Archive for the ‘DEFCON’ Category

DEFCON 32: -184 day updates.

Tuesday, February 6th, 2024

DEFCON 32 is not – repeat, not cancelled.

It sounds like it was a near thing, though.

According to a post on the forums by Dark Tangent, “Caesars abruptly terminated their contract with DEF CON” seven months before the convention, leaving DEFCON with no location.

We don’t know why Caesars canceled us, they won’t say beyond it being a strategy change and it is not related to anything that DEF CON or our community has done. This kind of no-notice cancellation of a contract is unheard of in the conference business. The parting is confusing, but amicable.

The current plan seems to be to hold DEFCON at the Las Vegas Convention Center, “with workshops and training at the Sahara Hotel”. If you’re planning to go, it sounds like your best bet on a place to stay is probably a hotel on the monorail route.

There’s a pretty lively discussion, with a lot of speculation, in the Hacker News thread (where I first heard about this).

DEFCON 31 news flash.

Friday, September 8th, 2023

By way of Hacker News, and I only discovered this 15 minutes ago so I haven’t had time to go through all of it yet:

“Snoop unto them, as they snoop unto us”.

Here’s the original description:

BLE devices are now all the rage. What makes a purpose built tracking device like the AirTag all that different from the majority of BLE devices that have a fixed address? With the rise of IoT we’re also seeing a rise in government and corporate BLE surveillance systems. We’ll look at tools that normal people can use to find out if their favorite IoT gear is easily trackable. If headphones and GoPro’s use fixed addresses, what about stun guns and bodycams? We’ll take a look at IoT gear used by authorities and how it may be detectable over long durations, just like an AirTag.

The first link will get you to slides, video of the talk, files, and code. As you know, Bob, Bluetooth is a thing for this blog, so this is relevant to my interests…

DEFCON 31 notes, part 3.

Monday, August 14th, 2023

There’s a story in The Register about the Johannes Willbold “Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites” presentation at Black Hat.

But I’m not going to link it. Instead, I’m going to link the Hacker News discussion of the story, which I think is more interesting (and contains a link to the story itself).

There was a suspicious package discovered on Saturday night, and DEFCON was evacuated until it was dealt with. There’s a lot of speculation floating around that I don’t want to link to, so I’m only providing the official statement.

Here’s a really detailed and clear write-up of “A Pain in the NAS: Exploiting Cloud Connectivity to PWN Your NAS”.

And here’s more on “All Cops Are Broadcasting: Breaking TETRA After Decades in the Shadows”, including the team’s paper for the USENIX Security Symposium.

I know I pointed folks to the media server the other day for preliminary presentation slides, but I want to call this presentation out specifically: “Private Keys in Public Places”.

DEFCON 31 notes, part 2.

Friday, August 11th, 2023

Slides are up for Thursday’s Black Hat presentations. At least some of them, including:

Here’s a link to the DEFCON 31 presentations on the DEFCON media server.

Thursday’s DEFCON presentations that I was interested in:

As I noted earlier, the current state of Twitter makes it almost impossible for me to keep up with and provide presentation updates. Your best bet (and I feel like a lazy journalist saying this) might be to check out the decks on the media server for any presentations you are interested in, check out those folks’ Twitter or Mastodon feeds (if you’re on one of those services, and they’ve put that in their deck) and look for updates there.

Tips in comments are welcome.

DEFCON 31 notes.

Wednesday, August 9th, 2023

The Black Hat Briefings in Las Vegas started today.

DEFCON 31 starts tomorrow, though it seems like Friday is when things pick up.

Despite the recent, and much appreciated, shout-out from Borepatch, I’m feeling kind of ambivalent about trying to keep up with DEFCON this year.

My recent trip (write-up coming in the next few days, promise) blew a pretty big hole in my schedule. I haven’t had any time to do prep work for DEFCON/Black Hat. And I have a whole bunch of things I want to do, and so little time to do them in.

