Code Auditing the Defcon Way

An anonymous reader writes "Last weekend at Defcon, the best and brightest hackers got together to play Capture the Flag, a weekend long hacking event that is the premier event of its kind. According to the results, Shellphish won (UC Santa Barbara students led by professor Giovanni Vigna). An article at SecurityFocus states that the competition was far more technical than in previous years, focusing on reverse engineering skills and code auditing." From the article: "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things...It's about analyzing the security posture of a system that is given to you and about which you initially know nothing."

More technical?

[Alex+P+Keaton+in+da]

Sort of like when extreme sports went mainstream... Seems like this is a better way for people to show of their skills for the ever growing, and ever more lucrative security business....

Re:More technical?

[kihjin]

http://www.extremeprogramming.org/ :-P

Re:More technical?

[xcentrics]

"What it takes to be an elite hacker is to find vulnerabilities in custom software," said the Kenshoto member. "It is not code auditing per se. They have to reverse engineer, and we have made it difficult to reverse engineer."

real-Reverse Engineering under linux ?!? forget about it.
i mean the system is free ,98% of software is free.Therefore there are no commercial _exe_packers_ (i've never heard about it) so RE is not as hard as under Win where anything can be packed in example with Asprotect.If there were new asprotect for unix systems then it would be real RE challenge...

Re:More technical?

http://protools.reverse-engineering.net/unpackers. htm

Sorry to tell you this, because just like Shrinker, some bunch of dorks has also broken AsPack (as far as Win32 Portable Executeable format packers/compressors)...

I use (or have used) both in the past not only to gain the faster loadtime off disk (or, even over LANS, because the decompression process only happens AFTER the read up off of the diskdrive into memory, & thus, runtime & today's modern VERY fast nearly 4ghz CPU's more than makeup for the decompress process 'slowdown' in memory as well as how fast memory is nowadays) but also to 'confuse' debuggers (disassembly tools imo more than anything) via 'obfuscation' of their code, which makes it harder on them.

You can do what I do though, which makes it HARDER STILL on them (and, as a bonus effect, builds in "native antivirus protection" into the app), which is, believe-it-or-not, hardcoding the application's compressed .exe filesize into the application @ it's initialization (either form/screen creation or show methods), & test it on disk.

If the Win32 PE file changes its size even 1 byte (less or more) from its on-disk compressed size? DO as you like!

After all, this IS what std. type "Virus" do, add size & code to the end of the .exe afaik, so this DOES function as a rudimentary form of virus protection & stops your apps from spreading infectors like those, potentially @ least, because they let you know something IS wrong!

This is what/how I do it in my code @ least. SO, what can you do IF the filesize changes? Well, limits of your imagination, or 'cruelty' I suppose...

E.G.-> Reboot their machines, shutdown the program being 'hacked' or potentially virus infected since it changed its size (what I do), or if you are crueler than myself, anything you like (i.e./e.g.-> Blow their bootsector, lol).

There is MORE you can do to protect against various "debuggers" like SoftIce &/or WinDbg for example RIGHT in your code though, even if they uncompress to attempt disassembly.

API calls like IsDebuggerPresent, or the presence of SoftIce via routines present all over the internet for it (there are many of these).

* :)

APK

P.S.=> It almost amazes me that folks build in .exe decompressors &/or stand-alone "debuggers" (hacker/cracker tools mostly imo), because they're like swords & double-edged, & often used to bypass password protected installers for the illegal filesharing circuits out there where you can get commercially produced software for ZERO cost...

How's that done?

Tools like SoftIce or Frog's Ice, WinDbg, & others like them OR techniques like DLL Injection as well! It's unfortunate, but, thievery abounds in this field...

There is nothing you can really do, but make it TOUGH on those that practice it, via ideas like I use above as an example... & I am sure someone could figure out a way around that too, if not eventually!

They do it by mis-using 'debuggers' like the ones I mention. I have NO respect for those that do that, by the by/personally... apk

Re:More technical?

[CryBaby]

I suspect that the motivation behind changing the game was to de-emphasize the growing commercial aspect. If you've attended DefCon in the past few years and watched Capture the Flag, it felt like it was slowly being taken over by corporate teams (several teams were named after their company and/or displayed large company banners in the game area).

This was still a "creeping" influence the last time I attended (not too long ago), but it sure felt like a trend.

I can understand why companies are upset by the change. If I had an OS company, I'd sure love to be able to advertise that my product had been used to win Capture the Flag. Under the current rules, you can't use your own OS so the opportunity for "product placement" is decreased.

Vendors are free to set up their own events for head-to-head product comparisons (and should), but having them at Defcon felt like having a BMW race team show up at a local gearheads' track event. It's not that the non-corporate participants can't compete - it just fundamentally alters the nature of the event.

Use a gun

1) Shoot all but one member of each team
2) Ask for "flag"
3)...
4) Profit!!!
5) Shoot remaining traitorous members of each team

Why do Defcon hackers prefer Linux?

I'm a small business woman and in order to control costs, I have looked
at open source software as an alternative to MS. As a non-technical
person, it has been a very frustrating journey.

First of all, the term "free" seems misleading. It seems that you can
aquire a "starter" version of a Linux distro that is not production
ready for free. But if you want want that is tested and stable, one
needs to purchase an expensive yearly maitenance fee for each computer
it is installed on. My understanding is that one can aquire something
called "source" to the expensive linux distro version, but that the
source doesn't actually run the computer.

