DefCon 19, Day 3

Sunday was interesting — this was actually the first DefCon I have attended (and I’ve been to the last five) where Sunday was actually busy. Normally Sunday feels very empty — most people have gone home, and the ones that are still around are too hung over to go to the morning sessions. I was not quite hung over enough to miss the morning sessions, so off I went. I’d imagine a lot of people took advantage of DefCon TV, though.

I started the day with Whit Diffie & Moxie Marlinspike’s Q&A session in Track 1. There was no topic in the program; instead, they just both answered questions about SSL and cryptography. One interesting detail: one of the reasons RSA has become more successful (or at least frequently used) than Diffie-Hellman was that Diffie himself favored it, on account of certain attacks for which RSA is more favorable (though Diffie-Hellman is better against others.) A lot of the discussion, though, was about Moxie’s notary system proposal. I have to give Moxie credit here — though I’m still not sure that I agree with his proposal, I probably spent more time debating it with people than I spent talking about any other presentation this weekend. It certainly spawned a lot of conversation.

Paul Craig’s iKAT tool is always interesting, and he presented a new version. The previous one only attacked Windows kiosks, and now he’s cross-platform. Essentially, the principle is that Internet kiosks are designed with the threat model of defending the kiosk from the user… and not defending it from the Internet. Thus, iKAT is an Internet site that can be used by the user to attack his own machine, under the assumption that his own machine is some sort of locked-down Internet kiosk with restricted permissions. iKAT allows the user to take full administrative control of most of them, either just to get unrestricted Internet or, if he’s less friendly, to Trojan the card-reader.

Next, Alva Duckwall presented A Bridge Too Far, a talk on bypassing 802.1x via creating a layer-2 transparent bridge. This was actually a rather cool talk, and coupled very well with yesterday’s talk on exploiting hotel VoIP via VLAN-hopping by cloning the phone. With all the focus being on Layer-3 protocols these days, it’s cool to see that you can still do some interesting stuff at Layer-2.

There was a talk in the afternoon on bit-squatting — essentially, a binary version of typosquatting wherein you register a domain that’s a 1-bit error off from a legitimate domain, not intending to catch user error but rather to catch hardware and network errors. 1-bit errors are fairly common, at least when multiplied by billions of Internet users. I didn’t attend the talk because I felt that all the interesting material was basically contained in the title — the moral of the story is going to be that you should probably register the 1-bit-off domain names of your own if you’re going to create a highly-targeted site like a banking site. Talking to people who did attend… the consensus was that it shouldn’t have been a 50-minute talk.

Instead, I visited datagram’s talk on tamper-evident devices. Most of them, well, aren’t tamper-evident, at least not against a skilled attacker. The attacks range from very obvious (stretching plastic, razoring up adhesive) to requiring more knowledge (dissolving adhesive with a wide variety of organic and inorganic solvents) to very clever. Note that during the Tamper Evident contest at DefCon, wherein people tried to bypass a wide variety of anti-tampering seals and devices… none of the seals or devices successfully resisted attack.

I followed this up with a talk by the DefCon NOC on Building the DefCon network. It’s an interesting challenge — building a high-bandwidth network, wired and wireless, for use by 12,000 people, many of whom will be actively attacking it, given only 3 days, using only hardware you can afford to keep in a box 51 weeks of the year. Considering their constraints they do a remarkable job. This year’s secure wireless was, so far as anyone could tell, actually secure… and possibly safer than using GSM or CDMA in this environment (GSM is definitely broken, and the not-quite-confirmed rumor is that CDMA users were hit by an 0day MitM this year, too.) DefCon TV was a huge hit, even though it did not successfully reach all rooms.

The last talk of the day was Jayson Street’s dramatically-titled “Steal Everything, Kill Everyone, Cause Total Financial Ruin!” It was sometimes amusing, but overall it was mostly a self-aggrandizing pentester talking about various (mostly physical) exploits he had pulled off. Not really any valuable content for a security pro, though your average non-security person would probably be shocked at how trivially exploitable most systems are.

Having spent pretty much the whole weekend at DefCon events, I decided to go back down to the Strip, see a show, and have some delicious steak frites and wine at the Paris. It was a nice ending to a packed weekend.

Overall, DefCon this weekend was a huge success (I’m making a note here.) The Rio was a great environment, much better than the Riviera, with enough room to grow and real food to eat. Staying in the conference hotel and having a group to enjoy DefCon with made it a much more fun experience than past years; both will be things I’ll be sure to repeat. (Incidentally, Google Plus is a great tool for attending a con with a group — it’s like having your own private Twitter — though I can’t say that I have found much else it’s good for yet.) Speaking of Twitter, while it’s been indefensible for DefCon in prior years, at this point since everyone has a smartphone and a Twitter account the #defcon hashtag actually has so much traffic it’s almost impossible to keep track of. Every time you bring it up there are hundreds of new tweets.

I think the new non-electronic badges were a success. While perhaps less “cool” than the electronic ones, far more people participated in the badge contest this year than have ever participated in hacking the electronic badges, and while badge lines did run 2-3 hours, at least they were available before the con started. At some point, DefCon management needs to learn that the conference is growing 10%+ per year and that they need to order enough badges for growth; considering the much lower cost of non-electronic badges, perhaps they’ll do that next year. The lines are entirely unnecessary — they exist only because everybody knows that badges have been under-ordered and people at the back of the line won’t get one. Without this pressure to get badges first, the infamous LineCon could be avoided.

DC303 and Rapid7 threw great parties. However, most of the fun I had was around the Rio pools — having them open until 2am was great, though even later would be nice (and allowing alcohol instead of having everyone smuggle it in would be an improvement, though I’m not holding my breath on that one.) Finally, thanks to DC206 for a great time, a lot of very interesting conversation, and confusing the hell out of taxi drivers.

attacks, hardware, networks, physical security, products

DefCon 19, Day 2

I slept in a bit on Saturday and missed the 10am panels. None of them seemed very relevant to me, though now I kind of regret missing the first panel. Apparently the former CEO of HBGary Federal, Aaron Barr, was scheduled to speak, but his former employer threatened him with a lawsuit, so at the last minute he was replaced with the mysterious masked pirate Baron von Arr. I’m certain no one has any idea who he might have been. I was also unable to make it to Schuyler Towne’s DIY Non-Destructive Entry talk on bypassing locks and doors, which is unfortunate as Schuyler is an interesting speaker; this is another one I’ll be sure to catch on video.

Mycurial gave an overview of High-Frequency Trading systems in the next talk. These are the systems by which computers trade stocks and other investments with other computers, as a form of arbitrage — they offer things for sale to fulfill trades before they actually have the items in question, then quickly buy them. It’s a speed game, with latency measured in nanoseconds, such that distance between the trader and the exchange matters (light can only go 11 feet per nanosecond, after all, so a few hundred yards might put you behind another trader, resulting in a loss.) As a result, conventional security measures are practically nonexistent. Networks run on custom, non-standards-compliant TCP/IP and Ethernet stacks. Firewalls and IDSs, which can add latency in microseconds, are absolutely prohibitively slow. These networks are “dedicated,” but these days no network connections are truly dedicated — leased lines are still packet switched and trunked. If someone managed to find their way into one of these networks they could do a lot of damage. For that matter, who’s to say the traders aren’t subtly attacking each other? We still don’t know for sure what caused the May 6th Flash Crash.

I did not manage to catch Richard Thieme’s Staring Into The Abyss at either BlackHat or DefCon, which is unfortunate; many attendees said it was the best talk of the conference. This will be another one to catch on video.

I went to a talk on the Metasploit vSploit Modules, which are modules intended to test IDSs, WAFs, and other network monitoring and filtering technology. Pretty neat code, but not really relevant to my interests.

Gus Fritchie’s Getting Fucked On The River explored vulnerabilities in online poker servers, and the arms race between cheaters and the poker sites’ attempts to stop them. There have been a host of exploits, from a predictable random number generator (if you seed your card-shuffling algorithm with a 32-bit number, there are only 4 billion possible decks of cards, which means someone can essentially build a deck rainbow table and predict draws with great accuracy), to back-door “cheat detection” code that actually leaked hole cards to an insider, to poker bots that play well enough to beat average players (and can beat even skilled players if many of them collude together, or be used to launder money.)
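The predictable-shuffle problem from the poker talk, as an added demonstration (my own code, not anything shown in the talk): a deck shuffled from a small integer seed can be recovered from the first few dealt cards by searching the seed space, and the hardened version draws its randomness from the OS instead. To keep the search instant, the demo uses a 16-bit seed in place of the 32-bit seed the talk described; the principle is identical.

```python
import math
import random
import secrets
from typing import List, Optional

DECK_SIZE = 52  # cards are represented as the integers 0..51


def shuffle_weak(seed: int) -> List[int]:
    """The vulnerable pattern: a PRNG seeded with a small integer.

    Every deck this can produce is fully determined by the seed, so the
    number of reachable decks is 2**seed_bits, not 52!.
    """
    deck = list(range(DECK_SIZE))
    random.Random(seed).shuffle(deck)
    return deck


def recover_seed(observed: List[int], seed_bits: int) -> Optional[int]:
    """Given the first few cards dealt, find the seed whose shuffle starts
    with them by trying every seed in the space.

    With a 32-bit seed this is 2**32 shuffles (the 'deck rainbow table' the
    talk mentioned); seed_bits is a demo parameter to keep this to seconds.
    """
    prefix_len = len(observed)
    for seed in range(1 << seed_bits):
        if shuffle_weak(seed)[:prefix_len] == observed:
            return seed
    return None


def shuffle_strong() -> List[int]:
    """Hardened form: shuffle with randomness from the OS CSPRNG.

    There is no seed to recover, and the whole 52! ordering space is
    reachable, so observing dealt cards tells you nothing about the rest.
    """
    deck = list(range(DECK_SIZE))
    secrets.SystemRandom().shuffle(deck)
    return deck


def reachable_fraction(seed_bits: int) -> float:
    """Fraction of all 52! deck orderings a seed_bits-bit seed can ever produce."""
    return (1 << seed_bits) / math.factorial(DECK_SIZE)


if __name__ == "__main__":
    # Constructed scenario: the server shuffled with a 16-bit seed we do not know.
    secret_seed = 40321
    dealt = shuffle_weak(secret_seed)
    seen = dealt[:6]  # six cards are already more than 16 bits of information
    found = recover_seed(seen, 16)
    print("observed cards:", seen)
    print("recovered seed:", found, "-> rest of deck predicted:",
          shuffle_weak(found)[6:] == dealt[6:])
    print("fraction of decks a 32-bit seed can reach: %.1e" % reachable_fraction(32))
```
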

A talk called VoIP Hopping The Hotel was one of the very few technical exploit talks I saw at DefCon this year. Luxury hotels are starting to put VoIP phones in rooms, using the same Ethernet lines as the in-room Internet. If you plug into the phone’s port, though, you see nothing on the network, and can’t get an IP — 802.1q VLAN trunking is used so the phones exist on a different virtual network than the Internet connections, and only the phones can see it. Now, properly used, 802.1q trunking is secure… but “properly used” means never allowing an untrusted user access to a “trunk port” (a single port which hosts multiple VLANs.) Since the hotel port does just this — both the VoIP VLAN and the Internet VLAN — it’s possible to use some tools demonstrated in this talk to gain access to the VoIP VLAN with a computer, puzzling out the VLAN ID for the VoIP VLAN and cloning the phone’s MAC and IP addresses. It takes some skill — send one wrong packet on the VoIP VLAN and you’ll trigger port security and get the whole connection shut down at the switch — but with proper tools isn’t very hard. So why would you want to be on the VoIP VLAN? Well, network designers tend to be lazy… and that VLAN tends to be the hotel’s internal network.

Finally, This is REALLY Not The Droid You’re Looking For was another good exploit talk. On Android devices, it’s possible to craft an application that uses only common permissions (“Read Phone State”) and uses only “safe” APIs (meaning automatic approval for publication in the Android Market) that spawns a service that watches for a specified list of apps, and (upon seeing one) foregrounds itself silently over the app in question. So someone can make a game which, after you have played it once, silently lies in wait and when I load up Facebook, or my bank’s app, or my password manager, pops up a fake login screen over the real one and intercepts the password. As a user, there is no defense and no detection; there may be no fix for this short of a significant overhaul of Android’s UI APIs and permissions.

Also back this year (for the first time in many years) was DefCon TV — the talks were broadcast over the hotel’s internal cable system to all the rooms. So when a talk filled up, you could just go back to your room and watch it there if you were staying in the Rio. It was quite convenient, though in some rooms (including mine) not all 5 tracks were available. Still, according to the DefCon Goons this helped a lot with crowding, since many people would watch talks from their rooms and only come down to the conference floor for more social activities.

For the evening, I met up with the DC206 group again, ate over at the Gold Coast hotel, and then dropped into the IOActive Freakshow (yet another pool party), followed by the DC303 party (featuring Dual Core and C64, playing a mostly drum-and-bass set in lieu of the usual nerdcore, albeit still with some rapping) and finally the DefCon White Ball (with Miss Jackalope playing more drum-and-bass.) There was a lot of dancing and not a small amount of drinking, with the usual discussion of hacking, infosec, and reasons to make a Tesla coil out of DefCon badges. All in all, it was another good night.

attacks, industry, networks, products, risk

DefCon 19, Day 1

Having finished with BlackHat, I checked out of the Flamingo and moved to DefCon’s new location this year, the Rio. This was an enormous upgrade from the Riviera, the previous location. For one, the conference center is nearly 50% bigger, and it’s beautiful. Traffic flow was greatly improved, despite record attendance (~12,000, from estimates I’ve heard, up 20% from last year.) It was crowded, but it was a manageable crowd, and I managed to get into everything I wanted to, save for a talk in Track 2 (by far the smallest of the 5 presentation rooms.) What’s more, the DefCon Goons improved things as the conference went along (they always do), so Saturday went even better than Friday.

I started the first day with 1o57’s talk on the new DefCon badge. This year’s badges were non-electronic (for the first time in several years) — they were antiqued titanium discs with the Eye of Ra and various codes inscribed in them with a water knife. Apparently making the 10,000 DefCon badges actually used the entire supply of sheet titanium in the United States at the time. Bright side of them being non-electronic: they actually had them before the con started! There has been a history of the badges getting hung up in customs on the way from China, but the non-electronic badges were produced in the USA. 1o57 designed an elaborate puzzle contest around the badges, but I can’t say much about it as I didn’t participate this year. There was, however, a very nice-looking code wheel on the floor of the Rio convention center rotunda that was key to the game and gave the room a nice DefCon look, so it was appreciated even by non-participants.

I spent the next couple of hours exploring the non-talk aspects of DefCon (none of the sessions in those slots were particularly interesting to me) and bought up some DefCon shirts and a couple of 2600 Hacker Calendars. I also donated $170 to the Electronic Frontier Foundation in my name and my wife’s, though I didn’t actually end up going to the party to which that entitled me admission (the donation and not the party was the primary purpose anyway.)

I dropped into Mark Weber Tobias’s physical security talk, called Insecurity: An Analysis Of Current Commercial And Government Security Lock Designs, which involved some hilarious attacks on “high-security” physical locks. You know those locks with 5 vertically-arranged pushbuttons you see in every airport or government building? They pop right open if you stick a neodymium-iron-boron magnet on the side. A keycard/keypad electronic lock with a USB port on the bottom for reprogramming is impervious to electronic attacks… but opens if you shove a paperclip to the back of the USB port. This sort of attack was ubiquitous — simple modifications that made sophisticated electronic locks open in purely mechanical ways. The overall point is that to get through a door, you do not have to open the lock — you have to actuate the mechanism that the lock actuates. Sometimes this is really easy.

The next talk was entitled Why Airport Security Can’t Be Done FAST, about the TSA’s Future Attribute Screening Technology. This project intends to detect malicious intent, based on biometrics and facial cues, kind of like an electronic Cal Lightman. The problem, in short, is the standard Bayesian statistical issues that always come up when trying to detect something vanishingly rare like terrorism. The top 10 airlines in the world carry a billion passengers per year — the top 5 US carriers alone carry 500 million per year. How many of these are terrorists who actually intend to blow up a plane that flight? Let’s be very conservative and pretend 100 people try to board an American plane with the intent to blow it up every year (probably an enormous overestimate.) Now let’s imagine my FAST system is 99.9% accurate at detecting terrorists — sounds great, doesn’t it? Let’s get that into our airports immediately! But wait… 99.9% accurate means it will probably catch all 100 terrorists. It’ll also catch 500,000 innocent people — 0.1% of the 500 million passengers. So if FAST points you out as a terrorist, there’s a 0.0002% chance it’s right! Due to the base rate fallacy, a 99.9% accurate terrorist detector’s alarms are false positives 99.9998% of the time. Oops.
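The FAST arithmetic carried through as Bayes’ rule with the post’s own figures (500 million passengers, 100 would-be attackers, a detector that is 99.9% accurate in both directions); this derivation is added here and was not part of the talk:

$$
\begin{aligned}
P(A \mid T) &= 0.999, \qquad P(A \mid \neg T) = 0.001, \qquad P(T) = \frac{100}{5\times10^{8}} = 2\times10^{-7} \\
P(T \mid A) &= \frac{P(A \mid T)\,P(T)}{P(A \mid T)\,P(T) + P(A \mid \neg T)\,P(\neg T)}
 = \frac{0.999 \cdot 100}{0.999 \cdot 100 + 0.001 \cdot \left(5\times10^{8} - 100\right)} \\
 &\approx \frac{100}{100 + 500{,}000} = \frac{100}{500{,}100} \approx 2\times10^{-4}
\end{aligned}
$$

That is roughly one correct alarm for every five thousand raised, and the denominator is dominated entirely by the false-positive term, which is why no improvement in sensitivity helps: only the false-positive rate, multiplied by the enormous innocent population, matters.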

What do you bet the real FAST isn’t 99.9% accurate, either?

I next attended the EFF Year in Civil Liberties panel for a summary of legal issues in information security, privacy, and free speech. This was followed by the Hackerspace Panel, about hackerspaces and DefCon groups around the country and what they do to encourage innovation and bring hackers, makers, and other interested people together. Both panels went very well, especially given that the Q&A nature of panels often makes them hit-or-miss.

Friday night at DefCon is surprisingly free of events — about all that’s going on is the Black Ball and the DefCon Pool Party. I met up with the DC206 group again, had some dinner, and mostly hung out at the pool party for the evening and discussed the day’s events and other topics in hackerdom. Frankly, talking about interesting topics (in a hot tub outside with DJs spinning techno in the background, no less) beats most parties anyway.

industry, physical security, privacy, risk, society, statistics, terrorism

BlackHat USA 2011, Day 2

The second day of BlackHat started out with a keynote by Mudge. I attended this one despite the normally-dull nature of BlackHat keynotes, because while Mudge is a Fed now (he works for DARPA), he has a long history as a contributor to hacker culture and I wanted to hear what he had to say. He introduced a DARPA program called Cyber Fast Track (it’s not government if it doesn’t have “cyber” in the name, after all) that allows small companies and even hackerspaces to receive grants to do infosec research, without having to jump through the hoops and fill out the forms for traditional government financing, all of which are designed for huge government contractors like Lockheed Martin and are nigh-impossible for individuals and startups. I appreciate the work he’s doing, and especially the fact that accepting these grants involves giving DARPA only government-use rights and not signing over the IP for the research.

Next I went to Chris Paget’s overview of the Final Security Review for Windows Vista. Since I’m someone who’s actually done Final Security Reviews for Microsoft and is part of the team that owns the Security Development Lifecycle, there was nothing here I didn’t know. However, Chris gave a very favorable review of Microsoft, and it was clear that she really appreciated the work Microsoft does in securing their products. For all the bad press Microsoft used to get in security, Microsoft has the most mature and complete security processes in the industry, and this is a remarkable turnaround when you look at where they were in 2001. It’s good to know that even on the much-maligned Vista they gave Chris and her team full access to everything and everyone remotely relevant, and got a very good return on investment in terms of security bugs fixed.

I missed the next session to pick up my DefCon badge. In my five years of attending DefCon, they have run out of badges every time, thanks to DT underestimating attendance (each DefCon has been much bigger than the last, recessions notwithstanding.) As a result, everyone queues up early to get one, making for hours-long lines. Though this year they went for a non-electronic badge, and thus at least had them on time, they did still run out by midday Saturday. Lines were about an hour at BlackHat, and apparently ran to over two at the Rio.

In the afternoon, I dropped into Moxie Marlinspike’s SSL and the Future of Authenticity. Moxie is worried about the constant compromises of SSL Certificate Authorities — many have had bugs in them that made it possible to get real, valid certificates issued to you for other people’s domains (e.g. google.com, or your bank), thus making it possible to eavesdrop on SSL communications in a man-in-the-middle scenario. One of the most-public breaches was the attack on Comodo that resulted in many false certificates being generated for some of the most important sites on the Web. But what happened to Comodo? Nothing! The CA system has no ability to change. Browsers trust Comodo, and even if we don’t like the idea of trusting them anymore — when they have been proven untrustworthy — there’s nothing to do about it. If browser vendors dropped Comodo, 20-25% of all secure sites on the Web would stop working. Moxie proposed a new system (he demonstrated it with a Firefox plugin called Convergence) wherein the user selects trustworthy parties, called notaries, which verify certificates for him. The notary system will prevent a man-in-the-middle attack just as well as the CA system does, and if you distrust a notary you can just switch to others, and nothing breaks. The user chooses who to trust. On one hand, this does give trust agility — the ability to change who you trust — which Moxie highly values, and it does prevent man-in-the-middle attacks unless the attacker is very close (from a network-topology standpoint) to the destination host (which is unusual — in most MitM attacks, the attacker is very close to the source host, not the destination.) On the other hand, I’m not quite convinced — the system does not prove authenticity, only that no MitM is present, so it doesn’t really substitute for the CAs. However, I’d say my friends and I spent more time discussing this talk than any other at BlackHat or DefCon, so right or wrong he got us thinking, which can only be good in the long run. The CA system really is broken, and it’s untenably fragile — if one CA has its private key widely distributed, everyone will be able to make fake SSL certificates forever. And there are thousands of CAs.

I went up to IOActive’s IOAsis suite at the top of the Forum Tower in lieu of the next BlackHat session. I’m not sure what actually happened between BlackHat and IOActive this year, but for the first time since I’ve attended the conference, IOActive had no official presence at the conference (whereas before they’ve been one of the top-tier sponsors) and ran their own parallel events at Caesars instead. I had a pass to IOActive’s events as well — spend five years in infosec in the Seattle industry and it’s hard not to know half of IOActive, particularly their CEO who seems to have the remarkable ability to remember everyone she meets, instantly and forever. I went to a talk they hosted about malware tools like Spy Eye and Zeus. Overall, they’re remarkable professionally-developed tools, with high-quality tutorials and documentation. They really make being a criminal easy, and if you happen to live in a non-extradition country like Russia, it turns out crime does pay.

Finally, I went to a talk about the latest Chip & PIN exploits. I have to admit, as an American, Chip & PIN exploits always seem kind of lame. They boil down to “with this amazing exploit, we can make European credit cards almost as insecure as American ones are all the time!” The fact that if you steal a credit card you can, you know, buy stuff with it until the cardholder notices it’s gone and calls the bank just doesn’t seem like a revelation. This said, it is interesting to see some of the dubious security decisions made in this “secure” payment system, and Chip & PIN will be coming to the U.S. in the near future. The worst threat here is not technical but legal — in most European countries, the fact that a transaction happened via Chip & PIN is considered prima facie proof that you authorized the transaction and are fully liable — either that, or you were negligent with your PIN and still fully liable. The fact that it’s possible to make these transactions without a PIN makes this dangerous.

At this point, BlackHat USA 2011 was over. I headed back up to IOActive’s IOAsis suite for their post-conference reception. I not only met up with several people from IOActive, but I also happened to strike up a conversation with someone who informed me that she was with the DC206 group — the local DefCon club here in Seattle that meets at The Black Lodge about 10 miles from here. We quickly found we had several friends in common, and she introduced me to the other DC206/Black Lodge people at the party. This worked out very well, as I ended up hanging out with them for the next three days of DefCon, and had a lot of great conversations with a very interesting mix of security pros, makers, and hackers as a result. Though I’ve been by the Black Lodge and DC206 events before, I plan to make an effort to be present for more of them in the future.

We went to the Microsoft party at the Haze nightclub in Aria, primarily because given the youth of the Aria property, none of us had ever seen it before. The party itself wasn’t bad — quite good compared to last year’s event — and they had a nerdcore rapper performing (I honestly don’t remember if it was DualCore or MC Frontalot, having encountered both of them multiple times during the week.) However, we stayed only briefly then moved to the Rio, where we hung out with other DefCon attendees at the pool. The Rio was kind enough to keep the pool open until 1am (much later than normal) for DefCon attendees, and even until 2am on subsequent nights, which was quite appreciated.

attacks, crypto, industry, risk, society

BlackHat USA 2011, Day 1

I spent last week in Las Vegas, for BlackHat USA 2011 and DefCon 19 — my annual security conference pilgrimage. Overall impression: the quality of the actual presentations was below-average this year, but it was still an educational experience, a good professional networking event, and probably the most fun I’ve had at DefCon so far.

Since work wouldn’t allow me to book travel until July 1st, I had to stay across the street from BlackHat, at the Flamingo. It’s an okay place, though my room’s wired Internet and one of the lamps were broken, as well as something else unimportant that I have now forgotten. But it’s as close to Caesars as you can get without actually being in Caesars. Next year I’ll book a room in Caesars’ Palace Tower (particularly ideal, since its elevator actually goes straight to the conference center) six months ahead of time, and just cancel it if work decides not to send me to the conference — the deposit is refundable, so I won’t be out anything.

BlackHat had the usual (for the last few years) dull government keynote speaker (Ambassador Cofer Black this year, who said “cyber” about 100 times, as only government speakers ever do) for the first day. I spent a bit of time at a WiFi Penetration Testing Workshop, followed by a very interesting talk on Google Chrome OS. The gist of it is that in Chrome OS, since the browser is the operating system, a cross-site scripting exploit (which is very common and very easy) becomes the equivalent of administrative remote code execution on a conventional OS like Windows or MacOS. Since an XSS can call Chrome OS’s APIs, clicking one malicious link can give an attacker full access to all data for all applications on the system. While I don’t use Chrome OS (and, frankly, neither does anyone else), rumors that Windows 8 will support DHTML-based applications (like all of Chrome OS’s apps are) make me hope that the Windows 8 team is considering exploits like this.

Next was Dan Kaminsky’s talk, Black Ops of TCP/IP 2011. While it sure beat last year’s Kaminsky talk (“Hey, let’s talk about DNSSEC! By the way, did I mention I started a new company that makes DNSSEC tools?”), the description was rather misleading — he spent a third of the talk talking about BitCoins (short-short version: the BitCoin system does not scale well, and unless used very carefully is not anonymous), then talked a bit about various sequence-number prediction vulnerabilities (well, sort-of-vulnerabilities), and showed off a tool (“nooter”) that can detect non-neutral networks (i.e. networks, like your ISP, that may be favoring some companies over others for extra cash rather than providing you a straightforward Internet connection.) The nooter tool was kind of clever, though, and it really would detect non-neutral ISPs, which is a valuable public service even if, well, not all that interesting.

I missed a talk on femtocells that I’ll have to catch on video, as it sounds interesting. Femtocells are the cell-network extension terminals you can get put in your house if you have terrible cell reception, but since this amounts to the cell phone company giving you physical control of an extension of their network, they’re apparently eminently hackable. But instead, I went to a talk on post-exploitation forensics with Metasploit. He made a module for Meterpreter that allows you, the attacker, to remotely mount a block device from a compromised victim machine. As a result, you can actually access the disk as if it were local, even to the point of using forensic imaging tools like EnCase on it. It’s slow, of course, but this brings capabilities to every hacker that… well, that the FBI and NSA have probably been doing to people for several years now.

I skipped the talk on bit-squatting, because I felt the description essentially encapsulated all there was to say about the topic. Due to quantum mechanics, thermodynamics, and other inescapable laws of physics, computers make one-bit errors pretty frequently. If you register a domain that is 1 bit off from a real domain, occasionally (very occasionally) someone who types in the real domain name perfectly fine will get sent to your domain instead. So if you are running a high-sensitivity business site, you might want to register all the valid 1-bit-off versions of your domain name, too, to keep malicious people from squatting it. It’s just typo-squatting with binary. From talking to people who went to the talk, they pretty much agreed that this could have been a 10-minute talk instead of 75.

Instead, I hit Aerial Cyber-Apocalypse. These people bought a cheap Army target drone, replaced the engine with electric, and added WiFi, GSM, and Bluetooth sniffers to it. The result: a tiny UAV, with GPS-guided autopilot, that can fly autonomously, circle an area, and eavesdrop on all the wireless networks and Bluetooth devices there, as well as hijacking nearby cell phones. Plus you can connect to the UAV via 900MHz radio and actually launch proactive attacks over the WiFi. Suddenly wireless networks inside a walled or fenced compound aren’t so safe. Though what this really made me think is “So, less than $2000 will make you a little aircraft, capable of carrying 20-50 pounds, that’s GPS guided and can take off, fly for over an hour, and land on its own on a 40-foot runway without any external control. Why exactly do drug smugglers build manned submarines instead of building these things by the dozen? 20-50 pounds of coke is not insignificant.”

Also during the day, Microsoft announced a $200,000 prize for development of the best new mitigation technology of the year. This is actually kind of neat — companies pay bug bounties all the time, but a prize not for finding something wrong but for finding a way to prevent exploits is new. They’re looking for things like StackGuard, DEP, and ASLR that have really made modern OSs much harder to exploit than older versions (well, except MacOS, which falls over if you blow on it.) On one hand, $200,000 is a lot of money, but on the other hand, you’d think someone who developed something like this would make a lot more money just starting a company to sell it instead of handing it to MS for a prize. Anticipating this, the terms of the contest say that collecting the prize gives MS the non-exclusive right to use the technology if they wish — including building a version of it into Windows if they think it appropriate — but does not sign over the IP to Microsoft. You retain ownership.

The evening’s Pwnie Awards included a well-deserved lifetime achievement award, and some very amusing award categories — all five nominees for “Most Epic Fail” were divisions of Sony, and the award for “Epic 0wnage” had nominees of Anonymous for the HBGary hack, LulzSec for hacking everyone, Bradley Manning, and Stuxnet. “Worst Vendor Response” went quite deservedly to RSA, for essentially losing the keys to the kingdom and then trying to cover it up, resulting in the Chinese breaking into Lockheed Martin.

For the evening, I went to the private Qualys reception at Yellowtail restaurant in the Bellagio and ate some sushi, while chatting with someone visiting from Germany. I then moved over to McAfee’s party atop Chateau at the Paris, where I spent a lot of time talking to security pros, as well as reminiscing about 1990s games with someone in a DOOM shirt (it said “IDDQD” and “IDKFA” on it.) Alas, I spent a little too much time there, as by the time I left to head to the WhiteHat Security/Accuvant Labs party (they had Crystal Method playing) at PURE, the club was full and they weren’t letting anyone else in, even those like me with invitations. So I took a taxi over to the Palms to drop into the Rapid7 party. Rapid7 (owners of the fantastic, indispensable, and free Metasploit tool) threw by far the best BlackHat party I’ve ever been to — normally these are fairly dull events (95% male, mostly standing around trying to talk over the music), but this was an actual party — I mean, people were actually dancing on the dance floor, which is unheard-of for a BlackHat party. Admittedly, part of what made it good was that Moon (the club on top of the Palms) is an incredible space — top of a skyscraper, roof open to the sky, balconies overlooking the Strip and the city on all sides, multiple levels so that there was both a “loud” area and a “quiet” (relatively) area so that both talkers & partiers could have a good time, etc. Still, it was a good time and pretty impressive for a vendor party. And thus ended Day 1.

attacks, crypto, mitigations, products