Blackhat/Defcon Report 305
Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."
Hmm... (Score:5, Interesting)
The article mentioned that the new number range search feature in Google could be particularly dangerous. Maybe I'm a little naive... why is it so dangerous?
Girls (Score:4, Interesting)
Struggling... (Score:5, Interesting)
Maybe I'm just getting old, but it feels like the good old days are passing me by.
Who is fighting to save slashdot? [slashdot.org]
What police/intelligence agencies have learned. (Score:5, Interesting)
So we know what they haven't learned quite well and many of us keep hoping they'll stop crying wolf without good reason. It's only so long till most Americans start ignoring the terror alerts as things now stand, something that would be very bad.
I'm sure there were plenty of more interesting things at Black Hat/Defcon though. :)
Just one thing that very few learn... (Score:5, Interesting)
Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported.
As it applies to 9/11, I'm fairly certain that OBL and his boys are more willing to shell out the cash for the folks who can find undiscovered vulns than for scripters who get their rocks off by passing around " 'sploits".
Given this, I doubt there is too awful much one can learn about securing the network completely against future attacks.
This 503 stuff is getting nuts (Score:5, Interesting)
Sunny Dubey
About one of the articles posted... (Score:1, Interesting)
What surprised me is that the journalist did not have any problems with having the guy thrown out simply because the guy's speech was controversial. They justified censorship by stating that they had to stop him for his protection. Since when does a person in America have to abdicate his own personal responsibility and be protected for his own speech?
As far as I can tell from their web site, Crimethinc does try to take people out of apathy, but their most important weapon is language:
http://www.crimethinc.com/library/english/conte
http://www.crimethinc.com/library/english/libse
9/11 lessons (Score:5, Interesting)
Christy had mentioned that one of the things they were doing at Defcon was recruiting. He went on to tell the crowd that if they were interested, and "had not gone over the line," to talk to him afterwards. The "had not gone over the line" comment became one of the hottest topics during the Q&A.
It appears that the lessons the intelligence community has learned from 9/11 have not yet trickled all the way down through the federal bureaucracy -- particularly that bit about the failure of our intelligence pre-9/11 being primarily because of our loss of vital HUMINT owing to both budget and moral directives. When the CIA was told it could only use politically correct HUMINT operatives, it lost its most vital flow of intelligence.
Actually, I think the remark in question -- "had not gone over the line" -- meant no the criminal record, stable finances, etc. required of regular government employees who need clearances, like programmers and sys admins. IOW, they were looking for technical staffers for work at HQ.
The PC'ness at the CIA regarding HUMINT referred to who they could and couldn't hire as intelligence sources. E.g. (hypothetical examples here), several years ago, the CIA could hire a mid-level Iraqi military paper-pusher to smuggle out documents about what Saddam was up to, but at the same time couldn't hire a low-level al Qaeda operative to do the same because he's gone through terror training involving weapon experiments on animals. Even if the operative could give excrutiating details about the next terror strike (such as time/place/MO), he had done those evil experiments on animals, which somehow made him ineligible for the CIA payroll. (How such rules came into effect I dont know)
Whether or not US intelligence has changed this since 9/11 I dont know the answer. I do know that one such scenario I described above was something discussed at length by news orgs immediately after 9/11 as speculation for why the US intelligence failed. (IMO, there shouldn't be such silly restrictions on who the CIA can hire as sources. If the source gives good info, pay him for it to encourage more. If he don't, or the stuff he gives is turns out to be unreliable, stop paying him.)
But as for "going over the line" - for what the guy was looking for in personnel, he means things like ability to pee in a cup cleanly, unlike Ricky Williams, and not having a rap sheet.
Again, the Left is inciting violence (Score:4, Interesting)
Crow T. Trollbot
Re:Hmm... (Score:5, Interesting)
visa 4356000000000000..4356999999999999
For example. Not saying this is the only way to find these, but it certainly is an interesting application of Google.
Re:Hmm... (Score:2, Interesting)
Only on Slashdot... (Score:2, Interesting)
Would something like this get modded up to +5, Interesting.
Re:Girls (Score:2, Interesting)
2) if you fail to adhere to recommendation 1, don't bring your girlfriend. it's a very trying place as it is.
3) if you fail to go with either recommendation, make sure you have a strong liver and a desire to not get anything useful out of a very expensive weekend
Defcon died after 9, I'm just said it took me 'til 11 to fully realize it.
