Black Hat 2008
Five more days until three more conferences.
Three?
Yep — SIGGRAPH finally deigned to not conflict with Black Hat this year, which means I get to stage a return trip to LA and see pretty pictures. I probably won’t end up with a conference pass, but Emerging Technologies is worth the entire trip. So much awesome stuff to play with!
So, everyone’s making lists of stuff they want to see. Here’s some stuff I haven’t heard people talking about:
Concurrency Attacks in Web Applications — Scott Stender
Anyone ever notice how none of the scripting languages have decent threading support — not Perl, not Python, not PHP, not anything? No? It’s because maintaining concurrent access to shared resources is really, really hard — one of the hardest problems in computer science. Theoretically, the problem shouldn’t affect the web, because HTTP is “stateless”.
Well, what’s the first thing every Web Application Framework adds? State. And is concurrent access required to this state?
Not usually…users just have a single browser window open…so, it works! Ship it!
Long term, I suspect Scott’s talk here has significant potential to change web application auditing.
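The check-then-act problem described above, as an added example that is not from the post: a single-use coupon handler written the racy way (read "still unused?", then write "mark used" as two separate steps) next to the same handler with both steps inside one critical section, driven by a small simulator that makes every concurrent request pass the check before any of them acts. The CouponStore, redeem_racy, redeem_safe and simulate names, and the coupon and user values, are constructed for this demo.

```python
import threading
from typing import Callable, Dict, List

# Added example (not from the post): a check-then-act race on shared web-application
# state, next to the same handler with check and act made atomic.


class CouponStore:
    """Constructed stand-in for the framework's shared state (session store or DB row)."""

    def __init__(self, codes: List[str]) -> None:
        self.redeemed: Dict[str, int] = {c: 0 for c in codes}   # how often each code was used
        self.credits: Dict[str, int] = {}                        # credit granted per user
        self.lock = threading.Lock()


def redeem_racy(store: CouponStore, user: str, code: str,
                after_check: Callable[[], object] = lambda: None) -> bool:
    """Vulnerable handler: the 'still unused?' read and the 'mark used' write are two
    separate steps, so concurrent requests can all pass the check before any writes."""
    if store.redeemed.get(code, 1) > 0:          # check (unknown codes count as used)
        return False
    after_check()                                # demo hook: widens the check/act window
    store.redeemed[code] += 1                    # act
    store.credits[user] = store.credits.get(user, 0) + 10
    return True


def redeem_safe(store: CouponStore, user: str, code: str,
                after_check: Callable[[], object] = lambda: None) -> bool:
    """Hardened handler: check and act happen inside one critical section. In a real
    deployment the equivalent is a row lock or a conditional UPDATE ... WHERE used = 0."""
    after_check()                                # work done before the critical section is harmless
    with store.lock:
        if store.redeemed.get(code, 1) > 0:
            return False
        store.redeemed[code] += 1
        store.credits[user] = store.credits.get(user, 0) + 10
    return True


def simulate(handler: Callable[..., bool], n_requests: int = 5) -> Dict[str, int]:
    """Fire n_requests concurrent redemptions of one single-use code for one user.
    A barrier forces the interleaving the handler must be safe against: every request
    finishes its check before any request acts."""
    store = CouponStore(["WELCOME10"])
    barrier = threading.Barrier(n_requests, timeout=5)
    results: List[bool] = []

    def request() -> None:
        results.append(handler(store, "alice", "WELCOME10", after_check=barrier.wait))

    threads = [threading.Thread(target=request) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"successful_redemptions": sum(results),
            "credits_granted": store.credits.get("alice", 0)}


if __name__ == "__main__":
    print("racy:", simulate(redeem_racy))   # every request succeeds on the same code
    print("safe:", simulate(redeem_safe))   # exactly one succeeds, 10 credits granted
```

The barrier only makes the bad interleaving reproducible; without it the racy handler fails the same way whenever two requests land close enough together, which is exactly the kind of bug an audit that walks one request at a time never sees. Note that the lock is per process: once the application runs on several workers or hosts, the atomic step has to move into the shared store (a transaction with a row lock, or a conditional update whose affected-row count tells you whether you won).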
Circumventing Automated JavaScript Analysis Tools — Billy Hoffman
Mobile code happened, and its name is Javascript. I was recently told of a 75K medical management application, written in JS. I refused to believe it until I realized that it probably was faster, and more stable, and written at less cost even, than the same code would have been in any other language.
C++ objects, scripted with a language that won’t usually crash — the only way to write a GUI.
It’s even a lot more secure than it gets credit for. Really, which would you rather parse:
1. x86
2. Java Bytecode
3. MSIL
4. JavaScript
Sure, you can import all sorts of crazy things into the sandbox, but the sandbox itself is pretty good.
Just don’t try to build another sandbox, a second sandbox, out of the sand inside. People want to do this — they want to let this Javascript run, but not that Javascript run, based on prior analysis. This, of course, will not work. We know it will not work. Turing Completeness and the Halting Problem pretty much declare you hosed. But people try anyway, and now, oh look, it’s Billy Hoffman, standing by a fire truck, turning a valve…
Visual Forensic Analysis and Reverse Engineering of Binary Data — Greg Conti, Erik Dean.
The problem with visualization is simple: 99% of it is crap. 1% of it is so amazingly good, it makes the other 99% worth digging through. Greg’s been working on security visualization for years, and I’m interested in seeing what he’s up to here.
New Classes of Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices — Tadayoshi Kohno, Kevin Fu
Remember when every juice was being mixed with Cranberry — CranApple, CranGrape, etc — because, oh man, people just can’t get enough of that Cran tang? RFID is the Cran of Technology.
Methods for Understanding Targeted Attacks with Office Documents — Bruce Dang
Bruce Dang is a badass. You people don’t even know.
Encoded, Layered, and Transcoded Syntax Attacks: Threading the Needle past Web Application Security Controls — Arian Evans
If you have no idea how redonkulous securely filtering content really needs to be, you need to see this talk.
Passive and Active Leakage of Secret Data from Non Networked Computer — Eric Filiol
Tempest v. Web 2.0 — two technologies enter, one technology leaves — with the data.
Get Rich or Die Trying – “Making Money on The Web, The Black Hat Way” — Jeremiah Grossman, Arian Evans
It’s 2008, and seriously, it’s all about monetization. Good to see a talk that recognizes that.
Reverse DNS Tunneling Shellcode — Ty Miller
So, anyone monitoring for DNS exfiltration yet? Anyone?
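On the monitoring question, here is an added example that is not from the post: a small detector run over constructed resolver query logs, scoring each zone on how many distinct query names carry a long, high-entropy first label (the shape of data chunks encoded into hostnames) and how many queries ask for record types that can carry bulk data back. The log format, the two-label zone split, the thresholds and the sample lines are all assumptions made for the demo.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator

# Added example (not from the post): scoring resolver query logs for DNS-tunnel behaviour.
# The log format, zone split and thresholds below are assumptions for the demo.

# Constructed sample: "<timestamp> <client> <qtype> <qname>", not real traffic. The long
# hex first labels under exfil-demo.test imitate data chunks carried in query names.
SAMPLE_LOG = """\
2008-08-01T10:00:01 192.0.2.10 A www.example.com
2008-08-01T10:00:02 192.0.2.10 A mail.example.com
2008-08-01T10:00:03 192.0.2.11 TXT 4a7d1ed414474e4033ac29ccb8653d9b.t.exfil-demo.test
2008-08-01T10:00:03 192.0.2.11 TXT 9f86d081884c7d659a2feaa0c55ad015.t.exfil-demo.test
2008-08-01T10:00:04 192.0.2.10 A img-07f3.cdn.example.com
2008-08-01T10:00:04 192.0.2.11 TXT e3b0c44298fc1c149afbf4c8996fb924.t.exfil-demo.test
2008-08-01T10:00:05 192.0.2.11 TXT 2c26b46b68ffc68ff99b453c1d304134.t.exfil-demo.test
2008-08-01T10:00:06 192.0.2.12 MX example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character: a hex chunk scores near 4, a label like 'www' scores 0."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield {"ts": ts, "client": client, "qtype": qtype.upper(),
                   "qname": qname.rstrip(".").lower()}


def registrable_zone(qname: str) -> str:
    # Assumption: the last two labels are the zone. A real deployment would consult a
    # public-suffix list so that names like example.co.uk are grouped correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_zones(records, min_label_len: int = 16, min_entropy: float = 3.0):
    """Per zone: query count, distinct names, queries whose first label looks like an
    encoded payload, and queries for record types that can carry bulk data downstream."""
    zones = defaultdict(lambda: {"queries": 0, "unique_names": set(),
                                 "payload_like": 0, "bulk_types": 0})
    for r in records:
        st = zones[registrable_zone(r["qname"])]
        st["queries"] += 1
        st["unique_names"].add(r["qname"])
        first = r["qname"].split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            st["payload_like"] += 1
        if r["qtype"] in ("TXT", "NULL"):
            st["bulk_types"] += 1
    return zones


def flag_tunnels(text: str, min_payload_like: int = 3) -> Dict[str, Dict[str, int]]:
    """Zones in which at least min_payload_like distinct, payload-like names were queried."""
    flagged = {}
    for zone, st in score_zones(parse_log(text)).items():
        if st["payload_like"] >= min_payload_like and len(st["unique_names"]) >= min_payload_like:
            flagged[zone] = {"queries": st["queries"],
                             "unique_names": len(st["unique_names"]),
                             "payload_like": st["payload_like"],
                             "bulk_types": st["bulk_types"]}
    return flagged


if __name__ == "__main__":
    for zone, summary in flag_tunnels(SAMPLE_LOG).items():
        print(zone, summary)
```

Entropy alone is a weak signal: CDNs, cache-busting hostnames and anti-spam services produce long hashed labels legitimately, which is why the detector counts distinct payload-like names per zone and reports the record-type mix rather than alerting on any single query. In practice the thresholds are tuned against a baseline of the resolver's normal traffic, and the zone summary is what goes to the analyst, not the raw lines.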
REST for the Wicked — Bryan Sullivan
Seriously? Is it possible to do REST securely?
Leveraging the Edge: Abusing SSL VPNs — Mike Zusman
You’ll see.
That’s enough for now. I’ll post in a bit on a few more things — there’s some really interesting Defcon-only talks this year, including a brings-tears-to-your-eyes-it-so-old-school stunt by Jonathan Brossard. And who knows, maybe I’ll even point out the talks I’d go see at SIGGRAPH if I could.
Well, it’s either that or do more work on DNS 🙂
Wow!
I would really like to be at Black Hat… You are really lucky 😉
Bye!
I wish I could see the concurrency attacks talk myself (but no Defcon or Blackhat for me). It’s definitely been something in the back of my mind for a while (I had the same realisation: we have all these concurrency bugs in other apps, why not webapps?), so I’m quite surprised that so few people seem to be mentioning it, given that it’s largely such an unexplored area which definitely has a lot of damaging stuff in there. I really hope he brings out the big guns and gets people looking more.
Black Hat sounds so sweet. I have worked with computers since about 1984 and started with programming on an IBM PCjr. I currently work in the IT Field and thanks to Dan K. my dreams and hopes are coming true. Windows 98 Second Edition Rules.
Hi, I’m a 16-year-old boy and I would really like to contact you by email or any way, just to ask you some questions about security. But do not worry, it’s not anything about the DNS bug and so on.
My email is : ander_medal@hotmail.com
I hope we can speak 😉
Bye!
When are you getting in to BlackHat?
I am working BlackHat, so look for a big guy, blue hair, with a staff badge. Goes by the names: Bert, Norwegian and/or 0x58.
I replied to your email, but never got an answer back …
Dan, have you seen this: http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9111618 ?
Looks like you’ve inspired some things 🙂 !!
Keep up the good work!
Thanks, Stan for the feedback.