72 Hours of Pwnage: A Paranoid N00b Goes to Def Con (opens in new tab)

(motherboard.vice.com)

117 pointspieter19769y ago45 comments

45 comments

    > “Aren’t those the people who break into computers?”
    >
    > “Yes—also phones, cars, airplanes, and human bodies.”
    > 
    > “I thought that stuff was illegal.”

While I think they're truly innovative and inevitable, the advent of "secure CPUs" [1] over the last decade or two will eventually become the norm. And once they do -- lookout, brother. The woman who was having this conversation scoffs at how Def Con can even take place if the subject matter is what she thinks it is. In a short time, the computer attacks which cause embarrassing leaks and expensive losses will add up to legislators deciding something must be done. At that time, the number of us who will still like and prefer to be able to run whatever code on whatever processor we care to will be so small that it won't matter.

[1] by "secure CPUs" I'm referring to ones that support signed bootloaders, facilitating good things like more-difficult-to-pwn-by-attackers and bad things like DRM and limiting code to proprietary walled garden app stores.

riskable9y ago

The trouble with "secure CPUs" is that they really only secure the boot process. It is then up to the OS (as usual) to secure itself which is where most failures of security occur anyway.

Consider all the phone "OSes" (aka ROMs) you can install on phones with locked boot loaders that just replace a few binaries/files here and there in an existing OS to change how it works/feels. The maker of said ROMs may not have the ability to replace the kernel but any vulnerability in said kernel will allow them to replace everything else which is precisely where userland security lives.

So the hardware may be "secure" from the perspective of the manufacturer but not from the perspective of the user. They can still be pwned.

nickpsecurity9y ago

Those are just restricted-boot CPU's, not secure CPU's. I agree secure CPU's will make attacks more difficult. Here's you a few examples of them with various tradeoffs:

http://www.crash-safe.org/assets/ieee-hst-2013-paper.pdf

https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

https://web.archive.org/web/20150315020829/http://palms.ee.p...

https://theses.lib.vt.edu/theses/available/etd-10112006-2048...

Original one that ran businesses which is still immune to lots of attacks vectors and reliability issues:

http://www.smecc.org/The%20Architecture%20%20of%20the%20Burr...

So, spread word on things like those, esp CHERI given FreeBSD support, instead of that DRM garbage that uses the word security but is more about marketing & control. ;)

a2tech9y ago

He should have gone to BlackHat if he wanted to see anything really interesting. Def Con is mostly a big party with life style talks and people talking about old stuff.

Thats not to say there isn't neat stuff to do at Def Con (I've seen plenty of neat talks) but its mostly a big party. There's nothing really scary going on there.

tacostakohashi9y ago

I went to HOPE a few weeks ago, after having been to such things before, but not for a few years.

I had exactly the same impression - mostly a lifestyle / social / political thing, pretty light on in the way of talks with actual technical detail. Kind of like TED talks - well presented, entertaining, but not really actionable.

In years gone by, I went to some excellent events, with talks on really specific, useful things (kernel internals, gdb use, ELF dynamic loading, ltrace / strace use, that kind of thing). Can't help but wonder if those sorts of conferences still exist, or the whole scene has changed into something less practical and more lifestyle.

stephancoral9y ago

What talks did you attend at HOPE? There were tons of hard technical presentations. The two guys who cracked the Iridium satellite network in particular were amazing, going into deep detail on the techniques and methods used to decode the frequencies. The talk on medical device hacking was also awesome - I mean they showed you how to get on a radiology machine and other exploits. And after I saw the talk on hacking your cars internal computer I was able to go home and start futsing around with that stuff on my garage (after buying some hardware).

