AppSec Village

Videos of the AppSec Village ☠

Comments

  • @ileanabarrionuevo94 · 5 hours ago

    amazing talk

  • @pacoaaron13 · 14 days ago

    been trying to set this up for days now

  • @camelotenglishtuition6394 · 6 months ago

    I've been learning hacking APIs since last year, love it. Great talk btw!

  • @TheCyberWarriorGuy · 6 months ago

    :)

  • @isaacr8163 · 7 months ago

    😋 Promo-SM

  • @patriciamolina340 · 7 months ago

    Congratulations, Felipe. Way to go! 👏

  • @mayanjacharles910 · 11 months ago

    Great work. Please, can I get your contacts? Just a student.

  • @lucapirolo982 · 1 year ago

    Great video, looks like a great tool

  • @kirangavara · 1 year ago

    Amazing work Christian Schneider

  • @shikida · 1 year ago

    Theme: appsec education. Duration: almost 40 minutes. When it starts to talk about appsec education: 20 minutes. Look, I think there's room for improvement.

  • @brickwilbur9805 · 2 years ago

    HELP ANYONE WITH SOME ANDROID SKILLS!! HACKED ATTACKED. ?? A few days ago, while watching a KZread video(via the App) on my Samsung Galaxy S20 FE 5G, the left half of the video portion was covered with a pinkish/orangish screen with the words "MICROWAVE SPY CAMERA 1.XXXX" (where xxxx was 4 digits that I don't remember). After about 20 seconds, I clicked the next video and the exact same thing occurred. I then clicked back to the previous video and the video didn't have this "notice". Then I returned to the new video and it was no longer there either! I played one more completely different video and it wasn't on it either. I tried to look in the developer options for how to see active programs running and it listed about 20, but nothing that stood out as suspicious. I just now put the phone in airplane mode. How can I inspect my phone for evidence of this "screen notice"? Maybe some kind of cache files containing the "screen notice" or whatever? Is there a way to get a dump of ALL processes running before it's too late and it terminates, or the cache gets deleted? I would like to get proof this exists on my phone. Need evidence. Please help ASAP!!

  • @rudyfernandez5522 · 2 years ago

    Hi Graham and thanks for the video! Using Pysa, can we track the flow of sensitive data through third-party packages and make sure they do not use it dangerously? If yes, what is your recommendation or do you have a tutorial tackling this risk? Thank you

  • @adeniyigbenga9079 · 2 years ago

    I will be glad if you can reach back to me. I have some questions and also want to see if you can mentor.

  • @Cools2009 · 2 years ago

    17:37 That was the video, not your computer.

  • @defenestrated23 · 2 years ago

    Excellent talk

  • @himanshumishra8218 · 2 years ago

    Can you please share the ppt here?

  • @gsuberland · 2 years ago

    Great talk! Quick tips on the hardware side, based on what I could see on the PCB:
    - J1, J4, and J5 could be anything, but I'd investigate them for UART (serial interface) given the direct traces from the CPU. This is where you're most likely to get boot output logs and maybe an interactive shell.
    - U4 is almost certainly the EEPROM that stores the firmware & config - probably a 24LCxxx or 25LCxxx series (I2C and SPI interface EEPROMs, respectively). You can clip onto these with a SOIC8 clip, and dump them that way, but the (electrically) safer method is to desolder it and use a ZIF socket to hook it to an Arduino or other SPI/I2C interface and dump it.
    - JL3 is probably an ICSP header for programming the device, or a similar programming interface. The square and diamond pads are probably VCC and GND, others will be signals. Doesn't look right for JTAG but ICSP or similar is likely. Could also be a breakout for a SPI bus.
    - J3 is an unpopulated SATA connector. The L-shape on the silkscreen is a nice hint, but the traces give it away. There are two pairs of traces routed very close to each other with termination resistors. That indicates two high-speed differential pairs. Two pairs usually means transmit and receive. SATA uses a 7-pin connector which matches, and if you google pictures of SATA connector parts you'll see the standard staggered pinout that matches the PCB footprint.
    - J8 and J10 are almost certainly just for power.
    - The chip at the top with the crab logo is a Renesas Ethernet PHY for the network port.
    - iTE are a major manufacturer of Super I/O and HDMI interface chips, so my bet is you've got an IT66121 and IT6604 (or similar) doing the transmit and receive, plus audio.
    - JL5 is an mPCIe connector which is probably used for WiFi or cellular network adapters in other models. Not to be confused with M.2, even though it looks similar. You can tell the difference by the pin count - mPCIe has two rows of 26 pins for mPCIe, whereas M.2 has 67 pins total and only 6 per side on the smaller side of the notch. Given the presence of that SATA connector at J3, I'd guess the OS on this thing has SATA drivers, so you could probably install an mPCIe SATA card in here to load your own storage.
    - The connector to the left of the mPCIe slot is an SD card connector. This is a very easy avenue to getting files on and off the device since the SoC will have an SD interface or at least a SPI interface that can talk to it natively. Embedded Linux should have inbuilt support for mounting it without needing extra kernel modules.
    - The 32-pin IDC footprint on the left is possibly ExpressCard, but it's a bit weird so I'm not 100% sure there. Definitely not ATA, FDD, or SCSI from the looks of it. SAS 4i has 32 pins but the connections don't look right for that. It might just be completely proprietary.
    - The square unpopulated footprint below the battery looks like it might be for a SIM card connector, so maybe this board can have an LTE card plugged into the mPCIe slot.

