HALF DAY 1:30 P.M.–5:00 P.M.

S8 (PM) Perl Program Repair Shop and Red Flags
Chip Salzenberg, Consultant and Author
Who should attend: Anyone who writes Perl programs regularly.
Topics include:
• Families of variables
• Making relationships explicit
• Refactoring
• Programming by convention
• Why you should avoid the “.” operator
• Elimination of global variables
• The “use strict” zombies
• What can go wrong with “if” and “else”
• The Condition that Ate Michigan
• Structural vs. functional code
• Boolean values
• Programs that take two steps forward and one step back
• Programs that are 10% backslashes
• Unnecessary shell calls
• How (and why) to let “undef” be the special value
Take back to work: How to improve your own code and the code of others, making it cleaner, more readable, more reusable, and more efficient, while at the same time making it 30–50% smaller

S9 Performance Tracking with Cacti
John Sellens, SYONEX
Who should attend: Network and system administrators ready to implement a graphical performance and activity monitoring tool, who prefer an integrated, Web-based interface.
Topics include:
• Installation: Basic steps, prerequisites, common problems and solutions
• Configuration, setup options, and how to manage larger and non-trivial configurations
• User management and access control
• Special cases: How to deal with interesting problems
• Extending Cacti: How to write scripts or programs to extend the functionality of the basic package
• Security concerns and access control
• Ongoing operations
Take back to work: The information needed to immediately implement and use Cacti to monitor systems and devices on their networks.

S10 (PM) Distributed Source Code Management Systems: Bzr, Hg, and Git (Oh My!) NEW!
Theodore Ts’o, IBM Linux Technology Center
Who should attend: Developers, project leaders, and system administrators dealing with source code management systems who want to take advantage of the newest distributed development
Topics include:
• Basic concepts of distributed SCMs
• Advantages of peer-to-peer systems
• How distributed SCMs work
• Strengths and weaknesses of each distributed SCM
• Guidance and suggestions on choice criteria
Take back to work: An understanding of the basic concepts of distributed SCMs, how these systems work, how to use them, and the information you need to choose the distributed SCM that is most appropriate for your project.
MONDAY, JUNE 18, 2007

FULL DAY 9:00 A.M.–5:00 P.M.

M1 Administering Linux in Production Environments
Æleen Frisch, Exponential Consulting
Who should attend: Both current Linux system administrators and administrators from sites considering converting to Linux or adding Linux systems to their current computing resources.
Topics include:
• Recent kernel developments
• High-performance I/O
• Advanced compute-server environments
• High availability Linux: fault-tolerance options
• Enterprise-wide authentication and other security features
• Automating installations and other mass operations
• Linux performance tuning
Take back to work: The knowledge necessary to add reliability and availability to their systems, and to assess and implement tools needed for production-quality Linux systems.

M2 Building a Logging Infrastructure and Log Analysis for Security
Abe Singer, San Diego Supercomputer
Who should attend: System, network, and security administrators who want to be able to separate the wheat of warning information from the chaff of normal activity in their log files.
Topics include:
• Problems, issues, and scale of handling log information
• Generating useful log information: improving the quality of your logs
• Collecting log information
• Storing log information
• Log analysis
• How to handle and preserve log files for HR and legal folks
Take back to work: How to get a handle on your log files, which can help you run your systems and networks more effectively and can provide forensic information for post-incident investigation.

M3 Hands-on Linux Security: From Hacked to Secure in Two Days (Day 2 of 2)
Rik Farrow, Security Consultant
Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.
Topics include:
• John the Ripper, password cracking
• Misuses of suid shells, finding backdoors
• Uncovering dangerous network
• Searching for evidence of rootkits and bots
• Sleuth Kit (looking at intrusion timelines)
• netfilter
Take back to work: How to uncover the more subtle indicators of compromise such as backdoors and rootkits, and improve the network security of your systems.

M4 System and Network Performance Tuning
Marc Staveley, Soma Networks
Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance
Topics include:
• Performance tuning strategies
• Server tuning
• NFS performance tuning
• Network performance, design, and capacity planning
• Application tuning
Take back to work: Procedures and techniques for tuning your systems, networks, and application code, along with guidelines for capacity planning and customized monitoring.

HALF DAY 9:00 A.M.–12:30 P.M.

M5 (AM) Regular Expression Mastery
Chip Salzenberg, Consultant and Author
Who should attend: System administrators and users who use Perl, grep, sed, awk, procmail, vi, or emacs.
Topics include:
• Inside the regex engine
• Disasters and optimizations
Take back to work: Fixes for all your regexes: unexpected results, hangs, unpredictable behaviors.

M6 (AM) Databases: What You Need to Know
John Sellens, SYONEX
Who should attend: System and application administrators who need to support databases and database-backed applications.
Topics include:
• An introduction to database concepts
• The basics of SQL (Structured Query Language)
• Common applications of databases
• Berkeley DB and its applications
• MySQL installation, configuration, and management
• PostgreSQL installation, configuration, and management
• Security, user management, and access controls
• Ad hoc queries with standard interfaces
• ODBC and other access methods
• Database access from other tools (Perl, PHP, sqsh, etc.)
Take back to work: A better understanding of databases and their use and of how to deploy and support common database software and database-backed applications.



M7 (AM) Disk-to-Disk Backup and Eliminating Backup System Bottlenecks
Jacob Farmer, Cambridge Computer Services
Who should attend: System administrators involved in the design and management of backup systems and policymakers responsible for protecting their organization’s data.
Topics include:
• Identifying and eliminating backup system bottlenecks
• Conventional disk staging
• Virtual tape libraries
• Removable disk media
• Incremental forever and synthetic full backup strategies
• Block- and object-level incremental backups
• Information lifecycle management and nearline archiving
• Data replication
• CDP (Continuous Data Protection)
• Snapshots
• Current and future tape drives
• Capacity Optimization (Single-Instance File Systems)
• Minimizing and even eliminating tape drives
• iSCSI
Take back to work: Immediate ideas for effective, inexpensive improvements to your backup systems.

