Thursday, August 27, 2009


Ok, I'm apparently not going to get around to a full recap of Blackhat/DEFCON, so here's some bullet points.

  • Shawn Moyer/Nathan Hamiel talk was first and probably best at BH. I don't think most people got it. I'm not sure I even 100% got it.
  • Thanks to the DEFCON goons who got me into the BH speakers party. Maybe next year I will be there for real.
  • WhiteHat dinner was excellent! Good people over there.
  • Mandiant training was good. A little more "find malware in Windows boxes" than I'd have liked, but overall a very valuable experience.
  • HackProv! (Did you know that Chicago plays "Big Buddha" differently than Boston? They use swears.)
  • Badges by December. Seriously badge fail.
  • My favorite moment of the whole trip was making an analog iPhone amplifier out of a plastic cup and Seventeen magazine at the Riv bar at like 3am.
  • Also, some dude was like "I don't think you guys like the same music as me" but it turns out his iPod was loaded up with 90's industrial and we were all like "sup man"
  • Honestly by the time DEFCON rolled around I was pretty much talked out, I only ended up going to a very small number of talks. "The Psychology of Security Unusability" was excellent but much too rushed
Hallway/bar track was the best. Met a ton of cool people, and probably (maybe?) justified the money my company spent to send me out there. Definitely looking forward to next year, though I may skip the training.

Friday, August 14, 2009

XSS-ing the user agent. Is there a point?

Still haven't gotten around to recapping the rest of BlackHat/DEFCON. It's still on the list. In the meantime...

I've been seeing a lot of this lately:
User-Agent: <script>window.location='http://somewhere'</script> (compatible; MSIE 7.0; ...etc etc)

I'm not sure if this is attacking a specific vulnerability, or just trolling for unknown XSS vulnerabilities. Doesn't seem like the most subtle way to do it in either case. Anyone know?

Tuesday, August 4, 2009

Post BlackHat/DEFCON

Unfortunately the blogging failed closed after Blackhat Part 1, as the network got a little too dangerous to start throwing my Blogger credentials across it.

I have a ton to write about, and it's going to take me several posts. In the meantime, DEFCON BEES