Posted by michael on Tuesday August 03, @12:57PM from the neuromancer dept.
Joe Barr writes "NewsForge [ed. note: part of OSTG
along with Slashdot] is running its concluding piece on the week-long
Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our
police/intelligence agencies seem to have learned from their failures
prior to 9/11? Or how a very large goon known only as Priest prevented
outright political violence at a DEFCON presentation on Civil
Disobedience? Or which of the two conferences is right for you? It's
all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications'
document. This document attempts to clarify web security terminology
such as Cross Site Scripting, Session Fixation, Cookie poisoning, and
HTTP response splitting (to name a few)."
Looks like the 503 Errors with Firefox are really slowing down discussions.
The article mentioned that the new number range search feature in Google
could be particularly dangerous. Maybe I'm a little naive... why is it
so dangerous?
There have been a high number of occurrences of 503's since the zero-notice updates a few weeks ago. (At the same time, all web pages started returning "no-cache", so simple browser navigation is forced to redownload every byte on every mouse click. When I logged a bug about this, it was immediately dismissed without comment.)
Please turn yourself in to your nearest police station for exposing a technology security flaw. You can car pool with the guy who discovered the shift key if you like.
Geez, thanks for spoiling it for the rest of us.
Do you have ANY idea how hard it is to build a Lamborghini by mail
ordering all the parts to different addresses from different
Lamborghini dealers' repair shops?
I'm still missing the front hood, the bumpers, and the electrical
system...
(It's FUNNY, SMILE!)
I have been thinking of going to Defcon for the last little while, and maybe will be able to next year. The trip would also need to include my g/f; she knows a bit about computers, but not a whole lot. In your opinion, would there be enough for her to do there, or should she venture other places?
First off, there are females at DefCon, and not all of them are there,
because they think it's an easy place to pick up guys.
That said, have her look at the program and see if any of the talks are
interesting to her. If she knows only a bit, maybe the technical talks
won't be that interesting, but the talks that delve into the overlap
between politics and technology might be of interest. I'm guessing if
she's not that into it, the contests wouldn't be very fun to her.
If it's not her thing at all, have her look and see if Vegas is something
interesting to her, and she can join you later. But, I'd be more
inclined to say, if it's not her thing, plan a different trip that both
of you would enjoy before or after DefCon.
I've attended the past 7 Defcons, and I'm starting to feel like it's losing its magic. The first Defcon I went to (Defcon 3) had a crowd that was much more focused on doing meaningful hacking (some ethical, some otherwise) in the field... it seems like now it's a bunch of 20 year olds who think they're hackers because they know how to reprogram their MAC address on their Linux laptop.
Maybe I'm just getting old, but it feels like the good old days are passing me by.
Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11?
I'm afraid we don't need Black Hat/Defcon to tell us this. Just
yesterday we had major terrorism alerts about specific targets and
today we find out the information was all years old. Does that mean the
buildings weren't targets still? Well seeing as some of the info went
back prior to 9/11 it would make it seem a fairly safe bet that the
seriousness of the threat was vastly overstated.
So we know what they haven't learned quite well and many of us keep
hoping they'll stop crying wolf without good reason. It's only so long
till most Americans start ignoring the terror alerts as things now
stand, something that would be very bad.
I'm sure there were plenty of more interesting things at Black Hat/Defcon though.:)
...it's easier to know how to break into a system/box/whatever, than it
is to learn exactly what happened and take measures to prevent it.
Sure, some items are fairly obvious, but I'm willing to wager that there are
a lot of exploits that even dedicated security officials aren't aware
of, simply because the exploit was found and put to use, but never
reported.
As it applies to 9/11, I'm fairly certain that OBL and his boys
are more willing to shell out the cash for the folks who can find
undiscovered vulns than for scripters who get their rocks off by
passing around " 'sploits".
Given this, I doubt there is too awful much one can learn about securing the network completely against future attacks.
To paraphrase Gene Spafford when he talked about the idea of hiring hackers as security experts, an arsonist isn't necessarily well-qualified to be on a fire department.
Questions were asked about what "going over the line" meant. Assclowns
like Crimethinc are exactly what you'd want to point at and say "that's
what I'm talking about." Disagreeing with the government (or even just
Republicans) is one thing, but going around encouraging people to
vandalize websites/etc is something else.
Jesus. No wonder he looked like he was expecting to be arrested.
Well, I'm sure that no one wants to admit it, but I know the truth
about why there have been so many 503 errors recently. CmdrTaco and
friends are trying to get their machines ready to run Doom 3, and
realizing that they need more horsepower in their gaming machines, have
been taking parts from the servers that host Slashdot.
