Monthly Archives: July 2013

Fun with QR codes

For Defcon 19 I wanted to see how many people I could get to scan a QR code without it looking official or promising them anything. I wanted to see if I could get people to scan a nondescript QR code at a security conference.

In short, I got a lot of people to scan a random QR code which sent them to goatse.

paul byrne
I worked at Microsoft for 7 years on .NET Compact Framework, Games for Windows Live and Xbox 360.

Common Security Flaws in Search Engines

Java-based CMSs and other products often use the Lucene framework to implement their search functionality. In this talk, Jens explains the basics of search engines and describes the common issues in the implementation of this framework. He also talks about the potential for misusing search engines, with an example demo.

Jens Muecke
Jens is a hacker from Hamburg, Germany. He’s a co-founder of the attraktor hackerspace, a CCC member and works in infosec. Earlier in his career, he worked in software development, architecture and analysis.

In his spare time, Jens solders with microcontrollers, listens to satellites and travels to hackerspaces and communities around the globe. He also has a special relation to Seattle.

Building Antibodies – The Phishing program at Twitter

I run the phishing program at Twitter. It’s not just an awareness program; the intention is to actually “build an immunity” to phishing. This is somewhat of a daunting task.

The numbers we’ve collected show improvements over time – we’re actually getting our employees to stop clicking things. Anyone who has ever done incident response will know – the fewer users you have running malware, the more hair you keep on your head.

This is a description of how the program is built, how you can implement one of your own, how to identify data points to measure and how to build the antibodies that will keep more of your employees safe, and keep more malware out of your environment.

Imagine a world where phishing didn’t work because everybody could recognize a phish. Sounds awesome, huh?

The intention here is to build antibodies – make phishing such a big deal that employees will help each other out – save each other from phishing. We’ve reached the point where our employees are actually coding Chrome extensions to spot phishing scams in their browsers because of this program, and those extensions are stopping outside malware as well.

Viss
Dan Tentler freelances taking on Red Team and PenTest engagements. A For-Pay bad-guy, who works for the good guys.

Automatic Comprehension

Some interesting methods for automatic optimization, translation and comprehension of machine code, source code and external (black-box) APIs.

Christopher Abad
My favorite songs are “Chattahoochee” by Alan Jackson, “They Return to Their Earth” by Current 93 and “Rhubarb” by Aphex Twin.

A digital currency with real value

We describe COMPLEXITY COIN, a digital currency which is backed by the high-frequency solving of difficult, useful computational problems. COMPLEXITY COIN achieves many of its goals via mechanisms which are abstractly similar to BITCOIN, but which differ in that the “heat backing” is being applied to problems which are COMPLETE in various specific complexity classes (NP, #P, co-NP, etc). The problems which get solved are sourced from a mixture of random sources (similar to BITCOIN) and non-random sources (individuals who are willing to put up bounties on getting their problems solved). Datasets for these problems are shared via BitTorrent. The currency rewards miners for collaborating with others to solve problems quickly, which creates an incentive for miners to seed the datasets. Further, the currency includes a degenerate case wherein it is practical to pay miners for their contributions as seeders, and this degenerate case occurs as an emergent, natural property of the system. Lastly, COMPLEXITY COIN is better than Bitcoin because it’s not-yet too-late to get-in on it and make a digital fortune by paying higher energy bills.

broker
Broker is an Exploit Developer Level II for the Papal Swiss Guard. He is most known for the invention of “90’s-oriented programming,” which uses addresses within libc as return-points rather than requiring shellcode injection.