[Full-disclosure] CarolinaCon-10 - May 2014 - FINAL ANNOUNCEMENT
CarolinaCon-10 will be held on May 16th-18th, 2014 in Raleigh NC. For the cheap price of your average movie admission with popcorn and a drink ($20) YOU could get a full weekend of talks, hacks, contests, and parties. We've selected as many presentations as we can fit into the lineup. Here they are, in no particular order: - Bypassing EMET 4.1 - Jared DeMott - Password Cracking for noobs - smrk3r - AV Evasion with the Veil Framework - HarmJ0y, Christopher Truncer, Michael Wright - Simple Network Management Pwnd - Deral Heiland & Matthew Kienow - F*ck These Guys: Practical Counter-surveillance - Lisa Lorenzin - Carding Markets: Comparing Apples and Lemons - Professor Tom Holt - Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android - Jake Valletta - How To Get Money Fast Using A Pwned PBX - unregistered436 - MDM is gone, MAM is coming - Yury Chemerkin - Demystifying The Cloud, a look at Hyperscale Computing From a Hacker Perspective - Nick Fury - The Insider Threat: From Snowden to the Unspoken - Omar Santos - Reverse Engineering Executables - Math 400 - Armageddon In The Air - Guarav Raj Anand - Hack Android Using Normal Permissions & Broadcast Receivers - Fadi Mohsen - Exceptions In Java Frameworks That Will Get You Owned - Benjamin Watson - Attacker Ghost Stories: Mostly Free Defenses That Gives Attackers Nightmares - mubix - Hacking the Hackerspace - Steven Sutton and Alan Fay **and possibly another presentation, plus another possible surprise yet to be locked-in** CarolinaCon-10 Contests/Challenges: - Capture The Flag - Hacker Trivia - Crypto Challenge (TBD) Other CarolinaCon-10 Side Events: - Lockpicking Village / Instruction - Saturday Night Hacker Social LODGING: If you're traveling and wish to stay at the Con hotel here is the direct link to the special CarolinaCon discount group rate ($101, set by the Hilton, not us): http://www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20140515/index.jhtml Shorter reservation link version: http://bit.ly/1cdpzjU ATTENTION: The discount group rate on Hilton hotel rooms expires on APRIL 18th 2014, so act quickly if you plan on staying at the hotel for all of the weekend fun. ADVERTISERS / VENDORS / SPONSORS: There are no advertisers, vendors, or sponsors allowed at CarolinaConever. Please don't waste your time or ours in asking. However if you have some spare non-commercial SWAG that you'd care to charitably donate as contest prizes we will always accept that with great appreciation. Contact us via: infocarolinacon.org CarolinaCon formal proceedings/talks will run; - 7pm to 11pm on Friday - 10am to 9pm on Saturday - 10am to 4pm on Sunday For presentation abstracts, speaker bios, the final schedule, side event information, and all the other exciting details (as they develop and as our webmaster gets to them) stay tuned to; http://www.carolinacon.org CarolinaCon has been Rated "M" for Mature. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-10 / 2014 - Call for Presenters/Speakers
h4x0rs, stuff breakers, InfoSec pros, g33k girls, international spies, and script kidz, CarolinaCon-10 will occur on May 16th-18th 2014 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions for the event. If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-10, we cordially invite you to submit your proposal. Please send; - your name or handle/alias - the presentation name/title - a brief topic abstract (1-2 paragraphs) - the estimated time-length of your presentation - a brief bio (100% optional item, but if your talk is chosen it saves the time and trouble of asking for it later) via e-mail to: speakerscarolinacon.org *NOTE: All submissions are due BY February 28, 2014. However we may be making some early selections this year from amongst the submissions, so please be timely in submission if you're committed to being part of the elite cadre of chosen presenters. We value diversity so please don't hesitate to propose your ideas no matter how outlandish. If you present at the Con, you will receive; - free CarolinaCon admission for you and one guest - one free CarolinaCon-10 T-shirt (l33t) - free transportation between RDU airport and the conference hotel (if needed) - minimal fame, glory, and possibly even notoriety - mad props and much love from our staff and attendees SPONSORS and/or VENDORS: We don't accept any, so please don't bother asking. Capitalism (what you vendor/sponsor types do) and philanthropic knowledge-sharing (what we do) don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters generously donate their time and talent. The only items sold at CarolinaCon are a limited quantity of single-design CarolinaCon t-shirtsand we only make and sell those because attendees and staff want them (and because they're cool). ATTENDEES: If you are interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the May 2014 dates on your calendar. If you have any important (as in not-dumb and not-spam) inquiries about the event you can send email to: infocarolinacon.org We look forward to seeing you at our 2014 event. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-9 (March 15-17, 2013): General Announcement - Chosen Presenters and Topics - Side Event List
CarolinaCon-9 will be held on March 15th-17th 2013 in Raleigh NC. For the cheap price of your average movie admission with popcorn and a drink ($20) YOU could get a full weekend of the following instead. FASCINATING TALKS / ESTEEMED PRESENTERS!!! - Pwning the Pedophile - Joe Seanor - Terminal Cornucopia - Evan "treefort" Booth - Intro to Lock Picking - smrk3r - Stand Close To Me and You're Pwned: Owning Smartphones via NFC - Aditya Gupta and Subho Halder - Jargon Jitsu: The Tao of Buzzwords - Craig Searle (kezef) - Intro to Linux Exploit Development - DeBuG - Exploit Development for Mere Mortals - Joe McCray - Burp Suite: Comprehensive Web Pen Testing - JoshInGeneral - iPhone Data Reconnaisance without Physical Access to the Device - Jarrick - Travel for Free in Malaysia - Kiran Karnad - Screw You Guys, I'm Going Home - emwav - RAWR (Rapid Assessment of Web Resources) - @al14s and @c0ncealed - The Business of InfoSec - Dr. Tran - Search Engine Hacking: Finding Credit Cards, Social Security Numbers, and Frightenly More - Stephen Chapman - Digital Energy BPT - Paul Coggins - Getting Shells When Metasploit Fails - Ryan Linn (sussurro) - Dancing With Dalvik - Thomas Richards NOTE: Full abstracts will be posted on the Con website soon. The lineup above may be subject to slight change. We're still re-confirming that some international travelers listed will make it to the event, and we're hashing out a chosen topic amongst a handful of topics that one person submitted. But for the most part what you see above is what you'll see at the Con. MEGA-FUN SIDE EVENTS!!! - Capture The Flag (CTF) - Crypto Challenge - Hacker Trivia - Unofficial CarolinaCon Shootout - Lockpicking Instruction (random times to be announced in breakout room) - and more!!! CarolinaCon proceedings will run; - 7pm to 11pm on Friday - 10am to 9pm on Saturday - 10am to 5pm on Sunday LODGING: If you're traveling and wish to stay at the Con hotel here is the direct link to the special CarolinaCon discount group rate ($97): http://www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CAR-20130315/index.jhtml Shorter reservation link version: http://bit.ly/XhTtOu ATTENTION: The discount group rate on Hilton hotel rooms expires on February 12th 2013, so act quickly if you plan on staying at the hotel for all of the weekend fun. For the final schedule and all the other exciting details (as they develop and as our webmaster gets to them) stay tuned to; http://www.carolinacon.org (Yes I know - that site is pretty lame at the moment. Our volunteer web team seems to be on an unannounced hiatus currently. We'll sort that out ASAP and get something more appropriate posted.) Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-9 - March 2013 - Call for Presenters/Speakers/Papers/Demos
h4x0rs, InfoSec professionals, g33k girls, international spies, and script kidz, CarolinaCon-9 will occur on March 15th-17th 2012 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions for the event. If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-9, we cordially invite you to submit your proposal. Please send; - your name or handle/alias - the presentation name/title - a brief topic abstract (1-2 paragraphs) - the estimated time-length of your presentation - a brief bio (100% optional item, but if your talk is chosen it saves the time and trouble of asking for it later) via e-mail to: speakerscarolinacon.org The presentation submission coordinator is Zip. He will send you a receipt confirmation email at his first convenience. *NOTE: All submissions are due BY January 4th, 2013. However we will be making some early selections this year from amongst the submissions, so please be timely in submission if you're committed to being part of the elite cadre of chosen presenters. We value diversity so please don't hesitate to propose your ideas no matter how outlandish. If you present at the Con, you will receive; - free CarolinaCon admission for you and one guest - one free CarolinaCon-9 T-shirt (l33t) - free transportation between RDU airport and the conference hotel (if needed) - minimal fame, glory, and possibly even notoriety - mad props and much love from our staff and attendees SPONSORS and/or VENDORS: We don't accept any, so please don't bother asking. Capitalism and philanthropic knowledge-sharing don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters generously donate their time and talent. The only items sold at CarolinaCon are a limited quantity of single-design CarolinaCon t-shirtsand we only make and sell those because attendees and staff want them (and because they're cool). ATTENDEES: If you are interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the March 2013 dates on your calendar. If you have any important (as in not-dumb and not-spam) inquiries about the event you can send email to: infocarolinacon.org We look forward to seeing you at our 2013 event. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-8 (May 2012): General Announcement - Chosen Presenters and Topics - Side Event List
