Slashdot Mirror
Domain: defcon.org
Stories and comments across the archive that link to defcon.org.
Comments · 168
-
New Tor attacks and anonimity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-
New Tor attacks and anonimity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-
New Tor attacks and anonimity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-
New Tor attacks and anonimity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-
New Tor attacks and anonimity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-
New Tor attacks and anonimity attacks all the time
Attacking Tor at the Application Layer
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
Unmasking You
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Down the R
-
Guess who is INSIDE your pc/mac/etc?
Subject: Every computer hackable by Radio Freq?
- a global conspiracy?This lady claims to have found some strange things on her Windows PCs and Linux!
Subversionhack Archive
https://tagmeme.com/subhack/So, with modern blackboxed hardware components, are all of our PCs hackable via radio frequency / ham packet radio type of blackbox voodoo?
Dig deep, I've found no other site like this. Are Linux/BSD varieties vulnerable?
http://www.invisiblethings.org/code.html
http://www.invisiblethings.org/papers.htmlAND
This talk explores three possible methods that a hardware Trojan can use to leak secret information to the outside world: thermal, optical and radio.
In the thermal Trojan demo, we use an infrared camera to show how electronic components or exposed connector pins can be used to transmit illicit information thermally. In the optical Trojan demo, we use an optical-to-audio converter to show how a power-on LED can be used to transmit illicit information using signal frequencies undetectable by human eyes. Finally, in the radio Trojan demo, we use a radio receiver to show how an external connector can be used to transmit illicit information using AM radio transmission.
http://www.cvorg.ece.udel.edu/defcon-16/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Kiamilevfools laugh and cry tinfoil, others read and learn and decide for themselves
http://subversionhack.livejournal.com/1815.html
"I sincerely believe that Blue Pill technology will (very soon) allow for creating 100% undetectable malware, which is not based on obscurity of the concept. And I already stressed this in the description of my talk here (http://syscan.org/program.html) and here (http://blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Rutkowska). The working prototype I have (and which I will be demonstrating at SyScan and Black Hat) implements the most important step towards creating such malware, namely it allows to move the underlying operating system, on the fly, into a secure virtual machine."
- http://theinvisiblethings.blogspot.com/2006/07/blue-pill-hype.htmlhttp://rayer.ic.cz/romos/romose.htm
"The ROMOS is a stand-alone x86 code allows you to load and run your own binary code or 3rd-party code. ROMOS rely on BIOS functions only so it can be executed directly without any operating system. The main purpose of ROMOS is to be placed in a ROM, from where it can load/run other software (e.g. bootmanager, HW diagnostics, special controlling software...) during POST (Power-On Self Test) while your PC is booting up. It can also load DOS-based operating systems (may be other OSes) such as FreeDOS stored in ROM together with ROMOS. This mean that any floppy/harddisk/CD-ROM drive is not needed. It may be very useful in various embedded diskless systems. Or simply as reserve OS for rescue use. Other applications are on you."
mark this offtopic while you browse for porn to satisfy one more rub-one-off session, despite it containing more than the OP.
-
Re: WHY would you "secure" a WLAN?
SSL doesn't always mean secure either.
See the third video here: http://www.defcon.org/#earlyVids
-
Video Of The Defcon Talk
For more information about null-prefix attacks, the video is here.
-
Discussed at DefCon 14?
As far back as DC14, Riley "Caezar" Eller gave a talk on MANET, the possible uses such a network (or an analogue) could have if used for ad-hoc cellular networking, and possible attacks against it. I recall the example he gave was of a bar in Seattle which is constructed of materials that attenuate or completely block cell coverage... except near the door. He suggested that a hybrid cellphone, one that could use regular cellular infrastructure and fail over to ad-hoc networking would allow phones near the door to act as conduits for phones inside... or something like that. I'm too lazy to find the actual talk, but the DefCon website has a brief synopsis.
It was definitely an interesting talk, and apparently well before its time if this is just making news now.
-
Vcc/clock glitching
This is also an interesting development because Costis achieved the same goal as the decapping of the original GameBoy CPU, but with vastly cheaper equipment (< $100) and probably in less time (< 1 week).
Glitching is a neat technology; it's most famously used by "card unloopers" for smartcard hacking, and is also used by modern Wii modchips. Travis Goodspeed gave a neat presentation at DefCon 2009 about glitching, and has released some open-source hardware which will eventually support glitching target microcontrollers. Given the right software, that board alone would probably have been enough to perform this hack. -
Re:Right...
