Can you expand on or point to a write up on reverse engineering patches?
Do you mean that reversers try to locate the, say, buffer overflow that was fixed and try to find another way to exploit it? Why would major companies want to do this?
I actually didn't see the BH talk, but I saw a similar talk that Halvar gave at CanSecWest shortly after.
The gist of it is, imagine that you have a binary that you are looking to find vulnerabilities in to exploit. You can go through all the trouble of discovering a vulnerability, and then hope it doesn't get patched; or you can sit and wait for a patch for said binary. There's reams of data out there about how long it takes for systems to apply patches, but in general, you can find vulnerable versions of patched software long after the patch has been released.
Using binary differential analysis you are basically zeroing in on the parts that were changed (which you can imagine is a much smaller subset of the overall binary) and find the vulnerability much more quickly.
There are tools (there is/was a product called BinDiff that I don't know if Zynamics still sells after they got bought by Google) which help you do this in a more automated fashion.
That means that with much less work, you can write up a working exploit that will still work on some decent percentage of the install base for the application (until everyone patches it).
Additionally, you can imagine that a lot of times when vulnerabilities get fixed, they aren't necessarily fixed with the utmost rigor. There's a lot of cases where an individual vulnerability might be fixed, but if you look at what was done, you can find other parts of the binary that are vulnerable to the same underlying flaw. Knowing what gets changed in the patch can tell you a lot about underlying issues.
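The workflow that comment describes (narrow the search to what the patch touched, then look for the same pattern elsewhere in the binary), as an added example that is not code from the original thread and not BinDiff's own code. It assumes the two binaries have already been disassembled into per-function instruction lists keyed by symbol name; the disassembly below is constructed, and real stripped binaries need structural function matching that this toy skips.

```python
"""Toy function-level patch diff with a follow-up variant search.

Constructed example. The disassembly is hand-written x86-64 style text,
not output from any real tool or binary.
"""
import difflib
import hashlib
import re
from typing import Dict, List

FuncMap = Dict[str, List[str]]

# Absolute code/data addresses (5+ hex digits); small stack offsets such as
# 0x40 are left alone because they are part of the function's meaning.
ADDR = re.compile(r"0x[0-9a-fA-F]{5,}")

# Constructed "old" (vulnerable) version: parse_header and parse_body both
# copy attacker-controlled data into a fixed stack buffer with strcpy.
OLD: FuncMap = {
    "parse_header": [
        "push rbp", "mov rbp, rsp", "sub rsp, 0x40",
        "lea rdi, [rbp-0x40]", "mov rsi, rdx",
        "call strcpy",
        "leave", "ret",
    ],
    "parse_body": [
        "push rbp", "mov rbp, rsp", "sub rsp, 0x100",
        "lea rdi, [rbp-0x100]", "mov rsi, rdx",
        "call strcpy",
        "leave", "ret",
    ],
    "log_line": ["push rbp", "mov rbp, rsp", "call 0x401a30", "pop rbp", "ret"],
}

# Constructed "new" (patched) version: only parse_header was fixed, and
# log_line merely moved (its call target was relocated by the linker).
NEW: FuncMap = {
    "parse_header": [
        "push rbp", "mov rbp, rsp", "sub rsp, 0x40",
        "lea rdi, [rbp-0x40]", "mov rsi, rdx",
        "mov edx, 0x3f",
        "call strncpy",
        "mov byte [rbp-0x1], 0x0",
        "leave", "ret",
    ],
    "parse_body": OLD["parse_body"],
    "log_line": ["push rbp", "mov rbp, rsp", "call 0x401b10", "pop rbp", "ret"],
}


def normalize(insns: List[str]) -> List[str]:
    """Mask absolute addresses so relocation alone does not look like a code change."""
    return [ADDR.sub("ADDR", i) for i in insns]


def fingerprint(insns: List[str]) -> str:
    """Stable hash of a function's normalized instruction stream."""
    return hashlib.sha256("\n".join(normalize(insns)).encode()).hexdigest()


def changed_functions(old: FuncMap, new: FuncMap) -> Dict[str, str]:
    """Report only the functions the patch added, removed or modified."""
    result: Dict[str, str] = {}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            result[name] = "removed"
        elif name not in old:
            result[name] = "added"
        elif fingerprint(old[name]) != fingerprint(new[name]):
            result[name] = "changed"
    return result


def instruction_diff(old_fn: List[str], new_fn: List[str]) -> List[str]:
    """Only the +/- lines of a unified diff between two instruction streams."""
    lines = difflib.unified_diff(normalize(old_fn), normalize(new_fn), lineterm="", n=0)
    return [l for l in lines if l[:1] in "+-" and not l.startswith(("+++", "---"))]


def removed_sequence(old_fn: List[str], new_fn: List[str]) -> List[str]:
    """Instructions the patch took out; this is the signature of the bug that was fixed."""
    return [l[1:] for l in instruction_diff(old_fn, new_fn) if l.startswith("-")]


def find_variants(funcs: FuncMap, sequence: List[str], exclude=()) -> List[str]:
    """Functions that still contain the removed sequence, i.e. unpatched copies of the same flaw."""
    n = len(sequence)
    hits = []
    for name, insns in funcs.items():
        if name in exclude or n == 0:
            continue
        norm = normalize(insns)
        if any(norm[i:i + n] == sequence for i in range(len(norm) - n + 1)):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    changes = changed_functions(OLD, NEW)
    print("touched by patch:", changes)
    for name, status in changes.items():
        if status != "changed":
            continue
        print(f"--- {name}")
        print("\n".join(instruction_diff(OLD[name], NEW[name])))
        sig = removed_sequence(OLD[name], NEW[name])
        print("same pattern still present in:", find_variants(NEW, sig, exclude={name}))
```

Run as a script it reports that only `parse_header` changed, shows the `strcpy` to bounded `strncpy` replacement, and flags `parse_body` as still carrying the removed `call strcpy` sequence, which is exactly the "fixed here, not fixed there" situation the comment describes. `log_line` is correctly not reported, because its only difference is a relocated call address.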
Think of Windows. You and I both know that not all machines running Windows are up to date with their security patches. Reverse engineering a patch for a 0-day exploit could give an attacker an idea of how to compromise unpatched machines. With all the unpatched Windows XP machines in the world, you could probably build your own botnet if you're smart enough :)
Like other seized assets they will get repurposed for other investigations. When the feds seize a boat, car, or home they either sell them or use them for operations, undercover and the like.[0]
I imagine the BTC will be saved until the case is closed and then used for other investigations; I don't think the feds would try converting and selling it.
Why not convert it and sell it? Spending BTC doesn't destroy any evidence, you'll still have a record of the original BTC to trace. I imagine there is some legal procedure to go through before they can dispose of the assets, but I can't imagine them simply shredding the keys.
I'm pretty sure that's what the hearings are going to focus on. They may also throw in a little 'anyone can anonymously fund terrorists!' considering the sessions were called by the Committee on Homeland Security.
I posted a link further down in the thread about the majority of Texans supporting recreational and medical cannabis use, quoting from the study:
"Respondents whose age fell between 30 and 65 were most likely to be in support of the measures, with the 18-29 age group being the most unsure. Those 65 and older showed the least support but were still a part of the majority approval"
You are completely correct. Even in Texas the majority of the citizens support legalizing medical and recreational marijuana[0] but no politician will ever bring it up.
I'm not. Police don't usually go after small time users. Any good city cop can find a trap house and pinpoint the crack heads going in and out. It's a waste of resources to arrest them though, they want the distributors.
BUT I also never thought they would bust SR dealers...
You are right. At my house I place one of those gym steps in front of my toilet and actually feel my body out of wack when I have to use other restrooms.
How can a working developer transition to security? Just apply to 'security' jobs?
I've been reading a lot and managed to complete a couple of those exploitation wargames and hack some web apps but am in a completely different domain.
Beyond that, add in a bit of system administration knowledge, e.g. in-depth knowledge of operating systems and networking, and you have everything you need to break many, many systems!
Learn to see how things break. Most developers have a vision of how things should work. Good security developers have a vision of how things are brittle.
Risks Digest is a good, low-volume, high-signal-to-noise place to just soak in the idea of systems breaking (both accidentally and by malice).
It really depends on what type of security you want to be involved with. If you're interested in appsec (which I think is infinitely more interesting than network security, but obviously, others' opinions will differ), then web security is a good place to start.
I've spent the bulk of my career doing application security work, so I have less advice to give about other aspects of infosec (which like the article says, really is a large field).
But (and this is fairly generic advice, received from a disembodied pseudonym on the internet) you can do a lot worse than just picking up a copy of the Web Application Hacker's Handbook, downloading the free version of Burp Suite, setting up a VM and installing some old versions of popular CMSs (or bulletin boards).
EDIT: Here's an old comment by tptacek that recommends something similar for starting out (so at least two people recommend this): http://news.ycombinator.com/item?id=5266939
I don't find a lot of value in CTFs (again, other people obviously feel differently), and I disagree with the other person who recommended you go to Blackhat.
Security conferences can be great, but I wouldn't go to Blackhat as your first (I actually wouldn't go to Blackhat unless your work was sending you, or you're speaking there). You can't throw a rock without hitting ten security conferences nowadays, so I'd start with ones more local to you (which will have the added benefit of having attendees who are also more likely to be local to you).
Based on your HN profile, it looks like you might live in Austin? If so, there are plenty of companies hiring security folks (actually, almost everywhere there is a crazy unmeetable demand for security professionals).
If you're a developer, you've already got an advantage over 95% of the people working in infosec. That sounds like an exaggeration, but people seem to have a hard time understanding the disconnect between the relatively small "hacker" community and the much, much larger corporate world where "senior pen testers" don't know how to do anything above and beyond kicking off a network scan.
I'd like to think that the appsec world is a little more advanced, but I think that's just me rationalizing. The bulk of people doing corporate appsec work (by which I mean consulting) are just running WebInspect (or something equivalent). That's why if you spend any time in the infosec community, you'll hear countless tales about how difficult it is to hire good people.
If you have any specific questions, or just want any advice, feel free to email me (my email is in my HN profile).
http://www.mysanantonio.com/news/local/article/Gov-Rick-Perr...