Wiggly Wayne DDS posted: day 1 continued (i even skipped some talks!):

I played the junior CTF and went to whisk[e]yleaks, a good day 2 also got doom running on a LED display
Dec 29, 2018 02:32
Whiskyleaks is good
Dec 29, 2018 02:34
the "going underground to watch the stars" talk was cool if you're into astronomy. not many technical details tho.
Dec 29, 2018 12:01
the fax talk is strong and hilarious
Dec 29, 2018 17:56
is it worth watching if I already saw the defcon talk
Dec 29, 2018 20:40
The least surprising part of the bitcoin hardware wallet talk was that it has a hardcoded value of F00DBABE in the code. A bitcoiner's dream girl
Dec 29, 2018 21:31
pleasantly surprised by this year's north korea talk not being a casual j/o sesh about how the regime isn't actually that bad guys trust us also seconding the fax one being phenomenal
Dec 29, 2018 22:00
america really shot itself in the foot by exempting faxes from HIPAA whatever now you have to maintain that old poo poo way past forever
Dec 29, 2018 23:40
it's like how yall still used checks way past 2015 even. i remember seeing a check being cashed at one of my first shifts at the grocery in 1995, and that one time was literally also the last time i saw a check used holy lmao i'm almost 40 and i only learned about crossing checks from books. you all had to depend on that for decades
Dec 29, 2018 23:43
Krankenstyle posted: its like how yall still used checks way past 2015 even.

"had"
Dec 29, 2018 23:47
spankmeister posted: "had"

lol, lmao e: seriously sorry but that's hosed up
Dec 30, 2018 00:11
about 2 years ago i had to use a credit card carbon copier for a transaction, luckily my card still had the embossed digits for imprint
Dec 30, 2018 00:30
Trabisnikof posted: about 2 years ago i had to use a credit card carbon copier for a transaction, luckily my card still had the embossed digits for imprint

Same but 4 years ago, at a Hilton Doubletree. Don't think I've been to a hotel since then that did that.
Dec 30, 2018 00:37
I remember using a zip-zap machine on my credit card once in like 1999?
Dec 30, 2018 00:48
let's continue with day 2 now that the archives are a bit more up to date:

Lightning Talks Day 2 by too many people to list (2:06:49) - starts off strong tbh, not going to rate every 5m talk. there's some crazy talks in there but the majority are worth watching.

Smart Home - Smart Hack by Michael Steigerwald (51:22) - deu->eng turns out IoT devices are bad?? good talk that goes through multiple devices. includes putting arbitrary firmware on a device, and disabling the cloud features. lots of q&a

A Christmas Carol - The Spectres of the Past, Present, and Future by Moritz Lipp, Michael Schwarz, Daniel Gruss, Claudio Canella (1:01:29) - must watch talk on the attacks, mitigations and why they're still not enough. brilliant presentation throughout. q&a is good as well

Attacking end-to-end email encryption by Sebastian Schinzel (1:00:38) - really good talk on efail and the variants, the disclosure process that happened and why everything's still hosed. q&a covers a lot more details

Jailbreaking iOS by tihmstar (47:58) - rough historical talk on jailbreaking expanding on the talk from 2 years ago. the community's not changed so expect the same issues. the crypto and future work sections are p useless as well. q&a does try and point out that jailbreaking is inherently incompatible with securing the devices

Wallet Security by Stephan Verbücheln (35:34) - another *coin enthusiast, joy. the talk is p rough as well, makes the mistake of trying to explain crypto when it's not their expertise, nor are they good at explaining old well documented attacks. just watch the hardware wallet talk as it covers all of this but with practical demos as well. q&a is a bit comical as well

The Layman's Guide to Zero-Day Engineering by Markus Gaasedelen, Amy (itszn) (57:04) - great intro talk on the realities of researching from scratch, and the non-tech side of building exploits from scratch. recommend it for anyone without experience in researching to get an idea of what happens behind the scenes. actually bothers to talk about cleaning up post-exploit. no q&a - dense talk