Well, they presented it just a couple weeks ago at DefCon, so apparently their right hand isn't quite on speaking terms with their left hand. There were some...pointed questions from the DefCon crowd, though, which they didn't have good answers for. One big concern for me, which I didn't see them address well: how do you bootstrap this? (Ie, why not just block downloads of the application itself, or arrest everyone who does download it?)
-
If true, a SERIOUSLY broken opt-out...
If this is a true description of the opt-out, it is SERIOUSLY broken.
Simply put, any opt-out mechanism MUST enable the user's computer to properly receive an NXDOMAIN response. Because the problem is NOT the advertising web page on a web browser typo for http, but all the other things that do DNS lookups.
For example, NXDOMAIN wildcarding even snagged and confused Dark Tangent into thinking that someone was trying to MitM the Defcon forums!
I can accept an ISP doing this only under the following conditions:
a) The opt-out is a one-click item on the page
b) The opt-out is perminent and for all connected through that IP/customer link
c) The opt-out is a real opt-out which will cause NXDOMAIN responses to be properly returned as NXDOMAIN.
This clearly fails B and C.
-
There is a way around that.
Simple. Change this:
The court also ruled that, 'given the evidence that there is no wireless router involved in this case, the Court excludes Kim's opinion that it is possible that someone could have spoofed or hijacked Defendant's Internet account through an unprotected wireless access point.
To this:
The court also ruled that, 'given the evidence that there is no wireless router involved in this case, the Court excludes Kim's opinion that it is possible that someone could have spoofed or hijacked Defendant's Internet account.
Then a demonstration. Take a PC into the courtroom and hook it to a cablemodem. Then tell the guys at Defcon to give the judge a live demonstration of pwnage.
-
Re:Linux
I wonder if VMS was even allowed in the competition. Yeah, I know: "It wasn't banned, the rules were changed!"
-
You can lose if you don't play
A presentation by Nathan Hamiel & Shawn Moyer at DEFCON 2008 suggested that people who don't play are easier to spoof, as colleagues and family members may be tricked into accepting an imposter as the real you. They suggest creating a minimal presence, if not actually using the sites actively http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-hamiel-moyer.pdf
-
Re:When will people learn
-
Something to try:
Next time you think operating system XYZ is so secure that nothing unwanted can get in, go to defcon, turn on your laptop and it's wifi and connect to the local access point. I give you 10 minutes before someone is downloading all your porn.
People who think anything is immune on a network are laughable.
-
The Death Envelope: A Medieval Solution
Matt Yoder spoke at DEF CON 16 on this very problem, his talk was called "The Death Envelope: A Medieval Solution to a 21st Century Problem" His speech isn't on-line yet, but his presentation materials are here:
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-yoder.pdfHere is what the talk was all about:
While many aftercare solutions and recommendations cover "average American" needs, none have tackled, full-on, the needs of the rapidly growing high tech segment of the population. As the amount of passwords and other secret "brainspace-only" information grows for many, many, individuals, it becomes obvious that a solution is needed for the dispensation of this information in the event of one's death or extreme disablement. It turns out that this solution may be the humble paper envelope.
This talk begins to examine an approach to handle this problem, offering many suggestions, from the extremely reliable low-tech end, through hybrid and high tech solutions to the problem. It covers, as well, recommendations for what to include in one's envelope, and how to ensure its safety, security, and integrity. It also discusses why a wax stamp, sealed by a signet ring, no less, may still offer the best envelope tamper detection that exists.
-
Open Source Framework released at DEFCON
These guys are late to the party.
FYI, Adam Bregenzer released an open source framework at DEFCON this year that provides pseudo-automatic multithreading, distributed password cracking capabilities AND takes advantage of existing commercial cloud computing services (ala Amazon, et. al.). The framework is easily adaptable to any number of computationally intensive applications, though he provided hard numbers and demonstrations from his work using coWPAtty and John the Ripper.
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Bregenzer
-
Re:Not much information
It seems to be a bit different from that. It's much more like classic syn cookies. They send REQUEST (syn) from any of many hosts without any need to keep state. They get back CHALLENGE (ack) to the host which they gave the IP address of in REQUEST. Looking at the data in the CHALLENGE, they have enough information to create RESPONSE and fully open the TCP connection. There's no link from one connection to another. That means that they have partially, but not completely broken the protection of syn-cookies. They can attack from many hosts whilst giving away only one of their IP addresses. Finally, from that stage, if they want to continue then according to their Unicornscan DefCon Presentation then they need to keep state.
