Comment Re:Loss of revenue (Score 1) 176

I doubt this has been lost on the DefCon organizers. Presumably they think that they'd lose more attendance by moving to Europe than by having people who can't safely travel to the US just not come, or attend/present via videoconference or something. And I suspect that's probably true -- very few people (in my experience) go to DefCon or similar conferences on their own dime; you go on your employer's money. And getting your employer to comp you a few hundred bucks for a flight to Vegas and a shitty hotel room (Vegas hotel rooms are notoriously cheap) is a heck of a lot easier than getting a company to cough up for a transatlantic ticket, hotel in Europe, etc. As long as the majority of the attendees are in the US, this is where the conferences are going to be.

But coming here if you're involved in cybercrime is probably, uh, not a very smart idea. That Hutchins came at all suggests to me that he didn't know that the FBI was onto his alleged previous (pre-Wannacry) activities; the alternative is that he's dumb, and he doesn't seem dumb. (Though a fair number of very smart people are also arrogant and don't give other people credit for being able to figure things out, so that's also an option, I suppose.)

There is a legitimate question as to whether there should be some sort of cyber amnesty program, though, given the number of mostly-legitimate "security researchers" who have shady backgrounds but seem to have moved on from them. I've got some mixed feelings on that. On one hand, getting blackhats and their knowledge out into the open so vulns can be remediated and the network in general made more robust is a Good Thing. But I don't know if it outweighs the message it would send, which is that you can basically play Computer Mafioso when you're young and then retire to a nice, secure, respectable position as "security researcher" without the threat of your prior activities coming back to bite you. That's not really how things work in the non-IT world; if you spend your 20s working for the Mob, and then retire to a respectable profession, that respectability is unlikely to protect you from getting a knock on your door sometime later, depending on the statute of limitations, for stuff you did earlier. Might make a judge or jury go easier on you, but it's not an ironclad defense.

Comment Re:No good deed goes unpunished (Score 1) 176

I think it's more like "one good deed today doesn't get you off the hook for the bad deed you did last week".

In other words, if you're a blackhat who happens to take down another blackhat, that doesn't buy you a get-out-of-jail-free card that you can play when other things you may have done in the past surface.

Or at least, not to an extent that stops you from getting indicted. It might play pretty well in court if the whole thing actually goes to trial, I'd imagine. Can't hurt anyway.

Comment Re: All that predictor technology... (Score 1) 119

It is very rare for a company designing a new product to search the patent database for ideas to license, and equally rare for inventors to go out and market their inventions to established companies.

That's partly because if you did search for it, the other side can claim you found their patents, and thus your infringement was now "willful", which results in triple damages. Since you'll be sued either way, it's safer to go in blind. Tech companies specifically instruct their employees not to search for patents for this reason.

Comment Also in the US the good hackers are often legit (Score 1) 263

There are plenty of companies that pay good money for red team exercises, and even have their own red teams (Microsoft has a very highly rated one, for example). So if breaking into systems and networks is what interests you, you can do it legitimately, make good money doing it, and even get sponsored training doing it. SANS has a whole track of courses for red team training.

Thing is, you don't get called a hacker in popular media when you do that since the term "hacker" is used to mean someone breaking the law with computer related things. You are an Information Assurance/Information Security professional. Your skills are the same as what they call a hacker, even your methods, the difference is you have been hired.

Now combine that with the fact that the US has more functional law enforcement than Russia and does at least make some attempt to squash cyber crime and is it any surprise we don't see as many in the US?

Comment Re: How do you intercept the e-mail? (Score 1) 79

Password resets don't send plain text passwords. They send a link that can be used to reset the password, a link with a short life generally.

That aside, you think it is easy to pay off someone at Google to access e-mail? Try it. What you'd discover is, first, that most people are fairly moral (you may not be, but most are), but second that places like Google have some pretty serious security controls in place. A random employee can't just go and access someone's mail. I don't mean they aren't allowed to, I mean there are controls in place to keep them from doing so. Such a thing is monitored and requires authorization. You'd need to compromise more than one person, and that's pretty hard, certainly more than a "mild challenge". Particularly given that your target is a password reset for some random person's account.

You seem to be applying 20 year old thinking to the modern IA landscape. Yes, back in the 90s it might have been easier to compromise someone at the local ISP that had all of 10 people working at it and no security controls at all to get into the mail server. Well, part of the changing world and the "cloud" nature of modern services is that's not your target anymore. By and large mail is hosted by big providers, who have some of the best blue and red teams in the business working for them. They are hard targets.

While e-mailed password reset links are not the best way of doing security, they are plenty good enough for the value of what they are protecting. The resources required to compromise such a thing are way in excess of the value you'd gain. So people aren't going to try.
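One way the short-lived, single-use reset link described in the comment above could be implemented, as an added example that is not part of the original post or any provider's code. The 15-minute lifetime, the in-memory store, the hypothetical `example.test` base URL and the `/reset?token=` link format are all assumptions; the point is that the e-mail carries an unguessable token, never the password, and that the server keeps only a hash of it.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a reset link; real services pick their own value.
TOKEN_LIFETIME_SECONDS = 15 * 60


class ResetTokenStore:
    """Issues and verifies password-reset tokens.

    Only a SHA-256 of each token is kept server-side, so a leaked
    database dump does not hand out usable reset links. Tokens are
    single-use: redeeming (or attempting to redeem an expired one)
    removes the entry.
    """

    def __init__(self):
        # token_hash -> (user_id, expiry as Unix time)
        self._pending = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, now=None):
        """Create a token for user_id and return the plaintext to e-mail."""
        now = time.time() if now is None else now
        # 32 random bytes from the OS CSPRNG, URL-safe base64 encoded:
        # far beyond anything an attacker could guess in 15 minutes.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (user_id, now + TOKEN_LIFETIME_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user_id if token is valid and unused, else None.

        The entry is popped before the expiry check, so an expired token
        cannot be retried and a valid one can be used exactly once.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None  # unknown, forged, or already consumed
        user_id, expiry = entry
        if now > expiry:
            return None  # too old; the link in the mail is now worthless
        return user_id


def build_reset_link(base_url, token):
    """Build the URL that goes into the reset e-mail (format is assumed)."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print(build_reset_link("https://example.test", t))
    print("first redeem:", store.redeem(t))   # alice
    print("second redeem:", store.redeem(t))  # None, token already used
```

Intercepting the mail only helps an attacker who can also use the link before the legitimate user does and within the lifetime window; once `redeem` has consumed the token, the captured link is dead.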

Comment Re:How do you intercept the e-mail? (Score 1) 79

Well first off forgive me if I don't believe your "I'm such a l33t haxor" stories without a bit of proof. I have encountered more than a few people in my career who have supposedly done all kinds of nifty shit, yet have trouble doing even the most basic IA related tasks.

Second, things have gotten more secure since the Internet started. Source routing is something blocked on almost all networks, switches have replaced hubs (and switches are hardened against things like ARP poisoning now), most systems and networks have stateful firewalls sitting on them, and so on. What worked in 1995 is not very likely to work today.

However the biggest of all is as I noted in my first post: E-mail is generally encrypted between provider and person today. The biggest e-mail platforms, Gmail, Office 365, etc do encryption to the endpoint. When you check Gmail, be it via web browser or your phone, Google encrypts the session with TLS and your browser/app decrypts it. That means any data theft on the target's network or the ISP is out, it is encrypted.

So you are then left with the e-mail host, the company sending the mail, and maybe the transit providers, supposing those companies don't encrypt e-mail between them (which they often do). If you really think you can hit Google, well then let's hear how that would go. Lay out the theoretical framework for how you'd get into their systems to be able to monitor data in transit.

So no, sorry, this isn't an easy task to accomplish. You'd be far more likely to succeed in attacking the target's computer (as ever) in which case crypto doesn't matter since it is decrypted on their system. Of course neither would a reset e-mail since you could just capture the passwords directly.

Comment How do you intercept the e-mail? (Score 1) 79

I know there's this idea that anything not encrypted is super vulnerable but really, think about what you are saying: How do you mount such an attack? Suppose that someone requests an account reset from Amazon and it is going to their Gmail account. Where do you propose to intercept the message? You think you can realistically hack into the servers or network at either company? If not there, you'd have to get into one of the tier-1 transit providers. These are some pretty hard targets. Other than that the only thing you could target is the lines themselves. Of course it is a bit difficult to physically tap fiber in a conduit, and it is a bit conspicuous.

It is far less feasible to intercept plain text traffic than many geeks make it out to be. It is not impossible; a state actor can do it, or the ISPs themselves of course. But for J. Random Hacker? Pretty close to impossible. Particularly if you are talking e-mail, which these days is normally only plain text between providers, and is sent encrypted to the end user. Getting to tap that traffic would be very difficult, and I'd argue someone that did would have higher value targets than a password reset e-mail.

Comment Where I live your car is listed (Score 2) 277

It probably varies state to state but in AZ, your car is listed on your insurance. While the liability insurance is for you operating a vehicle, and applies even if you drive another car, your car is still listed on your insurance paperwork. It also helps determine the rate. If you have a high performance car, you are going to pay higher liability insurance than someone with an econobox.

So if you found a car driving around, and couldn't find a record for its insurance, good chance the owner is uninsured. It is possible that they are and just neglected to add this particular car (though that could mean the policy wouldn't cover them, which would make them effectively uninsured) but more likely they don't have insurance.

Not saying I support this spy cam crap (particularly since a private company is running it, and as with speed cameras they'll try to game it) but it would be something where if you run a car's plate and it comes back as not in the system, 99%+ of the time it is being driven by an uninsured driver.