When researching, I read about "Redhat Linux" (sic ?). It seems that
they allowed one to download the complete "working" version for a while
but then they did a switchero and hid the working version download and
made it available to paying customers only. To pacify the rest, they
gave a "starter" ("Fredora" (sic?)) version to them. It seems they cut
off affordable support to those with the working version and replaced
it with something more expensive than MS.

My IT consultant put FireFox on my computer and it looks like another
switchero is in the works. With the members founding a corporation, it
looks like they will start charging for the good version and leave the
a "starter" version for the non-paying customers.

So is the business model of open-source to bait people with free
software when their software isn't as good as the commercial offerings,
and when it does become good or they get enough people on board, do
they just jack up the prices as much as possible? Seems to me this is
a poor business model, and I can't understand why a saleman recommended
it to me as a way to keep costs down. I would rather go with a vendor
where I can expect things to stay the same and a vendor that has a
clear business plan. That way they won't just change the rules halfway
like open source seems to.

Maybe it is a wrong impression, but that is what a good business woman
like myself sees.

Re:Why do Defcon hackers prefer Linux?

[Demogorgo]

i wish i had a dollar for every time some bearded lowlife tried to put firefox on my computer. who do they think they're fooling?

Re:Why do Defcon hackers prefer Linux?

i just use a can of deodorant, keeps the bearded sandal wearers at least 100m away, its like mosquito repellant only better smelling

Re:Why do Defcon hackers prefer Linux?

[TimMD909]

"... [bunch o bullshit omitted]... but this is what a good business woman like myself sees." - You

Well, years and years of feminism movements have just been killed. That argument is about as solid as my argument to my parents to pay for my marijuana habit... Sheesh

Re:Why do Defcon hackers prefer Linux?

[TimMD909]

Whoops forgot to mention that the test of whether a person should be allowed to make computer related decisions is......
(drum roll please)
CAN YOU FIND OUT HOW TO DL THE ISO FOR REDHAT!

Re:Why do Defcon hackers prefer Linux?

Carly ??
Carly Fiorina ???
Is it really you ??
here on /.

Re:Why do Defcon hackers prefer Linux?

[James+McGuigan]

The job of a linux distributor (such as Red Hat, Debian, Gentoo, Ubuntu etc) is primarily that of assembling a large quantity of free and open source software into an easy to use and pre-configured package. While they may write and contribute some of their own software to the mix, and do some customisation and bug fixes of their own, 95%+ of the software you see in a linux distro will be common to other distrabutions.

I don't use Red Hat or Fedora myself, so could be wrong about the below, but... Fedora is developed by the community (Red Hat also helps to develop it) and is kept fairly up-to date with new software releases. Red Hat Enterprise Linux uses snapshot of Fedora as a core, keeps it stable (ie doesn't update it that often, just bug fixes) and adds a few bits of proprietary software and adds in the support contract (most people buy Red Hat for the support). If you want Red Hat without the support, and the RH branding, then maybe CentOS is what you are looking for.

I would personally suggest Ubuntu Linux, which is Debian based, its fairly well polished and most things will work straight out of the box, so you shouldn't need too much in the way of support to get it setup (Though I have had some difficulties with the 64 bit version). Even things like Java, ATI/nVidia drivers and multimedia codexs can be gotten via apt-get (you may need the extras repository for some of these). If you need paid support, Canonical will support Ubuntu for $100 USD per computer per year (I haven't used them myself, so can't say how good they are).

If you want free support, then goggle is your friend, as is reading the documentation, searching goggle groups, asking on mailing lists and visiting IRC channels. The only cost is the time and effort to find the answers for yourself (which doubles as a good education in Linux). You are not guaranteed an answer, but will usually find one, nor a time limit on how long it will take to find or receive an answer. This is the method that most individuals actually use, though it does require that you are willing to learn. In a business where time is money, it is possible that paid support may work out cheaper than your own time in searching google (it depends on how much your time is worth compared to the time saved via a support contract), but in comparison, I will ask you when was the last time you phoned up Microsoft and had them tell you how to fix your problem.

As for the Mozilla Corporation, they are very new and haven't done anything that I could comment on, but I see it as very, very unlikely that its formation will have a detrimental effect to the development of free and open source Firefox. We already have Netscape as a commercial company that takes Firefox, gives a customised setup, adds alot of their own branding to the package and throws in a few proprietary components and calls it Netscape 8. Firefox is not the poor "free starter edition" cousin to Netscape 8. As long as people are intrested in Firefox, then it will continue to be developed and it will always remain free.

For businesses specialising in free and open source software, the "switchero" is fairly uncommon. FLOSS licences actually prevent people from doing a "switchero" on existing software, if its been releases as FLOSS then that version will be free forever. With non copyleft (ie GPL) licences (or when exceptions are made in the licence), then someone can make a proprietary fork of the project and future versions of that fork may not be free, though others are still free to continue to work on the FLOSS version. This can also happen with copyleft or GPL software when only one person, or one group, owns ALL the copyright to the software and can thus change the licence for future versions (such as PHPedit). In many cases, where the software has been developed by the community, there are too many copyright holders for this

Re:Why do Defcon hackers prefer Linux?

use a real linux distro.

i suggest : www.debian.org

try the netinstall disk.

http://cdimage.debian.org/debian-cd/3.1_r0a/i386/i so-cd/debian-31r0a-i386-netinst.iso

Re:Why do Defcon hackers prefer Linux?