Summary: Syncookies protects you against people who can't afford to give their own IP address (as it always did) but it doesn't protect you against people who can afford to give their IP address (as it never did) even if they only want to give a few IP addresses (this is new) or have very small memory resources (this is new too). Most importantly; if you start responding only to certain requests in the hope of driving up the resource utilisation for a DDOS, they can now handle that efficiently. DDOS has become a bit more accessible. They claim to have some other attacks which link with this. Those are more likely to be a large problem.
-
Re:How useful is DNSSEC w/o top-level signed?
I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. [...] If so, then when your ISP queries one of the thirteen root servers for the
That would be my exact understanding as well.
The details are these: Every node in the DNS tree has a key pair. Everybody knows the public key of the root. Every response to a request contains an answer, and a signature on that answer. As an additional request, you can ask for public keys too.
So, here's the scenario for going to whitehouse.gov, assuming full deployment of DNSSEC:
- Ask root for whitehouse.gov
- Receive IP of nameserver for
- Ask
- Receive IP of whitehouse.gov [check sig]. Also,
- Connect, now you know where to go
This secures step 4. Step 2 is still not secured. Paul Vixie has given some good talks on DNSSEC and everything else that's wrong with the interwebs
-
Re:So?
They do not however, have any right to deny people their fair use rights
Fair use is a defense, not a right.
IANAL, TINLA; see http://en.wikipedia.org/wiki/Fair_use. I've heard those words spoken by a female lawyer in a slashdotter-friendly context. I think it was Cindy Cohen, either relating to EFF, Defcon or both, but I may be wrong; check http://www.defcon.org/html/links/defcon-media-archives.html (check it even if you don't care, you might learn something really fucking awesome).
What does it mean that fair use is a defense and not a right? It means that someone can prevent you from doing the things permitted under the fair use doctrine without limiting your ability to exercise your rights (as I understood and remember it).
Also, when assessing whether something is legal, take current and recent findings of the judiciary body into account; they may be more relevant than what the US Code says.
-
Don't appluad the PI statutes.
Scott Moulton gave an excellent talk about Computer Forensics professionals needing Private Investigator (PI) licenses at Defcon 16. Basically the Private Investigator lobby has been pressing state legislatures to classify computer forensics as PI work. This does little to guarantee that the public is protected against poor/shoddy computer forensic work, and it does everything to increase the number of dues-paying members to the PI licensing body.
The law may be making the online community happen, in this instance, where it is causing the RIAA grief. But on the whole, laws like the Michigan law are not good for the computer forensic and computer security community.
Scott Moulton's talk at Defcon 16: http://defcon.org/html/defcon-16/dc-16-speakers.html#Moulton -
Re:I don't get it.
You don't got to *do* hacking, you go to learn about hacking from people in the same building (thus requiring little to no B/W).
You have clearly never been to defcon, and/or miss the point of the con altogether. Sure, there are great speakers giving talks about important and relevant topics. Some of them are even useful...
But the larger part of con the for a lot of the attendees is to get together with like-minded individuals and...wait for it...hack.
Here are some examples of the hacking that went on at this year's defcon. The Lost@con Mystersy Challenge results aren't there, and as a participant I can tell you that it required breaking crypto, circumventing physical security measures, debugging code, hardware hacking skills, and trick-or-treating, among other things. I don't know what your definition of "hacking" is, but it should probably include a few of those.
This also doesn't mention some of the cool things going on in the lock-picking village, the hardware hacking village, the wi-fi village, etc...
And from what I have heard about Defcon you are best to not bring any of your own devices at all, lest you end up hacked yourself and on the wall of shame.
Most people I know wipe and reimage their machines after spending any time at all on the defcon network. They call it the most hostile network environment on the planet for good reasons. That being said, the Wall of Sheep has absolutely nothing to do with being "hacked", it simply displays usernames and (partial) passwords for people who are too stupid or lazy to use encrypted protocols. If you show up at a hacker convention and can't be bothered to use TLS or SSL for your email, you deserve to be shamed.
-
I was at DEFCON - the author is confused
The author of this post seems to be really, really confused. There were multiple presentations on ways to hack your Google accounts and Google security flaws, etc.
