Monday, August 10, 2009

Defcon 17 Roundup

It hardly seems like Defcon 17 was only a week ago. Right now it alternately feels like I just got back from it, or it happened a million years ago. Ok, I admit it. That link has nothing to do with this post, defcon, or even the idea of "a million years ago", but I stumbled across it in my Google search for something more appropriate and I thought I should share. Librarian hackers: need I say more?

As I was saying, Defcon 17 occurred at some point in the past. I won't detail the parties that went on, though there were a few. The exception I will mention is the Toxic BBQ which was held on Thursday. Having skipped it the last two years due to various reasons, most of which involved the words "108 degrees", "outside", "off-site", and "laziness", I was truly amazed at how fun this event was. It also was the one event where you could relax, drink a few beers, (making sure to drink plenty of water as well - let me reference that 108 degrees again), and talk to people without music blasting in the background. All in all, I'm going to make sure I don't miss it next year.

Now on to the actual talks, which supposedly are the reason why everyone goes to Defcon in the first place.

Thursday:
I arrived too late to see any of these, but I heard good things about "Effective Information Security Career Planning" and "Hardware Black Magic - Building Devices with FPGAs". I really wish I could have attended the FPGA talk since, as you can imagine, there are a few ways that can help my research.

Friday:
Talks I attended:
  1. Beckstrom's Law: I saw Rod Beckstrom speak at last year's Defcon panel "Meet the Feds", and I have to admit that I didn't have a very high opinion of him. Later, when reading about his resignation from the post of Cyber-security chief, I had to re-examine my previous evaluation, as a lot of the points he made were very good. That being said, I managed to sit through about 10 minutes of this talk before I had to walk out. Between him promoting his book, explaining what DNS is, and warning us he might use "math", I realized he must have forgotten that he was giving this talk to Defcon attendees and not to your typical office boardroom. That's a shame too, since I looked at his slides afterwards (the ones on the CD, not the ones he used), and there was a lot of good stuff in them. The problem he was covering is extremely important, and I think everyone agrees that the way we currently value networks and computer security falls into "pick some numbers that sound right." That's not acceptable, and it's good to see someone trying to do something about it. I think in the future I need to focus on what Beckstrom writes and skip any of his live talks.
  2. Asymmetric Defense: How to Fight off the NSA Red Team with Five People or Less: As the name implies, this talk detailed how the US Merchant Marine Academy goes about participating in NSA's Cyber Defense Exercise with a limited budget. It was a good talk, and one that I would recommend browsing through when it becomes available online. It also annoyed people from the other service academies to no end which was amusing as well.
  3. More Tricks for Defeating SSL: This was THE talk of Defcon. I'm sure you've heard about it already, so I don't need to go into details. What made this talk amazing was not only did Moxie completely break SSL; not only did he do it in a way that was totally l33t (Pascal strings?!); not only did he show some scary attacks with it, like completely owning any computer that was running Firefox, but he gave a great presentation as well. When he showed the blurry code segment and asked us to find the bug (hint: it's the part with all the nested If statements), I was blown away by his ability to convey this information to the crowd.
  4. The Year in Computer Crime Cases: Yay EFF. The most interesting part was hearing about the problems they had trying to set up a secure war-room at Defcon last year.
  5. Defcon Security Jam 2: I eventually ditched this talk and went to grab some lunch. I think part of the problem was the general setup of this hybrid talk/panel session. It wasn't bad, but eating food was a better use of my time.
  6. Computer and Internet Security Law - A Year in Review: Of the three "law" talks I went to, this one was the best. It really helped explain some of the reasoning behind certain rulings, such as why the cops can obtain a warrant and force you to open up a keyed safe, but they can't force you to open up a combination safe. In that case, it's all about attribution: aka if you know the combo, the safe is probably yours. With a key though, all the cops can "prove" is you knew where the key was. Yah, laws are weird.
  7. Malware Freak Show: I wasn't able to get into Johnny Long's talk so I went to this one instead. Looking back, it just goes to show that it's good that life doesn't always work out the way you want it to. I always wondered what computer security measures casinos use. Now I have a better idea, and I was shocked to find out that in at least one case the casino did such a poor job.
  8. Fragging Game Servers: I love to hear Bruce Potter talk, so it was entertaining, but he and Logan really needed another two to four months of work before this presentation should have seen the light of day. I feel sympathy for them, as I've been in a similar situation myself. Most people don't realize it, but with these talks you need to submit a proposal around four months before the actual conference itself. This means the presenter usually has to make a few educated guesses about where they will be when the conference rolls around. Sometimes those guesses don't match up with reality.
  9. Something about Network Security: So of course I had to go to the Kaminsky talk. I originally was going to see the talk by Travis Goodspeed, since I'm just blown away by his work, but with all the craziness of the zf0 hack I wanted to see what Kaminsky's reaction to it was. Pretty much everyone took the view of "there but for the grace of God go I" with Dan being hacked. I have to admit, it wouldn't take much to completely 0wn me, so reassessing my security setup is certainly on my to-do list when I get back to Tallahassee. The talk itself wasn't his best, but a lot of that can be attributed to Moxie covering much of it earlier. In short, it was a tough week for Dan, though my opinion of him hasn't been diminished at all.
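For readers wondering what the "Pascal strings?!" aside in item 3 refers to: X.509 stores a certificate's CommonName as a length-prefixed (Pascal-style) DER string, so the name may legally contain a NUL byte, while a client that copies that name into a NUL-terminated C buffer stops reading at the first NUL. The model below, written for this post as an added example and not code from the talk, the post, or any browser, shows the two halves of that mismatch: a CA that verifies ownership of the rightmost labels of the full name, and a client that compares only the C-string prefix. The domain names, the two-label "owner domain" rule, and the minimal DER helpers are constructed assumptions for illustration only.

```python
"""
NUL-byte CommonName mismatch between a length-prefixed DER string and a
C-string client check.  Added example; the names, the simplified CA rule
and the DER helpers are constructed for illustration.
"""

# Constructed attacker-chosen CommonName.  The owner of attacker.example
# asks for a certificate whose CN *starts* with a victim hostname.
MALICIOUS_CN = b"www.bank.example\x00.attacker.example"
VICTIM_HOST = b"www.bank.example"


def der_utf8string(value: bytes) -> bytes:
    """DER-encode a UTF8String (tag 0x0C) with a short-form length byte.
    The length covers the whole value, NUL included: a Pascal string."""
    if len(value) >= 128:
        raise ValueError("short-form length only in this toy encoder")
    return bytes([0x0C, len(value)]) + value


def der_decode_utf8string(encoded: bytes) -> bytes:
    """Length-driven decode: reads exactly as many bytes as the length says."""
    if encoded[0] != 0x0C:
        raise ValueError("not a UTF8String")
    length = encoded[1]
    return encoded[2:2 + length]


def ca_owner_domain(cn: bytes) -> bytes:
    """Simplified model of issuance (assumption): the CA checks that the
    requester controls the rightmost two labels of the *full* CN, which
    for MALICIOUS_CN is attacker.example, so it happily issues."""
    labels = cn.split(b".")
    return b".".join(labels[-2:])


def cn_as_c_string(cn: bytes) -> bytes:
    """Model the vulnerable client: the CN lands in a NUL-terminated
    buffer and every later comparison stops at the first NUL."""
    nul = cn.find(b"\x00")
    return cn if nul == -1 else cn[:nul]


def matches_vulnerable(cert_cn: bytes, expected_host: bytes) -> bool:
    """Hostname check as a NUL-terminated client would do it."""
    return cn_as_c_string(cert_cn) == expected_host


def matches_fixed(cert_cn: bytes, expected_host: bytes) -> bool:
    """Hardened check: refuse any embedded NUL and compare the complete,
    length-delimited value rather than a C-string view of it."""
    if b"\x00" in cert_cn:
        return False
    return cert_cn == expected_host


def walk_through(cert_cn: bytes, victim: bytes) -> dict:
    """Round-trip the CN through DER, then run the CA-side and both
    client-side checks.  Returns the results for inspection/testing."""
    decoded = der_decode_utf8string(der_utf8string(cert_cn))
    return {
        "der_roundtrip_ok": decoded == cert_cn,
        "ca_verifies_owner_of": ca_owner_domain(cert_cn),
        "vulnerable_client_accepts": matches_vulnerable(decoded, victim),
        "fixed_client_accepts": matches_fixed(decoded, victim),
    }


if __name__ == "__main__":
    for key, value in walk_through(MALICIOUS_CN, VICTIM_HOST).items():
        print(f"{key}: {value!r}")
```

The instructive part is that every step is individually "correct": the DER round-trip preserves the NUL, the CA really did verify attacker.example, and the C-string comparison really does equal the victim name. The flaw is only in the seam between the length-prefixed encoding and the NUL-terminated consumer, which is why the hardened check rejects embedded NULs outright instead of trying to be clever about them.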
And that was my Friday. I'll leave Saturday and Sunday for a later post.
