# Neg9 Seattle - Aug 8, 2017

## Meeting Vitals

| | |
|-|-|
|**Location**|University of Washington [Map](https://www.google.com/maps/search/UW+Computer+Science+%26+Engineering+-+Room+203,+185+West+Stevens+Way+Northeast,+Seattle,+Washington+98195,+United+States+of+America/@47.653273,-122.30605,19z) CSE 203|
|**Date**|Tuesday, Aug 8, 2017|
|**Time**|18:00hrs (6:00PM Pacific)|

The doors will be locked after 5pm, but if you go to the side nearest the street, people will be waiting until 6pm to let you in. If there aren't people, there will be a sheet of paper that has a phone number you can call to get let in.

## Meeting Agenda

[Lean Coffee](http://leancoffee.org/) agendaless meeting format. To be determined on the day of the meeting, at the meeting.

### Presentations

* No formal presentations this month unless one is voted up in lean coffee.

### Hacking

* We'll probably be playing CTF challenges or wargames.
* Hackers will be encouraged to solve difficult challenges from the [leaderboard](https://neg9.org/leaderboard/).
* Learn how to hack or show your prowess!

### Projects

* [JavRE](https://www.altsci.com/concepts/javre/)
  * Reverse engineering tool for ELF executables
* [JRSFuzz](https://www.altsci.com/jrsfuzz/)
  * Dumb fuzzer for a dumb world
* Feel free to add your project here.

### Misc. Info

None

## Meeting Minutes

Here's an overview of this meeting for historical purposes. A full transcript is at the end.

### Discussed Topics, in order of # of votes

* Anti-Doxxing - Javantea
* SROP (Signal Return Oriented Programming) - tecknicaltom
* ROP (Return Oriented Programming Basics) - GotJon05
* Concolic execution with Angr - isaak
* Reverse Engineering Binaries in CTFs - @sniper
* Analyze the DEF CON CTF scoring database (recently published) - stryde
* Bluetooth fuzzing - coldwaterq
* Intro To Side Channel Attacks (e.g. ChipWhisperer) - Cryptomonkey
* ESP8266 $6 WiFi Adapter - hackworth
* Being New to Security - tabasco

### Topics not discussed

* Forensics - Javantea
* Make an attempt at the 2017 DEF CON CTF Finals services - stryde
* Black box testing - coldwaterq
* The industry most ripe with vulnerabilities
* What are partial and full RELRO, and how do you bypass them? - Durkheim
* If you have a binary, what's the best way to determine what version of malloc (i.e. libc) is running on the server hosting the application? - Durkheim
* Ransomware Reverse Engineering
* Verilog - hackworth
* Running a CTF - craSH
* DEF CON 25 Stories / "What I did on my Hacker Summer camp" #badgelife - tecknicaltom, supersat
* Tool Developments - @sniper
* GDB Basics - Cryptomonkey
* Security, or a lack thereof, can kill - Blue
* I built a motorcycle, you won't believe what happened next! - Blue
* Ramifications of DEF CON 25 arrest of Hutchins for malware research - Bucky
* Steganography basics - Cryptomonkey

### Notes on topics covered (minutes)

* Anti-Doxxing
* SROP
* ROP
  * [ropasaurusrex](https://blog.skullsecurity.org/2013/ropasaurusrex-a-primer-on-return-oriented-programming)
* Concolic Execution
  * [Mechanical Phish](https://github.com/mechaphish)
  * [Trail of Bits porting of CGC](https://github.com/trailofbits/cb-multios)
* Scoring of Defcon CTF
  * Patches handed out
  * Backdoors in the patches
* Bluetooth Fuzzing
  * HackRF
  * Hopping
  * BladeRF
  * LimeSDR
  * libbtbb
  * BLE
  * Multiple radios
  * Someone knows about it; they are on the list
  * Toorcamp will be a good time for radio people
* Side-channel attacks
  * Defcon class about [ChipWhisperer](https://github.com/newaetech/chipwhisperer)
  * Power consumption
  * Heat
  * 14 spikes in a row, that's AES
  * AES-128 in 5 minutes 0_O
  * When someone puts an electromagnetic sensor next to your system, owch.
  * Mitigations:
    * Leveling the power
    * Steel mesh (Faraday cage)
  * ChipWhisperer $400
  * ChipWhisperer Lite
  * Screwing with the clock allows us to skip an if.
  * Firmware pulling
    * Read the key
    * Read the data
    * Annnd done.
  * EMP glitching
  * [ScanLime](http://scanlime.org/) modified ChipWhisperer and Facedancer to dump ROM
* ESP8266
  * Cheap WiFi chip, $7
  * Arduino, MicroPython, Lua interpreters
  * IoT is full of vulns
  * Cryptomonkey is optimistic
  * There's an IoT law in Congress
* Getting started in Security
  * No predefined path
  * Passion + self-taught
  * Education is new
  * All the industry now was self-taught
  * CTF as experience
  * Get one good writeup, publish, use a pseudonym
  * Entry-level machine learning job in Bellevue
  * Internships are awesome
  * Writing C code for IBM
  * CTF writeups
    * Code first
    * Write something smart
    * You are writing a story.
    * Take a look at the best teams on https://CTFtime.org
    * https://Neg9.org/
    * rootfoo.org
  * Communication
    * Why did you make those mental leaps?
    * When did you go down a wrong path?
    * Capturing failure is interesting.
    * Decision trees are interesting to the writers.
  * FX of Phenoelit: Defcon talk about Cisco
  * GitHub repo and interviews
  * Use your judgement
    * Employer's policies on publishing
    * MeatPistol authors were fired by Salesforce
    * Are you getting paid a lot of money?
    * Is someone telling you that they are going to do a lot of harm?
    * Did they do a lot of harm?
    * How much?
  * You can't know everything
    * Jack of all trades
    * I don't know much, but I know enough about this because I saw a talk.
    * Breadth and depth.
    * Knowledge frameworks, how things interact, implied behavior.
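The SROP bullet above, and the transcript's topic 2, come down to one kernel behaviour: `rt_sigreturn` reloads the entire user register set from a frame it expects to find at `rsp`, and it does not check that the kernel was the one who wrote that frame. The following is an added example, not from the meeting or from any project the page mentions: an x86-64 Linux C program that forges such a frame itself (a struct mirroring the kernel's `ucontext`/`sigcontext` layout), points `rsp` at it and invokes `rt_sigreturn`, so that execution resumes at a function of our choosing with `rdi` set to a value of our choosing. In a real chain the `mov eax, 15; syscall` would be a gadget and the frame would be written by the overflow; here the process does both to itself. The landing function, the scratch stack and the value `0x1337` are constructed for the demo; on other architectures `srop_supported()` returns 0 and nothing runs.

```c
/* Added example (not from the page): a self-inflicted SROP on x86-64 Linux.
 * We forge the frame rt_sigreturn expects and let the kernel load a register
 * state of our choosing. Everything here is constructed for the demo. */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

#if defined(__x86_64__) && defined(__linux__)
#define SROP_SUPPORTED 1
#else
#define SROP_SUPPORTED 0
#endif

int srop_supported(void) { return SROP_SUPPORTED; }

#if SROP_SUPPORTED
/* Layout of the kernel's rt_sigframe from the ucontext onward, which is what
 * rsp points at when rt_sigreturn runs (the "pretcode" slot is already popped). */
struct forged_frame {
    unsigned long uc_flags;
    void *uc_link;
    struct { void *ss_sp; int ss_flags; unsigned long ss_size; } uc_stack;
    /* struct sigcontext: r8..r15, rdi, rsi, rbp, rbx, rdx, rax, rcx, rsp, rip,
     * eflags, cs|gs|fs|ss (16 bits each), err, trapno, oldmask, cr2 */
    unsigned long gregs[23];
    void *fpstate;               /* NULL: kernel skips FP restore */
    unsigned long reserved1[8];
    unsigned long sigmask;       /* kernel sigset_t is 8 bytes */
} __attribute__((aligned(16)));
enum { GREG_RDI = 8, GREG_RSP = 15, GREG_RIP = 16, GREG_CSGSFS = 18 };

static jmp_buf back;                     /* way back to srop_demo() */
static volatile unsigned long seen_rdi;  /* what landing() found in rdi */

/* Landing pad: entered straight from the kernel's sigreturn path with the
 * registers from our forged frame, so rdi (first argument) is ours. */
static void landing(unsigned long rdi)
{
    seen_rdi = rdi;
    longjmp(back, 1);                    /* back onto the original stack */
}
#endif

/* Returns the rdi value observed by landing(): 0x1337 if the forged frame was
 * accepted; 0 on unsupported platforms. */
unsigned long srop_demo(void)
{
#if SROP_SUPPORTED
    static unsigned char new_stack[16384] __attribute__((aligned(16)));
    struct forged_frame frame;

    if (setjmp(back) != 0)
        return seen_rdi;                 /* landing() jumped back here */

    memset(&frame, 0, sizeof frame);     /* uc_flags = 0, empty signal mask */

    /* Stack for landing(): aligned as if a call had just pushed a return
     * address; the dummy return address is never used. */
    unsigned long sp = (unsigned long)(new_stack + sizeof new_stack) - 8;
    *(unsigned long *)sp = 0x4141414141414141UL;

    frame.gregs[GREG_RIP] = (unsigned long)(uintptr_t)landing;
    frame.gregs[GREG_RSP] = sp;
    frame.gregs[GREG_RDI] = 0x1337;      /* the "argument" we control */
    /* cs = 0x33 (user code), ss = 0x2b (user data); the kernel restores both */
    frame.gregs[GREG_CSGSFS] = 0x33UL | (0x2bUL << 48);

    /* The "gadget": rsp -> forged frame, rax = SYS_rt_sigreturn, syscall.
     * The kernel parses the frame at rsp and never returns here. */
    __asm__ volatile(
        "mov %0, %%rsp\n\t"
        "mov %1, %%eax\n\t"
        "syscall\n\t"
        :
        : "r"(&frame), "i"(SYS_rt_sigreturn)
        : "rax", "rcx", "r11", "memory");
#endif
    return 0;
}

int main(void)
{
    if (!srop_supported()) {
        puts("x86-64 Linux only");
        return 0;
    }
    printf("landing() ran with rdi = 0x%lx\n", srop_demo());
    return 0;
}
```

The `longjmp` exists only so the demo can report what it saw; an exploit would instead point `rip` at a `syscall` gadget with `rax`, `rdi`, `rsi` and `rdx` already set for `execve` or `mprotect`, which is why the transcript describes SROP as replacing most of a ROP chain's register set-up with one frame.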
#### Link Dump from meeting

* https://thisissecurity.net/2015/01/03/playing-with-signals-an-overview-on-sigreturn-oriented-programming/
* https://www.youtube.com/watch?v=SYYZjTx92KU
* https://toorcamp.toorcon.net/register/
* https://pwnable.tw/
* https://github.com/angr/angr
* https://blog.legitbs.net/2017/07/def-con-ctf-2017-final-scores-and-data.html
* https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20ctf/
* http://scanlime.org/
* http://newae.com/
* https://www.sparkfun.com/products/13678

#### Transcript (Durkheim)

###### Attending tonight:

* craSH
* tecknicalt0m
* Javantea
* Durkheim
* CryptoMonkey
* coldwaterq
* Hackworth
* Jonathan
* Kyle
* Straad
* Basco
* Sniper
* Paul (cK)
* SportsBadGuy
* Bucky
* Donquixote
* Carl / superSat
* Blue
* Minutes: Durkheim

(As I'm new to Neg9, apologies if I misattributed something that was said, or didn't get someone's name correct in the notes below. Also, for self-evident reasons, I didn't get down many of my own comments.)

This was a "Lean Tea"-style meeting. We wrote between 0 and 2 "project ideas" on sticky notes, voted up to twice on projects in which we were interested, and covered topics in decreasing order of votes, for between 5 and 7 minutes each.

craSH: Neg9 has an awesome leaderboard. The more you complete the better you are, but getting to the top is really difficult. You learn lots of cool things. We talk, but we've learned some awesome stuff throughout the years.

###### Quick intros:

Jonathan -- Evergreen -- ROPing questions / ASLR.

Tom: with Neg9 since he met these guys -- push people to be active -- more vocal for that reason.

Carl / superSat: researcher at UW, previously grad student, doing embedded systems security stuff.

Kyle: interning at VertaLabs, interested in health care security, wondering what industries are super vulnerable. Question about REing ransomware.

Hackworth: Interested in Verilog, for programming FPGAs. Works for SI, general troublemaker.

Javantea: hacker, Neg9 CTF team.
Interested in talking about anti-doxing (that's a hard problem).

SportsBadGuy: [missed his intro]

Basco: new to security, met Hex last year, who told her about Neg9. Taught herself lots of stuff, just graduated college and wants a job, prefers that it's in security. How do you go from teaching yourself stuff to doing it for life?

Paul: Interested in talking about the ESP8266: it's a wifi module, three bucks a whack, to put into consumer devices to connect to the internet, and it's an epic horror show.

Sniper: REing binaries. He's with SI. Wants to learn more about binaries [exploitation], specifically with respect to playing CTFs. Happy to help with projects. Tooling ideas.

Straad: analyzing the CTF scoring database. Used to play DefconCTF as team Fast and HatesIrony, just moved from Washington DC. Built CTFs as part of the services offer team for Concerto, then at DARPA doing Cyber Grand Challenge AI stuff. Now he's at Microsoft Research.

Matt (CryptoMonkey): played a couple CTFs with the Neg9 team, got maybe one solve. So also plays on the leaderboard. Doing lots of the lower tier CTFs, has been soloing those, pretty much a CTF beginner, does mostly hardware crypto. He knows a lot about load balancing and security, and most of his solves are in logic and stego. He's concentrating more on reversing now.

Tom: Interested in talking about SROP: Signal return-oriented programming. It's a new exploit technique to him; he wants to know if other people know about it.

ColdWaterQ: Into Bluetooth testing, black box testing. Part of Neg9 CTF, works at Microsoft.

Bucky: Interested in the ramifications of the arrest of the malware researcher at DefCon. Just graduated college, new to the Seattle area, finding the communities in town.

Blue: "security or lack thereof can kill". He built a motorcycle, and is interested in areas where systems thinking helps outside security. Does doing work in other areas help you in the security realm? He's building a distributed data grid for a company downtown.

Isaac / DonQuixote: Evergreen, binary exploitation course. Just did CMU; wants to solve the RPISec bomb...

###### 1. Anti-doxing

Javantea: What happens when someone doxes you? Does it affect you, your friends, people you may not even know? Different based on the context. So a celebrity having their phone number made available, and it's their only method of communication: they'll have a bad day. Might be the worst day of their lives. They decide they'll quit Twitter etc. Or the opposite perspective: I have the phone number of a celebrity because phone numbers aren't secure credentials. How do you think about what is my responsibility to not divulge the number of a celebrity? There's an obligation not to cause other people physical harm. But if I call on the Internet to punch someone for me, is that speech or is that crossing a line? I believe in strict freedom of speech. Think of the worst thing you've said to anyone; I believe you should have the right to say that. As long as there's a limitation on freedom of speech, there's a doubt about whether you can do science, research, talk about things important to you. There's a clear line crossed when someone publishes info that otherwise would be private. How do you go about solving something as difficult as doxing?

Hackworth: [to Javantea] So basically you said you're pro free speech, but want to take an area of speech out of bounds.

Javantea: Well, I don't want doxing, but I also want anyone to be able to say anything.

Hackworth: [missed it.]

superSat: So you want to have someone's phone number and not do something with it.

Javantea: [missed it.]

CryptoMonkey: But often people dox someone for the money. [Let's say I'm into doxing:] I do it for the money, sometimes for the lolz, but if you're going after a celebrity, it's about the money. Does a paparazzo care if their reputation gets smeared?

superSat: Isn't anonymity part of free speech?

Tom: [something about the stupidity of celebrityhood.]

Javantea: What about doxing intelligent people who aren't celebrities?

superSat: Washington Secretary of State website: you can download the entire voter registration database. So, there's an issue about the tradeoff between government transparency vs. private information.

Hackworth: Everyone know who Valerie Plame is? [A few undergraduate students haven't heard of her.] Valerie Plame was doxed as a CIA operative while deployed, by the presidency no less. Her husband was Joe Wilson, an ambassador at the time. That endangered her, had national security ramifications, and potentially even worse, it endangered everyone who worked with her.

[Someone]: The core harm of doxing: your identity is your password. Convincing the Fortune 50 to move beyond identity would pull the poison out of the attack.

Tom: Right, your social security number was never supposed to be used like a password, but it is now.

[Straad I think]: You know, I got to my DEF CON hotel and my credit card was denied. I was thinking, we know how to send a random number, hash it, send it back...it's 2017, let's face it...why can't you have me just ask the credit card to verify my identity...

[someone else]: You know, that has to be the cheesiest story about having a credit card called into question at DEF CON that I've ever heard...

[someone else]: Doxing someone changes the way people interact with that person. You open up their house, open up the dynamic in which people interact with them. If you're known on Twitter, you can't interact with the world the same way as when you're not known.

Javantea: Death threats are a main issue. If people weren't so willy-nilly about sending out death threats...[we probably wouldn't be discussing doxing at all tonight.] Anonymity is the problem when it comes to doxing.

Hackworth: There's a challenge of enforcing societal norms. Do we get people to play more nicely when they have to attach their real names to comments they make?

superSat: Well, when YouTube combined your real name with your Google Plus account, people didn't change their behavior in the comments.

[Vote: we've finished this topic.]

###### 2. SROP

Tom: This is probably going to be a short one, since nobody else knows about this topic and I just looked at it...Signal Return-Oriented Programming. Signal handlers: when the kernel changes context for signal handlers, it stores the full context of the registers in a specific spot on the stack. When [execution transfers back to user mode] the signal handler restores them, and SROP uses the few instructions at the end of a signal handler to control the entire register state in very few instructions. If you have ever written ROP gadgets, it seems like most of your code is just setting up your registers for getting into the state of what you want to do. So this seems like a cool hack for what you want to do.

[someone]: So what are you doing, ROPing into the end of a signal handler? Or are you triggering a signal? Are you using the end of a signal function to change the parameters?

superSat: My guess is it's the OS doing the state [?], so you have to convince the OS to do the signal somehow.

Javantea: Signal handler: you call `signal` from libc, that decides that this address gets executed when a signal occurs, the handler starts executing and you have a couple instructions before everything goes to hell, and return at the end. Something has to set up the state; it has to be libc or the kernel, right?

Tom: ROPing to a syscall-ret gadget. You set up an actual syscall with minimal side effects...

Q: Int80 [REP or maybe RET], which mitigations are triggered here?

Tom: [Looking something up]: This one is talking about 64-bit: syscall ret. So this can be homework for us.

Javantea: this is thisissecurity.net.

Durkheim: Does anyone know of any CTF questions that reference this technique / skill?

[Maybe Straad or coldwaterq]: NCSC2014: Pwnable 600: SROP.

###### 3. Basics of ROP

TeknicalTom: So back in the old days, with a buffer overflow vulnerability you overwrote the return address, and at the time you put the shellcode in your buffer, jumped back to the buffer, and had code execution. But once the NX bit came along, new hardware meant that the stack was no longer executable. Out of return-to-libc came ROP. If you control the stack you can return to an address that does something and returns to somewhere under your control on the stack. Then you engineer a chain of returns where you can put your data. So you chain together gadgets, which are a few instructions before a return. One thing that makes it really powerful is that x86 is a variable-width instruction set. Pretty much every byte is a valid instruction pointer, if the instructions are valid. So you can find instructions that make sense to you.

Durkheim: How do you use ROP to pivot from the stack to the heap?

[Someone]: Here's the magic ticket for a pivot: I'll go to 32-bit. The `xchg eax, esp` instruction will point the stack pointer at a general purpose register. A constraint solver then helps you to find what series of gadgets gets you there.

Donquixote: You can also find instructions that add or subtract from esp. There were tools that looked at ROP gadgets and would build a ROP chain for you. They got demoed [at a DEF CON at some point].

[Someone]: Same guy who wrote PETA had a ROP chain tool, but it never materialized.

Jonathan: Sawen [sic?], the guy who wrote ROPgadget, experimented with [SAT solvers?] and found it wasn't fruitful.

Durkheim: What are some tools for finding the instruction you need followed perhaps by a really long series of instructions, such that the challenge then becomes keeping what you want in the registers after maybe 30 assembly instructions?

[Someone]: With Ropper, you can specify how far back you want to go. It will search back 15 etc. Then you figure out if it will actually work. Example of automated black box ROP: Don Sung's system, Galactica, managed automated exploitation against a bug it found. Another system fielded a protected stack, and Galactica re-exploited their patch using ROP; it was a contextual ROP solve. It picked up the context from edi. This was documented; there was a movie that came out about five days ago on YouTube. It's two hours, but I know where it is, I can fast-forward to that little spot and send the link to the hackers' mailing list.

Tom: Meta did a write-up of what he considers the canonical intro to ROP challenges, ROPasaurus rex; he solved it and did a write-up for it, and it's a good example of an intro to ROP. Check out his write-up or any others; this is all about reading as many write-ups as you can or doing as many challenges as you can.

Crash: There's a GitHub with a collection of write-ups, ctfwriteups. That's an awesome resource, and has gotten lots of traction.

###### 4. Concolic Execution

Donquixote: Last night I was looking at Angr. It builds on binary exploitation. Finding ROP chains is kind of an art: now you can't just write whatever shellcode you want, you have to find gadgets and chain them together, and to speed this up people have gotten into automated forms of fuzzing with SAT solving and symbolic execution (where you regard the registers as symbolic, and [concretize?] them by feeding them various types of inputs). It's used in REing challenges now, not as much for finding bugs. Finding a bug is harder to do with a SAT solver maybe, I don't know. You can step through the binary symbolically, that is, you can add constraints to the symbolic buffer, constrain it and allow your program to work faster. Binaries are getting bigger, and CTF players are going to have to adapt -- it won't be a 32-bit world for much longer. 64-bit binaries have a different way of calling functions, using registers. So concolic execution libraries like Angr look like the wave of CTF playing for the future. Angr has lots of write-ups out there. Lots of folks here have used it for binary exploitation.

[Someone -- I think Straad]: Veritesting, satisfiability solving, concolic execution....we had to use "big data" to manage inputs, because inputs coming from the network were potentially hostile, going into the same database as program analysis inputs, and the database management problem was just as big of a problem to win. It was an attempt to automate DEF CON CTF. The two major structural changes to the game [in setting up an automated CTF] were 1. Attack/Defense-style CTFs where you could see people's patches before you field them, and 2. an API so that robots could play. It was a brokered CTF where there was an automation call to say please field this patch for me, field this exploit, tell me my score, etc. UCSB open-sourced the entire thing and then put it on GitHub; you can just download their automatic CTF-playing robot via VM and put it on your own laptop. It's just for CGC binaries, but here's the thing...there are 7 system calls, just the BSD template, and hooking it into any OS is just an hour's work!

CryptoMonkey: I don't think the 7 system calls was a problem...

###### 5. CTF Scoring Database

Next topic: Let's talk about analyzing the DEF CON CTF scoring database that was just published. All that's out is who won. It's in Postgresql6, on DEF CON's media site: media.defcon.org.

Straad: This year, PPP killed everyone by putting in two backdoors. Everyone found the first one and then there was a second door. This year, there were backdoors, bugged doors, and intentional partial patches. [I just wanted to see people fix it correctly.?] I want to know, how much was first exploit and how much was effective meta-game defense? I wrote the legitbbs problem for the DEF CON CTF. The CTF was crazy -- 9-bit middle-endian ANSI control codes.

Tom: In the History of CTF panel, when they realized that this is a global game, they had to architect it so that fluency in English isn't an advantage.

superSat: [Something about ToorCamp 2018.]

Tom: ToorCamp is great. [One year we had a] Deer fax machine[?], we taught people to tap phones, and [Laudner?] wanted to do a 2600-style voice BBS. 2600 ran in the New York area -- you take everything you know about a BBS, but it's not computers, it's all voice.

superSat: We did something like that but it wasn't well known. [ToorCamp is great.]

Tom: I want to second that pitch: ToorCamp is awesome. It's hackers "camping", many for the first time, and old school telephones run to tents, with trans-oceanic links, deployed by kayak.

Hackworth: And crank calls.

###### 6. Bluetooth Fuzzing

javantea: I talked to people at ToorCamp about that; Michael Ossmann and Travis Goodspeed are radio / hacker people. So HackRF is something Michael Ossmann created. What can HackRF do to Bluetooth? Bluetooth is a channel-hopping, spread-spectrum protocol. And the speed at which it hops is too fast for HackRF. If instead you get an Ubertooth, you can use aliasing to get read access to Bluetooth, which is what you need for fuzzing. You get a protocol, and give it semi-valid input. So HackRF or maybe USRP is the best tool you can get (USRP is best but expensive) to do this fuzzing protocol. You hop along, read a packet, and go "aha, this is where I can start sending data." You're communicating with another device, say a dongle, headset, PS3 controller, you name it -- thousands of devices. For the HackRF you need to write firmware for the HackRF in order to hop that fast, and the [USRP?] radio is fast enough to keep up with the radio. If anyone has elite skills in ARM, you can hop along in C code.

CryptoMonkey: If you get a radio with a huge bandwidth, there are SDRs that can do that. You [FFT?] out to each one of them and pull the spikes out that way. USB interfaces. The trick to also doing Bluetooth is the Ubertooth is great because the USB3 SDRs are fast enough to get the data out fast enough. You need one of the newer ones or the bladeRF.

[Someone:] LimeSDR did a Crowd Supply thing recently and has a 61 MHz one; I'm waiting on mine and am pretty excited.

CryptoMonkey: wide bandwidth is a cheap way to avoid the frequency hopping, because you can do everything in software. Real time.

[Question about SDR tools?]

[Someone:] Nothing is open source. Some of the people who do testing have code for it.

[Someone else]: There are also expensive Bluetooth sniffers where you provide the Bluetooth key and it does the sniffing for you. They're always firmware mods for cheap hardware.

CryptoMonkey: But they're vulnerable to timing attacks; they're prone to glitching / timing attacks.

Q: What resources are out there to begin?

CryptoMonkey: I suggest the Ubertooth stuff, which is supported in GRC, and GNU Radio stuff. It's an accessible way to ... [missed it.]

Javantea: There's an unofficial maintainer of GR Bluetooth. It's deprecated -- the people who wrote that wrote it badly and don't support it. libbtbb is the way to go.

Tom: What does the maintainer of a deprecated code base do?

[Someone]: Warn people not to use the code!

Q: Bluetooth that is low-energy? Does anyone know anything about that?

Javantea: ... [missed it.] Get into the IRC channel.

Someone: There was some other discussion about people wanting to do more amateur radio stuff at ToorCamp because it corresponded with the major ARRL Field Day.

[Someone]: Are there things for non-security people to do at ToorCamp?

[Reply]: Yes, in fact there's a whole track for children.

Tom: ToorCamp is a bunch of hackers out in nature, with the Burning Man hackers laughing at the non-Burning Man hackers about being out of civilization.

###### 7. Intro to side channel attacks from CryptoMonkey

CryptoMonkey: At Black Hat I took a class from the guy who built the ChipWhisperer. We used XMEGAs doing AES. You measure the power consumption of the magnetic field of the chip, and watch the spikes as it changes registers. You can see the 14 spikes in a row. And we were able to do like 50 runs / samples of this, watching it go through 50,000 runs of each run, and literally break AES-128 in like 5 minutes. We do a lot of crypto and work with chips [at F5], but if someone can just put a little magnetic field sensor on it...it's all statistics: if the key is this and I know the data are this, what is the probability that I get a spike here.

Crash: What are possible mitigations?

CryptoMonkey: You do "decoupling caps" by grounding out all the spikes. In professional-grade chips they have a steel mesh over them that is practically a Faraday cage, so they don't leak as much. I had a better ChipWhisperer at home; there's a demo for it and it also does glitching, where you screw with the clock of something. So you can watch a processor doing it, saying "give me 1,000 samples," run through some tests and the key just falls out! Second, you screw with the clock and skip sections of code, thereby bypassing authentication. The kit you get from NewAE is pretty neat. They have an entry-level kit; they have tons of examples up on his site. We've been playing with our Broadcom cryptochips and encipher chips. We have FIPS processors that are super-secure. If you get physical access to a box and cut it open, then you can pull out the crypto keys, breaking AES-128 in like five minutes. The site is newae.com.

[Colin -- someone's name?] There's a two-day class at Black Hat. You just look at the power consumption. The graphs look like spikes, but you can tell what [registers?] they are. Given lots of embedded stuff is moving towards these encrypted bootloaders...you set a key the hardware has to have so you never see the firmware unencrypted, but now you can say "let me pull that out." Six years ago, there was a talk by a guy named Matt on pulling firmware out of embedded routers; now you can just clip a chip on and pull out keys using tools we use in CTFs. They encrypt that now, so I power [this device] up, decrypt the encrypted data and get at it. With a $300 tool you can undo what they did to encrypt their boot ROMs. Scary stuff. I'm into stuff that lowers the entry level of a lot of this stuff. I did the USB fuzzing course because someone created a dongle that you can just buy. That was a game changer. With the ChipWhisperer, now you don't need a $20,000 oscilloscope. You can do this to any embedded device you can buy at Fry's, because they don't use warded chips.

Tom: There was a talk at REcon about power glitching. They built their own EMP generator to do glitching.

CryptoMonkey: Regarding ScanLime, her YouTube channel: she was doing glitching and dumped the entire firmware with just basic glitching. She modified the equivalent of a ChipWhisperer and used Facedancer to dump the entire ROM out the USB port and get the entire firmware app without breaking the box.

Tom: she's been doing stuff for years.

Paul: There's the ESP8266, a wifi controller that is in the $3-$5 price range in bulk (ten units). It serves as an access point serving four clients, and connects to another router. It has 16 I/O ports, serial ports, and interfaces to a lot of devices. It has a Lua and MicroPython implementation, and is programmable with the Arduino toolchain. It's designed to go into IoT things to make them insecure.

Crash: Looks like, fully decked-out, one is $6.95 for a single controller.

Paul: I put together a sniffer for DEF CON. I want one based on 15 modules that runs in parallel; you can run it off a battery pack. These things are super cheap. Documentation and tool chains are readily available. It's designed to be easy to use.

Javantea: The take-away is that IoT is so completely broken that it isn't even a choice: it's either don't ever buy an IoT thing, period, or just pile them up -- why not have ten refrigerators that all put backdoors into your network? What's the harm in one more? But that to me is the take-away: you should never ever buy an IoT device. But why is there an IoT, why is that an acronym?

CryptoMonkey: It's the 1990s all over again. Having secured the desktop, hopefully we'll [secure IoT devices] faster, and Senrio in Portland is trying to bring security in, but I don't think anyone's buying or seeing that. Hopefully...

Javantea: How many botnets do you need?

Blue: They just put an IoT law into Congress; I don't know if it will pass...

CryptoMonkey: The largest DDoS ever is [regularly] doubling and tripling in size. Some of these guys are generating over a terabit DDoS.

Crash: DDoS is scaling with the capacity of everything else as well. [More raw DDoS...]

Hackworth: [Some type of toy?] is now banned in some countries.

###### 8. How do people who are new to security break into the field?

Crash: This is what I did. I founded Neg9 and the West Coast Hackers, and I realized I could get paid for doing this stuff. I was a sophomore in high school when I founded West Coast Hackers. I did sysadmin work at a web hosting company, moved to more web security work and found hacking was fun.

T0m: I find that there's no predefined path to get into it. You get people straight out of academia vs. people with a self-taught IT background or who come out of the dev world. I came from dev; I did about 5 years of software dev before admitting to myself that I found security more interesting than the gaming world that I was in at the time. There's no predefined path; what we have in common is a passion for the field and being able to be self-taught, having the passion to really want to dive into it. What makes good hiring is what [Javantea?] calls the evil streak; I call it the hacker mindset: the mental aspect that you can't turn off if you're the right kind of person. You can be moral and law-abiding, but when you walk into a store you think about where all the hammers are and you think about where you can walk out with stuff...it's that mindset that really will get you to the world you want to be in, if security is really it. It's the combination of wanting to know everything about something and wanting to push the boundaries of what's possible and what people want you to know.

Crash: Formal education in this is a new thing. When I was interested in this, security wasn't taught as a course at most colleges. Matt Bishop's class was maybe going on; in the past few years schools have been getting a lot of that.

CryptoMonkey: UW Bothell had their first student OWASP meeting. I was talking to people doing computer security / information assurance, and none of us on the Board had majored in anything computer-related, and we talked about how we fell into it. I agree about the hacker mindset, but I think the difference is that now you have to have the curiosity and know when to stop, as the things I did to learn assembly and reverse engineering 20 years ago are not the same now. Now the trainings are the way to do it. Seize the leaderboard. Additionally, sometimes when looking at an application in the wild, you see there are flaws but don't do anything about it. If a website doesn't have a bounty, you have to STOP. Don't do anything about it. We turn away really smart people if they have any kind of a blemish on their record. The Neg9 leaderboard is the better way to go.

[Someone:] Lots of companies require experience. How do you develop that?

CryptoMonkey: We bring tons of UW computer science students in for internships at F5 Networks. If you can get an internship then that's a great way, and there are a ton of internships here. Getting your foot in the door is the hardest part of this. Once you say I did these CTFs...you say I learned about this approach; it doesn't matter if you learned by reverse engineering malware, looking at something on VulnHub, or by CTF challenges. [You will get your foot in the door.]

[Someone else:] Publish stuff if you can; if there's no limit then GitHub is your friend. GitHub is a great way to leave a trail of what you can do.

T0m: GitHub matters more than your resume.

[Someone]: What does entry level work look like?

[Reply:] Log analysis. Mundane work. It gives you a corner. The computer security world is vast. People take stuff from log streams and use machine learning, saying this is dangerous and this isn't. There are forensics people, and a professional services / consulting world where their whole world is to write the report. Nobody will ever tell you this: the job is really to hack stuff and then take three times as long writing stuff up in Word. Whatever else you're doing, get one good write-up done and publish it on the Internet. Use a handle, publish it and don't read any of the comments. Use that as your calling card. Nobody reads resumes in the computer security world. They want to know, can you break stuff, write it up and communicate it in an articulate way.

CryptoMonkey: And can you communicate it in a non-technical manner.

T0m: There are tech people in development firms where you talk to competent programmers all day; there are customers with varying levels of competency. That separates the good person at a job from a tester. Speaking to the customer, and writing reports that people learn from, the stupid soft skills you learn in college -- that matters.

CryptoMonkey: A guy asked the panel, how do you get a job doing machine learning? Machine learning is a tool that people use to solve business problems. Reverse engineering malware is a useful tool. We hire people on just talking about how you learned a tool. You never enter a company knowing how to do a job. I've been at F5 for 16 years and am barely there. Those things are what get you in the door, as well as GitHub -- what you put out there publicly.

Javantea: I know a guy in Bellevue if you're looking for an entry-level machine learning job.

[Someone else:] There's an operational aspect of security: every single enterprise has a security team focused on particular things, and their purpose is to understand security and practices etc. in there to help the company to do what it needs to do, but secure those systems so they can get stuff done and not get pwned. There's a whole operational aspect that requires its own set of expertise as well.

T0m: You have to be an expert at something in this field, and you have to figure out what that something is going to be. Figure out what interests you and what you want to be doing.

CryptoMonkey: At the beginning of your career, you don't know everything. When I switched from network engineering to designing hardware chips, I didn't think I would want to be doing electronics, and now I do it all the time. At a larger company like ours we put people back in for some other job. At the beginning of your career you can't be afraid to try a different area. Play with a lot of things, and if someone offers you something different, try it.

Crash: Internships now are awesome. Our interns have done 3-4 different internships. They get lots of exposure to different things. I didn't do internships, but it seems pretty cool.

Blue: You can also work in something close to security and, every time you see a security incident, dive in to get exposure.

CryptoMonkey: Prove you are a good worker and have a security mindset.

[Someone:] This is a perennially talent-starved field; think tanks are putting out papers saying we don't have enough hackers and it's a national security problem. There's tons of hiring queues trying to absorb people constantly, and the big problem is the first internship. After that it's all pivoting.

###### 9.
What are the ingredients for a good CTF write-up? Javantea: Code first. You have to share the source code. T0m: but some "writeups" are just Python code for the exploit. I follow a lot of the groups that do write-ups. I go to CTFTime, sort teams by their number of writeups, and subscribe directly to the top teams. A write-up should be reproducible. But should also be interesting. Write a story where it goes in order and is exciting, with all the details. Crash: See the main neg9.org news feed. There are many pages of content, it's pretty good, we review them amongst each other before posting. Rootfu.org is Meta's website and he has a smaller number but pretty high-quality writeups. These translate into writing the boring reports and communicating at any job. T0m: I have a different voice and the same idea. You should be able to produce a write-up where someone a step below your technical level can still walk through it and understand what's going on. CryptoMonkey: You have to say why you did various things. That helps to make it compelling for someone to read. So people can say from a business perspective, this person thought of how people can go off track here, and addressed this as part of a write-up. T0m: Don't be afraid to show the wrong paths you went down. When someone asks you to code up this stupid challenge, they really want your thought process. A good write-up shows why you made various mental leaps. You can tell when a write-up has omitted lots of hours of work. [Someone else:] Failures can be interesting from a security perspective. Any decision tree that you took that spent a bunch of time as an attacker is usually actually interesting to the person who created the challenge. This one hacker met a release engineer at CISCO [at a conference] and said one of the big peroblems I have pwning your firmware is you distribute your software as a uniform binary blob and I just can't find predictable gadgets. 
And the engineer said "we're working on fixing that" and the hacker says "No, don't fix it! My point is that's protecting you!" [Someone else:] For CTFs, the difference between a 100- vs. a 500-level challenge is that 200-level challenges are worth no points with people still going crazy. Capture everything you're doing, and use Etherpad. It's an amazing text wiki thing where you collaborate, and is good for building writeups. [Someone else:] Security professionals have to keep track of everything you did so if you fail you can say what you tried. So that's the benefit of write-ups. CryptoMonkey: If you documented all the things you tried and didn't work, you can pass the work along. Hackworth: document your stuff as you're doing it because it may go away. ###### 10. Ethics of Writing Exploits [Another question:] In my GitHub repository, I'd rather showcase software that I've written. But how do I make sure that I'm not uploading something wrong that might turn against me, vs. something impressive? Javantea: You just know when something is good and something is bad. If you're torn between "is this right?" and "is this wrong?", well in my opinion viruses are speech. It's up to you to decide whether publishing a virus is your God-given right or if you should just do the simple stuff. Hackworth: If it's part of your current employer's line of business, stay on the right side of your employer's policies. CryptoMonkey: The MeatPistol guys got fired from SalesForce for making their code public! [Someone:] Say you write an IDA Pro Plug-in and someone uses your tool [for hacking]... Hackworth: There have been court cases on that topic. You have to use your best judgment. Javantea: Every tool has dual use. Nothing sophisticated enough to do good cannot also be used for bad. [Someone]: You can ask yourself, are you paid a ton of money [to develop a tool]? Did someone say they were going to hurt people? Did they then do it? If you get the trifecta it's pretty bad. 
When in doubt ask the EFF or email this group. They're there to help people like us. [Another comment:] With respect to what interests you, security previously was systems and now it's a huge field where people are coming in from AI, ML and so on, how do you keep yourself updated with it and how do you make yourself feel whether it is the right path? Is it okay for a person to know everything, or just concentrate on one thing? T0m: Give up on the idea of sleeping. Hackworth: Also, give up on knowing everything. [Straad I think:] Plus, give up on knowing a lot about any one area. If you want to know everything about something, talk to a Ph.D. candidate and ask them what they know about. They'll tell you what the thing was that made them the world expert. And it's always something really narrow. Knowledge frameworks matter more than specific knowledge. How to guess implied behavior based on what it is that you can actually see. Making a good guess about what some thing is processing. [End of meeting.] ---- CategoryLocalMeetings