There was a presentation on howto exploit Google Gadgets (which have access to your local javascript), a few presentations on Cross-Site Request Forgery (CSRF)(which you can do to send your own HTTP requests as the visitor if you have your own image or iframe on the page), and a presentation on hijacking your sessions if you ever access a site over plain-text (non-SSL), and putting the password page on SSL doesn't help (this requires the attacker to be on your local network!!!!!!!).
The title of the post sounds like they're talking about The Middler, a Ruby-based proxy by Jay Beale for intercepting all user data on a shared network, such as a coffee shop, where you can get users to go through your proxy.
If the author is talking about The Middler
Jay Beale's talk was the one the mentioned SSL the most, so I'm gonna guess that the author is talking about that, even tho the article seems to mix everything up.
To see the descriptions of the actual talks and whatnot, visit the DEFCON schedule: https://www.defcon.org/html/defcon-16/dc-16-schedule.html
-
Re:I fail to see what's so spectacular about this
seriously, what is so special about this ?
Wow... Someone has a serious lack of Imagination. Here is what is special about this:
These guys manage the most actively hostile network on the planet. Just bringing your laptop/cell phone/PDA within wireless range of this event is asking for trouble. These are the people that put your username/password up on a giant wall of sheep if you choose to use an unencrypted connection for e-mail/web browsing.
Have you considered the challenges of maintaining a server in this environment? You are one giant target for the world's largest collection of black/grey/red-hats in the world. Let's just say that there would be a substantial amount of "iStreet-cred" if you were to 0wn the firewall.
Now, if you read the article, they describe how they setup their wireless network. They keep things very simple and maintain centralized configurations. If you are setting up a network in a potentially hostile environment, their model is a good one to follow. Why? Here are a few reasons:
- Users: 2,226 and 3,801 DHCP leases issued
- 22 Access Points deployed
- Man-in-the-Middle Attacks detected: 215
- DoS Attacks: ~80
- Rouge AP's Detected and Destroyed: 130
- Wireless Bridges Detected: 300
- ARP MAC Spoofing Attempts: 836
- Traffic for the last 30 hours: IN 12gb / OUT 1.2gb
Think your network can handle that? Let's take a look at one of the interesting ones - the Rogue AP's.
The people that run defcon (and many of the attendees) eat these attacks for lunch. These people triangulate wireless signals within a high-em noise environment with enough multipath to give K-9 a headache. They manage to actively seek and destroy rogue AP's (not to mention the ARP spoofing!) while maintaining a healthy network. You don't think that's special!?
Now, what about hardware reliability? Heck, if I had a choice between two pieces of gear and one of them had a "Survived DefCon 2008" sticker on it, I could tell you what I would be picking up. They had a nice Cisco fiber switch (no real surprise) but I have never heard of the Aruba AP's before. I know I'll at least check them out now. Do you not think that exposing battle-proven hardware to electronics-consuming people is special?
Look at the software too. BSD & pf. No real surprise there either. When you want ungodly-stable network filtering - that is the way to go. Don't take my word for it. Heck, don't take BSD's word for it. The setup survived the hacker Olympics with no downtime. THAT is what is special about it.
-
Re:The mandatory comment
Well, considering they can get Linux to run on a toaster, you'd think that would be a no-brainer...
-
Re:How about reprogramming it as a CPU?
I beg to differ...I seen it run at Defcon... http://pics.defcon.org/showphoto.php?photo=53&cat=512
-
Re:SImple, blackhole the IP space
It really isn't that simple. I'd refer you to my own work (http://www.usenix.org/media/events/lisa07/tech/videos/josephsen.mp4, and http://media.defcon.org/dc-15/video/Defcon15-Dave_Josephsen-Homeless_Vikings.mp4 ) or that of Nick Feamster at Georgia tech. They've been hijacking address space via short-lived BGP prefix hijacks for at least 5 years now, and It is exactly the attitude of "we'll just block X" that got us here in the first place. If you use RBL's and make the arms race about IP's , then the most direct response is to attack the network layer and/or IP space. Further there are real world reasons why IP filters just aren't going to work on a global scale. For that I'd refer you to the work of Mohit Lad at UCLA. There is an economic layer on top of BGP. The effect of no-valley routing is that you're going to get route propagation from folks you think you can trust but cannot. It's a bit much to get into here, but off-handedly blacklisting more shit isn't the answer here, it's the problem.
-
Darknet Routing
Did they ever address the attack on their darknet routing algorithm that was presented at http://www.defcon.org/html/defcon-15/dc-15-speakers.html#Evans?
