Defcon 15 Speakers (speakers_title.gif)
Alphabetical by Speaker Name

Agent X
Iftach Ian Amit
Ofir Arkin

Kevin Bankston
Andrea Barisani
John Benson
Peter Berghammer
Daniele Bianco
Sean M. Bodmer
Sam Bowne
Sergey Bratus
Taylor Brinton
David Byrne

D.J. Capelis
Jim Christy
Patrick Chung
Anton Chuvakin
Maria Cirino
Robert W. Clark
Greg Conti
Crispin Cowan

Jesse D'Aguanno
The Dark Tangent
Rick Deacon
Dead Addict
Jared DeMott
Ganesh Devarajan
Deviant Ollam
Roger Dingledine
Toralv Dirro
Jerry Dixon
Steve Dunker

Peter Eckersley
Luiz Eduardo
Dr. Richard Enbody
Joel Eriksson
Nathan S. Evans
Gadi Evron

Ben Feinstein
Matt Fiddler
Tim Fowler
Zac Franken
Andy Fried

Kenneth Geers
Dave Goldsmith
Damian Gomez
K N Gopinath
Joe Grand
Jennifer Granick
Thomas Grasso
Christian Grothoff
Lukas Grunwald
Barry Gundy
Peter Gutmann
David Gustin

Ian G. Harris
John Heasman
Aaron Higbee
Ricky Hill
Marcia Hofmann
Greg Hoglund
Dr. Thomas J. Holt
Broward Horne
David Hulton
Bob Hopper
Dan Hubbard

Jon Iadonisi

Mike Jacobs
Karl Janmar
Luke Jennings
Dave Josephsen

Dan Kaminsky
Vitaliy Kamlyuk
Patrik Karlsson
King Tuna
Dirk Kollberg
Tim Kosiba
Benjamin Kurtz
Lee Kushner

Mickey Lasky
Bob Lentz
Edward Lee
Janne Lindqvist
David Litchfield
Johnny Long
Myles Long
Marce Luck

Kevin Manson
Rich Marshall
Nick Mathewson
David Maynor
Nathan McFeters
Mark McGovern
Haroon Meer
Charlie Miller
Doug Mohney
H.D. Moore
David Mortman
Scott Moulton
Shawn Moyer
Alexander Muentz
Rich Murphey
Mike Murray

Brett Neilson
Claes Nyberg

Christer Öberg
Danny O'Brien
Brendan O'Connor
Robert O'Hara
Kurt Opsahl
Steve Orrin
Alfredo Ortega

Chris Palmer
Daniel Peck
Mike Perry
Aaron Peterson
Bruce Potter
Ken Privette
Paul Proctor
Dr. Bill Punch

Danny Quist

Aviv Raff
Vivek Ramachandran
Keith Rhodes
Matt Richard
Billy Rios
Ian Robertson
Martyn Ruks

Tony Sager
Oskar Sandberg
Michael Schearer
Bruce Schneier
Michael Schrenk
Ari Schwartz
Jason Scott
Dror Shalev
Zed A. Shaw
Marco Slaviero
David C. Smith
Window Snyder
Julian Spillane
Alex Stamos
Robert Stoudt
Tom Stracener

Richard Thieme
Marc Weber Tobias
Steve Topletz
Schuyler Towne

Randal Vaughn
Paul Vixie
Mario Vuksan

Linton Wells
Jacob West
Thomas Wilhelm
Christian Wirth

Dov Yoran

Paul Sebastian Ziegler
Matt Zimmerman
Philip R. Zimmermann

44 Lines about 22 Things that keep me up at Night
Agent X

What keeps a hacker up at night? What issues and projects keep Agent X from getting a good night's sleep? This turbo-rant will present 22 things that make the night seem long and morning far off. Technology challenges, social challenges. Issues with the hacker scene, issues with the way the world works.

Agent X: Jesse Krembs is co-founder of the Hacker Foundation and former president. He travels widely performing radio survey & installation work, for Fortune 500 companies and municipalities. He's been involved with Defcon since 1998 is now Head Speaker goon. In his spare time he tinkers with tech in his secert lair 893 Studio.

Ofir Arkin
CTO Insightix

Network admission control (NAC), network access protection (NAP), network access control (NAC), and many other acronyms refer to a technology which aim to provide with access control verification before (and after) allowing an element to access the network.

Unfortunately due to the lack of standardization, and the diversity of solutions, many (if not must) NAC solutions suffer form a multitude of weaknesses impacting the deployment, implementation and the overall protection they provide.

The presentation examines various NAC solutions from leading vendors, highlight their weaknesses, and demonstrate how they can be bypassed.

The presentation is an updated presentation, which includes new material, and new unpublished methods to bypass NAC solutions.

Ofir Arkin is the CTO of Insightix (, leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. He holds more then 10 years of experience in data security research and management. He had consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control and lectures regularly at security conferences. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA). Ofir is the founder of Sys-Security Group (, a computer security research group.

Remedial Heap Overflows: dlmalloc style

Sometimes even the top dudes need a refresher course. Remedial Heap Overflows is not so much a lesson to the lame, but a refresher for the leet. One day the speaker was approached (in a subway, of course) by a top-notch dude (who has his own posse) and asked how they work. Clearly not even the best of the best always know everything.

Atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering. His introduction to the hard-core hacking world was through dc13's CTF Qualifiers. atlas won the individual contest in 2005 and lead the winning team "1@stplace" in 2006. atlas has written the WEP-cracking tool bssid-flatten, the @Utility-Belt (toolkit for hacking and exploitation), and his favorite tool, disass.

Injecting RDS-TMC Traffic Information Signals
a.k.a. How to freak out your Satellite Navigation

Andrea Barisani
co-Founder and Chief Security Engineer, Inverse Path Ltd.
Daniele Bianco

RDS-TMC is a standard based on RDS (Radio Data System) for communicating over FM radio Traffic Information for Satellite Navigation Systems.

All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up to date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course.The system is increasingly being used around Europe and North America.

The audience will be introduced to RDS/RDS-TMC concepts and protocols and we'll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information in the broadcast RDS-TM stream manipulating the information displayed by the satellite navigator.

We'll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!).

In order to maximize the presentation we'll also demo the injection...hopefully at low power so that we won't piss off local radio broadcasts.

Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago but all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project managing infrastructure server security being a member of the Gentoo Security and Infrastructure Teams along with distribution development. Being an active member of the international Open Source and security community he's maintainer/author of the tenshi, ftester and openssh-lpk projects and he's been involved in the Open Source Security Testing Methodology Manual, becoming a ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.

Daniele Bianco is a system administrator and IT consultant.

He began his professional career as a system administrator during his early years at university.

His interest for centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure.

For the time being Daniele is working as a consultant for Italian astrophysics research institutes, involving support for the design, development and the administration of IT infrastructure.

One of his hobbies has always been playing with hardware and recently he has been pointing his attention on in-car wireless and navigation systems. He's the resident Hardware Hacker for international consultancy Inverse Path Ltd.

Daniele holds a Bachelor's degree in physics from University of Trieste.

Bridging the Gap Between Technology and the Law
John Benson

The recent case of Julie Amero has cast a bright spotlight on the difference in understanding between the worlds of technology and the law. We will examine adoption of technology within the legal profession, trial court decisions, as well as legislative and appellate decisions which may be inconsistent with generally accepted security measures.

John Benson is the co-chair of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University, and an electronic discovery analyst at a large midwestern law firm. While in law school he excelled in the areas of evidence and trial advocacy, produced papers on the Sony XCP Rootkit and NSA warrantless wiretapping program, and was a general menace to the local network administrators.

A Journalist's Perspective on Security Research
Peter Berghammer (pf0t0n)
CEO Copernio: Future Formats

The presentation details the process whereby journalists select, discard, research and ultimately publish security related articles. It outlines the credibility necessary for security researchers to be taken seriously in the presentation of their findings and examines the "blowback" that criminal and kiddie hackers have on the security industry from a journalists perspective. This talk also looks at the current practices of legitimate software companies between secure content (DRM et al), metadata tracking, hardware and software tracking, and the very close parallels between their methods and those of the "hacking" universe.

Peter Berghammer owns a number of companies in the military and consumer electronics market spaces. Additionally he has written monthly articles for the past few years dealing with security, the law, legislation. In 2005 he was named a Fellow at Stanford Law's Center for Internet and Society (researching security items and munitions law). He speaks frequently in international venues on items surrounding security, security breaches, privacy issues and pending legislation. Full bio info at:

Analyzing Intrusions & Intruders
Sean M. Bodmer
Savid Technologies, Inc.

Intrusion Analysis has been primarily reserved for network junkies and bit biters. However, due to the advances in network systems automation we now have time to pay more attention to subtle observations left by attackers at the scene of the incident. Century old sciences have enabled criminal investigators the ability attribute attacks to specific individuals or groups.

Sean M. Bodmer is an active developer and deployer of intrusion detection systems. Sean is also an active Honeynet Researcher, specializing in analyzing signatures and behaviors used by the blackhat community regarding patterns, methods, and motives behind attacks. Currently Sean is working on a highly-adaptive sensor network under a joint commercial venture in which global sensors are deployed to generate better understandings of various attack approaches and techniques.

Teaching Hacking at College
Sam Bowne
Part-time Instructor, City College of San Francisco, Computer Networking and Information Technology Department

Last semester I taught a new course in "Ethical Hacking and Network Defense" at City College San Francisco. I had legal, ethical, and practical concerns about this class, so I took several precautions to protect the students from one another, and others from them. The course was a success--it was full and popular, and there were no security problems (at least none that I found out about).

We have built hacking into our Computer Networking and Information Technology program. The topic is important and exciting for the students, and reinforces their security knowledge. I encourage other college teachers to do the same.

Sam Bowne: Degrees: B.S. in Physics, Edinboro University of PA; Ph.D. in Physics, University of Illinois, Urbana Champaign Industry Certifications: Microsoft Certified Professional, Microsoft Certified Desktop Support Technician, Network+, Security+, Certified Fiber Optic Technician Sam Bowne has been teaching at CCSF since 2000.

Entropy-based data organization tricks for log and packet capture browsing
Sergey Bratus
Department of Computer Science, Institute for Security Technology Studies, Dartmouth College

I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing log data.

In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring
out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs.

Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views.

Our tools and algorithm descriptions can be found at

Sergey Bratus: For the past five years, my research at Dartmouth's Institute for Security Technology Studies was related to application of information theory and machine learning to log analysis and other security topics. Before that, I worked as a research scientist at BBN Technologies on applications of similar techniques to Natural Language Processing, English text and speech.

Intranet Invasion With Anti-DNS Pinning
David Byrne
EchoStar Satellite

Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not. DNS-pinning is a technique web browsers use to prevent a malicious server from hijacking HTTP sessions. Anti-DNS pinning is a newly recognized threat that, while not well understood by most security professionals, is far from theoretical.

This presentation will focus on a live demonstration using anti-DNS pinning techniques to interact with internal servers through a victim web browser, completely bypassing perimeter firewalls. In essence, the victim browser becomes a proxy server for the external attacker. No browser bugs or plug-ins are required to accomplish this, only JavaScript, and untrusted Java applets for more advanced features.

If anyone still thought that perimeter firewalls could protect their intranet servers, this presentation will convince them otherwise.

David Byrne: Specializing in web application security, David Byrne is a seven year veteran of the Information Security industry. He is currently the Security Architect for EchoStar Satellite, owner of Dish Network. David is also the founder and current leader of the Denver chapter of the Open Web Application Security Project (OWASP).

Virtualization: Enough holes to work Vegas
D.J. Capelis
University of California, San Diego

Have you tried to firewall a machine from itself? Have you ever tried to protect a machine with a multi-personality disorder? These questions are brought to us by the wonderful technology of virtualization. Though the technology is clearly sexy, security has clearly been an afterthought.

While every product claims isolation, it seems that's only when you don't have an attacker involved. Despite what the press releases say, it's not free to put all your machines on the same hardware. We'll be brushing aside the dust and trying to figure out part of the cost.

D.J. Capelis is a student and researcher at the University of California, San Diego. He does research on processor design, secure systems and dabbles in cryptography. For a "real job" he is an active member of UCSD's Data Security Team teaching computers how to tell when users are being mean. D.J. also maintains the team's virtualized testing and development environment. In his free time, he tends to show up at 2600 meetings and other food-related events where he plays with his OLPC development board and does platform-related work on Blender.

Panel 1: Meet the Fed
Jim Christy
Jerry Dixon DHS
Tim Fowler NCIS
Andy Fried IRS
Barry Gundy NASA
Bob Hopper NW3C
Jon Iadonisi DoD
Mike Jacobs SRA
Tim Koshiba FBI
Bob Lentz DoD
Kevin Manson DHS FLETC
Rich Marshall NSA
Ken Privette Postal IG
Keith Rhodes GAO
Linton Wells NDU

This year we will have so many feds representing their federal agencies that we will have to break it up into two separate panels:

IA Panel: Information Assurance, CERTS, first responder's organizations from agencies including DC3, DHS, SOCOM, NSA, OSD, NDU, and GAO.

LE Panel: and Law Enforcement, Counterintelligence agencies including DC3, FBI, IRS, NCIS, NASA, NWC3, US Postal IG, FLETC, and RCMP.

Each of the agency reps will make an opening statement regarding their agencies role, and then open it up to the audience for questions.

Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS, National White Collar Crime Center (NWC3), Special Operations Command (SOCOM), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University, Federal Law Enforcement Training Center (FLETC), and the Government Accountability Office (GAO). For the third year in a row, the "Meet the Feds" panel has gone international. We will have a rep from the Royal Canadian Mounted Police.

For years Defcon participants have played "Spot the Fed" For the 2nd year, the feds will play "Spot the Lamer" Come watch the feds burn another lamer.

Jim Christy, FX/DC3
  • Dir of Futures Exploration
  • Dir the Defense Cyber Crime Institute
  • R&D of digital forensic tools and processes
  • T&Validation of tools both Hardware & software used in an accredited digital forensics lab
  • Dir of Ops for Defense Computer Forensics Lab
  • LE/CI Liaison to OSD IA
  • DoD Rep to President's Infrastructure Protection Task Force
  • US Senate Investigator ­ Perm Sub of Invest
  • 11 years Dir of AF OSI Computer Crime Investigations

Jerry Dixon, DHS
As Director of National Cyber Security Division (NCSD) of the Department of Homeland Security, Jerry Dixon leads the national effort to protect America's cyber infrastructure and identify cyber threats. He works collaboratively and facilitates strategic partnerships with stakeholders in the public sector, private industry, and the international arena. Mr. Dixon was appointed Director of the NCSD on January 7, 2006.

Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT), where he was responsible for coordinating incident response activities across federal, state, local government agencies, and private sector organizations. Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led their operational cyber security capability for the IRS and developed their ability to detect and respond to protect American taxpayer's private information from security attacks. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

Tim Fowler, NCIS
Tim is an active duty Marine Special Agent who has worked as a Cyber Agent for the NCIS Cyber Department in Washington, DC, for the last six years. Tim has 19 years of active duty service in the U.S. Marine Corps working in the fields of military police, polygraph, criminal investigations and computer crime investigations and operations. While working as a Cyber Agent for NCIS, Tim specializes in conducting criminal, counterintelligence and counter-terrorism computer crime investigations and operations. Tim also has extensive knowledge and experience conducting media exploitation operations in hostile environments. In 2004, Tim was awarded the Bronze Star with combat Valor device by the Secretary of the Navy for his media exploitation efforts in Iraq.

Barry J. Grundy, NASA
Barry J. Grundy has worked as a Special Agent for the NASA Office of Inspector General (OIG), Computer Crimes Division (CCD) for the past six years. In that time he has been responsible for conducting computer intrusion investigations related to NASA systems. In 2005, SA Grundy received the annual Inspector General's award for his investigative efforts. He currently serves as the Resident Agent in Charge of the Eastern Region of the NASA OIG CCD, responsible for the supervision of criminal investigations related to cyber events at eight NASA Centers. Before working for the NASA OIG, SA Grundy was employed as a Special Agent for the Ohio Attorney General's Office, Health Care Fraud Unit, where he was responsible for the computer seizure and forensic media analysis support for the unit in addition to maintaining a normal health care fraud case load.

Prior to his law enforcement career, Grundy served for six years in the United States Marine Corps. All of his active duty service was spent in Reconnaissance Battalions, eventually as a Recon Team Leader, Scout/Sniper, and Combat Diver.

SA Grundy currently lives in Maryland with his wife, Jo Ann and son, Patrick. Hobbies include motorcycles, computers, and outdoor activities.

Andrew Fried, IRS
Andrew Fried is a Senior Special Agent with the Treasury Inspector General for Tax Administration's System Intrusion and Network Attach Response Team (SINART). His organization is responsible for investigating computer security incidents involving the Internal Revenue Service.

During his 17 year career with Treasury, he is credited with developing his agency's Computer Investigative Specialist (CIS) program, whose members are responsible for analyzing seized computers, as well as the SINART program, whose mission is to investigate computer intrusions and conduct pro-active network penetration testing.

In 1986, while working at the Kennedy Space Center, he developed one of the first suites of software programs specifically designed for analyzing seized computers. His software was distributed, free of charge, to law enforcement agencies throughout the world.

Bob Hopper, NW3C
Mr. Hopper manages NW3C Computer Crimes instructor cadre who provide computer forensics training to state and local Law Enforcement throughout the United States. The Computer Crimes Section offers basic, intermediate and advance training in computer forensics and computer crimes as well as provides technical assistance and research and development for computer forensic examiners.

Mr. Hopper retired with nearly thirty years service with the Arizona Department of Public Safety and thirty seven years in Law Enforcement. Mr. Hopper's Law Enforcement career included assignments in Narcotics, Air Smuggling, White Collar Crime and Organized Crime. Mr. Hopper also developed and managed the Arizona DPS Regional Computer Forensic Lab. This computer forensic lab grew from a two man unit in 1998 to a state of the art computer forensic lab that, in 2005 when he retired, had grown to seven state, local and federal agencies and nearly twenty five computer forensic examiners.

Michael J. Jacobs, SRA International, Inc.
Michael Jacobs joined SRA in October 2002 as a Senior Advisor following his retirement from the Federal Government after 38 years of service. In March 2003 he was appointed Director of SRA's Cyber and National Security Program. Prior to SRA, Mr. Jacobs was the Information Assurance (IA) Director at the National Security Agency (NSA). Under his leadership, NSA began implementing an Information Assurance strategy to protect the Defense Information Infrastructure and as appropriate, the National Information Infrastructure. He was responsible for overseeing the evolution of security products, services, and operations to ensure that the Federal Government's national security information was free-flowing, unobstructed and uncorrupted.

Mr. Jacobs had a long and distinguished career at the National Security Agency where he served in key management positions in both the Intelligence and IA mission areas. He served as the Deputy Associate Director for Operations, Military Support where he was responsible for developing a single, coherent military support strategy for NSA. During his 38 years of NSA service, Jacobs was a leader in Information Systems Security production and control, policy and doctrine and customer relations. He has testified before Congress on defense issues and has spoken widely on topics ranging from IA to cultural diversity. For his vision, dedication, and accomplishments, he has been recognized by the Department of Defense with the Distinguished Civilian Service Medal; by the Director Central Intelligence with the Intelligence Community's Distinguished Service Award; and by NSA with the Exceptional Civilian Service Award. In addition, he has been awarded the National Intelligence Medal of Achievement and was twice awarded the Presidential Rank Award for Meritorious Achievement.

He earned his B.S. degree in Business Administration from King's College and completed the Senior Managers in Government Program at Harvard University's Kennedy School.

Mr. Jacobs resides in College Park, Maryland with his wife Ethel and their five children. From 1997 through 2001 he served as the City's elected Mayor following fourteen years as an elected member of the City Council.

Timothy Kosiba, FBI
Timothy Kosiba has been a Forensic Examiner with the FBI CART Program for 12 years, and managing the CART-BWI Laboratory in Linthicum, Maryland for the last 6 years. Mr. Kosiba has a B.S. in Management Information Systems from the University of Baltimore, and M.S. in Forensic Science from George Washington University. Currently, he is also the Program Manager for the Forensic Networks Program within CART, and is responsible for managing the deployment of 25 Storage Area Networks around the country, for use in examining and reviewing digital evidence. Mr. Kosiba is also a Certified ASCLD/LAB Inspector in the discipline of Digital Forensics.

Robert F. Lentz, OSD
Mr. Lentz is the Director for Information Assurance (IA) in the Office of the Assistant Secretary of Defense, Networks and Information Integration/Chief Information Officer. He is the Chief Information Assurance Officer (CIAO) for the Department of Defense (DoD) and oversees the Defense-wide IA Program, which plans, monitors, coordinates, and integrates IA activities across DoD. Mr. Lentz is also the Chairman of the National Space INFOSEC Steering Council (NSISC), a member of the Presidential Sub-Committee on National Security Systems (CNSS), the Manager of the DoD IA Steering Council, and the IA Domain Owner of the Global Information Grid Enterprise Information Management Mission Area. In his capacity of IA Domain Owner, Mr. Lentz is a member of the DoD CIO Executive Council. He also reports to the Deputy Undersecretary for Security and Counter-Intelligence and is a member of the Information Operations (IO) Steering Council. Mr. Lentz represents DoD on several private sector boards, including the Center for Internet Security (CIS) Strategic Advisory Council, the Common Vulnerabilities & Exposures (CVE) Senior Advisory Council, and the Federal Electronic Commerce Coalition (FECC).