Maybe they don't do a lot of talks on the intricacies of C anymore (which is a bummer) but there is still a lot of technical knowledge going down at these events. I had s great time and learned so much

2 more replies

wcummings9y ago

Get-drunk-in-shitty-hotel-con isn't really about the talks, it's about goofing off in NYC w/ friends from IRC.

nxzero9y ago

Events are just mainstream now; unless there's a chance the FBI is going do a raid, likely nothing you're not going to hear about a day later on the net.

tronje9y ago

It sounds weird that they're selling key-logging sticks for $50 and spoofing routers for $100 at a convention where you'd think everyone can build that stuff by themselves for a much lower price.

Just to add to your point, I suppose.

busterarm9y ago

At a convention you can pay cash (semi-)anonymously where if you had to build that stuff you'd leave a paper trail.

Many I know in this group of people (DefCon/HOPE attendees) do things like trade around craigslist-cash-purchased laptops.

1 more reply

mseebach9y ago

> everyone can build that stuff by themselves for a much lower price

At volume. But if you only need one (or ten), assuming your time has some non-trivial value, it's much cheaper to just buy off the shelf.

pmorici9y ago

Even if you value your time as worthless then maybe you could build a hardware key logger for less than $50 in parts but I really doubt it.

2 more replies

marcosdumay9y ago

I'm sure a lot of people there has better projects to spend their time on than rebuilding commodity hardware.

raesene69y ago

hmm not sure I'd say that Blackhat would in any way be a better option for "something interesting", it's a very expensive corp. focused conference these days.

Last time I went most of the interesting Blackhat talks were getting re-run at Defcon, so really not a lot of point in paying out for the Blackhat option, just go to Defcon and see them there.

baby9y ago

rather the inverse, I'm not scared of getting pwned when I go to blackhat, in Defcon people are just acting crazy.

LeonM9y ago

TL;DR: author did some gambling in casinos and got drunk in strip clubs, barely attended any talks because he doesn't understand the jargon, almost got pwnd by connecting to the wrong WiFi.

Not really worth the time to read.

forgottenpass9y ago

Things like this make me wonder if paid writers for (in this case) Motherboard ever know what the fuck they're talking about.

As an active DEF CON attendee and seeing the press coverage over the years, I can start to "see the matrix" of how to lazily assemble a news story. He even links to the Hacker Manifesto FFS. I thought VICE was aiming higher than this kind of trash.

It makes me distrust reporters. Do they just turn off the "I'm a noob" angle, assume the standard authoritative tone they always use and cover other topics with just as flimsy of an understanding?

rhaps0dy9y ago

>Do they just turn off the "I'm a noob" angle, assume the standard authoritative tone they always use and cover other topics with just as flimsy of an understanding?

Yes. See [Murray] Gell-Mann Amnesia:

“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”

― Michael Crichton

https://www.goodreads.com/quotes/65213-briefly-stated-the-ge...

1 more reply

sgarman9y ago

I have never been to def con so to me it was still an interesting read on an outsiders take on what def con is.

touristtam9y ago

still entertaining. :0

jjnoakes9y ago

There ought to be a way, at the OS level, to configure a machine so no network traffic goes in or out over an unsecured link except for the VPN application's traffic.

Then, if you configure secure links to be WPA at work, WPA at home, and your VPN, there should be little risk to joining an open network to bring up a VPN.

nickpsecurity9y ago

In high-assurance security, they go further by putting that functionality into a dedicated device with minimal components, a separation kernel (or RTOS), and strong isolation of networking. Idea being it always, by static design, forces networking traffic to go through the encryptor with almost no attack surface from external network. External network stack usually in own partition, too.

Examples:

http://www.friendsglobal.com/papers/High_Assurance_Wireless_...

http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=BF0...

dec0dedab0de9y ago

You can do that with the routing table.

u02sgb9y ago

Interesting - links/details?

2 more replies

Wilya9y ago

It's pretty easy (at least on Linux) to firewall all inbound/outbound traffic on your physical network interfaces, allowing only the bare minimum necessary to connect to the VPN server (DHCP to get a local ip + an udp/tcp connection to a single ip:port).

