Security conference talks fall into two categories
* we designed a distributed entropy siphon to perform a black-box hypervisor side channel escape and chain-load a persistent rootkit into the CPU cache
* we looked behind the sofa and found an entire industry of products/services that have made no attempt at security at all and are therefore vulnerable to the most basic issues that we've been finding in everything for the past 30 years, and no-one else had bothered to look.
@richardstephens the best ones are, when they are working on the first kind and then accidentally stumble upon several of the second kind
@elvith @richardstephens the description of professional pentesting
@richardstephens You're forgetting the industry vendors spreading fear over APTs to shill products
@tryst @richardstephens this was the one I was expecting to be listed.
All are real though >v<

@tryst @richardstephens IMO, those are advertisements, not talks. And I conspicuously stand up and walk out of advertising presentations.

@richardstephens isn't there also a third category of grifters selling snake oil to ignorant C-suite folks?
Ge0rG (@ge0rg@chaos.social)

@whitequark@mastodon.social And to add to the horror, all of the cars and chargers are in the same physical powerline broadcast domain, so when another car is plugged in, it needs to broadcast ping and measure the response signal strength(*) to find out which charger it's connected to... And once the data channel is up, you authorize the payment with the absolutely unforgeable and secret... *checks notes* serial number of your RFID card! (*) SLAC (Signal Level Attenuation Characterization)
@saphire @richardstephens
Can someone explain why I can buy petrol for my old car anonymously by paying with cash (forget the surveillance cameras for now), but not charge an electric car without giving the seller all my data?
All the charging station needs to know should be a simple feedback on progress of charging to adjust the current, or am I ignorant/naive?
@jakobtougaard @saphire @richardstephens AFAIK (based almost completely on TechnologyConnections videos eep), you're right here - the "charging" bit doesn't care who you are, the "paying" bit does, and the common charger networks merely didn't go for "unlock the charger at the counter" or even "put a bog standard credit card reader in the charging station".
@richardstephens
That conference (covering both sides) just wrapped up in Boulder, CO today. See you all at the next one!
@richardstephens
Hmm, more likely:
・ Everyone else had looked and reported, but the industry vendors still haven't fixed the issues.

@richardstephens

Oh. Is someone selling an IoT sofa now? /s

(Saw the security issues with the IoT mattress this week and was reminded seeing this post)

@elithebearded @richardstephens The IoT bed stuff triggered by us-east-1 falling down wasn’t even the worst of it. This was from February this year: https://trufflesecurity.com/blog/removing-jeff-bezos-from-my-bed
Removing Jeff Bezos From My Bed ◆ Truffle Security Co.

Eight Sleep smart bed found to contain an exposed AWS key and a likely backdoor that allowed engineers to remotely access users' beds

@richardstephens

Sometimes there is a subcategory of that second bullet point:

- We saw a talk someone else did... and decided to "pull up the couch cushions and 'dig around for loose change'"

😉

@richardstephens Also the close cousin of looking behind the couch, "we bought an expired URL"

@richardstephens my favorite kind of talks are the variant that's:

* we designed a distributed entropy siphon to perform a black-box hypervisor side channel escape and chain-load a persistent rootkit into the CPU cache. now we can play homebrew on your nintendo/xbox/ps5

@foone "_we_ can play homebrew on _your_ {device}" was deliberate, right? 🙂
@foone @richardstephens wish any of my stuff was the first variant but I'm not that cool, I only have "I looked behind the sofa" topics which I am unsure will be accepted as talks. Stuff like, defeating BitLocker on all consumer devices or a party trick 0day in Linux USB stack.
@ity @foone this wasn't meant as a slight against either category - they are both interesting and important!

@richardstephens

At least at academic security conferences, there’s also a load of ‘We designed this complex mitigation for a class of vulnerability in {Android,Linux} but did not look at why this class of vulnerability does not exist in {some other mainstream OS} and compare our complex mitigation against their technique that eliminates the problem by construction’.

@david_chisnall @richardstephens and as it's academic they will use overblown academic English everywhere. Why say "use" when you can say "utili[sz]e", and the need to link every sentence together with "however" and "therefore" so that no one knows what the hell they're talking about.

@tautology @richardstephens

In some places (my favourite: you can global replace 'in order to' with 'to' and improve readability in almost any paper). But also there's a hard page limit, so before publication someone will have gone through and deleted a load of words to make paragraphs smaller, which also hurts readability.

@tautology @richardstephens @david_chisnall not that often in my experience. See for example your example.

@tautology When I wrote my thesis, I intentionally wrote "use" rather than "utilize" for exactly that reason.

My advisor then criticized that my text doesn't sound academic enough, I should replace "use" with "utilize". 🤦‍♂️

@davidculley I refused to use utilise. I did get in an interrobang and a joke about Uranus in the same sentence. I probably lost marks for that, but it was worth it.
@richardstephens don't forget the ones that unlock shit so we can use them as we want, not as the manufacturer wanted.
@richardstephens I think the theft at the Louvre clearly indicated that nearly every company is extremely vulnerable to any kind of RIDICULOUSLY SIMPLE physical attack. Put on a hi viz jacket, walk in, steal hard drives, plant rubber ducky and pwnd.
@richardstephens *tears up my prospective talk in the latter category*
@philpem This was definitely not intended as a slight against work in either category! They are both valuable and important!
@richardstephens I feel seen (in the second category).
@tautology this post was not intended as a slight against either category - they're both important and interesting.
@richardstephens my favourite variations on number two are
* we fixed the trains, choo choo
and
* we fixed the tractors, tractor go brrrrrrr
@richardstephens There's also the type about "You can take over this piece of equipment (all you need is to have physical access)".

@richardstephens

::looks at all my security conference talks, past and upcoming::

Yeah, that checks out.

@richardstephens second category is very popular with radio stuff where it's just like "this is secure because nobody else could build the custom hardware to decode or transmit this signal", and the researchers are just like "we have software defined radio now!"
@richardstephens And while those conferences happen, users with little training continue to click on links that they receive via email on HTML emails.
@maryjane @richardstephens and organisations keep demanding that employees/customers click on dodgy looking but actually legit links in emails

@exu0

Also, my comment about "untrained users" was not a criticism of end users. No one is an expert on everything. Training is needed.

@richardstephens

@richardstephens in all the years (since the late 1990s) I've been doing incident post mortems it's always been the behind-the-sofa situation.

I wish I'd seen at least something sophisticated.

These days, just look up the compliance forms for a given industry and check for the first obvious things they missed, and in 2/3rds of the cases that's exactly the vector that got used.

Also, if tech actually gets too good, people stay as stupid as they've always been and the social vector is always the best way for any targeted attack.

@richardstephens I feel like I’m looking behind the sofa all the time, finding more and more crap that all the “cool folks” never bothered with.

@richardstephens This reminds me of how bugtraq in the late '90s/early '00s got its submissions:
1) Carefully probe commonly used software to find some 3-bit glitch that allowed for a buffer overflow.
2) Download some random no-name FTP/HTTP server with 5 users worldwide, inject 10 to 20 thousand characters into some command, cause a crash due to some overflow, write a post about it and conclude that it's uncertain if it's exploitable.

I do not miss the bugtraq mailing list.