Code Auditing the Defcon Way

An anonymous reader writes "Last weekend at Defcon, the best and brightest hackers got together to play Capture the Flag, a weekend long hacking event that is the premier event of its kind. According to the results, Shellphish won (UC Santa Barbara students led by professor Giovanni Vigna). An article at SecurityFocus states that the competition was far more technical than in previous years, focusing on reverse engineering skills and code auditing." From the article: "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things...It's about analyzing the security posture of a system that is given to you and about which you initially know nothing."

More technical?

[Alex P Keaton in da]

Sort of like when extreme sports went mainstream... Seems like this is a better way for people to show of their skills for the ever growing, and ever more lucrative security business....

Re:More technical?

[kihjin]

http://www.extremeprogramming.org/ [extremeprogramming.org] :-P

Re:More technical?

[xcentrics]

"What it takes to be an elite hacker is to find vulnerabilities in custom software," said the Kenshoto member. "It is not code auditing per se. They have to reverse engineer, and we have made it difficult to reverse engineer."

real-Reverse Engineering under linux ?!? forget about it.
i mean the system is free ,98% of software is free.Therefore there are no commercial _exe_packers_ (i've never heard about it) so RE is not as hard as under Win where anything can be packed in example with Asprotect.If ther

Re:More technical?

[Anonymous Coward]

http://protools.reverse-engineering.net/unpackers. htm [reverse-engineering.net]

Sorry to tell you this, because just like Shrinker, some bunch of dorks has also broken AsPack (as far as Win32 Portable Executeable format packers/compressors)...

I use (or have used) both in the past not only to gain the faster loadtime off disk (or, even over LANS, because the decompression process only happens AFTER the read up off of the diskdrive into memory, & thus, runtime & today's modern VERY fast nearly 4ghz CPU's more than makeup for t

Re:More technical?

[CryBaby]

I suspect that the motivation behind changing the game was to de-emphasize the growing commercial aspect. If you've attended DefCon in the past few years and watched Capture the Flag, it felt like it was slowly being taken over by corporate teams (several teams were named after their company and/or displayed large company banners in the game area).

This was still a "creeping" influence the last time I attended (not too long ago), but it sure felt like a trend.

I can understand why companies are upset by the c

Re:Why do Defcon hackers prefer Linux?

[Demogorgo]

i wish i had a dollar for every time some bearded lowlife tried to put firefox on my computer. who do they think they're fooling?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Why do Defcon hackers prefer Linux?

[James McGuigan]

The job of a linux distributor (such as Red Hat, Debian, Gentoo, Ubuntu etc) is primarily that of assembling a large quantity of free and open source software into an easy to use and pre-configured package. While they may write and contribute some of their own software to the mix, and do some customisation and bug fixes of their own, 95%+ of the software you see in a linux distro will be common to other distrabutions.

I don't use Red Hat or Fedora myself, so could be wrong about the below, but... Fedora is

Re:Why do Defcon hackers prefer Linux?

[kc0re]

I would like a team of totally mac users to jump in on this. Just to prove/see how secure macs really are.

Re:Why do Defcon hackers prefer Linux?

[Mechcozmo]

Let me simplify the above:
Linux is only free if your time is worthless.

That isn't to say Linux is bad-- but the setup of various components can be... trying at times.

You forgot

[woah]

..but the setup of various components can be... trying at times

...only for thick people.

Seroiusly though, buy only supported hardware. When you buy a Mac, you don't expect for all your existing PC peripherals to work with it. Same goes for Linux. Check to see what is supported. That's all there is to it.

What really gets me are all these whiny posts, "I installed Linux and now my camera's not working and my scanner's not working and blah blah bla..." - Get a clue, kids!

Re:You forgot

[Mechcozmo]

Actually all of my hardware was supported with Ubuntu. However, I could not get WINE to work. I was lost. I figured out to add the repository, searched for WINE, checked it and then told it to download and install, etc. I was happy that I didn't have to bother with a CD key, restart, etc through all of this. But then once it said it was done... nothing. How did I start WINE? Configure it? View a ReadMe file?

Under Windows it is a messy pain but you at least can run the program. Under OS X you contr

Re:Why do Defcon hackers prefer Linux?

