The Shmoo group [cazz] has been awarded the first CVE for a vulnerability in an exploit [edit: I am still waiting to confirm this claim]. They went on to detail 0day exploits in Canvas and Metasploit. These were really funny as they were based on the attack http://www.digitaldefense.net/labs/papers/Termulation.txt credited to HD Moore (founder of Metasploit). Oh the irony. The 0days got even better from there, when they detailed a Kismet exploit that could have (did?) root anyone trying to war drive at the con. Damn funny that they were able to take away one of people's fav tools in a sentence. No doubt Kismet will be out with a new (safer?) release shortly. I think the moral of the story is that when working with security tools, we really have to be mindful of what we run and that most often we run them as root.
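The Termulation-style problem above comes down to one thing: a tool takes bytes from a remote host (a banner, a probe response, a beacon frame) and writes them to the operator's terminal, which then interprets any escape sequences they contain. As an added example (not code from Shmoo, Metasploit, Kismet or the Termulation paper), here is a small Python 3 filter that flags and strips terminal control sequences in untrusted text before it is printed; the sample banner is constructed for the demonstration and the pattern names are my own.

```python
import re

# Terminal control sequences that untrusted output should never carry straight
# to the operator's terminal. The patterns follow the ECMA-48 structure:
#   CSI:   ESC [ <params 0x30-0x3F> <intermediates 0x20-0x2F> <final 0x40-0x7E>
#   OSC:   ESC ] <text> terminated by BEL or ESC \   (window title changes etc.)
#   other ESC sequences: ESC <intermediates 0x20-0x2F> <final 0x30-0x7E>
#   bare C0 controls (except TAB and LF) and C1 controls (0x80-0x9F)
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"
_ESC_OTHER = r"\x1b[ -/]*[0-~]"
_C0 = r"[\x00-\x08\x0b-\x1f\x7f]"   # keeps \t (0x09) and \n (0x0a)
_C1 = r"[\x80-\x9f]"

# OSC and CSI are listed first so the generic ESC pattern cannot truncate them
# and leave their parameter bytes behind as printable text.
CONTROL_RE = re.compile("|".join([_OSC, _CSI, _ESC_OTHER, _C0, _C1]))


def find_control_sequences(text: str) -> list:
    """Return every control sequence found in text, escaped for safe display."""
    return [m.group(0).encode("unicode_escape").decode("ascii")
            for m in CONTROL_RE.finditer(text)]


def has_control_sequences(text: str) -> bool:
    """True if the text contains anything a terminal would interpret."""
    return CONTROL_RE.search(text) is not None


def sanitize_for_terminal(text: str) -> str:
    """Strip control sequences so the text can be echoed to a terminal safely."""
    return CONTROL_RE.sub("", text)


# Constructed sample: a banner as a scanner might receive it from a hostile
# host. It carries an OSC sequence (window-title change) and CSI colour codes.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.9p1\x1b]0;owned\x07 \x1b[31mALERT\x1b[0m\n"

if __name__ == "__main__":
    for seq in find_control_sequences(SAMPLE_BANNER):
        print("flagged:", seq)
    print(sanitize_for_terminal(SAMPLE_BANNER), end="")
```

Stripping is the friendly option; a more conservative tool would print untrusted strings in their escaped form (what `find_control_sequences` returns) so the operator can see exactly what the remote side sent. Either way, the check belongs at the point where remote data meets stdout, and it matters most when the tool is running as root, because the terminal it writes to is then a root-owned channel.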
Other highlights from Shmoo's talk were:
+ IDN is still a total mess and browser vendors don't seem to care. When phishers wake up to the possibilities here your friends and family members are in danger. You might want to go set up some bookmarks for your grandmother and hide her address bar. Just tell her the internet got smaller and now only has 6 sites. [ericj]
+ Rainbow Tables! Get your Rainbow Tables! Shmoo is now offering a 43.9 GB torrent of LanMan hashes. Fun stuff. Now if only I could download that without buying a new hard drive. [dan m.]
+ A certain American Nucular power plant allowed a journalist to publish a picture of their 'ultra secure' wifi setup -- including the brand name and IP ADDRESS! Lame. [beetle]
My fav quotes from Shmoo's presentation.
"Step 3 is Profit" (Like the underpants gnomes) [cazz]
"Gartner can blow us" [beetle]
"Oh ya the vendor guys are here too. They are the ones with the loud Hawaiian shirts and the good haircuts." [rodney]
"PKI is teh suk" [beetle]
Comments (2)
(Sadly) missed the talk.. I would be surprised if they _are_ the first to get the CVE for an exploit. This sort of stuff has been happening for a bit. (We demo'd the same metasploit + terminal security issue at defcon last year as part of a "Strike-Back" talk)
The metasploit crew are well aware of the problem and have added a line in their release docs warning their users..
Posted by mh | July 30, 2005 2:19 PM
The other great quote from Cazz was something along the lines of:
"Turns out I'm a crappy coder, so I can't guarantee that my code is safe..."
Posted by kg | August 1, 2005 7:11 AM