Submitted by Dan Kaminsky on Mon, 2007-10-29 01:29.
I know, I know, I was just talking about upcoming cons, but I'd like to take a moment and specially call this one out: This is the first year for SecTor out in Toronto, and I've got to say, I'm really looking forward to this one. For a first year con, filling up three tracks in two days with some genuinely interesting looking material is pretty impressive. I've become pretty good friends with a few of the organizers, and they're pretty much The Awesome, so I'm sure that has something to do with it.
One of the talks I'm actually looking forward to is really obscure: SSL Fingerprinting has kind of been in the back of my mind for a while now. (Big complex parser on anonymous surface of lots of embedded devices. You think this wouldn't interest me?) Turns out Jay Graver and Ryan Poppa from nCircle have already been playing around with that stuff. Cool!
Submitted by Dan Kaminsky on Mon, 2007-10-29 00:48.
Ah, just back from Toorcon in San Diego. I've been doing Toorcon for years; it's one of my favorites just from the perspective of everyone being able to hang out freely with no distance between "speakers" and "attendees". Lots of smart people up to great stuff -- Nate McFeters actually told me of a brilliant and obvious (in retrospect) attack against the JVM's 11 year old DNS Rebinding defenses:
1) Tell JVM to load your code from www.attacker.com (attacker IP)
2) Crash JVM
3) Rebind www.attacker.com to target IP
4) Tell JVM to load your code from www.attacker.com. It won't go out to the target IP -- it actually has a local cache, keyed on hostname only.
Yes, they reimplemented the 11 year old DNS Rebinding bug. *sighs* Apparently it's fixed, or is about to be anyway.
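The four steps above as a constructed simulation, added here and not code from the original post or from any JVM: a resolver the attacker controls, a plugin process whose DNS pins die with the process, and an applet cache that survives a crash and is keyed on hostname only. The "fixed" variant that keys the cache on (hostname, IP) is one illustrative repair and an assumption of this example; the post does not say how the real bug was fixed. Hostnames and IPs are made up.

```python
"""Simulation of the cached-applet DNS rebinding attack.

Nothing here touches a real JVM or the network; the resolver, the
plugin process and the code cache are toy models of the behaviour
described in the post.  Hosts and addresses are constructed.
"""

ATTACKER_HOST = "www.attacker.com"
ATTACKER_IP = "203.0.113.10"   # attacker's web server (constructed)
TARGET_IP = "192.168.1.1"      # victim's internal device (constructed)
APPLET_CODE = "applet-that-connects-back-to-its-codebase"


class RebindingResolver:
    """Authoritative answer under attacker control: attacker IP until
    rebind() is called, then the target's internal address."""

    def __init__(self):
        self.answer = ATTACKER_IP

    def rebind(self):
        self.answer = TARGET_IP

    def resolve(self, host):
        assert host == ATTACKER_HOST
        return self.answer


def fetch_applet(ip):
    """Only the attacker's server hosts the applet; asking the target
    for it returns nothing, so no code would load from a fresh fetch."""
    return APPLET_CODE if ip == ATTACKER_IP else None


class PluginProcess:
    """One JVM process.  DNS pins (hostname -> first resolved IP) live in
    the process and vanish when it crashes.  The code cache is passed in
    because it persists on disk across processes."""

    def __init__(self, resolver, code_cache, key_on_ip):
        self.resolver = resolver
        self.code_cache = code_cache
        self.key_on_ip = key_on_ip   # assumed fix: cache key includes the IP
        self.pins = {}

    def pin(self, host):
        if host not in self.pins:
            self.pins[host] = self.resolver.resolve(host)
        return self.pins[host]

    def load_applet(self, host):
        """Return the applet code for host, from cache if present."""
        ip = self.pin(host)
        key = (host, ip) if self.key_on_ip else host
        code = self.code_cache.get(key)
        if code is None:
            code = fetch_applet(ip)
            if code is not None:
                self.code_cache[key] = code
        return code

    def applet_connects_to_codebase(self, host):
        """The applet may open sockets to its codebase host; the same-origin
        check is by hostname, the socket goes to whatever that name pins to."""
        return self.pin(host)


def run_attack(key_on_ip):
    """Play the four steps; return the IP the applet ends up talking to,
    or None if no applet code runs in step 4."""
    resolver = RebindingResolver()
    shared_cache = {}
    # 1) victim loads the applet while the name points at the attacker
    jvm = PluginProcess(resolver, shared_cache, key_on_ip)
    assert jvm.load_applet(ATTACKER_HOST) == APPLET_CODE
    # 2) crash the JVM: pins are gone, the on-disk code cache is not
    jvm = PluginProcess(resolver, shared_cache, key_on_ip)
    # 3) rebind the name to the target
    resolver.rebind()
    # 4) load again: hostname-only cache serves the old code without
    #    contacting the target, and the code may now connect to "its" host
    if jvm.load_applet(ATTACKER_HOST) is None:
        return None
    return jvm.applet_connects_to_codebase(ATTACKER_HOST)


if __name__ == "__main__":
    print("hostname-only cache, applet reaches:", run_attack(key_on_ip=False))
    print("(host, ip) cache, applet reaches:   ", run_attack(key_on_ip=True))
```

With the hostname-only cache the applet loaded in step 4 is the attacker's, and its "codebase" now pins to the target address; with the cache keyed on the resolved IP, step 4 misses the cache, the fetch goes to the target, which serves no applet, and nothing runs. The general lesson is the one the post draws: any cache or permission that is keyed on a name the attacker controls inherits that name's ability to change.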
So one of the really cool things about giving these talks is seeing how people process the information and go off in a hundred different directions. Check this line of thinking out -- apparently, the entire plugin API never thought hosts or IPs would ever matter, and people have been hacking that information out of the DOM since. Every once in a while, as a security auditor, you see a system that is clearly designed in such a way that it implies its own exploit. This is a good example.
It's wandering season! I don't get to do nearly as many new cons as I'd like (and people have no idea how much it kills me not to be able to accept every invitation), but this month I'm actually hitting not one but two new events. First, I'm flying out for Bar Camp LA this weekend, November 3rd and 4th. Bar Camp is interesting -- it's a sort of "pattern" for a semi-self organizing weekend con that's gotten syndicated out worldwide. Check out the main Bar Camp Wiki -- there's something like 29 of these coming up in the next few months. I have a lot of fun every time I stop by Los Angeles (understatement), and Bar Camp should be especially interesting as I get to hang out with a whole new crew of smart people, not all of whom are even hackers.
(Side note: Spent some time hanging out with some guys from the Golem Group at Caltech, who were all too happy to show me running simulation code from their entry into the 2007 DARPA Urban Grand Challenge. I got to watch a live recording of the real world as a series of OpenGL Particles. LIDAR is officially awesome. This alone made that day grand; the bouncy castle, the mexican wrestling masks, the lecture on biological logic, and the feather boa put it into an entire new class of awesome.)
Submitted by Dan Kaminsky on Sat, 2007-08-18 03:52.
OK, this just rocks. Grandma made Black Hat TV!
Submitted by Dan Kaminsky on Wed, 2007-08-15 15:24.
Hanging out in Vienna's Metalab, the first of the Hackerspaces that the Hacker Foundation has taken us to. It's actually really interesting, studying very finely designed approaches to building an artistic/technical/constructive space for creative work. One interesting tidbit -- this hackerspace has been successful enough to get funding from the Austrian government! That's really cool.
It's a good vibe here -- good enough that Bre and I are coming back tomorrow night to give talks. If you're in the area, stop on by! Metalab is at:
Rathausstr. 6
1010 Wien
Vienna, Austria
We'll be here around: 16-Aug-2007 19:00
This should be fun...
Submitted by Dan Kaminsky on Mon, 2007-08-13 17:32.
So someone asked me what users should do, to protect themselves against DNS Rebinding attacks.
That's when I realized it wasn't completely obvious to people that XSRF defenses are irrelevant as long as DNS Rebinding exists.
XSRF -- Cross Site Request Forgery -- deals with the concept that random web sites can in fact cause your browser to make arbitrary GET and POST requests. If you have a home router that will respond to these arbitrary GET/POSTs by, for example, changing its DNS server to an arbitrary location, well, it's now pretty easy for someone to hijack your network connection.
You go to a website, it reconfigures your router. Not good.
Traditionally, XSRF defenses use the fact that a cross-site request can't have its response read out by script. So if using a router's web interface depends on pulling some data out from a login page response, the attacker who can cause a browser to make arbitrary requests can't do anything.
Except, DNS Rebinding means an attacker can read these responses, because the Same Origin Policy that's supposed to establish this security boundary is easily bypassed by putting both the home router and the attacker server in the same DNS domain.
So, the #1 thing people need to do to protect themselves against DNS Rebinding -- set strong passwords on your home router. Not a single device in the field with a weak password can be safe. Every XSRF defense has been defeated. *sighs*
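The situation above as a constructed model, added here and not the code of any router or of the original post: an admin interface with a password login, a session cookie and a per-session XSRF token, attacked first by a plain cross-site POST and then by a script that, after a rebind of www.attacker.com to the router's address, shares an origin with the router and can read its responses. It also shows the two things that still stop the rebinding script: a password it cannot guess, and a check that the Host header names the router (an added defense, not one the post mentions). Addresses, hostnames, cookie and token formats and the default-password list are made up.

```python
"""Toy router admin interface facing plain XSRF and DNS rebinding.

Constructed example, not any vendor's firmware.  All hostnames, IPs and
formats are illustrative.
"""

ROUTER_IP = "192.168.1.1"                        # constructed LAN address
ATTACKER_HOST = "www.attacker.com"               # name the victim's browser loaded
DEFAULT_GUESSES = ["admin", "password", "1234"]  # constructed default list


class Router:
    """Password login, session cookie, per-session XSRF token, and an
    optional Host-header check (the rebinding defense added in this model)."""

    def __init__(self, check_host_header, admin_password):
        self.check_host_header = check_host_header
        self.admin_password = admin_password
        self.dns_server = ROUTER_IP
        self.sessions = {}   # session cookie -> xsrf token
        self._n = 0

    def handle(self, method, path, headers, form):
        """Return (status, body); body is a dict to keep assertions readable."""
        if self.check_host_header and headers.get("Host") != ROUTER_IP:
            # The browser sends the name the page was loaded under; after a
            # rebind that is still www.attacker.com, not the router's address.
            return 400, {"error": "unexpected Host header"}
        if method == "POST" and path == "/login":
            if form.get("password") != self.admin_password:
                return 403, {"error": "bad password"}
            self._n += 1
            sid, token = f"sid{self._n}", f"tok{self._n}"
            self.sessions[sid] = token
            return 200, {"set-cookie": sid, "xsrf_token": token}
        sid = headers.get("Cookie")
        if sid not in self.sessions:
            return 401, {"error": "login required"}
        if method == "POST" and path == "/settings":
            if form.get("xsrf_token") != self.sessions[sid]:
                return 403, {"error": "bad xsrf token"}
            self.dns_server = form["dns"]
            return 200, {"dns": self.dns_server}
        return 404, {"error": "not found"}


def admin_login(router, password):
    """The legitimate user, who typed the router's address into the browser."""
    status, body = router.handle("POST", "/login", {"Host": ROUTER_IP},
                                 {"password": password})
    return (body["set-cookie"], body["xsrf_token"]) if status == 200 else None


def plain_xsrf_attack(router, victim_cookie, evil_dns="203.0.113.53"):
    """Cross-site POST: the browser attaches the victim's router cookie, but
    the attacker never saw a login response, so it cannot supply the token."""
    status, body = router.handle("POST", "/settings",
                                 {"Host": ROUTER_IP, "Cookie": victim_cookie},
                                 {"dns": evil_dns})
    return "hijacked" if status == 200 else body["error"]


def rebinding_attack(router, guesses, evil_dns="203.0.113.53"):
    """Script on the attacker's page after www.attacker.com was rebound to
    ROUTER_IP.  Same origin, so it reads every response, token included.
    Cookies are per hostname, so it has no router session and must log in."""
    hdr = {"Host": ATTACKER_HOST}
    for pw in guesses:
        status, body = router.handle("POST", "/login", hdr, {"password": pw})
        if status == 200:
            break
        if status != 403:
            return body["error"]
    else:
        return "login failed"
    hdr["Cookie"] = body["set-cookie"]
    status, body = router.handle("POST", "/settings", hdr,
                                 {"xsrf_token": body["xsrf_token"], "dns": evil_dns})
    return "hijacked" if status == 200 else body["error"]


if __name__ == "__main__":
    weak = Router(check_host_header=False, admin_password="admin")
    cookie, _ = admin_login(weak, "admin")
    print("plain XSRF vs token defense:  ", plain_xsrf_attack(weak, cookie))
    print("rebinding vs token defense:   ", rebinding_attack(weak, DEFAULT_GUESSES))
    strong = Router(False, "correct horse battery staple")
    print("rebinding vs strong password: ", rebinding_attack(strong, DEFAULT_GUESSES))
    checked = Router(True, "admin")
    print("rebinding vs Host check:      ", rebinding_attack(checked, DEFAULT_GUESSES))
```

The token stops the plain cross-site POST because that attacker never reads a response; it does nothing against the rebinding script, which reads the login response like any same-origin page. What is left is exactly what the post says: the password the script has to guess, plus, on the device side, refusing requests whose Host header is not one of the router's own names or addresses, since the victim's browser keeps sending the attacker's hostname after the rebind.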
In other news, this entire class of bugs seems to be attached to an ancient law of security: "Simultaneous access to multiple security domains is hard." We're trying to do something very difficult with private content on the web, and given the creakiness of something as essential as the Same Origin Policy, I'm becoming increasingly worried that we're missing some essential infrastructure here.
That being said, so many people are working together on fixing SOP that the inertia from that effort might well drive further goodness. Cool!
Submitted by Dan Kaminsky on Mon, 2007-08-13 07:47.
You'd think after Black Hat, Defcon, and the truly absurd Hackers On A Plane / CCC Camp journey, I'd be ready to go home.
Nah. I'm hanging around Europe for another week. Nick Farr has a posse, and he is guiding us on a tour of some of Europe's "Hackerspaces" -- highly creative environments somewhere between artist studios, clubs, and barn raisings. Tonight, we're off to C-Base, possibly the best known of them, but all week we're going through Germany and Austria to see just what people are up to.
I suspect I will be losing weekends to 3ric's Public Nerd Area after all. I blame Bre of MAKE Magazine.
Wow. This entire experience has been exhausting but incredible. I've spent this entire month surrounded by astonishingly friendly, deeply creative people. I've captured videos, even doing my first interview ever! And I got pelted with water balloons.
On camera.
Rock.
Submitted by Dan Kaminsky on Wed, 2007-08-08 21:09.
There are many communities in Seattle, but two of the most visible are the Hackers and the Burners (of Burning Man). Though there's some overlap between the two, they're rather distinct groups.
The distinction may not exist here, in a small town outside of Berlin. CCC Camp is beyond incredible. I am literally failing to sleep, lest I miss a moment.
Just a day in, here's a couple tales...
TOP TEN+ REASONS YOU REALLY SHOULD BE AT CCC CAMP (After 36 hours):
10. Talks are in nuke-hardened aircraft hangars. Yes, I already mentioned this. I don't care. Best venue evar.
9. Hangar was camouflaged as a hill. Camouflage has been broken by topping hill with a black Pirate flag.
8a. The planes are out front. What part of "MiG-23" is not awesome?
7b. Just in case, internal lighting has been added to most of the jets.
7c. Jets. That's plural.
6. 24 hour Pasta stand. Next to your tent.
5a. Supermarkets here have wheelchair-accessible shopping carts.
5b. Said carts are in fact hacker friendly.
5c. Said hackers with said carts not met friendlily.
4. NSA listening post? Right over there.
3a. $10G commercial autonomous flying quadrocopters? To your left.
3b. $500 homebrew autonomous flying quadrocopters? To your right
3c. Earthbound? Try the remote control electric wheelchair. (See also: 5a)
2a. FTTC (Fiber To The Camp)
2b. PTTT (Power To The Tent)
2c. DETH (DHCP Ethernet Tracing Hike -- 1000 feet to find which tent has the DHCP server.)
1. "Aww! You guys have no power? Come, we have alcohol and we have electricity." Uh, yes'm.
Seriously, Euro-Peeps? If you don't come out here right now, an American may very well have to accuse you of being a workaholic. Srsly. Fefe and I summon.
(In other news, photos are being uploaded as we speak.)
Submitted by Dan Kaminsky on Tue, 2007-08-07 20:11.
Out by Berlin for CCC Camp. On Saturday, I deliver a talk in a nuke-proof aircraft hangar.
Perhaps the true weight of this has not sunk in. My talk has been partially secured against nuclear weaponry. ROCK!!!
BTW, a really cool article just came out regarding the latest research -- check it out!
Submitted by Dan Kaminsky on Thu, 2007-08-02 15:54.
OK, I was *trying* not to mess with DNS, but the combination of "DNS", "Firewall", and "Tunneling" proved just too tempting for me to ignore. Here are the slides from my Black Hat talk -- I'll update after Defcon, but yeh, here's what I'm playing with!
Black Ops 2007: Design Reviewing The Web
Everyone's talkin' about the TCP relaying stunts, but there's also Audio CAPTCHA analysis and (my favorite) concrete mechanisms for busting Provider Hostility.
(What's Provider Hostility? The opposite of Network Neutrality. Not fun.)