[kc0re]

I would like a team of totally mac users to jump in on this. Just to prove/see how secure macs really are.

Re:Why do Defcon hackers prefer Linux?

[Mechcozmo]

Let me simplify the above:
Linux is only free if your time is worthless.

That isn't to say Linux is bad-- but the setup of various components can be... trying at times.

Re:Why do Defcon hackers prefer Linux?

[James+McGuigan]

Assuming that you know what you are doing (ie have done it before), then setting up a linux machine (especally a fairly user friendly one like Ubuntu), can actually take less time overall than installing and configuring Windows, MS Office, Anti-Virus, Windows Updates and various other utilities.

apt-get install is actually a very easy way to install new software on linux. Alot quicker (human time and attention wise) than finding your MS Office CD, typing in the CD code, then going through the 15 minute install process.

However I will admit that some items outside the packaging system, such as Java on Debian proper, can be a little time consuming to setup. I'm actually fairly relieved that there is a copy of dvd::rip in the ubuntu extra's repository, attempting to get it setup on Debian proper was a nightmare, and even I gave up on that one (dvd::rip has about a dozen dependices outside of the debian repositories)

The other thing to note, is that while some people may be money rich but time poor, there are equally many more others who are time rich but money poor.

Re:Why do Defcon hackers prefer Linux?

[Mechcozmo]

The other thing to note, is that while some people may be money rich but time poor, there are equally many more others who are time rich but money poor.

And for those who are not money rich and not time rich, what options do we have? OS X is set up in less than 30 minutes. Windows is set up in a few hours. Linux has taken too long to get working and therefore not worth spending more time on it which is unfortunate since I'd like to use it.

Re:Why do Defcon hackers prefer Linux?

ubuntu. it's easier to install and use than windows, and takes less time to set up.

How to tell if you are a windows fanatic.

AKA a nazi fanatic loser.

1. You rejuvenate and dance when you hear a linux flaw exposed, but you conveniently ignore the thousands of security flaws exposed in windows.

2. You yell loudly TROLL! at any person's post or at any person you see posting facts that you do not want to hear about your oh so cool windows.

3. You know it's a classic case of penis envy, you don't have all the support, software and hardware available for windows and you have to let that anger out somewhere, but you don't have the brains to admit it.

4. You hate linux, hate Red Hat, but race to emulate linux, have programs to run linux from within windows, and spend a $300 on a linux emulator.

5. You cannot admit that you don't have professional usage of windows anywhere.

6. You cannot admit that most of the joe user out there when told that there is windows will respond, what is that?

7. You cannot admit that there is no professional printing capabilities in windows.

8. You cannot admit that you are a masochist (otherwise why would someone spend hours playing with scripts,
and recompiling programs that are available for linux?)

9. You cannot admit that there is no professional desktop publishing done on windows.

10. You cannot admit that no one in their right mind would do professional video editing in windows.

11. You cannot admit that windows sucks when it comes for gaming/home entertainment or education.

12. You have problems in understanding linux, and you will blame your own incompetence on linux.

13. You have problems in pointing a clicking, but have no problems in wading through cryptic scripts written by lunatics.

14. Nothing will get past that shit that fills your head, you will not admit to any facts.

15. You can't admit that naming of windows components, packages, and others are weird and fits profiles of troubled teenagers. longhorn,
me, xp ....

16. You feel angered because you were left out by linux's technologies, they support Mac, Sun sparc, but not windows.

17. You feel inferior deep inside but unable to admit it, you don't have a file system as easy and powerful as ext3.

18. You cannot tell that not a single office package outside Sun's is worth looking at or bothering with.

19. You don't know that your CD recorder software sucks.

20. You don't have DVD-RAM, DVD-R, DVD-RW support in your pathetic OS.

21. While the rest of the world moves on, you're stuck in a stone age technology that needs third party software to boot into GUI.

22. You act out of prejudice, you kill file domains and users of specific news readers while you ignore the bullshit that your fellow windows losers post.

23. You don't know commercial support in windows is almost non existent.

24. You miss the fact that companies are leaving windows because of the chaos, and the cheap windows pirate losers who are unwilling to pay and support hard work.

25. You are unaware that windows has no terminal services (there is a lame one that no one uses), and commercial support for it is not happening.

26. You are unaware that setting up servers on linux takes couple of minutes while on windows, good luck playing with configuration scripts.

27. You cannot admit that support for USB on windows is laughable at best.

28. You think that windows is better because Microsoft told you so.

29. You spend countless hours flaming people because they post their opinions about your oh so cool windows and your attitude, instead of researching things for yourself and understanding fact in order not to look this stupid.

30. You think that anyone who uses windows has a clue.

31. You think that windows cannot crash.

32. You think that everyone is interested in your conspiracy theories about Open Source (or should i say Open Sores in order for you, teenagers to understand?), and how they destroyed windows, ...etc.

33. You keep ignoring the fact that thousands of windows servers get hacked every day, but it takes one linux server hacked to get you and your fellow windows idiots to dance and celebrate.

