Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- =----------------------------------------------------------------------------=
- =-- LOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL --=
- =----- -----=
- =------- GREETINGS! -------=
- =------ YOU ARE FORMALLY INVITED TO: ------=
- =--- - - ---=
- =--- _.-- ,.--. ---=
- =--- .' .' / ---=
- =--- | @ |'..--------._ ---=
- =--- / \._/ '. ---=
- =--- / .-.- \ ---=
- =--- ( / \ 0DAY \ ---=
- =--- \\ '. | # ---=
- =--- \\ \ -. / ---=
- =--- :\ | )._____.' \ ---=
- =--- " | / \ | \ ) ---=
- =--- snd | |./' :__ \.-' ---=
- =--- '--' ---=
- =--- ---=
- =----- 3RD (ALMOST) ANNUAL WHITE ELEPHANT 0DAY GIFT EXCHANGE -----=
- =------ WHEN: 6PM, FRIDAY AUGUST 2ND, 2013 ------=
- =------ WHERE: POOLSIDE AT DEFCON (RIO) ------=
- =----- -----=
- =-- LOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL --=
- =----------------------------------------------------------------------------=
- ====================
- =- What is it? -=
- ====================
- A white elephant gift exchange ceremony for 0day.. some background:
- "A white elephant is an idiom for a valuable but burdensome possession of
- which its owner cannot dispose and whose cost (particularly cost of upkeep)
- is out of the proportion to its usefulness or worth"
- Read More:
- http://en.wikipedia.org/wiki/White_elephant_gift_exchange
- http://en.wikipedia.org/wiki/White_elephant
- Everyone has found white-elephants while bug hunting. These are bugs that
- are laughable due to their insignificance or unexploitability. Now you get
- to swap them for other, better (shittier) 0day at an informal meet-up by
- the pool at DEFCON. Woooow!
- For this event, a white-elephant 0day is defined as:
- ----------------------------------------------------
- A zero-day vulnerability (and accompanying exploit) with one or more of the
- following qualities:
- - the privilege/access gained from exploitation is lower than or same as
- the level(s) of privilege/access required for exploitation itself.
- - the deployment conditions for the vulnerability to be usable are
- impractical, unreasonable, or very rare in real-world scenarios
- - the affected software is hilariously worthless
- - the bug/exploit holds little or no value for an actual attack
- --------------------------------------------------------
- NOTE: The bug must be real and not purely theoretical!
- --------------------------------------------------------
- Here are some examples from previous years exchanges:
- --------------------------------------------------------
- - GPS device memory corruption, triggered by manually walking the
- device around in specific patterns to reach affected code path (LOL!)
- - OS/2 Telnet.d local-only stack-based buffer overflow (90s gold!)
- - Vulnerability with privilege-plummet (de-escalation) in local
- listening service
- ==========================
- =- How Does it Work? -=
- ==========================
- All participants show up at the date and time of the event with a print
- out (hard-copy) of their vulnerability's description of details and the
- proof-of-concept code. Each printout should also have a large-font title
- giving a vague description of the target software, bug class, and spoils
- gained from successful exploitation. The title should just be enough to
- give an idea of how hilarious the white elephant is, DO NOT GIVE ENOUGH
- DETAIL TO EXPOSE THE BUG IN THE TITLE. The rest of the printout must
- contain enough information for triggering the bug.
- At the event, each printout is placed into an envelope and sealed shut and
- placed in a pile on the floor or somewhere. Each participant then draws a
- number from a SUPER_SECURE_RANDOMIZED lottery hat. Whoever draws 1 gets to
- pick first from the envelope pile. The first participant opens the envelope
- they selected and reads the title of the white-elephant 0day to the group.
- For each following turn, the participant with the next highest number has
- two options:
- #1 Steal the 0day someone else has already opened and announced
- === OR ===
- #2 Pick an unopened envelope, open and announce it
- In the case that a participant chooses to steal an already opened 0day
- rather than pick an unopened envelope, the victim of the theft gets the
- same options: steal someone else's prize or pick an envelope.
- No steal backs allowed. Bartering is encouraged. Have fun!
- =----------------------------------------------------------------------------=
- =-=[ For any questions: drraid [at] gmail, or @drraid on twitter ]=-=
- =----------------------------------------------------------------------------=
- =--- LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL ---=
- =----------------------------------------------------------------------------=
- EOM
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement