most defcon intro. the bottle drop was perfect moral of the story: don't fire your hackers for finding stuff. give them raises and they will gleefully fix it for you
@@JeanQPublique I think the bottle drop comes across more as performative (maybe it was a long day). The bottle drop was applauded, but I doubt machismo was what was being cheered.
@@Techfuse13 And just think there is someone out there who would love to charge them for seditious acts for doing that while discussing incompetent diplomatic relations. The irony.. o.0
One of the many reasons we need reliable, trusted journalists is because while we should absolutely fight for better legal protections, there will always be some risk associated with going public with this kind of information, so it will always be safer to drop an anonymous tip to a reputable news outlet rather than go directly to the government.
Don't trust MSM, on either side. You can trace their money back to the same characters. You can see clips people made of local news across the nation saying the exact thing, word for word, on the same day. Citizen journalists are where truth is. They want you to believe only the selected "experts" that appear on TV have the right to form an opinion about anything. Just shut up and do as you're told. Only learn enough knowledge to be competent in one filed. Do not learn about other topics and especially don't connect the dots. Nothing is connected. Everything is a coincidence. Spend what little free time you have with bread & circuses so you don't think deeply about life. No, shut those feelings and thoughts down with some booze and entertainment. It has worked for over 2,000 years on the people and they still haven't caught on for the most part. They assume their neighbor is out to get them and we'll protect them if they give up their rights and money. LOL. Rinse, repeat.
This is so funny, because I have a relatable case! I reported QR collisions to the Dutch government and got faced with the "these are non-issues" e-mail. Basically for the COVID QR code they used a TOTP based on first letter of name and first letter of surname plus date of birth. So any "SP" born on my birthday could use my QR codes with my credentials. Even worse was the fact that you could simply generate any QR code yourself, the app didn't use any API to fetch codes... no it just generated codes based on a secret bundled with the app. So much for "non"-issue, never heard anything from anyone. No cops tho, no cops!
kinda same, in our case it was the url ending they sent via email simply being a base64 encoded string of the firstname + lastname + date of birth. You could check, reschedule and cancel an appointment without any other credentials, it was completely nuts. Thinking about how this got approved made me lose some hope for all of us......
@@danielschmider5069 never has a rushed IT solution worked out. Some intern tests qrencode, slaps it onto a project and calls it a day. This stupidity always leads to silly things like this,.
"what are the problems here" it's frustrating how much 'laughing it off' there was about their two anecdotal experiences. How many people could survive being attacked by powerful systems, whether the banks or the government, losing your job suddenly, having to pay lawyers, etc... and even for these guys who have the social and financial support to survive those attacks, nothing was done to make it right. I'm sure lawyer fees were never reimbursed, and a government fine of 5k is nothing to sneeze at. Many people could not absorb that easily, although the lawyer fees dwarf it. Governments and these companies are effectively waving a gun around like a madman at anyone knowledgeable about security and hacking and making it clear that when you find a vulnerability you can't have a rational discussion with this nutjob. Your only option is to put on your black hat and monetize exploits otherwise nothing will ever be done to fix them. Anyway, great talk but it's a dark topic when you consider what might be happening to people with less voice or knowledge in navigating the corruption.
it's a fair point. I'm in the UK which has had a pretty severe cost of living crisis recently. As a dev with 7 or so years of experience I've ended up stopping eating takeaway out of financial necessity rather than health reasons. I could not survive a legal challenge. I was given a fine by (some organisation I won't name) for a public infraction. I had the choice to pay a fine or show up in court. I had a strong case, but I wasn't willing to pursue that route cause most of us are living paycheque to paycheque. If I'd got that $5000 fine it would have been devastating.
After all the shit LEOs have been caught doing in the past 5 years, and all the nothingburgers that have been done about it, I legit don't know if responsible disclosure is safe anymore. If I report a vuln and the cops show up to my house, I could very well get shot in my sleep over it.
The moral of the story, kids, is that when you discover a vulnerability you shouldn't report it and instead should sell it to shady folks on the dark web. Or at least that's what punishing well-meaning hackers causes.
Correct, although that's more a blackhat conclusion than one that you can say at fedcon. Don't even try to report, just sell it on the black market because if they're going to treat you like a criminal regardless, might as well get paid.
Well, if you "sell" it, you can be accused of having done it only for personal profit. If you however publish it anonymously, they might still find out who you are and you are in trouble, but they can neither accuse you having it done for personal profit, as you gave it away for free, nor can they blame you to have published it for fame, as then you wouldn't have done it anonymously, since you cannot gain fame if nobody knows who you are. And when I say anonymously, I don't mean pseudo-anonymously, like using some kind of hacker nick or hacker group name, I mean using no name or pseudonym at all. After you've published it, you may point some media to it (TV or radio stations, newspapers, etc.) but I would not give it to them first, as that will again change the way how this looks and you never know what they are doing to do with the information.
