I’ve been absolutely buried since I got back. Let me try to race through the highlights. Firstly, if you haven’t seen Llana Grossman’s take on the con I suggest you do. It’s pretty funny actually. If you just want to jump to the pics, and avoid all the jibber jabber click here. So where to start?
id and I flew in on Tuesday, managed to find our way to our ghetto hotel (I do not recommend anyone stay at the Imperial Palace - although they do have a good Chinese place on the third floor). I ditched id who had to do work, and found my way over to Jeremiah’s room which vastly outclassed the Imperial Palace.
We all went down and got our badges, and managed to meet up with some Mozilla guys, some more WhiteHat guys and Robert E Lee from Outpost24 for dinner. Mozilla bought sushi for the table, as we talked about breaking the Internet. The speaker party was pretty fun, although I think a lot of people just wanted to bail to get a good night’s sleep. I know I did - we were second in the morning.
There was another good thought that came out of it here, talking about safe cookies, although cookies are only part of the problem. Kerberos, NTLM, basic and digest auth are all huge problems as well. Plus, in many cases I don’t need any form of authentication whatsoever - that’s how my demo worked as a matter of fact. So good thought, but it’s a long way from getting us to where we need to be.
After it was over, id and I were having some interesting conversations about some of the other information leakage problems. I’d like to propose that we consider getting plugin manufacturers (NoScript seems like a likely candidate) that have a concept of an intranet zone that prohibits referrers from being sent to Internet zones. Just a thought. It could also work in the browser, but I have a feeling it would break stuff.
I saw some good speeches - DNS pinning galore. I was actually pretty impressed by Billy Hoffman’s take on detecting DHTML malware. In talking with some hardcore AV guys, I think it’s kinda a lost cause, but it was a good take on a tough problem that not a lot of people have put much thought into.
As I’m sure you saw if you read my last post, we spent quite a bit of time talking with the Mozilla guys. They were much more interested in talking about Content Restrictions (if you’re unfamiliar with it, it’s basically a way to programmatically tell the browser not to trust your site - a concept I came up with 4 years ago and asked Mozilla to implement). They did, however, ask for me to come up with a few good things to implement. I’ll start another post on this in the next day or two when I collect my thoughts on the most valuable portions of that.
I hung out quite a bit with Dinis Cruz and a number of the other high-level OWASP guys. I’ll probably end up doing a few OWASP talks and maybe a whitepaper or two with Dinis, but that’s gotta wait for some of the other stuff to settle down. The Microsoft party was a lot of fun - they got the entire top floor of Pure. I met a lot of interesting people and probably will be working on some interesting projects there. Btw, they also mentioned us on their security researcher thank you page for some of the vulns we’ve disclosed to them.
I also met Lance James (author of the anti-phishing book) for the first time. We’ve exchanged lots of emails and both belonged to APWG, but it was good to put a face to a name. Likewise with Portswigger (who built Burp Proxy); we had a good long talk. Hopefully there is a lot more being built into the tool in the not too distant future. Rain Forest Puppy and I chatted a bit about disclosure stuff. I think there may be more coming there in the not too distant future. Lots to be done!
Anyway, I came back with a fistful of business cards, about 200 urgent emails, three new tricks, four new things to research and a ruined liver. All in all, it was a great time. More follow-ups to come.