DEF CON on System Overlord

Returning to Hacker Summer Camp

david@systemoverlord.com (David Tomaschik) — Wed, 20 Jul 2022 00:00:00 +0000

It’s that time of year again – Hacker Summer Camp. (Hacker Summer Camp is the ~weeklong period where several of the largest hacker/information security conferences take place in Las Vegas, NV, including DEF CON and Black Hat USA.) This will be the 3rd year in a row where it takes place under the spectre of a worldwide pandemic, and the first one to be fully in-person again. BSidesLV has returned to in-person, DEF CON is in-person only, Black Hat will be in full swing, and Ringzer0 will be offerring in-person trainings. It’s almost enough to forget there’s still an ongoing pandemic.

I did attend last year’s hybrid DEF CON in person, and I’ve been around a few times, so I wanted to share a few tidbits, especially for first timers. Hopefully it’s useful to some of you.

Hacker Summer Camp 2019: The DEF CON Data Duplication Village

david@systemoverlord.com (David Tomaschik) — Thu, 05 Sep 2019 00:00:00 +0000

One last post from Summer Camp this year (it’s been a busy month!) – this one about the “Data Duplication Village” at DEF CON. In addition to talks, the Data Duplication Village offers an opportunity to get your hands on the highest quality hacker bits – that is, copies of somewhere between 15 and 18TB of data spread across 3 6TB hard drives.

I’d been curious about the DDV for a couple of years, but never participated before. I decided to change that when I saw 6TB Ironwolf NAS drives on sale a few weeks before DEF CON. I wasn’t quite sure what to expect, as the description provided by the DDV is a little bit sparse:

Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

david@systemoverlord.com (David Tomaschik) — Sat, 27 Jul 2019 00:00:00 +0000

I’ve begun to think about what I’ll take to Hacker Summer Camp this year, and I thought I’d share some of it as part of my Hacker Summer Camp blog post series. I hope it will be useful to veterans, but particularly to first timers who might have no idea what to expect – as that’s how I felt my first time.

Since it’s gotten so close, I’ll also talk about what steps you should take to protect yourself.

Hacker Summer Camp 2019 Preview

david@systemoverlord.com (David Tomaschik) — Thu, 02 May 2019 00:00:00 +0000

Every year, I try to distill some of the changes, events, and information surrounding the big week of computer security conferences in Las Vegas. This week, including Black Hat, BSides Las Vegas, and DEF CON, is what some refer to as “Hacker Summer Camp” and is likely the largest gathering of computer security professionals and hackers each year.

Hacker Summer Camp 2018: Wrap-Up

david@systemoverlord.com (David Tomaschik) — Sat, 25 Aug 2018 00:00:00 +0000

I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts from this year.

BSides Las Vegas

I can’t say much about BSides as a whole this year, as I spent the entire time Gold Teaming for Pros vs Joes CTF. (Gold Team is responsible for running the game infrastructure, scoreboard, etc.) It was a great experience to be on Gold Team, but I do miss having a team to support and educate. Overall, the CTF went fairly well, but there were a few bumps that I hope we can avoid next year.

I'm the One Who Doesn't Knock: Unlocking Doors From the Network

david@systemoverlord.com (David Tomaschik) — Fri, 10 Aug 2018 00:00:00 +0000

{:.right}

Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that lead to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.

(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)

Hacker Summer Camp 2018: Cyberwar?

david@systemoverlord.com (David Tomaschik) — Thu, 19 Jul 2018 00:00:00 +0000

I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.

The Network

So, is it “the most dangerous network in the world”? Well, there’s probably some truth to that in the sense that in terms of density of threats, it’s likely fairly high. In terms of sheer volume of threats, the open internet is obviously going to be a leader.

Hacker Summer Camp 2018: Last Minute Tips

david@systemoverlord.com (David Tomaschik) — Sun, 15 Jul 2018 00:00:00 +0000

This is an update to my planning guide as we get closer to Hacker Summer Camp. (We’re down to about 3 weeks now!)

Planning Your Time

Schedules and details for events have begun to be released. For example, we have:

BSides Las Vegas Schedule
DEF CON 26 Speaker List (No schedule yet!)
DEF CON 26 Villages
DEF CON 26 Demo Labs

It’s time to take a look at the lists of events and times and start making your “must do” list. Resist the temptation to try to plan every minute – first, you won’t be able to stick to it, and secondly, you’ll feel like it doesn’t leave you time for spur of the moment events. There will be conversations you want to have, people you want to meet, or unscheduled activities you want to check out.

Hacker Summer Camp 2018: Prep Guide

david@systemoverlord.com (David Tomaschik) — Sat, 26 May 2018 00:00:00 +0000

For those unfamiliar with the term, Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It’s the largest gathering of hackers, information security professionals and enthusiasts, and has been growing for 25 years. In this post, I’ll present my views on how to get the most out of your 2018 trip to the desert, along with tips & points from some of my friends.

Hacker Summer Camp 2017: Lessons Learned

david@systemoverlord.com (David Tomaschik) — Mon, 07 Aug 2017 00:00:00 +0000

In addition to taking stock of how things went at Hacker Summer Camp, I think it’s important to examine the lessons learned from the event. Some of these lessons will be introspective and reflect on myself and my career, but I think it’s important to share these to encourage others to also reflect on what they want and where they’re going.

Introspections

It’s still incredibly important to me to be doing hands-on technical work. I do a lot of other things, and they may have significant impact, but I can’t imagine taking a purely leadership/organizational role. I wouldn’t be happy, and unhappy people are not productive people. Finding vulnerabilities, doing technical research, building tools, are all areas that make me excited to be in this field and to continue to be in this field.

