Re: Proper Shilling Ettiquete


I do not recommend you use the method you did at Shmoocon the one year with the projector and standing on a chair. That method seemed to at least piss off the vendor.

Re: Proper Shilling Ettiquete

Renderman.

I don't mean to get pissy with you here, but I have run the vendor area at DEF CON since DEF CON 10 and I can't remember ONE vendor that had a "hack our stuff" deal going on. Now, I've destroyed many a brain cell over the years and will admit to not having a perfect memory anymore but could you please let me know what vendor did a hack our stuff, give us free beta testing/security services table in the DEF CON vendor area in the last 10 years?

ETA: I actually clicked on this thread because I could have sworn (at my first glance) that it said "Proper SHITTING Ettiquete" Mayhap I need to get my eyes checked.

Re: Proper Shilling Ettiquete

Are you talking about things like this: (?)

https://pics.defcon.org/showphoto.ph...c-sign&cat=518

Some ideas...
* Let everyone know about it months ahead of time
* Give people the same kind of access to the product that they could have in the real world, which means physical access to learn about it for months before the "contest."
* Strong words to remind vendors, "just because people could not find an exploit within 3 days at this convention does not mean they won't: not everyone at the convention tried, and 3 days is not enough time to adequately test most modern devices/products." (Example: with Pwn2Own, well known devices/OS/applications are put up for testing, and people can test them from home/work for many days to develop an exploit that can be executed within minutes once at the convention.) If I made a product and took it to Defcon, and spent 3 days in the contest space inviting people to try to break it, but there was only one, and I watched everyone that touched it, and nobody broke the device, then would I market the product as, "Even hackers at Defcon could not break it" ? That is the kind of thing a marketer would do, but it rubs attendees the wrong way.
* If their product really is as secure as they believe, then they should not have any problems with people becoming "intimate" with the product, or disassembling it, or reverse engineering it. (Understanding how something works is core to hacking. Without having an opportunity to learn about something so well that you can demonstrate a, "hack," how can a contestant adequately test the product?
* Don't require people to sign anything or fill out paperwork if they "win" in order to get their prize.
* Don't require people to sign anything or fill out paperwork to enter/try.
* Allow video recording and pictures during attempts
* Allow attempts to be conducted in private. (It is fine to require a demonstration on a new device in public and record the progress.)
* Make the reward high enough to encourage very skilled people to spend time working on it. For example, if a reward it $500, and an attacker spends 10 hours working on a product, and they succeed, did they just earn $50/hour for their 10 hours of work while at a convention where they could be doing so many other things instead? It is easy to observe, "Bug Bounties," are going this way with greater and greater rewards being offered as time moves forward and fewer bugs are submitted.

I may revisit this later with other ideas.

Hope this helps Renderman. Good luck!

Re: Proper Shilling Ettiquete

Just to clarify (not for you Cot but for anyone that may see the pic you linked to), that is a contest that took place in the contest area, not a Vendor in the Vendor area. If this is what Render is referring to then it makes more sense to me.

Re: Proper Shilling Ettiquete

Ah yes, you are totally right. I thought I mentioned it, but it seems I forgot.

This picture that I linked to was taken by me on the contest floor, not in the Defcon vendor room. It was projected onto the wall using a data projector.

Sorry about that.

Re: Proper Shilling Ettiquete

I would also add to this that having your product at DEFCON and letting DEFCON attendees thrash on it for a few days does not constitute any sort of endorsement of your product by DEFCON Communications. If the vendor in question is merely looking for some sort of free product endorsement, that would probably wave them off.

Until theres a promotional photo of DT holding your product and saying 'I don't always hack, but when I do I use WombatCorp brand hacker widgets; stay unpwnd my friends' it's not a DEFCON endorsement.

Re: Proper Shilling Ettiquete

I officially endorse this lack of endorsement

Re: Proper Shilling Ettiquete

To clarify, I was not looking at a contest or anything like that. I totally agree with all the sentiments that they prove nothing. I cannot remember any specific vendor ever doing it, but as cot mentioned, there have been some over the years in the contest area and random handouts all over the showfloor.

I was looking more at some info handouts or something at con and engagement with the community at large outside of con. I was also going to encourage providing product to hackerspaces and other privacy aware organizations.

To further clarify, it's an encrypted webmail product that the company has made every effort that they can that they cannot access your key or email contents. They are taking a stand for privacy by intentionally locking themselves out of the process (they apparently have some loopholes in lawful access regs). The goal is encrypted email that is strong enough for the tin foil crowd, but easy enough for grandma to use. Company has been around 5 years, and they have a beta currently up, so it's not some little 'change the world' startup we have seen come and go.

I'm wanting to engage the community (here, at con, hackerspaces, whatever) to find out from the paranoid and doubtful among us, what would satisfy them that they are indeed unable to retrieve anything (think blowback from the recent Dropbox revelation) and what features the paranoid crowd likes. I'm not asking them to do work for free, but you can admit that for such a product, the hacker community makes and interesting feedback source.

Obviously I want to do this without pissing anyone off, hence why I am asking here what is the best way to get that feedback without seeming to shill or go the annoying booth with a contest route?

Re: Proper Shilling Ettiquete

I'm thinking of walking around with a t-shirt saying UNHACKABLE with a corporate IP address on it. If you get in you keep what you find.

Re: Proper Shilling Ettiquete

Am I the only one who though underwear instead of T-shirt?

Re: Proper Shilling Ettiquete

Thats a good one i'd buy it.

Re: Proper Shilling Ettiquete

Is this a US-based company?

Re: Proper Shilling Ettiquete

Yes it is and I know what you are thinking, but they seem to have found some legal loophole. I'm still trying to get more details

Re: Proper Shilling Ettiquete

I suppose it wouldn't be any worse than the LifeLock idiot paying a truck to drive around with his Social Security number in 4-foot high lettering...