Episode: 420
Title: HPR0420: Defcon 17 Interview
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0420/hpr0420.mp3
Transcribed: 2025-10-07 20:13:44
---
what
Hello and welcome podcast listeners to another episode brought to you by Hacker Public
Radio.
I'm your host for today, Phoenix.
Well, I'm very lucky to be joined, not just by one guest, but by two previous HPR
interviewees, Chris John Riley, who I personally interviewed myself for episode 315, and Frank
Breedijk, who fellow HPR host Ken Fallon interviewed for episode 298.
Welcome guys.
Firstly, Frank, I'm sure I pronounced your surname there wrong.
How do you pronounce it again?
Is it Bray?
Frank Breedijk.
As HPR listeners know, those who have heard me interview people before, I'm absolutely
terrible at surnames, so I do apologize.
Could I...
Could I...
I'm sure you're the only one mumbling it.
So I'm quite used to it.
So it's okay.
I'll just say Frank and I'll listen to you.
Don't worry.
That was my plan from now on in which it'll be Frank, maybe even Franky from time to time.
Firstly, could I ask you to introduce yourself to the HPR role?
Please, I'll start with you, Chris.
Well, yeah, my name's Chris Riley.
I work for a bank in Austria as an IT security analyst and penetration tester.
I was lucky enough to go over to the Black Hat Defcon events with a nice shiny press pass.
They let me go without paying and get into all the backstage areas and talk to the speakers.
So I thought it would be a good chance to come on and have a quick chat with you about what we saw and what the event was like.
And Frank, please introduce yourself to the HPR audience.
Yeah.
Well, let's head on from Greta.
I work for Schuberg Philis as a security engineer.
I'm also the author of an open source program called AutoNessus, which was covered in the HPR podcast with Ken.
And I was lucky enough that my boss paid my tickets to and entrance to Black Hat and Defcon.
I picked up with Chris who I've met through Hacker Public Radio, interestingly enough.
There was a link between the two podcasts and yeah, we decided to hook up in Vegas and see what we could do.
Brilliant.
Well, just to give the HPR audience a quick idea about what we've got planned today is I've asked both Chris and Frank to jump on the line with us.
And just to kind of talk about a Hacker event that ethical hackers around the world will know as Defcon.
Defcon 17 was held in Vegas this year.
And as both the guests have already said, they both attended the event.
So what I've asked them to do is just come back and share what they found out for us for you guys.
So I suppose my first question is, you know, how would you describe Defcon to someone from the HPR audience?
Well, it's important to kind of tell the difference.
There were two conferences that went back to back.
There's Black Hat followed directly afterwards by Defcon.
The two events are kind of like polar opposites of each other.
You've got the first two-day event, which is Black Hat, which is slightly more of a corporate event.
You get the people who come there from various different vendors around the world.
You know, they talk, they sit down in suits and talk about security issues.
Not quite as bad as it sounds.
I mean, there's a lot of very technical stuff going on at a Black Hat.
You have sit-down meals and things like that.
And as soon as Black Hat finishes and winds up, the next day, Defcon starts,
which is 10,000 people in jeans and black T-shirts running around causing absolute mayhem.
And, you know, looking at very, very technical presentations.
As Chris said, it was the corporate conference.
But I think it's the most technical and most cutting edge, groundbreaking conference in security
there is, whereas the other ones, for instance, an RSA conference,
are more formal, far more, yeah, defense, compliance, that sort of thing.
It's really about how do we break stuff?
I mean, my feeling about Defcon really is that it kind of shows.
I mean, I've got to be honest with you.
I've never been to it.
I hope to get to one one day.
But my kind of feeling for Defcon is it's kind of like all the hackers go for a trip to Vegas.
And a conference broke out while they were there.
And from what you feed back, I mean, I know a lot of people put a lot of hard work into it.
It's like a chance for hackers to show other hackers the stuff that they found.
You know, that is to find an audience that's really interested in how this is broken,
or how we fix this, or how this is wrong.
Do you think I'm kind of fair in thinking that?
I mean, it really is kind of like the high point of the calendar for the year.
For people who work in IT, people who work in penetration testing,
or even the defense side, they tend to focus their entire year around Defcon
because that's when one of the big research comes out.
That's when all of the things that people have been working on for the last nine to 12 months,
suddenly come out, do a talk on it.
You get kind of like a lull for about a month before Defcon Black Hat,
because people don't want to talk about things until Black Hat hit and Defcon hit.
And then it's just all out mayhem for a couple of months.
