Blackhat/Defcon Report 305
Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."
Hmm... (Score:5, Interesting)
The article mentioned that the new number range search feature in Google could be particularly dangerous. Maybe I'm a little naive... why is it so dangerous?
Re:Hmm... (Score:4, Informative)
Re:Hmm... (Score:5, Informative)
Re:Hmm... (Score:3, Interesting)
Re:Hmm... (Score:2)
I've been giving serious thought as to writing a web page scraper for Slashdot so that you can browse it in a decent environment. The web front end is seriously beginning to suck.
Is there anywhere appropriate where I can send comments? There seems to be no webmaster link anywhere. The 'Bugs' link off on the l
Re:Hmm... (Score:5, Interesting)
visa 4356000000000000..4356999999999999
For example. Not saying this is the only way to find these, but it certainly is an interesting application of Google.
Re:Hmm... (Score:5, Funny)
Re:Hmm... (Score:2, Interesting)
Only on Slashdot... (Score:2, Interesting)
Would something like this get modded up to +5, Interesting.
Re:Only on Slashdot... (Score:2)
Re:Only on Slashdot... (Score:2, Informative)
Re:Only on Slashdot... (Score:4, Funny)
The glorious Department of "HomeSec" (how cute) might have an opening for you!
Re:Hmm... (Score:2, Interesting)
I knew Google was quite powerful. Recently there was a post regarding how it was possible to retrieve passwords hosted on websites due to negligence or simple FrontPage Extensions.
This one is outright dangerous. At least my number wasn't listed!!
Call the police
Re:Hmm... (Score:5, Funny)
LOL! (Score:2)
I mean, with security through obscurity, you have to at least make sure it's not making it to freaking google.
Re:LOL! (Score:2, Interesting)
Suppose:
1. you trust some website to be secure with the credit card info you send to them.
2. disgruntled employee dumps list of customers' info into plaintext file upon firing, then copies and pastes it all over the web.
Also, I think some of those pages are old, stale lists of previously compromised cards compiled by the people that did the compromising.
Re:Hmm... (Score:3, Funny)
Re:Hmm... (Score:2)
Re:Hmm... (Score:3, Informative)
Re:Hmm... (Score:2)
Since Slashdot hired set up a Ministry of Information? Of course, it is acting like Ministry of Silence, but a MoI might fit because it gives the silent treatment, and a MoS would be noisy.
Girls (Score:4, Interesting)
Re:Girls (Score:2, Funny)
I have been thinking of going to defcon for the last lil while, and maybe will be able to next year. The trip would also need to include my g/f, she knows a bit about computers, but not a whole lot. In your opinion, would there be enough for her to do there, or should she venture other places?
If she's Ceren [spilth.org], go for it. Otherwise, don't bother.
Re:Girls (Score:2)
Re:Girls (Score:4, Funny)
Bring a girl to defcon? Isn't that like bringing a pizza to a fat farm?
;-)
Seriously, bring her along. If she doesn't like the event, there's plenty for her to do nearby.
Re:Girls (Score:3, Funny)
Actually, it's precisely like bringing a girl to a fat farm.
Re:Girls (Score:4, Informative)
That said, have her look at the program and see if any of the talks are interesting to her. If she knows only a bit, maybe the technical talks won't be that interesting, but the talks that delve into the overlap between politics and technology might be of interest. I'm guessing if she's not that into it, the contests wouldn't be very fun to her.
If it's not her thing at all, have her look and see if Vegas is something interesting to her, and she can join you later. But, I'd be more inclined to say, if it's not her thing, plan a different trip that both of you would enjoy before or after DefCon.
Re:Girls (Score:2, Interesting)
2) if you fail to adhere to recommendation 1, don't bring your girlfriend. it's a very trying place as it is.
3) if you fail to go with either recommendation, make sure you have a strong liver and a desire to not get anything useful out of a very expensive weekend
Defcon died after 9, I'm just sad it took me 'til 11 to fully realize it.
Re:Girls (Score:2)
I haven't been able to attend one yet, but what exactly has 'died' about the conference? Content, quality?