Mr. Lentz has over 26 years of experience with the National Security Agency (NSA) in the areas of financial management and technical program management. He has served as Chief of the Space and Networks IA Office, Chief Financial Officer of the NSA IA Directorate, Executive Assistant to the NSA SIGINT Collections and Operations Group and Field Chief of the Finksburg National Public Key Infrastructure / Key Management Infrastructure Operations Center. He has also served on several strategic planning and acquisition reform panels. Mr. Lentz has received the NSA Resource Manager of the Year Award, the Defense Meritorious Service Award, the 2003 Presidential Rank Award and the 2004 ≥Federal 100≤ award. In 2004, Mr. Lentz also received the highest-level honorary award the Department can bestow on a civilian employee, the prestigious Secretary of Defense Distinguished Civilian Service Award. Mr. Lentz is a graduate of the National Senior Cryptologic Course at the National Cryptologic School, Federal Executive Institute (FEI) and the Resource Management Course at the Naval Postgraduate School. He earned a Bachelor of Science Degree with a double major in History and Political Science from Saint Mary's College of Maryland and a Masters Degree in National Security Strategy from the National War College. While attending the National War College in 1999, Mr. Lentz's primary focus was on Homeland Security.

Richard Marshall, NSA
Mr. Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA). NSA's Legislative Affairs Office is the Agency's point of contact for all NSA matters concerning Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness, consistency, and corporateness. Mr. Marshall has been instrumental in framing critical appreciation by key Senators and Representatives on Information Assurance and its impact on helping to protect the nation's critical infrastructures. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic Excellence in Information Assurance Program in Boston, Massachusetts and the Detroit, Michigan areas where he led the effort to establish an International Consortium on Information Assurance.

Mr. Marshall was selected by Dick Clarke, the Cyber Advisor to the President to serve as the Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO), Bureau of Industry and Security, Department of Commerce where he led a team of 40 dedicated professionals in coordinating and implementing the Administration's National Security for Critical Infrastructure Protection initiative to address potential threats to the nation's critical infrastructures. He persuasively articulated the business case for enhancing information assurance in government and private sectors, and championed national outreach and awareness of information assurance issues to key stakeholders such as owners and operators of critical infrastructures, opinion influencers, business leaders, and government officials.

Before being nominated by the DIRNSA and approved by the SECDEF to serve in an Executive Development assignment to help lead the CIAO, Mr. Marshall served with distinction as the Associate General Counsel for Information Systems Security/Information Assurance, Office of the General Counsel, National Security Agency for over eight years. In that capacity, Mr. Marshall provided advice and counsel on national security telecommunications and technology transfer policies and programs, the National Information Assurance Partnership, the Common Criteria Mutual Recognition Arrangement, legislative initiatives and international law. Mr. Marshall was the legal architect for the Joint Chiefs of Staff directed exercise ≥Eligible Receiver 97≤ that spotlighted many of the cyber-vulnerabilities of our nation's critical infrastructures and helped bring focus on this issue at the national leadership level.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D. in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st Century program at Georgetown University School of Law.

Ken Privette, USPS
Ken works as the Special Agent in Charge of the Computer Crimes Unit (CCU) at the United States Postal Service Office of Inspector General. His Unit conducts computer crime investigations and provides computer forensics support to a force of over 650 agents who conduct fraud and internal crime investigations for the U. S. Postal Service. Over the past two years Ken's team has doubled in size, now managing a computer forensics workload of more than 900 requests per year.

Ken spent much of his professional life as a Special Agent with the Naval Criminal Investigative Service both overseas and state-side where he conducted investigations involving computer crime, terrorism, and counterintelligence matters.

Keith Rhodes, GSA
Keith Rhodes is currently the Chief Technologist of the U. S. Government Accountability Office and Director of the Center for Technology & Engineering. He provides assistance throughout the Legislative Branch on computer and telecommunications issues and leads reviews requiring significant technical expertise. He has been the senior advisor on a range of assignments covering continuity of government & operations, export control, computer security & privacy, e-commerce & e-government, voting systems, and various unconventional weapons systems. He has served as a Commissioner on the Independent Review of the National Imagery and Mapping Agency. Before joining GAO, he was a supervisory scientist at the Lawrence Livermore National Laboratory. His other work experience includes computer and telecommunications projects at Northrop Corporation and Ohio State.

Linton Wells II, Principal Deputy Assistant Secretary of Defense, Networks and Information Integration
Dr. Linton Wells II serves as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). He resumed these duties on November 14, 2005 after serving as the Acting Assistant Secretary and DoD Chief Information Officer from March 8, 2004. He became the Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence) on August 20, 1998 which became Networks and Information Integration in 2003. Prior to this assignment, he had served in the Office of the Under Secretary of Defense (Policy) from 1991 to 1998, most recently as the Deputy Under Secretary of Defense (Policy Support).

In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; C3I; and special access program oversight.

Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying.

Panel 2: Meet the VCs
Paul Proctor, Moderator VP, Gartner
Patrick Chung Partner, NEA
Maria Cirino Co-Founder and Managing Director, .406 Ventures
Mark McGovern Tech Lead, In-Q-Tel
Dov Yoran Partner, Security Growth Partners

2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with a announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON XVI.

Patrick Chung, Partner, NEA
Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC) to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusetts bars.

Maria Cirino, Co-Founder and Managing Director, .406 Ventures
Maria is co-founder and managing director of .406 Ventures, a new VC Firm focused on early stage investments in information security, IT, and technology driven services. She currently serves as an active investor, director and/or chairman in four venture-backed companies including Veracode, Memento, NameMedia and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of VeriSign following its 2005 $142 million acquisition of Guardent -- a Sequoia, Charles River and NEA backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, Which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category creating remote access company from 1993 to 1997 and prior to Shiva Cirino held various management positions at Lotus Development Corporation.

Paul Proctor, Vice President, Security and Risk Practice, Gartner Research
Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

Mark McGovern, Tech Lead, In-Q-Tel
Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Dov Yoran, Partner, Security Growth Partners
Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc. a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts.

Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents.

Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue.

Prior to that, Mr. Yoran has worked in several technology start-ups as well as Accenture (formerly Anderson Consulting) where he focused on technology and strategy engagements in the Financial Services Industry.

Mr. Yoran has also written and lectured on several Information Security topics. He holds a Masters of Science in Engineering Management and Systems Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.

Computer and Internet Security Law - A Year in Review 2006 - 2007
Robert W. Clark
Counsel, Dept of Navy Office of General Counsel

This presentation reviews the important prosecutions, precedents and legal opinions of the last year that affect internet and computer security. We will discuss the differences between legal decisions from criminal cases and civil lawsuits and what that means to the security professional. Additionally, we look at topics such as: email retention and discovery; active response; use of CFAA as non-competition methods; identity theft and notification issues; legal aspects of emerging technologies; lawsuits involving IT corporations (Google, Yahoo, Apple, Microsoft); and of course, the NSA surveillance litigation. As always, this presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.

Mr. Robert Clark is the principal point of contact in the Department of the Navy Secretariat and the Office of the General Counsel for legal issues regarding information management/information technology. As such he is responsible for advising on critical infrastructure protection; information assurance; FISMA; privacy; electronic government; identity management; spectrum management; records management; information collection; Open Source Software; and, infrastructure protection program both physical and cyber assets. Prior to this position Mr. Clark was the legal advisor on computer network operations to the Army Computer Emergency Response Team. Both these positions require coordination and consulting with the DoD Office of General Counsel, NSA, and DoJ Computer Crime and Intellectual Property Section. He is a previous Black Hat lecturer and lectures at Def Con, the Army's Intelligence Law Conference and the DoD's Cybercrimes Conference.

Satellite Imagery Analysis
Greg Conti
Lieutenant Colonel, United States Military Academy

Satellite imagery was once restricted to organizations like CTU, but now it is freely available to us all via powerful free online tools and commercial services. In this talk we will look at commercial collection platforms and capabilities, orbital mechanics and a variety of imagery analysis techniques. We will analyze examples from interesting places around the world and explore issues surrounding the future of satellite surveillance.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization by No Starch Press. His work can be found at

Securing Linux Applications With AppArmor
Crispin Cowan
Director of Software Engineering, SUSE/Novell

The core of the security problem is that most software contains latent bugs, and many of these bug can be exploited by attackers to cause the software to do something undesirable to the victim's computer. To block this threat, one can either use only perfect software (of which there is a shortage :) or use a security system to control what software may and may not do. The problem is that such systems are historically very difficult to use.

AppArmor is an application security system that directly attacks the ease of use problem, making it possible for widespread adoption by developers, system administrators, and users. AppArmor provides for security profiles (policies) that specify the the files that a given program may read, write, and execute, and provides tools to quickly and automatically generate these profiles.

This presentation will briefly introduce the AppArmor system, and then spend much of the time showing how to best use AppArmor to confine applications and protect systems. AppArmor is pure GPL software, and is available for SUSE, Slackware, Ubuntu, Gentoo, and Red Hat Linux.

Crispin Cowan has been in the computer business for 25 years, and security for 10 years. He was the CTO and founder of Immunix, Inc., acquired by Novell in 2005. Dr. Cowan is now the Security Architect for SUSE Linux, and applications that Novell offers for Linux. Dr. Cowan developed several host security technologies under DARPA funding, including prominent technologies like the StackGuard compiler defense against buffer overflows, and the LSM (Linux Security Modules) interface in Linux 2.6. Dr. Cowan also co-invented the "time-to-patch" method of assessing when it is safe to apply a security patch. Prior to founding Immunix, he was a professor with the Oregon Graduate Institute. He is the program co-chair for the 2007 and 2008 Network and Distributed System Security conferences. He holds a Ph.D. from the University of Western Ontario and a Masters of Mathematics from the University of Waterloo.

LAN Protocol Attacks Part 1 - Arp Reloaded
Jesse "x30n" D'Aguanno
Praetorian Global & Digital Revelation

Ever wanted to hijack a connection between machines on a LAN, deny service between a host you're attacking and a log server or intrusion detection system, or maybe wanted to sniff traffic on a switched network? Now you can! Er, wait... You already could with the ARP attacks we all know and love.

While these network attacks are quite effective, they do have their weaknesses, as well as security controls to help prevent them. In this talk I will build on the previous research in this field and introduce new, more reliable attacks against the ARP protocol which are much less identifiable and able to protect against.

Jesse "x30n" D'Aguanno is a security researcher and software engineer who has been involved in the security industry and "underground" for over 10 years. As a software engineer he has contributed to numerous opensource and commercial projects. As a researcher, he has written and published many papers and proof of concept tools. His current research interests are primarily focused on binary reverse engineering, anti-forensics, exploit development and network attack. He is a frequent presenter at different industry conferences and events. By day he works as the Director of Professional Services and Research for Praetorian Global, a security services company in California. In his "spare" time, he is the team captain for Digital Revelation, a security think tank most known as the two time winners (And almost annual participants) of Defcon CTF.

The Dark Tangent

Dark Tangent never speaks at DEF CON because he thinks it is cheating.. but not for the 15th anniversary! Come listen to a behind the scenes account of what really happened during the "Cisco/ISS Gate" fiasco from 2005. Throughout the talk the audience will be asked what they would have done at key points and then learn what I chose to do. A cautionary and comical tale of what happens when communication breaks down.

The Dark Tangent started DEF CON 15 years ago when his $2,000 1gig hard drive let the smoke out, eating his world known BBS system A Dark Tangent System, and forcing him to come up with new ways to be involved in the underground scene. He is constantly amazed that something that was his hobby and a passion early on in life has turned into a career and a lifestyle.

Hacking Social Lives:
Rick Deacon
IT Specialist

This presentation will discuss how to hack using web application hacking methods implementing minimal tools outside of the internet, a text editor, and a cookie editor. How to find exploits will be discussed, as well as what to do with the exploits. Multiple exploits will be revealed and broken down. MySpace XSS filter evasion will be discussed. Session hijacking using cookies provided from MySpace will be proven and shown using patched exploits.

The live demonstration (with audience participation) will be using a 0-Day MySpace exploit! The methodology and practices used in the presentation will always be relevant to MySpace as well as many other sites containing Cross Site Scripting holes. MySpace is filled with hundreds of unattended and undiscovered Cross Site Scripting exploits. Discussion on how to prevent these attacks and secure sites using web applications will also be touched upon. Also, tips on how to mess with your friends :) . Questions and volunteers are encouraged!

Now everyone can have a crack at their friend's MySpace! Just don't ruin anyone's precious social life.

Rick Deacon is a full-time IT Specialist at an established CPA firm in Cleveland, Ohio. Rick is also a part-time student working to achieve a Bachelor's degree in Networking through the University of Akron. Rick has been involved in multiple web application attacks that have been reported and fixed. Rick has been involved in information systems security for a few years and continues to discover and learn in order pursue a career involving such.

Picking up the Zero Day; An Everyones Guide to Unexpected Disclosures
Dead Addict

Security researchers around the world have been SLAPPed (strategic lawsuits against public participation) across the face by vulnerable software vendors. Bogus legal threats intended to intimidate and prevent public exposure of vulnerabilities are becoming increasingly common. If the software industry succeeds at silencing these researchers the public, governments, global industries, and end user customers are ill served and increasingly vulnerable. Successful silencing of research does not stop it, this merely drives it into private and underground economies.

While private commercial exploit economies are being launched, and underground exploit economies are flourishing, the independent researchers (including small security shops) are increasingly the source of open and honest security information. Corporate security researchers often have contractual relationships with vendors preventing the public disclosure of critical security vulnerabilities.

It is in this context that vulnerable software vendors attempt (often successfully) to silence hackers through bogus legal threats.

While the debate regarding appropriate disclosure protocols is interesting (although seemingly unending), I'm not going to talk about it. This isn't about designing a disclosure utopia, but how to deal with disclosure as it stands today.

Confrontational approaches serve no one (except perhaps aggressive attorneys increasing their billable hours), and legal threats are demonstrably counterproductive.

I'm going to tell everyone what to do: vendors, customers, hackers, and the press. I'll tell vendors how to handle any disclosure with integrity and their best interests in mind; an admittedly tricky task. I'll remind customers that they have the choice in the products they purchase, and it may be wise to reward those that address security issues responsibly. I'll then give some friendly advice to hackers (no legal advice will be given). Finally I'll address the role of the press and how their reporting can ensure the public interest is served.

If everyone starts playing nicely together, we'll all be better off.

Dead Addict helped found DEFCON 14 years ago. He has been DEFCON staff since then, has spoken at 7 DEFCONs, the Black Hat Briefings, Rubicon, as well as invitational security conferences. Professionally his employers have included a dominant operating system manufacturer, a respected computer security think tank, an internationally recognized financial infrastructure company, a popular telecommunications hardware and infrastructure company, as well as other smaller security and software firms. He lives in a strange foreign land with a beautiful intelligent creative mischievous DEFCON speaker as well as two affectionate rats. His credentials do not ensure the value of his words; analyze and determine their usefulness for yourself.

Revolutionizing the Field of Grey-box Attack
Surface Testing with Evolutionary Fuzzing

Jared DeMott Vulnerability Researcher
Dr. Richard Enbody Associate Professor, Michigan State University
Dr. Bill Punch Associate Professor, Michigan State University

Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC compliant or capture-replay mutation black-box tools. This research is focused on building a better/new breed of fuzzer. The impact of which is the discovery of difficult to find bugs in real world applications which are accessible (not theoretical).

We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon existing test tool General Purpose Fuzzer (GPF) [8], and existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS).

We have shown that it is possible for our system to learn the targets language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real world application. Initial results are promising though further testing is still underway.

This talk will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss future research efforts.

Jared DeMott is a vulnerability researcher, with a passion for hunting down and exploiting bugs in software. Mr. DeMott is the president of and is pursuing a PhD from Michigan State University, with dissertation work to be done on fuzzing. Mr. DeMott is a past DEFCON speaker.

Unraveling SCADA Protocols: Using Sulley Fuzzer
Ganesh Devarajan
Security Researcher Tipping Point Inc.

Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3, ICCP and IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP, the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have.

After enumerating all those I will talk about the SCADA Fuzzer and the framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software out there will be shown. Even though some of the attacks can be detected by the inline devices today, they are more prone to false positives.

I am using the Sulley Framework to fuzz the various protocol implementations. I basically use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some of the protocol specific CRC generators (CRC-DNP) apart from the regular ones. I have as well generated various test cases to fuzz the data sections of the protocols, unlike most other fuzzers.

Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable.

Ganesh Devarajan Ganesh Devarajan currently works as a Security Researcher for TippingPoint Inc., a division of 3Com. currently he focuses on SCADA Securities and other Application based securities. Prior to this, he worked as a Security Researcher for the CASE Research Center Syracuse , NY. He has publications in various fields such as RBAC, Wireless Securities, XML based Signatures and Runtime Software Application patches and holds a Masters Degree in Computer Engineering from Syracuse University .

Boomstick Fu: The Fundamentals of Physical Security at its Most Basic Level
Panel with Deviant Ollam, Noid, Frank Thornton (a.k.a. Thorn), jur1st

It seems that at every con nowadays there is at least one talk dedicated to physical security. Our servers and data can be encrypted and passworded with the latest algorithms, but that doesn't do the trick if someone marches them out the door when we're not looking. In the past, many physical security talks have focused on passive defense: locks that resist picking, safes which resist cracking, etc. However, sometimes an intrusion is detected while in progress... and such intrusions- even physical ones- may require immediate countermeasures.

Many of us in the security community own firearms, but few have ever had to use them in a defensive situation. Others have considered gun ownership but lack any experience or foundation in this area. This panel of experts will provide a comprehensive overview of this highly-charged and often-misunderstood topic. Bring any questions you have about hardware, ammunition, tactics, and the law.

Deviant Ollam is a frequent speaker on the topic of physical security. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A gun-owning peacenick, Deviant disdains violence but believes in being prepared to confront it. He has given physical security presentations at DefCon, ShmooCon, HOPE, and at various colleges and universities, including the United States Military Academy at West Point.

Noid is a recognized member of both the hacking world and the firearm community. A shooting enthusiast who has handled just about every manufactured style of firearm, his encyclopedic knowledge of guns results in a constant barrage of questions from individuals who are considering the purchase of a new piece of steel. During particularly stressful days at the office, Noid considers hanging up his INFOSEC spurs and becoming a range master or armorer for the Feds.

Frank Thornton (a.k.a. Thorn) runs his own consulting firm, Blackthorn Systems, which specializes in wireless networks. In addition to his computer interests, Frank was a law enforcement officer for many years. He has investigated thousands of crimes, been in numerous armed confrontations, and been directly involved in several shootings. Combining both professional interests, he was a member of the workgroup that established ANSI Standard "ANSI/NIST-CSL 1-1993 Data Format for the Interchange of Fingerprint Information."

Jur1st is the co-chair of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University, and an electronic discovery analyst at a large midwestern law firm. While in law school he excelled in the areas of evidence and trial advocacy, produced papers on the Sony XCP Rootkit and NSA warrantless wiretapping program, and was a general menace to the local network administrators.

Tor and blocking-resistance
Roger Dingledine
Project leader, The Tor Project

Websites like Wikipedia and Blogspot are increasingly being blocked by government-level firewalls around the world. Although many people use the Tor anonymity network to get around this censorship, the current Tor network is not designed to withstand a large censor.

In this talk I'll describe our plan for extending the Tor design so these users can access the Tor network in a way that is harder to block.

Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users.

He is best known for leading the Tor project, an anonymous communication system for the Internet that has been funded by both the US Navy and the Electronic Frontier Foundation. He organizes academic conferences on anonymity, speaks at such events as Blackhat, Defcon, O'Reilly ETech, Toorcon, 21C3, and What the Hack, and also does tutorials on anonymity for national and foreign law enforcement.

Trojans: A Reality Check
Toralv Dirro
Avert Labs EMEA Security Strategist, CISSP, McAfee
Dirk Kollberg Virus Research Lead EMEA, McAfee

Today there is a lot of hype around some new proof-of-concept technology or around politically motivated trojans, etc. This talk will deliver a reality check, give an idea what kind of malware the McAfee Research organisation is actually seeing to be used in the real world and show how the different trojans work, what the impact is. The material used are internal statistics of the various threats sent to or discovered by us, some more detailed analysis to make functionality more transparent and some demo's, screenshots, etc. to make clear how complex the trojans used today in real attacks are. This also gives a a very clear picture of how the threat changed now that there is a lot of money involved in using trojans to steal personal data of all kind - from bank details to identities in online games.

Toralv Dirro works for McAfee as Avert Labs EMEA Security Strategist. Working in in Virus Research for many years since 1994 at McAfee (Dr Solomon's Software back then) after analysing viruses at the University of Hamburg before that, he got finally got bored with debugging things and focused on Network IPS and Vulnerability Assessment / Management. He recently rejoined the Research team. Toralv Dirro is a well reputed expert on next generation AV Technology and Network Intrusion Prevention and is a frequent speaker on those topics.

Dirk Kollberg works as Virus Research Lead within the McAfee Avert, focused on analysis of worms such as massmailer, P2P and service exploiting threats like Slammer or RPC-DCOM threats. Dialers, PWS trojans, IRC bots, script- and macro viruses.

Being born and working based in Hamburg, he does have a good view on European threats, especially on those from Germany. Before he started at McAfee in 1999, he has been working for 5 years as electronics technician on automated manufacturing processes and another year as 3D designer for product presentations on the web. He blames Commodore PET as reason of his addiction to bits and bytes.

