DEF CON 31 War Stories - The Risks of Pointing Out the Emperor is Buck Naked - Renderman, Tom Dang
Рет қаралды 51,021
8 ай бұрынPost 9/11, the phrase “If you see something, say something” became ubiquitous. If you saw something of concern, better to report something that was nothing than let something bad happen. Problem is, no one let the authorities know that they should apply this to the online realm too. Threats of arrest and criminal investigations have the opposite effect and chill anyone from wanting to report security vulnerabilities that affect everyone.
Lack of clear reporting paths, misunderstandings, jurisdiction issues, superseding laws, and good old fashioned egos can make trying to do the right thing turn into a nightmare that can cost livelihoods, reputation, criminal charges and even worse, particularly when government systems are involved.
This talk will cover the presenters personal experiences with poorly written or a lack of vulnerability disclosure policies with their governments and what it cost them in trying to make things better. The presentation will then move to a discussion about what should be done and what is being done to make sure that reporting a vulnerability doesn’t cost you everything. Anyone who is responsible for writing such disclosure policies or legislation will benefit, but so will any hackers that want to make it safer to report issues they find by advocating for changes.
@quillclock 8 ай бұрын
most defcon intro. the bottle drop was perfect moral of the story: don't fire your hackers for finding stuff. give them raises and they will gleefully fix it for you
@JeanQPublique 7 ай бұрын
It seems odd to start a talk with an act of machismo only to call it out in researchers a few minutes later...
@joshuasmith9350 7 ай бұрын
moral of story don’t hire hackers at all . fuck off with your revenge fueled existance
@Techfuse13 7 ай бұрын
@@JeanQPublique I think the bottle drop comes across more as performative (maybe it was a long day). The bottle drop was applauded, but I doubt machismo was what was being cheered.
@jameslynch8738 6 ай бұрын
@@Techfuse13 And just think there is someone out there who would love to charge them for seditious acts for doing that while discussing incompetent diplomatic relations. The irony.. o.0
@cogspace 7 ай бұрын
One of the many reasons we need reliable, trusted journalists is because while we should absolutely fight for better legal protections, there will always be some risk associated with going public with this kind of information, so it will always be safer to drop an anonymous tip to a reputable news outlet rather than go directly to the government.
@craigslist6988 8 ай бұрын
"what are the problems here" it's frustrating how much 'laughing it off' there was about their two anecdotal experiences. How many people could survive being attacked by powerful systems, whether the banks or the government, losing your job suddenly, having to pay lawyers, etc... and even for these guys who have the social and financial support to survive those attacks, nothing was done to make it right. I'm sure lawyer fees were never reimbursed, and a government fine of 5k is nothing to sneeze at. Many people could not absorb that easily, although the lawyer fees dwarf it. Governments and these companies are effectively waving a gun around like a madman at anyone knowledgeable about security and hacking and making it clear that when you find a vulnerability you can't have a rational discussion with this nutjob. Your only option is to put on your black hat and monetize exploits otherwise nothing will ever be done to fix them. Anyway, great talk but it's a dark topic when you consider what might be happening to people with less voice or knowledge in navigating the corruption.
@colewilliams9834 8 ай бұрын
it's a fair point. I'm in the UK which has had a pretty severe cost of living crisis recently. As a dev with 7 or so years of experience I've ended up stopping eating takeaway out of financial necessity rather than health reasons. I could not survive a legal challenge. I was given a fine by (some organisation I won't name) for a public infraction. I had the choice to pay a fine or show up in court. I had a strong case, but I wasn't willing to pursue that route cause most of us are living paycheque to paycheque. If I'd got that $5000 fine it would have been devastating.
@TehNoobiness 7 ай бұрын
After all the shit LEOs have been caught doing in the past 5 years, and all the nothingburgers that have been done about it, I legit don't know if responsible disclosure is safe anymore. If I report a vuln and the cops show up to my house, I could very well get shot in my sleep over it.
@wolcek 5 ай бұрын
"Governments and these companies are effectively waving a gun" well, I rather have a picture of a monkey with a razor blade in my mind.
@stiLLa2000 7 ай бұрын
God Bless Dan Kaminsky - R.I.P. - missed but never forgotten
@sjoervanderploeg4340 7 ай бұрын
This is so funny, because I have a relatable case! I reported QR collisions to the Dutch government and got faced with the "these are non-issues" e-mail. Basically for the COVID QR code they used a TOTP based on first letter of name and first letter of surname plus date of birth. So any "SP" born on my birthday could use my QR codes with my credentials. Even worse was the fact that you could simply generate any QR code yourself, the app didn't use any API to fetch codes... no it just generated codes based on a secret bundled with the app. So much for "non"-issue, never heard anything from anyone. No cops tho, no cops!
@sjoervanderploeg4340 7 ай бұрын
I have to add that the date check didn't even check the year, only day and month...