Struggling... (Score:5, Interesting)
Maybe I'm just getting old, but it feels like the good old days are passing me by.
Who is fighting to save slashdot? [slashdot.org]
Re:Struggling... (Score:2)
What police/intelligence agencies have learned. (Score:5, Interesting)
So we know what they haven't learned quite well and many of us keep hoping they'll stop crying wolf without good reason. It's only so long till most Americans start ignoring the terror alerts as things now stand, something that would be very bad.
I'm sure there were plenty of more interesting things at Black Hat/Defcon though. :)
Re:What police/intelligence agencies have learned. (Score:3, Insightful)
I think all that means is that the terrorists are going on scouting missions. IOW, scout possible targets, determine some facts about them, etc. It's the same thing militaries have done for centuries: figure out what to attack and what impact it might have.
The question is whether the targets scouted are still considered relevant by the terrorists. This is the type of stuff intelligence services need to find out, and in a timely manner. And if it is s
Re:What police/intelligence agencies have learned. (Score:3, Insightful)
What do you mean start to ignore terror alerts? I haven't listened to one since the beginning!
Cue the Herman Goering quote about keeping people in fear. . .
Re:How could you? (Score:3, Insightful)
That's a debatable point, actually, and I think you're being a bit of a bigot (and this is from a guy who sometimes wishes much of the "South" would slip off into another dimension).
If I were a terrorist, I'd be looking for the *least* likely targets. I might even just throw a dart at a map. One of the aspects of terror is to, well, terrorize, and an implementation of random "can happen anywhere
Re:How could you? (Score:2)
It really depends.
If what you do is immediate, very visual and could happen anywhere then you have a good case.
But if its radiation in certain foods, which would only show years later, then it wouldn't have its "terrorist" effect.
Re:How could you? (Score:2)
but crashing a cropduster into a Waffle House isn't going to have the same kind of effect.
As if GA lives have less value than NYC lives? C'mon. And I live in DC, fwiw. btw: we were hit too. Why is that always forgotten by New Yorkers?
And if you think it'd have less impact, riddle me this: what would happen to the US Economy if a crop duster flew into the Mall of America a week before Black Friday (the Friday after Thanksgiving Day; the busiest retail shopping day of the year).
There goes Christma
Re:How could you? (Score:2)
First of all, I agree with you vis a vis the mall of america. It's a good target. Which is my point: for terrorism to occur and be effective, there must be a GOOD TARGET.
These massive, irresponsible blanket threats thrown around with ZER
Re:What police/intelligence agencies have learned. (Score:2)
Re:What police/intelligence agencies have learned. (Score:2)
Well I didn't jump up and say it but I've been wondering myself why we need one, as you point out, what's Tom Ridge for? I thought he, and his new department of Homeland Secu
Re:What police/intelligence agencies have learned. (Score:2, Informative)
Putting aside the question of whether either position is a good idea, I don't quite get what you guys are so puzzled about. Homeland Security is supposed to maintain domestic security operations and, as you say, filter relevant intelligence info. It's not supposed to
Re:What police/intelligence agencies have learned. (Score:2)
Personally, I mislike the idea intensely, as it reminds me a bit much of J Edgar back in the day....
Re:What police/intelligence agencies have learned. (Score:2)
My next big question is about why we keep announcing "czars" of any kind. Considering the overwhelming success of the drug czar and his friends, it seems we'd have moved on to queens or overlords or all-seeing grand poobahs by now.
Re:What police/intelligence agencies have learned. (Score:2)
His job title would probably Secretary of Intelligence, if it weren't for all the jokes the title leaves room for.
Re:What police/intelligence agencies have learned. (Score:2)
There's no such timing information. While they do expect some attack before the elections, that's unrelated to the current information. Which has been determined to have been largely generated pre-9/11 in any event. Read: this was an over-reaction to worthless intel; they were all excited about it because of its specificity, but it's stale, stale. The reconnaissance info that they acquired had no timing information included.