A deep dive into the world of DOS viruses by Ben Cartwright-Cox (38:13) - must watch talk covering the less well known DOS viruses, how they function and lots of fun examples. q&a is great as well

The year in post-quantum crypto by djb, Tanja Lange (1:10:01) - must watch on what's happened in the past year across all of the NIST submissions. check last year's talk for more context. q&a is worth watching

that's all the talks for day 2, so let's start with day 3:

From Zero to Zero Day by Jonathan Jacobi (48:29) - good talk on getting into security research focusing on JITs. goes a bit too in-depth to be good for beginners, so watch if you're interested in JIT vulns. q&a does a lot to fill in the background of the talk

Provable Security by FJW, Lukas (59:06) - good intro to proofs in crypto. uses ElGamal as a basis to show how proofing works in practice. q&a is good

Self-encrypting deception by Carlo Meijer (58:43) - must watch talk covering the ssd crypto issues. first demo issue of the conference, but it gets sorted quick. lot of good q&a afterwards

Viva la Vita Vida by Yifan Lu, Davee (56:37) - great console hacking talk covering software and hardware. has a great visual explanation of voltage glitching. great Q&AAA

Russia vs. Telegram: technical notes on the battle by Leonid Evdokimov (darkk) (40:53) - great talk. covers some prior attempts at censorship, how the blacklist is implemented, and what's happened with the blocking attempts. video doesn't focus enough on the slides sadly. dense in info and a good watch. q&a has some good questions

Safe and Secure Drivers in High-Level Languages by Paul Emmerich, Simon Ellmann, Sebastian Voit (1:01:57) - great academic talk expanding on last year. covers a lot of languages, but sadly doesn't talk about the bash implementation. deep dive into the go and rust implementations. great q&a

Enclosure-PUF by Christian Zenger, David Holin, Lars Steinschulte (1:01:21) - must watch talk on creating high security physical tamper proofing systems via rf. the concept's come up before but it's good to see it demonstrated. q&a makes sure to tackle as many problems as possible in the timeframe, questionable applicability

Truly cardless: Jackpotting an ATM using auxiliary devices. by Olga Kochetova, Alexey Osipov (35:06) - must watch that goes through practical attacks that were previously under nda. q&a is good as well

Web-based Cryptojacking in the Wild by Marius Musch (39:26) - good talk, has the best walkthrough of mining so far and in a portion of the time. good runthrough of the impact on the internet, and how much could have been earned. good q&a

Attacking Chrome IPC by nedwill (54:13) - great intro talk for getting into fuzzing with no experience. if you're wanting to try into research it's a must watch. q&a is p light

Modeling and Simulation of Physical Systems for Hobbyists by (38:17) - really rough intro to how to model and simulate that goes with excel rather than the tools they mentioned? sticks with too basic physics examples, and doesn't go into how to actually do anything beyond visualising the most basic functions. no real q&a

The Mars Rover On-board Computer by breakthesystem (43:19) - great talk. focuses on the software side, and how the rover functions in practice. doesn't go very in-depth, and the q&a doesn't give many answers

that'll be it for now. lot more talks left for day 3 but the uploads are spotty and they're a bit behind. had to take a few hour pause earlier for them to catch up
Dec 30, 2018 01:33
svenkatesh posted: Same but 4 years ago, at a Hilton Doubletree.