@danielschmider5069 6 ай бұрын
kinda same, in our case it was the url ending they sent via email simply being a base64 encoded string of the firstname + lastname + date of birth. You could check, reschedule and cancel an appointment without any other credentials, it was completely nuts. Thinking about how this got approved made me lose some hope for all of us......
@sjoervanderploeg4340 6 ай бұрын
@@danielschmider5069 never has a rushed IT solution worked out. Some intern tests qrencode, slaps it onto a project and calls it a day. This stupidity always leads to silly things like this,.
@andrewphi4958 2 ай бұрын
you should be really thankful for being handed such an easy way out of the cage.
@JustPlainRob 7 ай бұрын
The moral of the story, kids, is that when you discover a vulnerability you shouldn't report it and instead should sell it to shady folks on the dark web. Or at least that's what punishing well-meaning hackers causes.
@danmerillat 7 ай бұрын
Correct, although that's more a blackhat conclusion than one that you can say at fedcon. Don't even try to report, just sell it on the black market because if they're going to treat you like a criminal regardless, might as well get paid.
@xcoder1122 5 ай бұрын
Well, if you "sell" it, you can be accused of having done it only for personal profit. If you however publish it anonymously, they might still find out who you are and you are in trouble, but they can neither accuse you having it done for personal profit, as you gave it away for free, nor can they blame you to have published it for fame, as then you wouldn't have done it anonymously, since you cannot gain fame if nobody knows who you are. And when I say anonymously, I don't mean pseudo-anonymously, like using some kind of hacker nick or hacker group name, I mean using no name or pseudonym at all. After you've published it, you may point some media to it (TV or radio stations, newspapers, etc.) but I would not give it to them first, as that will again change the way how this looks and you never know what they are doing to do with the information.
@danmerillat 5 ай бұрын
@@xcoder1122 To be clear, I don't think anyone should be selling 0days. but the point of the comment was that if no matter how nicely you report you risk having your life ruined, it makes it a lot more attractive to have a reward for all that risk...
@Derbauer 7 ай бұрын
This should be required watching for all bug researchers.
@LordNAg 7 ай бұрын
THIS is how I find out Kevin Mitnick is dead?? RIP
@moonasha 7 ай бұрын
god, the canadian government is such a joke sometimes. Sometimes i think we have it bad in the states, then I see stories like this, where a guy gets fined $7500 for reporting a freaking vulnerability... jesus. They act like he published the info online and didn't save their butt.
@timothyblazer1749 6 ай бұрын
When hackers realize en masse that the government is lying when it says it cares about security is when this changes. There is no reasoned argument that will convince an apparatchik that a real problem is more important than the governments reputation. If you report something embarrassing or issue an ultimatum to those people, most will respond with guns ( police and prosecution ).
@feelinghealingfrequences7179 7 ай бұрын
$5,000 usd fine!?!?!?
@thewhitefalcon8539 7 ай бұрын
Yeah normally they get a life sentence
@asailijhijr 7 ай бұрын
It was only a HIPPAA violation.
@Adoyleonon 6 ай бұрын
“Sorry!” -Canadian government, except without the apology.
@joshuagies4900 6 ай бұрын
plus "legal fees"...
@paullees6687 6 ай бұрын
Man I would have been enraged. You make me pay for YOUR mistake?!
@vaporygon137 7 ай бұрын
Still have one of these service medals pinned to my Def Con bag.
@RoamingAdhocrat 7 ай бұрын
Doors and corners, kid. Don't come into the room too fast.
@jvsonyt 7 ай бұрын
The only thing I learned from this is "See something, shut tf up."
@htx80nerd Ай бұрын
Phil Haney did not klll himself.
@Stjaernljus 7 ай бұрын
say nothing to anyone, you will only get yelled at.
@MyThreeLivesASMR 7 ай бұрын
12:59 I think there was a mistake here. The HTML "hacking" case occurred in Missouri, not Mississippi.
@Techfuse13 7 ай бұрын
This should be pinned. I was in the state at the time, and I remember hearing about this. I really enjoyed the talk. Thanks for shortening the amount of head scratching for me @MyThreeLivesASMR. St. Louis Mississippi would be good reference to drop in Shadowrun.😀
@cannaroe1213 6 ай бұрын
At the end he says he claims ignorance as he's Canadian, but I don't think he should even say sorry, he's just being Canadian - who here could point to the Yukon, or Nunavut, or Seskatechahaka, or any of the other provinces Canada claims to have on the map? Sure these places probably don't exist, but we should at least try and remember their names before Mississippi-shaming them for confusing two real places.
@edbail4399 5 ай бұрын
Ha HA@@cannaroe1213
@DavidConnerCodeaholic 7 ай бұрын
“A hacker with time on their hands is dangerous” yeh in 2005ish I knew what Snowden reported. I’ve basically only ever had one job. Go figure. But it was really a bad idea for society to punish me by preventing me from having a job. They really assume that if they destroy your career early in, that you’ll never become anything. They undervalue talent and natural intelligence, thinking that (as it was in earlier decades), if they just prevent you from ever being respected/employed in society then somehow you won’t be intelligent. We have things like github, Wikipedia, free online education…
@SamTheEnglishTeacher 7 ай бұрын
What's going to happen?
