Please see The Next Hope Part 1 - Friday Notes for the first day and summary of the HOPE conference.
Behind the Padlock: HTTPS Ubiquitous and Fragile - This was a talk was given by Seth Schoen
Some interesting topics were brought up, the Moxie Marlinspike null termination hack on SSL:
http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf
CN NIC root edition was a interesting bit.
http://yro.slashdot.org/story/10/02/02/202238/Mozilla-Accepts-Chinese-CNNIC-Root-CA-Certificate
Check out Carnegie Mellon perspectives as a tool
http://www.cs.cmu.edu/~perspectives/firefox.html
as well as cert lock and HTTPS Everywhere - https://www.eff.org/https-everywhere
The author noted that DNSSec has now signed the root zone, which we hope will improve security there: http://gcn.com/articles/2010/07/19/dnssec-fully-deployed-at-internet-root.aspx
The Keynote Speech
This speech was given by one of the developers at the Tor project who also works at http://wikileaks.org/
That is the end of my notes on this topic.
How to make a living doing what you love -- this topic was given by Mitch Altman
The summary here was if you don't love you job, find a way to make money loving what you do. Mitch Altman is the inventor of TVBgone, and he shared with his story about how he came to create the product, get it to market, and how he made enough money to survive on it. Very close path to the Four Hour Work Week.
He was really gracious in sharing his time and seemed genuinely interested in helping anyone who wanted to "quit their job" and follow that dream.
The bottom line here was you are going to be spending a significant amount of time if you do follow your dream so why not love every minute of it and follow your passion! No real technical links here just a lot of inspiration.
Why you should be an Amateur -- this talk was given by Ben Jackson
At first my expectations for this talk were low, as I had no real interest in becoming an amateur radio operator. However as Ben Jackson is a very dynamic and humorous speaker, I must admit he got me curious about being an amateur radio operator, and if I find some time and little extra cash I may take him up on it.
One thing I had no idea about is that the "44-NET" IP address space is specifically for radio and are actually public routable IP addresses. Wow! Really cool: http://www.qsl.net/kb9mwr/projects/wireless/amprnet.html
To become an amateur radio operator, basically you need a basic radio kit, and to pass a test.
There are technician, general, and amateur classes, and they progress in difficulty and scope. However, most people with some basic understanding of electronics radio systems and so forth should be able to pass the first exam fairly easily: http://www.arrl.org/licensing-preparation-exams
Failing - Reach out and Touch Face - Johannes Grenzfurthne
This talk was about failing given by Johannes. I can not adequately describe exactly what I saw. Johannes is a combination of Carrot Top, Will Ferrell, and Gallagher. His talk was at once crazy, disheveled, awesome, and provoking. I really don't know what I saw but I know I was entertained!
He's the guy here: http://www.flickr.com/photos/laughingsquid/4803235314/
Social Engineering - this talk was presented by Bernie S. and other people who did not give their real first names and someone we all think of as a Legend.
Let's just say this was a talk about social engineering. That is all I'll say on the topic.
Radio reconnaissance and Penetration Testing - this talk was given by Matt Neely
This was a really fascinating talk, as Matt is penetration tester who's done a lot of on-site testing with radio equipment, wireless security and so forth.
One thing he brought up that was interesting is that jamming a signal is a illegal regardless if the statement of work you've obtained from your client says it's okay. Jamming is illegal as is illegally transmitting. Speak with your lawyer.
It's possible to relatively easily figure out what scanner frequency a company is using by simply googling for it. His suggestion for buying a good radio was first look for a good antenna, and then look for good radio.
Sunday
phone freaks - This talk was given by Phil Lapsley
This was another fascinating talk, it started from the incorporation and history of AT&T, Bell Labs, and the process that how hackers would initially social engineer the inward operator to make phone calls. The author is working on a book that hopefully will be out in 2011 regarding the history of phone freaking. It looks very interesting to me.
Some of the names he suggested to go to google were Joey Bubbles, John Draper and Evan Doreville.
This was a really well laid out talk as the author clearly has his thoughts together as he is soon to be published.
Track me not - This talk was given by Vincent Toubiana
Basically this utility will send queries to Google, using a DOM-based query that aims to replicate the exact usage of the user, making very hard to distinguish and profile a user's Web searches. A very interesting project with more information here: http://cs.nyu.edu/trackmenot/
The Freedom Box - this topic was given by James Vasile
This topic was raised to bring about a discussion to see if it would be possible to create some sort of Linux box, where all of the users' potentially sensitive data would be held such that it would be then somehow securely given out to only the proper parties. This was a interesting idea in theory, the author is looking for input on the actual deliverable.
Distributed Denial of Service - this talk was given by Alessio Pennasilico
This author, with a great Italian accent, shared his story about how his client was attacked through a distributed denial of service attack and his efforts to thwart it. The Long story really short he installed an open BSD firewall using the SYN-proxy feature and PF sync tools.
Unfortunately the author had bit of trouble as the ISP really had no interest in helping or were ill-equipped to do so. He also contacted some vendors to help scrub the traffic, but to no avail.
He noticed that the IP's kept changing every 15 minutes or so, so even if blocking were a valid solution, they would simply change after 15 minutes, and approximately 200 IP addresses were in the mix.
What I really liked is that the author really built up the story from 100 to 200 to 300 to 850 Mb per second of traffic and shared the actual technical challenges met and solutions employed to finally defeat the attacker. He had a really great attitude about it and was really willing to share his story.
The Black Suit Plan Isn't Working - Now What? - this talk was given by James Arlen
Basically this talk was suggested as a means to break an information security professional out of their funk. I liked that the author suggested that "we" were the ones that need to change (I.E look in the mirror first), and don't look at a business person to understand you, you should look at the business person and try to understand where they're coming from, and to speak in their language.
Only when we understand others and speak their language will we ever create a bridge of communication (my addition).
0 comments:
Post a Comment