
September 3, 2008

The Browser with Bling

After years of rumours, the Google browser has appeared, and it's all shiny and Chrome. Yesterday everyone was talking about Google Chrome. Based on WebKit, and sporting a new JavaScript engine, it's looking rather exciting. That being said, this new browser is already hitting some bumps in the road.

Today on milw0rm, a PoC DoS appeared. I know, everyone is saying, 'Oh wow, not another DoS' or, as Amrit mentioned on Twitter, 'Beta software with a bug?'. However, it's not the fact that a DoS exists that I find interesting (I expect there will be a number of them). What I find interesting is that one of the new hyped features of Chrome is that each tab is its own process, so you can avoid browser crashes, and only the tab will crash. This PoC already proves that the initial implementation of tabbed process separation doesn't work. The PoC will crash the entire browser, not just the tab within it.

There's a second proof of concept on milw0rm. This one shows that Chrome uses automatic downloads without user interaction. Wasn't this frowned upon a while back when other browsers did this? Didn't Google learn from their mistakes? Sure, I have the option for Chrome to "Ask me where to save the file", but I don't want that. I would like a "Should I save this file" dialog. I like default download locations, I just want to confirm my downloads first. That's what Firefox does.

I also noticed that ZDNet mentions a carpet bombing issue (PoC here).

Sure, this is a beta, but how many people are going to switch to using it all the time simply because it's a Google product? Remember to be careful, people.

On top of that we have the EULA (via The Register), which contains the following:

11.1 You retain copyright and any other rights that you already hold in Content that you submit, post or display on or through the Services. By submitting, posting or displaying the content, you give Google a perpetual, irrevocable, worldwide, royalty-free and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content that you submit, post or display on or through the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

I'm playing with Chrome to see what sort of issues I find, but Google has ensured that I will NEVER use it as my everyday browser with that EULA statement. It is scary; there's really no other way to describe it.

Also note that Chrome has its own blog.

August 22, 2008

SecTorAttendees.com

Just a quick little note to share with people. In my efforts to add to the social activities associated with SecTor and to foster discussion, I've created a new website, SecTorAttendees.com. On the page you'll find a forum and a mailing list. I would invite everyone who is attending SecTor to join both and share in the discussion. For those of you that aren't quite sure yet, sign up and you'll most likely find a reason (hopefully in time to beat the end-of-August price increase)... and for those of you that can't make it to SecTor this year, you're all welcome as well; you'll see what's happening so that you can make it next year.

August 20, 2008

MS08-050 and 'Information Disclosure'

I wanted to take a minute and take a quick look at MS08-050. This was the recently released Microsoft Security Bulletin fixing a vulnerability in Windows Messenger. What I don't get is the Maximum Severity Impact of 'Information Disclosure'. From the Microsoft Advisory:

Scripting of a particular ActiveX control, Messenger.UIAutomation.1, could allow information disclosure from these programs in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user’s logon ID and remotely log on to the user’s Messenger client as that user.

Now, maybe I'm missing something here, but since when is something that is interactive solely information disclosure? If I can change state, initiate audio and video sessions and log on to the user's client... I'd say that's a little more than 'Information Disclosure'. Since most XP users will have this installed (it ships with the operating system), I would think this becomes slightly more important than an 'Information Disclosure'.

Does anyone have any insight on how Microsoft selects these ratings? I would really like to know the thought process that led to this being labeled 'Information Disclosure'.
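Whatever the rating, the practical question on a desktop is whether the scriptable control quoted above can still be instantiated from the browser. The usual mitigation for a scriptable ActiveX control is IE's kill bit, so the following PowerShell snippet is an added check (not code from the original post or from Microsoft) that resolves the ProgID named in the bulletin to its CLSID and reports whether the kill bit is set. It assumes the ProgID Messenger.UIAutomation.1 is registered under HKCR and that the kill bit is the standard 0x400 bit of the 'Compatibility Flags' value under IE's ActiveX Compatibility key; the hostname and output wording are my own.

```powershell
# Added example, not from the original post: does this host still have the
# Messenger.UIAutomation.1 control registered, and has IE's kill bit been set for it?
# Assumptions: ProgID -> CLSID mapping lives at HKCR\<ProgID>\CLSID (default value), and
# the kill bit is bit 0x400 of the DWORD 'Compatibility Flags' under IE's
# ActiveX Compatibility key. Runs as a normal user; only reads the registry.

$progId = 'Messenger.UIAutomation.1'

# Resolve the ProgID to its CLSID.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
if (-not (Test-Path $clsidKey)) {
    Write-Output "$progId is not registered on $env:COMPUTERNAME."
    return
}
$clsid = (Get-ItemProperty -Path $clsidKey).'(default)'
Write-Output "$progId -> $clsid"

# The kill bit is stored per CLSID under IE's ActiveX Compatibility key.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags = 0
if (Test-Path $compatKey) {
    $value = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $value) { $flags = [int]$value }
}

if ($flags -band 0x400) {
    Write-Output ("Kill bit SET (Compatibility Flags = 0x{0:X}); IE will refuse to load the control." -f $flags)
} else {
    Write-Output ("Kill bit NOT set (Compatibility Flags = 0x{0:X}); IE can still instantiate the control." -f $flags)
}
```

Two caveats: on 64-bit Windows the 32-bit kill bit also lives under the Wow6432Node copy of the same key, so a thorough check looks at both, and a kill bit only blocks the control in Internet Explorer and other hosts that honour it, not in applications that instantiate the CLSID directly.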

What Can Be Done to Improve the Cons.

These don't necessarily apply to all cons, they are simply things that I believe could make cons better.

I think the biggest one is speakers. This one has to be considered by both the presenters and the con organizers. I've yet to attend a con where every presentation has rocked. There's always at least one case where the presenter has incredible information, but they don't know how to convey it to the audience. On the other side, I've seen presenters with mediocre information who were amazing to watch simply because they knew how to convey information and speak to an audience. The other issue is people who don't really know what they are talking about. I don't know if people get nervous, or if they truly don't fully understand the material, but it's awful to sit in on a presentation where the speaker doesn't know their topic. There's always someone who's going to know more than you; that's a fact of life... but ensure that you aren't spouting inaccurate information. The worst case is obviously when you have someone who can't present and has inaccurate information.

Presenters: If you know you aren't a great public speaker and you won't be able to convey your point well, invite someone to speak with you. Someone who will be able to get the point across. You also have to determine which speaking style (story-telling, analytical, discussion or demonstration) is best suited to your material.

Organizers: Ensure you have the technical expertise to properly vet the talks. If you don't, bring in people that do. Of course, if you're working off abstracts with few details and relatively unknown speakers, this may be difficult. As a tie-in to my next comment on the social aspects of a con, including presentations that are conversation starters, or that already have a buzz around them, can be good as well; they make good end-of-day talks that can lead into social gatherings.

The next one is the social aspect... something I've been talking about throughout this series of posts. For this one I'm going con-specific and pointing to SecTor as my example. Ensure you have a social aspect to your con, whether it's organized bar hopping, a coffee house night or you've rented a suite at a hotel. The value add is huge. I've essentially come to the conclusion that if a con doesn't have a social aspect, it probably isn't worth my time. SecTor, while it had a brief open bar immediately following the talks and a speakers' dinner, didn't really have much of a social aspect last year. There were no vendor parties, no con-organized outings. Some new organizers have been brought in, so I expect that to change.

Organizers: Social events don't need to be costly. Even speaking to a bar and explaining you'll be bringing in a large group is sufficient. Then simply tell everyone where to go. Above I noted that including conversation-starting presentations is a good idea... these types of presentations may have controversial data, or just be interesting to a large number of people. When you include talks like this, especially immediately before a break / end of day, you give attendees something to discuss... this increases the social interaction of the con and will end up improving the experience for everyone.

A lot of cons have their registration / badge pick-up just before the con starts. A lot of the time this overlaps and you miss the first few talks while you wait in line for your badge. There's no reason why you couldn't have received your badge beforehand. The day before works well, assuming that there's no overlap with another conference; otherwise... why not have a printable version of the badge? Users can do online registration and print a badge that they can use initially and trade in later on. Sure, people could duplicate it, but people could duplicate the badges I've seen at a number of the cons. At least this way, people can see the talks they want to see right at the start, and they can stop by when the lines have died down to swap their badges. Also, at RECON, registration has several lines. You go to the proper line to get your badge, which means you don't have everyone in one massive line. I believe SecTor also took this approach last year, and it works really well.

While I've never organized an infosec con before, I have been involved in organizing several large group functions. That being said, these are my thoughts on what could be done to improve various cons; feel free to take them or leave them.

August 19, 2008

Why the Social Aspect of Cons is Important.

I still haven't been to all that many cons, but I think that I've been to enough to state some points. This blog post is dedicated to one of those points. When I first attended RECON in 2006, I wasn't sure what to expect... it was my first con. I'd always been active in security, but traveling to cons was never in my budget. When I got there I was somewhat surprised... while the talks were informative, and many speakers had something to add that you'd miss if you just watched the PowerPoint, that wasn't the most important part of the con. The really interesting parts happened when the talks were over for the day. The info sharing and networking that happened in the evening proved to be just as valuable as the presentations. The next con that I attended was SecTor (2007) and while the talks were great, I definitely noticed that the social aspect was lacking... It didn't have the feel of a big con... at least not the feel that RECON had led me to expect. I summed up my experience as one of two things: SecTor was new (it was the first year) or RECON was an exception.

I ended up attending RECON again this past year and I found the social aspect to far exceed what I'd noticed in 2006. I don't know if it's because I was used to the con or if the atmosphere had changed, but the networking was great. I met a lot of interesting people that I still keep in touch with and that have become valued sources of information. In some cases, while the presentations were interesting, I found that an hour in the evening over a beer with the presenter could yield much more in-depth information. Again though... was RECON the exception, or had SecTor missed the social networking boat?

I finally answered that question this past month, when I attended Blackhat and DEFCON. As I've mentioned in past posts, I stayed at the booth for all of Blackhat, forgoing attending any of the sessions. I found that I gained a great deal of personal and business knowledge by interfacing with the booth visitors. The same thing happened in the evening, after we'd closed the booth. I was able to meet and speak with a number of people... not only people whose software I'd downloaded and used, but people whose blogs I've read and people who've read my blogs. Once again, the knowledge that was shared outside of the actual con was extremely beneficial. Many of the people I spoke with, I'm still speaking with... exchanging emails and sharing ideas. The ongoing discussion, which occurs long after the con has ended, is what makes a large portion of the con worth attending.

So there we are... 5 cons attended; 4 were social havens and one was a social flop. However, as I said, it was the first year of SecTor. The second SecTor is only a couple of months away and from what I hear there are huge improvements to the social aspects of the con. I'm eager for October 7th to show up so I can find out, but I'm not expecting to be disappointed. In the end though, the con is as social as you make it... You could attend Blackhat or DEFCON and not have the least bit of social interaction. So, if you're going to be around for SecTor... get in touch, let us know that you'll be there... because we definitely will be. If it turns out that nothing happens... I'll organize something. So SecTor attendees, watch our blog... if we get closer to the event and the organizers haven't announced anything in particular planned... I'll work something out and make it happen.

August 18, 2008

Denial of Service Survey

Hey All,

Quick post here as I'm trying to gather some statistics related to Denial of Service and people's perception related to it. I've posted a small survey here, if anyone is interested in filling it out.

Thanks,
Tyler

August 14, 2008

Why DEFCON Sucks

As many of you may have already read, this year was my first DEFCON, so perhaps my views are swayed because I'm not a hardcore DEFCONian/DEFCONite (what is the correct term?). Anyways, I'm going to do more than rag on DEFCON here, but first let me rag on DEFCON.

Problem #1 was with badges. I showed up at BlackHat at 7:45 and picked up my badge in about 15 minutes. Quick and easy. With DEFCON I nearly fell asleep standing in line... only to find out that I was getting a temporary badge that I would have to return to swap out if I wanted the board designed by Kingpin. Sounds harmless enough, but it took over 2 hours to get my final badge. Maybe some people moved faster, but I bet a lot of people had even longer wait times. I'm attending a three-day con, of which I'm already losing a day to travel, and I've just lost another 1/4 day just getting my badge. Pick it up early, you say? That's all fine and dandy, except that 'early' conflicted with a little something called BlackHat.

The next problem I had was the odor in Tracks 2 & 4... now maybe this was a one-time thing, but it really ruined my first DEFCON experience. Everything I had intended to see was either in track 2 or track 4, and I had to skip the talks because the stench in the room was awful. I realize that this was more the fault of the Riviera, but really now... it was just horrid. I ended up seeing speakers that I didn't want to see, or had never heard of. Which is cool... first-time, unknown speakers sometimes have cool things to say. Sometimes, however, they don't.

Which brings me to my next point... the quality of the talks. Granted, most of the talks I intended to see were great (from what I heard / read), but schedule conflicts and that awful, awful odor kept me away. The talks I did see were primarily low-quality, with inaccurate/incorrect information and someone who didn't know how to present, so they mumbled or talked very quietly. This was actually a point that I heard time and time again as I spoke with other attendees. Everyone seemed to feel that a number of the talks sucked. In the spirit of truthiness, if everyone said the talks sucked… they sucked. Look it up on Wikipedia.

Now, by this point I'm sure I'm being called all sorts of names, or people are thinking, 'he just doesn't get the point of DEFCON, that it's representative of the underground, of the scene.' I get doing something because it's part of the scene... but some value would be cool. I spent most of my formative years on BBSes, Newsgroups and IRC, and the time not spent there was spent at punk shows in the middle of a mosh pit. My parents didn't get it, but there was value.

Also, don't get me wrong... as I've mentioned there are a number of talks that I really wanted to see, so maybe this really was just due to a bad first impression. Now... I said I wouldn't fully rag on DEFCON and I'm not going to... if you take away the talks, smells, and registration... DEFCON was awesome. Something tells me I've lost a lot of people by this point, and they didn't read that last line. No problem… this will be our little secret.

DEFCON was exactly what I wanted from a social scene... The Content Room and CTF were both a lot of fun; the vendor area was small enough to not be annoying and had some really cool stuff in it... I still haven't unpacked my 'H4ck3rs are People Too' DVD, but I'm really looking forward to it. The same goes for the get-togethers. The Freakshow Party was a blast, and again I met some great people. The Hardware Hacking Village was great as well, and many thanks to the people that helped with soldering the mini-USB onto my badge.

So to sum up… registration, stench, and talks sucked; social scene was awesome. If things don't work out in Security Research, perhaps I'll become a social engineer. I don't know if I'd be good at it, but I got you to read this post.

I am really looking forward to attending DEFCON next year... and my goal here was to provide some feedback that can hopefully improve the quality of the con.

I was shooting for a five-part write-up, and this is #3, which means at least two more blog posts... The 5th post, as scheduled right now, will actually be a discussion on ways to improve the cons... but then again I've never run one... I'm simply another attendee. I don't know if that makes me more or less qualified to speak up.

Competitors Can Be Civil

When you're in the vendor space, something you tend to see, as your average run of the mill employee, is rivalry between your competitors. I think this is normal... you have to compete. After all, you come head to head in evals and you are vying for business. That doesn't mean that you have to hate each other; it's like in hockey... you hit the other team hard over three periods, but at the end of it all you go out for a beer. This is something that I haven't really seen in the vendor space... I've seen companies in adjacent spaces get along well, but generally competitors, in my experience, don't seem to.

Blackhat changed all that for me... I was actually quite impressed, so much so that I spent some time discussing the outcome with TK (our CTO), regarding how it was nice to finally see that "hockey attitude" (although, at the time we didn't call it the "hockey attitude") in our space. In fact, the nCircle VERT members that were down there spent a good deal of their time with a few guys from a competing company, including a private party on them. I was actually surprised at first at the bonds that were formed, but in a way this relates back to my previous post (Being a Research Engineer at a Blackhat Booth). Groups like Sales or Marketing can afford to, and in some cases need to, see the competitor as the enemy, but with security researchers, consultants and pen testers... we're like the guys on the ice. We're doing what we do for the love of the game, and while we can't share our play book, we can share a beer and discuss the basics... that knowledge that is familiar to everyone.

Beyond spending some time together, and sharing a few drinks, there were a few things that really impressed me. An nCircle intern decided to pay his own way down to Vegas for DEFCON but ended up showing up a day early. He didn't have a place to stay, so he was offered a couch in Chad's suite... that's right, a competitor offered up a room. On top of that he provided his free DEFCON ticket (which is included in some, but not all, BH registrations) since he knew he wouldn't be around to attend. Our intern was travelling on his own dime. A hotel room in Vegas for the night, and a ticket to DEFCON... that was a huge savings to him.

The next time I was really impressed involved another person without a free DEFCON ticket and, at the time, I happened to be talking to Alan Shimel. I mentioned this, and he apologized for not having one to share (since he wouldn't be around for DEFCON) but he also went and checked with the other people at his booth to see if anyone had an extra that they wouldn't be using.

The last occurrence involved people who aren't competitors, but researchers in a separate vendor space. We left for the flight back to Toronto Sunday afternoon, but our intern, who was taking advantage of a seat sale, wasn't flying back until Monday. I sent a text to Mike and asked if he could put up the intern for the night, and he was able to do so, saving our intern the cost of a hotel room.

To me, all of these are examples of going above and beyond what one would expect from a competitor, but chalk this up as one more thing that I learned at Blackhat. We're all in this to learn. In the end it doesn't matter if you're learning from your colleagues within your company, or from others in the industry... we're all just in it to learn. I understand that there are some companies that don't feel this way... that take more of an isolationist approach. As far as I know SecTor will be the next big con I attend... so to all the companies in our space, and all people in the research community, come and track me down. We're at a con... it's time to put the gloves away and grab a beer together until the next time our two teams step out on the ice.

August 12, 2008

Being a Research Engineer at a BlackHat Booth.

This year I attended my first BlackHat/DEFCON and during BlackHat, I didn't attend a single talk. I had talks I wanted to attend but I ended up enjoying myself at the booth so much, that I chose to stick around and talk to people. While I have to say that attending talks would be cool, I realized that BH isn't about the talks... that is definitely part of BH, but it's not all of it. I missed every talk and had an amazing time.

Those of you that go for the talks are probably wondering how I had an amazing time... it was really quite simple. I spoke to people at the booth; every person that came by that I had the chance to speak to... I spoke with. I work at a desk, and interact with the rest of the team and fellow security researchers via IM, but security researchers, with a few exceptions, generally aren't the public face of a company. For those two days I was interacting with people non-stop... I spoke with customers, evals, prospects and others in the industry.

When I showed up, I was expecting to take in as many talks as I could... but once I spent some time at the booth, I realized that it was the better place to be. Given the amount of work that I've done on our WebApp360 product, and that it was something a lot of booth visitors wanted to see, I was able to get direct feedback and insight. There was a certain amount of personal gratification that went along with it, but really it was more about the feedback. When a customer or potential customer tells you directly that they really like the way something was implemented, or that they'd like to see XYZ implemented differently, it's something you remember and, when needed, re-investigate.

Also, we had VERT Dog Tags at the booth, complete with a bit of geek humour. Passing out the dog tags and seeing the different reactions between people who got them and didn't get them was priceless. For those of you that wanted one and didn't get one, I apologize... they were quite popular and next year we'll need to make a note to have more of them.

I was able to walk people through our product line but with hopefully a slightly different perspective than they'd get from a marketing or sales person. I'm sure there are plenty of people who thought 'sure, sure' and rolled their eyes when I would respond with, 'Well, I'm not a marketing person, I'm a research engineer, so I can't really answer that'.

What am I getting at? Well, in the end, it's nice to, from time to time, get away from your daily routine. To do something completely different. It's something I highly recommend that everyone try. Not only did I walk away with increased self-satisfaction and a sense that I benefited the company, but I walked away with some thoughts and interactions that really impressed me (more on this to follow). As well, I was at the booth at the right time, and got to do a quick microcast with Martin McKeay of the Network Security Podcast.

August 5, 2008

VERT at Blackhat / Defcon

Just wanted to let everyone know that a few of us will be down at BlackHat / Defcon. We'll be attending talks and working the nCircle booth. Feel free to find us if you're interested in getting together for a drink or whatever.

As for talks (as mentioning what you are attending seems to be popular)... You'll find us at the DNS talk, and that's about the only guaranteed one. If I can recommend one, check out Bruce Dang's talk; I saw a version of this at RECON and it really is an incredible presentation.

Feel free to fire me an email today if you want to get together and I'll send you a cell number where you can call/text us.

Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.