Yeah, it's also the chance to, like he said,
it's one of a few chances to actually disclose this information in a legal way
and to show off it in a more legal way than to sit down with somebody
and actually break somebody, break into somebody's system.
Yeah, I mean, I think Defcon has a reputation for being a good place for disclosure.
I mean, each Defcon that I can remember back to,
there's always been a big discovery announced at Defcon just to, you know,
from DNS issues to, you know, iPhone problems, you know,
is a prime example.
I mean, what were some of the highlights for you at the event, Frank?
Well, you touched on the iPhone one; that was a very, very interesting talk,
a talk to sit and watch, also because it was, yeah, all over the news.
But I think the really biggest issues were around SSL and SSL certificates,
really three talks disclosed vulnerabilities; both
Moxie Marlinspike and Dan Kaminsky came up with the exact same vulnerability,
although Dan admitted that Moxie's exploit for it was much better than his own.
And they just seriously highlighted that you can't just say,
okay, if I've got this padlock and my browser doesn't say something's wrong,
I can trust the site.
Yeah, it's always been the case where people have kind of relied on SSL as the security for their website.
They don't care what's going on underneath that because SSL will always protect them.
And, you know, we've been trying to tell people, people in our kind of industry
have been trying to tell the developers, okay, look, SSL is not always going to be there to save you.
This kind of research comes back and says, look, we need to do more in regards to security and defense in depth
and not just rely on SSL to save everyone, which is kind of a good thing.
It's nasty that it's broken and it's not working like we wanted it to be,
but it's nice that we actually can look back at this and say, well, that is the reason why we should be doing this better.
It's funny that we're talking about SSL and the iPhone.
There are probably two examples of why hacking conferences and disclosures are a very important thing.
You're talking about two, you know, iPhone as well.
The iPhone's a prime example of two weeks before, as far as the media has reported this,
two weeks before DEF CON, Apple were told about the iPhone vulnerability and had done nothing
until it became breaking news at DEF CON.
And then all of a sudden within 48 hours of it hitting BBC News 24,
all of a sudden there's a patch available for iTunes to fix the problem.
And with SSL as well, I mean, security certificates, I mean,
it feels like for the past 12 months that's always been banging a drum about that there's problems here,
you know, as big disclosures, you know, we get to a hacking conference.
And, you know, and it's finally when it's almost like, you know,
why hamsters media attention for the other 11 months and three weeks.
You know what I mean?
You know, I miss this way.
I think these conferences are very good in that way.
It gives a podium for developers and hackers to be able to discuss issues in a probably broader context
with other people in the industry who probably may be appreciate the issues
slightly, you know, probably appreciate the issues that have been found a lot more
fuller than maybe accounts and so on and so forth.
I just find it very funny that, you know, the first two that we talk about are two that,
you know, have been disclosed to the company prior to them being spoken about at a hacking event.
I do have to correct you a little bit there.
I mean, Apple released the patch the day after the presentation in Black Hat,
because the first presentation.
Yeah, Frank, I mean, the BBC reported saying that actually the guys had spoken to the iPhone guys,
you know, two weeks before Defcon with regards to this.
Yeah.
Yeah, but these problems are not easy to fix.
I mean, it's not like they just have to turn around and just flick one bit.
It was, it was a fundamental issue with the iPhone.
There were, it's not just an iPhone-related issue.
They also attacked other SMS.
Yeah, I appreciate it.
I'm not saying that this is an easy fix.
I'm just saying that once, you know, if it hadn't been disclosed at Defcon,
would there have been such an imperative to get it fixed so fast?
Do you know what I mean?
And it's the disclosure aspect of it, that's the point that I'm trying to raise.
Oh, yeah.
I mean, sometimes, sometimes without the disclosure, people don't do anything.
I mean, the perfect example is the, the Chaos Computer Congress last year,
where there was a demonstration on, you know, finally killing MD5
as a hashing algorithm, where they took 200 PlayStation 3s and created a false CA certificate.
And there was a lot of things that fell into place to make them do that.
But it was the final nail in the coffin of MD5,
and people have been saying for the last three to four years,
at least that MD5 is dead, please stop using it.
And it wasn't until that presentation that all of the CAs that were still using it
to have been said, okay, we won't use this anymore.
And it wasn't until that day where they said, okay, we've seen the presentation now.
Now we finally believe you can break it.
Now we're not going to use it anymore.
And it was one of those things where they've been told for years
and they just needed that proof before they were actually doing anything about it.
Just pressing.
Which is also part of Marlin, or of Moxie's talk,
about SSL, he said last year I did a presentation,
and then Microsoft came out and said, no, this is not an issue
because there's that, that and that.
