I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet. I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past. Perhaps it was because this year Montreal wasn’t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn’t catch fire (:
Archive for the ‘opinion’ Category
On a recent trip to Orlando, I opted out of the full-body scan at AUS, as I always do at every airport security checkpoint. While waiting for my pat-down, I was lectured by the TSA gate agent about how safe they are, was subsequently questioned about my cellphone use as a radiation exposure comparison, and was subjected to repeated attempts to get me to change my mind and just go through the scanner.
After a two year absence due to unavoidable other obligations like good friends’ weddings, I finally made it back to one of my favorite hacker conferences, Toorcon. San Diego is always beautiful when I happen to be there with nice weather and a cool mix of people, both locals and visitors who are there for the conference, and this year was no exception.
Taking place over the last week was the CanSecWest 2010 security conference, with their now annual Pwn2Own contest. For those that are unfamiliar, the Pwn2Own contest presents a number of devices usually consisting of mobile or cellular devices and laptops as targets and allows contestants to attempt to compromise them in some way. These targets are patched up through the most recent vendor patches, and if a contestant is able to Pwn (compromise) the device, they get to Own (keep) it. This is always a nice publicity stunt as the contest is widely publicized by its sponsor, providing researchers with some fame and a prize as a bit of a return on their invested effort researching vulnerabilities and developing exploits. The Zero Day Initiative (ZDI), which sponsors the contest, also offers to buy the vulnerabilities used by the winners and “responsibly disclose” them to the affected vendors, providing a bit of a cash incentive as well.
Over the past few years, however, some things have drastically changed in the value and marketability of such vulnerabilities.
Yesterday I came across Cleverbot, an “AI” from icogno. As far as I can tell, it’s an incarnation of their jabberwacky AI which supposedly learns from its past interactions. I’m always skeptical of anything that is claimed to be AI, because actually creating a convincing fake AI, much less a real one, is an extremely hard problem to tackle. So, chatting up Cleverbot, my skepticism was quickly justified in my own opinion, but I’ll let you be the judge. Here’s the tail end of my conversation with Cleverbot:
Earlier today, this article from ComputerWorld came across my desk. The headline grabbed my attention, having indicated controversy and disagreement, which of course I’m going to look into. The article, which cites Microsoft’s semi-annual security intelligence report, claims that Microsoft has only been right in its vulnerability exploitability predictions about 27% of the time. Others quoted in the article purport that since their accuracy is so low, what’s the point?
They’re obviously missing the point, and I suggest that the premise of even trying to calculate such a metric as its accuracy is fundamentally flawed.
When a book is so well-received by your peers as The IDA Pro Book has been, even if reverse engineering isn’t a huge part of what you do every day, you pretty much have to give it a read. The creator of IDA Pro, Ilfak Guilfanov, even recommends it himself for a number of reasons, calling it “the most thorough and accurate IDA Pro book.” Even though I don’t do a whole lot of reversing, I do use IDA on occasion, so I thought it in my best interests to read this book. Authored by Chris Eagle, a co-author of one of my favorite security books, Gray Hat Hacking, I had fairly high expectations. I was not disappointed.
Most that know me know that I’m an avid gamer. I play video games, board games, card games, puzzles, pretty much anything I can get my hands on. Because I like puzzles and strategy games, I’ve regularly been asked what I think the most strategic game I’ve ever played is, and I’ve gotten more than the occasional odd look when I don’t respond with “Chess” or “Go”, but with “Magic: The Gathering”.
First let me say that this article is not meant to diminish the work that Alexander Sotirov et al. have been doing for the past 6 months. It’s good work, has brought about some awesome results, and has demonstrated what was once a theoretical attack on PKI certificates based on MD5 hash collisions. What I’m amazed at is that it had the impact that it actually did.
A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers. Since then, many other vendors have followed suit. There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand on the issue.