Real-time Steganography with RTP
Computer Academic Underground

Real-time Transfer Protocol (RTP) is used almost ubiquitously by Voice over IP technologies to provide an audio channel for calls. As such, it provides ample opportunity for creation of a covert communications channel due to it's very nature and use in implementation. While use of steganographic techniques with various audio cover-mediums has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This presentation details common techniques for use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use these techniques to establish a full-duplex communications channel using audio data transmitted via an unreliable streaming protocol, and finally documents solutions to these problems as well as a reference implementation entitled SteganRTP.

I)ruid: Founder of the Computer Academic Underground, co-founder of the Austin Hackers Association (AHA!), and currently employed in VoIP Security Research by TippingPoint, a division of 3Com, I)ruid has over a decade of experience in various areas of information security including vulnerability assessment and penetration testing, secure network architecture, and vulnerability research and development, including research in specific areas related to the security of network protocols, network applications, and Voice over IP (VoIP).

Over the years I)ruid has been involved with many security community projects such as design and development of SPF for e-mail (RFC 4408) and contributing as a data mangler for the OSVDB. I)ruid has also released numerous tools to the community such as the infamous PageIt! mass-paging tool and the hcraft HTTP exploit-crafting framework. He regularly releases vulnerability and exploit advisories, speaks at security related events and conferences, is on the Technical Advisory Board of the Voice over IP Security Alliance (VoIPSA), is an active participant in various VoIPSA projects, and is a regular contributor to the Voice of VoIPSA blog.

Everything you ever wanted to know about Police Procedure in 50 minutes
Steve Dunker
Assistant Professor, Northeastern State University

Ever wonder just what rules law enforcement must follow? When do the police have to read you the Miranda Warnings? Who is subject to a Stop and Frisk? When does Double Jeopardy apply. What does a cop actually have to know before they can legally stop you? What is the effect of an Invalid arrest? Just when can the SWAT team kick your door without knocking first? When must an officer have a search warrant?

During the "Ask the Criminal Justice Professor" part of the program I'll answer your "hypothetical" questions concerning police procedure. If I don't know the answer, I'll make something up that sounds good.

Steve Dunker is a former police detective who worked as a planner and supervisor of an anti-crime and decoy unit. He was assigned to the Southwest Missouri Major Case Squad as a photographer. He is the Director of the Collegiate Officer Program and an Assistant Professor of Criminal Justice at Northeastern State University.

The Hacker Society around the (corporate) world
Luiz Eduardo

I will talk about the evolution and differences of the hacking communities around the world. Why and how this affects the hackers being taken to the corporate life, motivations, or just why is it better to stay totally underground. How companies attract and manage hackers, and how they scare them away. Computers are cool now, like the tshirt says, and small kids already know what ip addresses are, how to use netstat, etc. Is security gonna become a commodity? Come on over, let's talk about it. The more diverse the crowd is, the better.

Luiz Eduardo, security engineer, paranoid sometimes, hacker, and overall, a good guy. Started a long time ago w/ applications, then all kinds of network security technolgies, landed in wireless security for a while and now it's up for something new. Spoke at conferences in Mexico, Brazil and the US, is the wlan network guy for some security conferences (Defcon, Blackhat, CCC, Shmoocon, Layerone, H2hc, etc). Collects infosec certifications in the spare time and long flights in coach class while enjoying chicken or pasta.

Kernel Wars
Joel Eriksson Security Researcher and CTO of Bitsec
Karl Janmar Security Researcher, Bitsec
Claes Nyberg Security Researcher, Bitsec
Christer Öberg Security Researcher, Bitsec

Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question.

This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of several real-life kernel vulnerabilities. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.

The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited and of course the exploits will be demonstrated in practice.

None of the vulnerabilities that will be used as examples had public exploits by the time they were exploited by us, and includes the (in)famous Windows 2000/XP GDI bug, the FreeBSD 802.11 bug and a local NetBSD vulnerability.

We will also demonstrate a full exploit for the remote OpenBSD ICMPv6 vulnerability found by CORE SDI, and discuss the payload techniques we used for it.

The NetBSD-bug is a new 0-day for Vegas and not the same bug that was disclosed at our BlackHat Europe presentation, and we will also throw in at least one more surprise 0-day to keep things interesting. ;)

More info will be made available at:

Joel Eriksson is the CTO of Bitsec, a newly founded security company based in Sweden. Joel has been working in the computer security field since 1997 when he started out as an independent consultant. His primary focus is within vulnerability research, exploit development and reverse engineering. Joel has previously spoken at Black Hat Europe and UNCON.

Routing in The Dark: Pitch Black
Nathan S. Evans Ph.D. Graduate student, University of Denver
Christian Grothoff, Ph.D. Assistant professor of computer science at the University of Denver

There is a pervasive dream about a free Internet which is robust, fully decentralized yet efficient, and which ensures privacy for all users. For seven years, the Freenet project has been the most visible embodiment of this vision. This talk will show that the recent 0.7 release of Freenet -- marketed to solve most of the problems -- entirely fails to deliver.

Freenet 0.7 promises efficient routing in restricted-route networks, often also called friend-to-friend (F2F) networks or darknets. Our work shows that a crucial step in the routing protocol can be easily subverted by an adversary which is no more powerful than any ordinary node operator. The attack targets a fundamental aspect of the routing protocol; in particular, it does not rely on minor flaws in the Freenet implementation and can thus not be easily addressed.

The goal of this talk is not to destroy the dream of a free Internet. Instead, the talk will educate the audience about pitfalls on the path to utopia, improving our progress to this shared vision by shining a light on certain dead ends.

Estonia: Information Warfare and Strategic Lessons
Gadi Evron
Beyond Security

In this talk we will discuss what is now referred to as "The 'first' Internet War" where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population.

Following a riot in the streets of Tallinn, an online assault begun, resulting in a large-scale coordination of the Estonian defenses on both the local and International levels. We will demonstrate what in hind-sight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks.

Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can be deducted from the incident and studied in preparation for future engagements in cyber-space.

Webserver Botnets and Hosting Farms as Attack Platforms
Gadi Evron
Beyond Security

The thousands of servers in collocation centers and hosting farms are irresistible targets for bot-herders in the market for an ideal attack platform. Learn how about web server malware which is completely cross-platform, and how ISPs (with varying success) are detecting and responding to frequent attempts by the bad guys to take control.

Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing as well as is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager which he founded.

Panel: Internet Wars 2007
Gadi Evron
Andrew Fried IRS
Thomas Grasso FBI
Dan Hubbard Websense
Dan Kaminsky IOActive
Randy Vaughn Baylor
Paul Vixie ISC

Continuing our new tradition from last year, leading experts from different industries, academia and law enforcement will go on stage and participate in this panel, discussing the current threats on and to the Internet, from regular cyber-crime all the way to the mafia, and even some information warfare.

In this panel session we will begin with a short introductory presentation from Gadi Evron on the latest technologies and operations by the Bad Guys and the Good Guys. What's going on with Internet operations, global routing, botnets, extortion, phishing and the annual revenue the mafia is getting from it. The members will accept questions on any subject related to the topic at hand, and discuss it openly in regard to what's being done and what we can expect in the future, both from the Bad Guys and the Good Guys.

Discussion is to be limited to issues happening on the Internet, rather than this or that vulnerability. The discussion is mostly technological and operational in nature, although last year attendees chose to ask questions directing the discussion to the legal side of things. Participants are people who are involved with battling cyber-crime daily, and are some of the leaders in the security operations community of the Internet.

Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing as well as is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager which he founded.

Andrew Fried is a Senior Special Agent with the Treasury Inspector General for Tax Administration's System Intrusion and Network Attach Response Team (SINART). His organization is responsible for investigating computer security incidents involving the Internal Revenue Service.

During his 17 year career with Treasury, he is credited with developing his agency's Computer Investigative Specialist (CIS) program, whose members are responsible for analyzing seized computers, as well as the SINART program, whose mission is to investigate computer intrusions and conduct pro-active network penetration testing.

In 1986, while working at the Kennedy Space Center, he developed one of the first suites of software programs specifically designed for analyzing seized computers. His software was distributed, free of charge, to law enforcement agencies throughout the world.

Thomas Grasso began working with computers in 1993 as a network administrator. In 1998 Mr. Grasso received an appointment to the position of Special Agent with the Federal Bureau of Investigation (FBI). After attending new agents training at the FBI Academy in Quantico, Virginia, Mr. Grasso was transferred to the FBI.s Chicago Field Office where he was assigned to the Regional Computer Crime Squad. In the fall of 2000, Mr. Grasso was transferred to the FBI.s Pittsburgh Field Office and assigned to the High Technology Crimes Task Force where he served as the FBI Liaison to the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University. Mr. Grasso is now part of the FBI.s Cyber Division and is assigned to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, a joint partnership between law enforcement, academia, and industry. Mr. Grasso is a 1991 graduate of the State University of New York at Buffalo, where he majored in Geological Sciences and minored in Music.

Dan Hubbard is the VP of Security Research at Websense and runs Websense Security Labs. He is responsible for all things security at Websense, including managing the Websense Security Labs that researches, analyzes, and reverse engineers malicious code, analyzes security trends, and provides research on malicious Websites and network protocols. Hubbard also defines security-related product features. He is the pioneer behind Websense's Web filtering database that supports its Security Group. Hubbard also acts as the company's security spokesperson

Dan Kaminsky Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Serve 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

Randal Vaughn teaches a variety of courses in Information Systems. Vaughn is a widely quoted expert in the areas of cyber warfare, cyber defense, and internet threat metrics and reporting. He is on the Board of Advisors for MI5 Security and an Academic associate for the AntiPhishingWorkingGroup. He is a member of Educause, the Society for Information Management (SIM), and the Association for Computing Machinery (ACM). His work has been published in several mathematics publications and he has authored white papers such as "Using PowWow in the Academic Environment" for Tribal Voice. Previously, Vaughn worked at Mobil Exploration and Producing Services, Inc. as a computer analyst for seismic processing support. Prior to that, he was the lead designer for Vought Aircraft's Group Technology Support Software, a component of the U.S. Air Force's Integrated Computer Aided Manufacturing project. He also served in the U.S. Air Force as a project engineer and database administrator. Vaughn's operating system experience includes legacy mainframe operating systems, Microsoft Windows, Linux, and Apple Mac OS and Mac OS X operating systems.

Paul Vixie holds the record for "most CERT advisories due to a single author" which came primarily from his years hacking on BIND4 and BIND8. Later on he cut off the oxygen supply to his brain by wearing a necktie for AboveNet, MFN, and PAIX. At the moment he is President at ISC where his primary duty is to sign paychecks for the people who bring you BIND9 and F.ROOT-SERVERS.NET. He is also an occasional critic of just about everything (the blog: FM.VIX.COM).

Biometric and token based access control systems: Are you protected by two screws and a plastic cover? Probably.
Zac Franken

An overview and demonstration of common access control and biometric systems. This will include the key elements of their implementation and includes in-depth technical analysis of their common weakness. I will then demonstrate bespoke hardware developed to perform an attack that renders most access control systems useless.

Zac Franken has been running operations for Defcon for nearly 14 years. Generally preferring to stay behind the scenes, he finally has allowed himself to be talked into a presentation. When not running Defcon operations or attending security conferences, he skulks in his dormant volcano lair .With a penchant for physical security and access control systems, he noodles around with access control systems, designs workarounds, and weeps at the inadequacy of todays access control technology.

Greetz from Room 101
Kenneth Geers

Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you. Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out.

Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least, the DEFCON audience will hear about the future of cyber control, and the future of cyber resistance.

Kenneth Geers has worked for many years in a wide variety of technical and not-so-technical disciplines. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Kenneth is the author of Cyber Jihad and the Globalization of Warfare; Hacking in a Foreign Language: A Network Security Guide to Russia; Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall; and IPv6 World Update. His website,, is devoted to the intersection of art, the fate of nations, and the Internet. Greetz to Bunny, Izzy, Yofi, and Boo!

The Completion Backward Principle

If you're responsible for the burglar alarm at your facility, do you understand how it's being monitored by the "Data Monitoring Group" flunkees? Are all those alarm conditions real? The Completion Backward Principle covers issues arising from Internet-enabled monitoring of burglar alarm systems, and possible mitigations. Spot The Fed will most assuredly be played at this talk.

geoffrey: For the past seventeen years, geoffrey has been a Facility Security Officer and ComSec manager in support of various tla's. Securing computer networks, telephone systems, and buildings is not just an adventure, it's his job. He can often be found giggling, like a schoolgirl, at the thought of global warfare being waged upon nouns. geoffrey is also available for childrens' parties.

Intelligent debugging for VulnDev
Damian Gomez
Researcher, Immunity, Inc.

Anyone who has ever developed an exploit will tell you that 90% of their development time was spent inside a debugger.Like with all software engineering, the actual implementation language of the exploit is somewhat irrelevant. The exploit is merely a solution to a problem that was solved using your debugger of choice.

Because a large percentage of your exploit development time is spent inside a debugger, the need for an exploit development oriented debugging framework becomes apparent. This framework should combine the readability of a GUI, the speed of a command line, and the flexibility of a scripting language.

During this talk we will discuss various topics that are relevant to debugging in the context of exploit development. These topics include protocol analysis, runtime data type analysis, advanced heap structure and flow analysis, and bypassing protection mechanisms.

Intelligent Debugging discusses how this process can be optimized, saving you both time and resources. Ultimately resulting in a more reliable exploit.

Damian Gomez is a Security Researcher at Immunity, which he joined in February 2006, after five years as the Chief Security Officer at Informar Argentina S.A., where his responsibilities included internal security auditing, network design, and intellectual property management with watermarking technologies. Prior to Informar, Damian worked on secure networking infrastructure at the Comision Nacional de Comunicaciones.

In addition to consulting services, Damian is an exploit developer for Immunity and is lead developer for Immunity's VisualSploit. Damian's current main project is the developing of the vuln-dev oriented Immunity Debugger and the integration of it with the other Immunity's frameworks. Damian is located at Argentina, South America.

Multipot: A More Potent Variant of Evil Twin
K N Gopinath
Senior wireless security researcher/manager, R&D Group, AirTight

This presentation pertains to a discovery of a more potent variant of Evil Twin. We call it Multipot. Multipot consists of multiple APs which are configured with the same SSID and lure WiFi clients into connecting to them. The term Multipot is derived from 'multiple' and 'honeypot'. Multipot can occur naturally in the form of multiple Municipal APs or Metro APs around the victim client, all of which are naturally configured for the same SSID (e.g., GoogleWiFi). Such a natural Multipot can induce non-policy compliant communication from wireless clients of an organization. There can also be a handcrafted or malicious version of Multipot where an attacker can combine it with known Evil Twin attack tools (e.g., KARMA, delegated) and launch a Man-in-the-Middle attack against wireless clients.

The prevalent Evil Twin defenses are ineffective against Multipot. In particular, the prevalent defenses include: i) Taking precaution so that clients are not lured to Evil Twins (e.g., specialized client side software), and ii) since these precautions are not always foolproof or practical, using a Wireless Intrusion Prevention System (WIPS) to block clients' connections to Evil Twins. Most of the current WIPS use deauthentication (deauth) based session containment to defend against this threat. In this presentation, we demonstrate that Multipot renders the deauth based session containment completely ineffective. Multipot provides a glimpse into the complexities of evolving wireless vulnerabilities and their countermeasures.

K N Gopinath (Gopi) is a senior wireless security researcher and senior engineering manager at AirTight Networks. Gopi has several years of experience with 802.11 protocol implementations, device drivers, WiFi networks, and wireless intrusion detection and prevention. His research focuses on making wireless networks secure. His current interest includes understanding wireless MAC implementation anomalies and wireless devices fingerprinting. Gopi also has invented several patent pending wireless intrusion detection and prevention techniques.

Gopi holds a Master's degree in Computer Science and Engineering from the Indian Institute of Technology Kanpur (IITK), and in the past has worked as a researcher at Bell Laboratories at Murray Hill, NJ. He has published several technical papers and delivered invited talks in international networking and security conferences/workshops.

Making of the DEFCON 15 Badge
Joe Grand

Joe Grand is an electrical engineer, prominent speaker, and prolific inventor with multiple pending patents and over a dozen commercially available products. He is the President of Grand Idea Studio, a San Francisco-based product research, development, and licensing firm, where he specializes in the design of consumer electronics and video game accessories.

Involved in computers and electronics since the age of 7, Joe has had the fortune of being a member of the legendary Boston-based hacker collective L0pht Heavy Industries, testifying before the United States Senate Governmental Affairs Committee under his nom de hack, Kingpin, and being praised as a "modern day Paul Revere" by the Senators for his research and warnings of computer security weaknesses.

Recognized for his unconventional approaches to product development and licensing, Joe is also a well-known hardware hacker, the author of two books, contributor to four others, on the technical advisory board of MAKE Magazine, and is a co-host of an upcoming engineering show for Discovery Channel.

Disclosure and Intellectual Property Law: Case Studies
Jennifer Granick
Executive Director, Center For Internet and Society, Stanford Law School

The simple decision by a researcher to tell what he or she has discovered about a software product or website can be very complicated both legally and ethically. The applicable legal rules are complicated, there isn't necessarily any precedent, and what rules there are may be in flux.

In this presentation, I will use Cisco and ISS's lawsuit against Michael Lynn (from Black Hat 2005) and HID's cease and desist letter to IOActive (from Black Hat 2006) to discuss major intellectual property law doctrines that regulate security research and disclosure. I will give the audience some practical tips for avoiding claims of illegal activity.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Security by Politics - Why it will never work
Lukas Grunwald
CTO of DN-Systems Enterprise Internet Solutions GmbH

This talk will show what happens if security is driven by politics and compromise, also I will cover additional security risks by the new generation of electronic passports.

It will show why it could be possible to produce fake biometric fingerprints from the new generation electronic passports, for example by rogue regimes. The new bogus security attempts to secure the ePassports via EAN (Extended Access Control).

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany) a globally acting consulting office working mainly in the field of security identity, and internet/eCommerce and Supply Council solutions for enterprises.

Lukas presented at the Lower House of German Parliament for the Free Democratic Party as RFID and ePassport expert at the hearing for the new ePassport Law to allow the use of biometrics in electronic travel documents.

Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He is specializing in security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, Linux Tag, CeBIT and Blackhat Briefings.

Hardware Hacking for Software Geeks
David Gustin
Software Developer

This presentation is an introduction to hardware design and reverse engineering, with an eye towards developing an individual laboratory for future exploration. We start by covering the basic tools and setting up a laboratory. In this section, we cover the basic tools, such as soldering tools, oscilloscopes, and logic analyzers. The focus is on getting the tools for low or no cost. From there, we cover the forward engineering process, including various microcontroller designs. Finally, we will go over hardware reverse engineering and its relation to the forward engineering process. There will be demonstrations of low cost oscilloscopes, logic analyzers, and flash dumping tools. These tools will be used against consumer-grade hardware to demonstrate the beginning of a reverse engineering attempt.

This talk assumes slight prior knowledge of electronics on a hobbyist level. The ability to read a schematic will come in handy, but isn't required. Even if you don't have a hobby-level interest in electronics, we hope you will by the end of the presentation.

David Gustin David has been working as an embedded software developer since 2001. He spent 3 years interning at Astronautics Corporation of America working with safety critical avionics devices for projects ranging from the space shuttle to commercial airliners. After graduation he spent 8 months working on embedded devices for building control networks containing thousands of networked devices on various topologies. David then took a job doing quality assurance at Imperfect Networks verifying a suite of products relating to malicious traffic generation. He has since moved back into embedded software and spent a year developing and testing software for the AirBus A380 Super Jumbo. He is currently working on Maritime Control Systems for ZF.

Ab3nd plays with electronics for fun and programs computers for money. His past projects have included Tesla coils, a lighting system for a model apartment, telepresence drones, sentry guns, a wearable computer, magnetic card readers and writers, and mad scientist props. His future projects are legion. Abend enjoys good gin.

The Commercial Malware Industry
Peter Gutmann

Malware has come a long way since it consisted mostly of small-scale (if prolific) nuisances perpetrated by script kiddies. Today, it's increasingly being created by professional programmers and managed by international criminal organisations. This talk will look at the methods and technology employed by the professional malware industry, which is turning out "product" that matches (and in some cases even exceeds) the sophistication of standard commercial software, but with far more sinister applications.

Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland, New Zealand, working on the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package, has authored a number of papers and RFC's on security and encryption including the X.509 Style Guide for certificates, and is the author of "Cryptographic Security Architecture: Design and Verification" (published by Springer-Verlag) and the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about PKIs and the (un-)usability of security applications.

INTERSTATE: A Stateful Protocol Fuzzer for SIP
Ian G. Harris
University of California Irvine

We present the INTERSTATE fuzzer to detect security vulnerabilities in VOIP phones which implement Session Initiation Protocol (SIP). INTERSTATE generates an input sequence for a SIP phone which is constructed to reveal common security vulnerabilities. SIP is a stateful protocol so a state machine description of the SIP protocol is used by INTERSTATE to ensure that the entire state space is explored. The input sequence consists of SIP request messages as well as GUI input sequences which are remotely applied to the phone under test. The input sequence is generated to perform a random walk through the state space of the protocol. The application of GUI inputs is essential to ensure that all parts of the state machine can be tested. Faults are injected into SIP messages to trigger common vulnerabilities. INTERSTATE also checks the SIP response messages received from the phone under test against the expected responses described in the state machine. Checking response messages allows for the detection of security bugs whose impact is more subtle than a simple crash. We have used INTERSTATE to identify a previously unknown DoS vulnerability in an existing open source SIP phone. The vulnerability could not have been discovered without exploring multiple paths through the state machine, and applying GUI inputs during the fuzzing process.