-
Re:Frog giggingWhat happens when you cut its strings(jam the signal)? Will it have a hover failsafe, or will it fall straight to the ground?
It doesn't matter unless they somehow use a mechanical failsafe - not impossible but so unlikely it doesn't actually even bear mentioning.
It doesn't matter, because you can use a HERF weapon (search for "HERF", watch the video... I haven't, but anyway) to confuse the thing. Just point a sufficiently strong HERF at it, the antenna will pick up the signal nicely, and channel the information straight into the receiver, which will deliver it unto the rest of the system. Radio controlled vehicle gyros are all electronic.
-
Re:DespicableReporters are paid to go and get the story. The only ethical lines they have are to report the truth in a fair manner. If the losers at DefCon really weren't doing anything wrong, they'd invite reporters in, with cameras and tape recorders and all the rest. Not to everything, but to enough that the press could see the complete and utter lack of a black-hat trading show.
(And if it IS a black-hat trading show -- well, then I've got no respect for them.) The media *can* go in, they just have to admit to being part of the media; From the Defcon FAQ: Q: I'm press, how do I sign up, why can't I get in for free (I'm just doing my job)?
A: Please email press[at]defcon[dot]org if you wish press credentials. Lots of people come to DEFCON and are doing their job; security professionals, federal agents, and the press. It wouldn't be fair to DEFCON attendees if we exempted one group from paying. If you are a major network and plan on doing a two minute piece showing all the people with blue hair, you probably shouldn't bother applying for a press pass - you won't get one. If you are a security writer or from a real publication please submit, and someone will respond with an answer. -
Am I really surprised?
Not at all, consider for a moment that 90% if not more of these people are more paranoid then the average paranoid person, and as part of the annual event they have "Spot the FED" contest ( http://defcon.org/html/defcon-15/dc-15-stf.html ) one would think this would be a pretty stupid idea. If they had sent in a tech that actually fit the part they might have had a slim chance, but sending a pretty girl in there was pretty much doomed from the beginning. Too bad for her now, likely within the week her entire life will be on the world for display. Congrats NBC for ruining someones else's life.
-
Re:Heh.
I'm more amused by the fact that Symantec seems to think that repeating 4-month-old DefCon presentations and claiming them as thier own is somehow "newsworthy" or "dangerous."
-
Kid programming
-
Re:Okay, its about time...
Reply: I beg to differ. I have [cough] friends that download movi^H^H^H^H^H content from the internet, and some dvd rips^H^H^H^H^H^H^H database files can be larger than 4GB! Even at a good (cheap) DSL line of 1KBPS it still takes quite alot longer to download content than it would take to go to blockbuster^H^H^H^H^H^H^H the office and pick up physical media with the data on it.
Of course it's going to take forever on Cup-Net!. I have a 10mbs/800kbps cable connection and it's quicker for me to DL a movie than to go to the video store (or order pizza and wait for it to arrive, though I still do that on occasion). My ISP (RCN) even offers a 20mbps/2mbps connection in some areas now. The bandwidth is there, you just have to be willing to pay for it. -
Re:This is why...
This has been mentioned before here and here. One wonders why it took a Wired article to put forth what has been mentioned by CNN among other sources.
-
Re:First Of All, Congrats
There is more history here than meets the eye. Yes, Window used to work for MS but before that she worked for @Stake. . You remember them? The security company founded by a bunch of hackers! Window herself was involved with similar groups before then such as New Hack City and Messiah Village. She has a been a regular attendee at Defcon and other hacker cons such as Pumpcon and Summercon. Even now she has tight relations with group that was formed by old hackers from @Stake and earlier Matasano.com.
What does all this mean? It means that Mozilla is getting one smart person to work on thier security. -
Re:deadlocks
I met this girl at Defcon at the "Things That Go 'Bump' in the night" talk. These guys say it works on pretty much every USPS and Mail Boxes Etc. mail box in the US as well, not just doors. You can put a deadbolt on a house, but AFAIK you can't do anything about your mailbox (except get one elsewhere or not have one at all.)
-
Banned from DefCon for being Cool and UnhackableBanned from DefCon every one,
Banned from DefCon just for having a little fun,
We brought a little Alpha there
Just a crew of four
But DefCon doesn't want us any more
I wonder why. .
OpenVMS was banned uninvited with quick rules change. Only those less secure operating systems need show up. Microsoft will always be welcome. -
re
When exploits require administrator/root access in the first place in order to function, interest level drops to 0.
