yojimbo

Thoughts that should have a longer lifetime than my Mastodon posts ...

Purplecon 2019 william, banging fists on table state machines state machines, https://purplecon.nz/talks#william, https://www.youtube.com/watch?v=VbtsQjbnNw8&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=3

writing software is hard. really hard. almost impossible one would say. we can see this from . as we all are walking talking fleshy bug emitting machines that sometimes emit good code as a lucky side effect, we need all the help we can get to increase this luck factor. state machines help us to reason about our programs, how they work, how they won't work, and why they didn't work – and from there, how we can design programs to never fail at all. there are state machines all around us. let me show you how we can use them in code for security and robustness. area and assumed knowledge: area – secure software development. assumptions – some programming knowledge, but demos will be in rust and c. i will not use advanced or tricky code for any demo to make it as accessible as possible.

  • Not being a developer, I didn't get as much from this as others would have done.
  • But I'm familiar with state machines as descriptions of systems, the biggest example being the TCP/IP example (https://en.wikipedia.org/wiki/Transmission_Control_Protocol)
  • They require some rigor, which is in general a good thing!
  • They help you look at a problem from different perspectives
  • They're part of “document first, then code to the specification” rather than “open an editor and start hacking” iterative/explorational coding
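As an added illustration of the talk's point (example code written for these notes, not from william's demos): a simplified TCP-style server connection modelled as an explicit Rust state machine. The state and event names and the reduced set of transitions are my own simplification of the TCP connection diagram linked above; the transition table is the specification, and any (state, event) pair it doesn't list is rejected rather than silently tolerated, so for instance payload arriving before the handshake has completed is an error you can see and log instead of a surprise later.

```rust
// Added example (not from the talk): a simplified TCP-like server-side
// connection state machine with an explicit transition table.
// Any (state, event) pair not in the table is rejected instead of being
// silently accepted, which is the robustness property the talk argues for.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum State {
    Closed,
    Listen,
    SynReceived,
    Established,
    CloseWait,
    LastAck,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Event {
    PassiveOpen, // application asks to listen
    RecvSyn,
    RecvAck,
    RecvData,
    RecvFin,
    Close,       // application closes after the peer's FIN
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct InvalidTransition {
    pub state: State,
    pub event: Event,
}

/// The only legal transitions (a simplification of the TCP diagram).
/// Everything else is an error by construction.
pub fn step(state: State, event: Event) -> Result<State, InvalidTransition> {
    use Event::*;
    use State::*;
    let next = match (state, event) {
        (Closed, PassiveOpen) => Listen,
        (Listen, RecvSyn) => SynReceived,       // server replies SYN-ACK (not modelled)
        (SynReceived, RecvAck) => Established,  // three-way handshake complete
        (Established, RecvData) => Established, // payload is only accepted here
        (Established, RecvFin) => CloseWait,
        (CloseWait, Close) => LastAck,
        (LastAck, RecvAck) => Closed,
        _ => return Err(InvalidTransition { state, event }),
    };
    Ok(next)
}

/// Feed a sequence of events starting from Closed, stopping at the first
/// illegal one. Returns the state reached, how many events were consumed,
/// and the rejected transition, if any.
pub fn run(events: &[Event]) -> (State, usize, Option<InvalidTransition>) {
    let mut state = State::Closed;
    for (i, &ev) in events.iter().enumerate() {
        match step(state, ev) {
            Ok(next) => state = next,
            Err(e) => return (state, i, Some(e)),
        }
    }
    (state, events.len(), None)
}

fn main() {
    use Event::*;
    // Constructed sample sequences, not captured traffic.
    let good = [PassiveOpen, RecvSyn, RecvAck, RecvData, RecvFin, Close, RecvAck];
    println!("{:?}", run(&good));
    // Data arriving before the handshake finished: rejected at index 2.
    let early_data = [PassiveOpen, RecvSyn, RecvData];
    println!("{:?}", run(&early_data));
}
```

The useful property is that the `match` is the whole specification: adding a state or event without updating the table produces a rejected transition, not an accidental acceptance, and the rejected (state, event) pair is exactly the thing worth logging when a peer misbehaves.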

Purplecon 2019, shahn harris, embracing empathy, https://purplecon.nz/talks/#shahn-harris, https://www.youtube.com/watch?v=bvB8nEVka80&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=2

empathy is a personality trait which is not often discussed in the world of infosec. in an industry with highly authoritative technical personalities, curious technical explorers and fully transparent decision makers empathy is the odd one out, why care about what other people think or feel when you have the mandate to enforce policy/solutions/architecture/technology as you have funding and “because security”. in this talk i will take you through how in my now near 20-year career predominately in the enterprise space i have tried to be anything but empathetic, the feeling of impostor syndrome i carried around for years as the way i worked and achieved results was not covered by any conference talks/certs/training/industry groups. and how through necessity i went from realizing that while my approach to infosec had always been classed as “pragmatic” it was empathetic. and that empathy worked wonders in the most trying time of my career.

  • mh
  • Defeating impostor syndrome by accepting being a different “type” from others
  • Perhaps the black hoodie death metal flames security image is harmful to more than just conferences?
  • 'Enterprise' personality profiling might not be “correct” (many of them are wildly inaccurate) but sometimes just being reminded that people are allowed to be different is important

Purplecon 2019 sera, iam confused: a deep dive into how permissions work, https://purplecon.nz/talks/#sera, https://www.youtube.com/watch?v=t0wkQinlRso&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=4

one of the hardest things to understand in the world of cloud computing has to be iam – what is a role? what is a policy? how do i keep my engineers away from production systems? how do? the aim of this talk is to try and give some practical examples to help security teams understand what's going on, and how to use this to keep their infrastructure running smoothly and safely.

Purplecon 2019 sauramaia, how to human in groups, https://purplecon.nz/talks/#sauramaia, https://www.youtube.com/watch?v=rq6IWQbjdMI&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=2&t=0s

if you’ve ever tried to convince your high school friends that being racist is kinda terrible, or your work friends that they should use a password manager, this talk is for you. changing people’s minds is hard. each group has its own version of what’s normal. this talk is about how to work with the brain tools we’ve got to make the computer tools we want.

  • Change causes conflict and can hurt feelings
  • Security boundaries probably represent change ...
  • Join a group (perhaps via an advocate), consider the Overton Window of ideas, and using no negative language “should no must you etc” present your reasons

Purplecon 2019

An excellent and very refreshing infosec con, with an audience that was not made up of the usual suspects! Purplecon is constructive, similar to the OWASP standard that all talks need to have solutions or mitigations, and this is starting to creep into everyone's expectations elsewhere as well.

The non-content aspects of Purplecon deserve highlighting:

  • Ticket sales were staggered into three waves, so it wasn't all sold out in 5 minutes (like the 2018 edition), and gave time to people needing corporate signoff.
  • Ticket sales were split into two categories, with half of them explicitly reserved for people self-identifying as a marginalised group of some sort, any sort, don't tell us the details, we trust you.
  • The aesthetic was purple, flowery, sparkly rather than black hoodie death metal flames. We don't all have to rebel in the same way, as Alex said.
  • Instead of coffee, we had complimentary bubble tea.
  • The afternoon break was a long one, with the explicit request to find new people to talk to, to ask & answer questions, and to keep an open space in circles to allow people to join easily ... I think this could have benefitted from being more structured, rather than being spontaneously successful.

The con was livestreamed, the talks are on Youtube (https://purplecon.nz/talks/, https://www.youtube.com/playlist?list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6) and every talk was a Keynote. On the topic of livestreaming – Purplecon consider the free streaming as a way to get more people to access infosec content, without having to take actual seats away from people who will benefit from being there live. At least one big org ran their own internal conference, with their content fitted in around the Purplecon stream – which was also available in two Wellington hostelries, Meow and Hashigo Zake ...

CHCon 2019 overall was, once again, an excellent infosec conference. Part of the appeal is the different audience, not everyone wants to be in Wellington, and not everything is an Internet-exposed service. There was a great broad range of topics, and perhaps because they're first off the rank in terms of dates my head (and notebook) were filling up with ideas faster here than during the next conferences.

But that's also been my takeout over the last few years as well – CHCon has a different type of energy than Kiwi/Kawaiicon, and a lower barrier to entry. The more people we get exposed to what infosec worries about, the more they might be able to reduce or fix things early.

Congrats to the crew, hope to see you next year!

Day 2 highlights from CHCon ...

Shaquin & Ben did a great job of getting the audience to get one step ahead of them every now and then, but still pulled out some surprises on the way. And included mitigations, like they should :–)

Adel's fingerprinting talk was good, not only from the perspective that there is still unencrypted data out there but that traffic analysis even on its own is still a powerful tool.

Sam did well to remind us that even 5V is potentially enough to start a fire in a wall cavity, so hack safely! And if you leave evidence behind, it still won't ring any alarm bells if you do it professionally enough.

I liked Jed's talk because I'm approaching the same problems that he was showing a solution for; I've pinched a couple of his phrases and used them on management at $dayjob successfully!

CHCon SHAQUIN & BEN – SUPER SELF-SERVICE: HACKING KIOSKS USING BARCODES, https://2019.chcon.nz/talks/shaquin-ben/

Self-service kiosks with barcode scanners are everywhere – at supermarkets, visitor reception areas, airports, libraries, etc. Using the barcode scanner alone, it’s often possible to get an admin shell on a kiosk. We’ll explain the different types/modes of barcode scanners, show you how to reconfigure them, and how to exploit their features to escape kiosk software. We may even drop an app to help you in your adventures :)

  • So ... barcode scanners interpret the barcodes, and return representations back to the host computer.
  • There are config barcodes that reconfigure the scanners directly ...
  • Scanners can become “HID keyboards” ... and barcodes can encode keyboard keys, just like a rubber ducky
  • https://github.com/LateralSecurity/BarSploit will build a PDF for your attack chain; display it on a kindle perhaps?
  • Mitigations – don't put kiosks on the core network, perhaps run a 'real' lockdown machine as well?

CHCon KADE – PANOPTICON PROJECT, TRACKING STATE SPONSORED ACTORS AND WHY THAT'S IMPORTANT, https://2019.chcon.nz/talks/kade/

Kade will run through a project he started in 2017 for tracking advanced persistent threats (APTs) and other groups with similar capabilities. He will cover what he has learned about APTs, pathways for people to get involved in the project and reasons why tracking state sponsored actors is so important.

  • A mostly documentation project, relying on published data (OSINT)
  • Would like to be more machine-readable, needs help
  • Has a domain language less obscure than STIX

CHCon KARL BARRETT – INDUSTRIAL SENSORSHIP, https://2019.chcon.nz/talks/karl/

Sensors are a critical component within the realm of human-machine interfaces, but how do they work? This talk will review a few common sensors, their implementations, and how to deceive them.

  • How to subvert sensors – what are they really measuring vs what do we imply from them (i.e. 'IR motion sensors' are really tracking temperature changes)