Ian would like to give recognition to the following co-authors for their contributions. Thoulfekar Alrahem, Alex Chen, Nick DiGiussepe, Jefferey Gee, Shang-Pin Hsiao, Sean Mattox, Taejoon Park, Albert Tam, and Marcel Carlsson.

Ian G. Harris is currently an Associate Professor in the Computer Science Department at the University of California Irvine. He received his BS degree in Computer Science from Massachusetts Institute of Technology in 1990. He received his MS and PhD degrees in Computer Science from the University of California San Diego in 1992 and 1997 respectively.

His research interests involve the testing of hardware and software systems. His current research projects include fuzzing of embedded software, and hardware/software covalidation.

Hacking the Extensible Firmware Interface
John Heasman NGSSoftware

"Macs use an ultra-modern industry standard technology called EFI to handle booting. Sadly, Windows XP, and even Vista, are stuck in the 1980s with old-fashioned BIOS. But with Boot Camp, the Mac can operate smoothly in both centuries."
- Quote taken from

The Extensible Firmware Interface (EFI) has long been touted as the replacement for the traditional BIOS and was chosen by Apple as the pre-boot environment for Intel-based Macs. This presentation explores the security implications of EFI on firmware-based rootkits.

We start by discussing the limitations of the traditional BIOS and the growing need for an extensible pre-boot environment. We also cover the key components of the EFI Framework and take a look at the fundamental design decisions affecting EFI and their consequences. Next we consider the entry points that an EFI system exposes - just how an attacker may set about getting their code into the EFI environment - taking the Apple Macbook as our reference implementation.

After demonstrating several means of achieving the above, we turn our attention to subverting the operating system from below, drawing parallels wherever possible to attacks against systems running a traditional BIOS.

The final part of this presentation discusses the evolution of EFI into the Unified Extensible Firmware Interface (UEFI), soon to be supported by Windows Server (Longhorn) and discusses the application of the previously discussed attacks to UEFI.

John Heasman is the Director of Research at NGS Software. He has significant experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, Norton Antivirus, Exchange Server and PostgreSQL.

His primary research interest is in rootkit and anti-rootkit technologies though he also has a strong interest in database security and was a co-author of the Database Hackers Handbook (Wiley, 2005).

He holds a Masters degree in Engineering and Computing from Oxford University and is certified as a CHECK Team Leader allowing him to lead penetration tests of UK government systems.

Hack Your Car for Boost and Power!
Aaron Higbee
Managing Partner and co-founder,Intrepidus Group

What happens when you combine a natural hacker, a computer controlled car, and security consultant's discretionary income spent on a pile of parts? A four cylinder, 2.5 liter, 500hp monster daily driver that runs on pump gas. (Pump gas plus computer controlled methanol injection for that extra umph.)

If you love the smell of gasoline and want to learn about performance tuning and ECU hacking, then this presentation is for you. If you have the dealer change your oil for fear of voiding the warranty, then you may want to skip this presentation. ? Attendees will be introduced to the tools of the trade and tuning concepts that are meant to squeeze out every last drop of power. Concepts will be backed up by practical examples and advice that the audience member can take away and try on their own (....if they dare). The presentation will cover automotive protocols, sensors, and tuning concepts used in making power. The presentation will cover the role of octane, water injection, and methanol injection as a means of coping with high boost turbocharged applications. Basic knowledge of electronic fuel injection and how a motor works is recommended. An understanding of the mechanics of turbochargers and superchargers is a plus but is not required. The presentation will conclude with car modification laws, CARB, emissions testing, SEMA, and privacy concerns about the data an ECU can store.

Aaron Higbee is a Managing Partner and co-founder of the Intrepidus Group. He has over 10 years of information security experience with reputed companies like Foundstone, Lucent Technologies, and EarthLink. Aaron built his information security career on a passion for understanding technology and pushing its limits. It's the natural extension of a curious mind to want to be in control of his cars ECU in order to find out what it really can do. As a gearhead hobbyist, Aaron has spent the past six years exploring ECU tuning and performance modifications. His time and effort has produced heart pounding, neck snapping, dyno proven results, and a passion to share this knowledge with those who are interested. Aaron is a speaker at leading industry conferences like Black Hat, Def Con, and Hack-In-The-Box. In addition, he is often invited to guest lecture on advanced information security concepts at the nation's top universities including Carnegie Mellon. He has delivered security training courses to over 1000 information security officers of US government agencies and Fortune 500 companies.

GeoLocation of Wireless Access Points and "Wireless GeoCaching"
Ricky Hill
Senior Scientist, Tenacity Solutions

GeoLocation of 802.11b Access Points is not a trivial task. As wardrivers who've stumbled various networks with a GPS unit will attest, "Netstumbler doesn't provide the real location of access points". Instead, it provides an estimate of where the software thinks they are. Why should this be so? In a comparative sport made popular by the proliferation of portable GPS units, GeoCachers routinely find their "caches" or treasures with amazing accuracy. The Wardriving community should be able to do the same...

This talk is about 802.11b Access Point location. The project's primary goal is to build a novel hardware & software configuration that can be used with wardriving gear and Netstumbler to geoLocate AP's as they're encountered. Various methods of radio location are discussed along with a new game we'll call "Wireless GeoCaching."

The Presentation will include details of the hardware - construction of a rotating, stepper-motor driven directional antenna, and the software: Netstumbler and Visual Basic. Video and photos of the actual GeoLocation/ GeoCaching sessions will be shown.

No prerequisite - only an interest in Network Stumbling, GeoCaching and Wireless Technology.

Rick Hill, CISSP, CWSP works as an information systems security engineer for Tenacity Solutions, Inc., an IT consulting firm based in Reston, VA. Specializing in Wireless Security, his day job involves certification and accreditation of govt. networks, site survey, and network security assessment. Mr. Hill has been involved in hardware and electronics for most of his career including a 10 year stint for ITT Automotive where he designed and built equipment including ABS brake systems, image processing, and robotic control applications. A previous speaker at DEFCON ("WarRocketing - Network Stumbling 50 square miles in less than 60 seconds"), Rick's after work interests include powerboating, netstumbling, and shooting high power rockets. He also holds a technician class amateur radio license (KG4BSY), which he uses primarily for telemetry and investigating new wireless applications.

Greg Hoglund

Greg Hoglund has been a pioneer in the area of software security for ten years. He created and documented the first Windows NT-based rootkit, founding in the process.

The Market for Malware
Dr. Thomas J. Holt
Assistant Professor, Dept. of Criminal Justice, University of North Carolina

As the world comes to rely on computers and rapidly changing technologies, the threat posed by computer attackers has become increasingly significant. Computer attackers exploit vulnerabilities in systems and circumvent antivirus software to obtain all manner of personal and financial information. However, individuals no longer need to rely on their abilities, as malware and automated tools quickly and efficiently perform attacks for them. Individuals can buy access to sophisticated malware, including bots, Trojans, and worms via markets run in publicly accessible web forums operating out of Eastern Europe, Russia, and other parts of the world. These forums also operate black markets where individuals can sell the data they illegally obtain for profit. Examining these markets can have significant benefit for computer security and law enforcement by identifying the functionality of malware in the wild, and the individuals who create these tools. This presentation will explore the latest tools and materials being sold in active publicly accessible web forums that traffic in malware and personal information.The cost, functionality, and utility of these programs will be explored, as well as the dynamics of sellers and buyers in these markets.

Dr. Thomas J. Holt is an Assistant Professor in the Department of Criminal Justice at the University of North Carolina at Charlotte specializing in computer crime, cybercrime, and technology. His research focuses on computer hacking, malware, and the role that technology and the Internet play in facilitating all manner of crime and deviance. He works with computer and information systems scientists, law enforcement, businesses, and technologists to understand and link the technological and social elements of computer crime. Dr. Holt has been published in academic journals, and has presented his work at various computer security and criminology conferences. He is also a member of the editorial board of the International Journal of Cyber Criminology.

Click Fraud Detection with Practical Memetics
Broward Horne
Software Consultant

"Click Fraud Detection with Practical Memetics" is an evolution of my previous Defcon presentations. The original Meme Miner program and Meme Theory were enhanced for better predictive ability which led to an accidental detection of "Pay-Per-Click" advertising fraud. This presentation includes expanded overview of Meme Theory, real-life example of Botnet click fraud, strategies to detect memetic inconsistencies in network propagation, strategies to deceive existing detection schemes and future "Pay-Per-Click" fraud issues. See for more.

Broward Horne is a software consultant with a diverse IT background, doing contract work for Unigard, Nike, JP Morgan, Verizon, Transcore and the US Department of Transportation, a former employee of several large corporations (Hewlett Packard, Avnet, Teradyne, Litton) and two startup companies. His projects include network construction and administration, prototype wireless LANs, prototype pen-top software, CRM software, e-commerce, insurance and banking enterprise applications. He began data-mining & business intelligence in 1993 as a career guidance tool and has slowly expanding the scope and strategy of Meme Theory. See for more.

Faster PwninG Assured: New adventures with FPGAs
David Hulton

I've been giving talks on how FPGAs are cool for the past couple of years at Defcon, so what's different this year? Well, I'll be releasing a couple of new tools.

BTCrack is a Bluetooth PIN cracker that will allow you to crack 8-digit Bluetooth PINs on an FPGA or 5-digit PINs on your computer in real-time (Longer PINs require a little more time) using a capture of the pairing process.

The other tool, WinZipCrack will let you crack WinZip AES encrypted files by specifying a list of words that you want to try. The FPGA implementation runs an order of magnitude faster than a PC and the tool supports all of the different modes of WinZip encryption. I'll also be releasing a tool that will allow you to convert WinZIP AES encrypted files into normal unencrypted PKZIP files with the correct passphrase (in case any of you have ever tried opening a WinZip AES encrypted file in unix, ugh!).

I'll also be doing a lightning quick demo of the other tools available on the OpenCiphers Project website and will be releasing Virtex-5 LX50 support for the whole toolset with up to 3x performance over the previous cores on the Virtex-4 LX25 as well as full Windows support.

David Hulton has been hacking with wireless and embedded devices for the past 5 years and actively involved in the security industry for 10. After helping start and run various security meetings and ToorCon back in the late 90's, he switched focus and became credited with designing open source tools such as bsd-airtools, doing extensive security research with Wireless, Smart Cards, GSM, and most recently with revolutionary high-speed crypto cracking applications for FPGAs.

HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)
Dan Hubbard VP Security Research, Websense Security Labs

We have all heard of Honeypots and more recently HoneyClients. Now we are introducing the concept of HoneyJax. Once again functionality has beaten our security, and Web 2.0 is in full force. User-created content, radical trust, and social networks have lead to several malicious code attacks and spammers have learned that the web a great compliment to sell there trade.

This session will show provide examples and insights into the problems of Web 2.0 and include one way to assist in the identification and tracking of mis-use of these technologies by deploying HoneyJax's within the operating environment.

Dan Hubbard is VP of Security Research of Websense Inc. He manages all security research and security product vision at Websense, with responsibility for several security-related product features, and acts as a security evangelist externally. Hubbard is the pioneer behind Websense's Threatseeker Technology and started Websense Security Labs. The product that Threatseeker supports provides an additional layer of security to networks by preventing employees from inadvertently accessing sites that are infected with malicious mobile code or spyware. Hubbard has presented and spoke around the world at events such as Black Hat, RSA, InfoSec, and Toorcon. Also has been quoted by the media in publications such as USA Today, CNET, NY Times, NBC and ABC NEWS, and CNN.

One Token to Rule Them All: Post-Exploitation Fun in Windows Environments
Luke Jennings
MWR InfoSecurity

The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to "squeeze all the juice" out of every compromised system.

Windows access tokens are integral to Microsoft's concept of single sign-on in an active directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation.

This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off.

Finally, defense strategies will be discussed that can help provide defense in depth to reduce the impact of token abuse as a post-exploitation option.

Luke Jennings is a security consultant for MWR InfoSecurity in the UK and is a recent computer science graduate of the University of Southampton. Luke's previous work has primarily been focused on penetration testing and application testing which has also led to his discovery of some critical, remotely exploitable vulnerabilities in widely deployed software. As a result of this, Luke has become increasingly interested in dedicating a portion of his time to active security research. Luke is also interested in promoting security awareness among computer scientists, and has guest lectured at his old university to further this.

Homeless Vikings, (short-lived bgp prefix hijacking and the spamwars)
Dave Josephsen
Sr Systems Eng, DBG Inc

BGP Prefix hijacks take the IP addresses of others and make them your own. This talk provides a chilling account of the current use of prefix hijacks by spammers in a successful effort to defeat RBL's. Placed within the context of the history of the spamwar, this talk makes clear the grim future we face if we continue to escalate the spam war into the network layer; namely a future where every spammer on earth can arbitrarily choose and make routable an unallocated ipv4 address (one that the RBL's have never seen) once per day for the next 150 years or so without ever using the same address twice, and never colliding with any other spammer.

Dave Josephsen: Author of the Prentice Hall book: "Building a Monitoring Infrastructure with Nagios", Dave Josephsen is the Senior Systems Engineer for DBG, Inc., where he maintains a collection of geographically dispersed server farms. He has a decade of hands-on experience with Unix systems, routers, firewalls, and load balancers in support of complex, high-volume networks. He has nearly two decades of experience putting paper in printers, and over THREE decades of experience breathing. His co-authored work on Bayesian spam filtering earned a Best Paper award at USENIX LISA 2004. He has been published in both ;login and Sysadmin magazines on topics relating to security, systems monitoring and spam mitigation.

Black Ops 2007: Design Reviewing The Web
Dan Kaminsky

Design bugs are really difficult to fix - nobody ever takes a dependency on a buffer overflow, after all. Few things have had their design stretched as far as the web; as such, I've been starting to take a look at some interesting aspects of the "Web 2.0" craze. Here's a few things I've been looking at:

Slirpie: VPN'ing into Protected Networks With Nothing But A Lured Web Browser. Part of the design of the web is that browsers are able to collect and render resources across security boundaries. This has a number of issues, but they've historically been mitigated with what's known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. But scripts are not acquired from names; they come from addresses. As RSnake of and Dan Boneh of Stanford University have pointed out, so-called "DNS Rebinding" attacks can break the link between the names that are trusted, and the addresses that are connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh's work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page. I will also discuss how the existence of attacks such as Slirpie creates special requirements for anyone intending to design or deploy Web Single Sign On technologies. Slirpie falls to some of them, but slices through the rest handily.
p0wf: Passing Fingerprinting of Web Content Frameworks. Traditional OS fingerprinting has looked to identify the OS Kernel that one is communicating with, based on the idea that if one can identify the kernel, one can target daemons that tend to be associated with it. But the web has become almost an entirely separate OS layer of its own, and especially with AJAX and Web 2.0, new forms of RPC and marshalling are showing up faster than anyone can identify. p0wf intends to analyze these streams and determine just which frameworks are being exposed on what sites.
LudiVu: A number of web sites have resorted to mechanisms known as CAPTCHAs, which are intended to separate humans from automated submission scripts. For accessibility reasons, these CAPTCHAs need to be both visual and auditory. They are usually combined with a significant amount of noise, so as to make OCR and speech recognition impossible. I was in the process of porting last year's dotplot similarity analysis code to audio streams for non-security related purposes, when Zane Lackey of iSec Partners proposed using this to analyze CAPTCHAs. It turns out that, indeed, Audio CAPTCHAs exhibit significant self-similarity that visualizes well in dotplot form. This will probably be the first DEFCON talk to use WinAMP as an attack tool.
A number of other projects are also being worked on - I've been sending billions of packets for a reason, after all, and they haven't been coming from WinAMP :) There will be some updates on the analysis tools discussed during Black Ops 2006 as well.

Dan Kaminsky Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Serve 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

Fighting Malware on your own
Vitaliy Kamlyuk
Virus Analyst, Kaspersky Lab

There is always a possibility to get infected by some malware, i.e. by surfing the web and catching the malware that uses some new exploit in your browser. What should you do then? Do you know what is available on Windows system to fight malware? The problem of fighting malware on Windows is the limitation of basically available tools. I am going to show you some tricks that will let you do some complicated actions using ONLY components of Windows system and NO 3rd party tools.

I have been working in Kaspersky Lab for 2 years. I've started as a developer & researcher and at some points worked as unix administrator. Today I am working as virus analyst. This position gave me the knowledge of deep understanding of the majority of modern Windows technologies. As a result I learnt how to do the programming in machine code. My presentation will show you the cases when this knowledge is mandatory. I am going to show how to develop an antivirus solution using Windows notepad and the knowledge of machine code programming. Besides, I am going to show several hacks to perform complicated tasks in limited Windows environment.

Vitaliy Kamlyuk: Having rich experience of taking part in different conferences. Have received more than dozen awards and prizes during education at school and university. Have been working in Kaspersky Lab Moscow since 2005. Started as C++ developer, but changed positions several times. Worked as a FreeBSD system administrator, virus analyst and finally doing forensic examination. Inventor of the technology that is used in KL for finding similar malicious files in huge storages (the technology was successfully submitted for patenting in 2006).

SQL injection and out-of-band channeling
Patrik Karlsson

A large number of web applications are still found suffering from improper input validation controls. This is a fact commonly exploited by hackers in order to gain unauthorized access to backend databases and steal sensitive corporate information. As systems are hardened hackers are often forced to rely on blind SQL injection in order to extract information.

The audience will be introduced to out-of-band channeling, an alternate technique which under certain circumstances can be much more efficient in achieving the task. A number of different channels, pros & cons and preventive measures will be presented. Did you know a hacker could steal your corporate secrets by channeling them over DNS?

Patrik Karlsson is the founder of the security related website, where he publishes some of his security related work. He is also a partner at Inspect it, a Swedish based information security consultancy. His work has been mentioned in a number of articles and books and used for education and security testing. For the last couple of years he has specialized in web application security, databases and his family.

Hacking EVDO
King Tuna

Come and spend 50 minutes with the King, not Elvis, but King Tuna. He is going to give you a peak into EvDo and some of the goodies it has to offer. After a very brief overview of what EvDo is he is going to go into detail about the different hardware options you have, and most importantly, how EvDo cards can be hacked and the advantages of delving into the insides of the card. Can ESN's be moved? Can EvDo be used in monitor mode?

Bring a bag because there will be treats for 100 people with a patch so you can use your EvDo card on your laptop as a client or access point.

King Tuna has been a hacker since he discovered DOS 6.0 before pre k. He has matured his knowledge in hacking with time and experience. Currently he works for Wardrivingworld helping customers extend there range as well as at schools to develop classes about improving & testing wireless security.

Functional Fuzzing with Funk
Benjamin Kurtz

This talk will introduce a simple and incredibly powerful framework for the scripted generation of network traffic: Funk, a new tool for fuzzing arbitrary network protocols written using the Chicken Scheme-to-C compiler. Source code will be provided and explained, so you can start using this framework today for all your network traffic generation needs!

Some familiarity with functional languages like Lisp or Scheme will behelpful, but not required.

Ben Kurtz is a software engineer at an industry-leading model-based design company. Earlier, he earned his Masters of Computer Science by applying language theory to the visual analysis of probe data under the DARPA DASADA program. Soon afterward, he discovered that it's much easier to break something than to fix it, and became the principal researcher and developer of threat generation and analysis technologies at Imperfect Networks. In other incarnations, he has worked on critical systems for power plants, passenger jets, and insurance companies. If you knew him better, this would make you nervous.

Comparing Application Security Tools
Edward Lee
Security Researcher, Fortify Software

If you're going to buy an application security tool, which one will it be? Every vendor likes to talk about how their tools are the best. "We are the market leader!" they all say. But not everyone can lead all the time. I will show how I took half a dozen "leading" application security tools (both static and dynamic) and compared them head-to-head against the same open source application. All of the tools found something, but no two tools find the same thing!

I will break down the different techniques each tool uses and show specifically which bugs each tool finds. The proceedings will include all of the details about the code so that you can add your own tools to the comparison. The presentation gives a methodology for doing detailed tools comparison.

Edward Lee Edward Lee is a member of Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Specifically, Mr. Lee investigates and develops methodologies for the discovery of vulnerabilities and defense against attacks in software. Prior to joining Fortify, Mr. Lee was a security consultant at Exodus Communications/Cable & wireless where he was responsible for securing customer systems and advising customers about potential threats. He is also an active member of a team that has won twice at the Defcon Capture the Flag hacking competition.

IPv6 is Bad for Your Privacy
Janne Lindqvist
Helsinki University of Technology

In recent years, covert channel techniques for IPv4 and more recently for IPv6 have been published by the scientific community and also presented in DEFCON 14. However, a covert channel that contains a considerable bandwidth has been overlooked, the autoconfigured IPv6 address itself. IPv6 Stateless Address Autoconfiguration is used for autoconfiguring addresses without a server in IPv6 networks. The autoconfiguration mechanism consists of choosing an address candidate and verifying its uniqueness with Duplicate Address Detection. The autoconfiguration mechanism has privacy issues which have been identified before and mitigations have been published as RFC 3041. However, we show that the privacy protection mechanism for the autoconfiguration can be used as a covert channel, and consequently, be used to harm the privacy of the user. The covert channel can be serious threat for communication security and privacy. We present practical attacks for divulging sensitive information such as parts of secret keys of encryption protocols. The scheme can also be used for very effective Big Brother type surveillance that cannot be detected by established intrusion detection systems.

Janne Lindqvist, M.Sc. (Tech), is a researcher and PhD candidate in Telecommunications Software and Multimedia Laboratory at the Helsinki University of Technology and currently a visiting scholar in the International Computer Science Institute affiliated with the University of California campus in Berkeley. Before joining the academia, he worked as a network & security engineer and software engineer in the private sector. Mr. Lindqvist's research interests are in the broad sense in the field of security and privacy and he has published over 10 articles in international scientific conferences.

