44CON LONDON 2015 has ended
Friday, September 11 • 15:00 - 15:59
Responsible disclosure: who cares?


Both OJ and Dan have been conducting security assessments for years. Occasionally a discovery is made which warrants discreetly contacting the vendor in question to let them know that several thousand (or million) of their devices have a major vulnerability. Sometimes the vendor takes notice and subsequently takes action; sadly, on most occasions they either feign effort, completely ignore the researcher, or openly say 'go away'. These are a couple of stories of how responsible disclosure was attempted, but the company in question couldn't be troubled to help themselves.

Dan will articulate the story of events surrounding the recent goatse-ing of a sign in Atlanta, Georgia. LED billboards are apparently just like every other "IoT" style device - completely open, completely public, you just have to know where to look. A little shodanning and one can find any number of colorful things on the internet. Dan will tell the story of his attempts to notify this sign company shortly before they got goatse'd, their interactions before and after, and the demeanor in which one can conduct oneself when turning a security disclosure into a conference talk. We will also check live on stage to see how many of these things still exist.

OJ will tell a horrible tale of his first ever disclosure experience, one that involved a very large vendor of consumer storage products. The story consists of initial vulnerability discovery, analysis, and exploitation, and then leads into what seemed like an endless back-and-forth with the vendor over a series of months. There were lows, and there were highs. The former outnumbered the latter. There was much derp! All will be shared in its lulzy glory, in gory detail, up to and including a discussion with the vendor's CSO. The story will end with an opinion. A strong one. OJ will also be trawling shodan to show how many boxes are still vuln. He will be going through the exploit step by step and explaining how things were discovered.

OJ Reeves

Founder, Beyond Binary
OJ Reeves is an Australian security professional who specialises in attack simulation. When not breaking networks and software, he actively contributes to the Metasploit framework, with a particular focus on Meterpreter.
Dan Tentler

Dan Tentler is a Co-Founder of Carbon Dynamics, specializing in Attack Simulation. He currently manages the Attack Simulation division of the organization. He shouts on the internet quite a lot and occasionally talks to the news. Angry old man of the internet.

Friday September 11, 2015 15:00 - 15:59 BST
Track 1