Just thought I’d post some quick summary notes regarding Kiwicon 2038AD, which has just finished its first day.

Scooters - Disrupting the Electric Scooter Market - Matthew Garrett

First talk was supposed to be Jessie Frazelle talking about Docker stuff, but she didn’t make it out of the US :(

- Reverse engineered the apps used by electric scooter companies such as Spin and Lime. Not a massive job, as they both offer Android apps which can be decompiled reasonably easily using something like jadx / apktool.
- Neither of these is in Brisbane yet, but he suspects Lime is coming (because he was able to find active Lime scooters in Brisbane using their API).
- Lime scooters report their location so that the service can show people where hireable scooters are. In-use scooters disappear from the map, so you can’t see where people are riding.
- The API also allows you to query a specific 6-digit scooter ID. Scooter IDs run from 000000 to 999999, so the whole ID space can be brute forced reasonably quickly.
- Querying a specific scooter ID returns its exact location whether it’s in use or not, so the per-ID endpoint leaks exactly what the map hides: you can see where scooters ride to and from, potentially learning where somebody works/lives/visits/etc.
- Lime just raised over $400M USD of funding.

vmpklon - Creation of a VMProtect Clone - Jon Erickson (@2130706433)

Jon created a VMProtect clone by reverse engineering pieces of the VMProtect tooling. VMProtect is a tool that obfuscates/protects your application by translating its code into a custom bytecode and running that in an embedded VM, a bit like how Java’s JVM works.

Key takeaways:
- Software (of all kinds) gets more complex over time.
- Almost all software stands on the shoulders of its predecessors, e.g. if you understand the simpler Windows XP internals, you have a much better chance of getting your head around Windows 10 internals.
- There’s no better way to learn how something works than trying to write your own version of it.

Apathy and Arsenic - Attacus (@attacus_au)

Had a really solid comparison between the historical use of arsenic trioxide (aka. "inheritance powder") and the privacy issues that we’re facing today.
- Both are convenient, cheap, and produce some nice outcomes. Arsenic was a cheap ingredient in particular colouring pigments, in pesticides, and in cosmetics. Privacy-hostile tools/services are free*, are widely used, and provide services that people enjoy using.
- Both disproportionately affect[ed] people who are already disadvantaged. Arsenic was used in cheap wallpaper for colouring. The few privacy-conscious-ish devices/tools that don’t require a ponytail to operate are somewhat pricey (the iPhone is the only example I can think of…).
- Both seem[ed] difficult to get people to care about. People are indifferent because: “I’ve got nothing to hide!” / “I’m never going to be a target of things like that.”

How do we fight “peak indifference” (aka. “when the most people give the least fucks”)?
- Awareness: attempt to bring privacy education to the masses.
- Resistance: campaign for better laws; fact-check corporate spin/bullshit.
- Accessible alternatives: even if these start out pricey, they will trickle down.
- Time/patience: keep informing, even if it seems like things aren’t changing. Accept that not everyone will be on board, but do your best to make things better for them anyway. Don’t be afraid to care about things that are important, even if it makes you “uncool”.

Introducing “moriarty”, a smart contract audit tool - Caleb Anderson

- Created a tool to perform symbolic execution of Ethereum smart contracts in order to find money-making vulnerabilities.
- Systematically explores all execution paths of a smart contract, for the variables that matter.
- Smart contract bugs can cost a lot of money: $741M USD worth of ETH was taken through a smart contract vuln in the DAO, known as a “reentrancy attack”.
- The tool is able to check for money-making vulns, and even create a PoC exploit automatically.
- Not being released to the public, but he suggested he’s likely to provide it to individuals who ask nicely.

This one included a good amount of math-ey stuff that I didn’t understand very well, hence the heavily summarised version.

Feeding the Beast: Network Insurgency - Parks (@syngularity0)

- Related red teaming to the .mil F3EAD (Find, Fix, Finish, Exploit, Analyze, Disseminate) targeting methodology.
- Reinforced that recon/enumeration is key.

Lessons from game consoles and the coming security apocalypse - Boyd Multerer

- Boyd worked on the Xbox team at Microsoft until recently.
- He and his team were faced with the problem of trying to secure a system where the owners of the system were actively working against you in order to cheat or get free games.
- You are unable to trust local storage, buses, drives, registers, memory, or caches, as they are all susceptible to eavesdropping/manipulation if the attacker has physical access and enough money/time.
- An attack that costs a lot of money to develop can be funded by selling it as a product once it’s complete, e.g. the Xbox 360 Reset Glitch Hack.
- You need to assume that memory is compromised and that all data traversing buses has been leaked.
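The reentrancy bug class mentioned under moriarty above, as an added example that is not part of the talk, of moriarty, or of this write-up’s original notes: a Python model of a withdraw() that makes its external call before updating the caller’s balance, an attacker whose receive hook re-enters it, and the checks-effects-interactions ordering that closes the hole. The names (VulnerableVault, SafeVault, Attacker, max_depth, run_attack) are invented for the illustration, and max_depth stands in for the gas limit that eventually stops the recursion on a real chain.

```python
class Participant:
    """A passive account: receiving funds triggers no further calls."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker(Participant):
    """Its receive() hook re-enters withdraw() while the vault still believes
    the attacker's balance is unspent. max_depth stands in for the EVM gas
    limit (assumption for the model) that eventually stops the recursion."""

    def __init__(self, name, max_depth):
        super().__init__(name)
        self.max_depth = max_depth
        self.depth = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth and vault.total >= amount:
            self.depth += 1
            vault.withdraw(self)          # re-entrant call into the vault


class VulnerableVault:
    """Sends funds to the caller FIRST and zeroes its balance afterwards."""

    def __init__(self):
        self.balances = {}
        self.total = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.total < amount:
            raise RuntimeError("insufficient funds")  # a real chain would revert here
        # Interaction before effect: the callee runs while balances[who] still
        # reads `amount`, so a re-entrant withdraw() is paid out again.
        self.total -= amount
        who.receive(self, amount)
        self.balances[who] = 0


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: update state BEFORE the external call."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.total < amount:
            raise RuntimeError("insufficient funds")
        self.balances[who] = 0                 # effect first ...
        self.total -= amount
        who.receive(self, amount)              # ... so a re-entrant call sees 0 and returns


def run_attack(vault_cls, victim_deposit=10, attacker_deposit=1, max_depth=50):
    """Returns (what the attacker walked away with, what the attacker put in).
    Deposits are constructed sample values."""
    vault = vault_cls()
    victim = Participant("victim")
    attacker = Attacker("attacker", max_depth)
    vault.deposit(victim, victim_deposit)
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return attacker.received, attacker_deposit


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # (11, 1): the whole vault is drained
    print("safe:      ", run_attack(SafeVault))         # (1, 1): attacker only gets its own deposit
```

The model is deliberately small; the thing a symbolic executor like the one described above has to discover automatically is that the `who.receive(...)` call is an external call on an attacker-controlled path, and that `balances[who]` is still unchanged when control can come back into `withdraw()`.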
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale - Moloch (@littlejoetables) and Mandatory (@iammandatory)

- Burp Intruder is a tool to send a large number of customised HTTP requests quickly and present the results in an easy-to-read manner. It can be used to brute force logins or identifiers, or to fuzz web applications, but is limited by your local machine, your bandwidth, and the target’s rate limiting.
- lambda-intruder allows you to do the same thing extremely quickly (enough to DoS many servers without realising it…) and cheaply using Amazon services.
- Rainbow tables are pre-computed hash chains, used as an alternative to brute forcing/“cracking” password hashes by trading storage for cracking time. Rainbow tables are big (TBs and TBs)… Google BigQuery and other cloud services can help… big-rainbow.
- GPU password cracking is useful and pretty fast, but generates lots of heat and tends to cost a lot of money in GPUs, especially if you want to do it super fast. AWS comes in handy again… masscat is a tool which can utilise Amazon services to spin up servers/lambdas/spots with big GPU power to perform your password cracking quickly and cheaply…

Securing a World of Physically Capable Computers - Bruce Schneier

- Spoke about how the increasing complexity of computer systems increases their vulnerability.
- Computer systems are not just our computers, but our TVs, fridges, phones, DVRs, etc. All of these are getting more and more vulnerable, and we need to make changes to stop this.
- The free market does not care about security, because consumers do not care.

I got lost taking notes at this point, thinking about what he was talking about, and instead took a horrible quality audio recording of the remainder, which I’ve linked here.
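The rainbow tables from the Buzzwords talk above, as an added example that is not a tool from the talk and has nothing to do with big-rainbow or masscat: a toy rainbow table in Python over three-letter lowercase passwords hashed with unsalted SHA-1. It shows the chain build that stores only end points, the column-indexed reduction that gives the technique its name, and the lookup with false-alarm rejection. Every name in it (build_table, lookup, chain_element, reduce_to_password, the 7919 start-point stride) is invented for the illustration; the password space is kept tiny so it runs in well under a second.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords (toy-sized on purpose)
CHAIN_LEN = 20                    # hash/reduce steps per chain


def h(password: str) -> bytes:
    """Unsalted SHA-1. Precomputation only pays off because the same input
    always hashes to the same digest; a per-user salt breaks that assumption."""
    return hashlib.sha1(password.encode()).digest()


def index_to_password(n: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a digest back into the password space. Mixing in the column index is
    what makes this a *rainbow* table rather than plain Hellman chains: two
    chains that collide in different columns no longer merge."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % SPACE)


def chain_element(start: str, k: int) -> str:
    """k-th password on the chain beginning at `start` (k = 0 is the start itself)."""
    pw = start
    for col in range(k):
        pw = reduce_to_password(h(pw), col)
    return pw


def build_table(num_chains: int) -> dict:
    """Precompute chains but keep only end -> [start, ...]; everything in between
    is recomputed on demand. That is the storage/time trade-off."""
    table = {}
    for i in range(num_chains):
        # 7919 is prime, so the start points are distinct and spread over the space
        start = index_to_password((i * 7919) % SPACE)
        table.setdefault(chain_element(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return the preimage of `target` if some chain passes through it, else None."""
    # Guess that the preimage sat in column k, finish the chain from there, and
    # check whether the resulting end point is one we stored.
    for k in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_password(target, k)
        for col in range(k + 1, CHAIN_LEN):
            pw = reduce_to_password(h(pw), col)
        for start in table.get(pw, []):
            candidate = chain_element(start, k)
            if h(candidate) == target:       # rejects false alarms caused by chain merges
                return candidate
    return None


def coverage(table: dict) -> float:
    """Fraction of the password space whose hashes this table can actually crack."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for col in range(CHAIN_LEN):
                seen.add(pw)
                pw = reduce_to_password(h(pw), col)
    return len(seen) / SPACE


if __name__ == "__main__":
    table = build_table(2000)   # 2000 chains x 20 columns = 40k hashes, computed once
    print(f"stored end points: {len(table)}, coverage: {coverage(table):.0%}")
    for pw in ("aaa", "kiw", "zzz"):
        print(pw, "->", lookup(table, h(pw)))
```

The numbers show the trade-off the talk was getting at: 2000 stored end points stand in for about 40k precomputed hashes, and each lookup costs on the order of CHAIN_LEN²/2 hash operations instead of a full brute force of the space. Scaled to real keyspaces and hash lengths, that is why the tables run to terabytes. A per-user salt defeats the approach outright, since every distinct salt would need its own table.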
If you’re around, and you recognise me (I’m wearing a black t-shirt and sunglasses…), say hi!