Database Forensics
David Litchfield
Founder, Next Generation Security Software

Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003 another 34 states have passed similar legislation with more set to follow.

In January 2007 TJX announced they had suffered a database security breach with 45.6 million credits card details stolen - the largest known breach so far.

In 2006 there were 335 publicized breaches in the U.S.; in 2005 there were 116 publicized breaches; between 1st January and March 31st of 2007, a 90 day period, there have been 85 breaches publicized.

There are 0 (zero) database-specific forensic analysis and incident response tools, commercial or free, available to computer crime investigators. Indeed, until very recently, there was pretty much no useful information out that could help.

By delving into the guts of an Oracle database's data files and redo logs, this talk will examine where the evidence can be found in the event of a database compromise and show how to extract this information to show who did what, when. The presentation will begin with a demonstration of a complete compromise via a SQL injection attack in an Oracle web application server and then performing an autopsy. The talk will finish by introducing an open source tool called the Forensic Examiner's Database Scalpel (F.E.D.S.).

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

No-Tech Hacking
Johnny Long
Penetration Tester (*snicker*)

I'm Johnny. I hack stuff. I've been at it for quite a while now, and I've picked up a few tricks along the way. I get asked about my tricks all the time, mostly by kids who saw that movie. You know the one. But I've always said no. I've held onto my secrets as part of the pact I made with the hacker underground. I mean I'm allowed to give talks and presentations about hacking stuff, but the secrets... the real super-cool secrets I've had to keep to myself. The head of the underground said so. But I got this email the other day that says I'm THIS close to getting kicked out of the underground. Seems the glare of the public eye has been on me for far too long and I've become a liability. So, I'm going to be proactive. I'm going to quit before they can fire me. I'm coming out of the closet (not that one) and I'm airing all the underground's dirty laundry in the process. That's right. I'm going public with the 'berest of the 'ber. The real ninja skillz are yours for the knowing. Want to know how to suck data off a laptop with nothing but your MIND? Poke your way into a corporate email server without touching a keyboard? You think I'm kidding. I'm not. Want to slip inside a building and blend with the shadows? Even the best slip up with this trick, but don't worry. If your camouflage breaks down, I'll teach you the Jedi wave. Not the one in Star Wars (they stole theirs from the hacker underground), but the REAL Jedi wave that confuses people and makes them ignore you as you bumble around in the high security areas. Or the smoke trick. The one that lets you pass through walls untouched, surrounded by a cool-looking (but smelly) cloud of smoke. How about sucking sensitive data from a corporate network from the parking lot? Without a wireless device. How about blending in with the feds? You can chat with them about... fed stuff, and they'll accept you as one of their own. All this and more. The underground is gonna be sooo ticked off.

Johnny Long is a Christian, pirate, hacker, (almost) ninja and author. He has been spotted around

Self-Publishing and the Computer Underground
Myles Long
Director of Depravity, cDc communications/CULT OF THE DEAD COW
Rob "Flack" O'Hara member cDc's Ninja Strike Force
Christian "RaDMan" Wirth founder, ACiD Productions

Have you ever considered publishing your own book? Your own DVD? Self-publishing has been a part of the computer underground since its inception, from the Neon Knights to the Syndicate of London's recent book "End of Dayz". This panel will discuss types of self-publishing (both on- and off-line) and their relevance to the computer underground. They will also discuss their personal experiences in self-publishing. Ample time for questions will be available. Learn about the process from people who have gone through it.

Myles Long, M.S., E.I.T., is a member of CULT OF THE DEAD COW. He sits on the editorial board for cDc's e-zine. Additionally, Long served as the editor for cDc's first book, "The Book of Cao: Enlightenment through a Poke in the Eye", which was published in August 2006.

Rob O'Hara, aka Jack Flack, has written articles for the O'Reilly book "Retro Gaming Hacks". He also writes reviews for "Videogame Collector" magazine and the Digital Press bi-monthly zine. O'Hara is a forum moderator and administrator for Digital Press (where he also writes two regular feature columns, a contributing writer at The Log Book, and a staff reviewer at iRetroGames. O'Hara has had reviews published on and has had articles published by both "2600: The Hacker Quarterly" and CULT OF THE DEAD COW. O'Hara's first book, "Commodork", detailing his escapades in the BBS era, was published in September 2006 and has been extensively reviewed. He is a member of cDc's Ninja Strike Force.

Christian Wirth, aka RaD Man, is a computer artist and historian that founded ANSI Creators in Demand in 1990, which later became ACiD Productions, in order to celebrate the ANSI/ASCII art form. After ACiD moved to a dormant state, Wirth began and completed work on a DVD-ROM featuring over a decade and a half of artpacks by ACiD and many others entitled "Dark Domain". Wirth also owns the North American distribution rights to "Freax Volume I: The History of the Computer Demoscene". Additionally, he is a member of cDc's Ninja Strike Force.

Social Attacks on Anonymity Networks
Nick Mathewson

Any attacker can scam one or two users into revealing themselves, but do you know how to talk an entire community of smart hackers into weakening its anonymity?

In spite of progress in traffic analysis, social engineering attacks remain the most effective way to break users' anonymity and one of the best force multipliers for traditional traffic analysis attacks. Why bother doing traffic analysis when you can trick users into isolating themselves using nothing more than an IRC client? I'll discuss social attacks to circumvent and weaken existing anonymity networks, from the obvious to the intricate.

This talk will include analysis of historical attacks against the Mixmaster and Cypherpunk remailer networks, and advice for building and using anonymity tools to resist these attacks.

Technical Changes Since The Last Tor Talk
Nick Mathewson

There hasn't been a talk from the developers of Tor (the popular anonymity network) at Defcon since 2004. Since then, we've revised the protocols, added piles of new features to the software, tightened security, integrated more helper tools, made hard strategic decisions, and suffered growing pains. There have been new attacks, new defenses, new research, and new ideas.

In this talk, I'll present the most important technical changes and developments since you last heard about Tor at Defcon. Time permitting, I'll talk about the big technical challenges we're facing for the next year, some of the more interesting feature proposals we're considering, and some of the more interesting ways that smart programmers can help spread privacy to the world.

Nick Mathewson Nick Mathewson is an anonymity researcher, software engineer, and privacy hacker. His research at MIT concentrated in verifying privacy properties in Java bytecodes; he received an M.Eng in 2000. Since 2002, he has worked on anonymity, first as lead developer on Mixminion; and as a core developer on the Tor Project since 2002. His research focuses on attacking and strengthening anonymity networks. He lives in Cambridge, Massachusetts.

It's All About the Timing
Haroon Meer
Technical Director, SensePost
Marco Slaviero Senior Security Analyst, SensePost

Timing attacks have been exploited in the wild for ages. In recent times timing attacks have largely been relegated to use only by cryptographers and cryptanalysts. In this presentation SensePost analysts will show that timing attacks are still very much alive and kicking on the Internet and fairly prevalent in web applications (if only we were looking for them). The talk will cover SensePost-aTime (our new SQL Injection tool that operates purely on timing differences to extract data from injectable sites behind draconian firewall rulesets), our new generic (timing aware) web brute-forcer and lots of new twists on old favorites. We will discuss the implications of timing on current JavaScript malware discussing XSRT (Cross Site Request Timing)(because we can never have too many acronyms!) and will demonstrate how reasonably effective this is against the "Same Origin Policy".

If you are doing testing today, and are not thinking a lot about timing, chances are you are missing attack vectors right beneath your stop-watch!

Haroon Meer is the Technical Director of SensePost. He joined SensePost in 2001 and has not slept since his early childhood. He has co-authored several technical books on Information Security and has spoken and trained at conferences around the world. He has played in most aspects of IT Security from development to deployment and currently gets his kicks from reverse engineering, application assessments and similar forms of pain.

Marco Slaviero is a senior security analyst, avid reader and recovering student. He is currently a PHd candidate and a valuable member of SensePosts Security Assessment team. He doesn't smoke and is rumored to harbor personal animosity towards figs.

How smart is Intelligent Fuzzing
- or -
How stupid is Dumb Fuzzing?

Charlie Miller Senior Security Analyst, Independent Security Evaluators

Dynamic analysis, or fuzzing, is a popular method of finding security vulnerabilities in software. Fuzzing may be used by a developer to find potential problems as part of the quality-assurance process or may be used to find potential exploits in an existing software application. Fuzzing has grown in popularity because it is much easier (and often more effective) to generate and run arbitrary inputs than it is to perform a manual code audit or use software reverse engineering. However, the quality of the fuzzing analysis depends heavily on the quality and quantity of the fuzzed inputs. These inputs, called test cases, are normally constructed in one of two ways: mutation-based or generation-based. In mutation-based fuzzing, known good data are collected and then modified; modifications may be random or heuristic. The advantage of mutation-based fuzzing is that little or no knowledge of the protocol or application under study is required, however it is likely that the collected test cases will only test the most common functionality. Generation-based fuzzing starts from a specification or RFC, which describes the file format or network protocol, and constructs test cases from these documents. Generation-based fuzzing is a much more complete method of fuzzing, but it requires a significant amount of up-front work to study the specification and manually generate test cases. In this talk we analyze the differences between mutation and generation-based fuzzing techniques for the Portable Network Graphics (PNG) format, and quantify the potential advantages gained by using a generation-based approach. Our results show that generation-based fuzzing performs up to 76% better when compared to mutation-based fuzzing techniques for this format.

Charlie Miller spent five years as a Global Network Exploitation Analyst for the National Security Agency. During this time, he identified weaknesses and vulnerabilities in computer networks and executed numerous successful computer network exploitations against foreign targets. He sought and discovered vulnerabilities against security critical network code, including web servers and web applications. Since then, he has worked as a Senior Security Architect for a financial firm and currently works as a Senior Security Analyst for Independent Security Evaluators, a security consulting firm. He was a technical editor for the upcoming fuzzing book authored by Sutton, Greene, and Amini.

His areas of expertise include identifying vulnerabilities in software, writing exploits, and computer attack methodology. He is a Red Hat Certified Engineer (RHCE), GIAC Certified Forensics Analyst (GCFA), and is a Certified Information Systems Security Professional (CISSP). He has a B.S. from Truman State University and a Ph.D. from the University of Notre Dame.

The Next Wireless Frontier - TV White Spaces
Doug Mohney
Editor, VON Magazine

More unlicensed bandwidth from TV!?!
A long-term push to free up more wireless spectrum is expected to come to fruition this year as the FCC will open up unused TV channels - dubbed "white spaces" - for unlicensed broadband use this fall, with full-blown availability in 2008 once the DTV transition takes place.

Dell, Google, HP, Intel, Microsoft and Philips have joined together in the "White Spaces Coalition" to lobby for a spectrum sensing technology to find open TV channels while Motorola has submitting a more conservative proposal combining a geolocation database with spectrum sensing. Microsoft has gone so far as to submit a prototype device to the FCC to allow the regulatory agency to explore and evaluate cognitive radio and spectrum sensing technologies.

Is more unlicensed wireless bandwidth just around the corner? What is the promise of TV whitespace spectrum? What opportunities will there be to create new software and new devices? What are the "gotchas" in the various proposals? What is the latest information out of the FCC on White Spaces device?

Doug Mohney is Editor-in-Chief of VON Magazine ( and a contributor to Mobile Radio Technology ( He has been following the 700 MHz changes and white spaces happenings for three years.

Tactical Exploitation
H.D. Moore
Director of Security, BreakingPoint Systems
Valsmith Founder, Offensive Computing

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework.

H.D. Moore is the director of security research at BreakingPoint Systems, where he focuses on the security testing features of the BreakingPoint product line. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project.

Disclosure Panel
David Mortman, Moderator
CSO-in-Residence, Echelon One
Paul Proctor, Moderator VP, Gartner
Window Snyder, Vendor Director of Ecosystem Development, Mozilla Corporation
Ian Robertson CSO, RIM
David Maynor CTO, Errata Security
Dave Goldsmith

Concerns about ethics for security professionals has been on the rise of late. It's time for researchers and vendors to meet up and discuss the issues of ethical behavior in our industry and start setting some guidelines for future research and discussion. Join active analysts, vendors and researchers for a lively discussion.

David Mortman, CSO-in-Residence, Echelon One
As CSO-in-Residence, David Mortman, is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and is leading up Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007, InfoSecurity 2003, Blackhat 2004, 2005 and 2006, Defcon 2005 and 2006 and will be speaking at Defcon 2007 as well. Mr. Mortman sits on a variety of advisory boards including Qualys and Flexilis amongst others. He holds a BS in Chemistry from the University of Chicago.

Paul Proctor, Vice President, Security and Risk Practice, Gartner Research
Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

David Maynor, CTO Errata Security
David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS Maynor spent the 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Dave Goldsmith
Dave Goldsmith was co-author of the first published i386 stack overflow, and is a respected consultant, trainer, and researcher with over eleven years of experience. David co-founded @stake, managed its critical NYC office, and led Symantec Security Academy. David co-invented firewalking, which reverse-engineers firewall rules from remote firewalls and authored security tools for ISS and Network Associates.

Window Snyder is the Director of Ecosystem Development at Mozilla Corporation.

Prior to joining Mozilla, Ms. Snyder was a principal, founder, and core team member at Matasano, a security services and product company based in New York City and a senior security strategist at Microsoft in the Security Engineering and Communications organization. At Microsoft she managed the relationships between security consulting companies and the Microsoft product teams and the outreach strategy for security vendors and security researchers. Previously she was responsible for security sign-off for Windows XP SP2 and Windows Server 2003.

Ms. Snyder was Director of Security Architecture at @stake. She developed application security analysis methodologies and led the Application Security Center of Excellence. She was a software engineer for 5 years focused primarily on security applications, most recently at Axent Technologies, now Symantec.

Ms. Snyder is co-author of "Threat Modeling", a manual for security architecture analysis in software.

Re-Animating Drives & Advanced Data Recovery
Scott Moulton
Forensic Strategy Services, LLC. / System Specialist

NEW!! Advanced Data Recovery Material. Even people who think they know everything about a hard drive will be surprised at what they will learn in this presentation. Everyone will learn something new about hard drives and how to perform data recovery. We will lay it on the line and tell all! We will display All NEW Material and Animations on the inner workings of a hard drive. We will discuss rebuilding a hard drive and will teach you what to look for and how to accomplish this task on your own. If nothing else you will be entertained by one of the best animations on hard drives in the style of the History Channel.

Scott Moulton is a forensic specialist and runs a data recovery company out of Atlanta called My Hard Drive Died where he uses his forensics experience to recover hard drives.

(un)Smashing the Stack: Overflows, Countermeasures, and the Real World
Shawn Moyer
Chief Researcher, SpearTip Technologies

As of today, Vista, XP, 2K03, OS X, every major Linux distro, and each of the BSD's either contain some facet of (stack|buffer|heap) protection, or have one available that's relatively trivial to implement/enable. So, this should mean the end of memory corruption-based attacks as we know it, right? Sorry, thanks for playing.

The fact remains that many (though not all) implementations are incomplete at best, and at worst are simply bullet points in marketing documents that provide a false sense of safety.

This talk will cover the current state of software and hardware based memory corruption mitigation techniques today, and demystify the myriad of approaches available, with a history of how they've been proven, or disproved. We'll then walk through some real-world analysis of attacks against vulnerable code, and look at how effective the various protection mechanisms are at stopping them.

As an addition to this talk, I thought I'd put my money where my mouth is, so I'm offering a shiny new server up for "Øwn the box? Own the box!", running two services with known vulnerabilities that, hopefully, are protected by the countermeasures described in the talk. If it's compromised before the talk, the winner should be prepared to come up on stage and share how he / she succeeded.

Shawn Moyer is the Chief Researcher of SpearTip Technologies, a forensics, assessment and incident response consultancy. He has led security projects for major financial companies, credit card vendors, and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences. He's currently spending most of his waking moments building a soon-to-be-released security appliance. In his spare time, he's been working on translating Snow Crash into Esperanto.

Protecting your IT infrastructure from legal attacks- Subpoenas, Warrants and Transitive Trust
Alexander Muentz

You think your systems and data are safe from any attack. You fear no script kiddie. You get a +5 against social engineering. Yet a single subpoena can crack your junk open wide. A search warrant might leave you with an empty server room.

The law might be the biggest threat to your users, systems and you. Learn how to plan for and react to search warrants, subpoenas and wiretaps. I'm going to speak about the law in an IT context, make it accessible and relevant. If you manage other people's systems for a living or just are afraid of your own privacy and liberty, you might want to see this.

Alex Muentz is a lawyer and a sysadmin. He's interested in the intersection between law and technology, and has given talks (PumpCon, H.O.P.E. Six, L.I.S.A.) and published papers (2600, SysAdmin, ;login:) on this topic. He does some pro bono representation for technology professionals. He hopes he isn't as boring as this sounds.

Windows Vista Log Forensics
Rich Murphey PhD
Chief Scientist, White Oak Labs

Event logging in Windows Vista is quite different in terms of the way events are stored on disk and the way they are used by applications. Vista uses a new encoding of event records that lends itself to much broader flexibility for searching events. This encoding has a direct impact on forensic examination of event logs, which will be discussed in this presentation. The impact of the new application programming interface (API) is no less important. A primary role of the event log is support for debugging and tech support resolution. Such debugging information, in turn, provides significant value to forensic analysis where it indicates chronological traces of user activity. The new API offers far more dependable and detailed capabilities for monitoring. To the degree that this API motivates more pervasive debugging information, Vista event logs may provide greater capability to reconstruct timelines of user activity. During the presentation, sample Vista logs will be examined from a forensics perspective. Finally, the impact of these issues on relevant forensic tools will be explored.

Rich Murphey was a founding core team member of FreeBSD and XFree86. He received a PhD in Electrical and Computer Engineering from Rice University, was on the Faculty of the University of Texas Medical School in Galveston, and was Chief Scientist at PentaSafe Security Technologies. He currently works in the fields of Digital Forensics and Intrusion Prevention Systems.

Creating and Managing Your Security Career
Mike Murray

Lee Kushner President of LJ Kushner & Associates

Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. We're going to talk about the important skills, traits and knowledge that a security pro needs, not just the usual stuff (like "go get a CISSP"), we're going to come from the perspective of two people who spend much of their time talking to hiring managers and companies looking for security stars, as well as talking to those same security stars about their careers, where they're going, what's working for them, and, most importantly, what's not. And we're going to use that information to teach you how to manage your own career to find the job that keeps you challenged, growing, happy and appropriately compensated.

Mike Murray: A 10-year veteran of the security industry, Mike Murray focuses his expertise on building strong security teams, and helping security professionals create successful and fulfilling careers. Dubbed "Mr. Security Career", his new book "Forget the Parachute, Let Me Fly the Plane" is targeted at careers in fast-moving industries. Learn more at and at Mike's blog at

Lee Kushner is the President of LJ Kushner and Associates, LLC, an Executive Search firm dedicated exclusively to the Information Security industry and its professionals. Founded in 1999, LJ Kushner has successfully represented Fortune 2000 companies, Information Security Software Companies, Information Security Services Companies and large technology firms in enabling them to locate, attract, hire, and retain top level Information Security talent. He has been an invited speaker on the subjects of recruitment, retention, and industry trends at Information Security Conferences that include The Black Hat Briefings, The RSA Security Conference, Information Security Decisions, and a variety of ISSA Chapter Conferences.

The Science of Social Engineering: NLP, Hypnosis and the science of persuasion
Mike Murray

Anton Chuvakin Ph.D.

Social engineering has traditionally been more of an art than a science, we try different things, and if they work, we continue to use them over and over again. Some of the best social engineers have developed excellent technique even without understanding why what they're doing works. Mike & Anton are skilled communicators trained in NLP, hypnosis, FACS and other sciences of influence, and will present (and demonstrate) some of the cutting edge research on influence and persuasion.

Mike Murray A 10-year veteran of the security industry, Mike Murray focuses his expertise on building strong security teams, and helping security professionals create successful and fulfilling careers. Dubbed "Mr. Security Career", his new book "Forget the Parachute, Let Me Fly the Plane" is targeted at careers in fast-moving industries. Learn more at and at Mike's blog at Additionally, through his training as a master practitioner in Neurolinguistic Programming, and a certified hypnotherapist, Mike has developed skills in communication that have allowed him to understand the precise nature of human communication and persuasion.

Dr. Anton Chuvakin, GCIA, GCIH, GCFA ( is a recognized security expert and book author. In his current role as a Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic's product vision and strategy, conducting logging research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with a security information management company.

A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and the upcoming book on PCI. Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal and several blogs

Being in the know... Listening to and understanding modern radio systems
Brett Neilson
Taylor Brinton

"Being in the know" is key to supporting or violating a security infrastructure. Whether you're taking over the Taco Bell drive through or listening in during a presidential visit, being armed with the right information could drastically affect your outcome and ultimately lead to your success. This talk will focus on modern radio systems and the challenges of listening to them. We will provide information on several utilities and resources to aid in reconnaissance efforts as well as provide detailed information about how various types of radio systems function in today's modern world. Lastly we will cover some of the hardware to help make you successful and review some fun things to listen to here in Vegas and to do when you get back home.

Brett Neilson is a manager of network and information security systems and has a strong background in the wireless industry. Previously, he worked for one of the leading wireless communication companies as a Senior Systems Administrator and RF Field Technician. Currently he spends his time overseeing a team of system owners for a major financial institution. Brett is also an active amateur radio operator and scanner enthusiast who can be frequently found mapping and monitoring RF systems in his area.