HALF DAY 1:30 P.M.–5:00 P.M.

M8 (PM) Practical Project Management for Sysadmins and IT Professionals
Strata Rose Chalup, Project Management Consultant
Who should attend: System administrators who want to stay hands-on as team leads or system architects and need a new set of skills with which to tackle bigger, more complex challenges.
Topics include:
• Quick basics of project management
• Skill sets
• Problem areas
• Project management tools
Take back to work: A no-nonsense grounding in methods that work without adding significantly to one’s workload. You will be able to take an arbitrarily daunting task and reduce it to a plan of attack that will be realistic, will lend itself to tracking, and will have functional, documented goals. You will be able to give succinct and useful feedback to management on overall project viability and timelines and easily deliver regular progress reports.

M9 (PM) Ethereal and the Art of Debugging Networks
Gerald Carter, Centeris/Samba Team
Who should attend: System and network administrators who are interested in learning more about the TCP/IP protocol and how network traffic monitoring and analysis can be used as a debugging, auditing, and security tool.
Topics include:
• Introduction to Ethereal for local and remote network tracing
• TCP/IP protocol basics
• Analysis of popular application protocols such as DNS, DHCP, HTTP,
• How some kinds of TCP/IP network attacks can be recognized
Take back to work: How to use the Ethereal protocol analyzer as a debugging and auditing tool for TCP/IP networks.

M10 (PM) Next Generation Storage Networking
Jacob Farmer, Cambridge Computer Services
Who should attend: Sysadmins running day-to-day operations and those who set or enforce budgets.
Topics include:
• Fundamentals of storage virtualization: the storage I/O path
• Shortcomings of conventional SAN and NAS architectures
• In-band and out-of-band virtualization architectures
• The latest storage interfaces: SATA (serial ATA), SAS (serial attached SCSI), 4Gb Fibre Channel, Infiniband, iSCSI
• Content-Addressable Storage (CAS)
• Information Life Cycle Management (ILM) and Hierarchical Storage Management (HSM)
• The convergence of SAN and NAS
• High-performance file sharing
• Parallel file systems
• SAN-enabled file systems
• Wide-area file systems (WAFS)
Take back to work: An understanding of general architectures, various approaches to scaling in both performance and capacity, relative costs of different technologies, and strategies for achieving results on a limited budget.


TUESDAY, JUNE 19, 2007

FULL DAY 9:00 A.M.–5:00 P.M.

T1 Configuring and Deploying Linux-HA NEW!
Alan Robertson, IBM Linux Technology Center
Who should attend: System administrators and IT architects who architect, evaluate, install, or manage critical computing systems. It is suggested that participants have basic familiarity with system V/LSB-style startup scripts, shell scripting, and XML.
Topics include:
• General HA principles
• Compilation and installation of the Linux-HA (“heartbeat”) software
• Overview of Linux-HA configuration
• Overview of commonly used resource agents
• Managing services supplied with init(8) scripts
• Sample Linux-HA configurations for Apache, NFS, DHCP, DNS, and Samba
• Writing and testing resource agents conforming to the Open Cluster Framework (OCF) specification
• Creating detailed resource dependencies
• Creating co-location constraints
• Writing resource location constraints
• Causing failovers on user-defined conditions
Take back to work: Both the basic theory of high-availability systems and practical knowledge of how to plan for and install and configure highly available systems using Linux-HA.

T2 Incident Response NEW!
Abe Singer, San Diego Supercomputer Center
Who should attend: Security folks, system administrators, and operations staff (e.g., help desk). Examples are primarily from UNIX systems, but most of what is discussed will be operating system neutral.
Topics include:
• Goals: What results do you want?
• Policies: Having the authority to do the job
• Tools: Having the stuff to do the job
• Intelligence: Having the information to do the job
• Initial suspicion: Complaints, alarms, anomalies
• The “oh, sh*t” moment: When you realize it’s a compromise
• Gathering information on your
• Assessing the extent of the compromise
• Communicating: Inquiring minds want to know
• Recovery: Kicking ’em out and fixing the damage
• Evidence handling
• The law: Dealing with law enforcement, lawyers, and HR
Take back to work: An understanding of how to prepare for security incidents and how to handle incidents in an organized, effective manner, without panicking.

T3 NFSv4 and Cluster File Systems NEW!
Peter Honeyman, CITI, University of Michigan
Who should attend: System builders developing storage solutions for high-end computing, system administrators who need to anticipate and understand the state of the art in high performance storage protocols and technologies, and researchers looking for an intensive introduction to an exciting and fertile area of R&D.
Topics include:
• Features of NFSv4 and cluster file systems
• Major coordination issues of locking, delegation, and shares, giving special attention to fair queuing for NFSv4, NLM, and POSIX locks
• Efficient client recovery and migration for NFSv4 on cluster file systems
• An introduction to pNFS, the emerging parallel extension to NFSv4, which offers the potential to deliver the bisectional bandwidth of a cluster file system to a single client.
Take back to work: Knowledge of the challenges and solutions in marrying NFSv4 with cluster file systems.

T4 Solaris 10 Performance, Observability, and Debugging
Jim Mauro and Richard McDougall, Sun Microsystems
Who should attend: Anyone who supports or may support Solaris 10 machines.
Topics include:
• Solaris 10 features overview
• Solaris 10 tools and utilities
• Understanding memory use and performance
• Understanding thread execution flow and profiling
• Understanding I/O flow and performance
• Looking at network traffic and performance
• Application and kernel interaction
• Putting it all together
Take back to work: How to apply the tools and utilities available in Solaris 10 to resolve performance issues and pathological behavior, and simply to understand the system and workload better.

FULL DAY 9:00 A.M.–5:00 P.M.

T5 Beyond Shell Scripts: 21st-Century Automation Tools and Techniques
Æleen Frisch, Exponential Consulting
Who should attend: System administrators who want to explore new ways of automating administrative tasks. Shell scripts are appropriate for many jobs, but more complex operations will often benefit from sophisticated tools.
Topics include:
• Cfengine configurations, sample uses, and limitations
• Expect: Automating interactive processes
• Bacula, an enterprise backup management facility
• Network and system monitoring tools: SNMP overview, Nagios, RRDTool, Ethereal
Take back to work: You will be ready to begin using these packages in your own environment, and to realize the efficiency, reliability, and thoroughness that they offer compared to traditional approaches.