So to prove that it was indeed an issue,
we created a fake Microsoft.com certificate.
And a sign in.line.com certificate.
And all of a sudden, the issue gets fixed in Microsoft products.
So it isn't, it isn't incentive for people to go and fix stuff.
On the other hand, you have to realize that there's disclosing
and there's disclosing.
There was a subtle but distinct difference between, for instance,
the iPhone talk and other talks,
which were about to take a, take an example,
USB attacks, to take the opposite end of the spectrum,
there was this researcher, Rafael Dominguez,
who was saying, well, yes, I have this exploitable function.
And he was the kernel driver in Linux.
I put my customized USB stick in it.
I own your computer, but I cannot disclose
where the actual vulnerability is.
Whereas if you looked at the iPhone presentation,
they literally have the SMSes they used
to do the compromise written on the bottom of the slides.
So anybody paying attention could piece the bits together.
We're kind of bunching some things together,
because it's very easy for us to kind of group together
the iPhone vulnerabilities that were talked about,
because there's more than one.
There was a discussion on the SMS, which was primarily aimed at the iPhone.
There was also another discussion on SMS, which worked across multiple phones,
which wasn't so much of an exploit.
Yeah, it's basically where you receive an SMS and it fakes itself,
so it looks like a notification from your provider.
So sometimes you can get a notification from your provider that says,
would you like to update your settings? Yes, no.
And your average user is going to go, okay,
my service provider wants me to update my settings.
I'll click yes.
It doesn't look any different than a standard service provider,
but what that can do then is change settings on your phone.
So you can then just receive an SMS and change your proxy settings.
So all of your internet traffic goes through a third party proxy server,
which is obviously a big problem.
For me, the reason why maybe one vulnerability gets picked over another
is straight down to the basic media.
The vulnerability in iPhone sells papers.
Do you know what I mean?
Oh, yeah.
And you're absolutely right here.
Numbers of vulnerabilities discovered, but yeah,
BBC on the main, because it's a catchy title.
And it's a shame because you can see how lawyers get involved in disclosures
when it comes to information against the brand,
rather than against a service or a product itself.
And I think to touch back to what Frank said as well,
I think it's fair to say that I touched on this with Pete Woods
from First Base when I interviewed him recently about,
people just don't believe it until they see it with their own eyes.
And I think that's where Defcon itself is good because it's a chance
for that sort of information to be shared.
I mean, you're right as well, Frank, the big issue as well is disclosure.
I mean, having gagging orders put on you,
that does happen.
And that's not such a cool thing, but you're right as well.
You have to be responsible about how you disclose that information.
I mean, I don't know how you disclose an SMS vulnerability
without telling everyone in the world in one go,
because that seems to me that that's the only way,
rather than telling small pockets of people.
But you have to let the manufacturers know prior to that as well, I suppose.
Yeah, but the problem is, I mean, who do you tell the manufacturers of phones?
You tell the service providers in every single country?
There's always going to be someone who doesn't pay any attention.
And then when you finally do release it, then only that person is vulnerable.
So what's fair?
You can't, as an individual and as a security researcher,
make contact with, you know, 5,000 different contacts.
You can only say, well, I can tell you all at once or I can tell none of you.
Or, I can try and tell you.
And if you don't listen, then I'll just go public with the information.
I mean, there's always issues at Defcon and Black Hat with lawyers
and things that get pulled at the last minute.
There's only a certain amount of press coverage.
But I mean, prior to the event, all the press coverage was on Barnaby Jack's
jackpotting ATMs talk, which got pulled from Defcon.
You know, there was a lot of rumors going around about that.
And there was also a lot of bad press going around about Chris Gates's Oracle exploits
for Metasploit, which was completely unfounded.
Everyone was saying he broke Oracle and now he's going public with all the information
and there was going to be chaos.
What he actually did wasn't find the vulnerabilities.
It was purely to make them easier to use during penetration testing,
to be able to prove to people that these vulnerabilities are already there.
And people were saying that he was a bad person for doing it, which I don't agree with at all.
Now that was a really unfair press.
Yeah, it was.
I mean, everyone who I know who went to the presentation thought the presentation was great,
loved the presentation.
I love the functionality and personally as someone who works and tests Oracle,
it's nice for me to be able to test it, exploit these systems and then say,
look, not only do we think these systems are exploitable,
we can now prove that they're exploitable.
Therefore, you must be patching this system.
You must make it better.
And as you said, people sometimes need to be proved to be proved wrong.
You need to be able to shove it in their face and say, look what we did.
And you need to make this better.
