I recently had the pleasure of being invited by Dhillon to present at HackInTheBox (HiTB) Dubai with Billy Rios on our "Cross Domain Leakiness" work. Here is a link to our updated slides:
http://docs.google.com/Presentation?id=dfgb2455_72fkwc2phc
It was a very productive conference, all told. The sort of conference where new attacks materialise over breakfast conversations. In terms of new and pending material, I'll do separate posts regarding:
- My latest E4X cross-domain theft attack (building on the work of my colleagues Filipe and Michal)
- A new "divided login" attack (Billy and I having fun over breakfast)
- JDK GIFAR fix considered incomplete
- A new cross-browser cross-domain theft
There was also a very interesting (and perhaps overdue) theme running throughout the conference. It was best put in words during Mark Curphey's keynote address: "builders vs. breakers". My summary of this is that the industry has too many breakers and not enough builders. Builders have the maturity to step back from the world of random bugs and glitzy hacks, and move the state of security forward. But the economics of the security industry often selects for breakers: the 17-year-old kid who finds an XSS in Twitter gets all the press attention; conferences are full of talks about one-off hacks and breaking technologies because the "let's fix it" talks are not showy enough; opinionated and technically lacking blogs and advisories seem to be favoured sources of information.
I'm going to be thinking about contributing more to the building side.
Excellent post! The world has far too many people throwing bricks through windows and not enough smart window breakers helping design the next generation of windows.
Werd!