I also rely heavily on Twitter for links to presentations. And the current state of Twitter makes that almost impossible.

It also feels like DEFCON has moved past me. It used to feel like a gathering of one of my tribes. Now it feels like…something else. I note that DEFCON admission is now $460. And you don’t get free admission, or even a discount, if you go to Black Hat.

Still, tradition is tradition. So let’s see how badly I can do this.


DEFCON 30 notes.

Monday, August 15th, 2022

Lawrence (who I hope is feeling better) pinged me over the weekend about missing DEFCON 30 coverage. (At least, that’s what I think he was pinging me about: his email was kind of cryptic.)

There are some things going on here.

One is that, as I said last week, I was in a mood. It takes a lot of time and effort to pull together the preliminary list of DEFCON panels, the day to day coverage, and the post-DEFCON writeups. That effort is even harder now, because Twitter has pretty much removed the ability to view more than a couple of a person’s tweets without being signed in. I just didn’t have it in me last week.

Which kind of leads to the second reason: it just doesn’t seem that my DEFCON coverage gets the level of engagement that justifies the effort. As far as I can tell, people just aren’t all that interested in it. That may be (probably is) a flaw on my part as a writer, it may be that my audience just isn’t interested in computer security subjects, or it may be that I’m completely misreading what people are interested in.

It also feels like DEFCON has moved beyond me in the post-Wuhan Flu world. It used to feel like a gathering of one of my tribes. Now, it costs $360 (“with a processing fee of $9.66 added to online orders”). Masks are required. And supposedly, you may run into trouble with the hotel if you want to bring a legal firearm. (Hattip: McThag.) They’re also still doing that weird “semi-hybrid” model again, and I’m just not willing to spend a bunch of time hanging out on Discord.

(I’m pretty sure I stayed at that “s–tball” Travelodge on my last DEFCON trip. “they just want their $56 per night and prefer you to not leave used heroin works in the potted plants outside” seems pretty accurate.)

The last thing is: I’ve seen almost no other coverage or discussion of DEFCON 30 this year. At least not in the places I’d expect to see it: Wired, ArsTechnica, or HackerNews. ThreatGrid did a round-up post this morning if you want a different take than mine, but other than that, I’ve seen nothing.

I went and checked the schedule (which you can find here: I haven’t found the media server yet.) One thing that is really nice is that they’ve added much more information to the schedule entries, including links and references where available.

And…there just are not a lot of presentations this year that I find interesting. I can see why people would be interested in “Computer Hacks in the Russia-Ukraine War”, but at only 20 minutes, I have questions.

Maybe “Wireless Keystroke Injection (WKI) via Bluetooth Low Energy (BLE)” because Bluetooth, but that’s not so much breaking Bluetooth as it is pretending to be a legit Bluetooth device.

“The PACMAN Attack: Breaking PAC on the Apple M1 with Hardware Attacks” and “Process injection: breaking all macOS security layers with a single vulnerability” probably have some relevance to Apple folks. So does “The hitchhacker’s guide to iPhone Lightning & JTAG hacking”. And I can see the interest in “Glitched on Earth by humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal”, but I don’t have a Starlink terminal to play with.

“You’re Muted Rooted” has the Zoom thing going for it. I’ll confess to a small amount of interest in “HACK THE HEMISPHERE! How we (legally) broadcasted hacker content to all of North America using an end-of-life geostationary satellite, and how you can set up your own broadcast too!” and no interest at all in this year’s “Hippy, please.” one.

“Defeating Moving Elements in High Security Keys” does sort of get my attention. And that’s the last thing that does.

It just feels smaller and less interesting. Perhaps DEFCON is still finding their footing again after the last two years. I don’t know. I also don’t know if I’m going to do anything next year.

Speaking of DEFCON…

Tuesday, April 27th, 2021

I’m sure many people have been asking the questions, “Is DEFCON happening this year? And will it be in-person or virtual?”

The answers are: yes, yes, and yes.