And if you can just say, well, we think we might possibly at some point in the future be able to do this,
there's not much incentive for them to fix it.
I think what it is is that people find it hard to visualize when you say,
oh, look, it's vulnerable to this exploit and this exploit and this exploit.
I think people find it hard to see the real life visual aspect of what you're talking about.
You know, oh, it's vulnerable to this sort of this sort of exploit.
Oh, but when's anyone going to do that to us?
And it's not until they see it in front of a screen and go, oh, my God,
someone really could do that very easily against us.
And I think that that's fantastic, I think it was great that the ethical hacking community's
come to a situation where, you know, it can fill out a Vegas hotel during this stuff
and have tens of thousands of people come from all over the world to come and see this stuff.
You know, it's a great reflection on our industry growing and growing and growing.
You know, in those kind of instances, that's where post exploitation comes in.
Because it's very easy to say you're vulnerable to this exploit and that's it.
But business people don't understand that until you can say,
and by being vulnerable to this exploit,
here's a copy of all of your personal identifiable information for 10,000 clients.
And once you can start doing that, it becomes more of a real issue
because people at those kind of high levels of management don't understand vulnerability.
They don't care if there's one vulnerability or ten vulnerabilities.
What they understand is dollar values.
How much will they lose because of this exploit?
How much could they lose because of this exploit?
I think it's also hard for them to also explain to them as well,
that not all loss is gauged in dollars.
You know, if you lose 10,000 customers records,
you know, even if you don't get fined for it,
even the fact that your customers have lost confidence in you.
Yeah, reputational issues are sometimes more serious than dollar values.
Yeah, I mean, it's easy for us guys to appreciate that,
but maybe not so easy for co-centre managers to get that,
you know, you lose 10,000 people's records.
You know, you're going to have 10,000 people very, very annoyed.
One thing that helps is that there's a regulation now that
tries to prove vulnerability on these people,
and for instance, when you talk about regulation that's been put in place,
that we have made CEOs personally liable for misrepresentation
if they didn't take due care to protect their information.
Yeah, they sort of start to listen,
which was one of the key notes I think I'd like to have.
Actually, if you look at security, security is getting a lot of broad cost time.
We all need to speak C level language.
I think you're absolutely right, Frank.
There's starting to become more accountability.
The problem is, it's not uniform from country to country.
There isn't like this global regulator that says,
well, the American industry needs to protect its state,
the same way as the British industry and the British industry,
there is no uniform control over that country,
upon country, who are saying,
data protection, how you look after information and so on and so forth.
Rome wasn't built in a day, though,
and I think it will take a little while.
But I think more disclosure of the importance of looking after data,
and as data becomes more valuable as well, I suppose.
I mean, moving away to, I think this is more the Black Hat
for the sort of topic that we're addressing right now.
Although it does actually, it does actually go hand in hand
with the talk that Jeremiah Grossman and Trey Ford did,
which is Mo' Money, Mo' Problems,
where they're actually discussing some of the issues
that the bad guys have,
and it wasn't so much exploiting systems,
because the problems they were talking about
that seemed to be very easy in business logic related issues.
The issues that the bad guys were coming across
is what they're going to do with all the money.
What do you do when you've just stolen $480 million?
What do you do with it?
Where do you put it?
Where do you move it to?
Well, yeah, I mean, their presentation.
I mean, they're funny guys,
but the presentation follows on from last year's presentation,
which is Get Rich or Die Trying,
and it was a very, very funny presentation.
It didn't have a lot of substance from a tactical point of view,
but from an organizational point of view,
it was hilarious to see the business logic flaws
that just allowed these people to just go in
and either steal money or cost the company money.
I mean, from easy things like
someone managed to brute force a password
or a discount code for Pizza Hut,
which basically reduced the cost of a pizza to nothing.
They then made that public,
and suddenly Pizza Hut lost $70,000 in one day.
So the bad guy didn't make any money,
but he succeeded in making Pizza Hut look like idiots
and making them lose $70,000 in one day,
all because someone at Pizza Hut put the wrong code in
or put the wrong information in
is just the attacks kind of only got more hilarious from that point.
I mean, there was actually some depressing ones as well,
where someone managed to use a system
and use a cross-site scripting failure in a system,
which allowed you to gain a permit
to cut down trees in the rainforest.
And this company falsified a certificate
and then cut down hundreds of millions of dollars worth of trees.
And apparently this vulnerability still exists in the system
because the government don't want to do anything to fix it.
They don't even want to talk about it
or verify that the flaw exists.