CarolinaCon-8 will be held on May 11th-13th 2012 in Raleigh NC. For the cheap price of your average movie admission with popcorn and a drink ($20) YOU could get a full weekend of the following instead. FASCINATING TALKS / ESTEEMED PRESENTERS!!! - Big Bang Theory: The Evolution of Pentesting High Security Environments (OR) Advanced SQL Injection - Joe McCray - Spyometrics: New World of Biometric Surveillance - Dr. Noah Schiffman - Identifying Cyber Warriors - Professor Farnsworth / Tom Holt - Bypassing Android Permissions - Georgia Weidman - Patch to Pwned: Exploiting Firmware Patching to Compromise MFP Devices - Deral Heiland - Attacking CAPTCHAs - Gursev Singh Kaira - Hacking as an Act of War - G. Mark Hardy - Project Byzantium: Improvisable Ad-Hoc Wireless Mesh Networking for Disaster Zones - The Doctor - Hacking your Mind and Emotions - Branson Matheson - Intro to Hacking Bluetooth - ronin - Malware Retooled - Big-O - Inside Jobs: Stealing Sensitive Data and Intellectual Property - Vic Vandal - It's 2012 and My Network Got Hacked - Omar Santos - DevHack: Pre-Product Exploitation - Snide - Raspberry Pi's Impact on Hacking - DJ Palombo - Declarative Web Security: DEP for the Web - Steve Pinkham - Dr. Tran goes to Switzerland - Dr. Tran BONUS TALK!!! - purposely unannounced topic - purposely unannounced presenter (NSFW and NSFKids, will occur late Friday night) MEGA-FUN SIDE EVENTS!!! - Capture The Flag (CTF) - Crypto Challenge - Hacker Trivia - Unofficial CarolinaCon Shootout - Lockpicking Instruction (random times to be announced in breakout room, not quite as big or organized as the past couple of years) - and more!!! CarolinaCon proceedings will run; - 7pm to 11pm on Friday - 10am to 10pm on Saturday - 10am to 5pm on Sunday LODGING: If you're traveling and wish to stay at the Con hotel here is the direct link to the special CarolinaCon group rate ($95, sorry for the rate hike, we outgrew the last hotel and it's at the Hilton this year): http://www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20120511/index.jhtml Shorter link version: http://bit.ly/vK8Y2y For the final schedule and all the other exciting details (as they develop and as our webmaster gets to them) stay tuned to; http://www.carolinacon.org Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-8/2012 - Final Announcement/Call for Papers/Presenters/Speakers
h4x0rs, InfoSec professionals, international spies, script kidz, and posers, CarolinaCon-8 will occur on May 11th-13th 2012 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions for the event. If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-8, we cordially invite you to submit your proposal. Please send; - your name or handle/alias - the presentation name/title - a brief topic abstract (1-2 paragraphs) - the estimated time-length of your presentation - a brief bio (100% optional item, but if your talk is chosen it saves the time and trouble of asking for it later) via e-mail to: speakers carolinacon.org The presentation submission coordinator is Zip. He will send you a receipt confirmation email at his first convenience. *NOTE: All submissions are due BY March 1st, 2012. However we may be making some early selections this year from amongst the submissions, so please be timely in submission if you're committed to being part of the elite cadre of chosen presenters. We value diversity so please don't hesitate to propose your ideas no matter how outlandish. If you present at the Con, you will receive; - free CarolinaCon admission for you and one guest - one free CarolinaCon-8 t-shirt (they're gonna be l33t) - free transportation between RDU airport and the conference hotel (if needed) - minimal fame, glory, and possibly even notoriety - mad props and much love from our staff and attendees SPONSORS and/or VENDORS: We don't accept any, so please don't bother asking. Capitalism and philanthropic knowledge-sharing don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters generously donate their time and talent. The only items sold at CarolinaCon are a limited quantity of single-design CarolinaCon t-shirtsand we only make and sell those because attendees and staff want them (and because they're cool). ATTENDEES: If you are interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the May 2012 dates on your calendar. If you have any important (as in not-dumb and not-spam) inquiries about the event you can send email to: info carolinacon.org We look forward to seeing you at our 2012 event. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-8 (2012) Call For Papers/Presenters/Speakers
CarolinaCon-8/2012 - Call for Papers/Presenters/Speakers h4x0rs, InfoSec professionals, international spies, script kidz, and posers, CarolinaCon-8 will occur on May 11th-13th 2012 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions for the event. If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-8, we cordially invite you to submit your proposal. Please send; - your name or handle/alias - the presentation name/title - a brief topic abstract (1-2 paragraphs) - the estimated time-length of your presentation - a brief bio (100% optional item, but if your talk is chosen it saves the time and trouble of asking for it later) via e-mail to: speakers carolinacon.org The presentation submission coordinator is Zip. He will send you a receipt confirmation email at his first convenience. *NOTE: All submissions are due BY March 1st, 2012. However...we may be making some early selections this year from amongst the submissions, so please be timely in submission if you're committed to being part of the elite cadre of chosen presenters. We value diversity so please don't hesitate to propose your ideas no matter how outlandish. If you present at the Con, you will receive; - free CarolinaCon admission for you and one guest - one free CarolinaCon-8 t-shirt - minimal fame, glory, and possibly even notoriety - mad props and much love from our staff and attendees SPONSORS and/or VENDORS: We don't accept any, so please don't bother asking. Capitalism and philanthropic knowledge-sharing don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters generously donate their time and talent. The only items sold at CarolinaCon are a limited quantity of single-design CarolinaCon t-shirtsand we only make and sell those because attendees and staff want them (and because they're cool). ATTENDEES: If you are interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the May 2012 dates on your calendar. If you have any important (as in not-dumb and not-spam) inquiries about the event you can send email to: info carolinacon.org We look forward to seeing you at our 2012 chill event. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-7 - Apr 29th thru May 1st 2011 - Raleigh NC
We're baaack!!! CarolinaCon-7 will be held on April 29th thru May 1st 2011 in Raleigh NC. For the cheap price of your average movie admission with popcorn and a drink ($20) YOU could get a full weekend of the following instead. ESTEEEMED PRESENTERS / FASCINATING TALKS: - sec0ps - The Failure that is Penetration Testing - Gerry Brunelle - Dissecting the Hack: Malware Analysis 101 - G. Mark Hardy - Tales from the Crypto - Deral Heiland - If you Own a Multi-Function Printer then I Own You - Chris Teodorski - Fun with SSH Honeypotting - Lisa Lorenzin - Security Lessons from Cracking Enigma - Thomas Holt - Do Personality Traits Increase the Likelihood that You will Hack? - Dr. Tran - How to Own and Protect Your Office Space - Omar Santos - Current and Future Trends in Cybercrime and Exploitation - mjg - Yara and Python: The Malware Detection Dynamic Duo - Branson Matheson - TTL of a Penetration - Nick Fury - Serial Killers: USB as an Attack Vector - Justin Troutman - Mackerel: A Progressive School of Cryptographic Thought - Ryan Linn - PIG: Finding Truffles without Leaving a Trace - purehate - Why your Password Policy Sucks - ronin - Hack from a Library with Katana - Adam Drew - Music and Audio Production with FOSS - Jordan Sissel - logstash: Open Source Log and Event Management MEGA-FUN SIDE EVENTS: - Lockpicking Village - Capture The Flag (CTF) - Hacker Trivia - Hacker Movie Screenings - Unofficial CarolinaCon Shoot - and more!!! CarolinaCon proceedings will run; - 7pm to 11pm on Friday - 10am to 11pm on Saturday - 10am to 6pm on Sunday If you're traveling and wish to stay at the Con hotel here is the direct link to the special conference group rate ($69): http://ichotelsgroup.com/redirect?path=rates&brandCode=HIĀ®ionCode=1&localeCode=en&GPC=CCG&hotelCode=RDUCV&_PMID=99801505 Shorter link version: http://bit.ly/fV9pq1 For all the exciting details as they develop (and as our webmaster gets to them) stay tuned to; http://www.carolinacon.org Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Getting Off the Patch