DEF CON 29 will be a hybrid conference, partially in-person, and partially online. DEF CON will not be a “normal” con, but more like DEF CON “Different.” The situation we face this year is unique and will require us to do things differently, simplify our plans, and in a fast-moving environment be flexible to change.

Summarizing:

  • Masks.
  • Vaccinations.
  • Social distancing.
  • “For the first time ever, we will have conference pre-registration for the in-person conference.”

Link to the full statement.

Obit watch: April 26, 2021.

Monday, April 26th, 2021

Les McKeown, of the Bay City Rollers.

I have not found a mainstream source for this yet, but it seems to have been confirmed in various places: Dan Kaminsky, noted security researcher.

His politics were not mine, and he was not a personal friend or even acquaintance of mine. But I was lucky enough to see him speak at DEFCON and Black Hat a few times, and the guy was wicked smart. Especially when it came to TCP/IP and DNS: man probably forgot more about DNS than I’ll ever know. (One of my favorite talks involved him demonstrating how he could run streaming audio, in real-time, over the Internet…by embedding data in DNS queries. I believe this was that talk.)

There’s a good Hacker News thread here, and an obit from The Register here.

When your Register hack asked Kaminsky why he hadn’t gone to the dark side and used the flaw to become immensely wealthy – either by exploiting it to hijack millions of netizens’ web traffic, or by selling details of it to the highest bidders – he said not only would that have been morally wrong, he didn’t want his mom to have to visit him in prison.

The Reg obit also includes a link to a playlist of Mr. Kaminsky’s talks on YouTube.

“What you gonna do when you get out of jail?…” part 140

Monday, August 17th, 2020

A while back, I summarized a DEFCON presentation on gun safe insecurity. I thought it might be fun today to post some demos, by way of the LockPickingLawyer channel on the ‘Tube.

First up, the “SnapSafe’s TrekLite TSA Gun Lockbox”, a case designed for airline transport of firearms. To summarize the video, this case is so bad that, if it worked as designed, it would actually be illegal to use. But because the design is so awful, it probably actually is technically legal. Still not secure, but technically legal.

Next up, the “Vaultek LifePod Gun Safe”, a waterproof gun safe endorsed by a prominent gun guy. You may remember Vaultek from almost three years ago, when it turned out their Bluetooth enabled product wasn’t secure. Turns out that the LifePod has a problem as well: the type of problem that you can exploit with a fork.

“Don’t read the comments.” But in fairness, Vaultek did respond in the comments and state that they are offering a fix for this problem.

You know what irony is, though? Irony is like 10,000 spoons when all you need is a knife. Okay, that’s not really ironic, that’s just stupid. But it sets up this: the Stack-On RFID Gun Safe.

But what if you don’t have a fork? Or a spoon? What if you just have a broken milk carton an orange juice bottle?

Coat hanger?

And now we know why the Knights Who Say “Ni!” wanted a shrubbery:

DEFCON 28 preliminary update: May 8, 2020.

Friday, May 8th, 2020

I will not be going to DEFCON this year.

News: nobody will be going to DEFCON this year. At least not the in-person version.

Will I try to cover the remote DEFCON remotely? I don’t know right now. I want to see what form the remote conference takes, and how it fits into my schedule, before I commit to anything. If I can, I will, but no promises yet.

Black Hat/DEFCON 27 links: August 16, 2019.

Friday, August 16th, 2019

Apologies for being behind on this: I’m also working on another project that’s taking up a lot of my blogging time, but I hope to be done with that soon.

Black Hat/DEFCON 27 links: August 13, 2019.

Tuesday, August 13th, 2019

I had a lot of trouble finding this on the site, but: the DEFCON 27 media server is here.

I’ve got to wrap this up for now, as my lunch hour is almost over. I may try to do a second post tonight, if I find enough additional material to justify one. Otherwise, please share, enjoy, comment, and thank any presenters whose work you found particularly enjoyable or valuable.