Search n00bz.net
Tuesday
Aug092011

Defcon Skytalks

I had the honor of speaking at Defcon Skytalks.  It was an awesome experience and I want to start off by saying Thank You to everyone involved (Bluknight, 303 and everyone else that volunteered to make this event happen.  You made Defcon the awesome experience it was. 

From the CFP

Do you have a topic that
* has to be cleared by a 3 (or 4) letter agency or department?
* would get you sued (or fired) if it were to show up on YouTube?
* discusses (un)ethical, dark, real world, ninja shit that can teach
people something useful?
* challenges the community and industry to fix "something that's broken?"
* demonstrates just how damn weak _________ is?
* -REMOVED FOR LEGAL REASONS-?
* discloses C-level exec's and lawyers' home addresses, phone numbers,
etc. for censoring the above?
* Can't be recorded? (NO AUDIO OR VIDEO RECORDING IS ALLOWED)

Yes Skytalks is what many of us are looking for from Defcon.  There is some talk that Defcon is too commercial.  With 15,000 people and more lines than Disney World, it felt that way to me.  As many veterans will tell you about cons, they post videos and slide decks so make sure you get the good stuff that can only be obtained by being there. 

A tip for the n00bz: Sure you saw Dan Kaminsky live, but you also waisted 90 min before hand waiting in line.  Not good ROI.

I gave my talk Friday and I though it went well.

A couple people that helped me by telling me to submit a talk, telling me to check my demo and dive deeper, not killing me as I kicked off an all night Ruby session, and saying at the end of it, "Good Job... now let's go to the bar!"

@bluknight

@tkrabec

@d1sc0rd1an

@jcran

@hdmoore

 

Click here for a link to all of this year's Defcon Skytalks.

 

 

Friday
Jul292011

Blackhat/BSidesLV/Defcon

I am super excited for next week. I will be attending Blackhat, BSidesLV and I will be speaking at Defcon Skytalks.

I hope to meet up with old friends as well as make new ones and share new ideas, learning, and good times.

Catch you all in the desert!

Friday
Jul012011

Revolutions and Hackers

 

 

I enjoy reading all sorts of things.  Last night I was reading Hackers: Hero's of the Computer Revolution by Steven Levy

In this book, Levy delivers the 7 commandments of the personal computer revolution. 

  1. Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total.
  2. Always yield to the Hands-on Imperative!
  3. All information should be free.
  4. Mistrust authority—promote decentralization.
  5. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race or position.
  6. You can create art and beauty on a computer.
  7. Computers can change your life for the better.

It got me thinking about the colonial times and how the patriots saw something wrong with the world and decided to fight for what they believed were inalienable rights, self-evident and universal.  I also started thinking about the current state of information security.  As a security researchers we find flaws in technology and try to share some Common Sense.  We call them best practices.  We believe that companies will not patch unless it is trivial to exploit the flaws in the system.  We write exploits and PoC not to hurt the world (well most of us) but to help it.  Someone asked me if I go online because of all the "hackers."  I told them I go online knowing it is safe because of the hackers.  Knowing that we as a community police the internet.  In essence, we govern it ourselves.  

 

1. Access to anything that might teach you something is good.  I have learned more from a n00b then I ever did a ninja.  It wasn't about the information, but the new way of thinking.  We need more new blood.  InfoSec mentors are a great thing.  You get fresh perspective in exchange for sharing some of your knowledge.

2. Hands-On... you can read about writing exploits or hacking but unless you fire up a VM, you are as much a hacker as I am a member of the Delta Force because I read a book about them.  Good News, the ability to learn is available.  Jump in... the only thing stopping you is you.  Interject your ideas and try it.  Be careful though... as Dual Core says, "Yes there is a substance but it is different from addiction."

3. All information should be free... This is the Freedom of Speech.  If we censor new ideas, we only limit ourself and our abilities.  Share your research, don't share stolen databases. 

4. Mistrust Authority-  We are all AAA by our very nature.  The world asks why, hackers say why not!  Trust but verify.  After all, if not for this, we would not have Patch Tuesday!  However do what you can to educate them.

5. Certs have their place, but there is no substitution for knowledge.  I know many people who are smarter than a CISSP and I know a CISSP who asked "what is a shell?"  Read up at Jaded Security about what the CISSP wont teach you.

http://jadedsecurity.net/2011/06/28/what-the-cissp-wont-teach-you/

http://jadedsecurity.net/2011/06/30/what-the-cissp-won%e2%80%99t-teach-you-part-deux/

6.  Computers are extensions of people.  Garbage in- Garbage out.  However add goodness,  brilliance, insight, excellence, ideas and a little pwn-sauce on top and the outcome is limitless.

7.  Computers can change our life for the better.  I know it changed mine!

 

In the end, we as a community hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Root.

Everyone have a safe 4th of July weekend.

Remember all... Every Revolution begins with a single act of defiance.  Hack the plannet.

 

 

Tuesday
Jun212011

Trick the Trickster

I have been super busy but if anyone wants to mess with this guy, please fwd me some of the lulz.

Tuesday
Jun142011

Let's up the Ante

The Metasploit team is giving an incentive for the community for exploits, CASH!

The Metasploit team is excited to announce a new incentive for community exploit contributions: Cash! Running until July 20th, our Exploit Bounty program will pay out $5,000 in cash awards (in the form of American Express gift cards) to any community member that submits an accepted exploit module for an item from our Top 5 or Top 25 exploit lists. This is our way of saying thanks to the open source exploit development community and encouraging folks who may not have written Metasploit modules before to give it a try.

https://community.rapid7.com/community/metasploit/blog/2011/06/14/metasploit-exploit-bounty-30-exploits-500000-in-5-weeks

We at HackMiami love the framework and both Express and Pro versions.  We also love the exploit development community and we love CASH!

 

Hack Miami will add to $25 to the winners of the Top 5 list bringing the total cash to $525.

TOP 5 List ($500 $525 bounty)

 

CVE Description Owner
2011-1807 Google Chrome before 11.0.696.71 does not properly handle blobs execution of arbitrary code.
2011-1218 Lotus Notes - Autonomy Keyview(.zip attachment)
2011-1206 IBM Tivoli Directory Server
2011-0657 Vulnerability in DNS Resolution Could Allow Remote Code Execution
2011-0041 Vulnerability in GDI+ Could Allow Remote Code Execution

 

We also recognize being quick and knocking out exploit on demand. 

Hack Miami will add to $25 to the first person who gets any of the 30 exploits into the trunk.

 

https://community.rapid7.com/docs/DOC-1467

 

Good Luck All... Happy Coding!

Page 1 ... 3 4 5 6 7 ... 54 Next 5 Entries »