So I mean, that was more on the Black Hat side,
but certainly Defcon's more deep technical
than the Black Hat side.
The Black Hat side tends to talk more about
defense in depth and less technical.
Am I right in thinking that this year's Defcon was the first one
that you two had been to?
Yeah, the other side.
I mean, it was the first time in the U.S.
I think for both of us, wasn't it, Frank?
Yeah, the first Black Hat in the U.S.,
first Defcon ever. I've been to Black Hat conferences in Amsterdam
before.
So I kind of know what to expect there.
But yeah, it just turned out to be America.
It was definitely bigger.
Yeah.
Yeah.
What was it like when you first got to Vegas
and saw all the other, you know, saw the event?
Was it, you know, was it overwhelming?
Or was it quiet?
Or was it, you know, what was your initial feeling when you got there?
Because Caesar's Palace, just the casino alone,
it's probably bigger than the town I live in, which is pretty scary.
But I mean, I lived and worked in London for eight years.
So I'm used to huge, great big buildings.
But it was just crazy.
I mean, it was my first time in the U.S.
And everyone said, well, you just got to remember Vegas isn't America.
You know, Vegas is, you know, it's Sin City.
So the rest of the U.S. isn't like Vegas, which is probably a good thing.
It's not probably, it's definitely a good thing.
So was it like...
The first thing that strikes you when you hit Vegas is the heat.
Oh, yeah.
115 degrees Fahrenheit.
I think for me, when I landed.
And I landed at night.
And it was still so hot that you just couldn't do anything.
And the first thing I needed to do was just get into somewhere with air conditioning.
I think during the first day we had a 42 degrees centigrade.
Like, sorry, come to the conversion that quick.
Yeah, it's hot.
Yeah.
You know what people say in the West Bank?
I mean, during the event as well was just basically Vegas overrun by kind of security
and hacking professionals.
And then was, you know, everybody go to, is there an ethical hacker there or...
Oh, no.
No, I mean, Vegas is huge.
I mean, the 10,000 people for Defcon that are after and when it's a Defcon is like a drop in the ocean for Vegas.
I was talking to a taxi driver when I was out there.
They have to fill 2 million beds a week.
It's just amazing.
So the 10,000 people for a hacker conference is not a big thing.
I mean, I saw people around who were obviously hackers, you know, black T-shirts and jeans.
But you could really see who was a hacker and who wasn't because they were really the pale people in black T-shirts
with logos on them that say things like, no, I will not fix your computer.
And there's no place like localhost.
Try harder.
Yeah, if at first you don't succeed, conceal all evidence that you've ever tried.
I shall be replacing you with a small shell script.
Yeah.
Yeah, I mean...
I'll keep that.
Oh, don't get me started on that.
I've recently had a run-in with someone about that.
That's a whole different subject.
Next podcast.
No, no, I think I'll be put up on...
I think I'll be shot and quoted for...
I just bad day and people not reading man pages.
And I never thought I would ever turn around and I never actually said that.
But it was very close enough.
But what is this?
People read man pages?
Yeah, well, you know, it annoys me when you, you know, you ask a question that's covered in the first sentence of a man page.
And it's...
Oh, yeah.
You know, and you say, right, okay, no problems.
Read the man page.
I've read it, and I still don't know how it works.
You've quite obviously not read it.
You know what I mean?
You're just telling me, you know, and then did that.
I didn't read it.
I grepped it.
I couldn't find anything.
I think.
But, yeah.
Kind of off the sidetrack before, really, I'm still getting complaints about my...
my neoliberalism views to reading man pages.
I mean, what was the...
What was the highlight for you at Defcon?
Was it meeting all the other hackers or, you know, kind of...
I'm using hackers in a very general term, and I'm sure you both appreciate that.
Was it a really good opportunity for you to meet other people in the industry
that maybe if you weren't at that sort of event, you wouldn't have met because it's just, you know,
the nature of business, telephone calls and emails rather than face-to-face.
Or was it more...
You know, there wasn't a chance to get a hold of this.
This really, you know, listen to these talks and then the other kind of place.
And, you know, always it just to make sure of all of those things.
You are definitely at a conference like this.
At some point, facing the challenge, okay, do I break off this interesting conversation
and do I go and sit in a talk I really want to see, or...
Yes.
Do I just continue talking to this very interesting guy I've never met before,
or have met before and finally seen for the first time?
It's not enough time for everything.
That's the thing that hits you is when you...
Even when you look at the conference and you realize there's five tracks, six tracks,
I think that there was less tracks at Black Hat than there were at Defcon.
But even when you look at the tracks, you realize there's always two or three things
on at once that you want to watch.