Last I checked, it was a bit more difficult to do on Windows, because it didn't allow interface-specific rules, and because software installers had a habit of opening holes for themselves in the firewall without asking you.

secabeen9y ago

The OpenVPN client on android has something like this. See "Seamless Tunnel" in the preferences. I've used it at DefCon on the secure network in the past.

ianpurton9y ago

If you can't afford Def Con or can't be arsed then https://www.reddit.com/r/netsec is fun.

cypherg9y ago

Vegas smells like cigarettes and garbage. Skip the long lines and absurd Vegas expenses and watch the talks from YouTube.

TD-Linux9y ago

Or still suffer Vegas, but do all of the contests at DEF CON instead of the talks.

Pica_soO9y ago

Venture there with just one piece of non-hackable soft and hardware - a key generator that renews its key every h. If you are the only holder and perciver of the key after the next hour while this laptop stays on the internet -the money on a anonymous account is yours. Else The money returns into the jackpot.

In greed we thrust.

outworlder9y ago

I can't find anywhere in the article that says those photos were taken with permission.

I was under the impression that photographs were not allowed.

throwanem9y ago

I see Defcon doesn't have quite as stringent a media policy as HOPE, which booted Vice in response to blatant violation of the signed-consent requirement.

krupan9y ago

First I've heard of demonsaw. I can't tell from quickly perusing the website. Is it open source? Has anyone tried it?

brotoss9y ago

Really boring article

j / k navigate · click thread line to collapse

45 comments

wyldfire9y ago

    > “Aren’t those the people who break into computers?”
    >
    > “Yes—also phones, cars, airplanes, and human bodies.”
    > 
    > “I thought that stuff was illegal.”

riskable9y ago

The trouble with "secure CPUs" is that they really only secure the boot process. It is then up to the OS (as usual) to secure itself which is where most failures of security occur anyway.

So the hardware may be "secure" from the perspective of the manufacturer but not from the perspective of the user. They can still be pwned.

nickpsecurity9y ago

Those are just restricted-boot CPU's, not secure CPU's. I agree secure CPU's will make attacks more difficult. Here's you a few examples of them with various tradeoffs:

http://www.crash-safe.org/assets/ieee-hst-2013-paper.pdf

https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

https://web.archive.org/web/20150315020829/http://palms.ee.p...

https://theses.lib.vt.edu/theses/available/etd-10112006-2048...

Original one that ran businesses which is still immune to lots of attacks vectors and reliability issues:

http://www.smecc.org/The%20Architecture%20%20of%20the%20Burr...

So, spread word on things like those, esp CHERI given FreeBSD support, instead of that DRM garbage that uses the word security but is more about marketing & control. ;)

a2tech9y ago

He should have gone to BlackHat if he wanted to see anything really interesting. Def Con is mostly a big party with life style talks and people talking about old stuff.

Thats not to say there isn't neat stuff to do at Def Con (I've seen plenty of neat talks) but its mostly a big party. There's nothing really scary going on there.

tacostakohashi9y ago

I went to HOPE a few weeks ago, after having been to such things before, but not for a few years.

stephancoral9y ago

2 more replies

wcummings9y ago

Get-drunk-in-shitty-hotel-con isn't really about the talks, it's about goofing off in NYC w/ friends from IRC.

nxzero9y ago

Events are just mainstream now; unless there's a chance the FBI is going do a raid, likely nothing you're not going to hear about a day later on the net.

tronje9y ago

It sounds weird that they're selling key-logging sticks for $50 and spoofing routers for $100 at a convention where you'd think everyone can build that stuff by themselves for a much lower price.

Just to add to your point, I suppose.

busterarm9y ago

At a convention you can pay cash (semi-)anonymously where if you had to build that stuff you'd leave a paper trail.

Many I know in this group of people (DefCon/HOPE attendees) do things like trade around craigslist-cash-purchased laptops.