T6 System and Network Monitoring: Tools in Depth
John Sellens, SYONEX
Who should attend: Network and system administrators ready to implement comprehensive monitoring of their systems and networks using the best of the freely available tools.
Topics include, for each of Nagios, Cricket, MRTG, and Orca:
• Installation: Basic steps, prerequisites, common problems and solutions
• Configuration, setup options, and how to manage larger and nontrivial
• Reporting and notifications, both proactive and reactive
• Special cases: How to deal with interesting problems
• Extending the tools: How to write scripts or programs to extend the functionality of the basic package
• Dealing effectively with network boundaries and remote sites
• Security concerns and access control
• Ongoing operations
Take back to work: The information needed to immediately implement, extend, and manage popular monitoring tools on your systems and networks.

T7 High-Capacity Email System Design NEW!
Steve VanDevender, University of Oregon
Who should attend: Anyone who needs to design a high-volume, secure email system or upgrade an existing one.
Topics include:
• Mail system architecture and components
• MTAs and SMTP
• Spam!
• LDAs and the mail store
• POP, IMAP
• Coping with MUAs
• Scaling and reliability methods
Take back to work: An overview of available choices in software and methods, with their tradeoffs and domains of applicability.

ATTENTION MANAGERS: WHY YOU SHOULD SEND YOUR EMPLOYEES TO USENIX ’07
Hiring the best and the brightest is the ultimate goal for any employer. However, keeping current employees up to par is just as important. Technology continues to evolve: truly to stay ahead of the game, your employees must continue to enhance their skills.
The training program at USENIX ’07 offers a cost-effective, one-stop shop for training current IT and development employees. Over 35 full- and half-day tutorials taught by the most respected leaders in the field provide an unparalleled opportunity to learn from the best. Tutorials cover a multitude of topics including open source technologies, system administration, and security.
Combining full days of training with days of technical sessions on groundbreaking research makes the USENIX ’07 experience even more valuable. Additionally, the receptions, Poster Session, and Birds-of-a-Feather sessions provide your staff with a chance to network with peers and industry leaders to gain that all-important insider IT knowledge that will keep your company current and running smoothly.
Keeping up with technology can be costly and time-consuming in this unforgiving economy: take full advantage of this opportunity to have your staff learn from the top researchers, practitioners, and authors all in one place, at one time.



FULL DAY 9:00 A.M.–5:00 P.M.

W1 Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity
Who should attend: Anyone who wants to know what is happening on their network. I assume command-line knowledge of UNIX and familiarity with TCP/IP. Anyone with duties involving intrusion detection, security analysis, incident response, or network forensics will profit from this course.
Topics include:
• NSM theory
• Building and deploying NSM sensors
• Accessing wired and wireless traffic
• Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet log-
• Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
• Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
• Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting
• Sguil (
• Case studies, personal war stories, attendee participation
Take back to work: You will immediately be able to implement numerous new techniques and tools to discover normal, malicious, and suspicious network events.

W2 Using Samba 3.0
Gerald Carter, Centeris/Samba Team
Who should attend: System administrators who are currently managing Samba servers or are planning to deploy new servers this year. This course will outline the new features of Samba 3.0, including working demonstrations throughout the course session.
Topics include:
• How to provide common file and print services
• How to integrate Samba with Active Directory
• How to enable Samba as a Domain Controller in its own domain
Take back to work: You will understand not only how to configure Samba in a variety of environments, but also how to troubleshoot the unpredictable glitches that occur at the most inopportune times.

W3 Solaris 10 Security Features Workshop
Peter Baer Galvin, Corporate Technologies
Who should attend: Solaris systems managers and administrators interested in the new security features in Solaris 10 (and features in previous Solaris releases that they might not be using).
Topics include:
• Overview
• N1 Grid Containers (a.k.a. Zones)
• RBAC: Role Based Access Control
• Privileges
• NFSv4
• Flash archives and live upgrade (automated system builds)
• Moving from NIS to LDAP
• DTrace
• FTP client and server enhancements for security, reliability, and
• PAM enhancements for more detailed access control
• Auditing enhancements
• BSM (the Basic Security Module)
• Service Management Facility (a replacement for “rc” files)
• Solaris Cryptographic Framework
• Kerberos enhancements
• Packet filtering with IPfilters
• BART (Basic Audit Reporting Tool)
Take back to work: During this exploration of the important new features of Solaris 10, you’ll not only learn what it does and how to get it done, but also best practices. Also covered is the status of each of these new features, how stable it is, whether it is ready for production use, and expected future enhancements.

W4 Inside the Linux 2.6 Kernel
Theodore Ts’o, IBM Linux Technology Center
Who should attend: Application programmers and kernel developers.
Topics include:
• How the kernel is organized (scheduler, virtual memory system, filesystem layers, device driver layers, networking stacks)
• Ground rules of kernel programming (races, deadlock conditions)
• Implementation and properties of the most important algorithms
• Comparison between Linux and UNIX kernels, with emphasis on differences in algorithms
• Details of the Linux scheduler
• The requirements for portability between architectures
Take back to work: An overview and roadmap of the kernel’s design and functionality.


See for complete training program information.


FULL DAY 9:00 A.M.–5:00 P.M.

R1 Advanced Perl Programming
Tom Christiansen, Consultant
Who should attend: Anyone with a journeyman-level working knowledge of Perl programming who wants to hone Perl skills.
Topics include:
• Symbol tables and typeglobs
• Modules
• References
• Fancy object-oriented programming
• Managing exceptions and warnings
• Regular expressions
• Programming with multiple processes or threads
• Unicode and I/O layers
Take back to work: With a much richer understanding of Perl, you will be better able to make it part of your daily routine.