Taylor Brinton is an IT manager for the leading Property Management Company in Utah. He is also a managing partner in a web hosting company, which provides design and hosting services nationwide. Taylor is an active amateur radio operator, who loves to learn new technologies and teach others about radio and computer/network systems.

Hack your brain with video games

Julian Spillane CEO Frozen North Productions, Inc

Video games are the most effective and accessible tool for hacking your physical and mental state, yet the potential impact of these technologies has yet to be exploited. In this presentation we will take you on a journey through video games -past, present and future-, dispelling the myths and emphasizing the realities, both positive and dark. We will also explain how different input devices can be used to improve the brain and how to hack together your own input framework to take advantage of these innovative peripherals.

This presentation will focus on the various opportunities of such hardware, especially biofeedback devices, in gaming and the positive effects that these technologies can have on our brains and bodies. We will also be presenting some code for expanding and accepting peripherals outside of the norm; as well as a demo of the technology, Biofeedback Tetris, making use of heart-rate monitoring and a measure of galvanic skin response to enhance game-play.

Ne0nRa1n is your run-of-the mill visionary dancing monkey whose interests lie in neuroscience, psychology, and yummy sugary snacks. Stumbling without purpose in the computer underground for a decade now, she has never graduated from any secondary institution, has never held down a job of any great importance, and spends most days trying not live up to her potential.

Julian Spillane is the co-founder and CEO of game development company Frozen North Productions, Inc. Julian attended the University of Waterloo for Software Engineering and has taken a great interest in applying principles of engineering design to software development in the games industry. After working on contract with the Department of National Defence, Julian went on to do contract work for various game development houses and eventually formed his own studio. Julian is also the founder and Chair of the Toronto Independent Games Conference, a conference dedicated to bringing together independent game developers, students, and hobbyists to discuss various facets of the industry, improve skills and encourage networking.

Digital Rights Worldwide: Or How to Build a Global Hacker Conspiracy
Danny O'Brien
International Outreach Coordinator, Electronic Frontier Foundation

Hackers and tech users in the United States have long benefited from some long-lived institutions that have worked to helped defend and publicise their rights, including but not limited to EFF and DefCon itself. But the legal and political fights over DRM and copyright, privacy invasions, cybercrime round-ups and security scaremongering, are now increasingly international battles. How can hackers across the world build their own institutions, and co-ordinate between them. Headed by Danny O'Brien, EFF's International Outreach Coordinator, co-founder of the UK's Open Rights Group, and inventor of "Life Hacks", this talk will pool advice from activist hackers coming to DefCon from around the world.

Danny O'Brien is the International Outreach Coordinator for the EFF. He works to help us collaborate with organizations and individuals fighting for liberties across the world. Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co-edits the award-winning NTK newsletter, has written and presented science and travel shows for the BBC, performed a solo show about the Net in the London's West End, and once successfully lobbied a cockney London pub to join Richard M. Stallman in a spontaneous demonstration of Bulgarian folk dance.

Greater than 1: Defeating "strong" Authentication in Web Applications
Brendan O'Connor

With Phishing, Fraud, and Identity Theft at peak levels, banks, credit unions, credit card companies, and other financial institutions are enhancing the security of their website authentication. This talk will cover the new methods of authentication, such as mutual authentication, device fingerprinting, out of band authentication, one time passwords, and knowledge base archives. We will analyze how these controls are intended to function, what they're really doing, and how we can defeat them. We will also evaluate the effectiveness of specific technologies based on their stated purpose: stopping phishing, fraud, and identity theft.

Brendan O'Connor is a security engineer from the Midwest. He worked in security for a communications company for four years before switching to the financial sector in 2004. Brendan currently works as a Security Engineer for a financial services company, where his duties include vulnerability research, security architecture, and application security. He has several multi-letter acronyms after his name, drinks too much coffee, and plays an unhealthy amount of Warcraft.

Panel: Ask the EFF
Kurt Opsahl
Senior Staff Attorney
Kevin Bankston Staff Attorney
Marcia Hofmann Attorney
Matt Zimmerman Staff Attorney
Danny O'Brien EFF Activism Coordinator
Peter Eckersley Staff Technologist

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping (with newly released technical information), using the Freedom of Information Act to dumpster dive with the law, tips and tricks for hacking evoting machines legally, how censorship, surveillance and privacy invasions are spreading throughout the world - and how hackers' can defend civil liberties at home and abroad, threats to freedom from digital TV, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter's privilege for online journalists.

Kevin Bankston, an EFF Staff Attorney specializing in free speech and privacy law, was EFF's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

Marcia Hofmann is an EFF Staff Attorney based in Washington, DC, where she focuses on government transparency and civil liberties issues. Along with her colleague David Sobel, she established EFF's FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC's efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public though her work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.

Matt Zimmerman is a Staff Attorney with the Electronic Frontier Foundation, specializing in electronic voting issues. For the 2004 and 2006 elections, he coordinated a team of nationwide legal volunteers who responded to election-day problems with e-voting technology for the non-partisan Election Protection Coalition. He currently heads EFF's efforts to coordinate nationwide e-voting litigation and amicus support and evaluate emerging voting technology. He is also actively involved ine-voting-related grassroots development and public education efforts. His practice further includes ongoing work in areas such as online privacy, anonymity, and intellectual property. Prior to joining EFF, Matt was Privacy Fellow at the public interest law firm The First Amendment Project where he specialized in privacy and open government issues. Previously, Matt worked at the international law firm Morrison & Foerster LLP, where he focused on technology and commercial litigation matters, and the nonprofit advocacy organization The First Amendment Project, where he specialized in privacy and free speech issues.

Danny O'Brien is the International Outreach Coordinator for the EFF. He works to help us collaborate with organizations and individuals fighting for liberties across the world. Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co-edits the award-winning NTK newsletter, has written and presented science and travel shows for the BBC, performed a solo show about the Net in the London's West End, and once successfully lobbied a cockney London pub to join Richard M. Stallman in a spontaneous demonstration of Bulgarian folk dance.

Peter Eckersley is a Staff Technologist for the Electronic Frontier Foundation. He keeps his eyes peeled for technologies that, by accident or design, pose a risk to computer users' freedoms-and then looks for ways to fix them. He explains gadgets to lawyers, and lawyers to gadgets. Peter is currently putting the finishing touches to a PhD on digital copyright policy with the Intellectual Property Research Institute of Australia and the computer science department at the University of Melbourne. His doctoral research focused on the practicality and desirability of using "virtual market" public funding systems to legalize P2P file sharing and similar distribution tools while still paying authors and artists for their work.

The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats
Steve Orrin
Dir. of Security Solutions, Intel, Corp.

Organizations that are implementing XML based systems, Web Services, Web 2.0 applications are discovering that there are security challenges unique to them that can surface throughout the various phases of lifecycle. Traditional network and application protection and infrastructure systems lack the functionality, performance, and operational efficiencies needed to provide a secure, cost effective solution. Web Services, SaaS and SOA provide significant benefits and efficiencies to organizations that implement them. However they also introduce new risk structures not seen in other applications or technology solutions before. This session investigates the nature of XML, Web Services and next generation threats, including a new threat model for categorizing and classifying threat types, attack vectors, and risks. The session covers new and evolving attacks and the potential damage and loss that they can cause. These include Payload, Semantic and Structural XML based attacks, as well as some Web 2.0 attacks and next generation worm threats.

Steve Orrin is Director of Security Solutions, for SSG's SPI group at Intel, Corp. and is responsible for Security Platforms and security strategy and product direction. Steve joined Intel as part of the acquisition of Sarvega, Inc. where he was their CSO. Steve was formerly Vice President of Security Solutions for Watchfire, Inc. Steve was previously CTO of Sanctum, a pioneer in Web application security testing and firewall software, and came to Watchfire through an acquisition of Sanctum. Prior to joining Sanctum, Steve was CTO and co-founder of LockStar, Inc. LockStar provided enterprises with the means to secure and XML/WebService enable legacy mainframe and enterprise applications for e-business. Orrin joined LockStar from SynData Technologies, Inc. where he was CTO and chief architect of their desktop e-mail and file security product. Steve was named one of InfoWorld's Top 25 CTO's of 2004 and is a recognized expert and frequent lecturer on enterprise security. He has also developed several patent-pending technologies covering user authentication, secure data access and steganography and one issued patent in steganography. Orrin holds an honors degree in research biology from Kean University and is published in several scientific and medical journals. Orrin is a member of the Network and Systems Professionals Association (NaSPA), the Computer Security Institute (CSI), SEI (Software Engineering Institute), International Association of Cryptographic Research (IACR) and is a co-Founder of WASC (Web Application Security Consortium) and the SafeSOA Taskforce. He participates in several OASIS, IETF and AFEI working groups.

OpenBSD remote Exploit and another IPv6 vulnerabilities
Alfredo Ortega
Core Security

OpenBSD is regarded as a very secure Operating System. This article details one of the few remote exploit against this system. A kernel shellcode is described, that disables the protections of the OS and installs a user-mode process. Several other possible techniques of exploitation are described. Several other ipv6-related vulnerabilities are described and disclosed.

Alfredo Ortega: Born at Esquel, Chubut, Argentina on 1978. Worked on lowly security related works (Mostly cracking) since 2000. Majored in Computer Science in Universidad de la Patagonia San Juan Bosco on 2003 PhD student at ITBA (Instituto Tecnologico de Buenos Aires) Actually working as Exploit Writer for Core Security.

Breaking Forensics Software: Weaknesses in Critical Evidence Collection
Chris Palmer
Security Consultant, iSEC Partners
Alex Stamos Founding Partner, iSEC Partners

Across the world law enforcement, enterprises and national security apparatus utilize a small but important set of software tools to perform data recovery and investigations. These tools are expected to perform a large range of dangerous functions, such as parsing dozens of different file systems, email databases and dense binary file formats. Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection.

In this talk, we will present our findings from applying several software exploitation techniques to leading commercial and open-source forensics packages. We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files.

This talk will make the following arguments:

(1) Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack.

(2) Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection), safe exception handling, etc.

(3) Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial.

(4) Methods for testing the quality of forensic software are not meaningful, public, or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.

Chris Palmer is a security consultant with iSEC Partners, performing application penetration tests, code reviews, and security research.

Alex Stamos is the co-founder and VP of Professional Services at iSEC Partners, a leading provider of application security services. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security.

He is a well-known researcher in the field of software security and has been a featured speaker at top industry conferences such as BlackHat, CanSecWest, DefCon, Toorcon, SyScan, Microsoft BlueHat, the Web 2.0 Expo, InfraGuard, ISACA and OWASP.

He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley.

CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript
Daniel Peck
Security Researcher, Secureworks
Ben Feinstein Security Researcher, Secureworks

The web browser is ever increasing in its importance to many organizations. Far from its origin as an application for fetching and rendering HTML, today's web browser offers an expansive attack surface to exploit. All the major browsers now include full-featured runtime engines for a variety of interpreted scripting languages, including the popular JavaScript. The web experience now depends more than ever on the ability of the browser to dynamically interpret JavaScript on the client.

We will present a software framework for the automated collection of JavaScript from the wild, the subsequent identification of malicious code, and characteristic analysis of malicious code once identified. Building on the work of several existing client honeypot implementations, our goal is to largely automate the painstaking work of malicious software collection. Our focus is on attacks using JavaScript for obfuscation or exploitation.

We will also discuss the findings based on the deployment of a network of CaffeineMonkeys. The analysis and conclusions will focus on identifying new in-the-wild obfuscation / evasion techniques and JavaScript browser exploits, quantifying the prevalence and distribution of well-known and newly discovered obfuscation and evasion techniques, as well as quantifying the prevalence and distribution of known and newly discovered JavaScript browser exploits.

Daniel Peck is a Security Researcher at Secureworks. His team is responsible for day to day discovery and documentation of vulnerabilities, as well as crafting countermeasures for several product lines and training security analysts to detect attacks patterns and trends. He has also been a critical team member in creating numerous internal tools and contributing to the design of future products and services. He has a BS in Computer Science from the Georgia Institute of Technology

Ben Feinstein is a Security Researcher at SecureWorks. He was introduced to IDS when working on a DARPA/Air Force contract 2000-2001 while getting his B.Sci in Computer Science at Harvey Mudd College. He is the author of RFC4765 and RFC4767. He has worked professionally designing and implementing security-related software since 2001. Feinstein worked in the areas of next-gen firewall systems, IDS/IPS, log analysis and visualization, vuln scanning, secure messaging, and security appliances, among other things.

Feinstein was a panelist at RAID and presented at ACSAC and several IETF meetings and achieved his CISSP certification in 2005.

Securing the Tor Network
Mike Perry
Mad Computer Scientist, evil labs

Imagine your only connection to the Internet was through a potentially hostile environment such as the Defcon wireless network. Worse, imagine all someone had to do to own you was to inject some html that runs a plugin or some clever javascript to bypass your proxy settings. Unfortunately, this is the risk faced by many users of the Tor anonymity network who use the default configurations of many popular browsers and other network software. Tor is designed to make it difficult even for adversaries that control several points in the network to determine where you're coming from or where you're going, yet these "data anonymity" attacks and attacks to bypass Tor can be performed effectively by a malicious website, or just one guy with a Ruby interpreter! To add insult to injury, software vendors seldom consider such exploits and other privacy leaks as real vulnerabilities.

Fortunately, there are some things that can be done to improve the security of the web browser and Tor users in general. This talk will discuss various approaches to securing the Tor network and Tor usage against a whole gauntlet of attacks, from browser specific, to general intersection risks, to theoretical attacks on routing itself. Methods of protection discussed will include node scanning, transparent Tor gateways, Firefox extensions (including the dark arts of Javascript hooking), and general user education. Each approach has its own strengths and weaknesses, which will be discussed in detail.

By day, Mike Perry is a mild mannered reverse engineer owned and operated by Riverbed Technology, slaving away at accelerating broken monopolistic protocols from the Evil Empire and generally helping to make the Internet faster by several orders of magnitude. By night, he transforms into an ardent supporter of digital rights, privacy, and anonymity on and offline. Mike believes that not only is it every person's right to opt-out of the Database Nation, it is also in their self-interest to do so, and to have company. We are only just beginning to understand the consequences of having our entire lives archived and sold to the highest bidder, to say nothing of rampant government surveillance. Those who are not careful with protecting their personal information and online activities are in for some unpleasant surprises in the future: be it from a bitter divorce case, character attacks in a frivolous lawsuit, political opposition, or just plain old marketing spam that arrives at exactly the wrong time. In a world where our minute-to-minute thoughts are archived by IP address in search engines, Mike believes Tor is desperately needed not just by political dissidents, but by everyone.

Pen-testing Wi-Fi
Aaron Peterson
Founder,Midnight Research Laboratories

As wi-fi becomes increasingly popular and as more layers of access control are added, the fact that a wireless access point exists becomes less interesting to us. The problem is that manually going through a long list of access points checking for interesting information is tedious at best.

Wicrawl is a tool that will allow you to "crawl" through discovered access points with a series of plugins that implement common tools (nmap, aircrack, etc) to find the accessible, interesting, or relevant ones. This can help with penetration testing, detecting rogue access points, or maybe just finding free internet access. We recently revamped wicrawl to be more targeted towards penetration testing adding a new reporting infrastructure as well as accelerated hardware support, and this will be released at Defcon. A wi-fi finding robot will also make its debut!

Aaron will give a guided tour of this new utility and its capabilities, as well as the plugins. A live demo of wicrawl will be shown. We'll hand out free liveCDs that include the software!

Aaron Peterson Aaron is the founder of Midnight Research Laboratories, a computer security research group based in the San Francisco bay area with members in several US cities. He is the project leader and a developer for wicrawl. By day he works on the Harvard University network security incident response team, and by night does security consulting and penetration testing with Alpha Defense.

How to be a WiFi Ninja
Matthew Shuchman

As one of the founders of, where over the past few years we have sold thousands of WiFi devices and antennas for Pen testing and extended range WiFi, I will be presenting simple, but very effective techniques for extending the range of WiFi beyond the standard 15-30 meter range to 3-5 km, or more using home brew components.

Pilgrim is an ancient hacker who came from the tombs of Egypt. In those days punch cards ruled the world. Well with maturity may come intelligence and he founded WarDrivingWorld and enjoys teaching. He was formerly a government economist, has published business books and articles, and owned a network company. He lives in Florida with his dog Jack and enjoys playing with WiFi for fun and profit.

Stealing Identity Management Systems

Novell's Identity Manager and related components are become fairly common in large networks. Identity management systems in general bring a number of security implications that are often not well understood. Even when best practices are followed, the system often has vulnerabilities that can be exploited. Since there seems to be little research into hacking identity management systems, the goal of this talk is to bring some recognition to security risks these systems bring to an organization. This talk will look at some of the inherent properties of identity management systems which can make them prone to exploitation, and look at some specific techniques for exploiting certain configurations.

Plet is a security researcher who formerly worked for a consulting company, and now works for a non-profit in an attempt to restore the karma lost by being a consultant. He was forced to work with Novell's idm products, and grew to hate Novell as a result. He wrote the first commercially available universal password reader.

Dirty Secrets of the Security Industry
Bruce Potter
The Shmoo Group

The fox is guarding the hen house, and both the fox and the hens are making a lot of money in the process. Such is the state of the security industry in 2007. For the last 15 years, we have been building security into our networks and applications using concepts like "defense in depth" and "layered security." It turns out, that the attackers are now leveraging our security systems against us. Worse, we have made the security industry a self feeding, self fulfilling prophecy that may actually be causing harm to those we are trying to protect.

Yeah, FUD! So while this may sound fatalistic and like I'm trying to stir up a flame war, I think there are real issues that we need to face when it comes to the next steps in computer security. This talk will uncover 8 dirty secrets of the security industry. Some you will believe, some you will be skeptical of, and some may strike a little too close to home.

Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.

Covert Debugging: Circumventing Software Armoring Techniques
Danny Quist
Cofounder, Offensive Computing, LLC
Valsmith Cofounder, Offensive Computing, LLC

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

Danny Quist is currently the CEO and co-founder of Offensive Computing, LLC a public malware research site as well as a consulting company. He is a PhD student at New Mexico Tech working on automated analysis methods for malware with software and hardware assisted techniques. He has written several defensive systems to mitigate virus attacks on networks and developed a generic network quarantine technology. He consults both with both private and public sectors on system and network security . His interests include malware defense, reverse engineering, exploitation methods, virtual machines, and automatic classification systems.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project. Valsmith is also a member of the Cult of the Dead Cow NSF.

The Inherent Insecurity of Widgets and Gadgets
Aviv Raff
Security Researcher, Finjan
Iftach Ian Amit Director of Security Research, Finjan

Widgets (or Gadgets) are small applications, which usually provide some kind of visual information or access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, due to the simplicity of legitimate widgets, such as calculators and clocks, they are developed without security in mind.

In this presentation, we will explain the three different types of widgets in detail. We will demonstrate proof of concept of a malicious widget for each of the types and also highlight the attack vectors for exploiting a vulnerable legitimate widget.

Following the demonstrations, we will talk at a high-level about widgets integrated in mobile devices. We’ll take a brief look at the Widgets 1.0 paper created by the W3C, and also talk about the similarity between widgets and browser extensions in terms of their inherent insecurity.

Aviv Raff is a security researcher specializing in application vulnerabilities research, security product evasion techniques and malicious code analysis. He contributes to projects like Metasploit and Month of Browser Bugs. He is also a co-creator of several known browser fuzzers like Hamachi, CSS-Die and DOM-Hanoi. In his spare time, Aviv works as a security researcher at Finjan's Malicious Code Research Center (MCRC).

Iftach Ian Amit: With over 10 years of experience in the information security industry, Iftach Ian brings a mixture of Software development, OS, Network and web security to Finjan as the Directory of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development, Information security as well designing and building a financial Datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix Department, where he has been consulting to major banking and industry companies worldwide. Iftach Ian holds a Bachelors degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzlya.

The Emperor Has No Cloak - WEP Cloaking Exposed
Vivek Ramachandran
Senior Wireless Security Researcher, AirTight Networks

We thought The Emperor has No Cloak story was a pure fiction until we came across an announcement three weeks ago. Marketing can sell anything. The question is can an invisible cloak be sold in modern times when most of us can see through it?

The WEP cloaking technique works (or rather, as we argue, does not work) by injecting spoofed WEP encrypted data frames ("Chaff") into the air. These chaff packets may contain random data or encrypted with a key different from the actual WEP key in use and may use only weak IVs. Unmodified WEP cracking tools fail to crack the original WEP key in a chaff-contaminated packet trace. Apart from the fact that WEP cloaking does not address any of the other weaknesses in WEP (such as message modification, replay attacks, shared authentication flaws, packet decoding using ICV etc); there are multiple ways to beat WEP cloaking, which we will disclose during our talk.

We also plan to release a set of tools including a patch for Aircrack which will keep WEP cracking the simple job it's always been - even in the presence of WEP Cloaking. Final verdict on WEP Cloaking: WEP was, is, will remain broken. It cannot be secured by obscuring its flaws.

Vivek Ramachandran is a member of security research team at AirTight Networks. His current focus is on 802.11 security -- both threats and countermeasures. In 2006, Vivek was featured in the "India Top 10" list of the Microsoft Security Shootout contest (web application security) among a reported 65,000 participants. He has delivered talks and tutorials in security conferences and workshops, and has published case studies and original research papers in DDoS mitigation and arp spoofing detection. Vivek is a graduate in Electronics and Communications from the Indian Institute of Technology, Guwahati.

