Well, I returned from DefCon 14. After being in the Vegas sun for a few days, I’m wiped out. But I had a great time. I did post the DefCon 14 photos for those of you who are interested. Anyway, here’s the gist of what happened there.
I met up with Jeremiah Grossman and TC who regaled me with the story of how the talk went. It sounds like it went great. We also came up with a few interesting ways to advance the attack vectors that will need some heavy research. I don’t see XSS port scanning as an attack, in the same way I don’t see nmap as an attack, but it definitely can be used to initiate an attack, and that is what needs a lot more research and development.
Almost immediately I ran into the SPI Dynamics guys who ended up taking us out for sushi to smooth everything over that happened last week. They are nice guys, and I think there is no further ill will there. Yes, I’m that cheap. We mostly kept it social until later that night, but I’m getting ahead of myself.
Mike Andrews from Foundstone, Jeremiah and I had a few beers and discussed some of the interesting parts of the consulting world. We discussed his talk at Google (or what he was allowed to say anyway), and some of his current projects. Sometime soon he thinks he’ll be releasing some podcasts with some of the industry experts out there. Phil Zimmermann has already been a guest. So look out for that. Mike gave me a free copy of his book, which I’ll have to get to after the current one I’m on. I might be doing some reviews, but don’t hold your breath. I only read books when I have free time at home, which happens practically never.
Then I met up with Arian Evans and his girlfriend. Arian is the most hilarious guy I’ve met in a long time, by the way. (He recommended this movie to me.) We actually got to see a working demonstration of one of the manual attack tools his team is building. I was really impressed, but I don’t want to spill the beans because I think they are still in development. I think the casino was impressed too because they sicced security on us and made us put the laptop back up in the room. I guess having 5 guys wearing DefCon badges huddled around a computer saying things like “Whoah, this is awesome.” makes them nervous. Go figure.
We ended up getting ourselves up to the Foundation room at the Mandalay Bay at some point in the evening. We ended up having some good conversations with the SPI Dynamics guys about changes to browser technology. I don’t think we came up with any viable changes at that point, but it was also after my 11th beer of the day, so what do you expect? I met a couple of other interesting people while I was there, but we ended up retiring at about 4AM to get some waffles. Listening to Matt Fisher and Arian Evans talk together is a riot. I highly recommend it if you ever get the chance to hear it. It mostly involves Arian making fun of Matt, but it’s side-splitting.
The next day I ended up meeting Andrew van der Stock and Dinis Cruz. Dinis and I ended up talking for the better part of the day about genetic algorithms and how an XSS Warhol worm would propagate and how command and control would work. Extremely interesting conversation. I’ll probably write something about this in the not too distant future. We also discussed ways to do better XSS fuzzing against browsers, and the future of web application firewalls. All super interesting and needs further research. I only saw a few talks, because I ended up talking to all the webappsec folks most of the day.
Then PT, Vladimir and another one of their co-workers and I headed over to the Steakhouse at Circus Circus. I found a hole in one application in just a few minutes, and we spent a good while talking about it, and attack surface area and password security. I’ll probably write more on that later too. After being completely filled to the brim with the best steak in Vegas, I headed over to the IOactive party.
Chris from IOactive had a goo cannon and he likened it to “shooting someone with sperm”. That and the pirate theme and the porn wall made it a rip snorting good time. I ran into a few people I know but it was too loud to talk. I was still suffering from the night before so I decided to call it an early night.
On the way back I ran into Oliver from Symantec who does a lot of their anti-phishing stuff and he coerced me into going to the Caezar’s Challenge party. It’s ultra exclusive, and they have a passphrase but I managed to get myself in. The usual suspects were there, like Winn Schwartau and Dark Tangent. It was in the skybox and the drinks were great, but I was still dead tired so I took off early.
I ran into Digital Ebola and OverDose on my way out, but other than that the night was over by 2AM for me.
The only person who I didn’t hook up with was the Google Infosec guy who offered to buy me beers. Oh well, his loss, in the extreme. Lots more fun with Google to come. Lesson learned? Do not be a dead beat beer delivery man. A man needs his beer!
Anyway, if you haven’t been to DefCon, it’s completely worth the flight. I had a great time and met some very cool people. I almost lost my voice the second morning and got walked in on by the maid because she couldn’t hear me telling her to come back later. What a blast! Now, time to start researching all the stuff we came up with!