Archive for August, 2008

OWASP meeting tonight

Wednesday, August 20th, 2008

Just a reminder, the August OWASP DC meeting is this evening.

OWASP DC
Wednesday August 20th 6:30 PM

Deloitte and Touche
1001 G St NW Washington DC 20001

come join us!

OWASP DC and CapSec DC for August

Wednesday, August 13th, 2008

Back from Vegas, and this month’s meetups are looming.

OWASP DC
Wednesday August 20th 6:30 PM

Deloitte and Touche
1001 G St NW Washington DC 20001

This month, our agenda is as follows:

  • Introduction to OWASP, Rex Booth
  • The Big Picture: Web Risks and Assessments Beyond Scanning, Matt Fisher
  • Security Conference Review: Black Hat & DefCon (group discussion)
  • Open floor

Matt’s talk will focus on the need to risk- and threat-model software and to pick appropriate people, tools, and testing techniques to test against the threat model. In today’s resource-constrained market many organizations are simply turning to automation to test their software security without truly understanding its limitations. This talk will discuss some of the broader threat cases, testing techniques for them, and whether the current state of industry technology is effective against them.

Upon arriving, please go to the 9th floor and sign in, someone will escort you to the meeting location, Rm. 8S026.

Ostensibly, Refresh DC will be meeting on the 21st of this month, but no announcement has been made yet.

CapSecDC
Wednesday August 27th, 7:00 PM

Stetson’s
1610 U St NW
Washington DC 20009

Our monthly happy hour where we talk about everything under the sun. I’m sure this month will yield some follow-up from Vegas, and other things on the horizon. Last week, we headed down U street after a while, and dropped by DC9 for the later part of the evening.

Come join us at one or all!

Fear cuts deeper than knives

Saturday, August 9th, 2008

This weekend, controversy surrounds the Black Hat/DEFCON security conferences once again. Students at MIT were slated to present research on hacking the MBTA farecard system (both the magnetic stripe and RFID technologies), but a temporary restraining order granted this morning by a Boston judge has caused the cancellation of the talk.

There have been several cases of legal threats shutting down talks in the past few years; in fact, it almost seems a mandatory event every year now. RFID research, however, seems to have attracted them disproportionately, with IOActive having been forced to pull a talk in a previous year as well.

I’ll leave the details of this case to the reader’s google-fu right now (google news defcon, you’ll get plenty). But we put forward this question:

Why are the lawsuits brought against the researcher who uncovers the flaw in a system, rather than the vendors who provide the flawed system?

Most of the issues with RFID are already widely known, and the execution of the “exploits” is a matter of clever people utilizing cheaply available resources. Trying to suppress their findings does nothing to truly protect the systems; all it means is that another clever person, who may mean more harm and less good, will come along shortly and do it again.

Perhaps some day organizations and government will evolve from having to place blame first and foremost. But until then, perhaps the blame should go on the group that created the problem, as opposed to the person who revealed there was one.

Defcon Presentation

Friday, August 8th, 2008

I’d like to thank the people of Defcon and all of the attendees who came to my talk for the opportunity to speak today. I have uploaded my Defcon 16 Presentation to the blog for your viewing enjoyment. The code has been uploaded to http://code.google.com/p/modscan/.

Looking forward to the rest of the con. I’m sure we’ll write more later.

Viva Las Vegas!

Tuesday, August 5th, 2008

Like many others of similar interests, we’ll be out in Vegas for most of this week/weekend, for Black Hat, DEFCON, and LifeCycle Security.

Mark is presenting at DEFCON this year, if you’re in town, stop by and see his talk, it’s scheduled for Friday at noon in the Track 3 room. We’ll also be at the OWASP/WASC party at Caesar’s on Wednesday night, and I’ll be haunting mostly the two appsec tracks during the days at BH.

Much to my shame, I’ve gotten a Twitter account, you can follow me here. I’m getting it as a conference tool, we’ll see how it goes. It will NOT become dumped into a blog anywhere, I have too much respect for the intarwebs to do that.

See you in Vegas!