5.26.2007

Love of the game.

So! The qualifying round of DefCon's infamous Capture the Flag competition is this weekend. I'm excited, and not just because this would be my first CtF experience. The synergy (more or less) of people coming together with different experiences, knowledge, and ways of looking at problems could prove to be a great way to delve deeper into the field of code and code manipulation. (Let's be honest here, when it comes down to it, this is less about offense or defense and more about mental technique.)

This weekend, a group of us will be sharing one apartment, eating each other's food, hacking to the point of exhaustion... I can't think of a better way to spend a random summer weekend, but that could just be me. ;)

In preparation, I've been looking over last year's quals, helpfully posted by last year's team 1@stPlace. I think one of the things that blew me away was the wide range of topics presented, and the variety of exploitable things. XSS? Bitstream analysis? Reverse engineering protocols? Stealing entangled qbits? OK, just kidding about that last one, but it goes to show what an awesome, diverse field infosec can be. And as much as this is about hacking and having fun, I can only wonder what future DefCon CTFs may hold, especially with the dominance of mobile computing...

But the future can wait. This weekend, let teh funz beg!n.

5.23.2007

Getting Involved: CitySec, OWASP, and SUGs! O MY!

It's been an amazingly busy time for the Vulnerable Minds. Plans for Defcon, CTF, Projects, papers, all of them are sucking up time. I have had multiple blog posts in the queue waiting to be finished and posted in all their glory, but I wanted to make a quick post to highlight something that's been important to me lately.

The image of the lonely hacker in a basement is quickly disproved as soon as you meet the very social characters that make up most of the hacking community. As happy as they are sitting around hacking on a neat piece of code, they're just as happy going out for a beer and talking about that piece of code with others who share their interests. Any conference is as much about the old friends you meet up with and the new friends you'll make as it is about the technical knowledge you'll gain.

Cons are, depending on your travel schedule and availability, few and far between for most, and as a result smaller interest groups have been forming all over the country to support the desire many hackers/infosec professionals have to mix with their peers, share ideas, network, socialize, and just generally cause trouble. Much like 2600 a few years ago, these groups seek to give people those opportunities.

Thomas Ptacek has been a huge proponent of these groups, and as such has organized CitySec, a small bulletin board meant to help form and nurture such groups, which I've been happy to be involved in, advocating a Washington DC meetup. Well before the CitySec site was even live, Richard Bejtlich, along with other security professionals, started NoVASec (Northern Virginia) as a group where those interested in pure security, less interested in discussing their CISSP number and GIAC scores and more into talking about what they're actually doing, could meet and talk about security. NoVASec has been excellent, just a bit of a stretch to get to as it's usually fairly far outside Washington DC proper.

Many other groups are also meeting regularly. OWASP has regular meetings, such as those in Washington DC, in various cities for developers, admins, and security folks interested in webapp security. For those more of the CISSP/Security Management mindset there are groups like ISSA-NoVA. The black or grey hat oriented crowd still has more than a few chapters of 2600 that still seem to meet, though I gather they're waning a bit. I'm also known to show up at a Snort Users Group meeting or two, though sadly the NoVA group hasn't had a meeting in a few months. Even many colleges are getting involved, with groups like the Penn State Information Assurance Club, and a similar club at RIT whose name I completely fail to remember.

I guess what I'm trying to say is that it's great to see the community that's coming up around various areas of the security field, and I've been happy to get involved and encourage others in the security community to do the same. I speak from experience when I say many of these groups are just as much fun as the larger conferences, and make great places to make new friends, make contacts, have a good beer, and occasionally learn something.

5.19.2007

Time for a Tango

Well I've had a number of people curious about Project Tango. It's been going for a little over a week now, much of the initial work has been completed, and now I'm in the process of tuning some of the back end pieces for finalization and release.

So at this point I'm asking for some help, and in the process am going to give away a few things about the project, so here ya go:

  • Are you a security professional who's an information junkie? Shoot me an email and let me know what you look for in getting your fix. What sites you read, what information you want, what information you don't want, and if you'd be interested in the Tango Beta.
  • Are you a security professional using RSS to feed your information needs, whether addict level or more of a recreational RSS user? Shoot me an email, pet peeves, wants, information you don't or can't get via RSS, and if you'd be interested in the Tango Beta.
  • Are you just really curious about what Project Tango is and want to make a compelling case to get in on the beta? Shoot me an email.

All email can be sent to tango.beta@vulnerableminds.com and we'll set you up for an early look at Project Tango.

5.11.2007

Project Tango

No, this is not a reference to my favorite partner dance, and only partially an allusion to the common term used by counter terror teams to reference subjects. Project Tango is a new initiative of mine that will be coming to the site soon. I'm hoping this will meet a need many already have in a new and innovative way.

This is a new direction for Vulnerable Minds, an experiment if you will, and I look forward to unveiling it. Want a hint as to where? All I'll say is Yahoo Pipes and Google Reader are two great tastes that taste great together.

5.01.2007

The AdSense You May Not Know

Google's AdSense (yes, the advertising medium that internet users love to hate) has come into the spotlight this past week for some interesting 'interpretations' various advertisers are using. Turns out, the powerhouse advertising medium leads a double (perhaps triple) life. These deviations have been for both the benefit and hindrance of the internet community.

On the lighter side of things, the guys at TorrentFreak devised a way to use AdSense to help limit the spread of malware. They took up advertising space on a site that hosted a malware-infested BitTorrent client, but instead of advertising a product, they posted a warning about the very site the ad was on. These sites would end up with an ad specifically stating that their product puts malware on the user's machine. The group over at TorrentFreak estimates that they prevented about 1,000 users from downloading the malware – of course admitting the entire way that the hosting sites were making money off the effort... they were still ads, after all.

On the darker side of things, Roger Thompson over at Exploit Prevention Labs Blog highlights how malware creators are using Google's advertisements for their benefit as well. Definitely click over and take a read of the article, very interesting stuff. The gist of it, however, is that what you think you are clicking on may not be what you get. Turns out, some ads are masquerading as legitimate sites (e.g. the Better Business Bureau), so when you click on them, they first pass you through an exploit of their choice, then forward you on to the site you wanted. The process is completely transparent, leaving the user oblivious to what just happened. Roger made a video of this here. (For those of you curious, apparently Google has recently taken down some of the main offenders.)

Though it probably shouldn't, it does intrigue me how the same medium can be used for both the benefit and detriment of the internet community.