Forgot your password?
typodupeerror
Programming Security The Internet Technology

Blackhat/Defcon Report 305

Posted by michael
from the neuromancer dept.
Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."
This discussion has been archived. No new comments can be posted.

Blackhat/Defcon Report

Comments Filter:
  • Hmm... (Score:5, Interesting)

    by VeriTea (795384) on Tuesday August 03, 2004 @01:06PM (#9869746) Journal
    Looks like the 503 Errors with Firefox are really slowing down discussions.

    The article mentioned that the new number range search feature in Google could be particularly dangerous. Maybe I'm a little naive... why is it so dangerous?
  • Girls (Score:4, Interesting)

    by Klar (522420) <curchinNO@SPAMgmail.com> on Tuesday August 03, 2004 @01:07PM (#9869749) Homepage Journal
    I have been thinking of going to defcon for the last lil while, and maybe will be able to next year. The trip would also need to include my g/f, she knows a bit about computers, but not a whole lot. In your opinion, would there be enough for her to do there, or should she venture other places?
  • Struggling... (Score:5, Interesting)

    by perlglob (800781) on Tuesday August 03, 2004 @01:07PM (#9869755)
    I've attended the past 7 defcons, and I'm starting to feel like it's losing its magic. The first defcon I went to (defcon 3) had a crowd that was much more focused on doing meaningful hacking (some ethical, some otherwise) in the field...it seems like now it's a bunch of 20 year olds who think they're hackers because they know how to reprogram their mac address on their linux labtop.

    Maybe I'm just getting old, but it feels like the good old days are passing me by.

    Who is fighting to save slashdot? [slashdot.org]
  • by Maestro4k (707634) on Tuesday August 03, 2004 @01:08PM (#9869763) Journal
    • Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11?
    I'm afraid we don't need Black Hat/Defcon to tell us this. Just yesterday we had major terrorism alerts about specific targets and today we find out the information was all years old. Does that mean the buildings weren't targets still? Well seeing as some of the info went back prior to 9/11 it would make it seem a fairly safe bet that the seriousness of the threat was vastly overstated.

    So we know what they haven't learned quite well and many of us keep hoping they'll stop crying wolf without good reason. It's only so long till most Americans start ignoring the terror alerts as things now stand, something that would be very bad.

    I'm sure there were plenty of more interesting things at Black Hat/Defcon though. :)

  • by Penguinisto (415985) on Tuesday August 03, 2004 @01:08PM (#9869765) Journal
    ...it's easier to know how to break into a system/box/whatever, than it is to learn exactly what happened and take measures to prevent it.

    Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported.

    As it applies to 9/11, I'm fairly certain that OBL and his boys are more willing to shell out the cash for the folks who can find undiscovered vulns than for scripters who get their rocks off by passing around " 'sploits".

    Given this, I doubt there is too awful much one can learn about securing the network completely against future attacks.

    /P

  • by phoxix (161744) on Tuesday August 03, 2004 @01:16PM (#9869824)
    Can we get an official word on whats going on?

    Sunny Dubey
  • by Anonymous Coward on Tuesday August 03, 2004 @01:19PM (#9869844)
    One of the articles speaks about a guy who spoke at Defconf and promoted giving those attending the Republicats convention a hard time.

    What surprised me is that the journalist did not have any problems with having the guy thrown out simply because the guy's speech was controversial. They justified censorship by stating that they had to stop him for his protection. Since when does a person in America have to abdicate his own personal responsibility and be protected for his own speech?

    As far as I can tell from their web site, Crimethinc does try to take people out of apathy, but their most important weapon is language:

    http://www.crimethinc.com/library/english/conten ts .html

    http://www.crimethinc.com/library/english/libsel ec t.html

  • 9/11 lessons (Score:5, Interesting)

    by Anonymous Coward on Tuesday August 03, 2004 @01:22PM (#9869858)
    from the article:
    Christy had mentioned that one of the things they were doing at Defcon was recruiting. He went on to tell the crowd that if they were interested, and "had not gone over the line," to talk to him afterwards. The "had not gone over the line" comment became one of the hottest topics during the Q&A.

    It appears that the lessons the intelligence community has learned from 9/11 have not yet trickled all the way down through the federal bureaucracy -- particularly that bit about the failure of our intelligence pre-9/11 being primarily because of our loss of vital HUMINT owing to both budget and moral directives. When the CIA was told it could only use politically correct HUMINT operatives, it lost its most vital flow of intelligence.


    Actually, I think the remark in question -- "had not gone over the line" -- meant no the criminal record, stable finances, etc. required of regular government employees who need clearances, like programmers and sys admins. IOW, they were looking for technical staffers for work at HQ.