So there is no way you can see everything.
That's just the way it is.
And then when you add to that, the fact that there's so many people who you know
through online or through chat rooms or through forums or Twitter or any other resource,
or people that you've met in person you haven't seen since last year
or haven't seen since Black Hat Europe.
And you just want to go off and talk to these people.
But you realize that if you do, you're going to miss a talk.
And there's that decision you have to make is either you're there to go to the talks
or you're there to talk to the people.
Getting that balance is very hard to do.
I always remember being taught when I first started business years ago.
When you went to networking events, you really had to make a choice before you went in
whether you're networking or not working.
And it sounds like Defcon in a lot of ways is about hard choices.
And I don't think it's fair to say that if you're sitting with a guy
that's having an interesting conversation that you're not working.
You know what I mean?
Because there might be broad news.
Oh yeah.
You have to talk to these people.
I know a lot of people through Twitter.
I know a lot of people through Twitter as in I've talked to them online
but I've never met them in person.
So I made a list of people I wanted to meet.
I made the list and I was like, okay, I need to meet these people.
And I met some people who were doing the talks.
I met people like Chris Gates, Carlos Perez, who gave a great talk.
He's known as Darkoperator.
He does quite a lot of the Metasploit scripts.
And I met him and we went out and we had some food and we had a chat.
And I met all the guys from PaulDotCom, the guys from Security Justice,
and a further podcast.
And it was really good to meet those guys and talk to them.
And I'm not that depressed that I didn't go to a lot of talks.
Because I know that I can see them again maybe in a month's time.
Maybe I'll see them at Hacking at Random in the next week or so when I'm there.
There's a couple of talks from Jayson E. Street.
And Dan Kaminsky is doing his talk again.
So I can catch those talks at another event or I can just watch them online
when they're available online.
But those people are never going to be in the same place.
Maybe never again or maybe not until next year.
So for me it was more about socializing, getting to know these people up front
and in person.
And knowing when I come back that I'll be able to email them if I have any questions
and they know who I am now, they can email me if I have questions.
And this kind of crap was all about helping each other out.
You know, Defcon sounds like a really scary place with lots of black hat hackers.
It's not really like that anymore.
I mean, Defcon one or two was lots of people who didn't want to tell you their name
and only went by a handle and they really did go off and hack websites.
And as time's come by, people have told me it's got less and less about black hat hackers
and more about people in the security industry who just really want to have fun
and really want to do technical stuff.
I have a question.
I've heard a rumor that at Defcon you see Captain Crunch drunk dancing on a dance floor
guaranteed somewhere in the Defcon event.
Did either of you two see Captain Crunch drunk dancing on a dance floor?
I saw some scary people dancing.
I saw Richard Mogull take his pants down in the middle of a presentation.
That was a Twitter bet.
Someone posted on Twitter while they were doing a presentation
that if 50 people retweeted that message that he'd have to take his pants down in the middle of the talk.
So immediately on Twitter everybody retweeted it and he had to take his pants down in the talk.
So definitely avoid that one on the video.
It wasn't a good thing, God, but it did have his trousers around his ankles.
But I think also when we went the last day when we ended up in...
I think it was the Hofbräuhaus.
It's quite fun to be there together with people like Dan Kaminsky who are trying to manage a proper beer.
Yeah, that was hilarious because as I live in Austria, the Hofbräuhaus is nothing strange to me.
I lived in Munich.
We were all drinking the huge gym beer and no problem at all.
Everyone from America at the end of one was okay, that's enough.
We were ready to just...
Okay, next.
But no, no, no.
It's fine.
We're finished with the evening now.
Time to go home.
So, yeah.
That was a funny evening.
We had Sherri Davidoff and Jonathan Ham who did the presentation there.
Carlos Perez, Larry Pesce.
Yeah, it was like completely stocked with people who were doing talks.
And lots of famous names all over the place, which is...
It's one of the only places you can go where you can walk down a corridor and you just...
I walked down a corridor with Martin McKeay, who does the netsec podcast.
And we met Kevin Mitnick.
So, you know, it's just suddenly in the round in the middle of nowhere we're Kevin Mitnick.
It's one of those things where you just see things you're not going to expect to see.
And it's definitely worth the money.
I paid for it all myself and I don't regret it at all.
I mean, just kind of a torsion to laughing, laughing off and off.
I mean, if you, you know, put a gun to your head now and said,
what was the highlight?
What was the one memory, if you were allowed?
One memory left of the event.
What was your highlight?
From what was the big moment for you at Defcon now?
I think...