a lot of places had them as backup in case of a phone line failure or whatever. i assume they'd just write down your number now
Dec 30, 2018 01:40
Lot of good talks this year! Gonna take me a long time to watch them all.
Dec 30, 2018 02:14
secfuck-adjacent, i used to be able to overdraft my debit card without prior agreement until like 2007ish (no credit, see) --- trick was to run between the various banks' machines because they didn't sync immediately. Then hungover me has the problem (i also remember abusing the days longer ch-chunk machine delay but it was made illegal here in like 1997ish) now everything has been synced for a decade+
Dec 30, 2018 02:46
Krankenstyle posted: secfuck-adjacent, i used to be able to overdraft my debit card without prior agreement until like 2007ish (no credit, see) --- trick was to run between the various banks' machines because they didn't sync immediately. Then hungover me has the problem

here it took the economic meltdown and a federal law to make it so your bank couldn't just let you overdraft and then charge you insane fees for it. the law doesn't bar them from doing it, it just makes it opt-in, so now the banks repackaged it as some kind of service, like "gee if your account is out of money your card will be declined, but with Super Account Protection Plus the purchase will still go through and you can just pay us a $50 overdraft fee for the privilege, isn't that great???"
Dec 30, 2018 04:19
Shame Boy posted: here it took the economic meltdown and a federal law to make it so your bank couldn't just let you overdraft and then charge you insane fees for it.

the worst is when they market it as "wouldn't it be so embarrassing for the charge to be declined? for a small fee we could just let it go through instead!"
Dec 30, 2018 04:28
Shame Boy posted: here it took the economic meltdown and a federal law to make it so your bank couldn't just let you overdraft and then charge you insane fees for it.

oh but late/over/etc fees in general have been maxed out at 100dkk ~ 12-15usd at least since the 1990s, probably earlier
Dec 30, 2018 04:43
Krankenstyle posted: oh but late/over/etc fees in general have been maxed out at 100dkk ~ 12-15usd at least since the 1990s, probably earlier

this would be a really good post in the international banking trivia thread
Dec 30, 2018 04:56
PCjr sidecar posted: this would be a really good post in the international banking trivia thread

i think you're being sarcastic but now i want to read the international banking trivia thread dammit
Dec 30, 2018 07:18
Let's not pick on the Americans and their archaic banking system again guys.
Dec 30, 2018 11:04
spankmeister posted: Let's not pick on the Americans and their archaic banking system again guys.

like kicking someone who's lying down
Dec 30, 2018 11:06
Wiggly Wayne DDS posted: Explaining Online US Political Advertising by Damon McCoy (1:01:22) an interesting talk but goddamn that verbal tic is distracting.

thanks as always for posting ccc summaries, made my 6 hour layover much more bearable

Feisty-Cadaver fucked around with this message at 14:46 on Dec 30, 2018

Dec 30, 2018 14:29
let's continue with day 3:

Conquering Large Numbers at the LHC by Carsten Bittrich, Stefanie Todt (41:45) - great talk, unfortunately has audio issues. walks through trimming down what's worth storing, and how to analyse the data. lot of q&a

Domain Name System by Hannes Mehnert (42:41) - good intro talk, but keep in mind it's a very basic overview of DNS. q&a covers a lot more detail

Circumventing video identification using augmented reality by Jan Garcia (30:51) - must watch talk - turns out some banks think verifying an id over a webcam is fine? goes into a lot of detail on generating the id card. good q&a

Internet of Dongs by Werner Schober (32:41) - must watch iot talk. very thorough analysis on off the shelf hardware, but unfortunately doesn't have enough time to talk about all the issues. not a lot of q&a due to this

In Soviet Russia Smart Card Hacks You by Eric Sesterhenn (38:16) - must watch talk primarily focusing on open source implementations. the concept of a malicious card seems to have been overlooked by a lot of devs. great q&a

and on to day 4:

What the flag is CTF? by Andy (41:45) - good intro to participating in CTFs. goes through example challenges and the different styles of CTFs that exist. examples are a lot higher than a beginner would be expected to solve, so don't get dismayed by it at all.

