I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet. I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past. Perhaps it was because this year Montreal wasn’t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn’t catch fire (:
Archive for the ‘technology’ Category
REcon 2012
June 19, 2012ExploitHub
February 29, 2012
A few years ago, following the failure of WabiSabiLabi’s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works. Obviously given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can’t have a public market for 0day vulnerabilities. As WabiSabiLabi quickly found out, by disclosing enough information about the vulnerability so that a potential customer can make a determination about whether or not to buy it, you’re likely giving up enough information about the vulnerability for them to find it themselves, given varying levels of time and effort. Thus, you can really only market 0day to trusted customers and when your marketplace is open to the public, your customers are most definitely not trusted and consists of various demographics who have lots of disposable time on their hands to go hunt down your vulnerabilities. So, what if we remove 0day from the equation entirely I thought? Could an open market for exploits of public vulnerabilities work? Would anyone actually buy such exploits? ExploitHub was born, and it turns out the answer is yes.
TSA Lectures, Lies, and Rude, Dismissive Behavior
February 21, 2012On a recent trip to Orlando, I opted out of the full-body scan at AUS, as I always do at every airport security checkpoint. While waiting for my pat-down, I was lectured by the TSA gate agent about how safe they are, was subsequently questioned about my cellphone use as a radiation exposure comparison, and was subjected to repeated attempts to get me to change my mind and just go through the scanner.
Toronto, October 2010
November 2, 2010This post was originally entitled “SecTor 2010″, however I never actually attended the conference, so it’s not really about the conference but rather my short stay in Toronto during the SecTor 2010 conference.
ToorCon 12
October 27, 2010After a two year absence due to unavoidable other obligations like good friends’ weddings, I finally made it back to one of my favorite hacker conferences, Toorcon. San Diego is always beautiful when I happen to be there with nice weather and a cool mix of people, both locals and visitors who are there for the conference, and this year was no exception.
Cleverbot Not So Clever
December 29, 2009Yesterday I came across Cleverbot, an “AI” from icogno. As far as I can tell, it’s an incarnation of their jabberwacky AI which supposedly learns from it’s past interactions. I’m always skeptical of anything that is claimed to be AI, because actually creating a convincing fake AI, much less a real one, is an extremely hard problem to tackle. So, chatting up Cleverbot, my skepticism was quickly justified in my own opinion, but I’ll let you be the judge. Here’s the tail end of my conversation with Cleverbot:
SmartPhone Unlock Screens: Moving in the Wrong Direction
November 10, 2009I recently purchased the Motorola Droid from Verizon, and am so far very happy with it. Other than finding the physical keyboard a bit lacking from being extremely spoiled by the Sidekick’s physical keyboard to which no other physical keyboard could ever hope to live up to, I’ve really had no complaints with the device or the Android 2.0 operating system that runs on it. I have however, noticed that touch-screen smart-phone unlock screens (not just the Droid’s) are getting progressively less secure.
Four-factor Authentication
November 21, 2008It’s common understanding these days that the more factors of identification that a user has to provide to an authentication system, the more trustworthy and secure it likely is. Single-factor authentication is usually accomplished by providing something you know, like a password or PIN number.
As two-factor authentication became more and more mainstream, the two factors involved have usually been something you know, and something you have, like a credit card, crypto-key USB device, a code generated every so often by a electronic card you keep in your wallet, a smart-card that can respond directly to cryptographic challenges, or an RFID or other radio device. The most common use of two-factor authentication is how bank customers authenticate to an ATM machine; they must provide something they have, their bank card, and something they know, it’s PIN.
As cheap ways to collect biometrics have begun to emerge, these two factors have begun to shift from something you know and something you have, to something you know and something you are. This notion of something you are, generally referred to as biometrics, include things like your finger or palm print, iris pattern, voice print, or even your DNA. Using something you are to authenticate is obviously more inexpensive than providing users with something they need to have, however some more advanced authentication systems now require all three-factors for authentication.
Enter the fourth factor of authentication: somewhere you are.
Formal Degrees vs. Certification
August 18, 2008I’ve never been a fan of most certifications. I’ve always been even less a fan of formal degrees in education, at least for technology-centric industries. I’ve always argued that my body of work is my credential, and if a potential employer were to reject my application on the basis that I didn’t have a certain piece of paper, that short-sighted employer wasn’t the type that I wanted to work for anyway.
This article, however, goes even further to suggest that College is a waste of time for an even larger group of people than just the technology-centric industries, and hints at what certifications can accomplish, given that they evolve past most of my objections with them, which are echoed throughout the article.
Does backwards compatibility stifle innovation and progress?
September 1, 2005Upon beginning my new job, I’ve been thrown head-first into the world of Internet Telephony security, a sector that I’ve not really paid much attention to, much less followed. I’m currently in the process of getting acquainted with all of the various protocols and technologies involved, and in doing so I’ve signed up to the VoIPSec mailing list. After following the current discussion threads there for a few weeks, I see a recurring problem that I’ve seen in other growth sectors before, and unfortunately will probably see again.