I think the Moxie Marlinspike talk was the best talk there.
I mean, every time he did another slide and he was going like,
well, actually, this is a Pascal string and it does take null characters.
And he goes, oh my God, he didn't.
And then the next slide, yes, he did.
This is it.
And he goes and shows the code and says, no, just look at it out of focus.
Then you've got to be a vulnerability.
And you go, oh my God, he's not found something that if I see to be a certain certificate,
my machine gets owned.
Well, yes, he did.
And that kept on happening during his talk, while he kept his speedy.
So that was in terms of talks.
That was the best experience.
And then being at the PaulDotCom parties and the other stuff,
that's sort of a...
But that's not a distinct moment.
That's a vibe that's there.
Well, I was very jealous that you guys were at the PaulDotCom parties.
I mean, I was very jealous that you guys were in Vegas,
but I wasn't incredibly jealous about that as well.
And Chris, what was the crowning moment for you?
Oh, it's hard to tell really.
For me, it all kind of blows into one,
because I've got this horrible head cold, but also because I was spending too long
doing things like going to the PaulDotCom parties.
I mean, I have to agree, Marlin...
Moxie Marlinspike.
I always get his name wrong, sorry.
His talk was really good.
I only actually caught the end of it.
I liked it when he was talking about the online certificate status protocol.
He was trying to explain how it functioned and how he could bypass it.
And finally, the final slide when he was talking about it was basically
in order to break the whole status protocol,
you just have to return the number three.
And so the next slide was, that's correct.
OCSP is broken by the number three,
which I thought was the funniest slide I've seen at the whole conference.
But it's true.
It's just some of the things he'd found when he talks about them.
You just think, why didn't I see that before?
Why didn't no one ever notice that parts of it were written in Pascal
and accepted null?
And then other parts were written in C,
and null was the end of a line.
Of course, it's going to cause problems.
And when he finally talks about it and shows you,
it's like, well, yeah, of course it is.
It just makes it sound so easy and you actually understand it.
And it's in your head and you think,
why didn't no one ever find this before?
And it's just that great feeling where you actually,
you can sit through a technical presentation at the end of it.
You actually understand why it's a bug.
You don't just come out thinking, wow,
that was really technical, that he broke that.
And I have no idea how he did it.
You actually know how he did it and why it works,
which I thought was, yes, it is a good gift.
If someone was going to, say I was going to Defcon next year,
what bit of advice would you give me?
What should I do to prepare myself about it?
Obviously, such a big event.
Lots of fluids.
Yeah, lots of fluids.
Sunblock.
Sunblock, yeah.
Yeah, definitely. Lots of sunblock.
It's one of those things that just,
whatever you prepare, when you go to Defcon,
it doesn't matter because it will be overwhelming when you get there.
Don't stick too rigidly to your schedule.
In preparation for this podcast,
I did a re-black on the blog that I posted on.
I think I have this big plan about attending something like,
I don't know something like 50, 60 talks that I wanted to see.
And then, of course, in the news,
Microsoft came out with this package.
I thought, no, I really want to be on the news,
so I'm going to swap this talk for that talk.
And then, at some point, I got stuck talking to somebody
which I really enjoyed and was really fun.
I wouldn't have missed it.
But yeah, then you don't want to have regrets
that you didn't see that one talk that you really intended to.
I mean, it is all, all fluid.
And I guess the other advice is,
the good thing about taking this conference abroad.
Whenever I went to Defcon, sorry, Black Hat Amsterdam,
it used to be okay.
Conferences over, get my car, go out.
And now that's in Vegas, I, yeah, you don't just go home,
so you stick around and get to socialize.
Oh, yeah.
Yeah, I mean, you have to socialize.
I mean, I know what I've said it before,
but the big thing for me for Defcon was meeting lots and lots of people.
And I went to considerably less talks than Frank did.
As you can see by my blog,
I haven't actually mentioned the word Defcon.
He's got discussions of various things that he went to.
But I mean, everyone's got a plan until they get hit.
And my plan was to go to a load of talks.
And as soon as I got there and I realized what Defcon was,
and I saw these people I wanted to talk to,
my plan just went out the window.
I didn't even look at what was being talked about.
If I walked past the room and there was a talk I was interested in,
I'd pop in for five minutes.
If the talk was starting and it was interesting enough,
I'd stay until the end.
And if it wasn't interesting, I'd walk to the next room.
So I've seen half of certain presentations.
Or half of Moxie's talk.
I didn't see any of Dan's talk.
Because 10,000 people were trying to cram into a room big enough for about 2,000.