While this idea may work in small shops, it won't scale to large ones. There are something like 800 heterogeneous servers where I work. Small clusters of like-purpose servers are allocated to hosting many different processing components that make up the enterprise architecture. Applying purpose-specific hardening is a goal, but one that is extremely difficult to achieve and then maintain. And at the end of the day if you have a server cluster hosting MS-SQL or Oracle or Apache or IIS or whatever, AND only the necessary listening services are on, AND there is filtering to allow specific source and destination traffic, IF there's an identified vulnerability in any of those available services the machines must be patched to mitigate system and data risk. Even with services/daemons/etc. that aren't used and have been disabled, you can't rely on them remaining that way. Some newly installed component could require starting them up, or some Sys-Admin could make a configuration mistake and start up some vulnerable service(s). So if there is software installed on a system and that software has a known vulnerability and an available patch, any smart resource owner is going to mandate that the patch be applied to mitigate "potential" risk. If they don't and the system and/or data is compromised, that resource owner might have a hard time explaining how due diligence was exercised to absolve themselves and the organization of any data breach or service delivery liability. As for having to spend a lot of cycles testing patches, those days of half of the patches being applied breaking something are long gone. The risk still exists, and maybe one or two out of every hundred operating system or core software patches does break something. Vendors have gotten a LOT better about releasing reliable patches. I say this as an InfoSec engineer who has been playing this patching game for 20 years. But what about that small percentage of patches that does break something? For mission-critical servers any organization worth its salt has a Dev, QA, and Production server environment. You roll out the patches to Dev, and make sure nothing breaks while the developers are working daily in that environment. Then you roll to QA and have someone test any app that could potentially be impacted by the patch(es) deployed. By the time you roll the patches to Production, the risk of an outage is almost nil. And for the workstation environment, create a pilot group for patch deployments. Deploy patches to their machines, see if anything breaks, and if nothing does you then deploy the patches safely to the entire organization. As for the cost of deploying patches and the time it takes, automated patching tools are quite mature and robust these days. It takes a security administrator, server administrator, or desktop administrator mere minutes and a few mouse clicks to deploy patches to hundreds or thousands of machines. The other side of this patching coin is being audited. Many organizations are mandated to have independent security audits of their infrastructure performed. Those organizations and others may also have business partners who want audit verification of how vulnerabilities are being mitigated. And where an independent audit report shows that an organization isn't applying patches for countless vulnerabilities on scores of systems, you can bet that the concept and practice of patching will be embraced very soon thereafter. Just for clarity I'm not saying the proposed idea has no value. I'm a big fan of system hardening via various means. If you're not running a vulnerable service or it's not available to untrusted machines or users, the chances of it being compromised are obviously diminished greatly. But you shouldn't rely on that situation remaining static, and the smart move is to patch vulnerable software or remove it from the system altogether if it isn't needed. Obviously removal isn't an option when it comes to operating systems. You could replace them with some B1 certified security level system, but you're not going to be able to run a lot of common business apps successfully on such an architecture. And even if you could those apps could have vulnerabilities and need to be patched. Sandboxing has value, but it doesn't supplant patching in my professional opinion. I do know a way to do away with patching - have software developers stop writing crappy code that doesn't do good input validation (cough). Of course that is a nirvana not likely to be seen in our lifetimes. Wow, did I just write an article damn near equal in length to the InfoSec Island one posted that started this thread? Either I have free time to spare or I'm really into the concept of patching known vulnerabilities. Unfortunately for me it's the latter. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://
[Full-disclosure] CarolinaCon-VII/2011 - Call for Papers/Presenters
InfoSec professionals, h4x0rs, international spies, script kidz, and posers, CarolinaCon is accepting speaker/paper/demo submissions for its 7th annual Hacking/InfoSec conference. This year's event will be held on the final weekend of April 2011 (Apr 29th thru May 1st) in Raleigh NC. Who will be presenting which topics this year? That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of hacking, technology, robotics, science, global thermonuclear war, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you are interested in presenting please send; - your name or handle - presentation name/title - brief topic abstract - estimated time-length of presentation via e-mail to: speakers carolinacon.org *NOTE: All submissions are due BY March 1st, 2011. However we may be making some early selections this year from amongst the submissions, so please be timely in submission if you're committed to being part of the elite cadre of chosen presenters. We value diversity, so please don't hesitate to propose your ideas no matter how outlandish. If you speak at the Con, you will receive; - free Con admission for you and one guest - one free CarolinaCon-7 t-shirt - minimal fame, glory, and possibly even notoriety - mad props and much love from our staff and attendees - something else that's l33t but has yet to be finalized by the Con staff SPONSORS: We don't accept any, so don't bother asking. Capitalism and philanthropic knowledge-sharing don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters generously donate their time, talent, knowledge, and experience - and for that we and all of our attendees can't thank them enough. ATTENDEES: If you are interested in attending, watch this space for more details: http://www.carolinacon.org ...and don't forget to mark the dates on your calendar. We look forward to seeing you at our 2011 chill event. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Full-Disclosure Digest, Vol 69, Issue 26
Er, I meant to type "philanthropic" in the CarolinaCon CFP, and seem to have missed the "p" in typing. That's what I get for banging out a CFP while hacking the planet simultaneously (heh). -Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-VII/2011 - Call for Papers/Presenters
InfoSec professionals, h4x0rs, international spies, script kidz, and posers, CarolinaCon is now accepting speaker/paper/demo submissions for its 7th annual hacking/InfoSec conference. This year's event will be held on the final weekend of April 2011. The venue is Holiday Inn (Crabtree) in Raleigh, NC. Raleigh is about 30 minutes from Durham, Chapel Hill, and Research Triangle Park. Who develops and delivers CarolinaCon? CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters. What events will be at CarolinaCon? CarolinaCon is mainly about the educational talks, presentations, and demos. Alongside those we will have several other technology-related contests and challenges. Details on other events will be announced on our website as they are planned out. Who will be presenting which topics this year? That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you're interested in presenting please send; - your name or handle - presentation name/title - brief topic abstract - estimated time-length of presentation via e-mail to: speakers carolinacon.org *NOTE: All submissions are due BY March 1st, 2011. We may be making some early selections this year from amongst the submissions, so please be timely in submission if you're committed to being part of the elite cadre of chosen presenters. We value diversity, so please don't hesitate to propose your ideas no matter how outlandish. If you speak at the Con, you will receive; - free Con admission for you and one guest - one free CarolinaCon-7 t-shirt - minimal fame, glory, and possibly even notoriety - mad props and much love from our staff and attendees SPONSORS: We don't accept any, so don't bother asking. Capitalism and hilanthropic knowledge-sharing don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters likewise generously donate their time and talent. The only items sold at CarolinaCon are a limited quantity of single-design CarolinaCon t-shirtsand we only make and sell those because attendees and staff want them. ATTENDEES: If you are interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the dates on your calendar. We look forward to seeing you at our 2011 chill event. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-VI/2010 Announcement - March 19th-21st - Raleigh NC