[James McGuigan]

Assuming that you know what you are doing (ie have done it before), then setting up a linux machine (especally a fairly user friendly one like Ubuntu), can actually take less time overall than installing and configuring Windows, MS Office, Anti-Virus, Windows Updates and various other utilities.

apt-get install is actually a very easy way to install new software on linux. Alot quicker (human time and attention wise) than finding your MS Office CD, typing in the CD code, then going through the 15 minute insta

Re:Why do Defcon hackers prefer Linux?

[Mechcozmo]

The other thing to note, is that while some people may be money rich but time poor, there are equally many more others who are time rich but money poor.

And for those who are not money rich and not time rich, what options do we have? OS X is set up in less than 30 minutes. Windows is set up in a few hours. Linux has taken too long to get working and therefore not worth spending more time on it which is unfortunate since I'd like to use it.

"According to the results"

[Armchair Dissident]

"According to the results, Shellphish won"

Who wants to be that Shellphish hacked the results...

Re:"According to the results"

[Armchair Dissident]

be? be?! Bet!

Doh!

[KnarfO]

Son of a B!

Well, as for myself, my PC runs OT/NT

[RedLaggedTeut]

Well, as for myself, on my PC the operating systems installed are OT(old testament) and NT(new testament).

While I like how the OT is handling faults from a theoretical point of view, in practice I mostly use the NT, since applications keep on running and work together well.

Re:Well, as for myself, my PC runs OT/NT

[Exluddite]

Yes and things have really improved from OT to NT. Used to be that when the system crashed, you were down for 40 days, with NT you're back up and running in 3.

Anyone parse that as professor Vagina?

[Anonymous Coward]

Damn, I need to get laid.

Posture =)

[PlasticMonkey]

Haha, he said posture! - Nope, I don't get it either - hey it's early!

Erm on a serious note, how did the Defconhackers get an overal score of 0?

Why are they even *on* there? Randomness.

-Phil

Re:Posture =)

[PlasticMonkey]

Yeah, but it's still crazily low! The next runner up is like way ahead :p

Re:Posture =)

[viega]

Well, they pretty much didn't play. First, only one of their team members showed up. Then, he recruited some people, but by the time he did, the green team had totally owned them. They sat there the whole time, but they might have even been helping out the green team.

X (Hackers) Games

[KarMax]

IMHO there is nothing WRONG about this kind of "x hacker games" there is a lot of this kind of stuff, Hollywood movies, popcorn books (like Davinci Code by Dan Brown), among others.

The problem is when begins to be a serious "news" or "event".

The article try to remark that the event is "pro" or "serious", dont get it...

Its just a game!

Re:X (Hackers) Games

[KarMax]

Maybe you missunderstud me

Im _NOT_ denigrating them, they are playing and this is good!, i play to!
I use "Davici Code" in the example, becouse its a "best seller" book, fictional novel, who was taken seriously as if we were talking about a SERIOUS book.

Olimpic games its a bad example, to discuss becouse i dont aprove olimpic games, i think its stupid (medaling stuff).

I dont share your point of view... i mean, be better all the time is what i want, but becouse i want to be better, not becouse i want somethin

Re:X (Hackers) Games

[b0urn3]

Actually, considering the amount of data that is collected from both wargames and the DC wireless network for research use, it is pretty "serious." Too bad next year's Defcon has been cancelled.

Security Posture?!?

[birge]

Is anybody else disturbed by the growth of meaningless, self-aggrandizing jargon in this field? Attack vectors, security posture... Give me a break. These guys do good work, they don't need to puff themselves up with this kind of fantasy verbage like some social scientist or art historian. When did people's egos get so big they need to invent cool sounding words for everything? We've got a serious arms race going on in the "my profession is cooler than yours" wars.

Re:Security Posture?!?

[duffbeer703]

I'm glad that I'm not the only one to notice and be annoyed by it. I find the compulsion to substitute "ph" for "f" everywhere even more obnixous.

The worst is the growth of "dark" words, darkmail, darknet, darkphish, argh... enough already!

Re:Security Posture?!?