Monkeys

A monkey can set up a secure network, but can a thousand monkeys at a thousand terminals break that network?

Re:Monkeys

No because it's (like you said) secure. Actually I doubt that a monkey can even set up a network at all. Mix some cross and straight cables and see if a monkey figures it out, I don't think so!

"According to the results"

[Armchair+Dissident]

"According to the results, Shellphish won"

Who wants to be that Shellphish hacked the results...

Re:"According to the results"

[Armchair+Dissident]

be? be?! Bet!

Re:"According to the results"

[uberchicken]

It was still funny! I just thought it was some new fangled youth/ghetto-speak.

The Cult of Linux

Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.

It's been 35 minutes since you last successfully posted a comment

A synopsis of why Linux is a cult religion.

There are four basic steps to establishing a cult religion. They are;

Step 1: Pick a ridiculous icon.
Step 2: Choose a name for your cult.
Step 3: Define yourself.
Step 4: Write down your tenets.

A comprehensive history of how the linux penguin came to be can be found at
http://www.sjbaker.org/tux/. This is the main reference site for this
article. All quotes have been obtained there, unless otherwise stated.

It is important to note that the opening words of the Holy Bible are "In the
beginning..." Genesis 1:1. The reference site opens with the words, "In the
beginning..." This is no mere coincidence, as will be shown.

Detail
======

Step 1: Pick a ridiculous icon.

Checking out the opposition was an absolute must for Linus. Every Tom, Dick and Harry was out there with a cult. It wasn't going to be easy to find an icon for the linux cult, so the linuxfux had to do some research. They were competing with ancestors, cosmic schemes, cows, rats, the sun, the moon, the earth, stars, snakes, turtles, planets, aliens, crystals, ufo's, light, dark, evil spirits, crying and/or bleeding statues, and goodness knows what else.

The hard part was to pick something that hadn't been used before. Heck, even the atheists have an invisible pink unciorn. They tried trombones, grand pianos, accoustic guitars, commodes, Marilyn Monroe's underwear, and even Linus Torvald's underwear. The last one was not very good good because Linus Torvalds was, at that stage, a pipsqueak of an excuse for a human being, and
most linuxfux are very fat, and very pimply. That last point will not be lost on those familiar with the more recent appearance of Torvlads.

Now, you may think that using Linus' underwear as an icon a bit strange. You may also wonder how people could bring themselves to believe that Linus' underwear is the font of all spiritual knowledge, but just think! Linus wore them, they gave him spiritual enlightenment and, of course, everyone who knows Linus Torvalds has heard the harmonious tunes coming from that
direction.

In the end, the linuxfux chose a paunchy, naked penguin. Yes, the penguin is naked! Just like Didney's fantasy character, Porky Pig. The Linux Penguin has no pants.

So, how was the ridiculous, gormloos looking, naked, pauchy penguin chosen?

Linus Torvalds: "Yes, I was bitten by a penguin, but it wasn't actually very ferocious. It was really just a pigmy penguin about 6 inches tall or something, and it was more of a timid nibble ("is this finger a see before me a small fish, or what?"). Even so, I like penguins a lot."

So, there you have it. A mind-association between "pigmy," "timid nibble" and Linux. All well-balanced people, that is, Windows users, will see the irony in that Freudian association.

Some quotes from Linus on the penguin;

Thu, 9 May 1996 17:48:56 +0300 (EET DST)

"Anyway, this one looks like the poor penguin is not really strong enough to
hold up the world, and it's going to get squashed. Not a good, positive
logo, in that respect.."

As you can plainly see, Linus is attempting to place the penguin on a pedestal. The very same pedestal as the three great religions of Christianity, Islam and Judaism, that "hold up the world."

In the same usenet post, and in the very next paragraph, Linus exhorts is eager new cult recruits thus;

"Now, when you think about penguins, first take a deep calming breath, and then think "cuddly". Take another breath, and think "cute". Go back to "cuddly" for a while (and go on breathing), then think "contented"."

Compare that exhortation with the following quote from

Better

[theamazingflyingshee]

I suppose it is better than attacking computer systems and cause thousands of dollars worth of damage(not that all hackers do that)

Anyone parse that as professor Vagina?

Damn, I need to get laid.

Re:Anyone parse that as professor Vagina?

silly ... yes, get laid, please.

Defcon One?

Ten to doomsday, moving fast...
Heads up! Mind that blast.
No time to sleep, it's Defcon One
Can't get no sleep as the ticking ticks on,
No time for fear, it's Defcon One,
No time to eat but get me some

CHORUS
Big Mac, fries to go...
Big Mac, fries to go...
Get me Big Mac, fries to go...
Get me Big Mac, get me fries to go...
Watchman!
We love you all...
Hup! Hup!

Heads up! Ground floor coming up...
How sick is Dick?
How gone is Ron?
How sick is Dick?
How gone is Ron?
What's the time?
It's Defcon One...
Say, what's the time?
Just get me some

CHORUS

Goodbye city, hello moon,
Hands up! Vote Dr. Doom!
"You know it makes sense"...
It's Defcon One, hey! What's occuring? What goes on?
"It's the only choice..."
So get me some

CHORUS

How much is your data worth?

Are you willing to go to the grave to protect it? Is the data worth so much that you would die before it fell into the wrong hands?

