Just because I’m not going to DEFCON 21 doesn’t mean I can’t try to cover it. From 1,500 miles away. Sort of half-assedly.
DEFCON hasn’t even started yet, but Black Hat is going on, and some stuff is coming out. The biggest story so far has been Barnaby Jack’s death. I haven’t mentioned it previously because I’ve felt like it was well covered elsewhere (even FARK).
Another “big” (well, I think it is) story that I haven’t seen very much coverage of is the phone cracking bot. Justin Engler (@justinengler on Twitter) and Paul Vines, according to the synopsis of their talk and the linked article, built a robot for under $200 that can brute force PINs. Like the one on your phone.
This is one I’ll be keeping an eye on.
Borepatch is in Vegas this year, attending both Black Hat and DEFCON. He’s got a couple of posts up: a liveblog of the NSA director’s presentation at Black Hat, and another post about the links between black hats and political candidates.
So the DEFCON schedule is up. If I was going, what would get me excited? (I’ve included the Twitter handles of the speakers from the DEFCON 21 schedule information; I figure this gives a central source for looking up someone’s feed and getting copies of their presentation.)
From Thursday’s talks: I’d probably go to “Hacker Law School“, as I’m a frustrated wanna-be lawyer anyway. Why not?
Anch’s (@boneheadsanon) “Pentesters Toolkit” talk makes my heart skip a beat:
Push some more of my buttons, please.
The Aaron Bayles (@AlxRogan) “Oil and Gas Infosec 101” talk kind of intrigues me, but it would depend on my mood at the time as to whether I went to that one, or skipped out for a break.
Likewise with the Beaker and Flipper talk on robot building: yeah, robot building is something I’m interested in doing, but I might just be in a mood to visit the Atomic Testing Museum instead, and read your slides later. Nothing personal: I’m sure it will be a great talk.
I’m intrigued by the ZeroChaos (@pentoo_linux) panel on the Pentoo LINUX distribution for penetration testing. I’m not sure how that differs from, say, BackTrack, but I’d probably show up just so I could find out.
The “Wireless Penetration Testing 101 & Wireless Contesting” talk by DaKahuna and Rick Mellendick (@rmellendick) hits yet another of my hot buttons. I can’t tell from the description how much of this is going to be describing contests in the Hacker Village, and how much will be practical advice, but I’d show up anyway.
That takes us into Friday. Just from a preliminary look at the schedule, it looks like the big thing this year is hacking femtocells. Doug DePerry (@dugdep) and Tom Ritter (@TomRitterVG) are doing a talk on “I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”:
The Charlie Miller (@0xcharlie) and Chris Valasek (@nudehaberdasher) talk, “Adventures in Automotive Networks and Control Units“, sounds interesting as well. I’m just slightly more interested in femtocells than automotive hacking, so apologies to Mr. Miller and Mr. Valasek: if the two weren’t in conflict, I’d hit your talk for sure.
And if you haven’t been to a software defined radio talk, Balint Seeber’s (@spenchdotnet) sounds promising.
“The Secret Life of SIM Cards” by Karl Koscher (@supersat) and Eric Butler (@codebutler) intrigues me the most out of the 11:00 talks. And I’m kind of interested in the Ryan W. Smith (@ryanwsmith13) and Tim Strazzere “DragonLady: An Investigation of SMS Fraud Operations in Russia” presentation because, well…
There’s not much that intrigues me after Benjamin Caudill’s (@RhinoSecurity) presentation on “Offensive Forensics: CSI for the Bad Guy“. If I was at DEFCON, this is the time where I’d probably be browsing the dealer’s room, though I might go to the Amir Etemadieh (@Zenofex)/Mike Baker (@gtvhacker)/CJ Heres (@cj_000)/Hans Nielsen (@n0nst1ck) Google TV panel: these are the same folks who did the Google TV talk at DEFCON 20.
