72 Hours of Pwnage: A Paranoid N00b Goes to Def Con
motherboard.vice.com
> “Aren’t those the people who break into computers?”
>
> “Yes—also phones, cars, airplanes, and human bodies.”
>
> “I thought that stuff was illegal.”
While I think they're truly innovative and inevitable, the advent of "secure CPUs" [1] over the last decade or two will eventually become the norm. And once they do -- look out, brother. The woman who was having this conversation scoffs at how Def Con can even take place if the subject matter is what she thinks it is. In a short time, the computer attacks which cause embarrassing leaks and expensive losses will add up to legislators deciding something must be done. At that time, the number of us who will still like and prefer to be able to run whatever code on whatever processor we care to will be so small that it won't matter.

[1] By "secure CPUs" I'm referring to ones that support signed bootloaders, facilitating good things like being more difficult for attackers to pwn and bad things like DRM and limiting code to proprietary walled-garden app stores.
The trouble with "secure CPUs" is that they really only secure the boot process. It is then up to the OS (as usual) to secure itself which is where most failures of security occur anyway.
Consider all the phone "OSes" (aka ROMs) you can install on phones with locked boot loaders that just replace a few binaries/files here and there in an existing OS to change how it works/feels. The maker of said ROMs may not have the ability to replace the kernel but any vulnerability in said kernel will allow them to replace everything else which is precisely where userland security lives.
So the hardware may be "secure" from the perspective of the manufacturer but not from the perspective of the user. They can still be pwned.
Those are just restricted-boot CPUs, not secure CPUs. I agree secure CPUs will make attacks more difficult. Here are a few examples of them with various tradeoffs:
http://www.crash-safe.org/assets/ieee-hst-2013-paper.pdf
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
https://web.archive.org/web/20150315020829/http://palms.ee.p...
https://theses.lib.vt.edu/theses/available/etd-10112006-2048...
Original one that ran businesses which is still immune to lots of attack vectors and reliability issues:
http://www.smecc.org/The%20Architecture%20%20of%20the%20Burr...
So, spread the word on things like those, esp. CHERI given FreeBSD support, instead of that DRM garbage that uses the word security but is more about marketing & control. ;)
He should have gone to BlackHat if he wanted to see anything really interesting. Def Con is mostly a big party with life style talks and people talking about old stuff.
That's not to say there isn't neat stuff to do at Def Con (I've seen plenty of neat talks) but it's mostly a big party. There's nothing really scary going on there.
I went to HOPE a few weeks ago, after having been to such things before, but not for a few years.
I had exactly the same impression - mostly a lifestyle / social / political thing, pretty light in the way of talks with actual technical detail. Kind of like TED talks - well presented, entertaining, but not really actionable.
In years gone by, I went to some excellent events, with talks on really specific, useful things (kernel internals, gdb use, ELF dynamic loading, ltrace / strace use, that kind of thing). Can't help but wonder if those sorts of conferences still exist, or the whole scene has changed into something less practical and more lifestyle.
What talks did you attend at HOPE? There were tons of hard technical presentations. The two guys who cracked the Iridium satellite network in particular were amazing, going into deep detail on the techniques and methods used to decode the frequencies. The talk on medical device hacking was also awesome - I mean they showed you how to get on a radiology machine and other exploits. And after I saw the talk on hacking your car's internal computer I was able to go home and start futzing around with that stuff in my garage (after buying some hardware).
Maybe they don't do a lot of talks on the intricacies of C anymore (which is a bummer) but there is still a lot of technical knowledge going down at these events. I had a great time and learned so much.
Saw the Iridium guys, agree they were great. Also, this guy's talk was superb:
https://xi.hope.net/schedule.html#-coding-by-voice-with-open...
There was definitely some good stuff, just seemed to me that overall, the mix of practical/technical vs cultural/lifestyle/political at events like this has changed a lot over the years. Either that, or my perception has changed, it's hard to tell.
Iridium satellite network Video: https://www.youtube.com/watch?v=cvKaC4pNvck
Get-drunk-in-shitty-hotel-con isn't really about the talks, it's about goofing off in NYC w/ friends from IRC.
Events are just mainstream now; unless there's a chance the FBI is going to do a raid, there's likely nothing you're not going to hear about a day later on the net.
It sounds weird that they're selling key-logging sticks for $50 and spoofing routers for $100 at a convention where you'd think everyone can build that stuff by themselves for a much lower price.
Just to add to your point, I suppose.
At a convention you can pay cash (semi-)anonymously where if you had to build that stuff you'd leave a paper trail.
Many I know in this group of people (DefCon/HOPE attendees) do things like trade around craigslist-cash-purchased laptops.
It would also be a good place to anonymously buy Bitcoin for cash.
> everyone can build that stuff by themselves for a much lower price
At volume. But if you only need one (or ten), assuming your time has some non-trivial value, it's much cheaper to just buy off the shelf.
Even if you value your time as worthless then maybe you could build a hardware key logger for less than $50 in parts but I really doubt it.
There's no need to "build" anything for this purpose. Just buy a general-purpose microcontroller like this:
http://www.freetronics.com.au/products/leostick
...and stick it inside a generic keyboard (which has plenty of room).
I always thought that the fact that big corporations hand out the same keyboard to everyone enables these sorts of attacks. Any would-be spy could just make a handful of hardware key-logging generic HP and Dell keyboards and easily swap out any given keyboard at any given big company without having to even think.
I never use my employer's provided mouse/keyboard combo. Mostly because they're always absolute crap but also because I want to give any potential attackers a hard time. I can only imagine the look on some attacker's face when they show up at my desk and see custom hardware everywhere =)
You can buy them from China really cheaply for a couple of bucks.
I'm sure a lot of people there have better projects to spend their time on than rebuilding commodity hardware.
Hmm, not sure I'd say that Black Hat would in any way be a better option for "something interesting"; it's a very expensive corporate-focused conference these days.
Last time I went most of the interesting Blackhat talks were getting re-run at Defcon, so really not a lot of point in paying out for the Blackhat option, just go to Defcon and see them there.
Rather the inverse: I'm not scared of getting pwned when I go to Black Hat; at Def Con people are just acting crazy.
TL;DR: the author did some gambling in casinos and got drunk in strip clubs, barely attended any talks because he doesn't understand the jargon, and almost got pwned by connecting to the wrong WiFi.
Not really worth the time to read.
Things like this make me wonder if paid writers for (in this case) Motherboard ever know what the fuck they're talking about.
As an active DEF CON attendee and seeing the press coverage over the years, I can start to "see the matrix" of how to lazily assemble a news story. He even links to the Hacker Manifesto FFS. I thought VICE was aiming higher than this kind of trash.
It makes me distrust reporters. Do they just turn off the "I'm a noob" angle, assume the standard authoritative tone they always use and cover other topics with just as flimsy of an understanding?
>Do they just turn off the "I'm a noob" angle, assume the standard authoritative tone they always use and cover other topics with just as flimsy of an understanding?
Yes. See [Murray] Gell-Mann Amnesia:
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
― Michael Crichton
https://www.goodreads.com/quotes/65213-briefly-stated-the-ge...
Rather ironically, you can get the same effect reading Michael Crichton ;-)
At least it's supposed to be fiction.
I have never been to def con so to me it was still an interesting read on an outsiders take on what def con is.
still entertaining. :0
There ought to be a way, at the OS level, to configure a machine so no network traffic goes in or out over an unsecured link except for the VPN application's traffic.
Then, if you configure secure links to be WPA at work, WPA at home, and your VPN, there should be little risk to joining an open network to bring up a VPN.
In high-assurance security, they go further by putting that functionality into a dedicated device with minimal components, a separation kernel (or RTOS), and strong isolation of networking. Idea being it always, by static design, forces networking traffic to go through the encryptor with almost no attack surface from external network. External network stack usually in own partition, too.
Examples:
http://www.friendsglobal.com/papers/High_Assurance_Wireless_...
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=BF0...
You can do that with the routing table.
Interesting - links/details?
This is a must read if you're interested in non-standard Linux networking: http://lartc.org/lartc.html
Look for "Split access"; it's pretty similar to what you're talking about. Basically you'd just send all your traffic on your default routing table to 127.0.0.1 (nowhere), and all the traffic on your VPN routing table to the VPN. That way when the VPN isn't active all your traffic gets blackholed, but when your VPN is active it'll all get sent over the encrypted tunnel.
Thanks
Have the default route point to your VPN client, and a static route for the VPN server pointing to the internet. Most VPN clients do this already.
I think OP means prior to connecting to VPN so you are minimally exposed during the interim VPN setup.
Same technique could work, just more annoying (static route for VPN provider IP to your LAN gateway, and static routes for your trusted DNS provider, then only allow a default route to be established once VPN is connected).
It's pretty easy (at least on Linux) to firewall all inbound/outbound traffic on your physical network interfaces, allowing only the bare minimum necessary to connect to the VPN server (DHCP to get a local IP + a UDP/TCP connection to a single ip:port).
Last I checked, it was a bit more difficult to do on Windows, because it didn't allow interface-specific rules, and because software installers had a habit of opening holes for themselves in the firewall without asking you.
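A fail-closed ruleset of the kind this reply describes (and the firewall counterpart to the blackhole-default-route approach mentioned earlier in the thread), as an added example that is not from the thread: on Linux, iptables lets out only loopback, DHCP and the UDP handshake to the VPN endpoint on the physical interface; everything else may leave only through the tunnel device. The interface names, the endpoint 192.0.2.10 and port 1194 are constructed placeholders, and the endpoint is given as an address rather than a hostname so no DNS query has to cross the untrusted link.

```sh
#!/bin/sh
# Added example, not from the thread: a fail-closed VPN "kill switch" for Linux using iptables.
# Constructed assumptions: the untrusted link is $PHY, the tunnel device is $TUN, and the VPN
# endpoint is $VPN_IP:$VPN_PORT over UDP (OpenVPN-style). Override any of them via the environment.
PHY="${PHY:-wlan0}"
TUN="${TUN:-tun0}"
VPN_IP="${VPN_IP:-192.0.2.10}"   # TEST-NET-1 placeholder, not a real endpoint
VPN_PORT="${VPN_PORT:-1194}"

# Emit the ruleset as plain iptables commands so it can be reviewed before anything is applied.
# Default policy DROP on every chain; only the listed exceptions are allowed.
killswitch_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $PHY -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o $PHY -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $PHY -p udp -d $VPN_IP --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN -j ACCEPT
EOF
}

# Sanity check on the generated ruleset: the only OUTPUT rules that touch the physical
# link must be DHCP and the VPN handshake. Any other ACCEPT on $PHY is a leak.
killswitch_leak_free() {
  killswitch_rules | grep "OUTPUT -o $PHY" \
    | grep -v -e '--dport 67 ' -e "-d $VPN_IP --dport $VPN_PORT" \
    | grep -q . && return 1
  return 0
}

# Apply the ruleset (requires root). Flushing first keeps re-runs idempotent.
apply_killswitch() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 2; }
  killswitch_leak_free || { echo "refusing to apply a leaky ruleset" >&2; return 1; }
  iptables -F && killswitch_rules | sh
}
```

Run `killswitch_rules` first to inspect the output; the DHCP broadcast reply is allowed explicitly because conntrack does not reliably match it as ESTABLISHED.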
The OpenVPN client on android has something like this. See "Seamless Tunnel" in the preferences. I've used it at DefCon on the secure network in the past.
If you can't afford Def Con or can't be arsed then https://www.reddit.com/r/netsec is fun.
Vegas smells like cigarettes and garbage. Skip the long lines and absurd Vegas expenses and watch the talks from YouTube.
Or still suffer Vegas, but do all of the contests at DEF CON instead of the talks.
Venture there with just one piece of non-hackable software and hardware - a key generator that renews its key every hour. If you are the only holder and perceiver of the key after the next hour while this laptop stays on the internet, the money in an anonymous account is yours. Else the money returns to the jackpot.
In greed we thrust.
I can't find anywhere in the article that says those photos were taken with permission.
I was under the impression that photographs were not allowed.
I see Defcon doesn't have quite as stringent a media policy as HOPE, which booted Vice in response to blatant violation of the signed-consent requirement.
First I've heard of demonsaw. I can't tell from quickly perusing the website. Is it open source? Has anyone tried it?
Really boring article