    The PC'ness at the CIA regarding HUMINT referred to who they could and couldn't hire as intelligence sources. E.g. (hypothetical examples here), several years ago, the CIA could hire a mid-level Iraqi military paper-pusher to smuggle out documents about what Saddam was up to, but at the same time couldn't hire a low-level al Qaeda operative to do the same because he's gone through terror training involving weapon experiments on animals. Even if the operative could give excrutiating details about the next terror strike (such as time/place/MO), he had done those evil experiments on animals, which somehow made him ineligible for the CIA payroll. (How such rules came into effect I dont know)

    Whether or not US intelligence has changed this since 9/11 I dont know the answer. I do know that one such scenario I described above was something discussed at length by news orgs immediately after 9/11 as speculation for why the US intelligence failed. (IMO, there shouldn't be such silly restrictions on who the CIA can hire as sources. If the source gives good info, pay him for it to encourage more. If he don't, or the stuff he gives is turns out to be unreliable, stop paying him.)

    But as for "going over the line" - for what the guy was looking for in personnel, he means things like ability to pee in a cup cleanly, unlike Ricky Williams, and not having a rap sheet.
  • by Anonymous Coward on Tuesday August 03, 2004 @01:28PM (#9869878)
    How is it that the members of the most dovish American ideology when it comes to foreign policy always seem to be the ones for inciting violence against their domestic enemies? CrimeThinc (yes, I actually read the article) is just one of a long line stretching back to the Weatherman Underground and the SLA up to the Seattle WTO protestors smashing windows. Discounting lone nuts like Timothy McVee (and remember that the Oklahoma City bombing was universally condemned among conservatives), how is it that the half of America which owns guns is never the one calling for violence?

    Crow T. Trollbot
  • Re:Hmm... (Score:5, Interesting)

    by Anonymous Coward on Tuesday August 03, 2004 @01:33PM (#9869912)
    Try googling:

    visa 4356000000000000..4356999999999999

    For example. Not saying this is the only way to find these, but it certainly is an interesting application of Google.
  • Re:Hmm... (Score:2, Interesting)

    by Xshare (762241) on Tuesday August 03, 2004 @01:44PM (#9869999) Homepage
    That's just scary... and crazy. I can't believe it.
  • Only on Slashdot... (Score:2, Interesting)

    by RickHunter (103108) on Tuesday August 03, 2004 @01:44PM (#9870001)

    Would something like this get modded up to +5, Interesting.

  • Re:Girls (Score:2, Interesting)

    by junk (33527) on Tuesday August 03, 2004 @01:50PM (#9870047)
    1) don't go to defcon, it's over. there hasn't been a good con for years

    2) if you fail to adhere to recommendation 1, don't bring your girlfriend. it's a very trying place as it is.

    3) if you fail to go with either recommendation, make sure you have a strong liver and a desire to not get anything useful out of a very expensive weekend

    Defcon died after 9, I'm just said it took me 'til 11 to fully realize it.
  • by Anonymous Coward on Tuesday August 03, 2004 @01:56PM (#9870113)
    Seattle WTO protestors smashing windows
    those weren't wto protestors, those were opportunistic vandals.
  • by Anonymous Coward on Tuesday August 03, 2004 @01:59PM (#9870150)
    how is it that the half of America which owns guns is never the one calling for violence?

    You don't consider war violent? I'm pretty sure I know which group of Americans is in favor of killing people. Oh, wait, I mean, "Supporting our Troops" (TM) ClearChannel.

  • Re:Hmm... (Score:3, Interesting)

    by DAldredge (2353) <SlashdotEmail@GMail.Com> on Tuesday August 03, 2004 @02:03PM (#9870181) Journal
    Hell, when I asked about it the remaining views on my /. sub went to ZERO. I had several hundred left and BOOM they where gone.
  • Re:Hmm... (Score:2, Interesting)

    by rafelbev (194458) on Tuesday August 03, 2004 @02:04PM (#9870203) Homepage Journal
    Ok...

    I knew google was quite powerful. Recently there was a post regarding how it was possible to retreive passwords hosted on websites due to negligence or simple Frontpage Extensions.

    This one is outright dangerous. At least my number wasn't listed!!

    Call the police ... seriously
  • by Anonymous Coward on Tuesday August 03, 2004 @02:12PM (#9870284)
    Priest is a Fed and everyone knows it. I have always assumed his role at DefCon is to keep things from going "over the line," and to keep the kiddies happy and thinking they're at some rebellious event. In reality of course it's all just a show put on by the Man to keep control over wannabee hacker/cracker community.
  • Re:Too crowded (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 03, 2004 @02:25PM (#9870411)
    After talking to one of the Goons at the end of the con, it's a little of both. Nobody else is willing to put up with the shenanigans, and the DefCon crew had signed a multi year deal. Priest had mentioned in one fo the talks that they've "got a solution" for the space issues and that next year there'll be "more seats than people".
  • by mattkime (8466) on Tuesday August 03, 2004 @02:45PM (#9870586)
    Maybe much of the country thought Clinton was corrupt - and what was it over? A blow job! Is this comparable to failing to justify war?

    Also, don't forget how close that vote was. Gore won the popular vote. We're a divided country, "we" didn't really choose one way or the other.

