DEFCON notes: Day 1

I’ve been running a little behind on these, but I’m trying to catch up. I’m also going to try to insert links to the actual presentations as they go up.

Quick takes:

“Is your iPhone Pwned?”: This was turned into a more general talk about the whole class of smartphones, including Windows Mobile devices. They demonstrated one exploit that involves settings on Windows devices from some vendors. (Basically, the exploit involves misconfigured security settings that allow a remote computer to send malicious WAP push messages that the phone will accept.) Patching mobile vulnerabilities is difficult; there are a lot of QA issues that have to be dealt with by each vendor for each platform, plus the FCC gets involved if you touch the radio code. Beyond that, the presenters spent a lot of time discussing the design of their Fuzzit tool for finding phone vulnerabilities. Key takeaway: the state of mobile security today is roughly equivalent to the state of network security as of 1999.

“Hacking With the iPod Touch”: Key takeaways:

  • There are a lot of tools available for penetration testing on the iPod Touch if you’re willing to jailbreak the device. (Wilhelm’s presentation includes a long list of available tools. Did you know that you can run Perl, Python, and Ruby on the iPod Touch? Neither did I.)
  • Nobody gets suspicious if they see you fiddling with your iPod Touch. A full-sized laptop, or even a netbook, might be a different matter.

“That Awesome Time I Was Sued For Two Billion Dollars”: Jason Scott is a pretty good speaker, but this was sort of a “meh” talk. “Yeah, I got sued for two billion dollars by someone who is apparently mentally unbalanced (in the speaker’s opinion -DB) and the case got thrown out of court.” Key takeaway: Don’t let yourself be intimidated by legal (or legal-looking) documents.

“Three Point Oh”: Couldn’t get in to see Long’s talk.

“Something About Network Security”: Kaminsky’s talk this year concentrated on vulnerabilities in PKI, and specifically certificate attacks. I still think Kaminsky is the cat’s pajamas, but his talk this year seemed a bit off, compared to some of his previous talks (for example, the tunneling data over DNS hack).

One Response to “DEFCON notes: Day 1”

  1. Jason Scott says:

    This keeps showing up in my searches when I look for other things, so after the 24th time or so, I figured I’d jump in here. 🙂

    The main purpose of the talk was to demystify and entertain about the process of being sued or pursued legally. For someone who has not experienced it, a takedown notice or a cease and desist, especially one where you don’t have a support network or the experience dealing with them, can be one of the scariest things you encounter. I’ve known people who, being sent a takedown notice, went and deleted their work and burned originals, trying to get away from what seems like a swirling black hole of destruction. It’s irrational, yes, but it comes from not having a support network or thinking you’re going through something very unique (because, say, your website is unique, even though the law itself isn’t). As was revealed during the closing plenary, a large percentage of people were coming to DEFCON for the first time this year – it was probably, for some of them, the first time they heard someone talking about a lawsuit like I was. That was the motivation. For some it’s old news, but that’s always the case with informing people of stuff – I just happened to have a relatively entertaining pair of cases to discuss it with.