Disobey 2020 - Covid-19 edition

Pathetic topic. I know. But still, I decided to include Covid-19 in the topic. Just because I wanted to share that I'm donating some of my electricity (aka computing power) to the greater cause.

The Folding@Home project has some Covid-19 related projects where you can share your compute resources to fight Covid-19. Drug and virus related research is today really compute intensive, and thus also funding intensive. Having access to those high performance crunching machines requires quite a lot of funding, because it's not cheap.

In the last twenty or so years there have been projects where this number crunching has been divided and distributed to smaller computers around the globe. Seti@Home has probably been the best known one, but they shut down the project a couple of weeks ago. In the late 90s or at the start of this century there was also some crypto related project where they tried to brute-force various encryption algorithms. I recall participating in that for some time. I think cracking RC4 was a big thing then, but I can be wrong....

So, here's the Reddit thread of this Covid-19 project. Unfortunately, because even this distributed number crunching requires quite a lot of central resources to generate working units for those client systems to mangle, they are having issues because of the enormous interest from geeks around the globe. In any case, I installed the software and will let it run for a while now.

Some rumors from the ircland:

"They do 4k WU (Work Units) per day normally. Right now they are at over 40k WU. The servers are literally physically melting. Some DCC donated 6 THOUSAND gpus and over 6 THOUSAND cpu cores to the project. Needless to say. The servers shit themselves."

Back to the actual topic, Disobey. Luckily it was a bit over a month ago, when they were still able to organize the whole thing. At the time of writing this blog post all bigger events have been canceled, the government is saying that if you really don't need to travel, do not travel, try to avoid malls where normally a huge amount of people are gathered, etc. It's interesting to see the final consequences for the global economy because of all the travel and gathering bans. It will be huge. Hopefully it's worth it.

The problem with these events is that there usually is too much to see. This year they had the main stage with presentations, and two workshops running in parallel. And of course the CTF challenge + various stands with their own cracking/penetration challenges. Oh, and even though some think nerds are antisocial, these events offer great possibilities for people to meet like-minded friends.

For a first timer this task seemed almost too big. I tried to plan my schedule before the event, but decided not to follow that through completely. Here's the list of what I finally was able to attend, and some comments.

Workshops:
  1. Identifying attack paths with BloodHound

    The problem with these workshops is that you need to somehow get the environment up and running for all participants. This was a big issue here. For some reason the provided VM didn't work with my Ubuntu VirtualBox installation. And when I tried to install everything manually, it took absolutely too long to get it working. Instructions were a bit "light".

    Otherwise BloodHound seems to be a great tool, and I just need to find time to investigate it more.
  2. Fun With Logs

    The same applies here as with the previous workshop. They tried to have their own WLAN with some server accessible onsite, but it crashed almost instantly. Finally we were able to get things up and running, and SpectX is a product I will investigate more in the (hopefully near) future.

    I had heard about the term log poisoning before, but I didn't fully understand what it was. Now I know. That was probably the biggest thing for me in this workshop.
  3. Leading your remediative Red Team

    A workshop for geeks where computers were "banned". I loved this! We had to plan our red teaming mission for a customer, and think how to approach the situation. What would be the most valuable assets, how to get to them, what kind of resources we would need, what team members we'd like to have, etc.

    Here you can see our personnel list. And thanks to our member from some government related organization, we also included the last four lines for this one week project. Funds well used!


Presentations:
  1. Keynote by Mikko Hyppönen

    Hyppönen is Hyppönen. Like with all highly visible persons, not all like his style. But I like it. And the keynote was good.

    Video link added 2020-04-19: https://www.youtube.com/watch?v=4YdopejYmck

  2. Let’s get physical

    I left early from the 'Fun with logs' workshop, and was able to hear the end of this presentation. It was one of the most interesting presentations I heard this year. At least some of the topics and concepts they provided.

    They described a way to circumvent Credential Guard without breaking it, so no need to find a security vulnerability in it. And the same issue affects all virtual machine based security. If you can find a suitable vulnerability in the host machine firmware, you may be able to jump from one VM to another. It's normal to update operating system + software, but quite many are forgetting to update drivers, BIOS and other firmware stuff. Not many hands were raised when they asked how many have checked their situation during the last month....

    Video link added 2020-04-27: https://www.youtube.com/watch?v=DXkd56WP_Oc

  3. Secure Elements and Disclosure

    This was a short introduction to the physical properties of secure elements used in different electronic gadgets to provide storage for security keys or computation resources for encryption/hashing/etc. Nothing really interesting from my point of view, but still it was quite fascinating to see those chips.

    A big problem with these chips is that manufacturers quite often require an NDA when providing the chips to you. So you can't publish anything you have done with those.

  4. Shooting ourselves in the foot with 15Gbps traffic - a DDoS primer

    You are breaking Finnish law when you launch a DoS attack against your own systems. But if you are not suing yourself and you won't cause issues to 3rd parties, no one will probably pursue the issue further. The speaker said that he still hesitated a bit when signing the actual "Let's proceed with the attack" paper....

    He described the whole process quite nicely, and how things proceed. And got quite big laughs with 'And then we found out one page, which was so poorly written, that you could crash it just by pressing F5 manually in your browser. Even I couldn't have done so poor stuff after many days of trying.'

    Perhaps the most important thing in this talk was that it's not an easy process to execute properly. There are many things to consider, starting from where to get the DDoS traffic. Just getting the traffic is not enough, you need to have monitoring and things in place.

    Video link added 2020-04-19: https://www.youtube.com/watch?v=vBMnjdcyP4w

  5. More than turbulence

    I'm not going to publish the dirty details of this talk, but something can be found here:
    https://www.csoonline.com/article/3451585/boeings-poor-information-security-posture-threatens-passenger-safety-national-security-researcher-s.html

    Even if you don't believe everything, there are still too many weird and problematic details and pieces. Boeing should know better. :/

    Ps. If you have a publicly available dev server, it's better not to connect it to the production data without proper authentication.....

    Video link added 2020-04-19: https://www.youtube.com/watch?v=xLKQlAytnAw

  6. Keynote by Jayson E Street

    Many really good thoughts, but perhaps a bit too long a rant. But I really agree with his statement that if you want to become a security professional, you need to have a genuine interest in this field, and you also need to invest your own time, not only wait for your employer to invest in you.

    Video link added 2020-04-19: https://www.youtube.com/watch?v=kQyBF89G3yE&feature=youtu.be

  7. Cybersecurity for business trips

    This is one talk I'd really, really like to see on YouTube. I missed the start and there were so many interesting details about how to secure your physical and computer stuff when travelling, so I can't even remember everything. :/

    If you have some good resources around this topic, please let me know!

The link to the 2020 videos (added 2020-04-19): https://www.youtube.com/playlist?list=PLLvAhAn5sGfiZKg9GTUzljNmuRupA8igX