    The problem with 3rd party politics is that if you choose the party that best suits you, you may lose to a united enemy. If nader voters had voted gore, bush would have lost. Do you really want another 4 years of Bush? Maybe you don't think Kerry is better, but we've seen what Bush will do, lets give someone else a chance.
  • by crimethinker (721591) on Tuesday August 03, 2004 @02:54PM (#9870683)
    Yes, I've seen what Bush has done, and I don't like almost all of it. And I don't think Kerry would be better; in fact, based on his senate voting record, I'm pretty sure he would be worse. I agree with your sentiment "let's give someone else a chance." Yes, indeed, how about a Libertarian or a Constitutionalist?

    During the debate over the McCain-Feingold 1st Amendment Muzzling Act, one supporter said, "we've got to get the money out of politics." To which I respond: the only way to get the money out of politics is to get the politics out of money. Once the federal government cannot rob Peter to pay Paul, the "price" of a congressional seat will go way down.

    -paul

  • by g0bshiTe (596213) on Tuesday August 03, 2004 @03:31PM (#9870965)
    LMFAO. I read that and a switch went off. I know that kid.
    Last year I did some development on a website whose owner spoke often of going to Defcon in Vegas. He also spoke of Anarchy, and causing Civil Disobedience at the Democratic convention. It didn't take me long to figure out he was using his site not to teach admins how to spot vulnerabilities in their web code, but to spread his own political agenda, and gather a willing army of script kiddies.

    Needless to say our beliefs on hacking weren't the same. Whoever this person was at Defcon, he is an embarassment to the hacking community, both whitehats and blackhats.

    I stopped in on the sites IRC server to see what was up with some old friends, turns out this guy has a court date not too far off something about striking a police officer.

    I would bet it's the same guy.

    His politics, and genuine lack of interest in teaching admins the skills necessary to find and fix flaws in thier code is why I left.

    I'm all for hacking code, but the art would be better suited to securing systems and spreading the knowledge of how to secure, instead of teaching an army of script kiddies to be a leet hax0rz.
  • Re:LOL! (Score:2, Interesting)

    by MegaFur (79453) <wyrd0&komy,zzn,com> on Tuesday August 03, 2004 @03:36PM (#9871017) Journal
    It doesn't always happen that way.

    Suppose:
    1. you trust some website to be secure with the credit card info you send to them.
    2. disgruntled employee dumps list of customers' info into plaintext file upon firing, then copies and pastes it all over the web.

    Also, I think some of those pages are old, stale lists of previously compromised cards compiled by the people that did the compromising.
  • by Anonymous Coward on Tuesday August 03, 2004 @03:39PM (#9871039)
    "Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11?"

    Wow - everyone except law enforcement has the answers it seems.

    Or maybe the reality is they've learned to NOT tell you what they've learned, finally.
  • by Dausha (546002) on Tuesday August 03, 2004 @04:41PM (#9871759) Homepage
    In the article, there was a section discussing "Meet the Feds." From that section, I quote: "The Patriot Act was also called into question by attendees. The FBI representative asserted that just because the act had been passed didn't mean they had carte blanche to surveil anyone they wanted, that judges still had approve their requests. That reasoning only flew so far, however, as the questioner pointed out that such requests by the FBI are always approved, never denied."

    What we tend to forget is that, even in the Judicial system, there is a check-and-balance--especially when it comes to warrants. While a judge may allow a warrant, if a case ever goes to trial then a jury has an opportunity to nullify the value of any evidence obtained via a warrant. I know that sounds a little naiive, but this is one purpose of the jury--injecting the People into the judicial process to protect an accused from the Government. The jury is the key point in the process that is not absolutely Government controlled.

    However, the attendees brought issue with the fact that "judges always approve." There was a landmark case (granted, it was in the early 18th C. in England) that allowed a victim to bring suit. The victim in question owned a printing press that printed pamphlets hostile to the Crown (or was it Parliment?). The Government responded by obtaining an ill-gotten warrant to wield as a weapon to silence him. However, the man suied and won a substancial sum. I think the right words were something to the effect of "a suitably painfully high sum to deter the Government from pursuing that line of action again."

    Anyway, I'd like to point out that there are recourses of action for virtually anybody mis-treated by a ill-gotten warrant that are built into our legal system. Even if the judge always approve, there is the jury to help shield, and the precedence to file suit when abused. (I'd also like to point out that this is a common tactic by those justly prosecuted to try to wear down the government by attrition.)
  • apples and oranges (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 03, 2004 @05:00PM (#9871965)
    I can't believe I'm feeding this troll, but here goes. How can you equate what this crimethinc guy is advocating, which is the destruction/defacement of property with committing physical violence? Property damage and murder, while both wrong, are quite different crimes. Shooting someone in the face is not the same as smashing the windows at the McDonalds they own. The nuts on the left seem more inclined to advocate property damage while the nuts on the right seem more inclined to kill you.

The meat is rotten, but the booze is holding out. Computer translation of "The spirit is willing, but the flesh is weak."

Working...