Monday 5 August 2013

Day 5 - DefCon 2013 - roundup of what happened

Since my Day 1 post, a lot has happened and I'm finally on the way home.

After all the adrenaline, my brain is starting to shut down, so here is a brain dump of the highlights of DefCon 21:
  • The presentation I delivered with Abe was great. We were able to show a great number of demos (with the help of PoCs previously created by Alvaro) and even though we had a room change, there was a packed room with good interactivity with the participants (see my next batch of posts for details of what we presented)
  • I met with a great number of friends and colleagues:
    • The 19x SI (Security Innovation) hackers that made it to Vegas - it is amazing how much talent exists at SI and how many great hires have occurred in the last year. It was great to meet them all and I was able to have a couple of great chats about the O2 Platform and how it can be used on current SI engagements (especially by John B, who is reviewing 1 Million lines of .NET code and is following the same paths/problems I had a couple of years ago (for example, O2 already has a full-blown API to create/manage/manipulate C# ASTs, so there is no need to build a similar tool using RegExs :) )
    • Ian Spiro: currently trying to figure out where to go after IBM was crazy to let him go (btw, if you are into BitCoins, talk to Ian, since he is all over it)
    • John Steven: still the most clever guy I know, and the only one I am able to have certain types of security conversations with (he is moving away from SAST, which is a massive tragedy, but the crypto/enterprise stuff he is doing sounds amazing (I have the dream of one day working with John and together making a massive dent in the Application Security universe))
    • OWASP Crowd (Sarah Baso, Samantha & Dennis Groves, Kelly) - it was good to catch up and to personally apologise to Sarah for writing the harsh blog post about her promotion. My promise to them was that I am going to try to have a more positive OWASP behaviour/contribution (instead of being the guy that complains about what is going on)
    • OWASP's Joanna (from Curacao) - she is a new OWASP leader and is simply amazing. Great energy, ideas and focus. The plan is for her to help to make O2 more consumable and easy to understand (starting with a couple how-tos and 'what is O2' pages)
    • OWASP's Arturo - the super guy from Argentina. He was at my talk and it was great to see him again and catch up. He had a good .NET friend with whom I ended up spending a good amount of time doing an 'ADT-style O2 Presentation' :). He was quite impressed with O2 and maybe he might help to build some bridges with Microsoft (who are still ignoring the innovation and ideas that are happening at the O2 Platform)
    • OWASP's Mano Paul (pic here) who is always doing something interesting and crazy (these days it is a mix of webappsec education, mobile reverse engineering research and teaching hacking in religious environments :) )
    • ... sorry for the ones that I missed, but I'm running out of coffee...
  • I was able to spend quite a bit of time learning about Java Object serialisation and writing the exploits for the vulnerabilities that Abe and Alvaro had found (I really felt that we pushed the research on this topic massively forward)
  • I was able to go barefoot 99% of the time, only got kicked out of a couple of places and was asked to put sandals on in a couple of restaurants. Here is me presenting BF
  • Again I forgot that in the USA an ID is needed to get into a bar (i.e. I was not able to get into the Microsoft party)
  • I saw a couple of good presentations, but didn't find a lot of web/application stuff (it looks like DefCon is a lot about Hardware/Network-Security/Political topics), which actually makes the OWASP conferences THE place for the latest and best Web Application Security research
  • The time-zone between the US and London sucks, it is hard to sync up and I really miss the family (this is my first 7 day trip for ages)
    • DefCon for kids is great and next year I'm going to try to bring my kids here 
  • My off-the-grid experiment went great, and it was really amazing to see how much of my research and work is currently online and open (and how refreshing it is to not have emails every day :) )
  • After having a lot of OWASP-related talks, I am more and more convinced that a great model for (parts of) OWASP is one based on Reddit: "Laser-sharp-focused communities, that are ruled by meritocracy, work in a completely open and transparent way, but are free to control the community voice, activities, focus, inputs, outputs, etc."
    • After all, what OWASP is really good at is: 'Community'
    • This 'bottom-up' OWASP model is one that allows the right individual(s) to lead with their work and energy, without needing 'permission, mission or direction' from the top
  • I also think that the time is right to bring back the idea of 'Software/API labels', especially for APIs like the Java XmlDecoder, which (in my point of view) is not fit for purpose and should be removed from the JDK (or be handled with lots of care)