Blackhat/Defcon Report
Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."
Looks like the 503 Errors with Firefox are really slowing down discussions.
The article mentioned that the new number range search feature in Google could be particularly dangerous. Maybe I'm a little naive... why is it so dangerous?
--- There are two kinds of people, those who accept dogmas and know it, and those who accept dogmas and don't know it
I have been thinking of going to defcon for the last lil while, and maybe will be able to next year. The trip would also need to include my g/f, she knows a bit about computers, but not a whole lot. In your opinion, would there be enough for her to do there, or should she venture other places?
I've attended the past 7 defcons, and I'm starting to feel like it's losing its magic. The first defcon I went to (defcon 3) had a crowd that was much more focused on doing meaningful hacking (some ethical, some otherwise) in the field...it seems like now it's a bunch of 20-year-olds who think they're hackers because they know how to reprogram the MAC address on their Linux laptop.
Maybe I'm just getting old, but it feels like the good old days are passing me by.
Who is fighting to save slashdot?
Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11?
I'm afraid we don't need Black Hat/Defcon to tell us this. Just yesterday we had major terrorism alerts about specific targets and today we find out the information was all years old. Does that mean the buildings weren't targets still? Well, seeing as some of the info went back prior to 9/11, it would make it seem a fairly safe bet that the seriousness of the threat was vastly overstated. So we know what they haven't learned quite well, and many of us keep hoping they'll stop crying wolf without good reason. It's only so long till most Americans start ignoring the terror alerts as things now stand, something that would be very bad.
I'm sure there were plenty of more interesting things at Black Hat/Defcon though. :)
Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported.
As it applies to 9/11, I'm fairly certain that OBL and his boys are more willing to shell out the cash for the folks who can find undiscovered vulns than for scripters who get their rocks off by passing around " 'sploits".
Given this, I doubt there is too awful much one can learn about securing the network completely against future attacks.
Quo usque tandem abutere, Nimbus, patientia nostra?
Questions were asked about what "going over the line" meant. Assclowns like Crimethinc are exactly what you'd want to point at and say "that's what I'm talking about." Disagreeing with the government (or even just Republicans) is one thing, but going around encouraging people to vandalize websites/etc is something else.
Jesus. No wonder he looked like he was expecting to be arrested.
Can we get an official word on what's going on?
Sunny Dubey
One of the articles speaks about a guy who spoke at Defcon and promoted giving those attending the Republicats convention a hard time.
What surprised me is that the journalist did not have any problems with having the guy thrown out simply because the guy's speech was controversial. They justified censorship by stating that they had to stop him for his protection. Since when does a person in America have to abdicate his own personal responsibility and be protected for his own speech?
As far as I can tell from their web site, Crimethinc does try to take people out of apathy, but their most important weapon is language:
http://www.crimethinc.com/library/english/contents.html
http://www.crimethinc.com/library/english/libselect.html
from the article:
Christy had mentioned that one of the things they were doing at Defcon was recruiting. He went on to tell the crowd that if they were interested, and "had not gone over the line," to talk to him afterwards. The "had not gone over the line" comment became one of the hottest topics during the Q&A.
It appears that the lessons the intelligence community has learned from 9/11 have not yet trickled all the way down through the federal bureaucracy -- particularly that bit about the failure of our intelligence pre-9/11 being primarily because of our loss of vital HUMINT owing to both budget and moral directives. When the CIA was told it could only use politically correct HUMINT operatives, it lost its most vital flow of intelligence.
Actually, I think the remark in question -- "had not gone over the line" -- meant no criminal record, stable finances, etc. required of regular government employees who need clearances, like programmers and sys admins. IOW, they were looking for technical staffers for work at HQ.
The PC'ness at the CIA regarding HUMINT referred to who they could and couldn't hire as intelligence sources. E.g. (hypothetical examples here), several years ago, the CIA could hire a mid-level Iraqi military paper-pusher to smuggle out documents about what Saddam was up to, but at the same time couldn't hire a low-level al Qaeda operative to do the same because he's gone through terror training involving weapon experiments on animals. Even if the operative could give excruciating details about the next terror strike (such as time/place/MO), he had done those evil experiments on animals, which somehow made him ineligible for the CIA payroll. (How such rules came into effect I don't know.)
Whether or not US intelligence has changed this since 9/11, I don't know the answer. I do know that one such scenario I described above was something discussed at length by news orgs immediately after 9/11 as speculation for why US intelligence failed. (IMO, there shouldn't be such silly restrictions on who the CIA can hire as sources. If the source gives good info, pay him for it to encourage more. If he doesn't, or the stuff he gives turns out to be unreliable, stop paying him.)
But as for "going over the line" - for what the guy was looking for in personnel, he means things like ability to pee in a cup cleanly, unlike Ricky Williams, and not having a rap sheet.
"We got the call for trouble in the room. The gentleman, I was told, was preaching sedition. I knew that we had to take some steps quickly preventing that. Defcon is definitely for free speech, definitely for legal civil disobedience. But not anarchy, not psychopathic destruction of property. " [Emphasis mine]
Civil disobedience is, by definition, illegal. That's the whole point of it.
How is it that the members of the most dovish American ideology when it comes to foreign policy always seem to be the ones inciting violence against their domestic enemies? CrimeThinc (yes, I actually read the article) is just one of a long line stretching back to the Weatherman Underground and the SLA up to the Seattle WTO protestors smashing windows. Discounting lone nuts like Timothy McVeigh (and remember that the Oklahoma City bombing was universally condemned among conservatives), how is it that the half of America which owns guns is never the one calling for violence?
Crow T. Trollbot
So the guy who spoke at Defcon argued for giving those attending the Republicats convention a hard time. So what?
What surprised me is that the journalist did not have any problems with having the guy thrown out simply because the guy's speech was controversial. They justified censorship by stating that they had to stop him for his protection. Since when does a person in America have to abdicate his own personal responsibility and be protected in his person for his own speech?
As far as I can tell from their web site, Crimethinc does try to shake people out of apathy, but their most important weapon is language:
http://www.crimethinc.com/library/english/contents.html
http://www.crimethinc.com/library/english/libselect.html
Possibly one of the highlights was getting pics of Woz and Mitnick standing a few feet apart from each other; with Woz on his Segway. Pretty cool.
-brain
I've heard of "hacktivists" targeting child pornography sites. This makes a little more sense. But vandalizing a legal website, even one you disagree with, seems childish and malicious.
Yes, I RTFA, and somehow I didn't see much about our intelligence agencies "not learning much since 9/11". I suppose the summary is referring to not hiring crackers that have done illegal stuff, but that's moronic -- if the NSA would reject someone for a job breaking into things BECAUSE they know how to break into things, we are all in big trouble.
Would something like this get modded up to +5, Interesting?
Having the wrong opinion and voicing it is generally okay.
Free speech ends when you're inciting violence.
I haven't been to Def Con in a couple of years. I went the first year they were at the Alexis Park, and it was OK. Went back the next year, and they'd clearly outgrown the venue. Wasn't able to get a seat for ANY of the talks.
I don't know if they've signed some sort of long-term contract, or maybe they've just gotten kicked out of everywhere else, but I'm not going back until they get a considerably larger place.
No lie! I can't believe people are that STUPID!
I mean, with security through obscurity, you have to at least make sure it's not making it to freaking google.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
http://sourceforge.net/tracker/index.php?func=detail&aid=1002056&group_id=4421&atid=104421
How is it that the members of the most dovish American ideology when it comes to foreign policy always seem to be the ones for inciting violence against their domestic enemies?
For the same reason that the radical right are always the ones who seem to be inciting violence against their domestic enemies. Tim McVeigh is hardly unique in his political stance and aspirations, nor have you cited anyone on the left that equals his level of destructiveness or intent (there are such people, but CrimeThinc is hardly of that caliber. He is not advocating mass murder).
The reality is that the so-called political spectrum is more of a sphere than a line. The extreme right and far left meet and become one and the same. Consider the similarities of Stalin and Hitler, for example. Kids blowing up toilets to protest Vietnam bear a striking similarity to skinheads defacing Jewish tombstones. Republican thugs terrorizing librarians and volunteers during the Florida recount bear a striking resemblance to communists in China enforcing campus-wide political correctness vis-a-vis the One True Party(tm) system.
Radicalism is radicalism, whether dressed in a Liberal Left or Reactionary Right attire, just as religious fundamentalism is religious fundamentalism irrespective of its Christian, Jewish, or Islamic trappings.
You have simply chosen to filter your perceptions through your own political dogma, as many people on both sides of the aisle often do. However, the reality is that folks of all radical stripes, in all political, religious, social, and philosophical directions, employ similar methods to achieve their goals, those methods correlating much more strongly to their degree of radicalism and fanaticism than their particular social, political, religious, or philosophical bent.
The Future of Human Evolution: Autonomy
I would imagine that people by and large go to DefCon to learn HOW to do something not WHY. There appears to be a lot of faux anarcho posing going on as well as faux Fedcop speak in response.
Only another anarchist or Fedcop would ever think that what an anarchist or Fedcop has to say is remotely interesting. I can't imagine anyone at DefCon suddenly deciding that either breaking things is kewl or that diversity of opinion has to be tolerated. Nor would I think that the self-professed Grey-Hats are going to come out in favor of the PATRIOT act.
When we all talk to a room full of people who are our clones it's got to get pretty boring.
When the government, specifically the Supreme Court, is the sole arbiter of where freedom of speech ends, you've already found yourself in a hell of a mess. (Most people use the shouting-fire example, but there are reasons you should restrain your freedom of speech even if entitled to it.) The act of governing others needs to grow out of governing oneself, because until you can control yourself you're not capable of laying down the law for anyone else.
I might break the law by soap-boxing violent revolution, but I will do so knowing full well the consequences I am accepting if I fail to overthrow the government. Revolution is not meant to be easy; if it wasn't hard it wouldn't be effective; and regardless of lofty ideals, there is no such thing as justice - two forces collide and the stronger wins.
STFU Troll
Yellow, yellow, orange, yellow, yellow, orange, yellow, RED RED WE'RE ALL GOING TO DIE, yellow, yellow...
Are we supposed to continually crap our shorts because they arbitrarily raise and lower some spurious "threat status?" Yea, there may even BE threats, but, you know what, they are at about the same level they've been at for the last 10 years or longer.
Hell, even the rednecks aren't panicking anymore, and it doesn't take much to get them going about "Terrorist Threats." I moved down to Georgia in 2002, from being in New Jersey and working in NYC, and I had to continually bite my tongue to keep from laughing in the faces of all these people who were forever telling me, "It could happen right here." Well sure it could, but crashing a cropduster into a Waffle House isn't going to have the same kind of effect.
And if people down HERE are sick of it, I can only imagine what it's like in the rest of the country. There are only so many times you can cry wolf and still be believed.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Or, they won't buy it because they already have it? Think a little.
Oh, that's right, Slashbots have to make endless justifications for illegal activities that hurt the gaming industry. As a result, id Software will be eyeing console gaming more than ever now for their next game...
It's so well said, it deserves to be seen by more people...
I wish one could go back and edit old posts. :-)
... his detractor's rhetoric notwithstanding). Women's suffrage was at one time radical, but most of those pursuing it were not fanatical and virtually all of them were non-violent. This in contrast to those who fanatically defended the status quo and physically attacked and even murdered women for daring to insist on the same basic civil rights afforded the men of their day.
I apologize for the sloppy use of language.
If I had it to do over again, I would substitute zealotry for radicalism in the post above.
There are many people with radical notions (where radical = divergence from the society's mainstream assumptions) who are not at all fanatical and would never resort to violent means to achieve those changes (Richard Stallman is an example of someone who is radical and stubborn, but not zealous or fanatical in any real sense of the word).
So, to recap: the reality is that folks of all fanatical stripes, in all political, religious, social, and philosophical directions, employ similar methods to achieve their goals, those methods correlating much more strongly to their degree of zealotry and fanaticism than their political, social, religious, or philosophical bent, or their degree of divergence from the political "mainstream."
The Future of Human Evolution: Autonomy
Yeah, the right wing is just *so* peaceful.
"Seven Deadly Sins? I thought it was a to-do list!"
says who?
or are you just too old?
My thinking exactly.
and the small demonstration nuclear power plant there is ... not safe. There are no armed guards that I've ever seen, and I've been there several times. If you really wanted to fuck with America, blowing that plant up (I think it only produces a megawatt at peak, however) would still be plenty sufficient. There are students there from 48 different states (maybe more now) and it's not in the most accessible location for response teams. Would it kill thousands of people? Doubtfully, but there'd be a WHOLE shitload of terror.
Of course, maybe I'll end up hanging myself three years from now when they really do attack State College...
I wonder how much money Dark Tangent and his goons make from this con each year...
http://66.90.75.92/suprnova//torrents/2308/DOOM3(1).torrent
LMFAO. I read that and a switch went off. I know that kid.
Last year I did some development on a website whose owner spoke often of going to Defcon in Vegas. He also spoke of Anarchy, and causing Civil Disobedience at the Democratic convention. It didn't take me long to figure out he was using his site not to teach admins how to spot vulnerabilities in their web code, but to spread his own political agenda, and gather a willing army of script kiddies.
Needless to say our beliefs on hacking weren't the same. Whoever this person was at Defcon, he is an embarrassment to the hacking community, both whitehats and blackhats.
I stopped in on the site's IRC server to see what was up with some old friends; turns out this guy has a court date not too far off, something about striking a police officer.
I would bet it's the same guy.
His politics, and genuine lack of interest in teaching admins the skills necessary to find and fix flaws in their code, is why I left.
I'm all for hacking code, but the art would be better suited to securing systems and spreading the knowledge of how to secure, instead of teaching an army of script kiddies to be leet hax0rz.
I am Bennett Haselton! I am Bennett Haselton!
"Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11?"
Wow - everyone except law enforcement has the answers it seems.
Or maybe the reality is they've learned to NOT tell you what they've learned, finally.
First mod me -1 offtopic. Then explain to me why this is listed as "informative"? I'm assuming this is a joke (please?). I'd likely have given it a +1 funny, too. What's up?
i speak for myself and those who like what i say.
If you are going to post this, at least post a link to a torrent.
There has to be a hierarchy.
Some people are just better/more capable/ more deserving of certain limited resources.
It isn't just money or power, it's Friday night at the local bar, some guys get the hot chicks, and others don't.
In the article, there was a section discussing "Meet the Feds." From that section, I quote: "The Patriot Act was also called into question by attendees. The FBI representative asserted that just because the act had been passed didn't mean they had carte blanche to surveil anyone they wanted, that judges still had to approve their requests. That reasoning only flew so far, however, as the questioner pointed out that such requests by the FBI are always approved, never denied."
What we tend to forget is that, even in the Judicial system, there is a check-and-balance--especially when it comes to warrants. While a judge may allow a warrant, if a case ever goes to trial then a jury has an opportunity to nullify the value of any evidence obtained via a warrant. I know that sounds a little naive, but this is one purpose of the jury--injecting the People into the judicial process to protect an accused from the Government. The jury is the key point in the process that is not absolutely Government controlled.
However, the attendees took issue with the fact that "judges always approve." There was a landmark case (granted, it was in the early 18th C. in England) that allowed a victim to bring suit. The victim in question owned a printing press that printed pamphlets hostile to the Crown (or was it Parliament?). The Government responded by obtaining an ill-gotten warrant to wield as a weapon to silence him. However, the man sued and won a substantial sum. I think the right words were something to the effect of "a suitably painfully high sum to deter the Government from pursuing that line of action again."
Anyway, I'd like to point out that there are recourses of action for virtually anybody mis-treated by an ill-gotten warrant that are built into our legal system. Even if the judge always approves, there is the jury to help shield, and the precedent to file suit when abused. (I'd also like to point out that this is a common tactic by those justly prosecuted to try to wear down the government by attrition.)
What those who want activist courts fear is rule by the people.
All those pages that were indexed were put there on purpose by somebody (usually it's a message board, or an IRC log, containing a list of "CC"s). This isn't google doing something that it normally doesn't do.
Moreover, I would wager if you try any of these CCs (provided the expiration isn't past already) that they won't work.
Google, and anyone searching google, are seeing those CCs late in the game, after they've all been defrauded.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
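The post above makes the point that the card numbers Google surfaces were posted by people on message boards and in IRC logs, so the place to catch them is before such content is published or indexed. As an added example that is not part of the original thread, here is a Python scanner a forum or IRC-log operator could run over content: it finds digit runs that pass the Luhn check and carry a known issuer prefix, reports them masked, and can redact them. The issuer prefix table is an assumed, illustrative subset, and the log lines are constructed (the numbers in them are well-known test numbers, not real cards).

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed, illustrative subset of issuer prefixes and lengths (not exhaustive;
# e.g. Mastercard's 2221-2720 range is omitted). Prefix matching cuts the
# ~10% of random digit runs that pass Luhn by chance.
_ISSUERS = (
    ("Visa", ("4",), (13, 16, 19)),
    ("Mastercard", tuple(str(p) for p in range(51, 56)), (16,)),
    ("Amex", ("34", "37"), (15,)),
    ("Discover", ("6011", "65"), (16, 19)),
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_of(digits: str):
    """Return the issuer name if length and prefix match the table, else None."""
    for name, prefixes, lengths in _ISSUERS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def mask(digits: str) -> str:
    """Keep the first six (IIN) and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Hit:
    line_no: int
    issuer: str
    masked: str


def _pan_from_match(m):
    digits = re.sub(r"[ -]", "", m.group())
    if luhn_ok(digits) and issuer_of(digits):
        return digits
    return None


def scan_lines(lines):
    """Report Luhn-valid, issuer-prefixed card numbers found in text lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _CANDIDATE.finditer(line):
            digits = _pan_from_match(m)
            if digits:
                hits.append(Hit(n, issuer_of(digits), mask(digits)))
    return hits


def redact(line: str) -> str:
    """Replace detected card numbers in a line with their masked form."""
    def repl(m):
        digits = _pan_from_match(m)
        return mask(digits) if digits else m.group()
    return _CANDIDATE.sub(repl, line)


# Constructed IRC-log sample. 4111... and 3782... are published test numbers.
SAMPLE_LOG = [
    "[21:03] <carder> fresh one: 4111 1111 1111 1111 exp 05/06",  # Luhn-valid Visa test number
    "[21:04] <carder> and 378282246310005 (amex)",                 # Luhn-valid Amex test number
    "[21:05] <kid> tried 4111-1111-1111-1112, declined",           # fails Luhn
    "[21:06] <ops> ticket 1234567812345670 closed",                # passes Luhn, no issuer prefix
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.issuer} {hit.masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

A real deployment would run this on the submission path (before the post or log is stored) rather than only over already-indexed pages, since by the time a search engine shows the number the damage is usually done.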
I'm all for hacking code, but the art would be better suited to securing systems and spreading the knowledge of how to secure, instead of teaching an army of script kiddies to be leet hax0rz.
How do we know how to secure systems if someone isn't trying to crack them?
-- We live in a kakistocracy.
Senator, you can have my answer now if you like. My offer is this: nothing. Not even the fee for the gaming license, which I'd appreciate if you would put up personally.
Shop as usual. And avoid panic buying.
Sounds like a PhD all to itself. Maybe to make it hard to tabulate the list one could divide the amount of 'terrorism' by the square of the power of the state, since power corrupts.
Top Eleven in no Particular Order:
China
Iran
United Kingdom
U.S.A
Colombia
Russia
Sri Lanka
North Korea
Pakistan
France
Israel
I am not sure if it is easier to consider where there are 'freedom fighters' and pick the state involved, or pick where there are the most active 'intelligence' agencies.
For our purposes we can pick the one where it is easiest to hire a car.
Be Free: Free Software Tuition
Defcon isn't going downhill, it's still a great place to buy t-shirts!
Oh, there's something else going on there?
I can't believe I'm feeding this troll, but here goes. How can you equate what this crimethinc guy is advocating, which is the destruction/defacement of property with committing physical violence? Property damage and murder, while both wrong, are quite different crimes. Shooting someone in the face is not the same as smashing the windows at the McDonalds they own. The nuts on the left seem more inclined to advocate property damage while the nuts on the right seem more inclined to kill you.
I had originally thought the site was intended to teach semi-secure code, by that I mean as secure as it could be.
I thought the idea was to teach common methods and vulnerabilities so admins could pen test their own systems, but alas I was wrong.
I am Bennett Haselton! I am Bennett Haselton!
Do you know who else advocated illegal acts? How about Gandhi and Martin Luther King? How about Malcolm X?
When you live in a racist, sexist, imperialist country engaged in illegal, immoral, imperialist wars, illegal acts are a moral necessity.
Would you condemn someone for calling for illegal acts in nazi germany?
In an immoral country, legal action is immoral.
"The FBI representative asserted that just because the act had been passed didn't mean they had carte blanche to surveil anyone they wanted, that judges still had to approve their requests. That reasoning only flew so far, however, as the questioner pointed out that such requests by the FBI are always approved, never denied." [Emphasis mine, statement mine :-) ]
;)
Actually, I didn't ask the original question, merely responded to the FBI guy's bullshit answer about them not being able to march right up and get warrants for whatever they want in terrorism cases (or rather cases they claim are related to a terrorism investigation - which means anything and everything they want it to mean). I threw my hand up about halfway through his answer (which he bumbled through briefly before resorting to more bullshit) to mention that an FBI agent had been barred from appearing before the FISA court ever again because he was blatantly lying to the court, and to talk a bit about National Security Letters (NSLs), which require 0 judicial oversight and which get a whole lot of non-content information from communications providers (like ISPs). Unfortunately for me, and fortunately for the poor FBI guy, they never called on me again after that. (It was a fed who was deciding who to call on).
If anyone saw who I am, forget who you saw - I don't exist.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
I was the one who pointed out that the FISA court has only denied a single request for a warrant since its inception, and that the denial was overturned in the only time the FISA appeals court has ever had to meet.
Now let me ask you this: you mention that there is potentially recourse against the government for those who've had an ill-gotten warrant issued against them - what is the recourse if you're never told that the warrant was issued, and if it is "served" while you're at work, in secret, without your consent or knowledge? What is the recourse against a National Security Letter, whose very existence must be kept from you by the communications provider who receives it, even though it compels them to release a boatload of information about your communications through them? What is the recourse for those who've been hit with certain provisions of the PATRIOT Act when any precedent in their favor is automatically kept secret by virtue of the fact that all cases brought against the act are sealed, with no party being legally allowed to reveal who brought the suit, why they brought the suit, what the facts are in the case, or that there are facts in the case?
You can't fight what you can't see. You can't challenge what doesn't "exist".
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
That's just downright scary though. I hope you're right in saying they are past expiration...
"Hmm. I am to metaphor cheese as metaphor cheese is to transitive verb crackers!"
How about the virus guy who basically gave a 50-minute drunken rant about how stupid and worthless current viruses are.
Worst talk ever.
Overall it was a pretty good show I thought. Some excellent talks. It was pretty sedate overall, at least what I saw. I guess everybody is getting older.
Click here [google.com] to get 20000 pages with real credit card numbers with names, addresses and expiration dates.
Hmmmm indeed.
Just a thought:
If you Google your own card number, presumably that'll help you check your details aren't compromised and posted online this way?
You raise a fair enough question--a question that partly encouraged me to enroll in law school. Now, I won't know the answer right away . . . law school takes three years. But, I'll try to find the answer.
What those who want activist courts fear is rule by the people.
All right, I was there so I know this for a fact. I interviewed both the guy involved AND Priest immediately after it happened - I was producing a documentary film about Hackers and therefore this was important to get right.
The 'guy' who was 'preaching sedition' was 19 years old and really fired up about trying to make a difference in the world. He's been involved in protests and unfortunately, as is the case with many young people, he took 'direct action' a little too far, got a little too amped up and ended up saying things in the heat of the moment that have basically screwed him for life, at least if he ever wants to get a state job. He was allowed to finish his speech and immediately afterward, there was a lot of unrest in the crowd. A guy from the audience pulled himself up on stage and attempted to attack the kid who had just finished speaking. DefCon Goons restrained the man and removed the kid for HIS OWN PROTECTION, and kept him safe in the NOC for a few hours while things calmed down. This comes directly from Priest and the DefCon Goons who were involved in the incident. There is also video footage.
Furthermore, the kid was NOT arrested by NSA, SS or FBI, or at least he wasn't at DefCon. I interviewed him Saturday night sometime after midnight and watched him get into his car and drive off-site with his girlfriend at approximately 11:00am on Sunday morning.
Your gimmick sucks.
However, the KKK certainly were organized right-wing violence.
Bill Stewart