Hacker Summer Camp 2017: DEF CON

david@systemoverlord.com (David Tomaschik) — Sat, 05 Aug 2017 00:00:00 +0000

DEF CON, of course, is the main event of Hacker Summer Camp for me. It’s the largest gathering of hackers in the world, and it’s the only opportunity I get to see some of the people I know in the industry. It’s also the most hands-on of all of the conferences I’ve ever attended, and the people running the villages clearly know their stuff and are super passionate about their area. Nowhere do I see so much raw talent and excitement for the hacker spirit as at DEF CON.

Hacker Summer Camp 2017 Planning Guide

david@systemoverlord.com (David Tomaschik) — Tue, 18 Jul 2017 00:00:00 +0000

My hacker summer camp planning posts are among the most-viewed on my blog, and I was recently reminded I hadn’t done one for 2017 yet, despite it being just around the corner!

Though many tips will be similar, feel free to check out the two posts from last year as well:

If you don’t know, Hacker Summer Camp is a nickname for 3 information security conferences in one week in Las Vegas every July/August. This includes Black Hat, BSides Las Vegas, and DEF CON.

The Many Badges of DEF CON 25

david@systemoverlord.com (David Tomaschik) — Fri, 07 Jul 2017 00:00:00 +0000

If you follow DEF CON news at all, you’ll know that there’s been some kind of issue with the badges. But don’t worry, DEF CON will have badges, but so will the community!

What do I mean by this? Well, badge hacking has long been a DEF CON tradition, but in the past few years, we’ve seen more and more unofficial badges appearing at DEF CON. This year seems to be a massive upswing, and while I’m sure some of that was in progress before the badge announcement, ~~I believe at least some of it is the community response to the DEF CON badge issue~~. (Edit: All of the listed badges were apparently in the works before the DEF CON announcement. Thanks to @wbm312 for setting me straight.)

DEF CON Quals 2017: beatmeonthedl

david@systemoverlord.com (David Tomaschik) — Sun, 30 Apr 2017 00:00:00 +0000

I played in the DEF CON quals CTF this weekend, and happened to find the challenge beatmeonthedl particularly interesting, even if it was in the “Baby’s First” category. (DC Quals Baby’s Firsts aren’t as easy as one might think…)

So we download the binary and take a look. I’m using Binary Ninja lately, it’s a great tool from the Vector35 guys, and at the right price compared to IDA for playing CTF. :) So I open up the binary, and notice a few things right away. This is an x86-64 ELF binary with essentially none of the standard security features enabled:

Hacker Summer Camp 2015: DEF CON

david@systemoverlord.com (David Tomaschik) — Fri, 14 Aug 2015 03:11:12 +0000

So, following up on my post on BSides LV 2015, I thought I’d give a summary of DEF CON 23. I can’t cover everything I did (after all, what happens in Vegas, stays in Vegas… mostly) but I’m going to cover the biggest highlights as I saw them.

The first thing to know about my take on DEF CON is that DEF CON is a one-of-a-kind event, somewhere between a security conference and a trip to Mecca. It’s one part conference, one part party, and one part social experience. The second thing to know about my take on DEF CON is that I’m not there to listen to people speak. If I was just there to listen to people speak, there’s the videos posted to YouTube or available on streaming/DVD from the conference recordings. I’m at DEF CON to participate, meet people, and hack all the things.

DEF CON 22 Recap

david@systemoverlord.com (David Tomaschik) — Wed, 13 Aug 2014 05:45:33 +0000

I’m back and recovering with typical post-con fatigue. This year, I made several mistakes, not the least of which was trying to do BSides, Black Hat, and DEF CON. Given the overlapping schedules and the events occurring outside the conferences, this left me really drained, not to mention spending more time transiting between the events than I’d like.

BSides Las Vegas

B-Sides was a blast, but I spent most of the time I was there playing in the Pros vs Joes CTF run by Dichotomy. This is a particularly nice Capture the Flag competition, since it’s based on defending (and attacking) “real world” networks, rather than the typical Jeopardy-style “crack this binary” competitions. Most of the problems seen in the real world aren’t, in fact, 0-day produced by talented hackers, but in fact configuration weaknesses, outdated software, and insecure practices exploited by script kiddies. PvJ forces you to consider how to harden a “corporate” environment while still providing the same services. You get a Cisco ASA as your firewall, and can reconfigure services as needed to establish your perimeter and secure your systems. On Day 2, you also get to see just how good you are at breaking in, and just how good (or bad) your opponents are at securing their network.

Weekly Reading List for 8/2/14

david@systemoverlord.com (David Tomaschik) — Sun, 03 Aug 2014 02:02:20 +0000

This has been missing for a few weeks, but it’s back!

Why is CSP Failing?

Why is CSP Failing? Trends and Challenges in CSP Adoption. Despite being an “academic” paper, this actually has a lot to offer about why one of the most effective defenses against XSS isn’t yet getting widely implemented, and what the implementation costs and strategies are.

Safari Bites the Dust

Ian Beer of Google Project Zero recently popped Safari and then proceeded to pwn OS X. This post dives into exploiting a WebKit unbounded write bug, and makes it obvious just how many hoops an attacker needs to go through compared to the ‘buffer overflow to overwrite EIP’ bugs of the ‘good old days’. It’s a great read, especially if you’re new to browser/client exploitation.