Paid Advertising
web application security lab

BlueHat Pics

I’m finally finished with all the Microsoft talks for this week. It was a lot of fun this week - I had more and more fun as the week went on, which also coincidentally coincides with my health improving (had a bad cold this week). Thankfully, I was up for today, because I had a really good meeting, but let’s start from the beginning.

The first two talks went well. They were to the executives. Unfortunately they were also pretty short so I didn’t go into nearly as much technical meat as I would have liked to, but it was a nice high level overview on how small holes are really a big deal in the webappsec space. I ended up spending most of my time talking with a few key people in MSRC, and IE while I was there. There was a big reception party that night, which I barely remember because I was so sick, but I got to meet Dan Kaminsky from Ioactive amongst the sea of blue. There were actually a lot of hackers and security researchers there, it turned out. Caleb Sima from SPI, for instance was there. There were some good tech talk - but an elephant could have been in the room and I probably wouldn’t have noticed - I was that out of it.

The next morning I felt 1000x better. I was the last presenter. Rob Thomas kicked off the day with a talk on the hacker economics. It was a nice high level whirlwind of what bad guys are up to. The Flexilis guys demonstrated a bunch of bluetooth 0day and also demonstrated their bluetooth sniper rifle that can steal info off of a cell phone from over a mile away (how they got that thing on the plane still amazes me). David Maynor and Robert Graham had a really nice demo on reverse engineering exploits. It was fast and furious but very nicely done. I wasn’t the only one who was sick that day though, Bunnie was also recovering from some serious jetlag but those guys managed to pull of a really good speech on why DRM isn’t interesting. I would have to agree.

I was able to deliver my full presentation in the main convention hall (which incidentally looks a lot like the senate in Star Wars). Cool convention center. My speech went off without a hitch. I demonstrated some of the obvious holes, like the MHTML stuff, which they are very much committed to fixing now, among other known issues. Ultimately, it went really well. After it was over we all split up for the most part. Only a handful of us stayed. The Errata guys and I headed over to get some food with Caleb, Dragos and some of the Ioactive crowd. Funny stories, too much to go into but by the end of the night, it was just the Errata guys, Caleb and me. Not a crowd you want to bring home to mama.

I managed to crawl into bed around 3:30 after punching out some emails. Today I went over to MS again, solo this time. I met with the IE team so they could do a Q&A with me. And when I mean the IE team, I mean the whole IE team. It was such a good turn-out that we had to take multiple pictures to get everyone in it. See here and here (and that’s after a bunch of people bailed too). It was a really great showing and I think we got more work done in that hour than I did the entire time I was here this week.

After it was over I got a chance to sit down and watch a preso by Bob Fish on Microsoft’s XSS library. The interesting part is how serious they are taking this (thankfully). Bob’s speech basically laid down the law on the fact that MS was to use this framework for all it’s new websites and eventually retroactively start using it on every site. I’ve mentioned it before, but if you run ASP.NET go check out the anti-XSS library. Cool stuff.

After it’s all said and done, I really get a great deal of confidence in what MS is doing (not that it couldn’t deal with improvements here and there, but at least they aren’t going on the wrong path). Yes, like any massive company they have flaws, and some of those flaws are holy-crap type flaws but thankfully, it’s clear they’re committed to doing the right thing where possible. And since they control the vast population of unwashed internet users, they also have the most potential for fixing the problems. Anyway, feel free to check out the rest of the pics. I’ll be talking at Toorcon tomorrow.

10 Responses to “BlueHat Pics”

  1. maluc Says:

    Aww, did you really have to mention the mhtml one? It’s possibly my favorite bug to use ^^

    I’ll be sad to see it closed for good.. although in the big picture, that’ll be a very good thing.
    Sounds like you had quite the week

  2. chillervalley Says:

    hi Rsnake

    First this bluetooth-sniper-rifle thingy is a joke? Or is this weird shit real? if so, can you explane this weird stuff a little bit?
    also i want to post then something about it on my blog for the german community. Can i take your 2 photos for this thing?


  3. Alex Says:

    @ chillervalley: Perhaps you will find some more information about something similar right here:

  4. Sid Says:

    Looks sweet.
    Just for people wondering what the strange name for the hotel is, it’s Swedish for ‘change’.
    I’m loving that your bluehat badge had already expired, but it’s possible they got the date in the “wrong” format, printing dd/mm/yy as opposed to the US standard of mm/dd/yy. If this is the case then you still have a few months of access :).
    All looks awesome, some day I’ll want to be invited to similar events.

  5. RSnake Says:

    @chillervalley, sure, take whatever pics you need! And yah, the blue sniper rifle is real. I was chatting with Matt from and he had a good point. If you see someone on top of a building with that thing, there’s absolutely no way they wouldn’t call the cops. Maybe a lower profile device is in order. Though it is pretty damned cool to be only kid on the block stealing phone numbers from an executive’s phone a mile away.

  6. Frederick Young Says:

    I’m trying to find a good article on car whispering.

    Here’s a good link. I remember getting some briefings on it and it being the most hillarious stuff ever.

    That bluetooth sniper rifle would give you a long range to mess with people as they drove past if you didnt get arrested first.

  7. 0x000000 Says:

    Did they let you touch their computers Robert? and if so: had any chance of losing a keylogger or over there? what a perfect spot for it. :)

    I would be most tempted, I’m sure.

  8. RSnake Says:

    Hahah… no, I did hear a funny story though about how last year a bunch (30 or so from the story) of the bluehat haX0rs ended up social engineering their way past the security and ended up in some conference room in the security building and had already plugged into the wall before anyone noticed. Eesh!

  9. chillervalley Says:

    ahahahahaha LOL thats just great RSnake :D

  10. chillervalley Says:


    @RSnake i wrote something about the Bluetooth Sniper Rifle in my blog. Nothing special, only very short ;-)

    I wrote it in German, so you can’t understand it. You can look at it by translating it with babelfish ->

    But i think you can’t understand it either. This translation is crappy as hell.
    If you have any further information feel free to comment this (in english, i think everyone who wants to know something about it can understand english ;-) )

    Well, this translation of babelfish is just fucked up. But the base information are readable ;-)

    Thx for the fotos