<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>It's a shampoo world anyway</title>
    <link>https://shampoo.antville.org/</link>
    <description>...la lausige Leben, revisited</description>
    <language>de</language>
    <pubDate>Tue, 12 May 2026 06:36:28 GMT</pubDate>
    <dc:date>2026-05-12T06:36:28Z</dc:date>
    <dc:language>de</dc:language>
    <item>
      <title>DeepSec 2007 Roundup</title>
      <link>https://shampoo.antville.org/stories/1728492/</link>
      <description>&lt;p&gt;Last Friday I had the honour of giving a talk at &lt;a href="https://deepsec.net/"&gt;DeepSec2007&lt;/a&gt; in Vienna. Due to other obligations I unfortunately could only attend the final day of the conference.&lt;/p&gt;&lt;img alt="" style="" title="" loading="lazy" src="https://antville.org/static/sites/shampoo/images/logo.png" /&gt;&lt;p&gt;The day started with a keynote presentation by &lt;a href="http://www.blackhat.com/html/bh-about/bh-about-index.html"&gt;Jeff Moss&lt;/a&gt;, the founder of BlackHat. He gave a really entertaining talk on responsible disclosure using the Mike Lynn/ISS/CISCO-debacle of 2005 as an example. Jeff was followed by Halvar Flake who talked about (semi-)automatic malware classification using his tool &lt;a href="http://www.sabre-security.com/products/bindiff.html"&gt;BinDiff&lt;/a&gt;. BinDiff looks fantastic. I am always intrigued by tools that combine clever algorithms with a good looking and usable GUI. While I don't necessarily completely agree with Halvar's assessment why his technique is significantly better than the competing approaches, I learned a lot from his presentation. Then I had to do some last-minute refinements on my slides and meet some people, therefore I skipped most of the trailing presentations.&lt;/p&gt;&lt;p&gt;The next talk I attended was &lt;a href="http://www.databasement.net/csrf.html"&gt;my own&lt;/a&gt;, which went fine. Once again (and probably for the last time) I presented on CSRF. This time I skipped most parts concerning our protection mechanisms and concentrated more on the various exploiting aspects using real-life examples and demoing Justus's CSRF-exploit-o-mat, which allows the automatic creation of a working exploit in less than 5 seconds. 
I got some good questions and had a couple of nice conversations in the hallway.&lt;/p&gt;&lt;p&gt;The conference ended for me with Melanie Rieback's presentation on &lt;a href="http://www.rfidguardian.org/index.php/Main_Page"&gt;RFIDGuardian&lt;/a&gt;. The RFIDGuardian is a small wearable appliance which is able to intercept, alter, or block communication between RFID-readers and RFID-tags (e.g., your passport, tags in your clothing, or tags you didn't even know you had). The appropriate action which the guardian should execute can be selected on a per-tag basis, thus allowing a rather fine-grained control. The feature I liked the most is that the tool provides auditing/logging capabilities which enable the user to exactly establish when and where somebody tried to access RFID-tags during the day. Right now, only prototypes exist but Melanie's research group is trying to get some funding for mass production, which would result in a possible end-consumer price around 200 €. As all the basic information (software, hardware design) is open and free (GPL, CC) it is also possible to build your own device at home, provided you have a soldering iron and know what you are doing (a note to my students: If anybody wants to do this as a part of his master's thesis, drop me a line).&lt;/p&gt;&lt;p&gt;In the evening &lt;a href="http://blog.fukami.io/"&gt;fukami&lt;/a&gt;, &lt;a href="http://blog.php-security.org/"&gt;Stefan Esser&lt;/a&gt;, and I attended Monochrome's fantastically entertaining &lt;a href="http://www.monochrom.at/taugshow/index.htm"&gt;Taugshow&lt;/a&gt;. The show's talk-guests on stage were (among others) Cory Doctorow, Tim Pritlove and Jeff Moss. The secret highlight of the show was a friendly American who almost choked when he was trying to eat a dollar-bill (which he did to support the US economy).&lt;/p&gt;&lt;p&gt;In summary, DeepSec was a very pleasant and inspiring experience. 
My only regret is that my time was too limited so that I missed the first day and neither had the time to check out the Meta-Lab nor visit the Roböexotica-event.&lt;/p&gt;</description>
      <pubDate>Thu, 29 Nov 2007 16:05:13 GMT</pubDate>
      <guid>https://shampoo.antville.org/stories/1728492/</guid>
      <dc:creator>Maddin</dc:creator>
      <dc:date>2007-11-29T16:05:13Z</dc:date>
    </item>
  </channel>
</rss>