[birge]

Yeah, I'm extremely bitter because I can't figure out what attack vector means... My point, sport, is that I know exactly what it means, because adding "posture" after security doesn't add any meaning. It's just, well, posturing; nerds playing cloak and dagger, painting themselves as agents in an engagement that's far less interesting in real life than they'd like to believe. Hence, all the dark-this and black-that, as if we were talking about something more important than a computer file.

Re:Security Posture?!?

[birge]

Wow. I never attacked anyone in particular. I think I pretty much addressed it as a general criticism, in fact one that is very common to other fields, so if you're just a minion going along with the flow, no need to feel picked on. What the heck did I do that constitutes "taking it out" on anybody?

Re:Security Posture?!?

[birge]

I was talking about PEOPLE (i.e. an entire industry field), not a specific PERSON. You calling me a pompous ass is a personal attack, me faulting a group mentality isn't. If you had the stones to post under your own name, I'd have the chance to show you what a decent personal attack looks like.

I agree that CV is pretentious as a word. But, there's a difference between a CV and a resume. And CV comes about historically; it's an older phrase than resume and people trying to get academic jobs have called their

Re:Security Posture?!?

[birge]

Guess what? An attack vector isn't the same thing as an attack. There are plenty of attack vectors that are never exploited through actual attacks.

That's like saying there are a lot of pitches that haven't been pitched. I mean, pitch vectors that haven't been pitched.

Look, if you consider making fun of an entire industry tantamount to personally attacking each individual, then fine, give me that power. At any rate, I'm sorry if my argument isn't as tight as you'd like. Maybe if I summarized it more eloqu

Re:Security Posture?!?

[birge]

I think if you reread my first post, you'll see that I made a point of saying that I respected WHAT these folks do, and just thought the words were contrived. But you're right about MIT having a reputation for arrogance, and I really don't want to contribute to that. I didn't mean to sound arrogant, because my original point was that I don't like the way professions try to sound important by coming up with obfuscating phrases, when simple ones (or existing ones) will do. I was being accusatory, but I'm perf

Re:Security Posture?!?

[birge]

The term "security posture" has an obvious and well-defined meaning. It's been in use since before IT systems, and its etemology is from the military world.

Jeez, that makes it sound even more pretentious! Guys with guns who dodge morter rounds invented the term, and it's been adopted by pasty guys who wear sandals, write computer code and wake up around noon. (I'm one of the latter guys, so don't get too pissy about the insult.) Sure, call me a dick (and you'd be half right) but don't you see my point eve

I would love to see network trace logs

[abulafia]

I haven't been to Defcon since the third one... no time (at least I have the t-shirts), and now that I don't live nearby, it is hard to justify the expense and time off. Hell, I can't even have normal vacations, let alone conference junkets. But damn, this seems like it would have been a great year to have gone.

I'm sure someone watched the wire for this event - if TCPdump (or whatever) traces of it are available anywhere, someone post a link. It would be a fascinating thing to waste my weekend on.

The game is quite different...

[lamj]

I was there playing CTF. This year's focus is definitely very different, unless you can dream assembly, you are not going to be very effective at attacking.

The way they setup the infrastructure also does not allow you to do a whole lot of defense against the attacks.

In terms of this being real-world... Honestly, how many security incidents are caused by hackers reversing the binary which lead to the intrusion? I would say 95% of intrusion are done by script-kiddie method.

I hope they will put more infrastruc

Teams?

[geekp0wer]

Just like online gaming.... Teams were not balanced. From what I heard the top 3 teams all had 20+ people. Some 30..... 4th place had 7 people. Also heard the points system was a little skewed. Basicly if you owned someone else's server then you scored points for the length of time you owned it. B ut then the team that was being hacked would take it off line and you would be out of luck. The penalties for off line boxes were less sever than the rewards for owning someone. The contest was run by a group ca

Re:Teams?

[kenshotosnit]

The penalty for off-line boxes was MORE severe than the reward for an 0wn. You could basically score two points for an 0wn per 5-10 minutes. If you managed to take down all your services for the whole game, you'd end up with 0 points, because your attack score was multiplied by your uptime percentage. Let's say that you determined that you were getting pwn3d through the Alice service about 1/2 way through the game, so you just shut the thing off. The one team would probably fail to score two points ever