R2 TCP/IP Weapons School, Layers 2–3 (Day 1 of 2) NEW!
Richard Bejtlich, TaoSecurity
Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.
Topics for Day 1 include:
• Layer 2
• What is layer 2?
• Ethernet in brief
• Packet delivery on the LAN
• Ethernet interfaces
• ARP basics, ARP request/reply, ARP cache, Arping, Arpdig, Arpwatch
• VLANs
• Dynamic Trunking Protocol
• Layer 2 attacks
• MAC address trickery
• MAC flooding: Macof
• ARP denial of service: arp-sk
• Port stealing: Ettercap
• Layer 2 man-in-the-middle: Ettercap
• Dynamic Trunking Protocol attack: Yersinia
Take back to work: The fundamentals of TCP/IP networking. You will learn how to interpret network traffic by analyzing packets generated by network security tools and how to identify security events on the wire.

R3 Implementing [Open]LDAP Directories
Gerald Carter, Centeris/Samba Team
Who should attend: Both LDAP directory administrators and architects.
Topics include:
• Replacing NIS domains
• Integration with Samba file and print servers
• Integrating MTAs such as Sendmail and Postfix
• Creating customized LDAP schema
• Examining scripting solutions for developing your own directory administration tools
Take back to work: Comfortable with LDAP terms and concepts, you will understand how to extend that knowledge to integrate future applications with it into your network.

R4 Issues in UNIX Infrastructure Design
Lee Damon, University of Washington
Who should attend: Anyone who is designing, implementing, or maintaining a UNIX environment with 2 to 20,000+ hosts; system administrators, architects, and managers who need to maintain multiple hosts with few admins.
Topics include:
• Administrative domains: Who is responsible for what, and what can users do for themselves?
• Desktop services vs. farming: Do you do serious computation on the desktop, or do you build a compute farm?
• Disk layout: How do you plan for an upgrade? Where do things go?
• Free vs. purchased solutions: Should you write your own, or hire a consultant or company?
• Homogeneous vs. heterogeneous: Homogeneous is easier, but will it do what your users need?
• The essential master database: How can you keep track of what you have?
• Policies to make life easier
• Push vs. pull
• Getting the user back online in 5 minutes
• Remote administration: Lights-out operation; remote user sites; keeping up with vendor patches, etc.
• Scaling and sizing: How do you plan on scaling?
• Security vs. sharing: Your users want access to everything. So do the crackers . . .
• Single sign-on: How can you do it securely?
• Single system images: Can users see just one environment, no matter how many OSes there are?
• Tools: The free, the purchased, the homegrown
Take back to work: The answers to all the questions you should ask while designing and implementing the mixed-architecture or single-architecture UNIX environment that will meet your needs.

FRIDAY, JUNE 22, 2007

FULL DAY 9:00 A.M.–5:00 P.M.

F1 Introduction to VMware Virtual Infrastructure 3
John Arrasjid and Shridhar Deuskar,
Who should attend: System administrators and architects who are interested in deploying a VMware Virtual Infrastructure, including ESX Server and VirtualCenter, in a production environment. No prior experience with VMware products is required. Knowledge of Linux is helpful; basic knowledge of SANs is useful but not required.
Topics include:
• Virtual Infrastructure overview
• ESX Server and VirtualCenter overview
• Installation and configuration
• Virtual machine creation and operation
• Migration technologies such as VMware Converter
• Operations and administration best practices
• Advanced configuration (SAN and networking)
Take back to work: How to deploy a VMware virtual infrastructure effectively on your own site.

F2 TCP/IP Weapons School, Layers 2–3 (Day 2 of 2) NEW!
Richard Bejtlich, TaoSecurity
Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.
Topics for Day 2 include:
• Layer 3
• What is layer 3?
• Internet Protocol
• Raw IP: Nemesis
• IP options: Fragtest
• IP time-to-live: Traceroute
• Internet Control Message Protocol: Sing
• ICMP Error Messages: Gnetcat
• IP Multicast: Iperf
• IP Multicast: Udpcast
• IP fragmentation: Fragtest
• Layer 3 attacks
• IP IDs: Isnprober
• IP IDs: Idle Scan
• IP TTLs: LFT
• IP TTLs: Etrace and Firewalk
• ICMP Covert Channel: Ptunnel
• IP fragmentation: Fragroute and Pf
Take back to work: The fundamentals of TCP/IP networking. You will learn how to interpret network traffic by analyzing packets generated by network security tools and how to identify security events on the wire.

USENIX provides Continuing Education Units for a small additional administrative fee. The CEU is a nationally recognized standard unit of measure for continuing education and training and is used by thousands of organizations.
Each full-day tutorial qualifies for 0.6 CEUs. You can request CEU credit by completing the CEU section on the registration form. USENIX provides a certificate for each attendee taking a tutorial for CEU credit and maintains transcripts for all CEU students. CEUs are not the same as college credits. Consult your employer or school to determine their applicability.

WANT MORE INFO?
For full tutorial descriptions, see


John Arrasjid
F1
John Arrasjid has 20 years of experience in the computer science field, including work with AT&T, Amdahl, 3Dfx Interactive, Kubota Graphics, Roxio, and his own company, WebNexus Communications, where he developed consulting practices and built a cross-platform IT team. John is currently a senior member of the VMware Professional Services Organization.

Strata Rose Chalup
S6, M8
Strata Rose Chalup has been leading and managing complex IT projects for many years. She has written a number of articles and has volunteered for BayLISA and SAGE. Strata has built a successful consulting practice around being an avid early adopter of new tools. Another MIT dropout, Strata founded VirtualNet Consulting in 1993.

Shridhar Deuskar
F1
Shridhar Deuskar has over 10 years of experience in system administration of UNIX and Windows servers. He has consulted with companies such as Caterpillar, HP, and EMC. Currently he is a Consulting Architect in VMware’s Professional Services organization and is responsible for delivering services tied to virtualization to clients worldwide.

Richard Bejtlich
W1, R2, F2
Richard Bejtlich is founder of TaoSecurity LLC (http://www.taosecurity.com), a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard wrote the Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics.

Gerald Carter
M9, W2, R3
Gerald Carter has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O’Reilly Publishing.

