My Black Hat Talk

Fri, 01 Aug 2008 13:23:39 GMT
by pdp

I will give you a heads-up on what to expect from my Black Hat talk. If you are interested, you might want to attend. I prefer a smaller but active audience. And of course I expect some interesting conversations after the talk, if you are still awake, of course.

My talk is on client-side security issues. In fact, it is titled "Client-side Security" and I must confess I made a horrible decision when choosing this title. It does not fit the talk that much, although the fact is that I am talking about a lot of client-side security problems and even some which affect the server side due to problems on the client side. It is twisted!

During the talk, I am planning to take the audience through some vulnerability disclosures which I've been personally involved with. My Black Hat talk in Amsterdam included too many vulnerabilities for an hour-long debrief. This time I will reduce the number, concentrating only on the most important ones.

That said, I will give the details of the QuickTime vulnerability which I found not that long ago and which affected Vista, XP and even MacOS. The issue is interesting and it deserves some attention. I will make the details public on the site after the talk.

I am also planning to talk a bit about vulnerabilities which I've found within Java's VM and which I haven't disclosed yet. I might need to omit some of the facts, but in general it will be a nice, informative sub-section of the entire presentation. Java has lots of issues and I believe that there will be some other talks during Black Hat which cover more in-depth techniques based on some of the research I presented at Black Hat Amsterdam, such as the JPG + JAR evil combo. If you are interested in client-side security issues, you might want to attend these talks too.

I will cover all other issues from my previous talk, but briefly, and I am planning to put some time into the "4th Generation of Backdoors" part, which didn't receive much attention at the past conference due to lack of time. In general, some parts will be shrunk and others will be extended.

The reason "Client-side Security" is inappropriate as a title is that a lot of the issues I am covering are design problems. Some of them cannot be easily fixed; others, although fixable, are hacks. Perhaps I should have called the talk "Design Bugs" or something along these lines. Or maybe even "How to find killer bugs without trying!". That would fit my talk very well. Maybe I can use that for another talk.

So there you go. I promise to make the talk as interesting as possible. So if you want to learn something new and you would like to have some fun meanwhile, then this is the talk for the 13:45 to 15:00 slot on the first day. Lucky for me, there isn't anything that I find that interesting in the other tracks during the same time. No offense!

Archived Comments

oh, and mario has just contributed another 0day so this makes 3 0days in one talk.... damn... It is xmas in August.