Re:Again, the Left is inciting violence (Score:2, Interesting)
Re:Again, the Left is inciting violence (Score:1, Interesting)
You don't consider war violent? I'm pretty sure I know which group of Americans is in favor of killing people. Oh, wait, I mean, "Supporting our Troops" (TM) ClearChannel.
Re:Hmm... (Score:3, Interesting)
Re:Hmm... (Score:2, Interesting)
I knew google was quite powerful. Recently there was a post regarding how it was possible to retreive passwords hosted on websites due to negligence or simple Frontpage Extensions.
This one is outright dangerous. At least my number wasn't listed!!
Call the police
Re:Oxymoronic Priest Quote (Score:1, Interesting)
Re:Too crowded (Score:1, Interesting)
Re:About one of the articles posted... (Score:2, Interesting)
Also, don't forget how close that vote was. Gore won the popular vote. We're a divided country, "we" didn't really choose one way or the other.
The problem with 3rd party politics is that if you choose the party that best suits you, you may lose to a united enemy. If nader voters had voted gore, bush would have lost. Do you really want another 4 years of Bush? Maybe you don't think Kerry is better, but we've seen what Bush will do, lets give someone else a chance.
Re:About one of the articles posted... (Score:2, Interesting)
During the debate over the McCain-Feingold 1st Amendment Muzzling Act, one supporter said, "we've got to get the money out of politics." To which I respond: the only way to get the money out of politics is to get the politics out of money. Once the federal government cannot rob Peter to pay Paul, the "price" of a congressional seat will go way down.
-paul
Re:While Priest was only doing his job (Score:4, Interesting)
Last year I did some development on a website whose owner spoke often of going to Defcon in Vegas. He also spoke of Anarchy, and causing Civil Disobedience at the Democratic convention. It didn't take me long to figure out he was using his site not to teach admins how to spot vulnerabilities in their web code, but to spread his own political agenda, and gather a willing army of script kiddies.
Needless to say our beliefs on hacking weren't the same. Whoever this person was at Defcon, he is an embarassment to the hacking community, both whitehats and blackhats.
I stopped in on the sites IRC server to see what was up with some old friends, turns out this guy has a court date not too far off something about striking a police officer.
I would bet it's the same guy.
His politics, and genuine lack of interest in teaching admins the skills necessary to find and fix flaws in thier code is why I left.
I'm all for hacking code, but the art would be better suited to securing systems and spreading the knowledge of how to secure, instead of teaching an army of script kiddies to be a leet hax0rz.
Re:LOL! (Score:2, Interesting)
Suppose:
1. you trust some website to be secure with the credit card info you send to them.
2. disgruntled employee dumps list of customers' info into plaintext file upon firing, then copies and pastes it all over the web.
Also, I think some of those pages are old, stale lists of previously compromised cards compiled by the people that did the compromising.
What are you talking about? (Score:2, Interesting)
Wow - everyone except law enforcement has the answers it seems.
Or maybe the reality is they've learned to NOT tell you what they've learned, finally.
On the Subject of Warrants and the Patriot Act . . (Score:5, Interesting)
What we tend to forget is that, even in the Judicial system, there is a check-and-balance--especially when it comes to warrants. While a judge may allow a warrant, if a case ever goes to trial then a jury has an opportunity to nullify the value of any evidence obtained via a warrant. I know that sounds a little naiive, but this is one purpose of the jury--injecting the People into the judicial process to protect an accused from the Government. The jury is the key point in the process that is not absolutely Government controlled.
However, the attendees brought issue with the fact that "judges always approve." There was a landmark case (granted, it was in the early 18th C. in England) that allowed a victim to bring suit. The victim in question owned a printing press that printed pamphlets hostile to the Crown (or was it Parliment?). The Government responded by obtaining an ill-gotten warrant to wield as a weapon to silence him. However, the man suied and won a substancial sum. I think the right words were something to the effect of "a suitably painfully high sum to deter the Government from pursuing that line of action again."
Anyway, I'd like to point out that there are recourses of action for virtually anybody mis-treated by a ill-gotten warrant that are built into our legal system. Even if the judge always approve, there is the jury to help shield, and the precedence to file suit when abused. (I'd also like to point out that this is a common tactic by those justly prosecuted to try to wear down the government by attrition.)
apples and oranges (Score:1, Interesting)