Revisiting the BlackHat BCard hack of 2018 (opens in new tab)

(hackaday.com)

29 pointssus_0076y ago5 comments

5 comments

I remember when I was a kid and thought that hacking was this intense activity of "breaking in". Movies like Hackers really captured my imagination. Some vulnerabilities and hacks truly are incredible like Stuxnet[0]. However, after creating software for many companies for many years you start to realize that most of the "hacks" were just someone not being careful enough. A PM dropped the ball on a project, security wasn't even informed of the project, there was no security team, or some other simple mistake. One of the companies I worked at hired security experts to train us how to write more secure code and you wouldn't believe how bored the room looked. Almost no one was paying attention, even the junior engineers who were the primary reason for the training.

Anyways, as long as humans are writing code and organizations function the way they do today these exploits are going to continue happening.

0: https://en.wikipedia.org/wiki/Stuxnet

yoloClin6y ago

> One of the companies I worked at hired security experts to train us how to write more secure code and you wouldn't believe how bored the room looked.

That's indicative of a bad/dry trainer. A good trainer should easily be able to captivate the room with interesting anecdotes, war stories and general humor while teaching good, factual, actionable information.

Security should be fun, especially when you're coming from a developer perspective and you get to break everything instead of fixing it for once.

It's a real shame you had that experience, because the world really needs more security oriented developers.

todd38346y ago

Personally I found it pretty captivating and actually have been friends with the trainer for years now. That part didn’t seem relevant but now it does. I think he was probably the best teacher on the subject I’ve ever met and was very entertaining to me.

I just think the audience wasn’t into learning. That might have been a culture problem at that company. It is hard to imagine something similar happening where I’m at now.

Also not sure why you got downvoted. I think it was a fair response.

yellow_lead6y ago

This is why Defcon doesn't ask for attendee information and only accepts cash. What an embarrassment.

BlueGh0st6y ago

>the range of valid IDs was between 100000-999999, and there were about 18,000 attendees

>Using Burp Suite, the task would take about six hours.

I really don't think you should be using Burp Suite for this number of requests. IME You're begging for a crash.

j / k navigate · click thread line to collapse

5 comments

todd38346y ago

Anyways, as long as humans are writing code and organizations function the way they do today these exploits are going to continue happening.

0: https://en.wikipedia.org/wiki/Stuxnet

yoloClin6y ago

> One of the companies I worked at hired security experts to train us how to write more secure code and you wouldn't believe how bored the room looked.

Security should be fun, especially when you're coming from a developer perspective and you get to break everything instead of fixing it for once.

It's a real shame you had that experience, because the world really needs more security oriented developers.

todd38346y ago

I just think the audience wasn’t into learning. That might have been a culture problem at that company. It is hard to imagine something similar happening where I’m at now.

Also not sure why you got downvoted. I think it was a fair response.

yellow_lead6y ago

This is why Defcon doesn't ask for attendee information and only accepts cash. What an embarrassment.

BlueGh0st6y ago

>the range of valid IDs was between 100000-999999, and there were about 18,000 attendees

>Using Burp Suite, the task would take about six hours.

I really don't think you should be using Burp Suite for this number of requests. IME You're begging for a crash.

j / k navigate · click thread line to collapse