Fun with QR codes

For Defcon 19 I wanted to see how many people I could get to scan a QR Code without it looking official or promising them anything. I wanted to see if I could get people to scan a non-descript QR code at a security conference.

In short I got a lot of people to scan a random QR code which sent them to goatse.

paul byrne
I worked at Microsoft for 7 years on .Net Compact Framework, Games for WIndows Live and Xbox 360.

Common Security Flaws in Search Engines

Java based CMS and other products often use the Lucene framework to implement the search functionality. In this talk, Jens explain the basics about search engines and describe the common issues in the implementation of this framework. He also talks about the potential of miss-using search engines by an example demo.

Jens Muecke
Jens is hacker from Hamburg, Germany. He’s co-founder of the attraktor hackerspace, CCC member and working in infosec. Earlier in his career, he worked in software development, architecture and analysis.

In his spare time, Jens solders with micro-controllers, listen to satellites and travel to hackerspaces and communities around the globe. He has also a special relation to Seattle.

Building Antibodies – The Phishing program at Twitter

I run the phishing program at Twitter. It’s not just an awareness program, the intention is to actually “build an immunity” to phishing. This is somewhat of a daunting task.

The numbers we’ve collected show improvements over time – we’re actually getting our employees to stop clicking things. Anyone who has ever done incident response will know – the fewer users you have running malware, the more hair you keep on your head.

This is a description of how the program is built, how you can implement one of your own, how to identify datapoints to measure and how to build the antibodies that will keep more of your employees safe, and keep more malware out of your environment.

Imagine a world where phishing didn’t work because everybody could recognize a phish. Sounds awesome, huh?

The intention here is to build antibodies – make phishing such a big deal that employees will help each other out – save each other from phishing. We’ve reached the point where our employees are actually coding chrome extensions to spot phishing scams in their browsers because of this program, and those extensions are stopping outside malware as well.

Viss
Dan Tentler freelances taking on Red Team and PenTest engagements. A For-Pay bad-guy, who works for the good guys.

Automatic Comprehension

Some interesting methods for automatic optimization, translation and comprehension of machine code, source code and external (black-box) APIs.

Christopher Abad
My favorite songs are “Chattahoochee” by Alan Jackson, “They Return to Their Earth” by Current 93 and Rhubarb” by Aphex Twin.

A digital currency with real value

We describe COMPLEXITY COIN, a digital currency which is backed by the high-frequency solving of difficult, useful computational problems. COMPLEXITY COIN achieves many of its goals via mechanisms which are abstractly-similar to BITCOIN, but which differ in that the “heat backing” is being applied to problems which are COMPLETE in various specific complexity classes (NP, #P, co-NP, etc). The problems which get solved are sourced from a mixture of random sources (similar to BITCOIN) and non-random sources (individuals who are willing to put up bounties on getting their problems solved). Datasets for these problems are shared via BitTorrent. The currency rewards miners for collaborating with others to solve problems quickly, which creates an incentive for miners to seed the datasets. Further, the currency includes a degenerate case where-in it is practical to pay miners for their contributions as seeders, and this degenerate case occurs as an emergent, natural property of the system. Lastly, COMPLEXITY COIN is better than Bitcoin because it’s not-yet too-late to get-in on it and make a digital fortune by paying higher energy bills.

broker
Broker is an Exploit Developer Level II for the Papal Swiss Guard. He is most known for the invention of “90’s-oriented programming,” which uses address within libc as return-points rather than requiring shellcode injection.

Last Chance to Register!

ToorCon Seattle is coming up in just a couple of weeks and we’ve received many requests from people to come that don’t have Challenge Coins so we’ve decided to start a waiting list for them in case we have extra tickets available. Make sure to register or join the waiting list before July 1st so we can issue tickets to people on the waiting list. Hope to see you all there in a couple weeks!

ToorCon Seattle CFP and Registration Open!

5914184353_77ca78f4b3_mToorCon Seattle was created as a small get together for ToorCon staff, supporters and past speakers to meet up and have fun in Seattle. To try and keep it a small conference we made it invite only and limited the number of people who have received challenge coins from previous events. If you feel like you contributed to ToorCon and didn’t get a challenge coin, please let us know. Otherwise, ToorCon in San Diego has always been open to the general public is extremely affordable and does not have a cap on attendance.

This year ToorCon Seattle will be happening once again! We’re scheduling the conference for the weekend of July 5th-7th where we’ll kick off the event with a block party at Ada’s Technical Books and Metrix Create:Space on Friday night, talks once again at Neumos on Saturday with festivities at the lo-fi on Saturday night, and we’ll finish off the weekend with hands-on workshops at various locations around the city on Sunday as well as other social activities happening around town.

So this is your chance to submit the newest cutting edge research you want to present to your peers or register to be one of the 150 attendees of ToorCon’s most exclusive security conference.