Black Hat 2008
Five more days until three more conferences.
Yep — SIGGRAPH finally deigned to not conflict with Black Hat this year, which means I get to stage a return trip to LA and see pretty pictures. I probably won’t end up with a conference pass, but Emerging Technologies is worth the entire trip. So much awesome stuff to play with!
So, everyone’s making lists of stuff they want to see. Here’s some stuff I haven’t heard people talking about:
Concurrency Attacks in Web Applications — Scott Stender
Anyone ever notice how none of the scripting languages have decent threading support — not Perl, not Python, not PHP, not anything? No? It’s because maintaining concurrent access to shared resources is really, really hard — one of the hardest problems in computer science. Theoretically, the problem shouldn’t affect the web, because HTTP is “stateless”.
Well, what’s the first thing every Web Application Framework adds? State. And is concurrent access required to this state?
Not usually…users just have a single browser window open…so, it works! Ship it!
Long term, I suspect Scott’s talk here has significant potential to change web application auditing.
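To make the “single browser window” assumption concrete, here is an added example (my own, not code from the post or from Scott Stender’s talk). It models a web request handler as a generator whose `yield` marks the point where the server can switch to another request, and a round-robin scheduler interleaves two handlers deterministically, so the race is reproducible rather than probabilistic. The in-memory SQLite table standing in for session state, the account name `alice`, and the handler names are all constructed for the example.

```python
from __future__ import annotations

import sqlite3
from typing import Callable, Generator, List, Optional, Tuple

# Added example, not from the original post. A request handler is modelled as a
# generator; each `yield` is a point where the server can run another request
# (blocking I/O, a GIL release, a second worker process). A round-robin
# scheduler interleaves the requests in a fixed order so the race always fires.

Request = Generator[None, None, bool]
Handler = Callable[[sqlite3.Connection, str], Request]


def make_store(credits: int) -> sqlite3.Connection:
    """Constructed stand-in for server-side state: one account with N credits."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, credits INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('alice', ?)", (credits,))
    return conn


def redeem_vulnerable(conn: sqlite3.Connection, user: str) -> Request:
    """Check, then act. The gap between the two is the whole vulnerability."""
    (credits,) = conn.execute(
        "SELECT credits FROM accounts WHERE user = ?", (user,)).fetchone()
    if credits < 1:
        return False
    yield  # another request can run here and see the same, stale balance
    conn.execute(
        "UPDATE accounts SET credits = credits - 1 WHERE user = ?", (user,))
    return True


def redeem_atomic(conn: sqlite3.Connection, user: str) -> Request:
    """Check and act in one statement; the database serialises the writers."""
    yield  # any interleaving before the write cannot matter
    cur = conn.execute(
        "UPDATE accounts SET credits = credits - 1 "
        "WHERE user = ? AND credits >= 1", (user,))
    return cur.rowcount == 1  # 0 rows updated means the check failed


def run_interleaved(requests: List[Request]) -> List[bool]:
    """Advance each request one step in turn until all have returned."""
    results: List[Optional[bool]] = [None] * len(requests)
    pending = list(enumerate(requests))
    while pending:
        still_running = []
        for i, gen in pending:
            try:
                next(gen)
                still_running.append((i, gen))
            except StopIteration as done:
                results[i] = done.value
        pending = still_running
    return [bool(r) for r in results]


def simulate(handler: Handler, concurrent: int = 2, credits: int = 1) -> Tuple[int, int]:
    """Return (successful redemptions, credits left) for N simultaneous requests."""
    conn = make_store(credits)
    outcomes = run_interleaved([handler(conn, "alice") for _ in range(concurrent)])
    (left,) = conn.execute("SELECT credits FROM accounts WHERE user = 'alice'").fetchone()
    return sum(outcomes), left


if __name__ == "__main__":
    print("check-then-act:", simulate(redeem_vulnerable))  # (2, -1): double spend
    print("atomic update: ", simulate(redeem_atomic))      # (1, 0)
```

With one credit and two concurrent requests, the check-then-act handler lets both succeed and drives the balance negative; the conditional `UPDATE` lets exactly one through no matter how the requests interleave. The same shape applies to coupon redemption, vote counting, or any "is it still valid?" check on session state: the fix is to make the check and the mutation a single atomic step (a conditional update, a row lock, or an optimistic version column), not to hope that users only open one window.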
C++ objects, scripted with a language that won’t usually crash — the only way to write a GUI.
It’s even a lot more secure than it gets credit for. Really, which would you rather parse:
2. Java Bytecode
Sure, you can import all sorts of crazy things into the sandbox, but the sandbox itself is pretty good.
The problem with visualization is simple: 99% of it is crap. 1% of it is so amazingly good, it makes the other 99% worth digging through. Greg’s been working on security visualization for years, and I’m interested in seeing what he’s up to here.
New Classes of Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices — Tadayoshi Kohno, Kevin Fu
Remember when every juice was being mixed with Cranberry — CranApple, CranGrape, etc — because, oh man, people just can’t get enough of that Cran tang? RFID is the Cran of Technology.
Bruce Dang is a badass. You people don’t even know.
Encoded, Layered, and Transcoded Syntax Attacks: Threading the Needle past Web Application Security Controls — Arian Evans
If you have no idea how redonkulous securely filtering content really needs to be, you need to see this talk.
Passive and Active Leakage of Secret Data from Non Networked Computer — Eric Filiol
Tempest v. Web 2.0 — two technologies enter, one technology leaves — with the data.
Get Rich or Die Trying – “Making Money on The Web, The Black Hat Way” — Jeremiah Grossman, Arian Evans
It’s 2008, and seriously, it’s all about monetization. Good to see a talk that recognizes that.
Reverse DNS Tunneling Shellcode — Ty Miller
So, anyone monitoring for DNS exfiltration yet? Anyone?
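For anyone who answered “no”, here is an added example of what a first-pass monitor looks like (my own code, not from the post or from Ty Miller’s talk). It runs three constructed heuristics over constructed query-log lines in the form `<timestamp> <client-ip> <qtype> <qname>`: unusually long labels, high-entropy subdomains (encoded payloads look random), and a zone receiving many distinct subdomains in a window. The zone extraction approximates the registered domain as the last two labels; the thresholds and the log format are assumptions for the example.

```python
from __future__ import annotations

import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Added example, not from the original post. Heuristic detector for DNS
# tunnelling / exfiltration run over constructed query-log lines.

SAMPLE_LOG = [
    # ordinary traffic (constructed)
    "2008-08-01T10:00:01 10.0.0.5 A www.example.com",
    "2008-08-01T10:00:02 10.0.0.5 A mail.example.com",
    "2008-08-01T10:00:03 10.0.0.6 AAAA www.example.com",
    "2008-08-01T10:00:04 10.0.0.6 MX example.com",
    # tunnel-style traffic: data encoded into long, high-entropy labels (constructed)
    "2008-08-01T10:00:05 10.0.0.7 TXT 3q2pzcbxv5ahgnjk7tnrkmk6c3gu3xbe.t.example.net",
    "2008-08-01T10:00:06 10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example.net",
    "2008-08-01T10:00:07 10.0.0.7 TXT orsxg5bamrqxiyjaonuwo3tbovzgkidc.t.example.net",
]
# one host fanning out over many distinct short subdomains (constructed)
SAMPLE_LOG += [f"2008-08-01T10:01:{i:02d} 10.0.0.8 A h{i}.beacon.example.org"
               for i in range(25)]

# Thresholds are assumptions for the example; tune them against your own baseline.
MAX_LABEL_LEN = 30        # DNS allows 63, but human-chosen labels are rarely this long
ENTROPY_BITS = 3.5        # bits per character; encoded data sits well above this
UNIQUE_SUBDOMAINS = 20    # distinct subdomains per zone in the window


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split a query name into (zone, subdomain).

    The zone is approximated as the last two labels; a real deployment would
    consult the public suffix list so that e.g. co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {zone: [reasons]} for every zone that trips at least one heuristic."""
    per_zone: Dict[str, dict] = defaultdict(lambda: {"subs": set(), "reasons": set()})
    for line in lines:
        try:
            _ts, _client, _qtype, qname = line.split()
        except ValueError:
            continue  # skip malformed lines rather than crash the monitor
        zone, sub = split_name(qname)
        stats = per_zone[zone]
        stats["subs"].add(sub)
        if sub and max(len(label) for label in sub.split(".")) >= MAX_LABEL_LEN:
            stats["reasons"].add("long label")
        if shannon_entropy(sub.replace(".", "")) >= ENTROPY_BITS:
            stats["reasons"].add("high-entropy subdomain")
    for stats in per_zone.values():
        if len(stats["subs"]) >= UNIQUE_SUBDOMAINS:
            stats["reasons"].add("many unique subdomains")
    return {zone: sorted(s["reasons"]) for zone, s in per_zone.items() if s["reasons"]}


if __name__ == "__main__":
    for zone, reasons in analyze(SAMPLE_LOG).items():
        print(f"{zone}: {', '.join(reasons)}")
```

On the sample, `example.net` trips the label-length and entropy rules and `example.org` trips the fan-out rule, while the ordinary `example.com` traffic stays quiet. Expect false positives from CDNs, anti-spam lookups and other legitimate heavy users of subdomains; a production version would key the fan-out count on (client, zone) within a sliding time window and whitelist known zones rather than alert on every hit.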
REST for the Wicked — Bryan Sullivan
Seriously? Is it possible to do REST securely?
That’s enough for now. I’ll post in a bit on a few more things — there are some really interesting Defcon-only talks this year, including a brings-tears-to-your-eyes-it’s-so-old-school stunt by Jonathan Brossard. And who knows, maybe I’ll even point out the talks I’d go see at SIGGRAPH if I could.
Well, it’s either that or do more work on DNS 🙂