Kernel Tracing With eBPF by Jeff Dileo, Andy Olsen (54:08) - must watch talk on improving tracing in linux kernels, or rather trying to make ebpf functional. it, uh, doesn't go well. not much q&a

Dissecting Broadcom Bluetooth by jiska, mantz (43:03) - must watch talk focusing on analysing the link layer. tl;dr stop using bluetooth. lots of good q&a

and that's the talks. there's still a few left on day 3 but they've not been uploaded yet. any talk suggestions just yell

overall the conference was as expected, the intro talks should help people get involved though and 2018 wasn't that crazy a year for the sec community.

now someone go run the numbers on # of talks i've watched
Dec 30, 2018 20:05
What's the consensus on running AV on Macs (for myself)? Do they just increase the attack surface like they tend to do on PCs, or is it actually a useful extra layer of defense?
Dec 30, 2018 20:54
TDO is back, looks like they're trying to ransom a US government agency this time. FAA maybe? https://pastebin.com/fyyBT9W8
Dec 30, 2018 22:09
Raere posted: What's the consensus on running AV on Macs (for myself)? Do they just increase the attack surface like they tend to do on PCs, or is it actually a useful extra layer of defense?

it's not useful unless you are specifically trying to disinfect some old rear end file from 1996 that isn't available without the malware anymore.
Dec 30, 2018 22:22
Daman posted: TDO is back, looks like they're trying to ransom a US government agency this time.

too bad there's no money
Dec 30, 2018 23:25
Nobody's checking the FAA's inbox at the moment anyway.
Dec 30, 2018 23:32
Midjack posted: it's not useful unless you are specifically trying to disinfect some old rear end file from 1996 that isn't available without the malware anymore.

if it's from 1996 the malware won't run under X anyway
Dec 30, 2018 23:40
fax number on one of those matches Kreindler and Kreindler which does aviation disaster, maritime, and general business law work. which would explain the random assortment of subjects in the release. not sure exactly what a plaintiff's law firm would have that could have earth shattering consequences if it were released.
Dec 31, 2018 00:09
Vanadium posted: naively I would expect that this couldn't happen, but after all I've heard about unexpected dangers in date/time handling, I wouldn't really be surprised anymore if a neglected atomic clock somehow goes critical and makes large swaths of the calendar uninhabitable

This is the plot of Ninefox Gambit by Yoon Ha Lee
Dec 31, 2018 00:27
Raere posted: What's the consensus on running AV on Macs (for myself)? Do they just increase the attack surface like they tend to do on PCs, or is it actually a useful extra layer of defense?

I'm not aware of any Mac AV that's anything other than snake oil which causes kernel panics. Maybe get yourself a Little Snitch license if you want to increase your paranoia. Install software updates, don't disable SIP and that's about it.
Dec 31, 2018 01:52
Jimmy Carter posted: I'm not aware of any Mac AV that's anything other than snake oil which causes kernel panics. Maybe get yourself a Little Snitch license if you want to increase your paranoia. Install software updates, don't disable SIP and that's about it.

we had to install them at work for PCI compliance because our auditor's an idiot so i had it installed for all of a week until he went away and then promptly removed it ...and its loving root certificate that it left behind
Dec 31, 2018 06:42
little snitch owns bones
Dec 31, 2018 07:55
Jimmy Carter posted: I'm not aware of any Mac AV that's anything other than snake oil which causes kernel panics. Maybe get yourself a Little Snitch license if you want to increase your paranoia. Install software updates, don't disable SIP and that's about it.

Someone could make a lot of money if they launched a homeopathic A/V for Mac/Linux that literally did nothing. It would be a step up from the stuff currently on the market. The number of checkbox features would be staggering:

Receives updates by probing the aura of nulls received from /dev/null, works even in air-gapped environments!

Absolutely no user data is ever uploaded to any servers

Uses only extended Orgone CPU Cycles, and so has no impact on OS performance!

ErIog fucked around with this message at 08:21 on Dec 31, 2018

Dec 31, 2018 08:18
Has someone said 'Oh, we have XProtect' to pass a compliance audit yet? related: how does PCI compliance deal with iOS, where there is no AV at all?
Dec 31, 2018 08:28