H4x0rs, InfoSec professionals, script kidz, n00bs, posers, and hot girls who like geek-smart guys (heh): CarolinaCon is back for its 6th esteemed year! For about the price of your average movie admission with popcorn and a drink ($20), YOU are invited to join us for an intimate weekend of technology-related education and information sharing. This year's event will be held on the weekend of March 19th-21st, 2010 - at the Holiday Inn (Crabtree Valley/Glenwood Ave) in north Raleigh, NC. Raleigh is about 30 minutes from Durham, Chapel Hill, and Research Triangle Park. This year CarolinaCon will run for 3 days!!! Talks will run from 7pm to 10pm on Friday, 10am to 10pm on Saturday, and 10am to 4pm on Sunday. The currently confirmed list of exciting topics and esteemed presenters includes; - We Don't Need No Stinking Badges - Shawn Merdinger - Locks: Past, Picking, and Future - squ33k - Cybercrime and the Law Enforcement Response - Professor Farnsworth - You Spent All That Money and You Still Got Owned - Joe McCray - Something Smells Phishy: The Evolution of Social Engineering - Chris Silvers and Dawn Perry - It's Not A Vulnerability, It's A Feature - Deral Heiland - The Search for the Ultimate Handcuff Key - Deviant Ollam - OMG, The World Has Come To An End!!! - FeloniousFish - Physical Manifestation of Software: Microcontrollers 101 - Nick Fury - Protecting Systems through Log Management and System Integrity - David Burt - Metasploit - Ryan Linn Other presentation submissions still being sifted through and/or confirmed for possible spots on the agenda include; - Defenseless Defense against Corporate Breaches - The Art of Software Destruct - Mitigating Attacks with Existing Network Infrastructure - SQL Injection for n00bs - Advanced SQL Injection - How the Droid Was Rooted - Smart People, Stupid Emails - Mitigating Attacks with Existing Network Infrastructure - Why Linux is Bad for Business - Hacking with the iPhone - Developing an Integrated GRC Program - End-User Focused Pen-Testing And other conference events currently on tap include; - Hacker Trivia - TOOOL Lockpicking Village and others to be announced! If you plan to attend from out of town and would like to reserve a room at the Con hotel, call 919-782-8600 or 1-800-HOLIDAY. Mention that you want to reserve your room under the group block of "CarolinaCon Technology Conference", to get the special rate of $69 dollars per night. And for all the exciting details as they develop, stay tuned to: www.carolinacon.org Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-VI/2010 - Call for Papers/Speakers
InfoSec professionals, h4x0rs, script kidz, posers, and government spies: "CarolinaCon" is back yet again! Yes, for about the price of your average movie admission with popcorn and a drink, YOU are invited to join us for yet another intimate and informative weekend of technology education. What is this "CarolinaCon"? CarolinaCon is an annual Technology Conference whose mission/purpose is to; - Enhance local and global awareness of current technology issues and developments, - Provide affordable technology education sessions to the unwashed masses, - Deliver varied/informative/interesting presentations on a wide variety of InfoSec/hacking/technology/science topics, and - Mix in enough entertainment and side contests/challenges to make for a truly fun event When/Where is CarolinaCon? This year's event will be held on the weekend of March 19th-21st, 2010. The event will mostly occur at a Holiday Inn in Raleigh, NC. Raleigh is about 30 minutes from Durham, Chapel Hill, and Research Triangle Park. Who develops/delivers CarolinaCon? CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters. What events will be at CarolinaCon? CarolinaCon is mainly about the talks/presentations/demos. Alongside of those we'll surely have several other technology-related contests/challenges, as we've had in past years. Details on other events will be announced soon. Who will be presenting which topics this year? That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you're interested in presenting please send; - your name or handle, - the topic/presentation name, - estimated time-length of presentation, and - a brief topic abstract via e-mail to: speakers carolinacon.org *NOTE: All submissions are due BY January 29, 2010! Please be timely in submission if you're committed to being part of the elite cadre of presenters. We value diversity, so please don't hesitate to propose your ideas no matter how outlandish. Unfortunately as a non-profit dedicated to affordable education (our admission cost is still holding tight at $20), we've made very little profit each of the past years and are still trying to invest in the basic A-V gear needed to put on the event. So we can't afford to pay anyone to speak nor cover any related expenses yet (sorry). However if you do speak at the Con, you will receive; - free Con admission for you and one guest, - a free Con t-shirt, - minimal fame, glory, and possibly notoriety, and - mad props from our staff and attendees I'm excited and I want to present! What do I do know? If you're interested in speaking, send the 411 requested to: speakers carolinacon.org (BY/BEFORE January 29th 2010) And if you're interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the dates on your calendar! Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-V - March 13th-14th 2009
InfoSec professionals, h4x0rs, script kidz, posers, and government spies: CarolinaCon is back for its 5th year! For about the price of your average movie admission with popcorn and a drink ($20), YOU are invited to join us for yet another intimate and informative weekend of technology education. This year's event will be held on the weekend of March 13th-14th, 2009. The event will mostly occur at the Holiday Inn in Chapel Hill, NC. Chapel Hill is about 30 minutes from Raleigh, Durham, and Research Triangle Park. For all the exciting details as they develop, stay tuned to: www.carolinacon.org CarolinaCon is an annual technology conference whose mission/purpose is to; - provide "affordable" technology education sessions to the unwashed masses, - deliver varied/informative/interesting presentations on a wide variety of InfoSec/hacking/technology/science topics, and - mix in enough entertainment and side contests/challenges to make for a truly fun event. CarolinaCon is proudly brought to you by The CarolinaCon Group. The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various 2600 chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters. The currently chosen list of exciting topics and esteemed presenters includes; International Hacker Community Studies - Professor Farnsworth Software Reverse Engineering with the Leaf Framework - Chris Anti-debugging: A Developers Perspective - txs Detecting the Matrix: Hiding Virtual Machines from Malware - redspot Attacking Layer 8: Client-side Penetration Testing - Chris Gates (CG), Vince Marvelli (g0ne) The Security Assessment Methodology - Kellep Charles (KC) Running Snort and ClamAV on your Wireless Router - ciscostu Leveraging Metasploit through Nmap - Ryan Linn The Day The Spam Stopped: The Srizbi Botnet Takedown - Alex Lanstein The Ten Finger Discount: Philosophy and Ethics of Modern Piracy - mjg Packing & The Friendly Skies - Deviant Ollam Web-enabled: Smart Solution or Security Blunder - Deral Heiland What does Mickey Mouse have to do with a Viral Outbreak in India? - Nick Fury Other events currently on tap include; Capture The Flag Hacker Trivia and others to be announced! Where else can you have that much fun for $20 (that doesn't involve mind-altering substances or Internet pr0n, cough)? WARNING: Shameless (yet well-intentioned) pitch alert!!! For the corporate-sponsored amongst you, for the first time we invite you and/or your organization to demonstrate its philanthropic generosity by sponsoring a "CarolinaCon scholarship". In past years the CarolinaCon staff and non-profit board has allowed some predetermined number of student attendees on tight budgets to attend CarolinaCon for free. But why should we monopolize all the good karma and feelings of self-worth? So if you have a spare $20, consider donating it to this year's scholarship fund. You'll sleep better knowing you helped someone in need, and you can legitimately write it off as a charitable donation. Here is a link to the non-profit's filed articles of incorporation, for reference: http://www.secretary.state.nc.us/corporations/Filings.aspx?PItemId=7889445 And if your company is feeling extremly saucy and generous, the non-profit can accept donations to help buy equipment for future Cons. Absolutely no pressure to give here, but the Con barely breaks even annually and we beg/borrow/steal LCD projectors, PA equipment, etc. in putting on the event annually. Again, NO PRESSURE! We just figured we'd offer the "opportunity" to help provide affordable education to others, for the first time in 5 years of Con history. On that note if you're a struggling student desperately seeking knowledge, give the Con staff your best sob story at the door (heh) and apply for one of our admission scholarships. CarolinaCon-V - Be there or be l4m3! Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-2008, March 28th-30th, full agenda posted
Final message about the upcoming Con in the Raleigh/Durham/Chapel Hill area of NC. Full talk abstracts and speaker bios are now online: http://www.carolinacon.org/lineup.html Other side event details are forthcoming. Countdown = three weeks. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-2008, March 28th-30th
Announcing CarolinaCon-2008!!! Yep, CarolinaCon is back for another round of h4x0r/InfoSec/tech education and partying. Now in its 4th year, CarolinaCon provides a very affordable, informal, and friendly atmosphere for knowledge sharing and hanging out with like-minded individuals. CarolinaCon-2008 will be held at the Holiday Inn in Chapel Hill NC, which is less than 30 minutes away from Raleigh, Durham, and Research Triangle Park. The event dates are March 28th and 29th, 2008. The current lineup of speakers/topics is: * Ethical Hacking in Forensics - Robert Andrews * Layer 7 Attacks - Travis Altman * Format String Vulnerabilities - Deral Heiland * Console Modding 101 - Nick Fury * Introduction to Technical Surveillance Counter Measures - Tim Johnson * Women in Technology and Hacking - l33tphreak * Blogging for Bad Guys: What Not To Say On-Line - Dr. Thomas J. Holt * Rootkits: Then and Now - txs * ZFS (on FreeBSD) - Wesley Shields * Spooky Action at a Distance - Erik Scott * Local-Link Networking - Gomi There will also be informal LAN gaming, workshops, video screenings, and other amazing events yet to be announced. Back by popular demand, Hacker Trivia will be hosted by Vic Vandal and AlStrowger on Saturday night. Astound your peers, squash your enemies, win valuable prizes, or look incredibly stupid in the game that tests your knowledge of arcane hacking-related information/history. Admission to this year's CarolinaCon will be, as usual, $20 (cheap). For more information on the venue, lineup, events, talk abstracts (as they are posted), etc., please visit www.carolinacon.org. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon 2008 - Call For Papers/Speakers