Unfortunately, we will likely have these errors for quite a while, because now that they all have machines capable of running Doom 3, and since Doom 3 is now out (and undoubtedly in CmdrTaco and friends' hands), they'll be far too busy with that to even remember that they run a website.
The recommended way to deal with this is to go out and purchase Doom 3 yourself. It won't bring Slashdot back, but you'll be too busy fighting demons to care.
One of the articles speaks about a guy who spoke at Defcon and promoted giving those attending the Republican convention a hard time.
What surprised me is that the journalist did not have any problems with having the guy thrown out simply because the guy's speech was controversial. They justified censorship by stating that they had to stop him for his protection. Since when does a person in America have to abdicate his own personal responsibility and be protected for his own speech?
As far as I can tell from their web site, Crimethinc
does try to take people out of apathy, but their most important weapon
is language:
9/11 lessons (Score:5, Interesting) by Anonymous Coward on Tuesday August 03, @01:22PM (#9869858)
From the article: Christy
had mentioned that one of the things they were doing at Defcon was
recruiting. He went on to tell the crowd that if they were interested,
and "had not gone over the line," to talk to him afterwards. The "had
not gone over the line" comment became one of the hottest topics during
the Q&A.
It appears that the lessons the intelligence
community has learned from 9/11 have not yet trickled all the way down
through the federal bureaucracy -- particularly that bit about the
failure of our intelligence pre-9/11 being primarily because of our
loss of vital HUMINT owing to both budget and moral directives. When
the CIA was told it could only use politically correct HUMINT
operatives, it lost its most vital flow of intelligence.
Actually, I think the remark in question -- "had not gone over the line" -- meant the no criminal record, stable finances, etc. required of regular government employees who need clearances, like programmers and sys admins. IOW, they were looking for technical staffers for work at HQ.
The PC'ness at the CIA regarding HUMINT referred to who they could and couldn't hire as intelligence sources. E.g. (hypothetical examples here), several years ago, the CIA could hire a mid-level Iraqi military paper-pusher to smuggle out documents about what Saddam was up to, but at the same time couldn't hire a low-level al Qaeda operative to do the same because he's gone through terror training involving weapon experiments on animals. Even if the operative could give excruciating details about the next terror strike (such as time/place/MO), he had done those evil experiments on animals, which somehow made him ineligible for the CIA payroll. (How such rules came into effect I don't know.)
Whether or not US intelligence has changed this since 9/11, I don't know the answer. I do know that one such scenario I described above was something discussed at length by news orgs immediately after 9/11 as speculation for why US intelligence failed. (IMO, there shouldn't be such silly restrictions on who the CIA can hire as sources. If the source gives good info, pay him for it to encourage more. If he doesn't, or the stuff he gives turns out to be unreliable, stop paying him.)
But as for "going over the line" - for what
the guy was looking for in personnel, he means things like ability to
pee in a cup cleanly, unlike Ricky Williams, and not having a rap
sheet.
"We
got the call for trouble in the room. The gentleman, I was told, was
preaching sedition. I knew that we had to take some steps quickly
preventing that. Defcon is definitely for free speech, definitely for legal civil disobedience. But not anarchy, not psychopathic destruction of property. " [Emphasis mine]
Civil disobedience is, by definition, illegal. That's the whole point of it.
It is the willful and public breaking (hence illegal) of an unjust law, in
the hopes of receiving the corresponding punishment, as a means of
protesting that law.
In a country that has no problem
jailing more of its citizens than any other nation, it seems like going
to prison in protest doesn't really inconvenience anyone in power.
How is it that the members of the most dovish American ideology when it
comes to foreign policy always seem to be the ones for inciting
violence against their domestic enemies? CrimeThinc (yes, I actually
read the article) is just one of a long line stretching back to the
Weatherman Underground and the SLA up to the Seattle WTO protestors
smashing windows. Discounting lone nuts like Timothy McVee (and
remember that the Oklahoma City bombing was universally condemned among
conservatives), how is it that the half of America which owns guns is
never the one calling for violence?
There are some anti-abortion groups (on the conservative end of the
spectrum) which advocate violence, and also militia groups (some of
which McVeigh had contact with) which also advocate violence. There
have been numerous other right-wing groups in America which have used
violence against their political enemies - in the sixties there were
more than a couple anti-war protesters that got their heads bashed in
with axe handles. Also don't forget the various Civil Rights workers in
the south during the 50s/60s who were murdered by folks who were
definitely on the right-wing end of the spectrum.