  • @kylecreamer7208 · 2 years ago

    Great talk! The case study was very realistic in terms of showcasing just how easy it can be to skip good security practices & the consequences that can play out. Especially loved the sections at the end showing the results of the static analysis tool and then digging in to the corresponding vulnerabilities in the code. Also, there were at least 4-5 laugh-out-loud moments -- really enjoyed the humor sprinkled throughout the talk :)

  • @luckynumbersevuuun · 3 years ago

    Excellent work. Succinct, clear, useful, and interesting. Good balance in presentation. Doing some of it live adds credibility.

  • @cyphercoda4575 · 3 years ago

    Can we have the slides?

  • @AlexShinkevich · 3 years ago

    Thank you, James, for an interesting presentation.

  • @sql7002 · 3 years ago

    Thanks Mazin 🙏🙏🙏

  • @weldonco9902 · 3 years ago

    Basically if a vendor has a NOTE right below the intro, they are probably not thinking of security first.

  • @weldonco9902 · 3 years ago

    Oh and pub/priv keys

  • @DigitalOverdose · 3 years ago

    Awesome talk! The voice acting and sound FX were fantastic! Loved it! Thanks for the shoutout! <3

  • @maj113 · 3 years ago

    👀👋

  • @alexhoffman5073 · 3 years ago

    NO... THANK YOU.

  • @ennvee4134 · 3 years ago

    This is a fantastic analogy! Thank you for putting all of this together. Wonderful.

  • @alexhoffman5073 · 3 years ago

    Thanks! Glad you enjoyed it!

  • @faizandish8349 · 3 years ago

    Really a much-needed video.

  • @ohhmypenniereview8505 · 3 years ago

    Can we have the slides of this talk?

  • @cloufish7790 · 3 years ago

    Probably one of the most valuable talks for bug bounty hunters at DEFCON, but it's bad that the microphone was low-quality - sometimes it was hard to understand you.

  • @preetham3151 · 3 years ago

    Agree

  • @GalNagli · 3 years ago

    Sorry for that, I think it's the post-processing phase of the talk.

  • @0xsudip892 · 3 years ago

    @GalNagli Can I get the slides?

  • @RhythmGoyal · 3 years ago

    Liked it

  • @gmtw14 · 3 years ago

    Where do I get access to litefuzz? Is it open source?

  • @securedelivery · 3 years ago

    Fantastic stuff, Grant.

  • @ifeoraokechukwu1346 · 3 years ago

    Can't wait for this talk!!

  • @NaveedSec · 3 years ago

    Great talk, Nagli. Learnt a lot!

  • @anilhanimi8046 · 3 years ago

    I want to hack apps; which app do we have to download?

  • @mulle2992 · 3 years ago

    First?

  • @nighthawk_steel7263 · 3 years ago

    Thank you.

  • @albert5282 · 3 years ago

    We need the Slackbot API and Discord API added to typeshed!!!!!!!!!!

  • @stupidmonkeyx4 · 3 years ago

    Absolutely BEASTS!!!!!!!!

  • @adriano-moraes · 4 years ago

    Nice job.

  • @NDMendes · 4 years ago

    Congrats David and Pedro!

  • @pauloasilva_com · 3 years ago

    You may mean Paulo. No worries: security through obscurity is a misconception :D

  • @ahmedsherif7258 · 4 years ago

    Good efforts, guys! I'm just wondering why you did not use the Nuclei project, which works the same way by defining the rules. github.com/projectdiscovery/nuclei

  • @eshansrivastava7122 · 4 years ago

    Link to the slides?

  • @ES-bw7oz · 4 years ago

    Go ahead and hop in our discord, and I think you might find one there :) discord.gg/defcon

  • @beckismith1731 · 4 years ago

    Good, good. I will watch your career with great interest.

  • @ES-bw7oz · 4 years ago

    This is honestly so enjoyable.

  • @beckismith1731 · 4 years ago

    This is the way.

  • @tiffanylong5805 · 4 years ago

    What a fun talk!

  • @hordeumvulgare7195 · 4 years ago

    Nice! Counting on it.

  • @honeymerrinsam4919 · 4 years ago

    This wasn't a complete bleh! 🥰