Tom Christiansen
R1
Tom Christiansen has been involved with Perl since day zero of its initial public release in 1987. Author of several books on Perl, including the Perl Cookbook and Programming Perl from O’Reilly, Tom is also a major contributor to Perl’s online documentation. He holds undergraduate degrees in Computer Science and Spanish and a Master’s in Computer Science. He now lives in Boulder, Colorado.

Lee Damon
Lee Damon has been a UNIX system administrator since 1985 and has been active in SAGE (U.S.) and LOPSA since their inceptions. He assisted in developing mixed environments at IBM Watson Research, Gulfstream Aerospace, and QUALCOMM. He is currently leading the development effort for the Nikola project at the University of Washington Electrical Engineering department. He is past chair of the SAGE Ethics and Policies working groups, and he was the chair of LISA ’04.

Jacob Farmer
M7, M10
Jacob Farmer has written numerous papers and articles and is a regular speaker at trade shows and conferences. In addition to his expert advice column in the “Reader I/O” section of InfoStor Magazine, Jacob serves as the publication’s senior technical advisor. Jacob has over 18 years of experience with storage technologies and is the CTO of Cambridge Computer Services, a national integrator of data storage and data protection solutions.

Rik Farrow
S3, M3
Rik Farrow provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many U.S. and European user groups. He is the author of UNIX System Security and System Administrator’s Guide to System V. Farrow is the editor of ;login: and works passionately to improve the state of computer security.


Æleen Frisch
M1, T5
Æleen Frisch has been working as a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition from O’Reilly). Æleen was the program chair for LISA ’03 and is a frequent presenter at USENIX events, as well as presenting classes for universities and corporations worldwide.

Peter Baer Galvin
S4, W3
Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR. He has written articles for Byte and other magazines. He wrote the “Pete’s Wicked World” and “Pete’s Super Systems” columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks.

Simson L. Garfinkel
S1
Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, CA, and a fellow at the Center for Research on Computation and Society at Harvard University. He is also the founder of Sandstorm Enterprises, a computer security firm. Garfinkel writes a monthly column for CSO Magazine and is the author or co-author of fourteen books on computing. He is perhaps best known for his book Database Nation: The Death of Privacy in the 21st Century.

Peter Honeyman
Peter Honeyman is Research Professor of Information at the University of Michigan and Scientific Director of the Center for Information Technology Integration, where he leads a team of scientists, engineers, and students developing the Linux-based open source reference implementation of NFSv4 and its extensions for high end computing. With 25 years of experience building middleware for file systems, security, and mobile computing—including Honey DanBer UUCP, PathAlias, MacNFS, Disconnected AFS, and WebCard (the first Internet smart card)—Honeyman is regarded as one of the world’s leading experimental computer scientists.

James Mauro
T4
James Mauro is a Senior Staff Engineer in the Performance and Availability Engineering group at Sun Microsystems. Jim’s current interests and activities are centered on benchmarking Solaris 10 performance, workload analysis, and tool development. This work includes Sun’s new Opteron-based systems and multicore performance on Sun’s Chip Multithreading (CMT) Niagara processor. He spent most of his spare time in the past year working on the second edition of Solaris Internals. Jim co-authored the first edition of Solaris Internals with Richard McDougall.

Richard McDougall
T4
Richard McDougall, had he lived 100 years ago, would have had the hood open on the first four-stroke internal combustion gasoline-powered vehicle, exploring new techniques for making improvements. These days, McDougall uses technology to satisfy his curiosity. He is a Distinguished Engineer at Sun Microsystems, specializing in operating systems technology and system performance. He is co-author of Solaris Internals and Resource

Alan Robertson
T1
Alan Robertson founded the High-Availability Linux (Linux-HA) project in 1998 and has been project leader for it since then. He worked for SuSE for a year, then in March 2001 joined IBM’s Linux Technology Center, where he works on it full time. Before joining SuSE, he was a Distinguished Member of Technical Staff at Bell Labs. He worked for Bell Labs for 21 years in a variety of roles. These included providing leading-edge computing support, writing software tools and developing voicemail


Chip Salzenberg
S5, S8, M5
Chip Salzenberg is Principal Engineer at Cloudmark, where he fights spam with flair and aplomb. Chip is also chief coder (“pumpking”) of the Parrot virtual machine (http://parrotcode.org), with which he plans to bring all dynamic languages together and, in the darkness, dynamically bind them. He was pumpking for Perl release 5.4. He created the automated Linux install-and-test system for VA Linux Systems and was VA’s Kernel Coordinator. Chip has been published by O’Reilly and Prentice Hall on Perl and other topics.

John Sellens
S9, M6, T6
John Sellens has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and the SAGE Short Topics in System Administration booklet #7, System and Network Administration for Higher Reliability. He is the proprietor of SYONEX, a systems and networks consultancy, and is currently a member of the systems team at Magna International. From 1999 to 2004, he was the General Manager for Certainty Solutions in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.

Abe Singer
S7, M2, T2
Abe Singer is a Computer Security Researcher in the Security Technologies Group at the San Diego Supercomputer Center. In his operational security responsibilities, he participates in incident response and forensics and in improving the SDSC logging infrastructure. His research is in pattern analysis of syslog data for data mining. He is co-author of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O’Reilly book on log analysis.

Marc Staveley
M4
Marc Staveley works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in leading their IT group. Previously Marc had been an independent consultant and also held positions at Sun Microsystems, NCR, Princeton University, and the University of Waterloo. He is a frequent speaker on the topics of standards-based development, multithreaded programming, system administration, and performance tuning.

Theodore Ts’o
S10, W4
Theodore Ts’o has been a Linux kernel developer since almost the very beginnings of Linux: he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author of the Linux COM serial port driver and the Comtrol Rocketport driver, and he architected and implemented Linux’s tty layer. Outside of the kernel, he is the maintainer of the e2fsck filesystem consistency checker. Ted is currently employed by IBM Linux Technology Center.