In fact, it made me think of the "intel" that Princess Leia gave to Darth ri
Just one thing that very few learn... (Score:5, Interesting)
Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported.
As it applies to 9/11, I'm fairly certain that OBL and his boys are more willing to shell out the cash for the folks who can find undiscovered vulns than for scripters who get their rocks off by passing around " 'sploits".
Given this, I doubt there is too awful much one can learn about securing the network completely against future attacks.
Re:Just one thing that very few learn... (Score:5, Insightful)
Re:Just one thing that very few learn... (Score:3, Insightful)
Re:Just one thing that very few learn... (Score:3, Insightful)
I'
Re:Just one thing that very few learn... (Score:2)
In Mozilla's case, it would be possible to track an exploit and write your own patch, thanks to F/OSS.
Open source brings up another point - how can an agency prepare for an attack, even knowing how they'll get attacked, if the OS/proggie vendor hasn't a patch out for it yet...
Crimethinc (Score:5, Insightful)
Jesus. No wonder he looked like he was expecting to be arrested.
This 503 stuff is getting nuts (Score:5, Interesting)
Sunny Dubey
Re:This 503 stuff is getting nuts (Score:2)
Re:This 503 stuff is getting nuts (Score:2)
Here's the bug entry on sourceforge.net (Score:5, Informative)
Re:This 503 stuff is getting nuts (Score:5, Funny)
Unfortunately, we will likely have these errors for quite a while, because now that they all have machines capable of running Doom 3, and since Doom 3 is now out (and undoubtedly in CmdrTaco and friends' hands), they'll be far too busy with that to even remember that they run a website.
The recommended way to deal with this is to go out and purchase Doom 3 yourself. It won't bring Slashdot back, but you'll be too busy fighting demons to care.
mods on crack? (Score:2)
Re:This 503 stuff is getting nuts (Score:2)
9/11 lessons (Score:5, Interesting)
Christy had mentioned that one of the things they were doing at Defcon was recruiting. He went on to tell the crowd that if they were interested, and "had not gone over the line," to talk to him afterwards. The "had not gone over the line" comment became one of the hottest topics during the Q&A.
It appears that the lessons the intelligence community has learned from 9/11 have not yet trickled all the way down through the federal bureaucracy -- particularly that bit about the failure of our intelligence pre-9/11 being primarily because of our loss of vital HUMINT owing to both budget and moral directives. When the CIA was told it could only use politically correct HUMINT operatives, it lost its most vital flow of intelligence.
Actually, I think the remark in question -- "had not gone over the line" -- meant no criminal record, stable finances, etc. required of regular government employees who need clearances, like programmers and sys admins. IOW, they were looking for technical staffers for work at HQ.
The PC'ness at the CIA regarding HUMINT referred to who they could and couldn't hire as intelligence sources. E.g. (hypothetical examples here), several years ago, the CIA could hire a mid-level Iraqi military paper-pusher to smuggle out documents about what Saddam was up to, but at the same time couldn't hire a low-level al Qaeda operative to do the same because he'd gone through terror training involving weapon experiments on animals. Even if the operative could give excruciating details about the next terror strike (such as time/place/MO), he had done those evil experiments on animals, which somehow made him ineligible for the CIA payroll. (How such rules came into effect I don't know.)
Whether or not US intelligence has changed this since 9/11, I don't know the answer. I do know that one such scenario I described above was something discussed at length by news orgs immediately after 9/11 as speculation for why US intelligence failed. (IMO, there shouldn't be such silly restrictions on who the CIA can hire as sources. If the source gives good info, pay him for it to encourage more. If he doesn't, or the stuff he gives turns out to be unreliable, stop paying him.)
But as for "going over the line" - for what the guy was looking for in personnel, he means things like ability to pee in a cup cleanly, unlike Ricky Williams, and not having a rap sheet.
Re:9/11 lessons (Score:2)
What they leave out the picture are grayer operations, where they do in fact work with criminals. But such actions are almost always intended to catch bigger fish and not to compromise the security of the country as a whole. Recall the American truck driver who was a foot soldier for al Qaeda. (This was in the l
Oxymoronic Priest Quote (Score:5, Insightful)
Civil disobedience is, by definition, illegal. That's the whole point of it.
