I think we both did that "oh crap, gotta warm up!" thing... I've hardly had any time to practice the past month or so, might have a rough go of it at lockcon. I'm sure I'll be in my hotel room at night with some practice locks.  We have our meet tonight, so hopefully I can get some time with the tools this eve.

I'm afraid to think what's in store AFTER DefCon... 

guessing there's a ways to go before someone hits 31337...

Throw a SSD in a standard MBP, and it'll consistently outperform the MBP with Retina display, because so much processing power is used to drive the new display.

Since we still use wired networks, live CD's (at least two extra things you'd have to carry in your bag), etc, I wouldn't recommend the MBP w/ RD for any pen tester. Keep in mind that the RAM in the RD is soldered to the board (no upgrades) and the SSD is totally proprietary (unlikely/limited upgrades). If you want to upgrade in the future, standard MBP is the only way to go.

For reasons already mentioned, I love OSX as a pen testing platform. You get the power of *nix under the hood, which will compile a fair amount of software natively, you can go fink or macports for a wider selection of *nix utils, and of course you can run a VM for windows, BT, or any other x86 OS you might want to run.

Kind of the best of all the worlds, and (will this spark a firestorm?) IMHO OSX is infinitely more stable than windows, and that to me is worth something.

Holy moley, I'm alive!  Sad to say, but I've been sucked in by twitter (and mega busy). @revrance if anyone is interested... Blame Shmoocon.

Anyway, just though I'd pop in to say I'll be in vegas for DC. I got to meet Eth3real and tturner at Shmoo. Eth3real and I kind of joined forces for a picking competition at Shmoo, parted ways, both started local locksport chapters, and we plan to rule Black Bag at Defcon!

I'm also going to be at LockCon the week before, and Derby in Sept. Let's toast!

Hear hear!  Although I still feel like an ass for throwing away those time bonus points, but I hate losing to technology! Ya know what our biggest issue was though?  No EH.net t-shirts.  We would have been the team to beat if we had those.  @ don

I also learned how to impression a key, here's the final result: http://www.youtube.com/watch?v=cd1aF75Jk4Q

Got to meet tturner as well. Many drinks were had!

If you haven't seen it yet, this was probably the most gasp-inspiring demo at the con (although, attacking proximity card access systems demo was very similar and frightening) http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

Unfortunately, like defcon, waaaay too much to see and do, but what I got crammed in was definitely worth it.

Good to meet those that made it, see whoever at the next con!  (Notacon? Thotcon? Hmmmm... (as my credit card screams in pain))

I have arrived!

Who's going?  Anyone want to get together for a`lil EH-net meetup?

I'm getting in to DC Wed afternoon, leaving monday eve.  Hoping to do a bit of sight seeing on thursday if the weather is nice (didn't get to do much during SANS).  Got a friend doing an 80's DJ night thing in Adams Morgan thurs night i might wander over to...

So, meet at the hotel? Go out for some adult beverages?  I dunno, I'm not a party planner.   

I think you just volunteered! 

Nice!  Kinda makes me miss networking...   

Congrats on the job offer!

If I may inquire, where did they "find" your resume?  I might like to be "found" sometime very soon. 

Sometimes the feedback from the command you run doesn't display to the screen, but will be in your source code, so after injecting your command, do a "view source" and see what you see.

Also, in some cases, you need to kajigger the command to force the feedback to the "screen", as some commands "hang" the input, and it's never returned to the browser.  At the moment, I can't remember what you have to append to the command... I can look it up later though.

"Writable" is a pretty generic term and can be interpreted many different ways.  They could be referring to directories, or "writing" to your SQL DB if you have one, it may also be a file injection vuln.

What bothers me most is your comment that they did it "off their own back"... They way you originally wrote that, it seems to me that this "company" did a pen test on your site without your permission, knowledge or consent.  True?

If true, they found an issue, and are now saying "we found something on your site, but we won't tell you until you pay us something."  True again?

If true again, this would be known as extortion (maybe something lesser, but extortion is such a sexy word).  At this point, you might want to get some legal people involved.  If whoever this is had wholesome pure intentions, they'd tell you want the problem was and not demand money.  If they pen tested your site without consent, you should have full legal precedence to go after them.  You might want to start collecting logs ASAFP in case you wind up in the middle of some legal action.  (of course, this doesn't solve your issue of finding out what the flaw is.  you may get that information from legal proceedings, or you may have to hire a legit pen tester to find it for you.  Or, you could just shell out the dough to whoever this is, but they may also be scamming you.  You pay them, then you never hear from them again, or they send you on a goose chase, and they get a nice pay day.)

If this is a company you hired to perform a pen test, a full report, including technical details on any flaws should be part of the package.  If you have to pay extra for data... you need someone that writes better engagement contracts. 

No worries   If the CTF falls through, I'll probably be spending a lot of time in LPV myself.  And the CTF will only last the entire conf if our team sucks.  I say we get in there, finish all the challenges the first day, then move on...

Wow... thanks everyone for the kind words!  You're the bestest! 


2 hr/75 question.  My first GIAC exam, so I cannot give a comparrison.

Tested yesterday.  It was harder than I thought, even with my books all tagged up.  You had your easy questions, then you had those that you could reference in the book, then there were numerous "logic" questions where you don't find a direct answer in the books.  Have to put all that knowledge together and actually come up with an answer.  The test engine screwed me out of three questions though.  Apparently, even if you have no answer selected, and you're mouse isn't on the "submit" button... if, say, one of your books accidentally hits the enter key on the keyboard... whoosh, you're on to your next question.  Beware of that!

Anyway, definitely one of the more difficult exams I've taken, but I give them thumbs up on making a test that isn't just about memorizing tool and googleable questions.  Why isn't "--help" ever a valid answer on those tool questions?