@DavidConnerCodeaholic 7 ай бұрын
@@SamTheEnglishTeacher do you really want to know?
@SamTheEnglishTeacher 7 ай бұрын
@@DavidConnerCodeaholic yes
@DavidConnerCodeaholic 7 ай бұрын
@@SamTheEnglishTeacher 42 Also, the democrats are going to win the presidency by coercion & legal obstructionism, in which case the global economy will get BRICS’d
@DavidConnerCodeaholic 7 ай бұрын
@@SamTheEnglishTeacher whenever some factors constituting an economic perfect storm are set in motion, Russia/China will attempt to force the rest. More specific questions will maybe get you more specific answers.
@mr_b_hhc Ай бұрын
I wish I could say any of this was a surprise or is different in the UK where the law states that even intending to hack a system that is not yours or you do not have explicit permission to, is a bad time for you. Crazy. It's like they do not understand that criminals dint care about the law.
@Jordan-hz1wr 7 ай бұрын
I can't believe how he disrespected a bottle of Knob Creek like that.
@goldnutter412 7 ай бұрын
34:47 Language is just data too, starting with "i like to help" would be good 👏👏👏🤣 1 drink per hour rule
@Zsub1 6 ай бұрын
In the transcript around 00:16:38 it says "[inaudible 00:16:38]", he is saying the abbreviation "OSINT" there.
@MadeAnAccountOnlyToReplyToThis 4 ай бұрын
Damn Renderman is still kicking, respekt
@illsmackudown 7 ай бұрын
>The other guy at least had his own clothes... >You don't have clothes! >Yeah well, I'm not supposed to have clothes, it's how I look From DHMIS
@frankligas2249 7 ай бұрын
Timestamp 39:46 Dig your vibe. If you only get 15 minutes of fame... be a Rock Star.
@graog123 5 ай бұрын
hell of an intro
@robmorgan1214 7 ай бұрын
It's NOT GOOD ENOUGH.
@MadeAnAccountOnlyToReplyToThis 4 ай бұрын
Damn the Defcon audience has either gotten super stuffy or (impossible) they fixed the audio finally
@ChairmanHehe 7 ай бұрын
jesus christ im never reporting anything
@ryanwaege7251 7 ай бұрын
Having faith in government to be anything other than self-serving was your mistake.
@colestowing8695 4 ай бұрын
Amen
@benfreeman9717 6 ай бұрын
Ignoring the framerate, the sheer clarity of this 720 video is far above most 1080 videos I watch
@sediqullahsarwary103 7 ай бұрын
Awesome job guys. The world needs white hat hackers all the time.
@iisthphir 5 ай бұрын
01:50 👽
@06howea1 7 ай бұрын
Got a little alcoholic for a seccond there...
@alexstixx 7 ай бұрын
lol, renderman calling your state "batshit insane".
@bobmcbob4399 6 ай бұрын
These health fraud pushers need to go to hell
@iWhacko 7 ай бұрын
when your slides literally contain all the things you're going to say, they are bad slides. read up on how to make good presentations. Slides like these cause people to read ahead and become impatient, because they want to learn more. Use bullet points, and don't show them at once, fade them in when you're talking about it.
@jdcjr50 6 ай бұрын
These mens rea issues are so immature, it's embarrassing.
@jslay88 7 ай бұрын
i wish defcon would screen their presenters so we dont get slide readers.
@GamingKing545 8 ай бұрын
damn im actually 1st
@godofsquirrels494 8 ай бұрын
I’m deeply grateful for your sacrifice.
@asemic 8 ай бұрын
zazazazazazzzzzzzzzzzzzork
@claykellogg5372 6 ай бұрын
Cringe
@blackneos940 6 ай бұрын
Ooh, you owned *HIS* ass.
@edbail4399 5 ай бұрын
DEFCONConference
Рет қаралды 11 М.
Christiaan008
Рет қаралды 1,5 МЛН
Oscar's Funny World
Рет қаралды 115 МЛН
DEFCONConference
Рет қаралды 108 М.
DEFCONConference
Рет қаралды 105 М.
The Security Repo
Рет қаралды 754
HackersOnBoard
Рет қаралды 388 М.
DEFCONConference
Рет қаралды 21 М.
DEFCONConference
Рет қаралды 50 М.
Jack Rhysider
Рет қаралды 475 М.
DEFCONConference
Рет қаралды 63 М.
DEFCONConference
Рет қаралды 77 М.
VICE News
Рет қаралды 364 М.
Infinity Circus
Рет қаралды 3,6 МЛН
ЗОЛОТОЕ-TV
Рет қаралды 1 МЛН