I got down to the conference a little late. I missed the morning sessions and headed straight over to the hacker arcade and lockpick village before the lunch crowd. I’m glad that I did.
I got about an hour of audio and permission to use it from Deviant Ollam and Mouse. Deviant did a series of quick-hit presentations on a variety of different locks and on handcuffs. Mouse gave some great, more one-on-one, suggestions for how to get started learning to lock pick in earnest. I got a little time with some of the training locks they had set out and managed to open the one, two and three pin locks.
Dan Kaminsky’s talk was intriguing if a bit more abstract. I had encountered context-free grammars before in the arena of compression, so wasn’t particularly surprised by his discussion of them. He ranged from discussions of the limits of human memory and recognition and how this constrains the security of passwords and correctly identifying bad hashes to new ways of visualizing files, other than the traditional hex listing, for a variety of purposes. Good stuff, plenty of Shmoo balls and beer involved.
The last session I caught before heading out was Chris Paget’s on subverting WPAD. WPAD is the protocol for HTTP proxy auto-discovery and configuration. He had a demo that was pretty clear on the ease and impact of this flaw. The good news is that there is a Microsoft Knowledge Base article out or forthcoming on securing against this problem.