No?

Then why protect it at all?

Posture =)

[PlasticMonkey]

Haha, he said posture! - Nope, I don't get it either - hey it's early!

Erm on a serious note, how did the Defconhackers get an overal score of 0?

Why are they even *on* there? Randomness.

-Phil

Re:Posture =)

They only scored 3 points, which was multplied by their service level percentage. This put them (well) under 1 point, which got floored to 0.

Re:Posture =)

[PlasticMonkey]

Yeah, but it's still crazily low! The next runner up is like way ahead :p

Re:Posture =)

[viega]

Well, they pretty much didn't play. First, only one of their team members showed up. Then, he recruited some people, but by the time he did, the green team had totally owned them. They sat there the whole time, but they might have even been helping out the green team.

X (Hackers) Games

[KarMax]

IMHO there is nothing WRONG about this kind of "x hacker games" there is a lot of this kind of stuff, Hollywood movies, popcorn books (like Davinci Code by Dan Brown), among others.

The problem is when begins to be a serious "news" or "event".

The article try to remark that the event is "pro" or "serious", dont get it...

Its just a game!

Re:X (Hackers) Games

[Segfault666]

I'm not really flailing in either direction on the 'pro' or 'serious' stances which you are attemptint to allude to, but similarly to winning a gold in the olympics, is it just a game?

Which is alot more than can be said about running through some imaginary terrain and shooting virtually everything.

But for the most part; contests / events like this can grant fablous employment opportunities aswell (ie: Olympic Athelets on that box of wheaties).

the better you are, the more you can gain. whether it be prize money a rare/unique employment opportunity free beers

there's incentive to improve.

Re:X (Hackers) Games

Most of the people there were professionals, trying to learn, improve or refine their skills. Just because it was a competition doesn't mean you should be denigrating the people who were playing by saying they can't be part of something "pro" or "serious". There is a reason why the Defcon competition is the premiere such competition.

Re:X (Hackers) Games

[b0urn3]

Actually, considering the amount of data that is collected from both wargames and the DC wireless network for research use, it is pretty "serious." Too bad next year's Defcon has been cancelled.

Re:X (Hackers) Games

[KarMax]

Maybe you missunderstud me

Im _NOT_ denigrating them, they are playing and this is good!, i play to!
I use "Davici Code" in the example, becouse its a "best seller" book, fictional novel, who was taken seriously as if we were talking about a SERIOUS book.

Olimpic games its a bad example, to discuss becouse i dont aprove olimpic games, i think its stupid (medaling stuff).

I dont share your point of view... i mean, be better all the time is what i want, but becouse i want to be better, not becouse i want something for someone, that doesnt makes me better.

You must understand that i dont denigrate them, im putting thing in place, thats the problem i was talking about you and of course some CEOs among others who look at some guy who shoot a LOT of things in an "ambiented" game (sound good ;)), to do things he isnt ready.

Menawhile this guy was shooting, there is another, studiyng the birds (he knows everything about it), and nature, and a lot of different weapons.

Both are doing what they want to do, there is nothing wrong or somethig like things on them, but some peopple are taking the guy shooting as he was the other guy.

Hope my point be more clear.
C ya

Well, as for myself, my PC runs OT/NT

[RedLaggedTeut]

Well, as for myself, on my PC the operating systems installed are OT(old testament) and NT(new testament).

While I like how the OT is handling faults from a theoretical point of view, in practice I mostly use the NT, since applications keep on running and work together well.

Re:Well, as for myself, my PC runs OT/NT

[Exluddite]

Yes and things have really improved from OT to NT. Used to be that when the system crashed, you were down for 40 days, with NT you're back up and running in 3.

Re:Well, as for myself, my PC runs OT/NT

Too bad it doesn't interact well with other systems some of the time.

Re:Well, as for myself, my PC runs OT/NT

I gave up the OT/NT system some time ago because it's outdated and restrictive. There are also several logic errors, and it hasn't yet found a good way to interface with the current standards of Science. I've seen some very creative third-party work on these problems, but usually they're clunky and work poorly because of the closed nature of this system.
That's why I've switched to BN*UT based on the Skeptic kernel. With Belive Nothing *Until Tested, I can recompile my operating system as needed.

I parsed it as professor Mangina.

I need to quit getting laid.

Security Posture?!?

[birge]

Is anybody else disturbed by the growth of meaningless, self-aggrandizing jargon in this field? Attack vectors, security posture... Give me a break. These guys do good work, they don't need to puff themselves up with this kind of fantasy verbage like some social scientist or art historian. When did people's egos get so big they need to invent cool sounding words for everything? We've got a serious arms race going on in the "my profession is cooler than yours" wars.

Re:Security Posture?!?

[duffbeer703]

I'm glad that I'm not the only one to notice and be annoyed by it. I find the compulsion to substitute "ph" for "f" everywhere even more obnixous.

The worst is the growth of "dark" words, darkmail, darknet, darkphish, argh... enough already!

Re:Security Posture?!?

Are you just bitter because you don't understand the terminology? The author of the article and the guy quoted are using pretty common terms with well-defined meaning. They're not doing any self-aggrandizement, just using the terminology that they're used to using.

Many of the people involved with Capture the Flag stayed anonymous, anyway, including the organizers and some of the contestents. Seems to me people are really doing this for the sake of developing their own skills and having fun... not for stroking their egos.