Beyond Vulnerability Scanning - Extrusion and Exploitability Scanning
Matt Richard
Rapid Response Team, iDefense
Fred Doyle Labs Director, iDefense

With this presentation we will demonstrate a new tool called eescan that automates extrusion and exploitability scanning using a client/server approach. Eescan will be released under the GPL and utilizes python to create an extensible framework for testing extrusion and exploit defenses.

All network security systems have gaps. Layered security tries to cover the gaps with overlapping protections like firewalls, intrusion prevention, proxies and other mechanisms. How do you really know where the gaps are before the weeds grow through? Vulnerability assessment tools scan for vulnerable systems from an attackers perspective. This technique has value but fails to represent the risk posed by client application usage and attacks. They also fail to assess extrusions - the traffic content allowed to leave a network.

Extrusion and exploitability scanning attempts to find these gaps using an automated scanning framework. The scanning techniques simulate user and attacker behavior from the client perspective to holistically measure the amount of risk in a given security system.

Matt Richard works on the Rapid Response team at iDefense, a Verisign company. At iDefense he is responsible for analyzing and reporting on samples of unknown malicious code and other suspicious activity. For 7 years prior to iDefense Matt created and ran a managed security service used by 130 banks and credit unions. In addition he has done independent forensic and security consulting for a number of national and global companies.

Matt has written a number of tools including a web application testing tool, log management and intrusion detection application and an automated Windows forensics package. Matt currently holds the CISSP, GCIA, GCFA and GREM certifications.

Biting tha Hand that Feeds You - Storing and Serving Malicous Content >From Well Known Web Servers
Billy Rios
Senior Security Researcher, VeriSign
Nathan McFeters Senior Security Advisor, Ernst & Young

Whats in a name? How do you know you should "trust" the content you are receiving? In today's World Wide Web, we place a lot of "trust" into domain names. For many, domain names help determine the whether a particular link or file should be trusted, or eyed with suspicion. Domain name trust has even made its way into security systems, considering many of the protections built into our browsers are based strictly on domain names! In this talk, we'll take a look at some simple ways to store and serve malicious content from some of the most popular servers on the Internet.

It's time we rethink the ways we've implemented one of our most treasured Web resources... web mail. We'll bite the hand that feeds us by abusing the very features that make web mail services so popular. We'll show you how to use popular web mail servers as a repository for malicious content and how to serve that content to those surfing the World Wide Web (no email address required!)

Billy Rios is a Senior researcher for VeriSign's Global Security Consulting Service. He has performed network, application, web-application, source-code, wireless, Internet, Intranet, and dial-up security reviews and penetration testing for numerous clients in the Fortune 500.

Prior to joining VeriSign, Billy worked as an Intrusion Detection Analyst with the Defense Information Systems Agency (DISA). While at DISA, Billy provided vulnerability analysis, network intrusion detection, incident response, incident handling and formal incident reporting of incidents related to Department of Defense information systems throughout the entire Pacific Region.

Billy has an undergraduate degree in Business (with a formal concentration Information Systems) from the University of Washington and a Master of Science Degree in Information Systems (with Distinction) from Hawaii Pacific University.

Billy is also a Captain in the United States Marine Corps Reserve and served as an active duty Marine Officer during Operation Iraqi Freedom. Billy was recognized by Time magazine as "Person of the Year" for 2006.

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Houston, TX. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has served as the Engagement Manager for the ASC#s largest client, leading hundreds of web application reviews this year alone.

Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area.

Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.

MQ Jumping
Martyn Ruks
Senior Security Consultant MWR InfoSecurity

Every day billions of dollars pass through middleware, the unglamorous component of most enterprise applications. Middleware may be unglamorous, but even if billions of dollars doesn't interest you, it's bound to attract someone's interest sooner or later. Often security is addressed in the front-end web server and back-end database but the other components are often ignored. The reason for this can be a lack of understanding of the risks or lack of knowledge of the middleware products and how they can be attacked. One important property of a multi-tier environment is the ability to reliably pass data between authorised system components and therefore messaging software is often required. A popular and widely deployed example of such a component is IBM's Websphere MQ (formally MQ Series).

This software can be run across a number of platforms including Microsoft Windows, commercial and Open Source UNIX platforms and IBM \u2019s z/OS and i5 Operating Systems. Companies use the technology to pass messages between application components and it is widely deployed across a wide range of industry sectors including Finance, Retail, Healthcare and many others. During penetration tests conducted by MWR InfoSecurity against its clients it has been discovered that the security features provided by the product are either not utilised correctly or are not suitable for their intended use.

This presentation will uncover the truth behind Websphere MQ security as it is deployed in the real world and will look at how the software can be abused by an attacker resulting in remote code execution. The talk will focus on methods for analysing the security controls that can be used to protect an installation of MQ and the limitations of each of them. Following on from this section of the talk a number of methods will be presented for compromising both the message data and the Operating System through the MQ service. This will culminate in a demonstration of some of the attacks presented in the talk, followed by a discussion about the methods that exist for protecting an installation and ensuring that security breaches do not occur.

Martyn Ruks is an information security professional working for MWR Infosecurity in the UK. His primary interest is in weird networking protocols and the software that use them. His interest in Websphere MQ arose after being asked to test an installation for a client and the results encouraged him to investigate further. Martyn spoke at Defcon last year about IBM Networking Security and the fact that this year's talk is about Websphere MQ is just coincidence, or maybe its the fact that IBM occupy the office next to his, either way he hopes to show you cool stuff you can do when you produce your own code that communicates with someone else's software.

Vulnerabilities and The Information Assurance Directorate
Tony Sager
Chief, Vulnerability Analysis and Operations Group, Information Assurance Directorate, National Security Agency

The Information Assurance Directorate (IAD) within the National Security Agency (NSA) is charged in part with providing security guidance to the national security community. Within the IAD, the Vulnerability Analysis and Operations (VAO) Group identifies and analyzes vulnerabilities found in the technology, information, and operations of the Department of Defense (DoD) and our other federal customers. This presentation will highlight some of the ways that the VAO Group is translating vulnerability knowledge in cooperation with many partners, into countermeasures and solutions that scale across the entire community. This includes the development and release of security guidance through the NSA public website ( and sponsorship of a number of community events like the Cyber Defense Initiative and the Red Blue Symposium. It also includes support for, or development of, open standards for vulnerability information (like CVE, the standard naming scheme for vulnerabilities); the creation of the extensible Configuration Checklist Description Format (XCCDF) to automate the implementation and measurement of security guidance; and joint sponsorship, with the National Institute of Standards and Technology (NIST) and the Defense Information Systems Agency (DISA), of the Information Security Automation Program (ISAP), to help security professionals automate security compliance and manage vulnerabilities. The presentation will also discuss the cultural shift we have been making to treat network security as a community problem, one that requires large ≠scale openness and cooperation with security stakeholders at all points in the security supply chain ≠ operators, suppliers, buyers, authorities and practitioners.

Tony Sager is the Chief of the Vulnerability Analysis and Operations (VAO) Group, part of the Information Assurance Directorate at the National Security Agency. The mission of the VAO organization is to identify, characterize, and put into operational context vulnerabilities found in the technology, information, and operations of the DoD and the national security community and to help the community identify countermeasures and solutions. This group is known for its work developing and releasing security configuration guides to provide customers with the best options for securing widely used products. The VAO Group also helps to shape the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL), partnering with National Institute for Standards and technology (NIST) on the Information Security Automation Program (ISAP), developing the eXtensible configuration checklist description format (XCCDF), and for hosting the annual Cyber Defense Exercise and the Red Blue Symposium. Mr. Sager is active in the public network security community, as a member of the CVE (Common Vulnerabilities and Exposures) Senior Advisory Council and the Strategic Advisory Council for The Center for Internet Security. He is in his 29th year with the National Security Agency, all of which he has spent in the computer and network security field.

Network Mathematics: Why is it a Small World?
Oskar Sandberg
Chalmers Technical University and Gˆteborg University

Networks are central do almost everything that hackers do. Be they computer networks, peer-to-peer networks, information networks, or social networks, they are all around us and understanding them is the key to understanding both the strengths and vulnerabilities of our world. The speaker, a mathematician working in the field of complex networks, will introduce the modern mathematics of networks, and how it can be applied to real-world situations.

In particular, we will look at the small-world phenomenon, which says that points in many naturally occurring networks tend to separated in only a few steps. In the case of social networks formed by friendship bonds, this is the famous "six degrees of separation". We will discuss the relevance of this to the world around us, as well as attempt an understanding of the dynamics of such networks, what makes them special, and why they seem to form naturally without explicit design.

Oskar Sandberg (born 13 January 1980 in Falun, Sweden), is a key contributor to the Freenet Project, and a graduate student at the Chalmers Technical University in Gothenburg, Sweden. Oskar collaborated with Ian Clarke to design the new "darknet" model employed in Freenet 0.7, work which was presented at the DEF CON security conference in July 2005. Oskar is also working on a Ph.D. about the mathematics of complex networks, especially with regard to the small world phenomenon. Besides this he has an active interest in distributed computer networks and network security, and has been an active contributor to the Freenet Project since 1999.

The Church of WiFi Presents: Hacking Iraq
Michael Schearer

What in the world is a U.S. Navy officer (a Naval Flight Officer, no less) doing in the middle of Iraq? Electronic warfare, of course! The Church of WiFi presents an unclassified presentation of theprez98's experiences during his 9-month tour in Iraq. Embedded with Army units on the ground, theprez98 brought his expertise in electronic warfare to bear against the biggest threat to coalition forces - the improvised explosive device (IED). He will explore the communications infrastructure and the brief history of the Internet in Iraq. Furthermore, drawing on his background as an EA-6B Electronic Countermeasures Officer, he will explain the counter-IED fight in Iraq. Finally, he will discuss the prospects for the future.

Michael Schearer ("theprez98") is an active-duty EA-6B ECMO. He flew combat missions during Enduring Freedom, Southern Watch, and Iraqi Freedom. He took his EW specialty to Iraq, where he embedded with Army units. While at Penn State, he is actively involved in IT issues. He is a licensed amateur radio operator, an active member of the Church of WiFi and a regular on the DEFCON and NetStumbler forums. He lives in Pennsylvania with his wife and 3 kids.

Q & A with Bruce Schneier
Bruce Schneier

Bruce Schneier is an internationally renowned security technologist and CTO of BT Counterpane, referred to by The Economist as a "security guru." He is the author of eight books -- including the best sellers "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," "Secrets and Lies," and "Applied Cryptography" -- and hundreds of articles and academic papers. His influential newsletter, Crypto-Gram, and blog "Schneier on Security," are read by over 250,000 people. He is a prolific writer and lecturer, a frequent guest on television and radio, has testified before Congress, and is regularly quoted in the press on issues surrounding security and privacy.

The Executable Image Exploit
Michael Schrenk

The "Executable Image Exploit" lets you insert a dynamic program into any community website that allows references to off-domain images; like MySpace or eBay. By uploading the following line of HTML to a community website, <img src=""> you can launch a dynamic program that masquerades as a static image and capable of reading and writing cookies, analyzing referrer (and other browser) variables and access databases. It is even possible to create an image the causes a browser to execute JavaScript.

Michael Schrenk A previous DEFCON Speaker (DC10 & DC11), Michael Schrenk has created Internet strategies for companies like: Disney, Nike, AOL and Callaway Golf. He is the author of "Webbots, Spiders, and Screen Scrapers" (2007, No Starch Press), and has written for Computer World and Web Techniques magazines. Currently, he has an article (about webbots) in the July issue of php|architect. Mike has also taught college courses on web usability and Internet marketing. You can contact him at

Panel: Center for Democracy & Technology Anti-Spyware Coalition
Ari Schwartz, Moderator
Deputy Director, the Center for Democracy and Technology
Ben Edelman Harvard Business School
Eileen Harrington Deputy Director, FTC Bureau of Consumer Protection
Mario Vuksan Director of Knowledgebase Services, Bit9

Profit and motive for spyware will increase drastically over the next three years. How are federal agencies and corporations planning for this surge? What are next big technological breakthroughs? How can we prepare?

Ari Schwartz, Deputy Director, the Center for Democracy and Technology
Ari Schwartz is the Deputy Director of the Center for Democracy and Technology (CDT). Schwartz's work focuses on increasing individual control over personal and public information. He promotes privacy protections in the digital age and expanding access to government information via the Internet. He regularly testifies before Congress and Executive Branch Agencies on these issues.

Schwartz also leads the Anti-Spyware Coalition (ASC) , anti-spyware software companies, academics, and public interest groups dedicated to defeating spyware. In 2006, Schwartz won the RSA award for Excellence in Public Policy for his work building the ASC and other efforts against spyware.

Ben Edelman, Harvard Business School
Ben Edelman is an assistant professor at the Harvard Business School in the Negotiation, Organizations & Markets unit.

Ben's current research includes analyzing methods and effects of spyware, with a focus on installation methods and revenue sources. Ben has documented advertisers supporting spyware, advertising intermediaries funding spyware, affiliate commission fraud, and click fraud.

More generally, Ben is interested in the evolving mix of public and private forces shaping the Internet -- how private parties and central authorities seek to change users Internet experience. In this vein, Ben tabulated registrations in new TLDs and tracked Internet filtering efforts by governments worldwide.

Ben's academic research focuses on Internet advertising. Looking at pay-per-click auctions for online advertising, Ben has analyzed search engines market designs, bidders' strategies, and possible improvements to these large and growing marketplaces. Ben's recent academic work also includes designing compensation structures to deter advertising fraud, and critiquing online "safety" certifications that fail to adequately protect users.

Ben was previously a Student Fellow at the Berkman Center for Internet & Society, where his projects included analyzing the formative documents and activities of ICANN, running Berkman Center webcasts, and developing software tools for real-time use in meetings, classes, and special events. He oversaw ICANN Public Meeting webcasts and operated the technology used at ICANN's first twelve quarterly meetings. Ben wrote about domain name politics, particularly in the context of expired domain names subsequently used for pornography and registered with false WHOIS data. He developed methods for testing Internet filtering worldwide, without leaving his office, publishing reports on filtering in China and in Saudi Arabia.

Ben has served as a consultant and testifying expert for a variety of clients, including the ACLU, the City of Los Angeles, the National Association of Broadcasters, the National Football League, the New York Times, the Washington Post, and Wells Fargo.

Ben holds a Ph.D. from the Department of Economics at Harvard University, a J.D. from the Harvard Law School, an A.M. in Statistics from the Harvard Graduate School of Arts and Sciences, and an A.B. in Economics from Harvard College (summa cum laude). He is a member of the Massachusetts Bar.

Eileen Harrington, Deputy Director, FTC Bureau of Consumer Protection
Eileen Harrington, an attorney, is Deputy Director of the Federal Trade Commission's Bureau of Consumer Protection. The Bureau of Consumer Protection¹s mandate is to protect consumers from deceptive, unfair, or fraudulent practices. The Bureau enforces a variety of consumer protection laws enacted by Congress, as well as trade regulation rules issued by the Commission. Its actions include individual company and industry-wide investigations, administrative and federal court litigation, rulemaking proceedings, and consumer and business education. In addition, the Bureau contributes to the Commission¹s on-going efforts to inform Congress and other government entities of the impact that proposed actions could have on consumers.

Prior to becoming Deputy Director of the Bureau of Consumer Protection, Ms. Harrington was Associate Director for Marketing Practices. In that role, she led the Commission¹s consumer fraud law enforcement effort, and oversaw some of its most visible regulatory work, including the National Do Not Call initiative and implementation of the CAN-SPAM Act. She also led development of the Commission¹s Internet Fraud enforcement program and coordinated domestic and international law enforcement programs to detect and halt fraud against consumers on the Internet.

Ms. Harrington joined the FTC as Assistant Director for Marketing Practices in 1987, and served as Associate Director for Marketing Practices from 1991 to 2005. In 1997, President Clinton conferred on Ms. Harrington the rank of Distinguished Executive in the Senior Executive Service for "sustained extraordinary accomplishments" in organizing and leading interagency enforcement, education and regulatory efforts to halt consumer fraud. In 2004, she was awarded a Service to America Medal for her work on the National Do Not Call Registry.

Mario Vuksan, Director of Knowledgebase Services, Bit9
Mario Vuksan is the Director of Knowledgebase Services at Bit9, a leading provider of application and device control solutions, where he has helped create the world's largest collection of actionable intelligence about software. Before Bit9, Vuksan was Program Manager and Consulting Engineer at Groove Networks (acquired by Microsoft), working on Web based solutions, P2P management, and integration servers. Before Groove Networks, Vuksan developed one of the first Web 2.0 applications at 1414c, a spin-off from PictureTel. He received a bachelor's degree in Mathematics, Art History, and Computer Science from Swarthmore College and a master's degree in Art History from Boston University.

Jason Scott

Too often, "Computer History" gets shoved into a forgotten bin of irrelevancy, devoid of use for lessons and understanding. Even more often, people often fail to realize they're making history themselves. Jason Scott will walk though the basics of computer history, what to save, how to ensure things last for future generations, or perhaps how to ensure it's never found again.

Jason Scott is a hard-core computer historian now celebrating 25 years online, starting when he was 11. He's the administrator of TEXTFILES.COM, a growing collection of computer history, and the director of one released documentary, "BBS", on Dial-Up Bulletin Board Systems, and two still-in production documentaries: "Get Lamp" (on text adventure games) and "Arcade" (on Arcades). At last year's Defcon, he ate a 16-pound lobster named Brian.

A Crazy Toaster: Can Home Devices Turn Against Us?
Dror Shalev
Security Expert, Check Point Software Technologies

Home networking devices, wireless equivalents, hardware and technology raise new privacy and trust issues. Can home devices turn against us and spy on our home network? Do we care if our toaster sees us naked? This talk will cover a scenario of "Crazy Toaster". Trojan device under Vista and XP environment, or software with TCP/IP capabilities like routers, media players or access points, that joins a local area network and thus becoming a security hazard.

This "Crazy Toaster" presentation will discuss the steps needed to conduct a Trojan device that exploits users trust in technology. Flaws associated with home networking protocols such as UPnP and SSDP would be presented. The primary goal of the "Crazy Toaster" presentation is to present a new offensive technique by demonstrating the security hazard and design flaws. As home networking becomes more ubiquitous, the scope of this problem becomes worse.

Dror Shalev is working as a Security Expert for Check Point SmartDefense Research Center, focusing on Browser & Windows Security. He has worked as Senior Security Researcher at, Malicious Code Research Center, as well as having found several major security vulnerabilities in various major web mails systems such as Hotmail, Yahoo! Mail, and in Microsoft products. SOC Manager at DATA SEC, developed and designed Internet Security Systems, Conducted penetration tests for e-Banking systems in Europe. CTO & Co-Founder at BmyPC, developed R&D methodology and software for virtual Web desktop service, enabling web devices to receive computing services via the internet. Dror has run a Security Workshop that deals with recent Browser Exploits security & privacy, online threats at

Saving The Internet With Hate
Zed A. Shaw

Utu is the Maori word for a system of revenge used by Maori society to provide social controls and retribution. Utu is also a protocol that uses cryptographic models of social interaction to allow peers to vote on their dislike of other peer's behavior. The goal of Utu is to experiment with the effects of bringing identity, reputation, and retribution to human communications on the Internet. A secondary goal is wiping out IRC because apparently nobody really likes IRC.

This presentation will cover the protocol's design, use of cryptography, secure coding practices, and an analysis of it's adoption and current research results. The presentation is for medium to advanced participants interested in similar open source projects. In the spirit of openness and collaboration and just plain evil, there will be an Utu server running for conference participants to use during the conference. The goal is to present the system, get people thinking, and obtain feedback on the design and implementation.

Zed A. Shaw is the author of a Ruby web server named Mongrel and a frequent speaker at conferences and user groups around the US. He's currently working as a software developer and tinkers on open source projects in his spare time.

Cool stuff learned from competing in the DC3 digital forensic challenge
David C. Smith
University Information Security Officer, Georgetown University
Mickey Lasky Senior Security Analyst

Last fall, the Department of Defense Cyber Crime Center (DC3) hosted a digital forensics challenge that included interesting puzzles such as physical media reconstruction, data carving, password cracking, and booting forensic images with virtual machines. My team from Georgetown University competed with a shoestring budget against a 140 teams and came in 4th place overall. The presentation will cover the individual challenges, our solutions, and the methodologies we developed to compete with the pros.

David C. Smith works at Georgetown University as the University Information Security Officer and manages a team to provide security services to the University in this time of data loss / e-discovery peril. Prior to becoming much more of "the man" than he intended, Dave was a security consultant, active with open source projects, a 2600 meeting regular in DC / Northern VA area, and ran a bitchin WWIV BBS - The Last Cigarette.

Thinking Outside the Console (box)
aka Theresa Verity

Having seen the ads this last holiday season, you think you might know all there is to know about the new crop of console game systems. But are these, and other console game systems, just for fun and games? Could they be used for other purposes?? Yes they can. With the advent of more powerful consoles many systems have the ability to do just about anything - after all they are still computers. Two years ago I gave a presentation at ToorCon discussing the hackability and usability of hand-held game systems. Since then, I have looked at all of the popular game consoles and researched their collective potential as platforms of covert penetration testing. Many of these machines can be easily modified to execute code not originally meant for game systems. In this topic I will discuss how game consoles can be used as another avenue in the penetration of your network...

Squidly1 aka Theresa Verity, is a Computer Network Defense Team Lead for the Navy - and after work she investigates network security issues and plays online. Theresa's technical background began during her childhood (long ago) with her first program, a game coded on the Commodore VIC-20. Her interest in anything computerized continued on through college with her studies as a Software Engineering major. During the last two years, after purchasing a Sony PSP, she has spent her spare time investigating possible threat vectors from the new generation of hand-held game consoles. That research evolved into talks at ToorCon7 and at the NSA's REBL Conference in 2006. She is currently a member of DC-757, Sploitcast and is an unrepentant G33k.