Re:Oxymoronic Priest Quote (Score:2)
I know I shouldn't feed the AC trolls, but I can't resist:
I did not make any comment on the "whole point" of any particular law. I commented on the whole point of civil disobedience. Civil disobedience is not a law. It is the willful and public breaking (hence illegal) of an unjust law, in the hopes of receiving the corresponding punishment, as a means
Re:Oxymoronic Priest Quote (Score:5, Insightful)
In a country that has no problem jailing more of its citizens than any other nation, it seems like going to prison in protest doesn't really inconvenience anyone in power.
Re:Oxymoronic Priest Quote (Score:3, Insightful)
Yes, always to start with.
A group of people staging a sit-down isn't initially illegal (your police state may vary).
Then it isn't civil disobedience yet. It's a lawful protest. Why do people insist on using the term "civil disobedience" as a synonym for "protest"?
Again, the Left is inciting violence (Score:4, Interesting)
Crow T. Trollbot
Re:Again, the Left is inciting violence (Score:4, Insightful)
It's not as one sided as you make it out to be.
Re:Again, the Left is inciting violence (Score:2)
Re:Again, the Left is inciting violence (Score:5, Insightful)
You've never heard of militias, have you? Listen to some of the right-wing crud that they spew and you'll see how wrong your comment is.
Southern Michigan Regional Militia [michiganmilitia.org]
Militia of Montana [militiaofmontana.com]
Those are just two to get you started but feel free to do your own research.
Re:Again, the Left is inciting violence (Score:2)
There is no justification. Especially the "but, they did it too" phrase.
Re:Again, the Left is inciting violence (Score:2)
Re:Again, the Left is inciting violence (Score:2, Interesting)
Violence is both Leftist and Rightist (Score:5, Insightful)
For the same reason that the radical right are always the ones who seem to be inciting violence against their domestic enemies. Tim McVeigh is hardly unique in his political stance and aspirations, nor have you cited anyone on the left that equals his level of destructiveness or intent (there are such people, but CrimeThinc is hardly of that caliber. He is not advocating mass murder).
The reality is that the so-called political spectrum is more of a sphere than a line. The extreme right and far left meet and become one and the same. Consider the similarities of Stalin and Hitler, for example. Kids blowing up toilets to protest Vietnam bear a striking similarity to skinheads defacing Jewish tombstones. Republican thugs terrorizing librarians and volunteers during the Florida recount bear a striking resemblance to communists in China enforcing campus-wide political correctness vis-a-vis the One True Party(tm) system.
Radicalism is radicalism, whether dressed in a Liberal Left or Reactionary Right attire, just as religious fundamentalism is religious fundamentalism irrespective of its Christian, Jewish, or Islamic trappings.
You have simply chosen to filter your perceptions through your own political dogma, as many people on both sides of the aisle often do. However, the reality is that folks of all radical stripes, in all political, religious, social, and philosophical directions, employ similar methods to achieve their goals, those methods correlating much more strongly to their degree of radicalism and fanaticism than their particular social, political, religious, or philosophical bent.
WILL SOMEONE PLEASE MOD UP PARENT? (Score:2)
Slight Correction in the interests of accuracy (Score:5, Insightful)
I apologize for the sloppy use of language.
If I had it to do over again, I would substitute zealotry for radicalism in the post above.
There are many people with radical notions (where radical = divergence from the society's mainstream assumptions) who are not at all fanatical and would never resort to violent means to achieve those changes (Richard Stallman is an example of someone who is radical and stubborn, but not zealous or fanatical in any real sense of the word
So, to recap: the reality is that folks of all fanatical stripes, in all political, religious, social, and philosophical directions, employ similar methods to achieve their goals, those methods correlating much more strongly to their degree of zealotry and fanaticism than their political, social, religious, or philosophical bent, or their degree of divergence from the political "mainstream."
