DEF CON & AMD Sinkclose
Kyle Fox here. Sorry for being a little late this week, normally these things are written during the week they happen and then compiled into This Week in Security on Monday. But I was at DEF CON all week!
DEF CON 32 in the Bag
The thirty-second iteration of the largest hacker convention in the world, DEF CON, happened this week, with around 20,000~30,000 attendees. I spent a lot of my time there working on DEFCON Fursbadge-related stuff and did some walks of the convention floor.
Hotel Issues
As it has been since the 2017 incident in Las Vegas, hotels were inspecting rooms to make sure nothing untoward was happening. But Resorts World pushed it a bit further. Guests reported their belongings were inspected through and hotel guests from DEF CON were told inspections would happen daily. This was not the only property issue with DEF CON, the Fountainbleau closed a furry party.
Badge
Not to be left out of controversy, DEF CON itself had a bit of controversy over a dispute on payment and credit for the DEF CON badge itself. Entropic Engineering contended that they were reporting all cost issues to DEF CON as badge work progressed. DEF CON noted that the cost overrun reached 60% by time they pulled the plug. The badge software developer included an Easter egg in the badge, which DEF CON said crossed the line, resulting in him being dragged off stage during the badge talk. Deviant Ollam has posted a video with his take on the controversy.
Crowdstrike Gets Pwnie for Most Epic Fail
Crowdstrike accepted the Pwnie award for Most Epic Fail on stage at DEF CON. The Pwnies are awards for various cybersecurity achievements, and recipients rarely accept the award for Most Epic Fail.
Badgelife
First time attendees of DEF CON may notice that other attendees are not only wearing DEF CON badges, but other badges created by groups at DEF CON. This year was no exception. There were badges like the Aerospace Village badge, a meticulously Beetlejuice themed Dante's Inferno badge, the DEFCON Furs badge I worked on, as well as a multitude of other badges. But this year was also not without badge issues, like AND!XOR's production issues and general supply chain logistics issues and customs being slow.
RPi RP2350
The Raspberry Pi people announced a new version of the RP2040 chip, this one is called the RP2350. This chip has two ARM-CortexM33 cores and two RISC-V cores. The chip provides a performant update to the wildly successful RP2040 and was featured in the DEF CON official badge. Limited samples were available if you could find the Raspberry Pi people in the Embedded Systems Village. Currently it’s unclear when parts and products will come to market.
TSA
As is tradition, DEF CON results in some confusion with the TSA at LAS.
Moxie Marlinspike - Agile
Just prior to DEF CON at Blackhat, Moxie Marlinspike and Jeff Moss had a fireside chat about the impact Agile has on programmers' understanding of the systems they are programming on. Central to this complaint is the fact that security vulnerabilities often exist in the interaction of layers of abstraction or between two pieces of code written by different people. For example, a lot of HTTP smuggling attacks depend on two different HTTP parsers interpreting requests in a different manner. Marlinspike elaborates that Agile methodology encourages siloed practices without sufficient understanding of the ecosystem they exist in. I am looking forward to this talk being posted to YouTube so I can review it further.
AMD Sinkclose Vulnerability
A flaw has been discovered in AMD chips that researchers are calling Sinkclose. This flaw allows attackers with complete control over a system to embed persistence within the CPU itself. AMD has released mitigations for some products, with further mitigations coming soon.
Roundup:
- After USPS scammers tricked his wife, a security researcher hacked them back.
- Home Security company ADT got hacked, says home security systems not compromised.
- Layoffs in Silicon valley may be the cause of Burning Man's ticket glut. But the crusty burners are celebrating it being like old times again.
- Saravanan_M_KEmployee
loved to read your defcon experience.
- James_AffeldEmployee
In 2012 F5's own (at the time) Matt DuHarte accepted the Epic Fail Pwnie on behalf of F5 for shipping a static root SSH key. He thanked the security community for driving better software. “You got a bug with us, bring it to us. We want it.” Outstanding! I think this baller move restored a lot of credibility.