Steve VanDevender
T7
By once not knowing to be afraid of Sendmail, Steve VanDevender has ended up specializing in email system administration for much of his system administration career. At between 1994 and 2002, he ended up managing a mail system that grew to 10,000 users; at the University of Oregon since 1996, he has helped manage a mail system that has grown from 20,000 to 30,000 users and, more important, has grown even more in message volume and user activity, with many corresponding changes to cope with that growth. Since 2000, he has taught a popular course in system administration for the University of Oregon’s Department of Computer and Information Science.

Dustin Whittle
S2
Dustin Whittle is a Technical Yahoo in the Social Search Group at Yahoo!. He is also a contributing developer on the symfony project and the developer of several plugins. Before joining Yahoo!, he was a self-employed technology consultant, working around the world to make the Web a better place for everyone and was the lead developer at The Web Freaks. As a consultant and trainer, Dustin has taught tutorials and given talks at many conferences and institutions on such topics as enterprise Web development and symfony.


USENIX is pleased to partner with SANS at USENIX ’07 to offer two 6-day training courses focused on security.

SUNDAY–FRIDAY, JUNE 17–22, 2007, 9:00 A.M.–5:00 P.M.

SANS Security 504: Hacker Techniques, Exploits, and Incident Handling
John Strand, Northrop Grumman
Overview: Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents, a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them, and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.
Who should attend: Individuals who lead or are a part of an incident handling team; system administrators and security personnel; ethical hackers/penetration testers.

SUNDAY, JUNE 17, 2007
504.1 Incident Handling Step-by-Step and Computer Crime Investigation
The first part of the course looks at the invaluable Incident Handling Step-by-Step model. This section is designed to introduce the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) needed to prepare for and deal with a computer incident.
The second part examines case studies to understand what works in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.
Topics include:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Special actions for responding to different types of incidents
• Incident record keeping
• Incident follow-up

MONDAY, JUNE 18, 2007
504.2 Computer and Network Hacker Exploits: Part 1
Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This day-long course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks. If you don’t have the skills needed to understand these critical phases of an attack in detail, you won’t be able to protect your network.
Topics include:
• Reconnaissance
• Scanning
• Intrusion detection system evasion
• Hands-on exercises with the following tools:
• What is layer 3?
• NetStumbler for wireless LAN discovery
• Nmap port scanner and operating system fingerprinting tool
• Nessus Vulnerability Scanner
• Enum for extracting Windows data through null sessions

TUESDAY, JUNE 19, 2007
504.3 Computer and Network Hacker Exploits: Part 2
Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This day-long course covers the third step of many hacker attacks: gaining access.
This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack.
Topics include:
• Network-level attacks
• Gathering and parsing packets
• Operating system and application-level attacks
• Netcat: The attacker’s best friend
• Hands-on exercises with the following tools:
• Sniffers, including Tcpdump
• Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
• Netcat for transferring files, creating backdoors, and setting up relays
• Format string vulnerabilities in Windows

WEDNESDAY, JUNE 20, 2007
504.4 Computer and Network Hacker Exploits: Part 3
This course starts out by covering one of the attackers’ favorite techniques for compromising systems: worms. We’ll analyze worm developments over the past two years and get a feel for the Super Worms we’ll face in the future. Then the course turns to another vital area often exploited by attackers: homegrown Web applications. Attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.
The course also presents a taxonomy of nasty denial of service attacks, illustrating how attackers can stop services or exhaust resources and how to prevent their nefarious deeds.

Topics include:
• Password cracking
• Web application attacks
• Denial of service attacks
• Hands-on exercises with the following tools:
• John the Ripper password cracker
• Web application attack tools, including Achilles

THURSDAY, JUNE 21, 2007
504.5 Computer and Network Hacker Exploits: Part 4
This course covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. In this course, we’ll analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.
Topics include:
• Maintaining access
• Covering their tracks
• Putting it all together
• Hands-on exercises with the following
• Virtual Network Computing (VNC) and Shovelling GUI
• RootKits and detection
• Detecting backdoors with Netstat, Lsof, and Fport
• Hidden file detection with LADS
• Covert Channels using Covert_TCP

FRIDAY, JUNE 22, 2007
504.6 Hacker Tools Workshop
This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on planet Earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. This workshop will give students flight time with the attack tools to better understand how they work. Additionally, students can participate in the workshop’s Capture the Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you’ve built over the week in this engaging contest. The Capture the Flag victors will win a prize.
Topics include:
• Hands-on analysis
• General Exploits
• Other attack tools and techniques

John Strand
John Strand started working in information security at Accenture Consulting at the Department of the Interior, where he worked incident response, vulnerability assessment, and intrusion detection. He is currently employed with Northrop Grumman in Denver doing Information Assurance. John currently holds the CISSP and GIAC GCIH and GCFW certifications.

LAPTOP REQUIRED
See /training for more information.

PLEASE NOTE
Each SANS class runs for 6 days. Attending a SANS course precludes attending USENIX training courses or technical sessions. See p. 22 for registration information.

SATISFACTION GUARANTEED
If you feel a SANS tutorial does not meet your needs, let us know by the first break and we will change you into any other available SANS or USENIX tutorial immediately.



SANS Security 617: Assessing and Securing Wireless Networks
James Tarala, Enclave
Overview: Few fields are as complex as wireless security. This course breaks down the issues and relevant standards that affect wireless network administrators, auditors, and information security professionals. With hands-on labs and instruction from industry wireless security experts, you will gain an intimate understanding of the risks threatening wireless networks. After identifying risks and attacks, we’ll present field-proven techniques for mitigating these risks, leveraging powerful open-source and commercial tools for Linux and Windows systems.
Who should attend: Operations professionals who are responsible for designing and implementing secure wireless networks; security professionals who are concerned about the weaknesses of wireless networks; penetration testers who want to include wireless network security assessments in their organization’s services offerings; auditors who must evaluate wireless networks to ensure they meet an acceptable level of risk and are compliant with organizational policy. Students should have a working knowledge of wireless networks, with experience in the design or deployment of wireless technology.