@@xcoder1122 To be clear, I don't think anyone should be selling 0days. but the point of the comment was that if no matter how nicely you report you risk having your life ruined, it makes it a lot more attractive to have a reward for all that risk...
When hackers realize en masse that the government is lying when it says it cares about security is when this changes. There is no reasoned argument that will convince an apparatchik that a real problem is more important than the governments reputation. If you report something embarrassing or issue an ultimatum to those people, most will respond with guns ( police and prosecution ).
god, the canadian government is such a joke sometimes. Sometimes i think we have it bad in the states, then I see stories like this, where a guy gets fined $7500 for reporting a freaking vulnerability... jesus. They act like he published the info online and didn't save their butt.
This should be pinned. I was in the state at the time, and I remember hearing about this. I really enjoyed the talk. Thanks for shortening the amount of head scratching for me @MyThreeLivesASMR. St. Louis Mississippi would be good reference to drop in Shadowrun.😀
At the end he says he claims ignorance as he's Canadian, but I don't think he should even say sorry, he's just being Canadian - who here could point to the Yukon, or Nunavut, or Seskatechahaka, or any of the other provinces Canada claims to have on the map? Sure these places probably don't exist, but we should at least try and remember their names before Mississippi-shaming them for confusing two real places.
“A hacker with time on their hands is dangerous” yeh in 2005ish I knew what Snowden reported. I’ve basically only ever had one job. Go figure. But it was really a bad idea for society to punish me by preventing me from having a job. They really assume that if they destroy your career early in, that you’ll never become anything. They undervalue talent and natural intelligence, thinking that (as it was in earlier decades), if they just prevent you from ever being respected/employed in society then somehow you won’t be intelligent. We have things like github, Wikipedia, free online education…
@@SamTheEnglishTeacher 42 Also, the democrats are going to win the presidency by coercion & legal obstructionism, in which case the global economy will get BRICS’d
@@SamTheEnglishTeacher whenever some factors constituting an economic perfect storm are set in motion, Russia/China will attempt to force the rest. More specific questions will maybe get you more specific answers.
I wish I could say any of this was a surprise or is different in the UK where the law states that even intending to hack a system that is not yours or you do not have explicit permission to, is a bad time for you. Crazy. It's like they do not understand that criminals dint care about the law.
The problem is stated succinctly at the beginning - the lawyers. The attorneys told the CISO that they HAD to be heavy-handed from the jump, otherwise if it turned out to be a LEGITIMATE THREAT, then they (the government) would be liable. The problem is that attorneys have ZERO CLUE about what constitutes a legitimate threat versus "responsible disclosure." Hence the talk. Bottom line, educate the attorneys (and their minders) to recognize the difference between responsible disclosure and "Yuri the Ransomware Czar."
when your slides literally contain all the things you're going to say, they are bad slides. read up on how to make good presentations. Slides like these cause people to read ahead and become impatient, because they want to learn more. Use bullet points, and don't show them at once, fade them in when you're talking about it.
most defcon intro. the bottle drop was perfect
moral of the story: don't fire your hackers for finding stuff. give them raises and they will gleefully fix it for you
It seems odd to start a talk with an act of machismo only to call it out in researchers a few minutes later...
moral of story don’t hire hackers at all . fuck off with your revenge fueled existance
@@JeanQPublique I think the bottle drop comes across more as performative (maybe it was a long day). The bottle drop was applauded, but I doubt machismo was what was being cheered.
@@Techfuse13 And just think there is someone out there who would love to charge them for seditious acts for doing that while discussing incompetent diplomatic relations. The irony.. o.0
God Bless Dan Kaminsky - R.I.P. - missed but never forgotten
One of the many reasons we need reliable, trusted journalists is because while we should absolutely fight for better legal protections, there will always be some risk associated with going public with this kind of information, so it will always be safer to drop an anonymous tip to a reputable news outlet rather than go directly to the government.
Don't trust MSM, on either side. You can trace their money back to the same characters. You can see clips people made of local news across the nation saying the exact thing, word for word, on the same day. Citizen journalists are where truth is. They want you to believe only the selected "experts" that appear on TV have the right to form an opinion about anything. Just shut up and do as you're told. Only learn enough knowledge to be competent in one filed. Do not learn about other topics and especially don't connect the dots. Nothing is connected. Everything is a coincidence.
