Tuesday, September 28, 2010


This weekend it was BruCon again :) and just like last year it was a very nice con.

The first talk I went to see was the keynote "Memoirs of a Data Security Street Fighter" by Mikko Hypponen. I saw Mikko presenting at OWASP this year and I was not so happy about that presentation but this one was much better.

The next talk I went to see was "You Spent All That Money And You Still Got Owned..." by Joseph McCray. I had seen this talk before and it was worth watching a second time. Joe explains things in a very comprehensible way. The talk was a little different and I personally liked it, not that it was better, but it was just a slightly different angle to explain it. But the bottom line is still, to quote him, "fix your shit".

I went to a workshop by Didier Stevens. It was of course about PDF and he took us at a very nice tempo through a bunch of PDFs he had prepared on a BackTrack4 VM. Bit by bit we learned to analyze them with the tools (pdfid and pdf-parser) he wrote. If you'd like to read about this, after BruCon he published a document about it on his blog.

In the afternoon I went to see Cyber[Crime|War] by Ian Amit. It was not a technical talk but it made you think, and I liked it.

Then it was Paul Asadoorian's turn, aka Paul from Pauldotcom. I was eager to see his talk about Embedded System Hacking and his plot to take over the world. I've been listening to the Pauldotcom podcast from the very beginning and even in his presentation the world-famous 'Bob' stories were present :). The content of the presentation was not that new if you listen to the podcast, but it was still cool. Besides giving this presentation, Paul also gave a nice presentation during the PowerPoint karaoke (a game where you present a random deck of slides you have never seen before in your life).

The second workshop I took was Damn Vulnerable Web App by Ryan Dewhurst and ethicalhack3r. A nice way to get you in touch with all the security problems of a web app. Personally, I think it should become part of any school training where you build a website.

The last talk I went to see was Chris Nickerson's "top 5 ways to steal the company". I knew Chris from the Pauldotcom podcast. Chris is absolutely correct that companies don't care about how you can own their boxes. Management doesn't understand our technical mumbo-jumbo, and unless we change the way we present what it means to them, they will never listen to you.

The best lightning talk I saw was the one by Wicked Clown. Not just for his cool leather jacket (with the image of a wicked clown on it), but also for the RDP vulnerability he demonstrated.

Chris John Riley totally pimped up his presentation about a tool he wrote in Python called UA-tester. Although his 5 minutes were up, it was amazing to see the difference in results when switching between user agents. Definitely something to play around with.

Thanks to everybody involved, it was great.