Re:Violence is both Leftist and Rightist (Score:2)
This is extremely well said, and bears repeating. Extremists are always the ones most willing--even eager--to use violence to achieve their ends, no matter what those ends may be--and just because they're nominally "on your side" doesn't mean they merit support. Be it a nut blowing up an abortion clinic (I'm pro-life, and I still think they're nuts) or a
If you don't count... (Score:5, Insightful)
Yeah, the right wing is just *so* peaceful.
Re:Again, the Left is inciting violence (Score:2)
Re:Again, the Left is inciting violence (Score:2)
Another example of the need for a -1 Ignorant flag.
As opposed to, say....
Re:Again, the Left is inciting violence (Score:5, Insightful)
Setting bombs and robbing banks is hardly the same as smashing windows (not that I approve of either).
Discounting lone nuts like Timothy McVee
McVeigh.
(and remember that the Oklahoma City bombing was universally condemned among conservatives)
"condemned" like when Ann Coulter said "My only regret with
Timothy McVeigh is he did not go to the New York Times Building." ?
how is it that the half of America which owns guns is never the one calling for violence?
In my limited experience, the vast majority of people who shoot other people tend to be in possession of guns at the time.
It seems you've never heard of (to only quote a few examples from the last 20 years, long after the Weather Underground and the SLA went out of business):
Re:Again, the Left is inciting violence (Score:2)
By your view it's, "Hey, nobody's paying attention to me. It's ok to burn stuff."
Re:Again, the Left is inciting violence (Score:2)
I suggest, if you truly wanted to understand this, that you read Eric Alterman's "What Liberal Media?
And here's the introduction to it:
http://www.whatliberalmedia.com/intro.pdf
Pretty Decent (Score:2)
Possibly one of the highlights was getting pics of Woz and Mitnick standing a few feet apart from each other; with Woz on his Segway. Pretty cool.
um... how little did we learn since 9/11? (Score:4, Insightful)
Too crowded (Score:3, Informative)
I don't know if they've signed some sort of long-term contract, or maybe they've just gotten kicked out of everywhere else, but I'm not going back until they get a considerably larger place.
Hmm lots of pretending going on (Score:5, Insightful)
Only another anarchist or Fedcop would ever think that what an anarchist or Fedcop has to say is remotely interesting. I can't imagine anyone at DefCon suddenly deciding that either breaking things is kewl or that diversity of opinion has to be tolerated. Nor would I think that the self-professed Grey-Hats are going to come out in favor of the PATRIOT act.
When we all talk to a room full of people who are our clones it's got to get pretty boring.
What are you talking about? (Score:2, Interesting)
Wow - everyone except law enforcement has the answers it seems.
Or maybe the reality is they've learned to NOT tell you what they've learned, finally.
On the Subject of Warrants and the Patriot Act . . (Score:5, Interesting)
What we tend to forget is that, even in the Judicial system, there is a check-and-balance--especially when it comes to warrants. While a judge may allow a warrant, if a case ever goes to trial then a jury has an opportunity to nullify the value of any evidence obtained via a warrant. I know that sounds a little naive, but this is one purpose of the jury--injecting the People into the judicial process to protect an accused from the Government. The jury is the key point in the process that is not absolutely Government controlled.
However, the attendees brought issue with the fact that "judges always approve." There was a landmark case (granted, it was in the early 18th C. in England) that allowed a victim to bring suit. The victim in question owned a printing press that printed pamphlets hostile to the Crown (or was it Parliament?). The Government responded by obtaining an ill-gotten warrant to wield as a weapon to silence him. However, the man sued and won a substantial sum. I think the right words were something to the effect of "a suitably painfully high sum to deter the Government from pursuing that line of action again."
Anyway, I'd like to point out that there are recourses of action for virtually anybody mistreated by an ill-gotten warrant that are built into our legal system. Even if the judge always approves, there is the jury to help shield, and the precedent to file suit when abused. (I'd also like to point out that this is a common tactic by those justly prosecuted to try to wear down the government by attrition.)
