My colleague Adam Kujawa recently wrote a great post about the Malwarebytes experience at the hacker convention DefCon this year.
By popular demand, here's a round-up of my top four favorite DefCon talks from a development perspective:
1. “Stiltwalker”, by “DC949” (http://www.dc949.org/projects/stiltwalker)
I am sure everyone is familiar with reCAPTCHA. You have likely wasted hours of your life (in the aggregate) on it. The basic idea is that there are tasks (image or audio recognition of words or letters) that a machine cannot do reliably (usually!) but that are very easy for humans, so performance on these tasks can distinguish a real person from a machine, like a bot on a forum or message board. The Stiltwalker talk was about a machine-learning attack on audio CAPTCHA: the speakers found that they could train a neural net to “beat” it using not much more than a few basic background-subtraction tricks. Depending on the precise implementation of CAPTCHA they tested, they could get 60-99% accuracy. This is easily enough to consider the system “broken.” Really cool! Actually, I notice it's already up on Wikipedia: http://en.wikipedia.org/wiki/ReCAPTCHA#Security
2. “Hammer: Smashing Binary Formats into Bits” by Meredith Patterson and Dan “TQ” Hirsch
The lead-in to this talk was something to the effect of “have you ever used parser generators like Yacc or Bison? Don't you hate them? Here's something better.” Patterson and Hirsch then launched into an argument for “language-theoretic security” (basically, how virtually every parsing-bug-turned-security-flaw could be obviated with intuitive, robust parsing – think along the lines of SQL injection). See http://www.cs.dartmouth.edu/~sergey/langsec. Then they showed a parsing library they have written called “Hammer” (https://github.com/UpstandingHackers/hammer), which has, quite honestly, the prettiest syntax I've ever seen in a parsing library. I really want to find some time to play around with it.
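To make the language-theoretic idea concrete, here is an added example (not from the talk and not Hammer's API) of a recognizer that accepts or rejects a whole binary message against its grammar before any field is used. The toy format and all function names are assumptions made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy format (an assumption for this example, not from the talk):
 *   message := count:u8 record{count} <end of input>
 *   record  := tag:u8 len:u8 value:u8{len}      tag is 0x01 or 0x02
 */
typedef struct { const uint8_t *p; size_t left; } input_t;

/* Primitive: consume one byte, failing if none remain. */
static int take_u8(input_t *in, uint8_t *out) {
    if (in->left == 0) return 0;
    *out = *in->p++;
    in->left--;
    return 1;
}

/* Primitive: consume exactly n bytes, failing if fewer remain. */
static int take_bytes(input_t *in, size_t n) {
    if (n > in->left) return 0;   /* a length field never moves us past the end */
    in->p += n;
    in->left -= n;
    return 1;
}

static int record(input_t *in) {
    uint8_t tag, len;
    if (!take_u8(in, &tag) || (tag != 0x01 && tag != 0x02)) return 0;
    if (!take_u8(in, &len)) return 0;
    return take_bytes(in, len);
}

/* Returns the record count if buf is a valid message, or -1 otherwise.
 * Nothing downstream should touch buf unless this succeeds. */
int recognize_message(const uint8_t *buf, size_t n) {
    input_t in = { buf, n };
    uint8_t count;
    if (!take_u8(&in, &count)) return -1;
    for (unsigned i = 0; i < count; i++)
        if (!record(&in)) return -1;
    return in.left == 0 ? (int)count : -1;   /* trailing bytes are an error */
}

int main(void) {
    const uint8_t ok[]  = { 2, 0x01, 2, 'h', 'i', 0x02, 0 };  /* constructed */
    const uint8_t bad[] = { 1, 0x01, 200, 'h', 'i' };         /* len overruns */
    printf("%d %d\n", recognize_message(ok, sizeof ok), recognize_message(bad, sizeof bad));
    return 0;
}
```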