============================
| |
| Circle of HOPE |
| Day One |
| A GOPHER Blog from mnw |
|__________________________|
| |
| Talks I Went To |
| |
| 1. ATT&CK |
| 2. Internet Censorship |
| 3. Trade Secret Law |
| 4. Social Engineering |
| 5. Sex Worker (Rights ) |
| 6. FERPA ( Privacy ) |
| 7. Surveilance Mitigation|
|__________________________|
| Misc |
| |
| 8. Food |
| 9. Social |
| |
============================
-- ATT&CK --
Speaker Twitter Handles : @ckorbon and @its_a_failure_
Pen testing traditionally has a defending team trying to mitigate
exploits found by the attacking team. The problem that can develop
is that the defending team starts to adapt their defenses to the
attacking team and not the real-world attackers they are actually
trying to prepare for. It appeared to demonstrate something I have
seen out in the wild. Teams who are in the business just want things
to stay working, and when the security team wants to break something
the business tries to just roll with it or go around it.
ATT&CK is a knowledge base that contains what an attack is,
how to detect it, and how to mitigate it. It's a really amazing
piece of work. Initially it was Windows only, but Linux and macOS
versions have since been posted.
The URL is:
https://attack.mitre.org
Keywords that were useful in this talk:
Red Teaming, APT3, Adversary
I'm really not doing this talk justice, but I'm a little tired so
I think that's why I'm not being as clear. Check out that website.
It's an amazing library of security information.
Bonus message was: Reports are often written after the event and
so they can make assumptions. Be sure to look at why an adversary
might do something.
-- Internet Censorship Panel Discussion --
This talk and the ATT&CK talk were both really enjoyable.
The plan was for the panel to say what they're working on and
then take questions. The practical result was a round for what are
you working on, then a round on why did you get into this field,
and then closing thoughts. There were still questions.
The panel was Roya Ensafi, Sergey Frolov, Lex Gill, and Will Scott.
I wish I took better notes, but I was very much engrossed in the
discussion. Also during the first two talks I was seated near the
AV people and they kept talking really loudly. When they would shut
up people near me would start talking. It all settled down
eventually.
-- Trade Secret Law --
Speaker: Ed Ryan - Lawyer
* Trade secrets are a kind of IP; they have special properties.
-- Warrantless search and seizure
-- Laws currently not sufficient to protect IP owners.
* Differences between Trade Secrets and Patents
-- Main benefit is that trade secrets have no shelf life or
expiration date
-- Trade secrets are free
-- Patents are disclosed.
* Facts
-- Each state has its own trade secret law, and the federal
government has its own law
-- Except for NY most conform to the Federal
Defend Trade Secrets Act ( DTSA)
* Vocabulary Words
-- Damages - "unjust enrichment"; "Willful and
malicious" will get double
-- Actual Damages
- Losses caused
- Also includes unjust enrichment
-- Reasonable Royalty - Instead of Actual Damages the two companies
come to terms and establish a new ongoing relationship.
* Examples *
DeCSS
-- The EULA imposed a duty not to reverse engineer it.
-- Was not possible to sue in the USA because it was not a secret by the
time suit was brought.
-- Reverse engineering had happened in Norway.
-- Misappropriation : Civil; Improper means. "have reason to know" vs
"should have known"
Waymo v Uber
-- Waymo is an Alphabet company and a new company founded by old
employees was bought by Uber.
// Special Section // Civil Seizures
-- If the secret's disclosure can be prevented, it can be seized.
-- Has a very high bar.
-- This has only happened 5 times since 2016
-- Ex parte ( target doesn't get a say)
-- Seizure is necessary to prevent dissemination of the
secret.
-- Harm to the owner should outweigh the harm to the
target. It should also substantially outweigh harm to
3rd parties.
-- Must show likelihood of success, and target actually has the
secret.
-- Target can sue for damages if the seizure was improper.
Criminal Side of Things
* Economic Espionage Act
-- Must be used in or intended for use in interstate or foreign
commerce.
-- Must benefit someone other than the owner
-- The perpetrator should know that it will damage the owner.
-- Up to 10 years, if done for a foreign agent it's 15
Exemptions:
Reverse Engineering
-- Is not misappropriation
-- It isn't a trade secret if it's "readily ascertainable"
** There was a heckler in the first row, which was kind of novel.
-- Social Engineering --
* Speakers: Alex, Emmanuel, Kyle, ChesireCat
* Fun with phones: the hosts were going to try and demo against
three big corporations. Unfortunately the IVRs thwarted all attempts.
-- Verizon no dice
-- AT&T no luck
-- Spectrum also no luck
* Success Stories
Since the phone trip was so short, the panel members each shared
one of their successful social engineering stories.
-- First story was from Alex. The short version is that the phone
company sent out nasty letters to owners of 800 numbers
threatening disconnection unless they called a specific number.
When the speaker called he recognized that it was an AT&T brand
answering machine, the same one he had. His had a default password
of 10 to check messages. Sure enough, the phone company had not
changed the default.
He listened to several of the reply messages, and called them
back just messing with the other phreaks. He would then let them
know how to get into the answering machine too.
-- Second story was about a piece of old technology called the Audio
Distribution Network. This was before voicemail.
What you would do is call in and leave a voice recording. The
recording could then get sent to an extension, who would then
call in and pick up their messages using their own local access
number. It was popular with phreaks because many of the accounts
had never been or were rarely used. This meant that you could make
a local call and leave messages with all your phriends all over
the country. They were going to get busted, but one person in
their crew could hear touchtones. He wanted to delete a message
he'd sent the person. When he logged in they found that the user
had been making a deal with the feds, but hadn't contacted them
yet. Social engineering time as they then called and faked out
Special Agent Mark Hopper or Mark Lee Hopper, something like that.