This exploit-requiring-admin reminds me of another recent speech, namely http://www.defcon.org/html/defcon-14/dc-14-speaker s.html#Lin0xx which was quite boring.
*yawn* -
DEFCON!
-
The Security Industry Does Not Want Security
There's an entertaining presentation from Defcon X given by Gobbles (with help from Silvio Cesare and The Unix Terrorist) - 'Wolves Among Us' - the video is worth watching for a laugh, several laughs, at the expense of many so called experts. http://www.defcon.org/html/links/defcon-media-arc
h ives.html
Silvio: "The Security Industry Does Not Want Security, They Want Insecurity" -
Re:Nothing New
Sounds like the presentation by Lukas Grunwald at defcon 12.
(more resources here (and video!) -- just search for "smart-labels") -
Re:Nothing New
Sounds like the presentation by Lukas Grunwald at defcon 12.
(more resources here (and video!) -- just search for "smart-labels") -
Re:Nothing New
Sounds like the presentation by Lukas Grunwald at defcon 12.
(more resources here (and video!) -- just search for "smart-labels") -
My Profession
I am an American.
I love to code.
Do I take pride in my code? Sure I do. Is it world class? Probably not.
I'm also a gainfully employed and working on my masters in--you guessed it--computer science. And I log on to Slashdot today to find someone saying that my country failed to 'represent' at some "TopCoder" world-wide coding contest.
Oh well. I don't think I would need to study for this competition, in college I never studied for a computer science exam. It was my theory that if I couldn't deduce the problem on the fly, then I shouldn't be coding at all. Coding isn't about regurgitation or memorization, it's about how you instinctively attack a problem. Certain courses can't make you memorize stuff to be a better coder but they can give you a bag of tricks or arsenol with which to attack problems. The stuff I hate about computer science--documentation, systems integration, etc.--that stuff is memorization.
I'm busy and I would bet that our nations top coders are also busy. We don't have a month of vacation a year and if we did, we'd probably spend it around finals time to relax while our exams are hammering us.
Sorry, Carl Bialik from WSJ (who has had 20 of his own stories posted on Slashdot since March 14! <sarcasm>For Christ's sake, just give Slashdot's frontpage a "Carl RSS news feed" already!</sarcasm>) but I wasn't there to represent my country. I noticed that it was held in Las Vegas. You know what would be interesting? If they held it the same weekend as DefCon in Las Vegas.
I know this sounds hilarious and backward but I believe most of the best coders thrive on the "bad guy" image and would hate to win a competition that makes them look like an AMD (TopCoder sponser) poster boy tool. They'd rather have their hacking alias spray painted all over the RIAA's frontpage than a blue ribbon at a coding contest. Does anti-social behavior come hand in hand with gifted coding? It would seem so, but I haven't done/seen any studies on it.
So what if I went to this competition and was "Sixth best coder"? I probably wouldn't get much for prizes, my coworkers would just view it as proof that I am utterly socially inept, I would spend money and time on the trip with little to gain. I don't see my employer encouraging it or offering raises based on it. Sounds like fun but I'm not going out of my way to attend it. -
FreeNet
The safest and most anonymous protocol I've seen is Freenet. If anyone was lucky enough to see the Freenet presentation at DEFCON, they illustrated how a message could theoretically be sent over a trusted social network, location-independent and subsequently anonymous. The theory proposed that instead of a massive random anonymous freenet node network, Freenet would begin to integrate normal human-like social networks, allowing users to "validate" the identity of other users without compromising anonymity (Somewhat like a PGP-key signing party). Each user would pick a random number, and based on their social network of trusted friends, their number would be switched with other users, giving the illusion of proximity. Not only was the proposed theory location-independent, they also illustrated how a man-in-the-middle attack couldn't happen without being completely obvious (In the presentation, it was illustrated that a message to a false "John Kerry" would take a large and noticable amount of hops (if the message got there at all) because "John Kerry" doesn't have a normal social network that would be apparent with a prominent political figure). Of course, I do see how this method could possibly be vulnerable (As we all know how easy social engineering can be): A) A "trusted" person who is being used as a hop point could intercept the message and compromise security. (A risk you take when trusting friends, and friends-of-friends) B) The message sender or receiver could be compromised, and a person could theoretically follow the chain of hops to the other party involved.
-
What's changed in Freenet?
There's not much meat in the abstract of Clarke's Defcon presentation, and no clues on the Freenet site. Can anyone explain the new routing algorithm or point me to some documentation?