Re:Security Posture?!?

Thorstein Veblen wrote that those who feel a need to invent new words were usually obsessed with make-believe.

Re:Security Posture?!?

[birge]

Yeah, I'm extremely bitter because I can't figure out what attack vector means... My point, sport, is that I know exactly what it means, because adding "posture" after security doesn't add any meaning. It's just, well, posturing; nerds playing cloak and dagger, painting themselves as agents in an engagement that's far less interesting in real life than they'd like to believe. Hence, all the dark-this and black-that, as if we were talking about something more important than a computer file.

Re:Security Posture?!?

I doubt they give a crap whether you think it is interesting or not. Most of them are there for their own enjoyment, not for yours. It is okay if you are so bitter because the SECURITY INDUSTRY has adopted terms that you feel to be pretentious or vacuous, but it is only assholish of you to take it out on people who use the terms, because they are widespread. Most people don't use terms like that because they are feeling haughty. They use them because they feel they are able to more clearly communicate with their peers. If you don't think adding "posture" to "security" helps in the slightest, that's your problem, not anyone elses (though pretty much an entire industry would tell you that 'security' is usually just an adjective... "what's your security" is meaningless unless you finish the sentence... "policy"? "posture"? Or what?).

But recognize that the people you're trying to flame didn't choose the terminology. They do find it easier to say "attack vector" than "ways in which someone could potentially try to attack a system". I'm sure many of them wouldn't mind if there were a better, widely used term that didn't sound pretentious to your disdainful ears, but I think the industry will sleep at night if you continue to be a grumbling ass.

Re:Security Posture?!?

[birge]

Wow. I never attacked anyone in particular. I think I pretty much addressed it as a general criticism, in fact one that is very common to other fields, so if you're just a minion going along with the flow, no need to feel picked on. What the heck did I do that constitutes "taking it out" on anybody?

Re:Security Posture?!?

So you weren't talking about the people in the article when you said, "These guys do good work, they don't need to puff themselves up with this kind of fantasy verbage like some social scientist or art historian." Or, when you said, "It's just, well, posturing; nerds playing cloak and dagger, painting themselves as agents in an engagement that's far less interesting in real life than they'd like to believe."

Even if you are just complaining in general, it is stupid to think that most people coining terms are doing so to "puff themselves up". Most terms in scientific realms come out of a need for a concise and more exact way to express something than otherwise exists. Show me the guy who coined the term "attack vector", and show me how it was self-aggrandizement for him to have coined the term.

I'm amazed that you would even complain, considering you're the guy who had the chance to call your 'resume' a 'resume', but called it a 'cirriculum vitae' like the pompous ass you are.

Re:Security Posture?!?

[birge]

I was talking about PEOPLE (i.e. an entire industry field), not a specific PERSON. You calling me a pompous ass is a personal attack, me faulting a group mentality isn't. If you had the stones to post under your own name, I'd have the chance to show you what a decent personal attack looks like.

I agree that CV is pretentious as a word. But, there's a difference between a CV and a resume. And CV comes about historically; it's an older phrase than resume and people trying to get academic jobs have called their list of papers, etc. a CV for as long as anybody knows. However, there's no real difference between attack and attack vector, and it's not something people inherited. Some guys just thought it would make their jobs sound cooler by using a technical word (vector) in what is really a non-technical context. Just try to show me a sentence where I won't understand what you mean by removing the word vector. Same thing for security posture. Anyway, if hackers want to emulate academics in terms of being pretentious dicks, then I guess I've won my argument.

Re:Security Posture?!?

Sorry, I'm not going to create an account here just so that you can be even more of an ass in a personal sense. I have nothing against you, just your inconsistent, meandering and insulting opinion. As quoted, your words clearly imply things about the people playing the game, whether you want to believe so, or not.

Guess what? An attack vector isn't the same thing as an attack. There are plenty of attack vectors that are never exploited through actual attacks.

And thanks for proving my point wrt. the whole CV thing. There *is* a point for the term, even though most people on the outside looking in don't see it. But, if you were really worried about stupid, pompous terms, that would be one, and you could certainly label your CV a "resume" and the rest of the world would understand. When some school or research lab asks for your "CV", then you send them a "resume" with the exact same content, nobody would care, but you'd look a lot better in the world of your own reasoning.

Re:Security Posture?!?

I'm not sure about security posture, but attack vector makes perfect sense, being as it is not always used in a technical sense.

Also, there is a quite large difference between an 'attack' and an 'attack vector'. May I refer you to the 5th definition for the word as provided by dictionary.com:

A course or direction, as of an airplane.

Thus, the attack vector would be referring, not to the attack it self, but the 'direction' of the attack, likely, in this context, to be refering to specific vulnerabilities in applications that the attack exploits to gain its objective or the particular series of exploits that could be used to perform an attack. This is in contrast to the attack itself which is an incident of a person utilising these vulnerabilities to achieve this directive.

I do tend to agree that many professions add a lot of unnecessary complications to their professional languages, however, attack vector isn't an example of this IMHO. 'Attack vector' as a phrase has long been used to refer to the approach one takes to achieve a goal -- in this case, causing a computer security incident.

