Wiggly Wayne DDS
Sep 11, 2010



Kurvi Tasch posted:

Any suggestions which 35C3 talks to watch?

literally just got home from work, will start watching and throw up a batch later tonight


Rooney McNibnug
Sep 2, 2008

"Life always hopes. When a definite object cannot be outlined, the indomitable spirit of hope still impels the living mass to move toward something--something that shall somehow be better."

Wiggly Wayne DDS posted:

literally just got home from work, will start watching and throw up a batch later tonight

thank you for your service.

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe
lomarf
https://twitter.com/zackwhittaker/status/1078289658872819715

https://twitter.com/zackwhittaker/status/1078311838167851009

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

hobbesmaster posted:

the good news is that if you were a hacker you'd have no trouble answering those questions because the possible answers are all part of complete identities they sell!

borat voice my life

Acer Pilot
Feb 17, 2007
put the 'the' in therapist

:dukedog:


Did he just post the keys in that last screenshot?

Jonny 290
May 5, 2005



[ASK] me about OS/2 Warp

Acer Pilot posted:

Did he just post the keys in that last screenshot?

is this a rhetorical question?

ZeusCannon
Nov 5, 2009

BLAAAAAARGH PLEASE KILL ME BLAAAAAAAARGH
Grimey Drawer
I love hardcoded creds

Raere
Dec 13, 2007

You can't forget or lose your creds if you hardcode them :smugdog:

dads friend steve
Dec 24, 2004


incredible

hope they like having a million ec2+gpu instances mining bitcoin

Truga
May 4, 2014
Lipstick Apathy

Acer Pilot posted:

Did he just post the keys in that last screenshot?

as he should have.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

lol at not having any sort of middleware at all and just letting the devices upload straight to s3, what could possibly go wrong

dads friend steve
Dec 24, 2004

abigserve posted:

lol at not having any sort of middleware at all and just letting the devices upload straight to s3, what could possibly go wrong

I’m personally a fan of all the test buckets in their prod account

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

Raere posted:

You can't forget or lose your creds if you hardcode them :smugdog:

woah woah woah

look who's in the big iot league

Soricidus
Oct 21, 2010
freedom-hating statist shill

LastInLine posted:

you know there's someone else out there for whom it said toyota chevy ford and aston martin and that guy had the same reaction as you

well duh, who in their right mind would buy a ford, chevy, or aston martin

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

dads friend steve posted:

I’m personally a fan of all the test buckets in their prod account

i'm a fan of

1) elastic beanstalk :lol:
2) no cloudtrail bucket (although it could be going to another account but lol if that's likely)

Wiggly Wayne DDS
Sep 11, 2010



[pre-watch disclaimer]
before i begin going from the schedule i don't expect lots of outstanding talks, or any really bad ones, so don't expect any major criticism. these are my opinions, so make your own assessments and say when a talk's poo poo that i think is good and vice versa
[/pre-watch disclaimer]

35c3 day 1 talks:

Locked up science by Claudia Frick (@FuzzyLeapfrog) (41:52)
- quick runthrough of how academic publication occurs, and advances to encouraging free access to the publications. good watch if you're unfamiliar with the issues involved, but doesn't go that in-depth. q&a is pretty straightforward

The Rocky Road to TLS 1.3 and better Internet Encryption by hanno (1:00:38)
- audio issues go away a minute in. pretty thorough history lesson on how we got to 1.3 and the vulnerabilities along the way. a familiar email's in there. good q&a

Mind the Trap: Die Netzpolitik der AfD im Bundestag by Noujoum (41:10)
- deu->eng. good intro to the german parliament, the AfD's leverage as the biggest opposition party, and their current approach to hiding in plain view. doesn't go that in-depth though and q&a is light

Going Deep Underground to Watch the Stars by Jost Migenda (47:03)
- neutrinos: the talk. good talk to watch covering the design of detectors and future plans. q&a is good as well

LibreSilicon by leviathan, hsank and Andreas Westerwick (1:00:13)
- advances on the lightning talk from last year. very technically dense talk. they're making good progress at recreating silicon compilers, and focus a lot more on the process side this time. great talk to watch if you want a refresher on circuit board optimisation. speakers get a bit nervous but given how dense the talk is that's hardly surprising. q&a is pretty good as well

Election Cybersecurity Progress Report by J. Alex Halderman (59:39)
- expands on the 2016 talk with the same speaker, this time they consider looking past the prior academic vacuum given the data that's come out since. it's worth watching this talk against what the speaker said in 2016 and where the strict denials suddenly vanish. q&a is good

First Sednit UEFI Rootkit Unveiled by Frédéric Vachon (40:53)
- uefi rootkits in the wild! goes through discovery of the initial vector, exploitation and the features of the rootkit. relatively quick talk, good q&a

SiliVaccine: North Korea's Weapon of Mass Detection by Mark Lechtik (52:45)
- dprk's antivirus. lots of good highlights throughout the talk. strangely doesn't tie into the prior dprk talks. q&a is very short

Frontex: Der europäische Grenzgeheimdienst by Matthias Monroy (41:38)
- deu->eng light talk covers border security at the mediterranean. mainly focuses on the cooperation between different governments in working this in practice, and libya's involvement. q&a is long

Taming the Chaos: Can we build systems that actually work? by Peter Sewell (58:53)
- starts as a standard talk about formally defined systems focusing on C. moves onto showing off academic advances in proofing in practice, and progresses to almost functional in the real world. q&a is good and a large chunk of the talk.

Censored Planet: a Global Censorship Observatory by Roya Ensafi (56:04)
- talk is mostly about rediscovering how to abuse a sequential id in ip packets to infer connectivity between 2 uncontrolled machines. then it moves onto abusing open dns resolvers. certainly some strange ethics tests involved, and seems to be ignoring legal issues. i'd go on but it's strange how for the talk about adversarial research little seems to be done on pitfalls in the data collection and likely poisoning the sources listed. q&a brings this up, but the answers don't inspire confidence.

"The" Social Credit System by Toni (1:01:17)
- great talk on china's social scoring systems. in-depth on how it's seen in china, how it came into existence, and all of the biases inherent in the different models. good q&a as well

Scuttlebutt by Zenna / zelf (34:23)
- "The decentralized P2P gossip protocol" no don't run away! actually maybe do they missed more buzzwords: blockchain, mesh network, sneakernet, it just goes on. really have a drinking contest for this talk if you dare. they start rediscovering using split shared secrets for recovery. their main talk must have no substance as they then proceed to talk about other projects doing actually interesting work that they must be trying to look competent by vague association? it's a short talk as well so enjoy this trainwreck. i want my time back. q&a is far too polite on trying to get anything technical about how this protocol exists at all. questions about sybil attacks and fake accounts result in pure bullshit in response.

Hunting the Sigfox: Wireless IoT Network Security by Florian Euchner (Jeija) (38:03)
- good introduction to low energy RF protocols. quick but covers a good amount of ground for newcomers. q&a is good as well

Information Biology - Investigating the information flow in living systems by Jürgen Pahle (37:26)
- intro to biochemical modelling, good luck live translators. great talk but get ready for lots of stats. q&a covers a lot of ground as well

Introduction to Deep Learning by teubi (41:07)
- great thorough talk on how deep learning functions that's very accessible. doesn't go in depth on training issues, just how the training function works. q&a is worthwhile to watch

How does the Internet work? by Peter Stuge (50:09)
- pretty basic intro to the common protocols, honestly not great for an introduction talk as speaker is a bit nervous with a black/white slideshow and talking about all the protocols in a very dry manner. really is about the internet in early 90s compared to now - talk briefly touches on that at the end. q&a is one polite question

Compromising online accounts by cracking voicemail systems by Martin Vigo (42:02)
- great talk going through automating bruteforcing voicemail attacks to break bad reset flows. lots of practical attacks in the presentation. q&a is really good and informative for carriers in 2018

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Wiggly Wayne DDS posted:

First Sednit UEFI Rootkit Unveiled by Frédéric Vachon (40:53)
- uefi rootkits in the wild! goes through discovery of the initial vector, exploitation and the features of the rootkit. relatively quick talk, good q&a

Taming the Chaos: Can we build systems that actually work? by Peter Sewell (58:53)
- starts as a standard talk about formally defined systems focusing on C. moves onto showing off academic advances in proofing in practice, and progresses to almost functional in the real world. q&a is good and a large chunk of the talk.

some friends of mine went to these, and talked about them over dinner

UEFI: turns out the only way to tell windows malware from windows commercial security software is reading the package lmao

taming the chaos: the code flow integrity part of this talk is apparently fascinating! looking forward to watching this at work in a couple weeks

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Rooney McNibnug posted:

thank you for your service.

Jimmy Carter
Nov 3, 2005

THIS MOTHERDUCKER
FLIES IN STYLE
edit: china's social credit system was already posted. Can confirm it's A Good Talk though.

Jimmy Carter fucked around with this message at 03:37 on Dec 28, 2018

ate shit on live tv
Feb 15, 2004

by Azathoth

Acer Pilot posted:

Did he just post the keys in that last screenshot?

Hell yea. Hope this company gets totally owned and those were root keys.

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD

Shame Boy posted:

oh my god the fedex signup process keeps getting better



of course i want to take a fun exam about me :allears:



what great questions! anyway time to submit and see how I did...



:bravo:

this is the identity verification system that the IRS used to protect filing false tax returns a few years back, with predictable results

WrenP-Complete
Jul 27, 2012

The IRS account setup this week had a list of special characters that was different than the list it checked against for strong password creation.

Once I figured that out and set up an account, the site timed out when I tried to login.

:shrug:

Kurvi Tasch
Oct 13, 2012

Thats von Derp for you!

Thanks! That's super helpful.

geonetix
Mar 6, 2011


me, trying to get some NIST references into some documentation.



thanks US Government. at least the banner works great with amberpos

anyone know of a copy of all the NIST documentation?

Qtotonibudinibudet
Nov 7, 2011



Omich poluyobok, skazhi ty narkoman? ya prosto tozhe gde to tam zhivu, mogli by vmeste uyobyvat' narkotiki

Wiggly Wayne DDS posted:

Censored Planet: a Global Censorship Observatory by Roya Ensafi (56:04)
- talk is mostly about rediscovering how to abuse a sequential id in ip packets to infer connectivity between 2 uncontrolled machines. then it moves onto abusing open dns resolvers. certainly some strange ethics tests involved, and seems to be ignoring legal issues. i'd go on but it's strange how for the talk about adversarial research little seems to be done on pitfalls in the data collection and likely poisoning the sources listed. q&a brings this up, but the answers don't inspire confidence.

eh, i'd expect that concerns over compromising sources and methods are probably overblown as long as they're technical--the adversaries in question are the policy arms of government, and while those will go after identifiable persons under their jurisdiction raising a stink (you, as a government, want to shut up individuals who complain to foreign media about censorship), covering up evidence of that censorship itself is probably a much lower priority. it's not exactly a secret that some governments censor the internet (hell, Roskomnadzor itself very much makes a queryable database of censored items open to the public, albeit through a broken-rear end garbage website), and that researchers can confirm this along with specific details through non-official means probably isn't much concern to the governments in question unless it provides a means of circumventing the block also.

Tankakern
Jul 25, 2007

edit

Cybernetic Vermin
Apr 18, 2005

abigserve posted:

lol at not having any sort of middleware at all and just letting the devices upload straight to s3, what could possibly go wrong

afaik aws makes this trivial to do by locking a (cognito) user to a specific s3 subdirectory, no real need to increase surface area with additional middleware
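
The per-identity scoping mentioned in the post above, as an added example that is not part of the original thread: a small lint that flags S3 write grants in an IAM policy that are not confined to the caller's Cognito identity prefix. The bucket name, key layout and sample policies are constructed, and the check is a heuristic, not a full IAM evaluation.

```python
import json
from fnmatch import fnmatchcase

# IAM policy variable that resolves to the caller's Cognito identity ID.
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject")
BUCKET = "arn:aws:s3:::example-device-uploads"  # placeholder bucket name


def _policy(action, resource):
    """Build a one-statement constructed sample policy."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}],
    })


# Constructed samples: per-identity prefix, whole bucket, wildcard ahead of the variable.
SCOPED_POLICY = _policy(["s3:PutObject"], f"{BUCKET}/devices/{IDENTITY_VAR}/*")
BROAD_POLICY = _policy("s3:*", f"{BUCKET}/*")
WILDCARD_PREFIX_POLICY = _policy("s3:Put*", f"{BUCKET}/*/{IDENTITY_VAR}/*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_write(stmt):
    """True if the statement's Action patterns cover an S3 write action."""
    if "NotAction" in stmt:
        return True  # conservative: treat exclusions as potentially granting writes
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatchcase(w, p) for w in WRITE_ACTIONS for p in patterns)


def _confined_to_identity(resource):
    """True if the ARN pins the key to the identity variable with no wildcard before it."""
    path = resource.split(":::", 1)[-1]  # "bucket/key-pattern"
    idx = path.find(IDENTITY_VAR)
    return idx > 0 and not any(c in path[:idx] for c in "*?")


def unscoped_write_statements(policy_json):
    """Return (statement index, resource) pairs for Allow statements that grant
    S3 writes on a resource not confined to the caller's identity prefix."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _grants_write(stmt):
            continue
        # A missing Resource (e.g. NotResource in use) is treated as "*".
        for res in _as_list(stmt.get("Resource", "*")):
            if not _confined_to_identity(res):
                findings.append((i, res))
    return findings


if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY),
                      ("wildcard-prefix", WILDCARD_PREFIX_POLICY)]:
        print(name, unscoped_write_statements(doc))
```

The wildcard-prefix sample is flagged because `*` in an S3 resource ARN also matches `/`, so a pattern with a wildcard ahead of the variable does not isolate one identity's keys from another's.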

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



geonetix posted:

me, trying to get some NIST references into some documentation.



thanks US Government. at least the banner works great with amberpos

anyone know of a copy of all the NIST documentation?

maybe you can find some in their github?
https://github.com/usnistgov

i used one of their things for work this month & it worked as advertised

Wiggly Wayne DDS
Sep 11, 2010



anatoliy pltkrvkay posted:

eh, i'd expect that concerns over compromising sources and methods are probably overblown as long as they're technical--the adversaries in question are the policy arms of government, and while those will go after identifiable persons under their jurisdiction raising a stink (you, as a government, want to shut up individuals who complain to foreign media about censorship), covering up evidence of that censorship itself is probably a much lower priority. it's not exactly a secret that some governments censor the internet (hell, Roskomnadzor itself very much makes a queryable database of censored items open to the public, albeit through a broken-rear end garbage website), and that researchers can confirm this along with specific details through non-official means probably isn't much concern to the governments in question unless it provides a means of circumventing the block also.

yeah i'm just not fond of using devices you found online at scale and ignoring the dangers involved, especially when the premise is finding misuse of networking to begin with

Shame Boy
Mar 2, 2010

geonetix posted:

me, trying to get some NIST references into some documentation.



thanks US Government. at least the banner works great with amberpos

anyone know of a copy of all the NIST documentation?

i hope the atomic clock is still running and they paid their power bill for the month :ohdear:

Vanadium
Jan 8, 2005

naively I would expect that this couldn't happen, but after all I've heard about unexpected dangers in date/time handling, I wouldn't really be surprised anymore if a neglected atomic clock somehow goes critical and makes large swaths of the calendar uninhabitable

geonetix
Mar 6, 2011


is that why leap years exist?

anyway fixed it with the help of the way back machine, thanks archive.org

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Vanadium posted:

naively I would expect that this couldn't happen, but after all I've heard about unexpected dangers in date/time handling, I wouldn't really be surprised anymore if a neglected atomic clock somehow goes critical and makes large swaths of the calendar uninhabitable

lmao

dads friend steve
Dec 24, 2004

Waze is going to stop working because NIST isn’t paying their power bills so no one can talk to GPS

Ulf
Jul 15, 2001

FOUR COLORS
ONE LOVE
Nap Ghost
more like “government ‘pology service”

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe

quotin for later, thanks for the writeup

ClassActionFursuit
Mar 15, 2006
Probation
Can't post for 7 hours!

Vanadium posted:

naively I would expect that this couldn't happen, but after all I've heard about unexpected dangers in date/time handling, I wouldn't really be surprised anymore if a neglected atomic clock somehow goes critical and makes large swaths of the calendar uninhabitable

i lold

Pile Of Garbage
May 28, 2007



Wiggly Wayne DDS posted:

[pre-watch disclaimer]
before i begin going from the schedule i don't expect lots of outstanding talks, or any really bad ones, so don't expect any major criticism. these are my opinions, so make your own assessments and say when a talk's poo poo that i think is good and vice versa
[/pre-watch disclaimer]

35c3 day 1 talks:

good stuff! thanks as always

Wiggly Wayne DDS
Sep 11, 2010



day 1 continued (i even skipped some talks!):

Digital Airwaves by Friederike (46:09)
- SDR talk covering how each component functions, the basics of RF, and dives into signal processing. good, but keep in mind it's an intro talk. q&a is short but good

Space Ops 101 by sven (1:02:16)
- great talk on mission planning and engineering. covers real world scenarios and diagnosing faults throughout the process. interesting, and a quarter of the video is devoted to q&a

Transmission Control Protocol by Hannes Mehnert (39:13)
- a rough intro to TCPIP, cares too much about explaining the minutiae rather than why the choices were made. talk is really about how they made a formal model on TCPIP rather than an introduction to beginners. few polite questions at the end.

wallet.fail by Thomas Roth, Dmitry Nedospasov and Josh Datko (1:01:58)
- downside: *coin enthusiasts. upside: 4 practical attack vectors on hardware wallets. really well done talk that covers a lot of ground quickly. q&a is alright as well

What The Fax?! by Yaniv Balmas and Eyal Itkin (46:55)
- must watch talk focusing on attacking all-in-one printers with fax functionality. full of lots of fun easter eggs. q&a is short

A Routing Interregnum: Internet infrastructure transition in Crimea after Russian annexation by Xenia (44:38)
- must watch citizenlab talk analysing what happened to all the communication infrastructure during the annexation. shows how russia improved their surveillance capabilities in crimea. q&a is long as well

Quantum Mechanics by sri (57:30)
- accessible crash course in quantum mechanics focusing on the experiments and fundamental equations. well it's accessible for people already extremely familiar with the maths behind quantum mechanics, so good luck. good amount of time for q&a

Open Source Firmware by zaolin (49:39)
- deu->eng good overview on designing firmware, and the current advances made. no real q&a after the talk

Modchips of the State by Trammell Hudson (36:52)
- great quick watch. starts off running through the bloomberg claims, and goes into how to build an implant in practice. q&a is relatively lengthy as well.

All Your Gesundheitsakten Are Belong To Us by Martin Tschirsich (1:01:41)
- deu->eng good talk focusing on health data mobile apps for medical records between doctor and patient. it covers a variety of apps, but fumbles a few times on the danger of specific issues. great other than that, and the sloppy translation. q&a is pretty long but doesn't cover much

Inside the AMD Microcode ROM by Benjamin Kollenda, Philipp Koppe (37:21)
- must watch reverse engineering talk, should be pretty familiar if you watched last year's talks - same speakers on the same subject. lot of interesting advances this year. q&a has nice questions as well

SD-WAN a New Hop by Sergey Gordeychik (49:04)
- great talk covering software defined WANs, and the security issues across multiple vendors' products. q&a is light and doesn't cover much



Day 2

Exploring fraud in telephony networks by Merve Sahin, Aurélien Francillon (1:02:05)
- interesting talk. starts trying to classify the classic frauds, then brings in data to show how they work in practice and models some defenses. lots of q&a with good information mixed in

A farewell to soul-crushing code by Mike Sperber, Nicole Rauch (1:00:57)
- talk has good dynamics, but is effectively a rough intro to functional programming and haskell. 15m of q&a at the end but there isn't anything worthwhile in there

Inside the Fake Science Factories by @sveckert, @tillkrause, Peter Hornung (1:01:36)
- deu->eng worth watching. investigative journalists look into the other side of academic publishing. goes from publishing papers, to attending the conferences and analysing authors at 5 of the major predatory journals. good q&a

Modern Windows Userspace Exploitation by Saar Amar (50:58)
- shows off the progress of native mitigations by taking a ctf challenge and exploiting it on win7, 10(TH1), 10(RS5). really good runthrough of the newer protections and older ways of bypassing them. dense with lots of demos so no q&a.

SymbiFlow - Finally the GCC of FPGAs! by Tim 'mithro' Ansell (1:02:04)
- good talk. aims to make an open source toolchain for fpga development. mostly an overview of the current state of the various replacement attempts, and if you want more info on nextpnr check out the next talk. thorough q&a

The nextpnr FOSS FPGA place-and-route tool by Clifford Wolf (46:52)
- paired with the last talk. far more technical than the general overview of the last talk. q&a is alright

Explaining Online US Political Advertising by Damon McCoy (1:01:22)
- must watch talk on analysing the targeting of political ads since the 2016 election. grabs facebook/google/twitter public ads archives, talks about their approaches, and visualises the data. good q&a as well

there's a lot more good talks left for day 2, but i've caught up with their archives at the moment, so taking a break

Wiggly Wayne DDS fucked around with this message at 00:22 on Dec 29, 2018


Midjack
Dec 24, 2007



that fax machine talk was good at defcon this year, check it out here for sure.