InfoSec professionals, h4x0rs, script kidz, posers, and government spies: "CarolinaCon" is back yet again! Yes, for about the price of your average movie admission with popcorn and a drink, YOU are invited to join us for yet another intimate and informative weekend of technology education. What is this "CarolinaCon"? CarolinaCon is an annual Technology Conference whose mission/purpose is to; - enhance local and global awareness of current technology issues and developments, - provide affordable technology education sessions to the unwashed masses, - deliver varied/informative/interesting presentations on a wide variety of InfoSec/hacking/technology/science topics, and - mix in enough entertainment and side contests/challenges to make for a truly fun event. When/Where is CarolinaCon? This year's event will be held on the weekend of March 28th-30th, 2008. The event will mostly occur at the Holiday Inn in Chapel Hill, NC. Chapel Hill is about 30 minutes from Raleigh, Durham, and Research Triangle Park. Who develops/delivers CarolinaCon? CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters. What events will be at CarolinaCon? CarolinaCon is mainly about the talks (presentations/demos). Alongside of those we'll surely have several other technology-related contests/challenges, as we've had in past years. Details on those will be announced soon. Who will be presenting which topics this year? That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you're interested in presenting please send; - your name or handle, - the topic/presentation name, - estimated time-length of presentation, and - a brief topic abstract via e-mail to: speakers carolinacon.org *NOTE: All submissions are due BY mid-January 2008! Last year we unfortunately had more submissions than time-slots and "first come first affirmed", so be timely in submission if you're committed to being part of the elite cadre of presenters. Unfortunately as a non-profit dedicated to affordable education, we've made "less than $100 total profit" each of the past years and can't afford to pay anyone to speak nor cover any related expenses (sorry). However if you do speak at the Con, you will receive; - free Con admission, - a free Con t-shirt, - an invitation to a private soiree during the conference, - minimal fame and glory, and - mad props from staff and attendees We value diversity, so please don't hesitate to propose your ideas no matter how outlandish. I'm excited! What do I do know? If you're interested in speaking, send the 411 requested to: speakers carolinacon.org (BY/BEFORE January 15th 2008) And if you're interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the dates on your calendar! Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon presentation drafts
[EMAIL PROTECTED], phr34kz, g33k5, InfoSec pros, and "not" you feds/cops (heh), CarolinaCon-2007 is April 20th-22nd. Check out the carolinacon.org site for more details. Here's a sample of what's on tap currently, as far as pure talks go (in no particular order whatsoever). Also these abstracts are really rough, as clearly evidenced in places. I'll be firing our secretary and technical writer as soon as we hire one or both (cough). I can only be directly blamed for how 1-2 of these look. I can be blamed if the formatting on this post is all screwed up, as I'm lazily cutting and pasting text from the site HTML (which I did not code up, and which seems to have been cut and pasted from phpBB forum posts). And without further delay or disclaimers... "Examining The On-line Black Market" Computer attackers no longer need to rely on their abilities, as malware and automated tools quickly and efficiently perform attacks for them. Individuals can buy access to sophisticated malware, including bots, Trojans, and worms via markets run in publicly accessible web forums centered primarily out of Eastern Europe and Russia. These forums also operate black markets where individuals can sell the data they illegally obtain for a profit. Since these markets are dynamic and often written in foreign languages, it is not fully understood how these markets operate. Using a sample of publicly accessible web forums that traffic in malware and personal information, this talk will explore the current state of the on-line black market. The data are used to understand the quantity and type of data being traded and sold, and identify the dynamics of sellers and buyers in these markets. This talk should benefit anyone with an interest in computer security or hacking by detailing the methods and tactics of malware writers and data thieves, as well as upcoming malware threats. "Intro to Electronic Circuits and Circuit Elements" This presentation is slated to encompass a wide variety of simple electronic circuit elements and how to assemble them into working circuits. The elements that would be examined in the presentation would include power sources, resistors, diodes, Timer ICs, Op-Amps, and testing equipment. I will cover how to use the equipment and also include an introduction to soldering the circuit elements onto mounting boards. I would go over how to assemble or purchase all of the components to build the circuits and test them. To conclude I would demonstrate a few simple circuits and how to build them at home along with where to purchase or obtain the components. "FreeBSD Jails 101" Talk starts out with an overview of chroot (Cool and chroot(2) and why they are ultimately not acceptable to isolate processes from each other. Move into jail(Cool and jail(2) and how they work and can properly isolate processes. Finish by explaining the relationship between virtualization and jails and some things to keep in mind when using jails. I will also have a machine with a few jails up and running to illustrate some of the points in my talk. "Building and Maintaining a Community Hacker Lab" This panel discussion will cover the major hurdles to be made in creating and maintaining a hacker lab for your local group or club. The esteemed panel of current CCG lab scientists will discuss lessons learned in the pursuit of obtaining and maintaining a hacker lab for the NC2600 community. The CCG lab is currently in operation, and is a non-profit research laboratory dedicated to creating innovations in the fields of computer security and software development. Its inspirations lie in places like the infamous l0pht and less-known but still l33t NOLAB. By striving for technical skills development and by using knowledge-sharing, the goal of the CCG lab is for computer security-minded persons to explore and learn in a heterogeneous networked environment. Major panel topics to be covered include; funding, finding an appropriate location, physical/network access control, network design, projects, membership/participation, and obtaining hardware/software. Questions from the audience are also encouraged, as the panel and sponsoring non-profit hopes to inspire other groups to build their own labs. "How to 0wn Capture the Flag" This presentation will cover the knowledge needed to setup, run, and win a capture the flag game. The setup portion of the presentation will cover how the scoring application works and the details of setting up the hardware. Advanced topics such as using a Honeywall to log attacks that happen during the game will be touched on as well. After an explanation of the inner workings of how the game works an open discussion of tips and tricks on how to bend the rules without breaking them will follow. A prize will be awarded to the person who has the best tip as voted on by the attendees, so bring your best hack. "Keeping Secret Secrets Secret and Sharing Secret Secrets Secretly" Secrecy is the practice of hiding information
[Full-disclosure] CarolinaCon 2007 Announcement/Press Release
The Carolinacon Group, a North Carolina-based non-profit organization dedicated to technology education, proudly announces and invites you to join us for an event: Carolinacon 2007. The conference will be held April 20-21 in Chapel Hill, NC at the Holiday Inn on North Fordham Boulevard. Chapel Hill is within a 30 minute drive of Raleigh, Durham, and The Research Triangle Park. Now in its third year, started as a grass roots movement to bring local technology enthusiasts together, the event spotlights a diverse array of topics: computer and computer network security, software code, electronic hardware modification, reverse engineering, information age privacy and civil liberties issues, the state of underground cultures tied to technology, and many other related subjects of discourse. For a $20 admission fee, payable in advance or at the door, you can spend a weekend among intelligent inquisitive people talking about far-reaching ideas. Despite being open to the public, there is an intimate atmosphere. You will meet and hang out with speakers and other attendees alike. In addition to seminars, you can participate in a number of challenges and contests, and attend our now (in)famous after-hours social gatherings. While the list of topics and speakers from our past two Carolinacon events are hard to rival, this year we are expanding the number of speakers to provide even more opportunities for information and education. They include several talks Friday night, and all the talks we could possibly squeeze in from noon to midnight on Saturday. As is our tradition, we will close out Saturday night with an open trivia challenge based on seminar-related subject categories. The current draft of our agenda includes topics such as: - computer filesystem forensics - FreeBSD Jails - the evolution of telephone switching technologies - creating and managing a non-profit computer research lab - human natural intelligence and a cortical primer - an examination of the online black markets by a UNC Charlotte professor - electronic circuits and circuit elements - ways to win an electronic "capture the flag" contest - non-cryptographic methods for protecting and sharing information securely - legal issues in open source software development, usage, and distribution and more! For more information, please check out and stay tuned to our website (http://www.carolinacon.org/) or send your specific information requests to [EMAIL PROTECTED] This invitation is submitted sincerely for your consideration by the volunteers and staff of Carolinacon 2007. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