Although I don't have a slashdot account, if you feel like harrassing me, feel free to contact me on the MTU lug irc server (lug.mtu.edu). CorenMajere or something similiar most of the time.

Re:Security Posture?!?

[birge]

Guess what? An attack vector isn't the same thing as an attack. There are plenty of attack vectors that are never exploited through actual attacks.

That's like saying there are a lot of pitches that haven't been pitched. I mean, pitch vectors that haven't been pitched.

Look, if you consider making fun of an entire industry tantamount to personally attacking each individual, then fine, give me that power. At any rate, I'm sorry if my argument isn't as tight as you'd like. Maybe if I summarized it more eloquently, you'd quit being so knee-jerk defensive?

Re:Security Posture?!?

Let's try this again, actually:

If you're talking about "an entire industry field", how can entire field be "pompus" or "self-aggrandizing" without the people in the field also sharing those traits to some degree? The industry has no brain of its own, it is moved forward by the people in it. When you said, "These guys do good work, they don't need to puff themselves up", who were you talking about? When you said, " It's just, well, posturing; nerds playing cloak and dagger, painting themselves as agents in an engagement that's far less interesting in real life than they'd like to believe.", who are those nerds, if not the people involved with the game?

Face it, you had people in mind, whether many people, or just a few. And these are people who are innocent of the charges you so are so cavalier in applying.

And you clearly don't know anything about the field if you think "attack vector" is the same as "attack", or if you think "security posture" and "security" refer to the same concept. You berate based on terms being the same, but then, when people point out that they actually talk about subtly different concepts you pretty much write it off as if the difference might not be important. YES, there are tons and tons of attack vectors that aren't attacked. And it sounds stupid for me to talk about all the attacks in a system when I really mean attack vectors.

When it comes to stuff you don't actually know anything about, you should stop being judgemental and condescending, whether it's to an entire industry, or just some of the people. You just reinforce the stereotype of undeserved arrogance that most people associate with MIT students that does the many great (and yet humble) people from that school a disservice.

Re:Security Posture?!?

[birge]

I think if you reread my first post, you'll see that I made a point of saying that I respected WHAT these folks do, and just thought the words were contrived. But you're right about MIT having a reputation for arrogance, and I really don't want to contribute to that. I didn't mean to sound arrogant, because my original point was that I don't like the way professions try to sound important by coming up with obfuscating phrases, when simple ones (or existing ones) will do. I was being accusatory, but I'm perfectly willing to admit my profession does it quite a bit, too.

The point is taken about attack vector. I understand the meaning now, I think. Still a bit hokey (couldn't just say attack method?) but I agree it has a specific meaning. But security posture? That's just indefensible. :-)

Re:Security Posture?!?

An "attack method" would be a method that someone uses to perform an attack, not a vector through which a system can be attacked. And, as I mentioned before, "security" is more an adjective. The term "security posture" has an obvious and well-defined meaning. It's been in use since before IT systems, and its etemology is from the military world. I don't buy into your premise in the first place, in that I think it is rare for anyone to choose intentionally obfuscating terms, and I'd love for you to give some evidence otherwise. However, either way, you were completely off-base, and no matter what group of people you were attacking, you were attacking them for no good reason.

Re:Security Posture?!?

[birge]

The term "security posture" has an obvious and well-defined meaning. It's been in use since before IT systems, and its etemology is from the military world.

Jeez, that makes it sound even more pretentious! Guys with guns who dodge morter rounds invented the term, and it's been adopted by pasty guys who wear sandals, write computer code and wake up around noon. (I'm one of the latter guys, so don't get too pissy about the insult.) Sure, call me a dick (and you'd be half right) but don't you see my point even a little bit?

Re:Security Posture?!?

See your point? Not in the slightest. There are tons of people with a military background in the security field. You clearly see an entire field fitting this geek stereotype that you have. But that's not how it is... terms have evolved naturally.

I would love to see network trace logs

[abulafia]

I haven't been to Defcon since the third one... no time (at least I have the t-shirts), and now that I don't live nearby, it is hard to justify the expense and time off. Hell, I can't even have normal vacations, let alone conference junkets. But damn, this seems like it would have been a great year to have gone.

I'm sure someone watched the wire for this event - if TCPdump (or whatever) traces of it are available anywhere, someone post a link. It would be a fascinating thing to waste my weekend on.

Re:I would love to see network trace logs

Supposedly there are many gigs of data, but it will eventually get posted. The problem is that a lot of the data will be useless, since most of the network traffic was over SSH.

You forgot

[woah]

..but the setup of various components can be... trying at times

...only for thick people.

Seroiusly though, buy only supported hardware. When you buy a Mac, you don't expect for all your existing PC peripherals to work with it. Same goes for Linux. Check to see what is supported. That's all there is to it.

What really gets me are all these whiny posts, "I installed Linux and now my camera's not working and my scanner's not working and blah blah bla..." - Get a clue, kids!

Re:You forgot

[Mechcozmo]

Actually all of my hardware was supported with Ubuntu. However, I could not get WINE to work. I was lost. I figured out to add the repository, searched for WINE, checked it and then told it to download and install, etc. I was happy that I didn't have to bother with a CD key, restart, etc through all of this. But then once it said it was done... nothing. How did I start WINE? Configure it? View a ReadMe file?