SUNDAY, JUNE 17, 2007
617.1 Wireless Architecture, RF Fundamentals
The field of wireless networking is vastly complex, with umpteen protocols, standards, and nonstandard software packages. This day introduces the architecture of wireless networks, varying wireless protocols, and radio-frequency concepts.
Topics include:
• Radio frequency characteristics
• Interference in wireless networks
• Calculating signal gain and loss
• Wireless organizers and standards bodies
• Antenna signal propagation and characteristics
• Building home-brew antennas from parts
• Conducting effective site surveys

MONDAY, JUNE 18, 2007
617.2 Auditing Wireless Networks—Hands-on
This day examines the process of auditing wireless networks through passive network analysis using popular sniffer tools. We’ll also examine the various threats that target wireless networks, take an in-depth look at the 802.11 MAC layer, and leverage tools such as Kismet to map the range and exposure of wireless networks.
Topics include:
• Common misconceptions about wireless security
• Using satellite maps to document wireless signal leakage
• Understanding 802.11 addressing
• Passive WLAN traffic sniffing
• Leveraging TCPDump, Ethereal, and Kismet
• Analyzing wireless traffic with post-processing tools

TUESDAY, JUNE 19, 2007
617.3 WLAN Hacker Tools and Techniques, Part I—Hands-on
With the flurry of wireless standards and specifications has come a flurry of attack tools that leverage protocol and implementation weaknesses to compromise wireless security. This first of three days exploring tools and techniques focuses on the threats and mitigation techniques surrounding rogue APs, WEP-based security, and 802.1x with dynamic WEP security.
Topics include:
• Exploring how rogue APs can be used against your organization
• Wireless-side techniques for identifying and locating rogue APs
• Automating centralized wired-side scanning for rogue APs
• Triangulation techniques for locating transmitters
• Understanding the RC4 cipher used in WEP security
• Weaknesses in WEP and dynamic WEP implementations
• Evaluating your network using popular hacker tools

WEDNESDAY, JUNE 20, 2007
617.4 WLAN Hacker Tools and Techniques, Part II—Hands-on
This second of three days exploring tools and techniques focuses on the threats and mitigation techniques for outdoor wireless MAN networks, Cisco LEAP networks, networks using VPN, and WPA pre-shared key implementations.
Topics include:
• Understanding different types of wireless MAN networks
• Software and hardware for sniffing 5 GHz networks
• Evaluating WMAN information dis-
• Weaknesses in MS-CHAPv2 and MD4 hashing techniques
• Operation and weaknesses in Cisco LEAP Networks
• Recovering user passwords from LEAP transactions
• Common vulnerabilities in wireless IPSec/VPN deployments
• Leveraging IP-over-DNS to bypass VPN security
• Understanding the TKIP algorithm and pre-shared key vulnerabilities



THURSDAY, JUNE 21, 2007

617.5 WLAN Hacker Tools and Techniques, Part III—Hands-on
This third of three days exploring tools and techniques focuses on the threats and mitigation techniques for assessing PEAP networks using WPA security, DoS attacks against wireless networks, hotspot security, and WLAN IDS monitoring techniques.
Topics include:
• Understanding RADIUS and key distribution in 802.1x networks
• Leveraging weaknesses to compromise PEAP+WPA security
• Evaluating the impact of WLAN DoS attacks
• Understanding Layer 1 and Layer 2 WLAN DoS techniques
• Assessing hotspot security as a provider, subscriber, and security administrator
• Service theft risks on wireless hotspots
• Rogue APs and hotspot networks
• Compromising SSL security on hotspot networks
• Designing and deploying WLAN intrusion detection services
• Implementing WLAN intrusion prevention services
• Open-source and commercial tools for WLAN monitoring

FRIDAY, JUNE 22, 2007

617.6 Designing a Secure Wireless Infrastructure—Hands-on
This sixth day of the course shifts from learning about different attack techniques and vulnerabilities to the steps we can take to design a secure infrastructure that will be resistant to attacks. Using the knowledge gathered from the previous days, we’ll review the deployment or migration steps that organizations can take to mitigate the weaknesses in other architectures, using commercial or open-source tools.
Topics include:
• Steps for migrating from WEP to WPA to WPA2
• Introduction to public key infrastructure (PKI) authentication
• Deploying PKI using low-cost tools
• Automating client setup and configuration for secure wireless
• Integrating RADIUS with existing authentication databases
• Securing 802.1x and RADIUS authentication
• Deploying PEAP for enterprise wireless security
• Deploying secure VPN connectivity for wireless networks

LAPTOP REQUIRED
See /training for more information.

PLEASE NOTE
Each SANS class runs for 6 days. Attending a SANS course precludes attending USENIX training courses or technical sessions. See p. 22 for registration information.

SATISFACTION GUARANTEED
If you feel a SANS tutorial does not meet your needs, let us know by the first break and we will change you into any other available SANS or USENIX tutorial immediately.

James Tarala
James Tarala is a principal consultant with Enclave Hosting, LLC, and is based in Venice, FL. He is a regular speaker and senior instructor with the SANS Institute, as well as a courseware author and editor for many of their auditing and security courses. As a consultant he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based, directory services, email, terminal services, and wireless technologies.


