I'm finally back from Black Hat and Defcon. For a short summary: it was a successful and very positive experience.
I really did not expect my talk at Black Hat to be such a huge success. I also didn't expect to be inundated with requests for information, analysis products, and interviews. It will probably take me a week to dig out from this avalanche. (Personally, I prefer to be known to the back-end researchers, but not to the general public. I like to surface every year or two with something mind-blowing, then return to public obscurity. Having seen the results of my talk, I'm thinking it is time to go back under the waves. My surfacing was a success.) I'll blog more about my presentation in the next few blog entries.
I usually learn as much from hallway chats, impromptu table demos, and lunch talks as from the seminars. So I didn't attend as many talks as I wanted to. Having said that, there were a few talks that I found truly exceptional:
- Black Hat: "Breaking Forensics Software: Weaknesses in Critical Evidence Collection" by Chris Palmer, Tim Newsham, and Alex Stamos. They completely and thoroughly exposed vulnerabilities in forensic software packages like EnCase and The Coroner's Toolkit.
- Black Hat: "No-Tech Hacking" by Johnny Long. Extremely entertaining as well as informative. (Johnny needs his own comedy show!)
- Defcon: "CiscoGate" by Dark Tangent (Jeff Moss, the man behind both conferences). I knew he would be a good speaker, but... wow. Excellent. Jeff told the real story behind the Cisco and Michael Lynn fiasco of 2005. This makes me proud to wear my "Cisco hate me" t-shirt. (Actually, ISS are the bad guys here. Cisco was just going along for the ride.)
- Defcon: "Picking up the Zero Day: An Everyone's Guide to Unexpected Disclosures" by Dead Addict. I like DA -- we go way back. For a non-technical talk, this was an excellent rant-based summary with a moral at the end. My favorite quote: "Lawyers do not make us safer."
- Defcon: "Greater than 1: Defeating 'strong' Authentication in Web Applications" by Brendan O'Connor. This was absolutely the best technical talk (both conferences included). He seriously tore apart bank login technologies from the client browser. I don't bank online because I don't trust it. Now I know why I don't trust it. He didn't cover card storage (see my paper "Point of Sales Vulnerabilities" being released later this month) nor registration attacks. To put it simply: online banking has no security. They are wide open. At minimum: if you must bank online, only do it from home. Don't use public terminals, don't do it from your coffee shop's wifi, and definitely don't do it at Defcon.
As an aside, Brendan was asking such great questions at the Internet Wars panel that Gadi Evron stepped down as moderator and made Brendan moderate. Very cool.
- Defcon: "Hacking UFOlogy: Thirty Years in the Wilderness of Mirrors" by Richard Thieme. Even if you don't believe in UFOs, this was a really excellent talk. Richard discussed how the media manipulates reports. And while he focused on UFOs, there are plenty of examples from other topics, from terrorism to politics.
Over the next few days I will be writing about other things from Black Hat and Defcon.