-- The third person didn't have a story, but gave out some general
advice. Call back over and over to collect target-specific understanding
and so that you can pick up the jargon.
-- The final story was about a cool job on the Telex network. The
government or users would complain about phreaks getting on the
network, but AT&T says that's impossible, they're totally different
networks. They weren't, of course, and this led to our cool story.
There were a few unused exchanges that were being routed out to the
Telex network. You could get in by dialing the exchange, 2600'ing
out, and then plopping the phone on an old modem. Type away and it'd
show up on a terminal somewhere out in the ocean.
It was good fun, and no one got hurt or figured it out.
* Phone Demo Attempt 2
-- Hotel restaurant, to see if we could get a free tour of their
basement or sub basement.
-- Manager was out of town.
-- Foiled because social engineering works best when done in person;
when done over voicemail it requires a much more sophisticated attack.
* DNC (Do Not Call) Registry Attempt
-- Call someone from the DNC registry since you know
that they don't want to be contacted.
-- The pay off is that they get confirmed on the registry.
-- Target answered, and then said something unintelligible
and hung up.
* Gmail Support Line Attempt
-- Gmail help phone number.
-- Disconnected by poor phone line quality.
-- Sex Worker Rights --
* Mayhem
This talk was very full, and as a result I couldn't take notes
during the talk. Here's what I can remember
-- In the United States death rates for sex workers are over twice
that of the next most dangerous job, lumberjacks.
-- The United States is using its power and influence around the
world to push the approach of Ending Demand for sex work.
-- There was a distinction made between decriminalization and
legalization.
- Legalization: Heavily regulated. Case study was in Nevada.
Keeps most of the bad stuff, and gets rid of the good stuff.
- Decriminalization: Removes all prostitution laws from the books.
This leaves workers in control. It's the preferred and endorsed
resolution.
-- The Nordic model has been pushed for, which is a
decriminalization model, but the government is still very hostile
toward sex workers.
-- FERPA --
Family Educational Rights and Privacy Act
*Wikipedia*
The Family Educational Rights and Privacy Act of 1974 is a United
States federal law that governs the access of educational
information and records to public entities such as potential
employers, publicly funded educational institutions, and foreign
governments
You have a right to gain access to your records.
* Exercising Rights
-- You have to make a request.
-- What constitutes a request is vague but just has to be reasonable.
The example given was that even if you just wrote FERPA? on a napkin
that would be enough to argue that you were invoking your rights.
* Requirements
-- 45 days from the time of request. If that falls on a holiday or
weekend then it's the following business day.
-- Access to your documents is granted by the law, but the law says
access, not copy.
-- Freedom Of Information Act requests to public institutions are
possible once the privacy restriction is removed, and that's a way
to get a copy of your records.
-- Private institutions are much harder to deal with since FOIA isn't
applicable. Many institutions are against people making requests.
* Resistance
-- It's a hard and poorly trained topic for many educational
administrators.
-- It is seen as a hostile act by the administration.
-- Was not designed with the expectation that the schools would be
hostile.
-- Institution may not disclose all other groups that have your
records. They'll just give you the records they have. The example
was they may tell you we have the record of your attendance here
but we don't know who else has what records for you.
* Two Exemptions to FERPA
-- Terrorism Investigation
-- Grand Jury Subpoena
* Tips and Misc
Be sure that you ask for your FERPA access log. This will show you
if the school has disclosed your records to anyone, including law
enforcement.
FERPA gives you a right to a hearing if you want to dispute something
in your records. Some of the stipulations are vague, like a reasonable
time to comply.
You can amend or add to your record regardless of the outcome.
For more information the website is studentrecord.org
-- Surveillance Mitigation --
This was the last talk I attended.
The short version is that we need to decentralize. The longer
version had a few big key points.
-- IPv6 adoption is low, and it's put forward that it is because
scarcity of IPv4 addresses means new players can't join the game.
-- Government actors collect obscene amounts of data and aren't
planning on stopping.
-- Suggested solutions were to use software like:
- CJDNS, a peer-to-peer, end-to-end encrypted network protocol.
- IPFS, a distributed hash-based file system.
- Mesh Networks w/ Libre Router! Mesh networks don't use the
traditional TCP/IP stack, and now that there is a good commodity
router we should try and focus on that.
-- Food! --
Breakfast: Bacon Egg Cheese sandwich from a truck with a cup of
coffee, 5 bucks. The coffee was so lava hot that I couldn't drink it
before I went to the conference.
Lunch: 2 slices and a can of soda deal, 4 dollars. Was really good,
and no I'm not saying what side street it was on because I can't
remember.
Dinner: Halal, combo over rice, 7 dollars. The guy gave me a banana
for free but I tipped him a dollar to say thanks. Was good, but not
as good as the Halal Bros back home.
I had about 3 Club Mates today. It's a good drink, but much like
most drinks I've had up here, they just don't keep drinks super
cold. I think it's just because, off a truck or a cart, it's sitting
in an ice chest. I'm not 100 percent sure. I really do love the
readily available inexpensive food options. I'm going to miss a
24 hour deli around the block.
I gave a club mate to someone today and they were really grateful.
Was a very positive experience to help someone out.
-- Socialization --
I got to meet someone who I've known online a long time. NYBill
over on mastodon and I were friends back during the days that the
awesome Linux Outlaws podcast was still going strong. It was really
pleasant to meet him and get to talk. We shared a beer across the
street and now I owe him one.
I don't have a microphone, but I'm hoping that I can do my AnonRadio
show tomorrow as scheduled. Stay tuned to mastodon.sdf.org to find
out.