the lasting headlines from defcon 16 (and black hat)

Every year the Blackhat/Defcon one-two punch of hacker info-sharing makes some headlines. Three years ago was Ciscogate, two years ago Spot the Reporter, and last year Maynor/Ellch and Apple got busy. Here are some stories that made the rounds this year.

Presenters banned from discussing how to beat the Boston subway system. While they were banned, the materials were still available to every attendee and even mirrored online. The presentation looks fun, by the way. Nonetheless, we are hopefully slowly learning that suppressing information/truth does not improve security. Fix the shit rather than cover it up.

French reporters booted from Blackhat for sniffing passwords of other reporters. I think I agree with how this was handled, based on what I’ve read. The reporters are not new to the cons, know what the Wall of Sheep is supposed to be, and knew the rules of the press area. That press area does need to remain a safe place in what is otherwise the most hostile network any of us will ever likely be on. Of course, on the other hand…the victims at least got a first-hand lesson in how to fail at protecting your logins… I somewhat disagree that the sniffing of those passwords should be illegal…again, while that network does need to have some semblance of security, in the end it is still an open and hostile network with hosts you cannot fully trust. It should have been ethically respected, if not legally bound.

I haven’t even read the full-disclosure threads yet, but it looks like several people had accounts hijacked over the past week (pdp from gnucitizen and Alan Shimmel). I wonder if this is related to possibly using the network at Black Hat and either having your system pwned or a gmail session hijacked. This is easy to do if you stay logged into gmail and open a browser to it by accident while on a hostile network. There have been at least two recent presentations on the topic, one involving sidejacking with Hamster from Erratasec and another from Jay Beale this year at Defcon. More reason to respect the hostility of the networks at these two events.
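One defender-side check that follows from the sidejacking scenario above, written as an added example (not code from the original post): it flags session-looking cookies that a server sets without the Secure attribute, which is exactly the cookie a browser will send in the clear on an open network and a sniffer can replay. The Set-Cookie header values and the cookie-name heuristic are constructed for illustration, not taken from any real service.

```python
# Constructed sample Set-Cookie header values, in the shape a webmail
# service of that era might have sent them (not real headers from any site).
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com; HttpOnly",
    "SSID=def456; Path=/; Domain=.example.com; Secure; HttpOnly",
    "PREF=lang=en; Path=/; Domain=.example.com",
]

# Hypothetical heuristic: substrings that suggest a cookie carries a session.
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain) map to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def looks_like_session(name):
    """Crude name-based guess at whether a cookie is a session credential."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def sidejackable_cookies(headers):
    """Names of session-looking cookies that lack the Secure attribute.

    Without Secure the browser also sends the cookie over plain HTTP, so one
    accidental http:// load on a hostile network leaks a replayable session.
    HttpOnly does not help here: it only blocks script access, not sniffing.
    """
    exposed = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if looks_like_session(name) and "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print(sidejackable_cookies(SAMPLE_HEADERS))
```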

Security Monkey beat me to the punch on a post like this, and he has more info on his post.