This input is literally weeks late, but I'm making the effort anyway. To anyone on this list that actually knows me, I'd like to throw in my personal encouragement to participate in Doctor/Professor/Mr. Holt's research study. I know the guy personally. He's been to at least one party at the "Vandal Estate", which is like a 3-hour drive from his house to mine. That either means his social life is pretty desperate or I have kickass parties worth the drive. But now I've digressed rapidly, and back to the message purpose. He is employed by UNC-C, as anyone can verify with minimal effort. Bottom line is he's a good and trustworthy guy, and isn't trying to get anyone to incriminate themselves or anything evil like that. He often tries to understand and develop some "unified theory" of what drives individuals to become "hackers", purely from an academic motivation. I don't want to slant his goal, but the way "I" see it is "what drives an individual to reverse-engineer, test, and/or break technological systems", or "how and why does a hacker become a hacker, and how does that individual view their own activity or behavior along those lines". That's my interpretation anyway, for what it's worth. He drops related questions in other settings often enough, in his recurring quest for knowledge and understanding. He does a lot of other things in his work and life of course, but that is my two cents on the topic being replied to. I'll also add that his research findings will only have any value if he gets "quality" participants. That can mean a lot of things, but I think the main characteristic would be anyone who has had any "gray or black hat" tendencies at times...who can honestly and clearly explain how they came about those tendencies. Of course "don't be stupid" in any participation, but please take one hour of your time to participate if you can spare it. I'm sure he appreciates the few comments/advice thrown out here, but what he really needs are answers to his specific survey questions. My added advice to any potential participants is; - don't list any specific legal lines you may have crossed using any details that could tie you as the respondent to any specific incident, - don't include any details that could identify your identity, via survey data aggregation or otherwise, - communicate with Doctor/Professor Holt using anonymous single-use e-mail accounts only, - don't bother trying to collect the $10, unless you really need it and don't care about any associated risk to your anonymity via collecting and using it (yeah I know, "duh"...but I said it all anyway) That way even if the data is subpoenaed, it holds no value to those who might use it for purposes not intended by Doctor/Professor Holt (as someone wisely noted the possibility). I don't know what his deadline is, but obviously the sooner the better so he can start the huge task of compiling and analyzing results. I do know no deadline has passed yet. Thus wraps up my endorsement/reference, to those who know and trust me. Sure I should have pinged people individually with that message, but the shotgun approach works for me because I'm admittedly lazy. For the record I did participate, as anonymously and vaguely as I felt necessary (while sharing some honest thoughts and personal history that I hope held some value towards the goal). Peace, Vic - CISSP, SSCP, HIJKLMNOP, etc. (cough) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon 2007 - Call for Speakers/Papers
InfoSec professionals, h4x0rs, script kidz, posers, and government spies: "CarolinaCon" is back again! Yes, for about the price of your average movie admission with popcorn and a drink, YOU are invited to join us for yet another intimate and informative weekend of technology education. What is this "CarolinaCon"? CarolinaCon is an annual Technology Conference whose mission/purpose is to; - enhance local and global awareness of current technology issues and developments, - provide affordable technology education sessions to the unwashed masses, - deliver varied/informative/interesting presentations on a wide variety of InfoSec/hacking/technology/science topics, and - mix in enough entertainment and side contests/challenges to make for a truly fun event. When/Where is CarolinaCon? This year's event will be held on the weekend of April 20th-22nd, 2007. The event will mostly occur at the Holiday Inn in Chapel Hill, NC. Chapel Hill is about 30 minutes from Raleigh, Durham, and Research Triangle Park. Who develops/delivers CarolinaCon? CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters. What events will be at CarolinaCon? CarolinaCon is mainly about the talks (presentations/demos). Alongside of those we'll surely have several other technology-related contests/challenges, as we've had in past years. Details on those will be announced soon. Who will be presenting which topics this year? That's where YOU possibly come in. If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review. If you're interested in presenting please send; - your name or handle, - the topic/presentation name, - estimated time-length of presentation, and - a brief topic abstract via e-mail to: speakers carolinacon.org *NOTE: All submissions are due by mid-February 2007! Unfortunately as a non-profit dedicated to affordable education, we've made "less than $100 total profit" each of the past years and can't afford to pay anyone to speak nor cover any related expenses (sorry). However if you do speak at the Con, you will receive; - free Con admission, - a free Con t-shirt, - an invitation to a private soiree during the conference, - minimal fame and glory, and - mad props from myself and others. We value diversity, so please don't hesitate to propose your ideas no matter how outlandish. Past speakers/topics include highlights such as; - IPv6 Implementations/Demos - Tokachu (NC-2600) - Digital Media (why blue is not blue) - Lexicon (DC-2600) - Pirate Radio - Dr Anonymous (parts/places unknown) - Ethics in Hacking - Endgame (NC-2600) - Hack-Nano Project - cipz (LV-2600) - Chronology of the Phrack Microcosm - CyberSpy (SpyTech Industries) - DNS Hacks: No Resolution - Matt (NC-2600) - Gender in Hacking - Dr/Professor Holt (UNC-C) - Reverse Engineering - txs (GhettoHackers) - College of Hacking - Vic Vandal (NOLAB/504) - Building Competitive Robots - Nick Fury (NC-2600) and many more! All the talks were great in my humble opinion, but my "personal" favorites from past years have to be; pirate radio, nano-hacking, and the robot. The nano-hack maniac did live demonstrations that probably sterilized a few people near the stage, the robot presentation included a working "Johnny-5" type robot that the NCSSM team had built and competed with, and the pirate radio presentation was about "real" pirates who raided ships by force and then broadcast their programs from waters not in/near the continental United States (presented by one of those pirates with related photos). I'm excited! What do I do know? If you're interested in speaking, send the 411 requested to: speakers carolinacon.org (by February 15th 2007) And if you're interested in attending, watch this space for more details: www.carolinacon.org ...and don't forget to mark the date on your calendar (4-20, cough)! Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CarolinaCon-2006 - Call for Speakers/Papers
InfoSec/h4x0ring enthusiasts, "CarolinaCon" is back for another weekend of varied/informative/ interesting/educational presentations, more project mayhem, more heavy partying, and hopefully "not more" of almost getting the whole thing booted from the hotel (not once, not twice, but three freaking times)! Lame introductions aside, here are the basics: What: CarolinaCon-2006 Where: Raleigh, NC When: June 9th-11th (2006) As this isn't a call for "attendees", actual location info will be announced the next time around (although the place has been reserved, and we're not welcome back at AmeriSuites so it ain't there, cough). What this is, is a CALL FOR SPEAKERS/PAPERS. In that respect, if you're interested in presenting please send; - your name or handle - the topic/presentation name - estimated time-length of presentation - a brief topic abstract - any special equipment needs, and - the day/night/time of weekend you'd prefer presenting on to: [EMAIL PROTECTED] If you'd kindly CC me on that, I'd personally appreciate it. And no, we "can't" afford to pay anyone's way to the RTP-NC area (sorry)... as we're completely non-profit (registered as such) and basically only charge attendees just enough to cover the basic Con expenses. If you do speak at the Con, you WILL get; free Con admission, a free Con t-shirt, an invitation to the private soiree Saturday night, minimal fame and glory, and mad props from myself and others. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] No one else seeing the new MS05-039 worm yet?