How is it that the members of the most dovish American ideology when it
comes to foreign policy always seem to be the ones for inciting
violence against their domestic enemies?
For the same reason
that the radical right are always the ones who seem to be inciting
violence against their domestic enemies. Tim McVee is hardly unique in
his political stance and aspirations, nor have you cited anyone on the
left that equals his level of destructiveness or intent (there are such
people, but CrimeThinc is hardly of that caliber. He is not advocating
mass murder).
The reality is that the so-called political spectrum is more of a sphere than a line. The extreme right and far left meet and become one and the same. Consider the similarities of Stalin and Hitler, for example. Kids blowing up toilets to protest Vietnam bear a striking similarity to skinheads defacing Jewish tombstones. Republican thugs terrorizing librarians and volunteers during the Florida recount bear a striking resemblance to communists in China enforcing campus-wide political correctness vis-a-vis the One True Party(tm) system.
Radicalism is radicalism, whether dressed in Liberal Left or Reactionary Right attire, just as religious fundamentalism is religious fundamentalism irrespective of its Christian, Jewish, or Islamic trappings.
You have simply chosen to filter your perceptions through your own political dogma, as many people on both sides of the aisle often do. However, the reality is that folks of all radical stripes, in all political, religious, social, and philosophical directions, employ similar methods to achieve their goals, those methods correlating much more strongly to their degree of radicalism and fanaticism than their particular social, political, religious, or philosophical bent.
If I had it to do over again, I would substitute zealotry for radicalism in the post above.
There are many people with radical notions (where radical = divergence from the society's mainstream assumptions) who are not at all fanatical and would never resort to violent means to achieve those changes (Richard Stallman is an example of someone who is radical and stubborn, but not zealous or fanatical in any real sense of the word... his detractors' rhetoric notwithstanding). Women's suffrage was at one time radical, but most of those pursuing it were not fanatical and virtually everyone was non-violent. This is in contrast to those who fanatically defended the status quo and physically attacked and even murdered women for daring to insist on the same basic civil rights afforded the men of their day.
So, to recap: the reality is that folks of all fanatical stripes, in all political, religious, social, and philosophical directions, employ similar methods to achieve their goals, those methods correlating much more strongly to their degree of zealotry and fanaticism than their political, social, religious, or philosophical bent, or their degree of divergence from the political "mainstream."
...killing civil rights demonstrators, blowing up black girls attending
churches and like as right wing violence your stats are pretty good. Oh
yeah, and shooting abortion doctors, bombing the Olympics, killing Jewish schoolchildren [cnn.com], attacking gays [cnn.com], the OKC bombing....
CrimeThinc (yes, I actually read the article) is just one of a long line
stretching back to the Weatherman Underground and the SLA up to the
Seattle WTO protestors smashing windows.
Setting bombs and robbing banks is hardly the same as smashing windows (not that I approve of either).
Discounting lone nuts like Timothy McVee
McVeigh.
(and remember that the Oklahoma City bombing was universally condemned among conservatives)
"condemned" like when Ann Coulter said "My only regret with Timothy McVeigh is he did not go to the New York Times Building." ?
how is it that the half of America which owns guns is never the one calling for violence?
In my limited experience, the vast majority people who shoot other people tend to be in possession of guns at the time.
It seems you've never heard of (to only quote a few examples from the last
20 years, long after the Weather Underground and the SLA went out of
business):
DC12 was my first DefCon; my only two gripes were the heat (us northerners are wimps) and the chronic lack of seating. It seemed that by Saturday afternoon much of the crowds had subsided, but there were still issues nonetheless. I'll definitely be going back next year with a bigger group.
Possibly one of the highlights was getting pics of Woz and Mitnick
standing a few feet apart from each other; with Woz on his Segway.
Pretty cool.
Yes, I RTFA, and somehow I didn't see much about our intelligence
agencies "not learning much since 9/11". I suppose the summary is
referring to not hiring crackers that have done illegal stuff, but
that's moronic -- if the NSA would reject someone for a job breaking
into things BECAUSE they know how to break into things, we are all in
big trouble.
I haven't been to Def Con in a couple of years. I went the first year
they were at the Alexis Park, and it was OK. Went back the next year,
and they'd clearly outgrown the venue. Wasn't able to get a seat for
ANY of the talks.
I don't know if they've signed some sort of long-term contract, or maybe
they've just gotten kicked out of everywhere else, but I'm not going
back until they get a considerably larger place.
