DEF CON & AMD Sinkclose

Kyle Fox here. Sorry for being a little late this week; normally these items are written during the week they happen and then compiled into This Week in Security on Monday. But I was at DEF CON all week!

 

DEF CON 32 in the Bag

The thirty-second iteration of the largest hacker convention in the world, DEF CON, happened this week, with around 20,000 to 30,000 attendees. I spent a lot of my time there working on DEFCON Furs badge-related stuff and walked the convention floor a few times.

 

Hotel Issues

As has been the case since the 2017 incident in Las Vegas, hotels were inspecting rooms to make sure nothing untoward was happening. But Resorts World pushed it a bit further: guests reported that their belongings were searched, and hotel guests attending DEF CON were told inspections would happen daily. This was not the only property issue with DEF CON; the Fontainebleau closed a furry party.

 

Badge

Not to be left out, DEF CON itself had a controversy of its own, over a dispute about payment and credit for the DEF CON badge. Entropic Engineering contended that they were reporting all cost issues to DEF CON as badge work progressed. DEF CON noted that the cost overrun had reached 60% by the time they pulled the plug. The badge software developer included an Easter egg in the badge, which DEF CON said crossed the line, resulting in him being dragged off stage during the badge talk. Deviant Ollam has posted a video with his take on the controversy.

 

Crowdstrike Gets Pwnie for Most Epic Fail

Crowdstrike accepted the Pwnie award for Most Epic Fail on stage at DEF CON. The Pwnies are awards for various cybersecurity achievements, and recipients rarely accept the award for Most Epic Fail in person.

 

Badgelife

First-time attendees of DEF CON may notice that other attendees are wearing not only DEF CON badges but also badges created by groups at DEF CON. This year was no exception. There were badges like the Aerospace Village badge, a meticulously Beetlejuice-themed Dante's Inferno badge, the DEFCON Furs badge I worked on, and a multitude of others. But this year was also not without badge issues, such as AND!XOR's production problems, general supply-chain logistics trouble, and slow customs.

 

RPi RP2350

The Raspberry Pi people announced a new version of the RP2040 chip, called the RP2350. This chip has two Arm Cortex-M33 cores and two RISC-V cores. The chip provides a performant update to the wildly successful RP2040 and was featured in the official DEF CON badge. Limited samples were available if you could find the Raspberry Pi people in the Embedded Systems Village. Currently it's unclear when parts and products will come to market.

 

TSA

As is tradition, DEF CON results in some confusion with the TSA at LAS.

 

Moxie Marlinspike - Agile

Just prior to DEF CON, at Black Hat, Moxie Marlinspike and Jeff Moss had a fireside chat about the impact Agile has on programmers' understanding of the systems they are programming on. Central to this complaint is the fact that security vulnerabilities often exist in the interaction between layers of abstraction, or between two pieces of code written by different people. For example, many HTTP request smuggling attacks depend on two different HTTP parsers interpreting the same request in different ways. Marlinspike elaborates that Agile methodology encourages siloed practices without sufficient understanding of the ecosystem the code exists in. I am looking forward to this talk being posted to YouTube so I can review it further.
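The parser-disagreement point above is worth seeing in code. The defensive answer to "two parsers frame the same request differently" is to refuse any request whose body length is ambiguous before it is handed to the next hop, so there is nothing left for a second parser to disagree about. The following is an added example (not code from the post or from the talk) of such a strict HTTP/1.1 framing check; the function names and the sample requests are constructed for illustration.

```python
"""Strict HTTP/1.1 request-framing check (added example, not from the post).

A request is accepted only if exactly one unambiguous framing rule applies.
Anything a proxy and a backend might read differently (Content-Length plus
Transfer-Encoding, conflicting Content-Length values, whitespace before the
header colon, obfuscated chunked encodings) is rejected outright.
"""

AMBIGUOUS = "ambiguous"
OK = "ok"


def parse_headers(raw: bytes):
    """Split a raw request into (request_line, [(name_lower, value), ...], body).

    Header names are lower-cased; values are stripped of surrounding
    whitespace. Raises ValueError if the header block is malformed.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of header block")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "strict")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Whitespace around the field name (e.g. "Content-Length : 5") is a
        # classic source of parser disagreement, so it is rejected here.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip()))
    return request_line, headers, body


def frame_request(raw: bytes):
    """Return (verdict, body_length, reason).

    verdict is OK when a single unambiguous framing applies, otherwise
    AMBIGUOUS with a short reason. Chunked bodies report None as the length,
    because it is only known after dechunking.
    """
    try:
        _, headers, body = parse_headers(raw)
    except ValueError as exc:
        return AMBIGUOUS, None, str(exc)

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Rule 1: Content-Length together with Transfer-Encoding is the textbook
    # case of two parsers picking different framings. Reject it.
    if cl_values and te_values:
        return AMBIGUOUS, None, "both Content-Length and Transfer-Encoding present"

    # Rule 2: Transfer-Encoding must be exactly one header whose value is
    # "chunked" (case-insensitive); anything else may be read differently
    # downstream.
    if te_values:
        if len(te_values) != 1 or te_values[0].lower() != b"chunked":
            return AMBIGUOUS, None, "unsupported or obfuscated Transfer-Encoding"
        return OK, None, "chunked"

    # Rule 3: Content-Length values must agree, be decimal, and match the
    # bytes actually present.
    if cl_values:
        distinct = set(cl_values)
        if len(distinct) != 1:
            return AMBIGUOUS, None, "conflicting Content-Length values"
        value = distinct.pop()
        if not value.isdigit():
            return AMBIGUOUS, None, "non-numeric Content-Length"
        length = int(value)
        if len(body) != length:
            return AMBIGUOUS, None, f"body is {len(body)} bytes, Content-Length says {length}"
        return OK, length, "content-length"

    # Rule 4: no framing header at all means there must be no body.
    if body:
        return AMBIGUOUS, None, "body present without framing header"
    return OK, 0, "no body"


# Constructed sample requests for the example (not captured traffic).
SAMPLES = {
    "clean": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
    "space_before_colon": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length : 5\r\n\r\nhello",
    "chunked": b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}


def check_all():
    """Verdict per sample, so the rules can be eyeballed in one table."""
    return {name: frame_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} {frame_request(raw)}")
```

The design choice here is to fail closed at the first hop: a front-end that rejects every request matching one of these rules never forwards a message that a differently written back-end parser could frame another way. That is exactly the cross-layer, cross-author seam the talk was pointing at, and it is cheaper to police at the boundary than to make two independent parsers agree.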

 

AMD Sinkclose Vulnerability

A flaw has been discovered in AMD chips that researchers are calling Sinkclose. This flaw allows attackers who already have complete control over a system to embed persistence within the CPU itself. AMD has released mitigations for some products, with further mitigations coming soon.

 

Roundup:

  • In 2012, F5's own (at the time) Matt DuHarte accepted the Epic Fail Pwnie on behalf of F5 for shipping a static root SSH key. He thanked the security community for driving better software. “You got a bug with us, bring it to us. We want it.” Outstanding! I think this baller move restored a lot of credibility.

Published Aug 19, 2024
Version 1.0