Hyatt Regency Santa Clara
5101 Great America Parkway
Santa Clara, CA 95054
Tel: (408) 200-1234
Fax: (408) 980-3990
Hotel Reservation Discount Deadline: May 29, 2007
USENIX has negotiated special rates for conference attendees at the Hyatt Regency Santa Clara. Please make your reservation as soon as possible by contacting the hotel directly. You must mention USENIX to get the special group rate.
Special Attendee Room Rate
$169 per night, plus 9.5% state and local tax, $0.12 California State Tourism Tax, and $1.00 District Improvement Tax
Note: When the rooms in the USENIX block are sold out, requests will be handled on a space-available basis at the hotel's standard rate. Make your reservations early!
Why should you stay in the headquarters hotel?
We encourage you to stay in the conference hotel and when making your reservation to identify
yourself as a USENIX conference attendee.
It is by contracting rooms for our attendees that we can significantly reduce hotel charges for meeting room rental. When the sleeping rooms are not utilized, we face significant financial penalties. These penalties ultimately force us to raise registration fees.
We recognize, however, that not everyone can afford to stay in the conference hotel, so we always
try to book venues that have some low-cost alternatives available near the conference.
With costs going higher and higher, we are working hard to negotiate the very best hotel rates and
keep other conference expenses down in order to keep registration fees as low as possible. We
appreciate your help in this endeavor.
Airports & Ground Transportation
The hotel is located 5 miles from San Jose’s Norman Y. Mineta International Airport (SJC) and 30
miles from San Francisco International Airport (SFO). Shuttle service from SJC to the hotel costs
approximately $16–21 per person, and taxi service costs approximately $15–30. Shuttle service
from SFO to the hotel costs approximately $36 per person, and taxi service costs approximately
$80–100. Valet parking at the hotel costs $10 per day and self-parking is complimentary. See for more information.
Traveling to USENIX ’07 from Outside the U.S.A.
See detailed advice from the National Academies about visiting the United States at http://www7
About Santa Clara
USENIX is pleased to bring the Annual Technical Conference to Santa Clara. Santa Clara and its
environs offer a wide array of activities to occupy your free time, including a vibrant cultural scene
and exciting amusement park. Here are just a few ideas:
• Paramount’s Great America,
• Intel Museum,
• Tech Museum of Innovation,
• NASA Ames Exploration Center,
• Rosicrucian Egyptian Museum & Planetarium,
SANTA CLARA, CALIFORNIA
See the Santa Clara Convention & Visitor’s Bureau’s Web site,, for more.


Register or make a reservation on the Web today at
Pay today with a credit card, or make a reservation online and then pay by check, phone, or fax. Have the best of both worlds: the convenience of online registration without the hassle of hand-written forms, and the ability to pay as you want, when you want!

Early Bird Registration Deadline: June 1, 2007

Every USENIX training program registration includes:
• Admission to the tutorials you select
• Lunch on the day of your tutorials
• Training program CD-ROM, including all available tutorial presentations and materials
• Printed tutorial materials for your courses
• Admission to the evening activities
• Conference t-shirt
• Wireless connectivity in conference session area

Every SANS training program registration includes:
• Admission to the tutorials you select
• Lunch on the day of your tutorials
• Complimentary one-year membership in the USENIX Association
• Printed tutorial materials for your courses
• Admission to the evening activities
• Conference t-shirt
• Wireless connectivity in conference session area

TECHNICAL SESSIONS REGISTRATION
Every technical sessions registration includes:
• Admission to all technical sessions on the days of your choice
• Copy of the Conference Proceedings (in print or on CD-ROM)
• Admission to the evening activities
• Conference t-shirt
• Wireless connectivity in conference session area

Multiple Employee Discount
We offer discounts for organizations sending 5 or more employees to USENIX ’07. Please email for more details.
The group discount cannot be used in conjunction with any other discounts, and it cannot be applied retroactively—that is, refunds will not be issued to those meeting the discount requirement after they have already

REGISTRATION FEES
USENIX is pleased to offer Early Bird Registration Discounts of up to $300 to those who register for USENIX ’07 by June 1, 2007. After June 1, registration fees increase.

Daily Rates                                                  Before June 1   After June 1
1 day of technical sessions                                  $260            $310
1 day of USENIX training                                     $635            $685
1 half-day of USENIX training; second half-day only $300     $335            $385

SAVE! Choose One of Our Special Discount Packages            Before June 1   After June 1
A. 3 Days of Technical Sessions   SAVE $100!                 $680            $830
B. 2 Days of USENIX Training      SAVE $50!                  $1220           $1320
C. 3 Days of USENIX Training      SAVE $100!                 $1805           $1955
D. 4 Days of USENIX Training      SAVE $200!                 $2340           $2540
E. 5 Days of USENIX Training      SAVE $300!                 $2875           $3125
F. 6 Days of USENIX Training      SAVE $600!                 $3210           $3510
G. 6 Days of SANS Training*                                  $3210           $3510

*Each SANS class runs for 6 days. Attending a SANS course precludes attending USENIX training courses or technical sessions.
For maximum savings, combine Package A with Package B or C.
If you are not a member of USENIX, EurOpen.SE, or NUUG, $120 will be added to your technical sessions fees.

Optional Costs
Continuing Education Units (CEUs): $15 per training day

Registration Fees for Full-Time Students
USENIX offers full-time students special low registration fees for USENIX ’07 that are available at any time. See for more information.
Students who are not members of USENIX: $45 will be added to your technical sessions fee.

Daily Rates for Full-Time Students
1 day of technical sessions    $110
1 day of USENIX training       $200
A limited number of USENIX tutorial seats are reserved for full-time students at this very special rate. Students must reserve their tutorial seats before registering. If you plan to take half-day tutorials, you must take both half-days to qualify for the student rate. There is no special student rate for SANS training.

Please Read: This is not a registration form. Please use our online form to register or make a reservation. If you choose to make a reservation and pay later by check or credit card, you will receive a printable summary of your session selections, the cost breakdown, and the total amount due. If you are paying by check or phone, submit a copy of this summary along with your payment or have it with you when you call. Tutorial bookings cannot be confirmed until payment has been received. Purchase orders, vouchers, and telephone reservations cannot be accepted.

Workshop Registration
USENIX ’07 will be co-located with the 3rd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI ’07) and with the FAST-OS PI Meeting and Workshop. Please see for more information and to register for SRUTI ’07, and /fastos07 for more information and to register for the FAST-OS workshop.

Refund/Cancellation Deadline: Monday, June 11, 2007
All refund requests must be emailed to by Monday, June 11, 2007. You may substitute another in your place.




Hewlett-Packard Labs ACM Queue

Dr. Dobb’s Journal
IEEE Security & Privacy
Linux Journal
No Starch Press
Sys Admin


2560 Ninth Street, Suite 215
Berkeley, CA 94710
510.548.5738 fax

US Postage Permit #110, Hopkins, MN

Register with the priority code on your mailing label to receive a $25 discount!

Register by June 1 and SAVE!