Proper Shilling Etiquette

  • WiK replied:

    Originally posted by arahel_jazz:
        I suppose it wouldn't be any worse than the LifeLock idiot paying a truck to drive around with his Social Security number in 4-foot high lettering...

    Render,

    Send me some equipment to play with... I'll thrash it and send it back... of course if I can exploit/hack one might expect to keep it.

    Why not do a hack to own? I think it would entice a lot of people who may not be able to afford the equipment otherwise.

    WiK


  • arahel_jazz replied:

    I suppose it wouldn't be any worse than the LifeLock idiot paying a truck to drive around with his Social Security number in 4-foot high lettering...


  • renderman replied:

    Originally posted by theprez98:
        Is this a US-based company?

    Yes it is, and I know what you are thinking, but they seem to have found some legal loophole. I'm still trying to get more details.


  • theprez98 replied:

    Originally posted by renderman:
        To further clarify, it's an encrypted webmail product, and the company has made every effort they can to ensure that they cannot access your key or email contents. They are taking a stand for privacy by intentionally locking themselves out of the process (they apparently have some loopholes in lawful access regs). The goal is encrypted email that is strong enough for the tin foil crowd, but easy enough for grandma to use. The company has been around 5 years, and they have a beta currently up, so it's not some little 'change the world' startup we have seen come and go.

    Is this a US-based company?


  • kcdclan replied:

    Originally posted by renderman:
        Am I the only one who thought underwear instead of T-shirt?

    That's a good one, I'd buy it.


  • renderman replied:

    Originally posted by astcell:
        I'm thinking of walking around with a t-shirt saying UNHACKABLE with a corporate IP address on it. If you get in you keep what you find.

    Am I the only one who thought underwear instead of T-shirt?


  • astcell replied:

    I'm thinking of walking around with a t-shirt saying UNHACKABLE with a corporate IP address on it. If you get in you keep what you find.


  • renderman replied:

    To clarify, I was not looking at a contest or anything like that. I totally agree with all the sentiments that they prove nothing. I cannot remember any specific vendor ever doing it, but as Cot mentioned, there have been some over the years in the contest area and random handouts all over the showfloor.

    I was looking more at some info handouts or something at con and engagement with the community at large outside of con. I was also going to encourage providing product to hackerspaces and other privacy aware organizations.

    To further clarify, it's an encrypted webmail product, and the company has made every effort they can to ensure that they cannot access your key or email contents. They are taking a stand for privacy by intentionally locking themselves out of the process (they apparently have some loopholes in lawful access regs). The goal is encrypted email that is strong enough for the tin foil crowd, but easy enough for grandma to use. The company has been around 5 years, and they have a beta currently up, so it's not some little 'change the world' startup we have seen come and go.

    I'm wanting to engage the community (here, at con, hackerspaces, whatever) to find out from the paranoid and doubtful among us what would satisfy them that they are indeed unable to retrieve anything (think blowback from the recent Dropbox revelation) and what features the paranoid crowd likes. I'm not asking them to do work for free, but you can admit that for such a product, the hacker community makes an interesting feedback source.

    Obviously I want to do this without pissing anyone off, hence why I am asking here: what is the best way to get that feedback without seeming to shill or going the annoying booth-with-a-contest route?


  • Chris replied:

    Originally posted by noid:
        I would also add to this that having your product at DEFCON and letting DEFCON attendees thrash on it for a few days does not constitute any sort of endorsement of your product by DEFCON Communications. If the vendor in question is merely looking for some sort of free product endorsement, that would probably wave them off.

        Until there's a promotional photo of DT holding your product and saying 'I don't always hack, but when I do I use WombatCorp brand hacker widgets; stay unpwnd my friends' it's not a DEFCON endorsement.

    I officially endorse this lack of endorsement.


