The story of the puppy goon.
Rules of dealing with the goons:
- there are no rules which you can premeditate on.
- rules are created by the goon in the moment.
- DT or Priest can overturn any rule, usually not in your favour.
- with few exceptions, goons may not delegate their jobs to human class attendees.
It is important to note these rules as you consider the following story.
In a fit of proactivity, the Dan Kaminsky talk was moved from Track 5 (consider a shoe-box a roomy alternative to Track 5) to Track 3. In the fine tradition of DEFCON, a bit more than half of the attendees for session n-1 were actually there for session n. Sometimes this plan goes awry (goon yells: “All Humans must LEAVE the room NOW”) but about 200 people thought they were being smarty pants. The lineup was (eventually) successfully pivoted from the area of Track 5 over to Track 3 (nerd conga, anyone?) and the goon in charge of the portal to Track 5 was tasked with telling people that the talks had been swapped.
Problem the First: the enforcement / portal guardian goon was apparently about 17, 130lbs, and more in awe of us than we were of him.
Problem the Second: the young goon-spawn (good call on that one, Mom-of-cyberpunk-rocker-chick Haywire) kept leaving to check on things, as he was not equipped with even a scanner (let alone transmit capability).
Problem the Third: when he’d leave his post, he put me in charge. Please note that this year, I was wearing a human badge.
Problem the Fourth: it took him 20 minutes to validate that what I’d told him was true – he’d already sent the lineup over to Track 3 without checking with goon central. Agent X just about had a fit when I described the situation. You could see the veins throbbing under his flowing locks of golden hair.
Moral of the story of the puppy goon. I could’ve seriously f****d up traffic within DC because (of all things) the enforcement point was not configured for authority validation. I maintained my ethics (dumb Myrcurial) because Agent X and Priest would’ve kicked the ever-living-crap outta me (smart Myrcurial), but damn, I was tempted to exploit that little flaw in the system. Major points to Mrs. Myrcurial (who has had many many aliases and I’m not sure which one she’s using for her world domination practice) for initially describing this authority substitution algorithm as it related to road traffic modification post-game in high school.
The story of the puppy presenter.
Rules of presenting:
- accept that there will be audience members who know more about your topic than you do.
- thoroughly research your work for prior art.
- test everything.
- stop talking when it becomes obvious that the ENTIRE audience knows more about the topic than you do.
Again, see how the rules apply to the story…
The presenter gets up, is about to make big noise (which subsequently made an AP wire story and a segment on Fox News????), and launches into what shall forever be known as “one of those DC15 Topic 101 sessions”. He manages to make it through the 101 without making too many mistakes. (Note that reading a spec and ever touching an implementation of that spec are NOT the same thing.) After a little while, he gets to explaining the complicated bits… but can’t tell us shit due to the fact that his employer has said no (Mike Lynn was spinning somewhere nearby). Finally, he gets to the end of his talk, and we realize that there are at least 4 other design flaws which he has not only failed to enumerate, but which he does not even see exist. And two of them are actually described in the spec in such detail that they are obvious after a cursory read.
Problem the First: lack of sufficient study to know that he was presenting prior art.
Problem the Second: his demo was so obfuscated that it was not an effective proof – he could’ve done anything.
Problem the Third: out of the front two rows, there was collectively something like 70 years of experience in his topic. He’d been working on it for 2 months. The math is left as an exercise for the reader.
Problem the Fourth: he didn’t even notice the vulnerability which would’ve given him remote root in less time than it took his demo to simply break the cord.
Moral of the story of the puppy presenter: I didn’t get upset, but I wasn’t really happy about his use of my time. Basically the same talk was given at DC13.
The new emerging class: The Puppies.
Both of the above literary articles describe members of the emerging class of “Security Puppies”. They’re going to grow up just fine (the DC community will take care of proper care and feeding) but right now, they’re as cute as a bucket full of fluffy 4-week-old German shepherds. It is incumbent upon the community to bring them forward. Onward and upward. It doesn’t take long for one of those cute puppies to grow and be trained into a lethal semi-autonomous weapon system. Can our two test cases be brought into line? I think so.
Agent X is going to help the junior goon.
I’m going to try to help the presenter by helping him to ground his research into some real world bits and pieces.
As you think through your interactions last weekend, can you think of any more obvious cases of the “puppy” class? Perhaps over in CTF, Hacker Spaces, Lockpicking Village?
Comments make me happy – do you want to be responsible for my sadness?