Defcon 17 Roundup

By -
It hardly seems like Defcon 17 was only a week ago. Right now it alternately feels like I just got back from it, or it happened a million years ago. Ok, I admit it. That link has nothing to do with this post, defcon, or even the idea of "a million years ago", but I stumbled across it in my Google search for something more appropriate and I thought I should share. Librarian hackers: need I say more?

As I was saying, Defcon 17 occurred at some point in the past. I won't detail the parties that went on, though there were a few. The exception I will mention is the Toxic BBQ which was held on Thursday. Having skipped it the last two years due to various reasons, most of which involved the words "108 degrees", "outside", "off-site", and "laziness", I was truly amazed at how fun this event was. It also was the one event where you could relax, drink a few beers, (making sure to drink plenty of water as well - let me reference that 108 degrees again), and talk to people without music blasting in the background. All in all, I'm going to make sure I don't miss it next year.

Now on to the actual talks, which supposedly are the reason why everyone goes to Defcon in the first place.

Thursday:
I arrived too late to see any of these, but I heard good things about "Effective Information Security Career Planning", and "Hardware black Magic - Building Devices with FPGAs". I really wish I could have attended the FPGA talk since as you can imagine there are a few ways that can help my research.

Friday:
Talks I attended:
  1. Beckstrom's Law: I saw Rob Beckstrom speak at last year's Defcon panel "Meet the Feds", and I have to admit that I didn't have a very high opinion of him. Later when reading about his resignation from the post of Cyber-security chief I had to re-examine my previous evaluation as a lot of the points he made were very good. That being said, I managed to sit through about 10 minutes of this talk before I had to walk out. Between him promoting his book, explaining what DNS is, and warning us he might use "math", I realized he must have forgotten that he was giving this talk to Defcon attendees and not your typical office boardroom. That's a shame too since I looked at his slides afterwards, (the ones on the CD, not the ones he used), and there was a lot of good stuff in them. The problem he was covering is extremely important, and I think everyone agrees that the way we currently value networks and computer security falls into "pick some numbers that sound right." That's not acceptable and it's good to see someone trying to do something about it. I think in the future I need to focus on what Beckstrom writes, and skip any of his live talks.
  2. Asymmetric Defense: How to Fight off the NSA Red Team with Five People or Less: As the name implies, this talk detailed how the US Merchant Marine Academy goes about participating in NSA's Cyber Defense Exercise with a limited budget. It was a good talk, and one that I would recommend browsing through when it becomes available online. It also annoyed people from the other service academies to no end which was amusing as well.
  3. More Tricks for Defeating SSL: This was THE talk of Defcon. I'm sure you've heard about it already so I don't need to go into details. What made this talk amazing was not only did Moxie completely break SSL; not only did he do it a way that was totally l33t, (Pascal strings?!); not only did he show some scary attacks with it like completely owning any computer that was running Firefox, but he gave a great presentation as well. When he showed the blurry code segment and asked us to find the bug, (hint it's the part with all the nested If statements), I was blown away by his ability to convey this information to the crowd.
  4. The Year in Computer Crime Cases: Yay EFF. The most interesting part was hearing about the problems they had trying to set up a secure war-room at Defcon last year.
  5. Defcon Security Jam 2: I eventually ditched this talk and went to grab some lunch. I think part of the problem was the general setup of this hybrid talk/panel session. It wasn't bad, but eating food was a better use of my time.
  6. Computer and Internet Security Law - A Year in Review: Of the three "law" talks I went to, this one was the best. It really helped explain some of the reasoning behind certain rulings, such as why the cops can obtain a warrant and force you to open up a keyed safe, but they can't force you to open up a combination safe. In that case, it's all about attribution: aka if you know the combo, the safe is probably yours. With a key though, all the cops can "prove" is you knew where the key was. Yah, laws are weird.
  7. Malware Freak Show: I wasn't able to get into Johnny Long's talk so I went to this one instead. Looking back, it just goes to show that it's good that life doesn't always work out the way you want it to. I always wondered what computer security measures casinos use. Now I have a better idea, and I was shocked to find out that in at least one case the casino did such a poor job.
  8. Fragging Game Servers: I love to hear Bruce Potter talk, so it was entertaining, but he and Logan really needed another two to four months of work before this presentation should have seen the light of day. I feel sympathy for them as I've been in a similar situation myself. Most people don't realize it, but with these talks you need to submit a proposal around four months before the actual conference itself. This means the presenter usually has to make a few educated guesses about where they will be when the conference rolls around. Sometime those guesses don't match up with reality.
  9. Something about Network Security: So of course I had to go to the Kaminsky talk. I originally was going to see the talk by Travis Goodspeed, since I'm just blown away by his work, but with all the craziness of the zf0 hack I wanted to see what Kaminsky's reaction to it was. Pretty much everyone took the view of "but for the grace of god go I", with Dan being hacked. I have to admit, it wouldn't take much to completely 0wn me so reassessing my security setup is certainly on my to-do list when I get back to Tallahassee. The talk itself wasn't his best, but a lot of that can be attributed to Moxie covering much of it earlier. In short, it was a tough week for Dan, though my opinion of him hasn't been diminished at all.
And that was my Friday. I'll leave Saturday and Sunday for a later post.

Comments

Post a Comment

Popular posts from this blog

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo
Read more

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi
Read more

Cracking the MySpace List - First Impressions

By -
Image
Alt Title: An Embarrassment of Riches Backstory: Sometime around 2008, a hacker or disgruntled employee managed to break into MySpace and steal all the usernames, e-mails, and passwords from the social networking site. This included information covering more than 360 million accounts. Who knows what else they stole or did, but for the purposes of this post I'll be focusing only on the account info. For excellent coverage of why the dataset appears to be from 2008 let me refer you to the always superb Troy Hunt's blog post on the subject . Side note, most of my information about this leak also comes from Troy's coverage. This dataset has been floating around the underground crime markets since then, but didn't gain widespread notoriety until May 2016 when an advertisement offering it for sale was posted to the "Real Deal" dark market website. Then on July 1st, 2016, another researcher managed to obtain a copy and then posted a public torrent of then entir
Read more