Defcon Recap

Defcon 17 is in the books, and Gabrielle and I had another fantastic time.  Props go out to all of the Defcon staff.  The Locksport International team and TOOOL put another fantastic lockpicking village together.  Coffee Wars pulled a record turnout of thirty-six brews, and we met some great people there.  (We lost badly.) And thanks to the hard working goons we met.

We arrived on Thursday, but with the new Defcon 101 tracks, we were practically late.  The lines weren’t much worse than usual but there was a badge shortage right away thanks to the fine people at Chinese Customs.  Gabrielle and I ended up with paper badges at first, but Gabrielle social engineered us into two actual badges soon thereafter.

The badge, as usual, is fantastic.  Kingpin did an over-the-top job of building a sleek, simple badge that still has lots of hacking potential and out-of-the-box functionality.  It uses the 32-pin MC56F8002 processor, with a microphone and an RGB LED to produce visual effects from aural input.  Wired Magazine actually published the open source firmware.  I am not a hardware hacker, but I have been working on getting it to produce different visual output based on pitch rather than volume.

I didn’t get his name, but one of the engineering team from Freescale (the company that made the microprocessor on the badge) came to the con.  He just set up shop in the Hardware Hacking Village and helped people program the board.  It was one of the coolest things I have seen at any con.  As some of you probably know, my hardware experience is circa 1979.  He effortlessly moved between helping me with the most basic soldering questions to the most advanced programming questions.  I was blown away.  Get me his address, someone.  I want to send him a bottle of Scotch.

It seemed like the traffic flow was worse at first compared to Defcon 15, but it soon leveled out.  Part of the problem was the need to clean out the rooms fully and then count them coming back in due to the fire code.  The marshals were around, and very visible, throughout the con.

There is a lot of talk about the Riv being too small.  I happen to disagree – I think that DT just needs to find a logistics volunteer that will orchestrate the talks in such a way to control the crowds.  I have seen Gabrielle do it.  It is possible.  (You hear that Jeff?  She will work for Absolut.)  The people at the Riv work their collective asses off to make it a good con and you just can’t replace that.  Let’s change the logistics instead.

Oh wait, there was technical content too!  Who knew?

The most significant thing I learned is that for all of the protections CAS (Code Access Security) provides in the .NET Framework, there is a mind-blowing flaw.  The framework assemblies are just called by name.  If you replace an assembly, EVERY .NET program on that machine will use the altered DLL to run the program.  Does that mean if you replace the encryption protocol to email the keys to China, that all programs will send that key to China?

Yes.

Discuss.

Props to Erez Metula.
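One defensive response to the assembly-replacement problem above is file integrity monitoring of the framework directory: hash every assembly from a known-good install, keep that manifest somewhere a local tamperer cannot quietly rewrite, and diff the live directory against it on a schedule.  The Python below is an added example, not code from this post or from Erez Metula's talk.  The directory contents and file names it uses are constructed; a real deployment would point build_baseline at the actual framework install path, and would also verify Authenticode signatures and strong names, which this example does not do.

```python
"""Baseline-and-compare integrity check for a directory of assemblies.

Added example; the sample directory and file names below are constructed.
A deployment would point build_baseline at the real framework install path
and store the manifest off-host (or at least where a tamperer cannot rewrite it).
"""
import hashlib
import json
import tempfile
from pathlib import Path

ASSEMBLY_SUFFIXES = (".dll", ".exe")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large assemblies need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each assembly (path relative to root, POSIX-style) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ASSEMBLY_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_baseline(manifest: dict, dest: Path) -> None:
    """Persist the manifest as JSON; keep this file somewhere tamper-evident."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    """Read a manifest written by save_baseline."""
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift: modified (same name, new hash), added, removed."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline two fake assemblies, then swap one in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "framework"
        root.mkdir()
        (root / "System.Security.dll").write_bytes(b"constructed original bytes")
        (root / "mscorlib.dll").write_bytes(b"constructed mscorlib bytes")
        manifest_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), manifest_path)

        # Same file name, different contents: exactly the swap the post describes.
        (root / "System.Security.dll").write_bytes(b"constructed replaced bytes")
        (root / "Unexpected.dll").write_bytes(b"constructed extra file")

        return compare(load_baseline(manifest_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only proves that a file changed, not that the new contents are malicious, so any "modified" hit on a framework directory that was not touched by patching is the thing to investigate.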

There was a great talk on using iMacro to do screen scraping for AJAX sites, and I plan on getting some new PoCs for that up in the future.  It wasn’t rocket science, but it was a really good implementation of a simple idea that I sure as hell didn’t come up with.  I mean, if it was easy, everyone would be doing it, right?  Screen scraping is a massively underused art.  There is a LOT of information out there and the web browser just sucks for really making use of it.

So much net development was done on Metasploit in the last 12 months that they got an entire track dedicated to it.  The biggest piece is undoubtedly the Oracle module, which really puts all of the disparate Oracle attacks into one place for ease in testing.  I can’t recommend its use enough if you are a pen tester or in charge of db security.

The civil liberties content was significant compared to 15.  Nearly one whole track for three days was filled with lawyers telling us how not to go to jail when we fly to Italy on vacation with some music of questionable origin on our laptop.  I just popped in and out of these, but every time I did I learned something.

Did you know that if you are asked to give up your password in the States you can say “come back with a warrant,” but if you are flying overseas, they can just take the machine without your permission, copy the whole hard drive, and say “Thanks for the warez, d00d.”  Lesson learned?  Carry an empty laptop overseas and download your data set from a secure channel once you get there.  When done, upload results and clear the machine again.  Microsoft doesn’t even LET you carry a machine overseas.

Speaking of privacy (weren’t we, really?), social networking was a huge topic this year.  Tom Eston and Kevin Johnson gave a great talk on some proof of concept work they did on social networks and trust.  For instance, set up a parody account of a ‘B’ celebrity, and gain trust of followers.  Then send out a link for a fun quiz with an XSS attack.  Gain Twitter cookie, get password, rinse and repeat.  Social Butterfly is another of their tools, which manages the creation of apps in social networking sites like Facebook.  It collects user accounts to be used for research purposes.  Check it out.  It’s not just that picture of the Christmas party last year that will get you in trouble on Facebook.
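Two server-side controls that break the chain Tom and Kevin describe (user-controlled text reflected into a quiz page, then the session cookie read by script) are output escaping and the HttpOnly/Secure cookie attributes.  The Python below is an added example, not code from their talk or their tools; the quiz URL and the response headers it audits are constructed.

```python
"""Output escaping and Set-Cookie attribute auditing for a 'quiz' style page.

Added example, not from the talk or its tools; the headers and URL below are constructed.
"""
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed responses: one as a careless quiz app might send it, one hardened.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure"),
]


def name_from_quiz_link(url: str) -> str:
    """Pull the 'name' parameter out of a quiz link; treat it as attacker-controlled."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def render_quiz_result(display_name: str) -> str:
    """Reflect user-controlled text into HTML only after escaping it."""
    return f"<p>Nice work, {html.escape(display_name, quote=True)}!</p>"


def audit_set_cookie(headers) -> list:
    """List cookies that page script can read (no HttpOnly) or that may go over plain HTTP (no Secure)."""
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(header_value)
        for cookie_name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"{cookie_name}: missing HttpOnly")
            if not morsel["secure"]:
                findings.append(f"{cookie_name}: missing Secure")
    return findings


if __name__ == "__main__":
    link = "https://quiz.example.invalid/result?name=%3Cb%3Ereader%3C/b%3E"
    print(render_quiz_result(name_from_quiz_link(link)))
    print("weak:", audit_set_cookie(WEAK_HEADERS))
    print("hardened:", audit_set_cookie(HARDENED_HEADERS))
```

HttpOnly stops the cookie-theft half of the chain even when an escaping bug slips through, which is why both controls belong together rather than as alternatives.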

Locksport village was very informative, very well attended, and very well stocked.  I picked up some new equipment and finally met both Schuyler Towne and Doug Farre in the flesh.  Doug and I are going to make some moves toward getting the Locksport International organization a little more, well, organized, and get things up and running there.

Gringo Warrior was a hoot.  I supplied the live guard with a cigar (which he really needed!) and watched.  Deviant had a whole boatload full of people, and I hadn’t practiced enough, so I didn’t do it this year.  Maybe next year.  The ah-ha moment for that was watching a very accomplished picker run the whole gamut in three minutes, and then spend ANOTHER three minutes trying to open the car door.  After that, Deviant stood by the auto locks and yelled “Everyone look!!”  Took out his auto jigglers.  “Easy lock,” pop.  “Medium lock,” pop.  “Hard lock,” pop.  “GET some jigglers people!  They aren’t that expensive!”  I got some jigglers.

My Defcon moment had to be standing in the elevator lobby waiting for a ride down from my floor, when thumping bass – LOUD thumping bass – became clearly audible.  I thought “that’s one hell of a boom box.”  Wait.  Aren’t those lights?

The door opens, and there is a full mobile DJ station in the elevator.  I kid you not.  There was a mini-rave going on right there in the elevator with a DJ and dancing babes and the obligatory big white guy who can’t dance just bobbing his head and looking cool.  It had to have been the coolest thing I have ever seen in an elevator, bar none.

Can’t wait for next year, folks.  This one was fantastic.  Till then, see you at PhreakNIC!

Breaking news: "Internet Lawyer" clueless

I have started and deleted this post three times because I am so fired up.  I ended up just making a comment on this guy's blog, but I thought I would post it here since there is exactly 0% chance he will approve it.  The post is by an internet lawyer and points out how 'nasty' Defcon is and that it should be 'shut down' if it doesn't 'clean up its act'.  I am tense.  Very, VERY tense.

OK, here is my comment:

Imagine you are in charge of infosec for a large bank, running Oracle. There are 3,000 developers - most of them contractors - working with various databases inside your firewall. It's you, with nothing, versus 3,000 people you don't know backed potentially by 22,000 Russian and Chinese criminals with the latest 0day exploits. What are you going to do?

Well, first, you are going to go to Defcon, where without telling them which bank you work for you will learn the latest on these exploits from hackers who would be glad to give the information away nearly for free (since Oracle rarely does anything about them). This way, you know what you are faced with from the people who aren't so open. We usually call those people the criminals. I am sure you have heard the term.

Second, you are going to use Metasploit to test said database. Why? Because it is a framework for penetration testing with all of those exploits already in place. You can make sure that your database can't be compromised by those nameless criminals (there's that word again), all due to the VERY hard work of just a few extremely smart ... wait for it ... hackers.

You, my "internet lawyer" friend, have completely failed to get the point. You mention "finding an alternative approach for sharing knowledge and information away from the public eye." All of this information is already out there for those who care to find it. Defcon makes it available to the overwhelmed many who are tasked with protecting what we have. And that's a bad thing exactly how?

Thoughts are welcome from the peanut gallery.  Remember to read his post first, and the comments.  I do give him credit for allowing a few comments through.  Gah, sorry, I am just astounded that there are people still like this in the industry.

EDIT:  Ok, I was wrong.  He actually did publish my comment and published his own rebuttal, and my respect for him increased somewhat.  Nonetheless, it's that old argument: if you make owning a gun criminal, only the criminals will own the guns.

MVC4WPF Launch on Thursday - use the MVC pattern with WPF successfully!

As posted earlier by Brian Prince and Stephen Giffin, the MVC4WPF project will be launched on CodePlex on Thursday.  We will be having a splash at the Columbus Microsoft office in the morning - if you would like to attend, please RSVP here.  I'm actually quite proud to be involved in this effort, even if just as a tester and tech writer.  The thought that went into this product is very impressive.  If you are doing large WPF projects you certainly owe it to yourself to check it out.

A little about MVC (from the Developer Guide): Model-View-Controller is a pattern for software development.  It doesn't provide development tools of its own, but is rather an agreed-upon way to go about developing software.  It builds upon the concept that divides the basic functions of a contemporary application into component parts:

  • The model, which represents the underlying data;
  • the view, which represents what the user sees; and,
  • the controller, which manages the business logic and communication between the view and the model.

The three parts of the software communicate with the use of agreed upon contracts that define communication between the parts, and property bags that hold configuration values and data objects.
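As an added illustration that is not MVC4WPF code (the project itself is C# and WPF), here is the same division of duties in plain Python: the contracts are abstract base classes, the property bag is a dictionary, and only the controller knows about both the model and the view.  The counter model and its commands are constructed for the example.

```python
"""Model-View-Controller split with contracts and a property bag.

Added example in Python; it is not MVC4WPF code (that project is C#/WPF).
The counter model and its command vocabulary are constructed for illustration.
"""
from abc import ABC, abstractmethod


class ModelContract(ABC):
    """What the controller is allowed to ask of the model."""

    @abstractmethod
    def snapshot(self) -> dict: ...

    @abstractmethod
    def apply(self, command: str) -> None: ...


class ViewContract(ABC):
    """What the controller is allowed to ask of the view: render a property bag."""

    @abstractmethod
    def render(self, bag: dict) -> str: ...


class CounterModel(ModelContract):
    """Underlying data plus the invariant that the count never goes negative."""

    def __init__(self) -> None:
        self._count = 0

    def snapshot(self) -> dict:
        return {"count": self._count}

    def apply(self, command: str) -> None:
        if command == "increment":
            self._count += 1
        elif command == "decrement":
            if self._count == 0:
                raise ValueError("count cannot go below zero")
            self._count -= 1
        elif command == "reset":
            self._count = 0
        else:
            raise ValueError(f"unknown command: {command}")


class TextView(ViewContract):
    """Renders whatever is in the bag; it never touches the model directly."""

    def render(self, bag: dict) -> str:
        return f"Count: {bag['count']} [{bag['status']}]"


class Controller:
    """Business logic, and the only object that knows both sides."""

    def __init__(self, model: ModelContract, view: ViewContract) -> None:
        self._model, self._view = model, view

    def handle(self, command: str) -> str:
        bag = {"status": "ok"}  # property bag: configuration values and data objects
        try:
            self._model.apply(command.strip().lower())
        except ValueError as err:
            bag["status"] = f"error: {err}"  # the model's rejection reaches the view via the bag
        bag.update(self._model.snapshot())
        return self._view.render(bag)


def demo() -> list:
    """Drive one controller through a constructed sequence of user commands."""
    controller = Controller(CounterModel(), TextView())
    commands = ("increment", "Increment", "decrement", "decrement", "decrement", "bogus")
    return [controller.handle(c) for c in commands]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the view only ever sees the property bag, swapping TextView for a XAML-backed view, or CounterModel for a database-backed model, changes nothing in the controller; that is the "agreed-upon contracts" point from the Developer Guide in one place.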

MVC works well with WPF because Microsoft has done some of the heavy lifting for us in the division-of-duties arena.  Like ASP.NET, the View code is physically segregated into a code file all its own with the XAML file (ASP.NET of course uses the ASPX file).  This basic architectural decision makes things appropriate for MVC.

MVC4WPF has a ton of automation to make development much simpler than many other MVC environments.  It is appropriate for junior developers, and is very forgiving to work with.  It is rather open ended, and will cut you if you don't read the recommended usage.  The project will come with a boatload of documentation (some of which I wrote) that will help a lot.

Keep an eye on the CodePlex site, and come on up Thursday if you get the chance to see what I am talking about.  Should be a good time.

Bing is filtering searches they suspect of being for crackers

So I posted a search on Bing today to check some statistics, like I would with Google.  You know, you search for a unique term, and then search for it in conjunction with another unique term, and you look at the delta, and you learn something.

Well I learned something alright.  Lo and behold, Bing didn't like my search.  Instead of results I got a plain white page that said:

We are seeing an increased volume of traffic by some malware software. In order to protect our customers from damage from that malware, we are blocking your query. A few legitimate queries may get flagged, and for that we apologize. Please be assured that we are hard at work on this problem and hope to get it resolved even better as soon as possible.

Imagine my surprise.  I wonder if there will be a large collection of blue towncars and Bill Gates dressed like Wolverine in my driveway in the next ten minutes.  Seriously, if I vanish, check for pieces of my DNA in Steve Ballmer's bathroom.

This is a lesson to those of us looking to the Internet to be the be-all and end-all of storage devices.  Remember, you don't OWN crap.  Jason Scott said it best in his blog post Fuck The Cloud, so I won't repeat it here.  Be warned that if you post something that someone doesn't like, and they own the box, no law on earth is going to keep them from doing damn well what they want with it.

For now, my default search engine is Google, and I publish my information to servers I can touch.

Cloudcamp Columbus

So I am sitting here at TechColumbus watching the Unpanel at CloudCampColumbus.  Everyone here has a very good perspective on cloud and the problems and benefits.  The list of unpanel topics reads like a collection of general questions about cloud.

  • Auto scaling
  • Server huggers
  • Hybrid Clouds
  • Encryption
  • Security
  • Compliance
  • The business case
  • Disaster recovery
  • Scalability Planning

I think we just about covered it.  We are picking sessions now.

  • Intro to cloud
  • Architecture for the cloud
  • What and When to move to the Cloud
  • Examples of cloud apps
  • Enterprise Utilities
  • Cloud OS Security
  • Cloud Storage
  • App and Data Cloud Concerns

Proof that the unconference idea works?  Who knows.  Decided on the Architecture group, and now am sitting with a bunch of people smarter than me.  Bummer.

So anyway, there is some meta conversation revolving around cloud computing that I have yet to completely master, but I think I am getting the idea.  People are wrapping the big providers around themselves.  For instance, ShareThis, who is talking right now, is an EC2 partner, and they just resell the service.  They don't really make or provide anything at all.  It is an ISP reseller.

This begs the question - is this just hosting?  That's all it is.  No one is really using this for anything significant yet, at least not at this level.  Right now, they are just providing site hosting for applications that go viral.

So what is the highest level of cloud?  What can be done with this other than scalability?  Funny, they are talking about the same scaling problems that everyone has now - caching, bad code, weak queries.  Cloud won't help there!  What is it REALLY for?

That meta question brought a lot of interesting answers.  Brian Prince brought up the reality of disposable computing.  I thought that was a good point - you can treat the computing resources as temporary assets.  Where does that lead us?  No answer yet.

Microsoft Windows 2008 Server Licensing For Dummies

I was honored to be asked late last year to write Windows Server Licensing 2008 for Dummies as a joint project with Wiley and Microsoft.  This is a custom book – an eighty-six page minibook specifically for Microsoft to give to customers working on licensing Windows Server 2008.  I finished it in March, and finally got a few copies.  If you want a copy, you have to ask your local Microsoftie!

Anyway, the book came out very well.  The people in the licensing office are so very knowledgeable and easy to work with; the project was a complete joy for me.  What’s more, I think it really is a win for the average IT manager – the book is readable, easy to understand and accurate.  Licensing is foreign to many people, but with a few basic points in mind, you really can keep legal and save yourself some money!

I think the custom book concept is a real win for Microsoft too – they get a great, well known format for not much more cost than it takes to develop and print all of those whitepapers that no one ever reads.  People actually read Dummies books, you know what I mean?

Anyway, they gave them out at TechEd, and I think there will be more at PDC when the time comes.  Drop by the Windows Server booth and snag a copy in November.

Liveblogging setting up data storage for Sharp

After uploading the basic services to Azure early this morning, I felt the need to finish, and actually set up some kind of data storage for the system.  After all, the services are only useful if the data is actually accessible, and eventually I plan to resubmit this as my certified app for POINT's ISV certification.  So I squandered one of my two storage service keys to Sharp's database in the cloud.

At first blush, this seems straightforward.  I logged into the Azure dashboard at https://lx.azure.microsoft.com and provisioned a new storage services account.  This required only a unique name and a description.  In exchange, Azure provided me with three endpoints:

  • the blob services;
  • the queuing services; and,
  • the table services.

OK, right now I need tables.  I am essentially going to move the simple 4 table schema for Sharp into the cloud for this first version - we'll look at sophisticated use of property bags and whatnot at a later date.  I have my primary access key; time to move to Visual Studio.

Seeking name for new Rye/Wheat blend

I decided that I wanted a simple Rye/Wheat blend for the end of summer, so I constructed this fairly simple recipe.  I think I might have underhopped it, especially considering the Rye character which at first take seems to demand a little more upfront bitterness.  We will have to see though - I put it down in primary on Sunday.

I'm also looking for a name for it - apparently they were all out of creativity at the homebrew shop.  Thoughts?

Wheat/Rye
American Wheat or Rye Beer

Type: Extract
Date: 6/17/2009
Batch Size: 5.00 gal
Boil Size: 3.25 gal
Boil Time: 60 min
Brewer: Bill Sempf
Asst Brewer: Gabrielle Sempf
Equipment: Brew Pot (4 Gallon)
Taste Rating (out of 50): 35.0
Brewhouse Efficiency: -
Taste Notes:

Ingredients

Amount     Item                                             Type          % or IBU
7.00 lb    Wheat Dry Extract (8.0 SRM)                      Dry Extract   87.50 %
1.00 lb    Rye, Flaked (2.0 SRM)                            Grain         12.50 %
1.00 oz    Mt. Hood [5.30 %] (60 min)                       Hops          12.1 IBU
1.00 oz    Saaz [2.50 %] (15 min) (Aroma Hop-Steep)         Hops          -
0.75 oz    Orange Peel, Bitter (Boil 5.0 min)               Misc
1 Pkgs     American Hefeweizen Ale (White Labs #WLP320)     Yeast-Wheat

Beer Profile

Est Original Gravity: 1.062 SG
Measured Original Gravity: 1.580 SG
Est Final Gravity: 1.016 SG
Measured Final Gravity: 1.160 SG
Estimated Alcohol by Vol: 5.99 %
Actual Alcohol by Vol: 62.65 %
Bitterness: 12.1 IBU
Calories: 7,560 cal/pint
Est Color: 8.0 SRM
Color:


Introducing: C# 2010 All In One Desk Reference For Dummies!

I’m pleased and proud to announce that I’ll be migrating the fantastic C# 2008 for Dummies book by Steve Davis and Chuck Sphar to an All In One format for the release of C# 4.0 and VS 2010.  All of the goodness in the 2008 Dummies book, plus the bonus chapters on the site will be in the all-in-one.  Alongside, there will be tons of new information on Windows and Web programming, new features and fun stuff.  There will be nine (!) books in one cover for this all in one, including:

  • Book 1: Basics of C# Programming
  • Book 2: Object Oriented C#
  • Book 3: Designing for C#
  • Book 4: A tour of Visual Studio
  • Book 5: Windows Programming (Winforms and WPF)
  • Book 6: Web Programming
  • Book 7: Service Oriented Development (ASMX and WCF)
  • Book 8: Neat Stuff (Robotics, Graphics, AI and Compilers!)
  • Book 9: C# 4.0 New Features

The book will be available everywhere right around the release of Visual Studio 2010 in late fall or early winter.

Shameless self promotion

I have set up a number of conglomeration sites in the last week, which I thought I would share with the interested.  One relates to books, one to articles, and one to speaking.

The first is FiledBy, at http://www.filedby.com/author/bill_sempf/.  It is a managed site with books of mine that are still in print.  Neat concept, and I look forward to using it.

The second is SpeakerSite.  Set up by my friend Artie Isaac, it is a conglomeration of a lot of speakers on different topics.  My site is http://www.speakersite.com/profile/BillSempf and I have posted a video to my recent cloud computing presentation.  After my C#4.0 presentation Tuesday, I'll post a video to that too.

The third is Ulitzer.  This one is pretty cool.  Back in the 2000-2001 timeframe, I wrote a number of articles for Sys-Con media.  After I started my contract with MSDN I kinda dropped off their map, but I didn't lose touch with the people involved.  Now, it turns out they are a big power in publishing for cloud computing, along with their other assets.  Anyway, they have these customizable author sites, and mine is http://williamasempf.ulitzer.com/.  I'll be adding articles and linking up this blog to it shortly.

Anyway, I usually just write about technology, and this is not specifically VB technology, but it is a cool use of the media so I thought I would share.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