1 more reply

mseebach9y ago

> everyone can build that stuff by themselves for a much lower price

At volume. But if you only need one (or ten), assuming your time has some non-trivial value, it's much cheaper to just buy off the shelf.

pmorici9y ago

Even if you value your time as worthless then maybe you could build a hardware key logger for less than $50 in parts but I really doubt it.

2 more replies

marcosdumay9y ago

I'm sure a lot of people there has better projects to spend their time on than rebuilding commodity hardware.

raesene69y ago

hmm not sure I'd say that Blackhat would in any way be a better option for "something interesting", it's a very expensive corp. focused conference these days.

Last time I went most of the interesting Blackhat talks were getting re-run at Defcon, so really not a lot of point in paying out for the Blackhat option, just go to Defcon and see them there.

baby9y ago

rather the inverse, I'm not scared of getting pwned when I go to blackhat, in Defcon people are just acting crazy.

LeonM9y ago

TL;DR: author did some gambling in casinos and got drunk in strip clubs, barely attended any talks because he doesn't understand the jargon, almost got pwnd by connecting to the wrong WiFi.

Not really worth the time to read.

forgottenpass9y ago

Things like this make me wonder if paid writers for (in this case) Motherboard ever know what the fuck they're talking about.

It makes me distrust reporters. Do they just turn off the "I'm a noob" angle, assume the standard authoritative tone they always use and cover other topics with just as flimsy of an understanding?

rhaps0dy9y ago

>Do they just turn off the "I'm a noob" angle, assume the standard authoritative tone they always use and cover other topics with just as flimsy of an understanding?

Yes. See [Murray] Gell-Mann Amnesia:

― Michael Crichton

https://www.goodreads.com/quotes/65213-briefly-stated-the-ge...

1 more reply

sgarman9y ago

I have never been to def con so to me it was still an interesting read on an outsiders take on what def con is.

touristtam9y ago

still entertaining. :0

jjnoakes9y ago

There ought to be a way, at the OS level, to configure a machine so no network traffic goes in or out over an unsecured link except for the VPN application's traffic.

Then, if you configure secure links to be WPA at work, WPA at home, and your VPN, there should be little risk to joining an open network to bring up a VPN.

nickpsecurity9y ago

Examples:

http://www.friendsglobal.com/papers/High_Assurance_Wireless_...

http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=BF0...

dec0dedab0de9y ago

You can do that with the routing table.

u02sgb9y ago

Interesting - links/details?

2 more replies

Wilya9y ago

secabeen9y ago

The OpenVPN client on android has something like this. See "Seamless Tunnel" in the preferences. I've used it at DefCon on the secure network in the past.

ianpurton9y ago

If you can't afford Def Con or can't be arsed then https://www.reddit.com/r/netsec is fun.

cypherg9y ago

Vegas smells like cigarettes and garbage. Skip the long lines and absurd Vegas expenses and watch the talks from YouTube.

TD-Linux9y ago

Or still suffer Vegas, but do all of the contests at DEF CON instead of the talks.

Pica_soO9y ago

In greed we thrust.

outworlder9y ago

I can't find anywhere in the article that says those photos were taken with permission.

I was under the impression that photographs were not allowed.

throwanem9y ago

I see Defcon doesn't have quite as stringent a media policy as HOPE, which booted Vice in response to blatant violation of the signed-consent requirement.

krupan9y ago

First I've heard of demonsaw. I can't tell from quickly perusing the website. Is it open source? Has anyone tried it?

brotoss9y ago

Really boring article

j / k navigate · click thread line to collapse

​72 Hours of Pwnage: A Paranoid N00b Goes to Def Con (opens in new tab)

45 comments

​72 Hours of Pwnage: A Paranoid N00b Goes to Def Con (opens in new tab)

45 comments

72 Hours of Pwnage: A Paranoid N00b Goes to Def Con (opens in new tab)

72 Hours of Pwnage: A Paranoid N00b Goes to Def Con (opens in new tab)