>care to share? Dude I'll e-mail you a very temporary link to the executable, off the list. Just share it further using your own bandwidth instead of mine please. I've done likewise with a few other people who requested a sample, but don't have time to respond to each request individually. If you want to post it on your own box and share it with the full "full disclosure" list, that's up to you. I see Symantec came up with an advisory 10-11 hours after they got a sample, yet still got a couple things wrong. My 411 wasn't completely comprehensive either, but I'm not getting paid to analyze malware for the masses and don't have a dedicated lab, l33t expensive tools, and a paycheck dedicated to such things. On all the infections I've seen (I work for a large international organization, so malware presence is a given...due to technical constraints I'll not delve into at the moment) there were no e-mail impacts. Also I didn't see the Was*.tmp DLL they mention on most boxes. Also they don't mention that "multiple" reg keys may be added to the Run folder. Lastly they don't point out that "worm" propagation based on the PnP vulnerability only occurs on the Win2K boxes. Win2K3 and WinXP require some user/machine action to exploit the vulnerability, and the malware can't infect those boxes independently. I don't think I mentioned that either, but figure most on this list know such things. AV vendors shouldn't make such assumptions though. The behavior varied from workstation to server. On one server the malware was constantly creating 1.7GB executable files and eating up 100% of the CPU. That box was a very unique animal though and I doubt most would see that on your average server. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] No one else seeing the new MS05-039 worm yet?
This has been going around since early Monday afternoon. Symantec and other AV vendors have had code since then, and no details STILL. I guess one can call it the Katrina worm until something better comes along. Details: - Exploits MS05-039, but also MS04-011 and MS03-026. - Scans on port 5000 and 135. - On workstations opens up range of listening ports above 1024, visible with "netstat -a". - Creates 40K svc.exe and several randomly named LARGE .exe files in: C:\WINNT directory. - Sticks a long line of hosts resolving to broadcast address in: C:\WINNT\System32\Drivers\etc in hosts file. - Adds reg key(s) under: HKLM\Software\Microsoft\Windows\CurrentVersion\Run which are those random .exe file names mentioned above. - May create svc.exe and exe.tmp reg keys under: HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\(machine key)\ FilesNamedMRU (may be unrelated, not generally found on infected box). - Prevents killing processes via Task Manager (all processes backed by gray color, clicking individual processes does nothing). - One can use other utilities to kill running malware processes. - Symantec may report as [EMAIL PROTECTED] and/or W32.HLLW.Nebiwo. Cleanup: - Backup registry. - Delete malware-related reg keys as noted. - Delete malware-related files. - Re-check registry, as executables may enter new values before all cleanup actions complete. - Edit hosts file, removing added data and saving afterward. - Empty Recycle Bin. - Patch infected machine. - Reboot. - Verify that symptoms are gone. I've not had time to decompile code to dig out other details, but cleanup routine seems sufficient for most part. Have had working routine since early afternoon, and expected details from vendors long before now. Peace, Vic ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] ICMP Security Vulnerabilities - NEW (cough)
In response to you Chad Loder: On Thu, 14 Jul 2005, Chad Loder wrote: > Vic, > > I find it interesting that you've gone through the > trouble of writing a 10 page email in which you > seem to be claiming partial credit for someone else's > work, but you have not bothered to include any > references to substantiate your claims, other than > a mailing list you can't remember, some private > conversations on a tangentially related subject > you've had with associates over the years, and your > newbie ICMP guide. There was no real "trouble" in "writing a 10 page email" as mostly all I did was cut-and-paste something I wrote 10+ years ago that I HAPPENED to have relatively handy. My only "trouble" is in responding to retarded statements, one of which is ignorantly outside the original thread. Guess which one that is! I explained quite clearly "why" I didn't include those "references". Obviously you didn't understand those words. And is there any real value to such inclusion anyway in this case? The content would still be what it is. I did "reference" a few RFC's, for the record (as you contradicted yourself in noting). The "mailing list" was not one I was ever a member of, nor did I ask nor was told what it was. A colleague (who ran an InfoSec consulting business and a "hacker" lab) with me was into BSD big-time, had a copy of that guide, and asked me if he could post it to some BSD mailing list he was on. I never asked which one (and didn't care), and gave my OK. We never discussed it again, but I did remember that conversation we had working in the lab some 6-7 years ago. > Unfortunately your email adds nothing new to the > discussion and only shows that you did not take the > time to understand the draft, nor the fixes that have > been implemented in OpenBSD and Linux. Whether or not it added anything new to any specific persons, discussions, etc, I'm sure at least someone learned something by it being posted. BTW how could it list fixes implemented in OpenBSD and/or Linux if it was written before some of those fixes were implemented? Also the "guide" was clearly titled as to its intent/content, which was not "ICMP flaws and fixes". Exactly what does your post "add new" to anything or anyone? Ironically, the answer to that is "not a damn thing!" > Now, regarding your guide to ICMP filtering. First, > your guide says nothing about the blind ICMP attacks > against TCP in Fernando's paper. Your guide appears > to be a summary of other information (including guides > and published exploits) available well before 1994 > (including, for god's sake, the "Security Considerations" > sections of RFC's published in 1990 and even earlier). That guide wasn't entitled "blind ICMP attacks against TCP", which may be one of several reasons there was no mention of such things in it. I made it quite clear that the information was "old news", hence it being "available well before 1994". Being that you're such an expert on "old info availability", perhaps you should include those references you are alluding to. > In addition, some of the advice in your guide is > dangerous for basically anyone other than home users > sitting behind a firewall. This, too, was widely > known before your guide was published. I'll tell you the same thing here that I told Fernando Gont based on his reply to me. The text is a "guide", as are ALL "guides", which may not apply in individual network situations. The fact that you don't seem to understand that basic concept is certainly "interesting". There are implementation details missing from the guide, but that was "intentional" - as different filtering products have different syntax, features, and layers of granularity available. It assumes one understands the product one is working with and how to apply the guide to their individual environment. There is no "one size fits all" in security and/or networking in many, many cases. This is simply one of those many cases. > You need to hit the books. You assume to know what I haven't read or NEED to read, which is quite an ignorant statement. What I can say to that is if I stacked the diversity and depth of my knowledge, skills, abilities, experience, references, and credentials against yours, I'll bet good money it won't be "I" that requires such ignorant advice. Just because I've never been very visible in the public domain (under ANY of the names associated with me, by design) doesn't mean I don't know and haven't done much. It is quite the contrary. I've been in this InfoSec game professionally since 1989, and held other computer jobs/interests long before then. > -Chad Loder > Freaking retards! Sheesh! Vic (what a waste of time that was, which won't happen again) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] ICMP Security Vulnerabilities - NEW (cough)