Spend what little free time you have with bread & circuses so you don't think deeply about life. No, shut those feelings and thoughts down with some booze and entertainment. It has worked for over 2,000 years on the people and they still haven't caught on for the most part. They assume their neighbor is out to get them and we'll protect them if they give up their rights and money. LOL. Rinse, repeat.
This should be required watching for all bug researchers.
This is so funny, because I have a relatable case!
I reported QR collisions to the Dutch government and got faced with the "these are non-issues" e-mail. Basically for the COVID QR code they used a TOTP based on first letter of name and first letter of surname plus date of birth.
So any "SP" born on my birthday could use my QR codes with my credentials.
Even worse was the fact that you could simply generate any QR code yourself, the app didn't use any API to fetch codes... no it just generated codes based on a secret bundled with the app.
So much for "non"-issue, never heard anything from anyone. No cops tho, no cops!
I have to add that the date check didn't even check the year, only day and month...
kinda same, in our case it was the url ending they sent via email simply being a base64 encoded string of the firstname + lastname + date of birth. You could check, reschedule and cancel an appointment without any other credentials, it was completely nuts.
Thinking about how this got approved made me lose some hope for all of us......
@@danielschmider5069 never has a rushed IT solution worked out.
Some intern tests qrencode, slaps it onto a project and calls it a day.
This stupidity always leads to silly things like this,.
you should be really thankful for being handed such an easy way out of the cage.
"what are the problems here"
it's frustrating how much 'laughing it off' there was about their two anecdotal experiences. How many people could survive being attacked by powerful systems, whether the banks or the government, losing your job suddenly, having to pay lawyers, etc... and even for these guys who have the social and financial support to survive those attacks, nothing was done to make it right. I'm sure lawyer fees were never reimbursed, and a government fine of 5k is nothing to sneeze at. Many people could not absorb that easily, although the lawyer fees dwarf it.
Governments and these companies are effectively waving a gun around like a madman at anyone knowledgeable about security and hacking and making it clear that when you find a vulnerability you can't have a rational discussion with this nutjob. Your only option is to put on your black hat and monetize exploits otherwise nothing will ever be done to fix them.
Anyway, great talk but it's a dark topic when you consider what might be happening to people with less voice or knowledge in navigating the corruption.
it's a fair point. I'm in the UK which has had a pretty severe cost of living crisis recently. As a dev with 7 or so years of experience I've ended up stopping eating takeaway out of financial necessity rather than health reasons. I could not survive a legal challenge. I was given a fine by (some organisation I won't name) for a public infraction. I had the choice to pay a fine or show up in court. I had a strong case, but I wasn't willing to pursue that route cause most of us are living paycheque to paycheque. If I'd got that $5000 fine it would have been devastating.
After all the shit LEOs have been caught doing in the past 5 years, and all the nothingburgers that have been done about it, I legit don't know if responsible disclosure is safe anymore. If I report a vuln and the cops show up to my house, I could very well get shot in my sleep over it.
"Governments and these companies are effectively waving a gun" well, I rather have a picture of a monkey with a razor blade in my mind.
The moral of the story, kids, is that when you discover a vulnerability you shouldn't report it and instead should sell it to shady folks on the dark web.
Or at least that's what punishing well-meaning hackers causes.
Correct, although that's more a blackhat conclusion than one that you can say at fedcon. Don't even try to report, just sell it on the black market because if they're going to treat you like a criminal regardless, might as well get paid.
Well, if you "sell" it, you can be accused of having done it only for personal profit. If you however publish it anonymously, they might still find out who you are and you are in trouble, but they can neither accuse you having it done for personal profit, as you gave it away for free, nor can they blame you to have published it for fame, as then you wouldn't have done it anonymously, since you cannot gain fame if nobody knows who you are. And when I say anonymously, I don't mean pseudo-anonymously, like using some kind of hacker nick or hacker group name, I mean using no name or pseudonym at all. After you've published it, you may point some media to it (TV or radio stations, newspapers, etc.) but I would not give it to them first, as that will again change the way how this looks and you never know what they are doing to do with the information.
@@xcoder1122 To be clear, I don't think anyone should be selling 0days. but the point of the comment was that if no matter how nicely you report you risk having your life ruined, it makes it a lot more attractive to have a reward for all that risk...
THIS is how I find out Kevin Mitnick is dead?? RIP
When hackers realize en masse that the government is lying when it says it cares about security is when this changes. There is no reasoned argument that will convince an apparatchik that a real problem is more important than the governments reputation.
If you report something embarrassing or issue an ultimatum to those people, most will respond with guns ( police and prosecution ).
Still have one of these service medals pinned to my Def Con bag.