I feel kind of conflicted at 4:00. The Daniel Selifonov talk, “A Password is Not Enough: Why Disk Encryption is Broken and How We Might Fix It” sounds interesting. But I’m also intrigued by the “Decapping Chips the Easy Hard Way” with Adam Laurie and Zac Franken. Decapping chips is something I’ve been fascinated by, and it looks like Adam and Zac have found methods that don’t involve things like fuming nitric acid (and thus, are suitable for an apartment).
This is also the time when we, once again, present the “Hippie, please!” award to Richard Thieme for “The Government and UFOs: A Historical Analysis“.
I’m slightly intrigued by Nicolas Oberli’s (@Baldanos) talk about the ccTalk protocol, “Please Insert Inject More Coins”:
Saturday morning, we have the second femtocell talk, “Do-It-Yourself Cellular IDS”, by Sherri Davidoff (@sherridavidoff), Scott Fretheim, David Harrison, and Randi Price:
Opposite that, and worth noting, are the annual Tobias/Bluzmanis lock talk, and the David Lawrence et al talk on using 3D printers to defeat the Schlage Primus.
More than likely, I’d hit the Daniel Crowley et al (@dan_crowley) talk, “Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices“, and the Philip Polstra (@ppolstra) presentation “We are Legion: Pentesting with an Army of Low-power Low-cost Devices“. I’m particularly intrigued by the Polstra talk, as one of my areas of interest is how small can we make devices that can still do useful hacking? What’s the smallest feasible wardriving system, for example?
I do want to give Jaime Sanchez (@segofensiva) a shout-out for his talk on “Building an Android IDS on Network Level“. This is worth watching.
I’d have to go to the Phorkus (@PeakSec)/Evilrob “Doing Bad Things to ‘Good’ Security Appliances” talk:
Because, tape! But the Wesley McGrew “Pwn The Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices” talk also interests me.
The PIN cracking device talk is on Saturday, opposite Amber Baldet’s (@AmberBaldet) talk on “Suicide Risk Assessment and Intervention Tactics“. I’m glad DEFCON accepted her talk, and I am looking forward to seeing the presentation online.
Also noteworthy, I think: James Snodgrass and Josh Hoover (@wishbone1138) on “BYO-Disaster and Why Corporate Wireless Security Still Sucks“.
Todd Manning (@tmanning) and Zach Lanier (@quine) are doing a presentation on “GoPro or GTFO: A Tale of Reversing an Embedded System“. I don’t have a GoPro (yet) or much of a use for one (yet) but I think they are interesting devices, so I’ll be watching for slides from this talk. Same for the conflicting Melissa Elliott talk, “Noise Floor: Exploring the World of Unintentional Radio Emissions“.
This takes us to Sunday. There’s not a whole lot that really turns me on early, though I admit to some interest in the Jaime Filson/Rob Fuller talk on harvesting github to build word lists:
I like the idea behind John Ortiz’s “Fast Forensics Using Simple Statistics and Cool Tools“, and he teaches at the University of Texas – San Antonio, so I’d probably go to that.
Now is when things start heating up from my perspective. Joseph Paul Cohen is giving a talk on his new tool, “Blucat: Netcat For Bluetooth“:
Holy crap, this sounds awesome. All I ask for is code that compiles.
(Unfortunately, this is up against the Eric Robi (@ericrobi)/Michael Perklin talk on “Forensic Fails“, which sounds like fun. But Bluetooth hacking is a big area of interest for me; sorry, guys.)
Speaking of Bluetooth hacking, Ryan Holeman (@hackgnar) is doing a talk on “The Bluetooth Device Database”. Which is exactly what it sounds like:
Dude lives in Austin, too! Holy crap^2!
And that takes us through to the closing ceremonies and the end of DEFCON 21. I will try to link to presentations as they go up, significant news stories, other people’s blogs, and anything else I think you guys might be interested in. If you have specific requests or tips, please either let me know in comments or by email to stainles at mac dot com, stainles at gmail dot com, or stainles at sportsfirings dot com.
, that I’ve been thinking about.