Dude, I'll try to respond to what you're saying, but I avoid these mailing lists because I simply don't have time to deal with such things (hence my delayed response). I'm a VERY busy person, and my life/interests don't revolve around IT/InfoSec. It's simply a "job", which I do well and have done much better than most for more years than most. First, I've got no beef with you, and I truly respect what you're trying to do. It's the huge glut of daily "discovered vulnerabilities" that has long bugged me, in the sheer fact that MANY are neither "newly discovered" nor are "actual vulnerabilities". If I tried to comment on each daily, I would have no time in my life for anything else whatsoever. So obviously I won't EVER be doing that. I work to live, not vice-versa. For the record, Vic isn't my real name (it's an old band/stage name) and isn't the only alias I've ever used. Even where my real name is concerned, I've seen that there is someone else who has only been in InfoSec ~5 years who has posted questions publicly that I wouldn't have needed to ask. I've wondered how many see that and think I posted such things. But I believe he is from the UK, and I'm from New Orleans Louisiana. The week I posted my ICMP comments, a guy who works for me on my security team sent me a couple articles and asked for my feedback. He often does, as he's trying to learn things and match his perspective against mine a bit. Yours was one of them, and the other was so retarded and wrong that I brushed it aside without a second of consideration. Anyway after we tossed comments back and forth, he pointed out the fact that I NEVER share information/knowledge that might be useful to others in the public domain. And he's absolutely right. I've given dozens and dozens of talks at conferences, but many of those "back in the day" were done on transparency pages, white boards, etc. (like at CA-World 5 years in a row under my real name), or were given at "private Cons". I've also done hundreds of "internal white papers, technical bulletins, etc" - none of which has ever seen the "public light of day". Then much of my work is "owned" by the federal government or military, and can't ever be shared publicly. [readers]So what's your stupid point already Vic? Sorry...I'm getting to it. So with this dude bending my ear, and me thinking how true it is that I've shared so little experience, and me considering walking away from IT/InfoSec soon to work on other interests/projects, I decide "I'm gonna force myself to TRY to share some information". So I take the more interesting of the two sent (yours), and post some old data of mine that was somewhat handy. Your response (and my response to it) follows: On Thu, 14 Jul 2005, Fernando Gont wrote: > At 06:42 p.m. 12/07/2005, Vic Vandal wrote: > > Vic, > > I'd like to sum-up my response, before quoting your e-mail to respond to > each of your comments. > > a) Discussing an issue "in various circles" is not "raising awareness". The > proof of that is the large number of vulnerable implementations, as listed > in NISCC's and CERT/CC's vulnerability advisories. Vic: When I said "discussed in various circles", obviously there was some public documentation of such things, which is what I drew my ICMP filtering guide from so long ago. I agree that there are a large number of vulnerable implementations of "everything under the Sun", which is why I'm thoroughly bored and quite sick of this profession. It will get MUCH worse before it ever gets better (if ever). I applaud those who wish to "fight that fight", but I'm hoping to go off and work on things I find much more interesting/challenging soon. There aren't many systems/ networks I can't break nor fix, hence "time" is the limiting factor and the time I'm willing to put into that "fight" is nearing its end. > > b) Guides and papers such as yours have broken the Internet, particulary, > the PMTUD mechanism. Your guide recommend to filter ICMP "fragmentation > needed and DF bit set". Thus, any intermmediate system that (unfortunately) > implements your proposal will break the PMTUD mechanism, and thus any > connection using it will stall (except in specific scenarios in which the > PMTU is the same as the MTU of your link). > I don't know if it's just that the work you read was bullshit (or too old), > that you didn't read it well, or that you didn't care. > Publishing non-elaborated work such as yours make more harm than good. Vic: It was never intended to be used in "intermediary devices"
[Full-disclosure] ICMP Security Vulnerabilities - NEW (cough)
I know this is now even older news than it was when the recent flurry of discussion started last week, but I'm just getting around to sharing a bit of additional information on the subject. Regarding those three (3) "vulnerabilities" discussed by Fernando (can't recall his last name, no offense meant), followed by a link to and discussion of here, I respectfully submit the following: 1) Regarding ONLY the "source quench" discussion there, that is absolutely "nothing new". I've had a paper/guide mentioning it specifically since 1994, that I've shared with various entities I've worked for since that time. That same paper was posted to some BSD-related mailing list back in 1997 or 1998 (by a friend of mine who I had shared it with), but I can't recall the list/site name. I've also provided it to various friends in the InfoSec industry (as recommended ICMP filtering guidance) sporadically through the years. Yes I know Fernando's paper elaborated a bit on potential fixes, but regarding ONLY the "source quench" item again it is not "new" and has been discussed in various circles in the past. 2) I also personally launched a source-quench DoS "over the shoulder" of a friend who was competing in CTF at DefCon MANY years ago, which "may" have been the first DoS in those games (it certainly pre-dated the massive DoS storms later years saw). 3) I didn't "discover" the "source quench" nor any other ICMP "vulnerability", but took the work of others to provide some guidance on firewall filtering. I wish I could give exact credit where credit is due, but don't have that kind of free time to dig through my boxes upon boxes of printed and digital resources. Also the pointers in my mind to such details (stored a decade or more ago) have been broken somewhere in time passed. I will acknowledge that the first "widely published" discussion on the exact topic of ICMP filtering was "probably" in the 1995 release of "Building Internet Firewalls" (by Chapman and Zwicky). I had the book in my desk back then, but left it behind when I left the organization that paid for it. IF I still had it, I'd gladly quote it directly to verify the exact verbiage/discussion of the topic therein. 4) For future reference, I'll share the ICMP filtering guidance here (mentioned in item #1 above). Perhaps it will help someone secure their environment, and possibly discount some "newly" discovered vulnerabilities as "old news" in the future (which I suspect some jackasses will start posting a few of these as their own "discoveries" shortly). 5) Noting #4 above, this information may be re-published/distributed ONLY with the ENTIRE contents of this e-mail/posting (including these numbered statements/disclaimers). 6) No I haven't notified "CERT", "Micro$oft", or any other vendor/organization. This is "old news" after all, and I assume "being able to read" is a prerequisite for becoming employed at most places dealing with such things. And if Cisco or anyone else wants to claim some kind of patent protection for such info, I promise I will dig up sources that show non-"any vendor mentioned in the recent post/article" releases of these details as far back as 1994-95. You can bet the house on that. Nuff said! Here's the list (cut-and-pasted from HTML, so please excuse the lame formatting): "Un-Official Guide to Secure ICMP Packet Filtering" (applicable to firewalls, routers, and/or other packet-filtering devices) Produced by: Stuart Thomas and Vic Vandal Original Publish Date: 1994 Last Content Revision: 1995 Format Revisions: various dates Echo and Echo Reply Messages - ICMP Code Type 8 Discussion: The echo message (also called echo request) is used to check if a host is up or down. When a host receives the request, it sends back an echo reply message. These messages are usually generated by the ping command, but may also be generated by a network management device that is polling the nodes of a network. Security Issues: Echo requests can be used by an outsider to map your network. Firewall Filtering: Allow the outbound echo request and inbound echo reply. Deny the inbound echo request and outbound echo reply Destination Unreachable Message - ICMP Code Type 3 Description: These messages are generated by hosts or intermediate routers, in order to notify the initiator that a session cannot be established. Security Issues: An attacker can force nodes of your network to generate these packets, in order to obtain knowledge of your network. Firewall Filtering: Allow the inbound message (for troubleshooting purposes). Deny the outbound message. Source Quen