Endpoint/Device Security

Top 10 Things I Learned at Blackhat 2012 & Defcon 20 and Vegas

This year I’m making just one epic top ten list. After 8 days in the Vegas desert, which included four days of training, two days of Blackhat and three days of Defcon, I learned a lot about a many things, including myself:

There are two things wrong, er right, here, John did do a lot of standing, and he is not Paul. All joking aside, the folks at Blackhat rock and both the training and briefings are extremely well done. Huge thanks to all of the Blackhat [email protected]

  1. It’s Not About You – I heard this quote recently, something along the lines of “All quarrels begin with selfishness”. I spoke with a lot of people, and the most enjoyable folks to talk to were the ones that truly wanted to give and make the community a better place. The ones that do things because its the right thing to do, and don’t expect anything in return. My advice to folks is to fit this into your career somehow, even if its a small slice, everyone will benefit. Of course, Johnny Long and the entire Hackers For Charity crew have made it a huge portion of their mission to help others, which is so awesome. We try to help HFC as much as we can, and so should you!
  2. Reversectf

    Tim got bored in class and wrote an application to keep track of team scores for the Offensive Countermeasures reverse CTF (in like his sleep or something, Tim is an AMAZING programmer!). In the “reverse CTF” the teachers hack into student’s virtual machines (with permission of course) and the students are encouraged to hack us back.

  3. NFC Is Really Neat – Charlie Miller gave a great talk on NFC technologies embedded in a few different model phones. The attacks required that you be in proximity to your victim, however, it underscores just how bad security is on mobile devices.
  4. Johnteaching

    John is also an amazing instructor. I truly believe that if the entire slide deck were nothing but lolcatz the students would still walk away with tons of knowledge, rate the course really high and talk about how awesome the class was for them.

  5. The Community Is Stronger Than Ever – The fact that each year both Blackhat and Defcon seem to grow in number is one indication that we have a great community. It means more people want to be a part of it, which is awesome. However, we have to hold a high standard. Jericho gave a great talk at Blackhat about policing our own, making sure that the community is aware of “false profits” and other such notions. This is important work, and we all need to do our best to support our community and call bullshit when we see it.
  6. Ben

    It was great hanging out with Ben, make sure you go grab the latest versions of his wireless honeypot called “Claymore”.

  7. I Love Python – I spent some time with both Ben Jackson and Tim Tomes over the weekend of Blackhat training. While John Strand did the hard work of training, myself, Tim and Ben did some good ol’ fashioned “geekin’ out”. I learned more about Python and made some contributions to Ben’s wireless honeypot project. In the end, I love Python (the debugger alone sets it apart from many other languages).
  8. Badpassword

    Part of the problem with embedded device security is that the developers don’t even LET you try to make it secure. W-T-F Asus!

  9. The Loud Minority Will Remain The Minority – This concept I borrowed from the cigar industry. I got talking to some of the folks that are behind making some of the finest cigars in the industry. They all say the same thing, if they listen to the “loud minority” they would be out of business. The hardcore cigar enthusiast wants certain things, specific blends, sizes and shapes of cigars. If they catered to this group, they’d go out of business, while its loud, its still the minority. The security industry has a similar group of people, and while I totally appreciate and respect people’s opinions, I try to fit it into the larger picture.
  10. Cooltoy

    HFC had this really cool rifle wireless hacking thinner. It had every kind of wireless toy on it, including ninja remotes and just about every other toy from deal extreme.

  11. There Will Always Be One Porn Star At Defcon – I won’t post it here, but I always end up with at least one picture to use in my presentations where at least one person is from the adult film industry. You will just have to wait until one of us presents in the proper setting to see the picture ;)
  12. Davidblackhat

    The largest Blackhat I saw in Vegas.

  13. “Hack Naked” Is A Great Filter – When people see the term “Hack Naked”, there are a few typical reactions. Having displayed this phrase proudly at Defcon to over 15,000 people, I feel like I can define a few of them. Some just laugh, and that’s all they do. They giggle and smile, and then just keep walking, almost like when you see someone with their fly down or toilet paper stuck to their shoe when they come out of the bathroom. Its cute and funny, and that is all. The next group finds it so funny and interesting that they want to be a part of it. They pick up a sticker and buy a shirt and wear it proudly. If you ask them “Why Hack Naked”, they’d say “Who cares, that shit is funny”. These are the folks we like to hang out with coincidently. The final group are the ones who are offended. I’m not sure if its the idea of someone sitting at a computer naked or the mudflap girl image, but its clear they are offended. Society today is far too easily offended, and if the mere suggestion of someone being naked offends you, get over it, we all came into this world naked. Furtheremore, there are far worse things to promote than being naked. I can’t help but think of a quote I read from an interview with Robin Williams who said when faced with the choice of their children seeing violence on TV or a love scene, the choice is clear, let them see the love scene! (And no, I’m not suggesting you let your kids watch porn).
  14. Dcbooth

    Our “booth babe” got lots of attention, mostly people were frightened by the 6′ tall cardboard cutout of Larry, naked, holding only a WRT54G wireless router.

  15. Cigars Make Friends – In a way, I kinda felt like King Edward VII of England who, after assuming the throne from mother, Queen Victoria, had previously banned smoking in court stated: “Gentlemen, you may smoke.” Its no secret I love to smoke cigars, and it was great to share that with many friends, both old and new.
  16. Pussycat

    I smoked a cigar called the “Pussycat”, couldn’t resist! In the back is one of my new friends, thanks to our shared passion for cigars!

  17. We Still Have A Huge Embedded Device Security Problem – I sat in on one of the talks at Blackhat on embedded device hacking. Its still the same story, poor security controls, poor coding, poor security feature implementations (stack has ASLR, but heap overflows still work).
  18. Weirdshowerwindow

    Sharing a room with Dave “The AV guy” when there is a window between the shower and the bedroom, is, well, weird.

  19. Our Listeners Rule – Just saying’, you all rock. I met so many listeners at both conferences and just wanted to again thank you for listening. We really appreciate your support, and more than ever are committed to sharing knowledge with the community in an entertaining way.
Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.