When Tapes Go Missing
Robert Stoudt

We hear it in the news all too frequently, "26 IRS tapes containing taxpayer information potentially contain taxpayers' names, SSNs, bank account numbers, or employer information", "tapes containing customer information were stolen from a lock box... 196,000 names, SSN, etc", "disappearance of 9 tapes containing payroll information on 52,000 employees, including SSNs and in some cases bank account numbers. The 9th tape contained "less sensitive" information about 83,000 hospital patients."

With quotes such as "It is important for customers to note that these tapes cannot be read without specific computer equipment and software", in attempted damage control, it is critical that we understand when such statements are true and under what circumstances they are not.

With this in mind, we will take a look at the little investigated field of tape forensics. We will look at how easy it is to recover data from tape, the limitations of tape data recovery and tape data recovery methods, and of course, steps to protect your company data.

Robert Stoudt currently spends his days ''ethically'' hacking corporate customers for a fortune 10 company. Prior jobs included Senior UNIX, M$, Network Administrators through the eleven years prior to his move to the gray side.

He enjoys working on a variety of technical projects including forensics analysis, incident response, vulnerability analysis and R&D. This includes learning how things work and how to subvert them for his benefit and pleasure.

He holds over 35 computer certifications including: CISSP, GCIH, SUN SCSA, Redhat RHCE, IBM AIX

Hacking the EULA: Reverse Benchmarking Web Application Security Scanners
Tom Stracener
Sr. Security Analyst, Cenzic
Marce Luck Information Security Architect, A Fortune 100 Company

Each year thousands of work hours are lost by security practitioners as time is spent sorting through web application security reports and separating out erroneous vulnerability data. Individuals must currently work through this process in a vacuum, as there is no publicly available information that is helpful. Restrictive EULAs (End User License Agreements) prohibit examining a signature code-base for common errors or signature flaws. Due to the latter point, a chilling effect and has discouraged public research into the common types of false positives that existing commercial technologies are prone to exhibit.

Reverse Benchmarking is a new species of reverse engineering that involves running a security solution against an application designed to solicit false positives. Unlike testing scenarios that emphasize gathering valid or accurate data, Reverse Benchmarking involves exposing architectural or logical flaws within a web application scanner by employing techniques to trick simple rule-based mechanisms. Running a scanner against a Reverse Benchmark target quickly reveals faulty rules, flawed testing logic, or poorly written or implemented security testing procedures. Additionally, a Reverse Benchmarking application will expose patterns in the propensity of a scanner to report false results, making it easier to spot false positives when they occur in the future.

Reverse Benchmarking opens up new opportunities for studying and improving existing web application security technology by exposing common faults in testing logic that are often the culprit of massive false positives. In turn this facilitates research into a taxonomy of general false positive types, ideally, a schema for mapping particular security tests to a common, generic language. This can provide a framework around which public discussion, research, and documentation of such flaws can occur without violating EULA agreements. We will also discuss the formation of a open community initiative centered around the use of Reverse Benchmarking to study false positive types.

Tom Stracener is a Sr. Security Analyst for Cenzic's CIA Labs. At Cenzic Tom has played an important role in the evolution of their flagship technology Hailstorm, and was one of the chief designers of the Cenzic HARM Score, the Hailstorm Application Risk Metric. He usually embarrasses himself horribly at Defcon at least once a year, but this is his first time to do it before an audience. Tom has spoken at more than 50 conferences and events in the last 2 years.

Marce Luck Marce has been working in the information security field since the late 90s and during that time has worked for a bunch of places once, but no place twice. Marce's former employers include: the CERT/CC, IBM, Farmers Insurance, Deloitte, Cenzic, and Himself. He currently works for A Fortune 100 Financial Company as an Information Security Architect, and enjoys it very much.

Fingerprinting and Cracking Java Obfuscated Code

The process of obfuscating intermediate platform independent code, such as Java bytecode or Common Intermediate Language (CIL) code aims to make the source code generated by reverse engineering much less useful to an attacker or competitor. This talk focuses on the examination of fingerprinting particular obfuscators and provides a tool capable of cracking key obfuscation processes performed. As more programming languages use intermediate platform techniques on compiled code, the vision behind this talk is to further provide a methodology in reversing obfuscated applications. The demonstration of the tool developed on a number of cases will show how such a methodology can be put in place for cracking obfuscation techniques.

Subere: There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Subere. Currently, he is focusing on research relating to coding standards, practices and ways of exploiting development code. This focus entails the breaking and making of client-side standalone as well as web applications. As such things need doing for a living and can take their toll he has recently joined Information Risk Management, based in London. His area of expertise is in source code audits, bytecode interpretations and reverse engineering. He has performed a number of source code audits and application security assessments on an international level.

Creating Unreliable Systems, Attacking the Systems that Attack You
The Hacker Pimps
Marklar The Hacker Pimps

This presentation focuses on analysis and strategies in dealing with systems that gather information, more specifically, personal information. This talk suggests that we need to start looking at the technology of the future through different a different set of eyes, the ones of a researcher. A new classification method is introduced for the classification of attacks on information gathering systems and strategies are introduced for dealing with this technology. Systems that are unreliable cannot be counted on, so the best defense is a good offense.

Sysmin and Marklar are two of the founding members of the Hacker Pimps, an independent security research think tank. The Hacker Pimps provide research in to areas of information security and privacy. Members of the Hacker Pimps have been speakers at a variety of different security events.

Sysmin is a senior security consultant for a large consulting firm. He is a frequent public speaker on a variety of different topics and has spoken at many events including: DEFCON, HOPE, ShmooCon, ToorCon, and even the Pentagon just to name a few. Sysmin holds a veritable bevy of certifications in the area of information security and has a Master of Science in Information Technology with a specialization in Information Security. He is also the POC for the DC904 and a member of the Jacksonville 2600, Stegonet project, and the North American IPv6 Task Force.

Marklar is one of the foremost marklars on marklar. He has been pondering the effects of marklar on the World Wide Marklar for many years and hopes to foster conversation on enabling greater marklar on the marklar so that our marklar marklar can remain marklar.

The Church of WiFi's Wireless Extravaganza
The Baby-Eating Bishop of Bath and Wells
Renderman Sacramental Wine Taste Tester
theprez98 Spoonfeeder Extraordinaire

The Church of WiFi (reformed) returns to Las Vegas bigger and better than ever. Last year we brought you the first pre-computed rainbow tables for faster WPA cracking. This year, we've gone overboard and expanded the tables to places and sizes not dared before. Can you say: our own live distro?

And that's not all: we're prostelytizing our wireless foo this year by hosting the Wireless Village, a place for tutorials, mini-presentations, and breakout sessions. Of course, we have some new projects to show you and a few more ideas on the horizon. Isn't it time you converted?

Frank ("Thorn") Thornton runs his own technology-consulting firm, Blackthorn Systems. An interest in Amateur Radio has also helped him bridge the gap between computers and wireless networks. Thorn's experience with computers goes back to the 1970's when he started programming mainframes. Over the last thirty years, he has used dozens of different Operating Systems and programming languages. According to others who should probably know better, Thorn is "widely recognized as one of the premier experts in wireless networking and wireless security."

In addition to his computer and wireless interests, Thorn was a Law Enforcement Officer for many years. As a detective and forensics expert he has investigated approximately one hundred homicides and thousands of other crime scenes. Combining both professional interests, he was a member of the workgroup that established ANSI Standard ANSI/NIST-CSL 1-1993 "Data Format for the Interchange of Fingerprint Information." Thorn is a co-author of "WarDriving: Drive, Detect, Defend", "Game Console Hacking", "RFID Security", "WarDriving & Wireless Penetration Testing" and contributor to "IT Ethics"and "Emerging Threat Analysis" -all by Syngress Publishing. He resides in Vermont with his wife.

Renderman has been a fixture in the wardriving community for many years. He never seems to be out of crazy projects and ideas, never very far from wardriving news, often causing it himself. He also co-authored "RFID Security" for Syngress publishing. He spends his time working on things like the 'stumbler ethic', Worldwide wardrive, 'the warpack' and the Church of WiFi. When not working to make wardriving an acceptable hobby, he can usually be found taking something apart, creating an army of cybernetic fluffins, trying to win the Defcon wardriving contest, or more likely, at the hotel bar.

Michael ("theprez98") Schearer is an active-duty EA-6B ECMO. He flew combat missions during Enduring Freedom, Southern Watch, and Iraqi Freedom. He took his EW specialty to Iraq, where he embedded with Army units. While at Penn State, he is actively involved in IT issues. He is a licensed amateur radio operator, an active member of the Church of WiFi and a regular on the DEFCON and NetStumbler forums. He lives in Pennsylvania with his wife and 3 kids.

Hacking UFOlogy: Thirty Years in the Wilderness of Mirrors
Richard Thieme

"You're over the line," an intelligence professional told Richard Thieme recently. "You know enough to know what's not true but you can't know enough to know what is. You're well into the wilderness of mirrors."

Hacking one complex system is always in some ways like hacking another. You must see nested levels of the context that others assume and which is therefore invisible, you must see through the story that the system tells about itself, and you must have a means of filtering out disinformation and misinformation while suspending belief in the patterns your own mind suggests along the way. You must never believe what you think until the evidence is compelling. And you must have a way of staying sane when the consensus reality that has knitted you into its tissue is challenged at its core.

Ever since a USAF fighter pilot with the "right stuff" told Richard Thieme (who was then his Episcopal clergyman) in 1978 that "we chase the things and can't catch them" -- Thieme has explored this domain with beginner's eyes and an open mind. He has interviewed astronauts and NASA psychologists, physicists and social scientists, and scholars in "the invisible college" who conduct serious research and rigorous historical analysis. He has compared notes with intelligence professionals who believe that the least unlikely hypothesis for some of the data is, as one said, "a cultural intrusion" over many decades.

In this presentation, Thieme shows how "hacking the system" of data, disinformation, and "true believers" in an environment which has been saturated with ridicule since 1952, when critical elements of the government made a decision to debunk reports and those making them, is like hacking any complex system in our world of huge black budgets, appropriate paranoia, psy ops, and obsessive secrecy.

This presentation will make you think. It will make you re-examine your presuppositions about what is real. It will at the least bring you face to face with the possibility that you have been "owned" by the managers of perception who appointed themselves guardians of the Bigger Picture - an awareness that animates all real hackers.

Richard Thieme continues to write and speak to the deeper issues of technology and its impact on the human condition. He has published several dozen short stories in the past few years, including "Zero Day: Roswell," "More Than a Dream," "Incident at Wolf Cove," and "Species: Lost in Apple-picking Time," which touch on some of the issues raised by this talk. (Those stories and more are at

High Insecurity: Locks, Lies, and Liability
Marc Weber Tobias Investigative Attorney and Security Specialist -
Matt Fiddler
Security Specialist -

There is a lot of hype by lock manufacturers, especially those that sell "High Security" cylinders. Terms like "pick proof" and "bump proof" often accompany UL and ANSI rated locks and cylinders.

If your intent is to protect your home then you can be assured that a lock carrying a UL 437 or ANSI rating is quite sufficient. The rules drastically change however if you are going to rely upon locks to protect high value targets such as cash, sensitive information, munitions, or critical infrastructure components. It is then that you might want to do a bit more research into what really constitutes a high security lock and how they can be compromised in the real world. In this presentation we will dissect and analyze these high security standards. Covert methods of picking, bumping, and certain other bypass techniques will also be presented and demonstrated allowing even the highest rated cylinders to be compromised in well under ten minutes.

Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. Marc is a member of a number of professional security organizations, including the American Society of Industrial Security (ASIS), Association of Firearms and Tool Marks Examiners

Matt Fiddler leads a Threat Management Team for a Fortune 100 Organization. Mr. Fiddler's research into lock bypass techniques have resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 15 years enhancing his extensive expertise in the area of Unix and Network Engineering, Security Consulting, Computer Forensics, and Intrusion Analysis. Currently Mr. Fiddler is the Connecticut Chapter President and active Board Member of Locksport International.

Portable Privacy: Digital Munitions for the Privacy War
Steve Topletz
Hacktivismo Member; Administrator, XeroBank

This talk will discuss the increasing need for portable privacy protection, and the pragmatic tools to accomplish it. A law only gives you consent to exercise a right you must already be able to assert. With the open war on privacy rights, not creating tracks has become more important because of increasing data retention and the risks it exposes.

Steve Topletz from Hacktivismo will present the risks, development framework, and solutions to retain your privacy. The talk will include tools for private communications, encrypted data storage, anonymous commerce, and portable secure computing environments. Steve will also be providing a development pre-release of xB Machine, a new portable secure computing environment. A limited number of free XeroBank anonymous internet accounts will also be provided to attendees.

Steve Topletz is a member of Hacktivismo, an international group of hackers, human rights workers, lawyers and artists that evolved out of THE CULT OF THE DEAD COW. Mr. Topletz is the developer of Torpark, the most popular free anonymous web browser, with over 3 million international users, and he is also the administrator of XeroBank, a commercial anonymity network.

Locksport: An emerging subculture
Schuyler Towne
Board of Directors, TOOOL US

Locksport is nothing new, but it's recent attention in the media and sudden growth have made it a popular topic. This talk will settle some of the bigger debates about the Locksport community. Are we criminals? Are we having a positive impact on modern security? Who started it? Who's advancing the field? And, why do we do it?

This talk will cover a brief history of locks, but will focus primarily on how the locksport community has grown, it's ethics (and ethical struggles) and it's impact on modern security. You will not learn how to pick locks at this talk, but you will learn how lockpickers have impacted your everyday lives.

So, if you've ever taken an interest in good old physical security, come out and learn about the new generation of hardware hackers. Pick the planet!

Schuyler Towne is a board member of The Open Organisation Of Lockpickers, US and editor in chief of NDE Magazine. He has had the pleasure of competing in the Dutch Open, looks forward to this years LPCon, and keeps good company.

Malware Secrets
Offensive Computing, LLC

What would you do if you had a massive collection of malware? What secrets could you uncover? This rapid fire presentation seeks to reveal some of these secrets based on the analysis of Offensive Computing's large malware collection. (Over 100,000 samples) What are malware author's commonly using to pack their binaries? What are the rarest packers, and could this indicated a targeted attack? How do Anti-Virus companies generally perform on a data set known to contain a large number of malware? These are the some of the questions we will answer in Malware Secrets.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project. Valsmith is also a member of the Cult of the Dead Cow NSF.

Delchi has been involved in computers and computer security for over 15 years. He currently works doing real time incident response protecting sensitive data. He specializes in data mining, log corelation, IDS signature creation and is a member of the Cult of the Dead Cow's NSF and most recently has contributed his skills as a both a computer security analyst and spiritual advisor to the Offensive Computing project.

How I Learned to Stop Fuzzing and Find More Bugs
Jacob West
Manager, Security Research Group, Fortify Software

Fuzzing and other runtime testing techniques are great at finding certain kinds of bugs. The trick is, effective fuzzing requires a lot of customization. The fuzzer needs to understand the protocol being spoken, anticipate the kinds of things that could go wrong in the program, and have some way to judge whether or not the program has gone into a tailspin. Get this setup wrong, and you end up fuzzing the wrong thing, exercising and re-exercising trivial paths through the program, or just plain missing bugs (as Microsoft did with the .ANI cursor vulnerability). Fuzzing effectively takes a lot of customization and a lot of time.

Proponents of fuzzing often avoid static analysis, citing irrelevant results and false positives as key pain points. But is there a more effective way to channel the energy required for good fuzzing in order to find more bugs faster? This presentation will propose a series of techniques for customizing static, rather than dynamic, tools that will let you find more and better-quality bugs than you ever thought possible.

We compare static and dynamic approaches to testing and look at:

- The fundamental problems involved in fuzzing
- Why static analysis is harder for humans to think about than fuzzing
- Interfaces for customizing static analysis tools
- The kinds of bugs static analysis is good at finding
- Why static analysis is both faster and more thorough then fuzzing
- Where static analysis tools break down
The talk concludes with the results of an experiment we conducted on open-source code to compare the effectiveness of fuzzing and static analysis at finding a known-set of security bugs.

Jacob West manages the Security Research Group at Fortify Software, which is responsible for the discovery and categorization of the security issues identified by the company's various software security products. In addition to his research responsibilities, Mr. West spends time in the field working with Fortify's customers. Prior to joining Fortify, Mr. West worked with Dr. David Wagner at UC Berkeley where he contributed to the development of MOPS, a static analysis tool used to discover security vulnerabilities in C programs.

Turn-Key Pen Test Labs
Thomas Wilhelm

Currently, those interested in learning how to professionally conduct Information System Penetration Tests have very little options available to them - they can either illegally attack Internet-connected systems, or create their own PenTest Lab. For those who prefer to avoid legal complications, they really only have the last option - a lab. However, this can be a very complicated and expensive alternative. In addition, scenarios have to be created that actually represent real-world scenarios; for a beginner, this is is a Catch-22 since they don't yet have the experience to even know what these scenarios might look like, let alone design them in a challenging way.

In order to provide a simple way for both beginners and experts to improve their skills in Penetration Testing, I have designed what is, in effect, a Turn-Key PenTest Lab using LiveCDs and minimal equipment requirements. The LiveCDs each represent different scenarios that mimic real-world systems and services, which provide essential challenges to improve critical skills in the field of PenTesting. The LiveCDs are available under the GNU GPL license, and freely available to the public.

Thomas Wilhelm: Currently employed in a Fortune 50 company as a penetration tester, Thomas has spent 15 years in the Information System career field, and has received the following certifications: CISSP, SCSECA, SCNA, SCSA, IAM. He started his career as a system administrator and has recently moved into the penetration testing arena.

Multiplatform malware within the .NET-Framework
Paul Sebastian Ziegler

Multiplatform Malware - many of us have heard that term. Discussions on this matter arose a few month ago and they didn't cease yet. But while many people have taken interest in this matter there still isn't much of a common sense around. The time has come to change this! In this speech you will learn about:

  • a) The current status of multiplatform malware.
  • b) The possibilities multiplatform malware opens up for an attacker.
  • c) Different kinds of multiplatform malware.
  • d) How to easily implement multiplatform malware using runtime frameworks You will also see a live demonstration of multiplatform malware while it's in action hopping between multiple operating systems with ease.

Multiplatform malware is here to stay. And it will be a blast to computer security once it starts to strike. Many systems we presently consider "secure" will be broken, many basic concepts of security will be circumvented. If we don't want to be on lost stands as defenders once that happens - or if we want to ride the wave as attackers - we'll have to act now. Let's create the common sense the community has long waited for! Let's discover what is possible and where fiction starts! Let's all make this fairly new technique blossom or explode - whichever you prefer.

Paul Sebastian Ziegler: Paul is an autodidact. You can easily tell since he sometimes messes up the pronunciation of technical terms - whitepapers in leetspeak simply don't contain phonetic spellings very often. His mind is just as chaotic with a lot of ideas, concepts and terms lying around and links between them wildly spreading like weeds. This constellation often leads to strange gasps of reality and also of computer security. And as always - "strange" is just another term for "new" and "unusual".

Being a freelancer brings Paul time to write articles (hakin9) and books (O'Reilly), but pentesting and system administration take up most of his time. During free time he enjoys geeking out (e.g. turning record players into voice-controlled wireless mp3-music-stations), programming and swordplay. Also friends tend to keep him distracted a lot.

Paul believes that real security can only come from broad knowledge and that security through obscurity is doomed to failure. Due to this basic assumption most of his research is dedicated to breaking security mechanisms and discovering new attack vectors to raise public awareness - - be it by analyzing wireless frames, messing with people's minds or pushing the topic of multiplatform malware.

Philip R. Zimmermann

The time for secure encrypted VoIP for the masses is upon us. The Zfone Project has come a long way in the two years since Phil Zimmermann demoed a prototype at Black Hat. It's now a family of products, running on Symbian and Windows mobile phones, soft VoIP clients on Mac OS X, Windows, Linux, and in the Asterisk PBX, in both open source and commercial products. Zfone lets you whisper in someone's ear from a thousand miles away.

Phil will be explaining the ZRTP protocol used by Zfone, and demoing it. The ZRTP protocol does not rely on a PKI. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. This means your VoIP security doesn't depend on VoIP service providers who don't always act with your best interests in mind. ZRTP performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. And it supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP.

The law enforcement community will be understandably concerned about the effects encrypted VoIP will have on their ability to perform lawful intercepts. But what will be the overall effects on the criminal justice system if we fail to encrypt VoIP? Historically, law enforcement has benefited from a strong asymmetry in the feasibility of government or criminals wiretapping the PSTN. As we migrate to VoIP, that asymmetry collapses. VoIP interception is so easy, organized crime will be able to wiretap prosecutors and judges, revealing details of ongoing investigations, names of witnesses and informants, and conversations with their wives about what time to pick up their kids at school. The law enforcement community will come to recognize that VoIP encryption actually serves their vital interests.

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.

Latest News TitleFor the all the latest news and discussions on DefCon 15 Check out the RSS Feeds and the DefCon Forums!

Call for Papers
The DEFCON 15 Call For Papers is now closed.

Don't see your event? Updates will be frequent. Contest Organizers, Event Planners, etc. email neil [at] defcon [dot] org with your info.

If you have a tip or story that might help out new con-goers, email neil [at] defcon [dot] org

For the DefCon Main site,
Click Here