Re:About one of the articles posted... (Score:2, Informative)
Wrong opinions (Score:3, Insightful)
Free speech ends when you're inciting violence.
Re:About one of the articles posted... (Score:2)
Still, I wish people would quit focusing so exclusively on the evils of the current administration, and acting like John Kerry would be so much better. It's exactly the kind of thinking that got us W four years ago. Remember? Clinton was corrupt to the core, Gore was see
Re:About one of the articles posted... (Score:2)
Re:About one of the articles posted... (Score:2, Interesting)
Also, don't forget how close that vote was. Gore won the popular vote. We're a divided country, "we" didn't really choose one way or the other.
The problem with 3rd party politics is that if you choose the party that best suits you, you may lose to a united enemy. If nader voters had voted gore, bush would have lost. Do you really want another 4 years of Bush? Maybe you don
Re:About one of the articles posted... (Score:2, Interesting)
During the debate over the McCain-Feingold 1st Amendment Muzzling Act, one supporter said, "we've got to get the money out of politics." To which I respond: the only way to get the money out of po
Re:About one of the articles posted... (Score:2)
Still, I wish people would quit focusing so exclusively on the evils of the current administration, and acting like John Kerry would be so much better. It's exactly the kind of thinking that got us W four years ago. Remember? Clinton was corrupt to the core, Gore was seen
Re:About one of the articles posted... (Score:3, Insightful)
"Who defines what's sedition?"
Not you, and here's why.
"...Republicats are guilty of treason..."
"...for misleading Americans into war..."
"...selling the country to the Chinese..."
"...passing the Patriot Act..."
Someone who doesn't understand the errors in those phras
Re:About one of the articles posted... (Score:2)
And claiming to be some old hippy doesn't get you any points in my book, but thanks for playing.
Re:About one of the articles posted... (Score:2)
"...Republicats are guilty of treason..."
Definition of Republicats is too vague and encompasses perfectly law-abiding Republicans.
"...for misleading Americans into war..."
Current information indicates that Americans weren't "misled", as that implies deceit.
"...selling the country to the Chinese..."
As pointed out by another, it was the Dems, if anybody.
"...passing the Patriot Act..."
Read the act and refer to the sections that are in contention, not just the entire act de
Re:About one of the articles posted... (Score:2)
Current information indicates that Americans weren't "misled", as that implies deceit.
Does that mean it's okay to lead a country to war if...you don't have your information together....because it would be really really hard? "We'll totally have the evidence AFTER the war..."
Let's face it, the president went to war without having a solid case. If he would have asked so much as "What WMDs do they have?" there would have been no answer and we wouldn't have gone in.
Re:About one of the articles posted... (Score:2)
Fortunately, the US population at that time had better sense than to become milit
Re:About one of the articles posted... (Score:2)
And the jury is still out on the "misleading Americans into war" and the evidence currently points to the war being the best call on the information currently available.
What jury are we going by? It seems that much of the government has admitted to extremely poor intelligence on the matter. Also, you must prove a case for war with solid evidence. You can run around invading countries because you can't prove they don't have large weapon systems until you sieve every grain of sand.
Weapons of Mass Destr
Re:While Priest was only doing his job (Score:4, Interesting)
Last year I did some development on a website whose owner spoke often of going to Defcon in Vegas. He also spoke of Anarchy, and causing Civil Disobedience at the Democratic convention. It didn't take me long to figure out he was using his site not to teach admins how to spot vulnerabilities in their web code, but to spread his own political agenda, and gather a willing army of script kiddies.
Needless to say our beliefs on hacking weren't the same. Whoever this person was at Defcon, he is an embarrassment to the hacking community, both whitehats and blackhats.
I stopped in on the site's IRC server to see what was up with some old friends; turns out this guy has a court date not too far off, something about striking a police officer.
I would bet it's the same guy.
His politics, and genuine lack of interest in teaching admins the skills necessary to find and fix flaws in their code, is why I left.
I'm all for hacking code, but the art would be better suited to securing systems and spreading the knowledge of how to secure, instead of teaching an army of script kiddies to be a leet hax0rz.