Under Windows it is a messy pain but you at least can run the program. Under OS X you control where the program is. But under Linux, nothing. I'd love to use Linux as my primary x86 OS but it frustrates me that the support out there is nearly nonexistant. The IRC help channel, Google, Ubuntu itself, none of them were able to help. And when I installed Windows 2000 and it overwrote the MBR... oh well. Firefox was broken anyway. There wasn't any QA work done before it was dumped into the update stream.

If you want to help me, just let me know. I'd love to know that the open source community is helpful towards new members without just saying "RTFM!" because the manual is for a different version and a different subset of something and is worth nothing.

Sorry for the rant, but that's a part of the reason why I believe Linux isn't ready for the desktop.

well fed

[capicu]

9 out of 10 top trolls recommend James McGuigan as a good person to have reply to your inflammatory posts

The game is quite different...

[lamj]

I was there playing CTF. This year's focus is definitely very different, unless you can dream assembly, you are not going to be very effective at attacking.

The way they setup the infrastructure also does not allow you to do a whole lot of defense against the attacks.

In terms of this being real-world... Honestly, how many security incidents are caused by hackers reversing the binary which lead to the intrusion? I would say 95% of intrusion are done by script-kiddie method.

I hope they will put more infrastructure related vulnerabilities into the game to make it more interesting. I am not suggesting the lame vulnerabilities that can be detected by Nessus and standard exploit tools but some that requires serious kung-fu to detect and exploit.

All in way, it was a very fun game. I am sure everyone enjoyed it. Congrats to all the winning team, see ya all there next year.

Re:The game is quite different...

There were plenty of infrastructure vulnerabilities, and there were also plenty of vulnerabilities that didn't require reverse engineering. I know that everybody missed some of them, but in general, this was the low-hanging fruit, and was the first stuff to go.
Also, I thought there was plenty you could do on defense. Several teams were running IDS. The challenge was to watch what people were doing to attack you effectively, so you could at least patch up the service if you couldn't figure out how to fix the problem.
You're right that the game didn't relfect the place of skript kidz in the world. If it was "reflecting real life", it was reflecting the real life of those people who feed exploits to those people... if you want to be like some wanker at the ISS XForce and find the sploits in Microsoft products, you can't wait for someone to hand you the source code...

Teams?

[geekp0wer]

Just like online gaming.... Teams were not balanced. From what I heard the top 3 teams all had 20+ people. Some 30..... 4th place had 7 people. Also heard the points system was a little skewed. Basicly if you owned someone else's server then you scored points for the length of time you owned it. B ut then the team that was being hacked would take it off line and you would be out of luck. The penalties for off line boxes were less sever than the rewards for owning someone. The contest was run by a group called Kenshoto. The story goes that they are an anonymous bunch and that is the alias they are using. I was there and the set up was ultra cool. A few improvements and next year will be even better. Check out this link for more info. http://www.securityfocus.com/news/11269

Re:Teams?

just to set the record straight, shellphish had (has) 12 people

Re:Teams?

Nice... you linked to the same article that the /. story linked to! :)

The top team only had 12 people. See: http://www.cs.ucsb.edu/~vigna/defcon/017%20Black%2 0badges,%20black%20jackets,%20and%20the%20competit ion%20banner%20are%200wned.html

The third place team had only 9 people. And, an individual beat this team, and several larger teams. The largest team (the second place team) only had one person who was doing reverse engineering. All in all, it had nothing to do with the size of the team, but more with the skills of the people.

Also, the point system wasn't skewed. Even if someone took all their services down, people and teams still got mega-points for finding bugs. And, while taking services down to keep other people from scoring additional points was certainly an intentional part of the game, people generally didn't take their services down unless they were 100% sure they were getting owned and couldn't do anything about it, because they would then lose points due to the services being down.

I heard that those Kenshoto guys are all wanted by the law, which is why they are using aliases!

Re:Teams?

[kenshotosnit]

The penalty for off-line boxes was MORE severe than the reward for an 0wn. You could basically score two points for an 0wn per 5-10 minutes. If you managed to take down all your services for the whole game, you'd end up with 0 points, because your attack score was multiplied by your uptime percentage. Let's say that you determined that you were getting pwn3d through the Alice service about 1/2 way through the game, so you just shut the thing off. The one team would probably fail to score two points every 20 minutes, for a loss of about 90 points (before you take the other team's uptime/SLA into account... a good team had a 60% uptime, so this is at most 54 adjusted points). But, what would you be giving up? IIRC, in this scenario, you'd probably fail about 150 polls due to Alice being down. This would move your SLA/uptime down at least 5%. The top teams were all scoring about 1000 points or more before SLA scaling. This would make it a wash versus the team that 0wned Alice, but you are losing points with respect to other teams, too. If you just leave Alice up, only one team gains ~50 points on you. If the team 0wning you makes it so that you don't score uptime points, then they deserve to have the service taken down on them... if they were good, they scored "breakthrough" points anyway. On the whole, though, you should have been trying to figure out HOW you were being owned, and use that to fix the service. It was part of the game. We gave "breakthrough" points for finding a problem at all, so if you were good at auditing, you would score (first people to report a breakthrough got a lot of points, but subsequent reporters got very few). Just to give you an example, the winning team wouldn't have won if they hadn't found a new vulnerability in the last hour of the game.

Doh!

[KnarfO]

Son of a B!