=============================
|                           |
|      Circle of HOPE       |
|          Day One          |
|  A GOPHER Blog from mnw   |
|___________________________|
|                           |
|      Talks I Went To      |
|                           |
| 1. ATT&CK                 |
| 2. Internet Censorship    |
| 3. Trade Secret Law       |
| 4. Social Engineering     |
| 5. Sex Worker ( Rights )  |
| 6. FERPA ( Privacy )      |
| 7. Surveillance Mitigation|
|___________________________|
| Misc                      |
|                           |
| 8. Food                   |
| 9. Social                 |
|                           |
=============================

-- ATT&CK --

Speaker Twitter Handles : @ckorbon and @its_a_failure_

Pen testing traditionally has a defending team trying to mitigate exploits found by the attacking team. The problem that can develop is that the defending team starts to adapt their defenses to the attacking team and not the real world attackers they are actually trying to prepare for. It appeared to demonstrate something I have seen out in the wild. Teams who are in the business just want things to stay working, and when the security team wants to break something the business tries to just roll with it or go around it.

ATT&CK is a knowledge base that contains what an attack is, how to detect it, and how to mitigate it. It's a really amazing piece of work. Initially it was Windows only, but it has since had Linux and macOS versions posted. The URL is : https://attack.mitre.org

Keywords that were useful in this talk :
  Red Teaming
  APT3
  Adversary

I'm really not doing this talk justice, but I'm a little tired so I think that's why I'm not being as clear. Check out that website. It's an amazing library of security information.

Bonus message was : Reports are often written after the event and so they can make assumptions. Be sure to look at why an adversary might do something.

-- Internet Censorship Panel Discussion --

This talk and the ATT&CK talk were both really enjoyable. The talk was going to be the panel saying what they're working on and then questions.
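Back to the ATT&CK talk for a moment: the knowledge base links an adversary group such as APT3 to the techniques it uses, and each technique to its platforms, detection notes and mitigations. The Python below is an added example, not code from the talk or from MITRE, that walks those links over a small constructed ATT&CK-style bundle and filters by platform now that Linux and macOS are covered; T9999, T9998, M9999 and the object ids are placeholders, not real ATT&CK entries.

```python
import json

# Constructed minimal ATT&CK-style STIX 2 bundle: sample data, not real ATT&CK
# content (T9999, T9998, M9999 and the object ids are placeholders). Real ATT&CK
# uses the same object types and fields: attack-pattern with x_mitre_detection and
# x_mitre_platforms, course-of-action, intrusion-set, "uses"/"mitigates" relationships.
SAMPLE_BUNDLE = json.loads("""{"type": "bundle", "objects": [
 {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Sample Technique",
  "x_mitre_platforms": ["Windows", "Linux", "macOS"],
  "x_mitre_detection": "Monitor endpoint logs for the sample event.",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
 {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Windows-only Technique",
  "x_mitre_platforms": ["Windows"], "x_mitre_detection": "Watch for the other event.",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T9998"}]},
 {"type": "course-of-action", "id": "course-of-action--1", "name": "Sample Mitigation",
  "external_references": [{"source_name": "mitre-attack", "external_id": "M9999"}]},
 {"type": "intrusion-set", "id": "intrusion-set--1", "name": "APT3"},
 {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--1"},
 {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--2"},
 {"type": "relationship", "relationship_type": "mitigates", "source_ref": "course-of-action--1", "target_ref": "attack-pattern--1"}]}""")

def attack_id(obj):
    """ATT&CK external id (T..., M..., G...) from a STIX object's references."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def techniques_for_group(bundle, group_name, platform=None):
    """Walk group -uses-> technique <-mitigates- mitigation and return one dict
    per technique the group uses (id, name, platforms, detection, mitigations).
    If platform is given, techniques not catalogued for that platform are skipped."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    group_ids = {o["id"] for o in bundle["objects"]
                 if o["type"] == "intrusion-set" and o["name"] == group_name}
    mitig = {}  # technique STIX id -> list of mitigation ATT&CK ids
    for r in rels:
        if r["relationship_type"] == "mitigates":
            mitig.setdefault(r["target_ref"], []).append(attack_id(by_id[r["source_ref"]]))
    out = []
    for r in rels:
        if r["relationship_type"] != "uses" or r["source_ref"] not in group_ids:
            continue
        tech = by_id[r["target_ref"]]
        plats = tech.get("x_mitre_platforms", [])
        if tech["type"] != "attack-pattern" or (platform and platform not in plats):
            continue
        out.append({"id": attack_id(tech), "name": tech["name"], "platforms": plats,
                    "detection": tech.get("x_mitre_detection", ""),
                    "mitigations": sorted(mitig.get(tech["id"], []))})
    return out
```

The same walk works unchanged on the real enterprise-attack JSON bundle published by MITRE, which is how a blue team turns "APT3" into a concrete list of things to monitor and harden.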
The practical result was a round for what are you working on, then a round on why did you get into this field, and then closing thoughts. There were still questions.

The panel was Roya Ensafi, Sergey Frolov, Lex Gill, and Will Scott.

I wish I took better notes, but I was very much engrossed in the discussion. Also during the first two talks I was seated near the AV people and they kept talking really loudly. When they would shut up people near me would start talking. It all settled down eventually.

-- Trade Secret Law --

Speaker: Ed Ryan - Lawyer

* Trade secrets are a kind of IP; they have special properties.
  -- Warrantless search and seizure
  -- Laws currently not sufficient to protect IP owners.

* Diff between Trade Secrets and Patents
  -- Main benefit is that trade secrets have no shelf life or expiration date
  -- Trade secrets are free
  -- Patents are disclosed.

* Facts
  -- Each state has its own trade secret law, and the fed govt has its own law
  -- Except for NY most conform to the Federal Defend Trade Secrets Act ( DTSA )

* Vocabulary Words
  -- Damages - "unjust enrichment"; "willful and malicious" will get double
  -- Actual Damages - Losses caused - Also includes unjust enrichment
  -- Reasonable Royalty - Instead of Actual Damages the two companies come to terms and establish a new ongoing relationship.

* Examples

  * DeCSS
    -- EULA imposed a duty not to reverse engineer it.
    -- Was not possible to sue in the USA because it was not a secret by the time suit was brought.
    -- Reverse engineering had happened in Norway.
    -- Misappropriation : Civil; improper means. "have reason to know" vs "should have known"

  * Waymo v Uber
    -- Waymo is an Alphabet company, and a new company founded by old employees was bought by Uber.

// Special Section //

Civil Seizures
  -- If the secret's disclosure can be prevented, it can be seized.
  -- Has a very high bar.
  -- This has only happened 5 times since 2016
  -- Ex parte ( target doesn't get a say )
  -- Seizure is necessary to prevent dissemination of the secret.
  -- Harm to the owner should outweigh the harm to the target. Also should substantially outweigh harm to 3rd parties.
  -- Must show likelihood of success, and that the target actually has the secret.
  -- Target can sue for damages if the seizure was improper.

Criminal Side of Things

* Economic Espionage Act
  -- Must be used in or intended for use in interstate or foreign commerce.
  -- Must benefit someone other than the owner
  -- The perpetrator should know that it will damage the owner.
  -- Up to 10 years; if done for a foreign agent it's 15

Exemptions: Reverse Engineering
  -- Is not misappropriation
  -- It isn't a trade secret if it's "readily ascertainable"

** There was a heckler in the first row, which was kind of novel.

-- Social Engineering --

* Speakers: Alex, Emmanuel, Kyle, ChesireCat

* Fun with phones: the hosts were going to try and demo against three big corporations. Unfortunately the IVRs thwarted all attempts.
  -- Verizon no dice
  -- AT&T no luck
  -- Spectrum also no luck

Success Stories

Since the phone trip was so short, each panelist shared one of their successful social engineering stories.

-- First story was from Alex. The short version is that the phone company sent out nasty letters to owners of 800 numbers threatening disconnection unless they called a specific number. When the speaker called he recognized that it was an AT&T brand answering machine, the same one he had. His had a default password of 10 to check messages. Sure enough the phone company had not changed the default. He listened to several of the reply messages, and called them back just messing with them. He would then let them know how to get into the answering machine too.

-- Second story was about a piece of old technology called the Audio Distribution Network. This was before voicemail. What you would do is call in and leave a voice recording.
The recording could then get sent to an extension, who would then call in and pick up their messages by calling their own local access number. It was popular with phreaks because many of the accounts had never been or were rarely used. This meant that you could make a local call and leave messages with all your phriends all over the country. They were going to get busted, but one person in their crew could hear touchtones. He wanted to delete a message he'd sent the person. When he logged in they found that the user had been making a deal with the feds, but hadn't contacted them yet. Social engineering time, as they then called and faked out Special Agent Mark Hopper or Mark Lee Hopper, something like that.

-- Third person didn't have a story, but gave out some general advice. Call back over and over to collect target specific understanding and so that you can pick up the jargon.

-- The final story was about a cool job on the Telex network. The government or users would complain about phreaks getting on the network, but AT&T said that's impossible, they're totally different networks. They weren't of course, and this led to our cool story. There were a few unused exchanges that were being routed out to the Telex network. You could get in by dialing the exchange, 2600'd out and then plopping the phone on an old modem. Type away and it'd show up on a terminal somewhere out in the ocean. It was good fun, and no one got hurt or figured it out.

* Phone Demo Attempt 2
  -- Hotel restaurant, to see if we could get a free tour of their basement or sub basement.
  -- Manager was out of town.
  -- Foiled because engineering works best when done in person, and when done over voicemail it requires a much more sophisticated attack.

* DNC Registry Attempt
  -- Call someone from the DNC since you know that they don't want to be contacted.
  -- The pay off is that they get confirmed on the registry.
  -- Target answered, and then said something unintelligible and hung up.
* Gmail Support Line Attempt
  -- Gmail help phone number.
  -- Disconnected by poor phone line quality.

-- Sex Worker Rights --

* Mayhem

This talk was very full, and as a result I couldn't take notes during the talk. Here's what I can remember:

- In the United States death rates for sex workers are over twice that of the next most dangerous job, lumberjacks.
- The United States is using its power and influence around the world to push the approach of Ending Demand for sex work.
- There was a distinction made between decriminalization and legalization.
  - Legalization : Heavily regulated. Case study was in Nevada. Keeps most of the bad stuff, and gets rid of the good stuff.
  - Decriminalization : Removes all prostitution laws from the books. This leaves workers in control. It's the preferred and endorsed resolution.
- The Nordic model has been pushed for, which is a decriminalization model, but the government is still very hostile toward sex workers.

-- FERPA --

Federal Educational Privacy Act

*Wikipedia* The Family Educational Rights and Privacy Act of 1974 is a United States federal law that governs the access of educational information and records to public entities such as potential employers, publicly funded educational institutions, and foreign governments.

You have a right to gain access to your records.

* Exercising Rights
  -- You have to make a request.
  -- What constitutes a request is vague, but it just has to be reasonable. The example given was that even if you just wrote FERPA? on a napkin that would be enough to argue that you were invoking your rights.

* Requirements
  -- 45 Days from the time of request. If that is on a holiday or weekend then it's the following business day.
  -- Access to your documents is granted by the law, but the law says access, not copy.
  -- Freedom Of Information Act requests from public institutions are possible when the privacy restriction is removed, and that's a way to get a copy of your records.
  -- Private institutions are much harder to deal with since FOIA isn't applicable. Many institutions are against people making requests.

* Resistance
  -- It's a hard and poorly trained topic for many educational administrators.
  -- It is seen as a hostile act by the administration.
  -- Was not designed with the expectation that the schools would be hostile
  -- Institution may not disclose all other groups that have your records. They'll just give you the records they have. The example was they may tell you we have the record of your attendance here but we don't know who else has what records for you.

* Two Exemptions to FERPA
  -- Terrorism Investigation
  -- Grand Jury Subpoena

* Tips and Misc
  Be sure that you ask for your FERPA access log. This will show you if the school has disclosed your records to anyone including law enforcement.
  FERPA gives you a right to a hearing if you want to dispute something in your records. Some of the stipulations are vague, like a reasonable time to comply. You can amend or add to your record regardless of the outcome.
  For more information the website is studentrecord.org

-- Surveillance Mitigation --

This was the last talk I attended. The short version is that we need to decentralize. The longer version had a few big key points.
  -- IPv6 adoption is low, and it's put forward that it is because scarcity of IPv4 addresses means new players can't join the game.
  -- Government actors collect obscene amounts of data and aren't planning on stopping.
  -- Suggested solutions were to use software like:
     - CJDNS, a peer to peer end to end encrypted DNS protocol.
     - IPFS, a distributed hash based file system.
     - Mesh Networks w/ Libre Router! Mesh networks don't use the traditional TCP/IP stack, and now that there is a good commodity router we should try and focus on that.

-- Food! --

Breakfast: Bacon Egg Cheese sandwich from a truck with a cup of coffee, 5 bucks. The coffee was so lava hot that I couldn't drink it before I went to the conference.
Lunch: 2 Slices and a can of soda deal, 4 dollars. Was really good, and no I'm not saying what side street it was on because I can't remember.

Dinner: Halal, combo over rice. 7 dollars; the guy gave me a banana for free but I tipped him a dollar to say thanks. Was good, but not as good as the Halal Bros back home.

I had about 3 Club Mates today. It's a good drink, but much like most drinks I've had up here they just don't keep drinks super cold. I think it's just because, off a truck or a cart, it's sitting in an ice chest. I'm not 100 percent.

I really do love the readily available inexpensive food options. I'm going to miss a 24 hour deli around the block.

I gave a Club Mate to someone today and they were really grateful. Was a very positive experience to help someone out.

-- Socialization --

I got to meet someone who I've known online a long time. NYBill over on mastodon and I were friends back during the days that the awesome Linux Outlaws podcast was still going strong. It was really pleasant to meet him and get to talk. We shared a beer across the street and now I owe him one.

I don't have a microphone, but I'm hoping that I can do my AnonRadio show tomorrow as scheduled. Stay tuned to mastodon.sdf.org to find out.