Fresh Thoughts #77: Three Days in the Desert


Whether you follow the teachings of Sun Tzu or Rage Against The Machine - we are told “know your enemy”.

Three Days in the Desert

Thinking of hackers and scammers as simple script kiddies may be convenient - people blindly running commands with pre-packaged instructions. And - at the lowest levels of criminality - this is fair.

But - where do these script kiddies get their new techniques?

In just under two weeks, the largest hacker conferences in the world will be running in Las Vegas.

Entering its 31st year - DEF CON is now very different from the small, off-strip meetup I attended close to 20 years ago.

Now it fills huge Las Vegas ballrooms with thousands of people. It has a more commercial feel than the risqué antics of the early years. But it remains the most prominent underground hacking event of the year.

Past DEF CON conferences have been the launch pad for:

  • The widespread use of Social Engineering
  • The first proof-of-concept malware targeting Windows 2000 in 1999, which resulted in Microsoft focusing on trusted computing from 2002
  • USB exploits - that are the root cause of why USB ports are disabled (or should be disabled) on all company-owned devices
  • Remotely disabling the brakes on cars
  • Causing ATM machines to spit out cash
  • Hacking US polling machines
  • Creating “voice of god” pranks by cracking Bluetooth security

This year we can expect another diverse array of exploits, including:

  • An explanation of how a security researcher gained administrator rights to a Synology NAS during a Toronto hacking contest in 2022.
  • How to break the encryption system for TETRA - the secure radio system used by police, fire, and first responders worldwide.
  • Finding out which attacks Microsoft is worried about by listening to updates sent to Windows Defender - a security app installed on every Windows laptop.

Perhaps the most striking thing about DEF CON this year is how vendors and responsible disclosure are vital parts of the process.

Gone are the days of Cisco physically cutting a presentation from delegates' conference books the night before a presentation to avoid disclosure.

The TETRA vulnerabilities being presented this year were found in 2021 and disclosed to the Dutch National Cyber Security Centre in January 2022. But it took another 18 months for the existence of the exploit to be made public in late July 2023.

But as ever - there will be surprises.
So I'll keep an ear open for under-the-radar exploits that didn't make it through official channels.

August 1, 2023

Fresh Sec Limited