The list of speakers and schedule for ShmooCon has been posted. There
are a lot of interesting topics to check out, and it's so hard to
choose. My friend Ryan Clarke is speaking on "Extend your Code into the
Real World," a look at electronics and hardware hacking. Ryan now
teaches at my university and also runs the LosT @ Con Mystery Challenge
at Defcon each year.
If you're going to attend ShmooCon, post a comment or reply to this
discussion thread.
Also, I'm one of the lucky ones to have been chosen to participate in
ShmooCon labs, and "get hands on time implementing cutting edge security
tools in a real world environment." You can learn more about ShmooCon
Labs:
...As a vendor you will get a chance to implement your gear in an
untrusted, potentially hostile environment of 1000+ hackers.
We are building a network that needs to be up and running in time
for the conference so be prepared to jump in the fire. During
Shmoocon various aspects of the network will be made available for
attendees to hack on and all vendors should expect their products to
get looked over with a fine tooth comb or a 20 pound hammer.
I am interested to see which vendors will be representing themselves and
showing their true colors at a real security conference, and not some
pony show in San Francisco...
Posted by Marcin on Sunday, March 4, 2007 in Security.
If you haven't heard, a keygen was released that brute-forced the
correct CD key for Windows Vista. Martin McKeay did the math and, let's
just say, it'll take a really long time for anybody to brute force a key
with the processing power we have available today. Fortunately, you
don't have to wait that long. PARADOX has figured out a way to bypass
activation in Windows Vista.
It works like this: select manufacturers (Dell, etc.) are granted the
right to embed certain license information in hardware, which is
convenient for the user and does not require activation. The mechanism,
known as 'SLP 2.0' ('system-locked pre-installation 2.0'), has three
conditions: hardware-embedded BIOS ACPI_SLIC information signed by
Microsoft, a certificate (an XML file) issued by Microsoft, and a
special product key.
To use it, you first install Windows Vista without a product key and
then load a device driver to emulate the "embedded" BIOS, install the
certificate, and then finally a product key.
The land of Richard has full instructions and more details, and finally
the files you need.
(I have saved it all in case the site gets taken down...)
btw, md5 checksum for the file is af3bd1cf1d0d10a16a9c3871fda51135
Posted by Marcin on Sunday, March 4, 2007 in Security and Tech.
Look left when everyone looks right and say no when everyone says yes.
Then, ask why? You're in the position as a security professional to tell
the bosses no; that's what you're paid for. Don't be afraid to cry wolf
when something is out of the ordinary, and do it often. It may not be
it this time, but sooner or later, it will be for real and will then
look better on you than the incident that slipped by without you calling
it out.
I just wanted to share these thoughts in addition to a little story from
a mailing list LonerVamp posted.
Posted by Marcin on Tuesday, February 27, 2007 in Security.
Do tools make us dumber?
I don't agree with the idea exactly, as they are just that, tools. Tools
are just another level of abstraction from thinking at a lower level.
It's what distinguishes an engineer from a kit builder. Who here wants
to program in 1's and 0's, or use Maxwell's equations in designing
integrated circuits? There may be times where an engineer working in
their field will need to know, but many of us operate at higher levels
and thus, are abstracted from it all.
Using tools effectively, though, requires a knowledge of the key
underlying workings and also calls for the right tool for the right job.
Oftentimes, we try and use a Leatherman to build a house when it comes
to security. You have your NAC this and UNP that and all these other
"all in one appliances," and still don't have everything you need to do
the job properly. I feel the Unix philosophy is spot on here; you have a
tool that does one thing, and one thing well. You tie multiple tools
together to accomplish more involved tasks.
Posted by Marcin on Sunday, February 25, 2007 in Intelligence, Security
and Tech.
Hey Mike, thanks for posting your presentation
(Building a Sustainable Security Career) you gave to ISSA-NH the other
day. I found it interesting, since "your father's 6 fundamental
assumptions about work" were the same I had for quite a while. You can
definitely see how the talk can apply outside of information security,
so I'm re-posting it here for my friends and others who would otherwise
miss it.
Posted by Marcin on Wednesday, February 21, 2007 in Security.