most defcon intro. the bottle drop was perfect
moral of the story: don't fire your hackers for finding stuff. give them raises and they will gleefully fix it for you
It seems odd to start a talk with an act of machismo only to call it out in researchers a few minutes later...
moral of story don't hire hackers at all. fuck off with your revenge fueled existence
@@JeanQPublique I think the bottle drop comes across more as performative (maybe it was a long day). The bottle drop was applauded, but I doubt machismo was what was being cheered.
@@Techfuse13 And just think there is someone out there who would love to charge them for seditious acts for doing that while discussing incompetent diplomatic relations. The irony.. o.0
@@JeanQPublique Imagine thinking it an act of "machismo" to recall the passing of your brothers by drinking alcohol. Did you miss that necessary supplement today?
The moral of the story, kids, is that when you discover a vulnerability you shouldn't report it and instead should sell it to shady folks on the dark web.
Or at least that's what punishing well-meaning hackers causes.
Correct, although that's more a blackhat conclusion than one that you can say at fedcon. Don't even try to report, just sell it on the black market because if they're going to treat you like a criminal regardless, might as well get paid.
Well, if you "sell" it, you can be accused of having done it only for personal profit. If you however publish it anonymously, they might still find out who you are and you are in trouble, but they can neither accuse you having it done for personal profit, as you gave it away for free, nor can they blame you to have published it for fame, as then you wouldn't have done it anonymously, since you cannot gain fame if nobody knows who you are. And when I say anonymously, I don't mean pseudo-anonymously, like using some kind of hacker nick or hacker group name, I mean using no name or pseudonym at all. After you've published it, you may point some media to it (TV or radio stations, newspapers, etc.) but I would not give it to them first, as that will again change the way how this looks and you never know what they are doing to do with the information.
@@xcoder1122 To be clear, I don't think anyone should be selling 0days. but the point of the comment was that if no matter how nicely you report you risk having your life ruined, it makes it a lot more attractive to have a reward for all that risk...
One of the many reasons we need reliable, trusted journalists is because while we should absolutely fight for better legal protections, there will always be some risk associated with going public with this kind of information, so it will always be safer to drop an anonymous tip to a reputable news outlet rather than go directly to the government.
Don't trust MSM, on either side. You can trace their money back to the same characters. You can see clips people made of local news across the nation saying the exact thing, word for word, on the same day. Citizen journalists are where truth is. They want you to believe only the selected "experts" that appear on TV have the right to form an opinion about anything. Just shut up and do as you're told. Only learn enough knowledge to be competent in one field. Do not learn about other topics and especially don't connect the dots. Nothing is connected. Everything is a coincidence.
Spend what little free time you have with bread & circuses so you don't think deeply about life. No, shut those feelings and thoughts down with some booze and entertainment. It has worked for over 2,000 years on the people and they still haven't caught on for the most part. They assume their neighbor is out to get them and we'll protect them if they give up their rights and money. LOL. Rinse, repeat.
God Bless Dan Kaminsky - R.I.P. - missed but never forgotten
"what are the problems here"
it's frustrating how much 'laughing it off' there was about their two anecdotal experiences. How many people could survive being attacked by powerful systems, whether the banks or the government, losing your job suddenly, having to pay lawyers, etc... and even for these guys who have the social and financial support to survive those attacks, nothing was done to make it right. I'm sure lawyer fees were never reimbursed, and a government fine of 5k is nothing to sneeze at. Many people could not absorb that easily, although the lawyer fees dwarf it.
Governments and these companies are effectively waving a gun around like a madman at anyone knowledgeable about security and hacking and making it clear that when you find a vulnerability you can't have a rational discussion with this nutjob. Your only option is to put on your black hat and monetize exploits otherwise nothing will ever be done to fix them.
Anyway, great talk but it's a dark topic when you consider what might be happening to people with less voice or knowledge in navigating the corruption.
it's a fair point. I'm in the UK which has had a pretty severe cost of living crisis recently. As a dev with 7 or so years of experience I've ended up stopping eating takeaway out of financial necessity rather than health reasons. I could not survive a legal challenge. I was given a fine by (some organisation I won't name) for a public infraction. I had the choice to pay a fine or show up in court. I had a strong case, but I wasn't willing to pursue that route cause most of us are living paycheque to paycheque. If I'd got that $5000 fine it would have been devastating.
After all the shit LEOs have been caught doing in the past 5 years, and all the nothingburgers that have been done about it, I legit don't know if responsible disclosure is safe anymore. If I report a vuln and the cops show up to my house, I could very well get shot in my sleep over it.
"Governments and these companies are effectively waving a gun" well, I rather have a picture of a monkey with a razor blade in my mind.
This is so funny, because I have a relatable case!
I reported QR collisions to the Dutch government and got faced with the "these are non-issues" e-mail. Basically for the COVID QR code they used a TOTP based on first letter of name and first letter of surname plus date of birth.
So any "SP" born on my birthday could use my QR codes with my credentials.
Even worse was the fact that you could simply generate any QR code yourself, the app didn't use any API to fetch codes... no it just generated codes based on a secret bundled with the app.
So much for "non"-issue, never heard anything from anyone. No cops tho, no cops!
I have to add that the date check didn't even check the year, only day and month...
kinda same, in our case it was the url ending they sent via email simply being a base64 encoded string of the firstname + lastname + date of birth. You could check, reschedule and cancel an appointment without any other credentials, it was completely nuts.
Thinking about how this got approved made me lose some hope for all of us......
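The two schemes described above (a code derived from initials plus day and month of birth, and an appointment link that is just base64 of name plus date of birth) fail for the same reason: the credential is a deterministic function of a tiny, guessable identity tuple. The added example below is not code from the talk or from either government system; it models the tuple space the first comment describes, shows the collision rate that follows, and contrasts it with an assumed server-issued, keyed credential (a constructed population figure and sample people are used).

```python
"""Why identifiers derived from initials and birthday collide, and what a
server-issued credential looks like instead.

Added example; not code from the talk or from the systems discussed in the
comments. Population size and sample people are constructed."""
import hashlib
import hmac
import secrets

# Weak scheme from the comment: the code depends only on
# (first initial, surname initial, birth day, birth month); the year is ignored.
INITIALS = 26
DAYS_IN_YEAR = 366  # day/month pairs, counting 29 Feb


def weak_key(first: str, last: str, day: int, month: int) -> tuple:
    """The only inputs that distinguished one holder from another."""
    return (first[0].upper(), last[0].upper(), day, month)


def weak_keyspace() -> int:
    """Number of distinct (initials, day, month) tuples: 26 * 26 * 366."""
    return INITIALS * INITIALS * DAYS_IN_YEAR


def expected_holders_per_key(population: int) -> float:
    """Average number of people sharing one tuple if initials and birthdays
    were uniform (real distributions are skewed, so popular tuples are worse)."""
    return population / weak_keyspace()


def collision_probability(n: int) -> float:
    """Birthday-paradox probability that at least two of n people share a
    tuple, assuming uniform tuples."""
    space = weak_keyspace()
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


# Hardened scheme (an assumed design, not the real fix): the issuing server
# binds each credential to the full identity record plus a random nonce and
# MACs it with a key that never leaves the server, so nothing on the phone
# can mint a valid credential and two look-alike holders never share one.

def _canonical(record: dict) -> bytes:
    """Length-prefixed encoding so 'AB'+'C' and 'A'+'BC' never collide."""
    out = b""
    for field in ("first", "last", "dob", "citizen_id"):
        value = str(record[field]).encode()
        out += len(value).to_bytes(2, "big") + value
    return out


def issue_credential(server_key: bytes, identity_record: dict) -> dict:
    """Server side: mint a credential bound to the whole record."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(server_key, _canonical(identity_record) + nonce, hashlib.sha256).digest()
    return {"record": identity_record, "nonce": nonce, "tag": tag}


def verify_credential(server_key: bytes, cred: dict) -> bool:
    """Server side: recompute the MAC and compare in constant time."""
    expected = hmac.new(server_key, _canonical(cred["record"]) + cred["nonce"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, cred["tag"])


if __name__ == "__main__":
    print("distinct weak tuples:", weak_keyspace())
    print("holders per tuple for an assumed 17.5M people: %.1f" % expected_holders_per_key(17_500_000))
    print("P(collision among 50 people): %.4f" % collision_probability(50))
    # Constructed sample people: same initials and same day/month, different year.
    alice = {"first": "Sanne", "last": "Pieters", "dob": "1990-03-14", "citizen_id": "ID-0001"}
    bob = {"first": "Sven", "last": "Post", "dob": "1985-03-14", "citizen_id": "ID-0002"}
    print("weak tuples collide:", weak_key("Sanne", "Pieters", 14, 3) == weak_key("Sven", "Post", 14, 3))
    server_key = secrets.token_bytes(32)
    a, b = issue_credential(server_key, alice), issue_credential(server_key, bob)
    print("keyed credentials differ:", a["tag"] != b["tag"])
    # A credential built with a key that lives on the device (the app-bundled
    # secret the comment describes) does not verify against the server key.
    print("device-built credential accepted:", verify_credential(server_key, issue_credential(b"app-bundled", alice)))
```

Run as a script it prints 247416 distinct tuples, roughly 70 holders per tuple for the assumed population, and about a 0.5% chance of a collision among any 50 people.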
@@danielschmider5069 never has a rushed IT solution worked out.
Some intern tests qrencode, slaps it onto a project and calls it a day.
This stupidity always leads to silly things like this.
you should be really thankful for being handed such an easy way out of the cage.
This should be required watching for all bug researchers.
When hackers realize en masse that the government is lying when it says it cares about security is when this changes. There is no reasoned argument that will convince an apparatchik that a real problem is more important than the government's reputation.
If you report something embarrassing or issue an ultimatum to those people, most will respond with guns (police and prosecution).
Still have one of these service medals pinned to my Def Con bag.
God, the Canadian government is such a joke sometimes. Sometimes I think we have it bad in the states, then I see stories like this, where a guy gets fined $7500 for reporting a freaking vulnerability... Jesus. They act like he published the info online and didn't save their butt.
Chelsea Manning? Edward Snowden? The wikileaks pervert? You really think we have it better in the USA? $7500 would be preferable to prison or exile for most people.
Good to see he got ousted though. He would ruin your life if you didn't take a shot from Pfizer. Wonder if he got kickbacks
THIS is how I find out Kevin Mitnick is dead?? RIP
12:59 I think there was a mistake here. The HTML "hacking" case occurred in Missouri, not Mississippi.
This should be pinned. I was in the state at the time, and I remember hearing about this.
I really enjoyed the talk. Thanks for shortening the amount of head scratching for me @MyThreeLivesASMR.
St. Louis Mississippi would be good reference to drop in Shadowrun.😀
At the end he says he claims ignorance as he's Canadian, but I don't think he should even say sorry, he's just being Canadian - who here could point to the Yukon, or Nunavut, or Seskatechahaka, or any of the other provinces Canada claims to have on the map? Sure these places probably don't exist, but we should at least try and remember their names before Mississippi-shaming them for confusing two real places.
Ha HA @@cannaroe1213
For anyone familiar with that chunk of the US, I saw a corporate email today indicating we had a new client in “St. Edwardsville, IL”.
I let the sender know that Edwardsville had never been canonized.
Disclaimer: I’m in the area but never considered voting for those lackwits Parson and Hawley. Those guys shouldn’t be allowed loose.
The problem is stated succinctly at the beginning - the lawyers. The attorneys told the CISO that they HAD to be heavy-handed from the jump, otherwise if it turned out to be a LEGITIMATE THREAT, then they (the government) would be liable. The problem is that attorneys have ZERO CLUE about what constitutes a legitimate threat versus "responsible disclosure." Hence the talk. Bottom line, educate the attorneys (and their minders) to recognize the difference between responsible disclosure and "Yuri the Ransomware Czar."
In the transcript around 00:16:38 it says "[inaudible 00:16:38]", he is saying the abbreviation "OSINT" there.
$5,000 usd fine!?!?!?
Yeah normally they get a life sentence
It was only a HIPAA violation.
“Sorry!” -Canadian government, except without the apology.
plus "legal fees"...
Man I would have been enraged. You make me pay for YOUR mistake?!
Nice speeches, interesting stories. Thank you for sharing. : )
The most unbelievable thing about Thomas's case is that it happened in Canada. Down here in the third world, under a govt that was trying its best to worsen the situation at the time, we came up with a national level system that could track you vaccination records in a much safer and quicker fashion. I'm a bit shocked.
“A hacker with time on their hands is dangerous”
yeh in 2005ish I knew what Snowden reported. I’ve basically only ever had one job. Go figure. But it was really a bad idea for society to punish me by preventing me from having a job. They really assume that if they destroy your career early in, that you’ll never become anything. They undervalue talent and natural intelligence, thinking that (as it was in earlier decades), if they just prevent you from ever being respected/employed in society then somehow you won’t be intelligent. We have things like github, Wikipedia, free online education…
What's going to happen?
@@SamTheEnglishTeacher do you really want to know?
@@DavidConnerCodeaholic yes
@@SamTheEnglishTeacher 42
Also, the democrats are going to win the presidency by coercion & legal obstructionism, in which case the global economy will get BRICS’d
@@SamTheEnglishTeacher whenever some factors constituting an economic perfect storm are set in motion, Russia/China will attempt to force the rest.
More specific questions will maybe get you more specific answers.
The only thing I learned from this is "See something, shut tf up."
Phil Haney did not kill himself.
Doors and corners, kid. Don't come into the room too fast.
I wish I could say any of this was a surprise or is different in the UK where the law states that even intending to hack a system that is not yours or you do not have explicit permission to, is a bad time for you. Crazy. It's like they do not understand that criminals don't care about the law.
say nothing to anyone, you will only get yelled at.
It's Cybersmart Week in NZ. A government awareness campaign. This seems ironically apt.
People with power never do the right thing. It's ridiculous.
1:48 AB MENTIONED
3:33
5:28
6:34
I can't believe how he disrespected a bottle of Knob Creek like that.
Timestamp 39:46 Dig your vibe. If you only get 15 minutes of fame... be a Rock Star.
Ignoring the framerate, the sheer clarity of this 720 video is far above most 1080 videos I watch
Just shows you anyone (government) caught with their pants down will do everything to say they were always wearing pants and some nefarious actor tried to remove them.
Jesus Christ, I'm never reporting anything
Having faith in government to be anything other than self-serving was your mistake.
Amen
Best intro ever
34:47 Language is just data too, starting with "i like to help" would be good
👏👏👏🤣 1 drink per hour rule
hell of an intro
1:50 😂
I only trust techies that can slam liquor
Awesome job guys. The world needs white hat hackers all the time.
when your slides literally contain all the things you're going to say, they are bad slides. read up on how to make good presentations. Slides like these cause people to read ahead and become impatient, because they want to learn more. Use bullet points, and don't show them at once, fade them in when you're talking about it.
Yeah I remember learning this one in high school
As soon as my ppt hit the screen I was maybe 20 seconds at most into it and told to go sit down and I'll be doing it again.
I have no memory of actually doing it again but I did learn to at least make a better ppt when slapping a book report together on something I definitely did not read
Something tells me these guys realllly don't care...
Hackers are built different, we are not normal human beings and the audience was okay with this trust me
You're probably right, but I was only listening anyways. You're welcome for my extremely enlightening opinions
I much prefer these bullet points so when my ADHD drifts I can snap back easier. Also the presenters that do the slow fade every point often fail on what points to put on screen. Also they aren't presenting an education topic where people need to understand steps or points the same way as a high school presentation, or business meeting. Different folks have different needs for things so it's better to adjust your pp for the crowd.
It's NOT GOOD ENOUGH.
5 minutes of "wow I'm so great"
I love Canadians
Alcohol is bad.
nikki haley... nikki haley... nikkie haley... she was nancy pelosi one day!
2:30 🎉
01:50 👽
Got a little alcoholic for a second there...
I wish DEF CON would screen their presenters so we don't get slide readers.
These health fraud pushers need to go to hell
lol, renderman calling your state "batshit insane".
These mens rea issues are so immature, it's embarrassing.
It's so painful listening to this guy. ZERO technical stuff.
The man is bragging about stuff he found on shodan. Basically a noob.
Damn, I'm actually 1st
I’m deeply grateful for your sacrifice.
zazazazazazzzzzzzzzzzzzork
Cringe
Ooh, you owned *HIS* ass.