I would imagine that people by and large go to DefCon to learn HOW to
do something not WHY. There appears to be a lot of faux anarcho posing
going on as well as faux Fedcop speak in response.
Only another anarchist or Fedcop would ever think that what an anarchist or Fedcop has to say is remotely interesting. I can't imagine anyone at DefCon suddenly deciding that either breaking things is kewl or that diversity of opinion has to be tolerated. Nor would I think that the self professed Grey-Hats are going to come out in favor of the PATRIOT act.
When we all talk to a room full of people who are our clones it's got to get pretty boring.
In the article, there was a section discussing "Meet the Feds." From
that section, I quote: "The Patriot Act was also called into question
by attendees. The FBI representative asserted that just because the act
had been passed didn't mean they had carte blanche to surveil anyone
they wanted, that judges still had approve their requests. That
reasoning only flew so far, however, as the questioner pointed out that
such requests by the FBI are always approved, never denied."
What we tend to forget is that, even in the Judicial system, there is a check-and-balance--especially when it comes to warrants. While a judge may allow a warrant, if a case ever goes to trial then a jury has an opportunity to nullify the value of any evidence obtained via a warrant. I know that sounds a little naive, but this is one purpose of the jury--injecting the People into the judicial process to protect an accused from the Government. The jury is the key point in the process that is not absolutely Government controlled.
However, the attendees brought issue with the fact that "judges always approve." There was a landmark case (granted, it was in the early 18th C. in England) that allowed a victim to bring suit. The victim in question owned a printing press that printed pamphlets hostile to the Crown (or was it Parliament?). The Government responded by obtaining an ill-gotten warrant to wield as a weapon to silence him. However, the man sued and won a substantial sum. I think the right words were something to the effect of "a suitably painfully high sum to deter the Government from pursuing that line of action again."
Anyway, I'd like to point out that there are recourses of action for virtually anybody mistreated by an ill-gotten warrant that are built into our legal system. Even if the judge always approves, there is the jury to help shield, and the precedent to file suit when abused. (I'd also like to point out that this is a common tactic by those justly prosecuted to try to wear down the government by attrition.)
"The FBI representative asserted that just because the act had been passed
didn't mean they had carte blanche to surveil anyone they wanted, that
judges still had approve their requests. That reasoning only flew
so far, however, as the questioner pointed out that such requests by
the FBI are always approved, never denied."[Emphasis mine, statement mine:-) ]
Actually, I didn't ask the original question, merely responded to the FBI guy's
bullshit answer about them not being able to march right up and get
warrants for whatever they want in terrorism cases (or rather cases
they claim are related to a terrorism investigation - which means
anything and everything they want it to mean). I threw my hand up about
halfway through his answer (which he bumbled through briefly before
resorting to more bullshit) to mention that an FBI agent had been
barred from appearing before the FISA court ever again because he was
blatantly lying to the court, and to talk a bit about National Security
Letters (NSLs), which require 0 judicial oversight and which get a
whole lot of non-content information from communications providers
(like ISPs). Unfortunately for me, and fortunately for the poor FBI
guy, they never called on me again after that. (It was a fed who was
deciding who to call on).
If anyone saw who I am, forget who you saw - I don't exist.;)
How about the virus guy who basically gave a 50 minute drunken rant about how stupid and worthless current viruses are.
Worst talk ever.
Overall it was a pretty good show I thought. Some excellent talks. It was
pretty sedate overall, at least what I saw. I guess everybody is
getting older.
LMFAO. I read that and a switch went off. I know that kid.
Last year I did some development on a website whose owner spoke
often of going to Defcon in Vegas. He also spoke of Anarchy, and
causing Civil Disobedience at the Democratic convention. It didn't take
me long to figure out he was using his site not to teach admins how to
spot vulnerabilities in their web code, but to spread his own political
agenda, and gather a willing army of script kiddies.
Needless to say our beliefs on hacking weren't the same. Whoever this person was at Defcon, he is an embarrassment to the hacking community, both whitehats and blackhats.
I stopped in on the site's IRC server to see what was up with
some old friends, turns out this guy has a court date not too far off
something about striking a police officer.
I would bet it's the same guy.
His politics, and genuine lack of interest in teaching admins the skills necessary to find and fix flaws in their code, is why I left.
I'm all for hacking code, but the art would be better suited to securing systems and spreading the knowledge of how to secure, instead of teaching an army of script kiddies to be leet hax0rz.