So, I’m back and now have some time to write about my travel in two amazing security conferences:
Hack in the Box in Dubai and Troopers in Munich

Both conferences are really well organized and with an amazing content! (I’ll not give my opinion about the each talk, mainly because I have not paid enough attention in important talks).

In HITB the after-conference party was sponsored by Argeniss and was in a boat - amazing drinks and view around Dubai Marina… In troopers we went to a typical Germany
place (old era) to eat an amazing meat (pay attention, please… I’m Brazilian and I’m saying it’s an AMAZING meat over there), sponsored by ERNW.

Back to conference content, in both conferences I had enough time to exchange ideas with attendees and speakers… Troopers received a lot of system administrators from
companies around Germany, which was important to me to better understand the security ideas they have in Germany. Also, some legal discussions about the new laws in this
country (I’m better informed now).

HITB Dubai this year was bigger then in the past year, but the CTF game was not so funny (there is no money involved, hehehehe)… Our team at Scanit (Oger Systems R&D Lab) won
(to be honest, Chaitanya Sharma from Scanit India passed the Zone-h web challenges steps and Julio Auto the reverse engineering steps - I just gave a lucky hint in the latest one - a off-by-a-few overwrite).

Lots of well known names went to Dubai this year, just to tell some: Skyper, Cesar Cerrudo, Alexander Kornbrust, Raoul Chiesa, pdp…

Troopers surprised me!! Really… It’s a new conference, but lots of important guys went there: Alexander Kornbrust, Andrew Cushman, Dan Berstein, Raoul Chiesa, Ariel Waissbein…

Anyway, now I’m back to Brazil (yeah, I left Scanit) to work @Check Point… good luck to me, hope to see you guys in some conference (why not Hackers 2 Hackers Conference in Brazil? - http://www.h2hc.org.br).

So, it’s time to another blog entry, another idiot/dumb post…

http://www.securityfocus.com/archive/1/451637/30/0/threaded

And for sure DragonFlyBSD and TrustedBSD* are also affected for this issue… why?

The bug occur because bsd developers does not know how integer convertion is done? Or just because you have copy and paste the bug from another BSD to yours? It’s always a problem when you copy code from another location. How secure is that code? What is the historical security problems it has? Let’s audit it!
Congratulations to you, OpenBSD guys, who simply don’t support things you don’t audit… why someone wanna use firewire? hehehe . Yeah! Is pretty easy talk about the problems, but, how I can help to solve it? I really dunno… In my mind, you need to understand the code you are copying, but, for god, please, copy it

Cya,

Rodrigo Rubira Branco (BSDaemon).

A lot of discussion has been done worldwide about the disclousure (or not) of new information systems vulnerabilities.

First we have people who like full-disclousure (bug-details, including how to explore it and an exploit for it), in the other hand, who doesn’t agree on the vulnerability disclousure (need the disclousure of patches, not the details of what bug it corrects).

This kind of idea facilitates the attackers’ sucess (they just need to verify the differences between a system and the patched version of this system, using bindiff tools to help in this process). The users, who don’t need to really update systems (just update when a security flaw exists not just because an update exist) can’t know when is secure not update the system (so, let’s sell more systems…).

My first blog entry does not try to discuss it, but discuss this position:

“The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum”

Interesting to see this kind of answer for a security problem in the system, mainly when the bug can be exploited (yeah, it can be exploited).

But, local denial of service is not a problem? Hum, sorry for hosting companies who uses FreeBSD!!

Cya,

Rodrigo Rubira Branco (BSDaemon).