Doors and corners, kid. Don't come into the room too fast.
god, the canadian government is such a joke sometimes. Sometimes i think we have it bad in the states, then I see stories like this, where a guy gets fined $7500 for reporting a freaking vulnerability... jesus. They act like he published the info online and didn't save their butt.
$5,000 usd fine!?!?!?
Yeah normally they get a life sentence
It was only a HIPPAA violation.
“Sorry!” -Canadian government, except without the apology.
plus "legal fees"...
Man I would have been enraged. You make me pay for YOUR mistake?!
say nothing to anyone, you will only get yelled at.
12:59 I think there was a mistake here. The HTML "hacking" case occurred in Missouri, not Mississippi.
This should be pinned. I was in the state at the time, and I remember hearing about this.
I really enjoyed the talk. Thanks for shortening the amount of head scratching for me @MyThreeLivesASMR.
St. Louis Mississippi would be good reference to drop in Shadowrun.😀
At the end he says he claims ignorance as he's Canadian, but I don't think he should even say sorry, he's just being Canadian - who here could point to the Yukon, or Nunavut, or Seskatechahaka, or any of the other provinces Canada claims to have on the map? Sure these places probably don't exist, but we should at least try and remember their names before Mississippi-shaming them for confusing two real places.
Ha HA@@cannaroe1213
The only thing I learned from this is "See something, shut tf up."
Phil Haney did not klll himself.
“A hacker with time on their hands is dangerous”
yeh in 2005ish I knew what Snowden reported. I’ve basically only ever had one job. Go figure. But it was really a bad idea for society to punish me by preventing me from having a job. They really assume that if they destroy your career early in, that you’ll never become anything. They undervalue talent and natural intelligence, thinking that (as it was in earlier decades), if they just prevent you from ever being respected/employed in society then somehow you won’t be intelligent. We have things like github, Wikipedia, free online education…
What's going to happen?
@@SamTheEnglishTeacher do you really want to know?
@@DavidConnerCodeaholic yes
@@SamTheEnglishTeacher 42
Also, the democrats are going to win the presidency by coercion & legal obstructionism, in which case the global economy will get BRICS’d
@@SamTheEnglishTeacher whenever some factors constituting an economic perfect storm are set in motion, Russia/China will attempt to force the rest.
More specific questions will maybe get you more specific answers.
I wish I could say any of this was a surprise or is different in the UK where the law states that even intending to hack a system that is not yours or you do not have explicit permission to, is a bad time for you. Crazy. It's like they do not understand that criminals dint care about the law.
The problem is stated succinctly at the beginning - the lawyers. The attorneys told the CISO that they HAD to be heavy-handed from the jump, otherwise if it turned out to be a LEGITIMATE THREAT, then they (the government) would be liable. The problem is that attorneys have ZERO CLUE about what constitutes a legitimate threat versus "responsible disclosure." Hence the talk. Bottom line, educate the attorneys (and their minders) to recognize the difference between responsible disclosure and "Yuri the Ransomware Czar."
Damn Renderman is still kicking, respekt
In the transcript around 00:16:38 it says "[inaudible 00:16:38]", he is saying the abbreviation "OSINT" there.
34:47 Language is just data too, starting with "i like to help" would be good
👏👏👏🤣 1 drink per hour rule
>The other guy at least had his own clothes...
>You don't have clothes!
>Yeah well, I'm not supposed to have clothes, it's how I look
From DHMIS
I can't believe how he disrespected a bottle of Knob Creek like that.
hell of an intro
Damn the Defcon audience has either gotten super stuffy or (impossible) they fixed the audio finally
jesus christ im never reporting anything
Timestamp 39:46 Dig your vibe. If you only get 15 minutes of fame... be a Rock Star.
It's NOT GOOD ENOUGH.
Ignoring the framerate, the sheer clarity of this 720 video is far above most 1080 videos I watch
Having faith in government to be anything other than self-serving was your mistake.
Amen
Awesome job guys. The world needs white hat hackers all the time.
1:48 AB MENTIONED
3:33
5:28
6:34
01:50 👽
Got a little alcoholic for a seccond there...
These health fraud pushers need to go to hell
when your slides literally contain all the things you're going to say, they are bad slides. read up on how to make good presentations. Slides like these cause people to read ahead and become impatient, because they want to learn more. Use bullet points, and don't show them at once, fade them in when you're talking about it.
lol, renderman calling your state "batshit insane".
These mens rea issues are so immature, it's embarrassing.
i wish defcon would screen their presenters so we dont get slide readers.
damn im actually 1st
I’m deeply grateful for your sacrifice.
zazazazazazzzzzzzzzzzzzork
Cringe
Ooh, you owned *HIS* ass.