I gave a presentation on computer vulnerability history at BSides Delaware in November, 2013. Shortly after, I gave the presentation a couple of times at Westchester Community College and the University of Pennsylvania, along with a brief version for the Invisible Harms conference at UPenn. The linked version above is the revised copy after my initial run at BSidesDE. The talk gives a history of computer vulnerabilities starting in 1902 (for real!) and continues up to modern day, looking at how long we have been subject to them, and asking the question 'why' do we still see them in modern software. Video from the BSidesDE presentation is available courtesy of Irongeek. A copy of the original BSidesDE presentation is available, but I recommend the revised copy above. As always, there are extra comments and tons of references in the PPT files.
Steve Christey, the CVE Editor from MITRE, and I gave a presentation at Black Hat Briefings 2013 on the problems we have witnessed over the years with poor vulnerability statistics. Rather than just debunk a handful, which we did, we also went into extensive detail on the different types of bias that ultimately lead to these bad stats. In addition to showing concrete examples of how the bias plays out, and how a single researcher can significantly impact stats, we also point out examples of 'good-ish' stats, since we haven't seen truly good ones yet. Why? The data sources are so primitive, but they are all we have right now. In addition to the slides presented, we left in over 40 additional working slides that didn't make the cut. As always, there is additional commentary, references, and notes in the PPT that weren't seen in the presentation.
For the second year in a row, I helped RussR organize and present the annual DEF CON Recognize Awards, different than the closing ceremony con awards given by Dark Tangent. These awards are entirely community driven, and celebrate the good and bad of our industry throughout the year. We point out the best and worst in media, Twitter feeds, and more. This award ceremony includes the increasingly infamous "Charlatan of the Year Award".
I was asked by RVAsec to fill in as a last-minute replacement for a speaker that canceled. The topic of Vulnerability Databases (VDBs) is very familiar to me, so the only trick was cramming an intricate topic into about 50 minutes. Overall, I attempt to enumerate the serious weaknesses in most VDBs that make up a cornerstone of our industry. When you build on a proverbial straw house, it will crumble at some point. I certainly plan to refine this presentation and give more information and examples.
For BruCON 4 (2012), and for THOTCON 0x04 (2013), Josh Corman and Jericho presented on Cyberwar. While the topic has been beaten to death, our talk focused on two aspects. First, a solid debunking of the rhetoric and hype that has dominated the topic for years. Second, building up a new set of ideas that seem to be lost on the cyberwar 'experts', that effectively broadens the topic and should make everyone reconsider what they think they know about it. In short, Cyberwar has been here for a long time, and it isn't what we were expecting.
For the second year in a row, I helped RussR present the annual DEF CON Recognize Awards, different than the closing ceremony con awards given by Dark Tangent. These awards are entirely community driven, and celebrate the good and bad of our industry throughout the year. We point out the best and worst in media, Twitter feeds, and more. This award ceremony includes the increasingly infamous "Charlatan of the Year Award".
At DEFCON 20, Timmay gave a presentation on the supposed merit of the CISSP certification. It included several reasons why he felt the certification was based more on ISC(2) market hype than an actual value. He asked Jericho to contribute and present a handful of slides (pages 37 - 43) regarding the ISC(2) Code of Ethics and his research into their effectiveness and how the organization handles complaints.
Jericho presented on the 13-year history of the Errata project at RVAsec, giving a behind-the-scenes look at the nightmare and headaches involved, both from the project and from the security industry. This presentation was updated slightly, and given a month later at the Black Hat Briefings 2012 in Las Vegas. (Updated PPT, Updated PDF)
Josh Corman and Jericho did a presentation at SOURCE Boston 2012 about the hacktivist "group" Anonymous.
At Defcon 19 (2011), Paul Roberts led a panel with Josh Corman, Krypt3ia, and Jericho, talking about the "group" Anonymous.
Hacker Court at BlackHat 2008 covered a hypothetical case of the hacking of a social network, 'My Face'.
Hacker Court at BlackHat 2007 focused on a hypothetical case of the theft of a high end virtual item, Pfizer's Rod of Endurance. The panel explored the legal issues surrounding Terms of Service (ToS) and airport searches.
At BlackHat 2006, the Hacker Court panel examined legal issues surrounding the use of sniffers at public conferences.
Jake Kouns and Brian Martin covered vulnerability databases: inherent problems, important issues, major players, research & rankings, and the future. Presentation at CanSecWest 2005.
The third Hacker Court had a snazzy name and theme. The panel explored the issues surrounding "war sailing" and enjoyed great puns like "pier to pier networking". Done at Black Hat 2004.
Hacker Court at BlackHat 2003 focused on a hypothetical case of a user being hacked in the online game, 'GettaLife', and being robbed of virtual items.
The inaugural Hacker Court panel at Black Hat 2002, covering a hypothetical case of the Air Force being hacked.
Thoughts, commentary and notes after closing the defacement mirror. Presentation by Jericho and Mcintyre, at BlackHat USA 2001.
This presentation covered the basics of running the Defacement Mirror, problems we ran into, the mirror process, detailed statistics on defacement activity to date, and more. Presentation by Jericho, Munge, and Punkis at BlackHat USA 2000.