But as disorganized as it can be, it's just great fun.
There's so much to see.
I mean, we didn't even talk about,
there were two capture-the-flag events going on.
There's a vendor room where the vendors actually know what they're talking about.
Where you get vendors like PaulDotCom.
You can buy t-shirts from people like DJ Jackalope,
the Exotic Liability podcast and things like that.
And there's huge areas where things like Wall of Sheep are going on,
which is hilarious by itself.
And there's a lockpicking village and a hardware hacking village where you can just go up
and solder chips and practice things.
There's always something to do.
And because there's so much to do,
if you just go to the talks, you're missing out on the other 75% of what's going on at the conference.
So if you just get the schedule and highlight everything you want to see,
then either you're going to not have as much fun as you could.
Or you're just going to get depressed when you get there and realize there's no way you can see that many talks.
So just didn't wrap them up and close to wrap them up.
What, you know, if I gave you one word,
what one word would you use to describe the whole Defcon experience?
Tiring would be my word, I think.
Purely because you just don't stop.
You finish talking to people and partying at three o'clock in the morning,
but then you have to get back up again at seven o'clock in the morning or eight o'clock in the morning
to go and have breakfast so you've got enough energy to do the next day.
So yeah.
Thank God I don't have kids.
I have to take one turn to describe it.
I'll go back to Hitchhiker's Guide to the Galaxy and describe it as infinite improbability drive.
I was thinking don't panic.
No, don't panic. Mostly harmless. We defend it as well.
Right. Well, I mean, I feel that I could talk to you guys about this for another hour.
And I'm just, obviously, I like to try and keep the shows down to 45 minutes to an hour or so.
So what I'm going to do is I'm going to wrap up.
Is there anything before we finish that either yourself,
Chris, or yourself, Frank, would like to talk about before we wrap up?
Never use an ATM at DefCon.
Or the network.
If you haven't heard the, usually at DefCon, they hack one or more of the ATMs at one or more of the hotels,
just because you're in a different hotel doesn't mean you're safe.
This time, as well as hacking the ATMs, that someone actually brought their own ATM and put it in a corner,
which, although it's like they were possibly stealing money from people with accounts.
And although it got caught pretty quickly, I find incredibly hilarious.
The fact that they brought their own ATM with them is just always makes me laugh.
Frank, anything you'd like to add before we wrap up?
Well, when you said you wanted to talk another hour, I guess maybe next week when we both finished Hacking at Random,
which is going to start in two hours and this Thursday might be another good opportunity.
I would absolutely love that. I'd really love to pick your two brains again,
especially fresh from another hacking conference.
Consider it a date if you two are available without doubt.
Oh, you don't want to fresh from the conference, trust me.
We're camping in the middle of a field.
You're putting an honest shower, Fred.
Fresh isn't the time.
There's probably no fresh from the conference.
Yeah, well, certainly. I'm up for that.
So if you need us, then just send us a message.
We can talk for hours.
What we'll do is we'll organize it once we've finished this up.
All that's left me to do is thank both Frank and Chris for taking the time out
to come and speak to me about this.
I really enjoyed it, and as I said earlier on, I can talk about this for another hour,
and I'm sure the listeners will feel how envious and jealous I am with you two
going off and basically living the hacker's dream in some ways.
If you guys are just off the top of my head, I can't remember both of your blogs.
Before we wrap up, could you tell the audience where people can find out more information about AutoNessus, Frank?
Information about AutoNessus is on www.autonessus.com and the blog posts that I wrote for
Defcon and Black Hat are on www.cupfighter.net.
Okay, okay. And are you both on Twitter?
Yes, yeah, both on Twitter.
And where can they find out and find your blog, Chris?
My blog is www.c22.cc.
I definitely recommend Frank's Cupfighter.net and blog if you want to get some good reviews of Defcon
because he was certainly going to significantly more talks than I was and significantly less hangover than I was as well.
Well, as you say, thanks very much for joining us and all that's left I need to do is thank the HPR listeners for listening to it.
Now, before I go, if you would like to do an episode for HPR, you can do an episode on all sorts of stuff.
But kind of the feeling that I have about HPR is if you're willing to talk about it, we're willing to listen.
So if you are interested in doing a talk for HPR, you can find contact details on the website.
Record an episode, contact Enigma or Klaatu and they'll let you know about how best to get your episode out.
All that's left for me to do is thank you all once again for listening and I'll catch you again tomorrow on the next HPR episode.
Thank you for listening to Hacker Public Radio.
This is HPR sponsored by Caro.net, so head on over to C-A-R-O dot N-E-T for all of us here.