Tuesday, August 18, 2009

Defcon Roundup Part II

Saturday:
  1. Started out at Hacker vs. Disasters, but I bailed on the first speaker and instead went to the talk by Joe Grand on hacking parking meters. It just further reinforced my belief that society functions because there are not many talented bad guys. Or I should say, the effort to hack these systems outweighs the cost of using them legitimately. Still, the ability to frame other people is scary. Also, you can buy ANYTHING on eBay.

  2. Then went back to Hacker vs. Disasters to see Renderman talk. Didn't learn much but had a great time. Favorite quote: "Most people will be absolutely useless in a disaster. Actually that's not true. They are mostly made of meat..."

  3. Of course I went to the Mythbusters talk. I was blown away by how good a speaker Adam Savage was, along with the great topic "Failure". Like everything else in his life, Adam's failures truly were epic, and I think they need to show a copy of that speech to every kid in Intermediate/High School. It's an important lesson that failure is normal, and you can bounce back from it.

  4. PLA Information Warfare Development Timeline. Quick disclaimer, I've worked with the person who gave this talk, (and I found it hilarious that he originally used his name but later decided to use his handle instead). The talk itself was jam packed with information, though I had a hard time being engaged by most of it. Quite honestly I'm not shocked that another country would A) Develop military plans to fight the US, and B) Develop information warfare capabilities. It would almost be the height of irresponsibility if they didn't. This first half of the talk dealt with the rise of China's IW program, (along with the development of certain kinetic military capabilities). I really would have liked to stay around for the second half, but I needed to see the next talk since it correlates with some of my research.

  5. Sniff Keystrokes With Lasers/Voltmeters: I am in awe of these guys' presenting ability. They could talk about the weather and I'd show up. Just check out this video they created to demonstrate one possible use of their research. From a practical standpoint, the ability to read PS/2 keyboards via signal leakage into the ground wire was really scary. It was something that I hadn't even considered before, (and honestly would have gone "That's impossible", if someone would have suggested it). I wouldn't be surprised if the laser exploit gets deployed at next year's Defcon CTF.

  6. I am Walking Through a City Made of Glass: This talk once again focused on the Chinese hacking scene, but was slightly more useful to me since it covered the non-state affiliated Chinese hacker groups. It was refreshing to finally hear someone say that in addition to the attacks coming from home-grown Chinese hacking groups, other countries/groups are buying Chinese botnets/proxies to launch their attacks from.

And that was it for Saturday, (I spent the rest of the day wandering the CTF room, Vendor booths, etc).

Sunday:

I was freaking out about my talk, so I wasn't the best audience member. That being said, here is what I went to:

  1. Down the Rabbit Hole: This talk, (or at least the same title), has been given before at several other conferences, but I've always managed to miss it. It was fairly good, though as I said before I had a hard time concentrating.

  2. Hack the Textbook: I feel sorry for the presenters since it's hard to make a website that rates and corrects computer books sound interesting. That being said, this project has the potential to help the security industry more than any of the other talks given this weekend. We need to teach people how to write secure code, and if it takes off, this project has a good chance of helping people do that.

  3. Unmasking You: This was a solid talk, and some of the user fingerprinting was really nasty. I don't know how much these attacks are going to show up in the wild though.

  4. Search and Seizure Explained: A solid talk going over the different search and seizure laws. I hope I will never need to know the legal requirements that need to be met before a body cavity search can be performed on me when I'm crossing the border. Of course, that's one of those pieces of information where you REALLY need to know it if the situation arises.

And that was it for me. The rest of the time I spent in the CTF room and the speaker ready room. As for my talk? I don't remember most of it, though I think it went well. My demo didn't crash which was the big thing ;) I had a real good group of people show up for Q/A afterwards, and I apologize since I was still hyped up on adrenaline from the talk. That's why I have to practice my talk a million times before I give it, but once I get off script, (aka Q/A), pretty much all everyone got was a direct stream of consciousness feed from me laced with a healthy dose of profanity.

That was it for Vegas. I had a drink with some of the people, hopped on a cab with one of the Shmoo guys before the closing ceremonies were finished, and then spent the next two weeks googling my name trying to figure out what people thought of the talk ;)

I hope to see everyone at Defcon 18!

2 comments:

Steve said...

Reading signal leakage in a ground wire is pretty impressive. When you get to the van Eck phreaking scene, can you check to see if the author indicates whether Randy Waterhouse's laptop is plugged in?

You might enjoy this PDF:
http://applied-math.org/optical_tempest.pdf

Matt Weir said...

Yup, the laptop is plugged in. That's how they keep Randy from moving his laptop off the Van Eck reader. Regardless, the keyboard attack detailed in the Defcon talk only works with PS/2 keyboards. Laptop keyboards and USB keyboards currently are not vulnerable. That's why they developed the laser attack, (besides the fact that it's cool). The laser attack was specifically tailored to target laptops.