  • noid replied:

    Originally posted by TheCotMan:
        Are you talking about things like this: (?)

        https://pics.defcon.org/showphoto.ph...c-sign&cat=518

        Some ideas...
        * Let everyone know about it months ahead of time.
        * Give people the same kind of access to the product that they could have in the real world, which means physical access to learn about it for months before the "contest."
        * Strong words to remind vendors: "just because people could not find an exploit within 3 days at this convention does not mean they won't: not everyone at the convention tried, and 3 days is not enough time to adequately test most modern devices/products." (Example: with Pwn2Own, well known devices/OS/applications are put up for testing, and people can test them from home/work for many days to develop an exploit that can be executed within minutes once at the convention.) If I made a product and took it to Defcon, and spent 3 days in the contest space inviting people to try to break it, but there was only one, and I watched everyone that touched it, and nobody broke the device, then would I market the product as "Even hackers at Defcon could not break it"? That is the kind of thing a marketer would do, but it rubs attendees the wrong way.
        * If their product really is as secure as they believe, then they should not have any problems with people becoming "intimate" with the product, or disassembling it, or reverse engineering it. (Understanding how something works is core to hacking. Without having an opportunity to learn about something so well that you can demonstrate a "hack," how can a contestant adequately test the product?)
        * Don't require people to sign anything or fill out paperwork if they "win" in order to get their prize.
        * Don't require people to sign anything or fill out paperwork to enter/try.
        * Allow video recording and pictures during attempts.
        * Allow attempts to be conducted in private. (It is fine to require a demonstration on a new device in public and record the progress.)
        * Make the reward high enough to encourage very skilled people to spend time working on it. For example, if a reward is $500, and an attacker spends 10 hours working on a product, and they succeed, did they just earn $50/hour for their 10 hours of work while at a convention where they could be doing so many other things instead? It is easy to observe "Bug Bounties" are going this way, with greater and greater rewards being offered as time moves forward and fewer bugs are submitted.

        I may revisit this later with other ideas.

        Hope this helps Renderman. Good luck!

    I would also add to this that having your product at DEFCON and letting DEFCON attendees thrash on it for a few days does not constitute any sort of endorsement of your product by DEFCON Communications. If the vendor in question is merely looking for some sort of free product endorsement, that would probably wave them off.

    Until there's a promotional photo of DT holding your product and saying 'I don't always hack, but when I do I use WombatCorp brand hacker widgets; stay unpwnd my friends' it's not a DEFCON endorsement.


  • TheCotMan replied:

    Originally posted by Chris:
        Just to clarify (not for you Cot but for anyone that may see the pic you linked to), that is a contest that took place in the contest area, not a Vendor in the Vendor area. If this is what Render is referring to then it makes more sense to me.

    Ah yes, you are totally right. I thought I mentioned it, but it seems I forgot.

    This picture that I linked to was taken by me on the contest floor, not in the Defcon vendor room. It was projected onto the wall using a data projector.

    Sorry about that.


  • Chris replied:

    Originally posted by TheCotMan:
        Are you talking about things like this: (?)

        https://pics.defcon.org/showphoto.ph...c-sign&cat=518

    Just to clarify (not for you Cot but for anyone that may see the pic you linked to), that is a contest that took place in the contest area, not a Vendor in the Vendor area. If this is what Render is referring to then it makes more sense to me.


  • TheCotMan replied:

    Are you talking about things like this: (?)

    https://pics.defcon.org/showphoto.ph...c-sign&cat=518

    Some ideas...
    * Let everyone know about it months ahead of time.
    * Give people the same kind of access to the product that they could have in the real world, which means physical access to learn about it for months before the "contest."
    * Strong words to remind vendors: "just because people could not find an exploit within 3 days at this convention does not mean they won't: not everyone at the convention tried, and 3 days is not enough time to adequately test most modern devices/products." (Example: with Pwn2Own, well known devices/OS/applications are put up for testing, and people can test them from home/work for many days to develop an exploit that can be executed within minutes once at the convention.) If I made a product and took it to Defcon, and spent 3 days in the contest space inviting people to try to break it, but there was only one, and I watched everyone that touched it, and nobody broke the device, then would I market the product as "Even hackers at Defcon could not break it"? That is the kind of thing a marketer would do, but it rubs attendees the wrong way.
    * If their product really is as secure as they believe, then they should not have any problems with people becoming "intimate" with the product, or disassembling it, or reverse engineering it. (Understanding how something works is core to hacking. Without having an opportunity to learn about something so well that you can demonstrate a "hack," how can a contestant adequately test the product?)
    * Don't require people to sign anything or fill out paperwork if they "win" in order to get their prize.
    * Don't require people to sign anything or fill out paperwork to enter/try.
    * Allow video recording and pictures during attempts.
    * Allow attempts to be conducted in private. (It is fine to require a demonstration on a new device in public and record the progress.)
    * Make the reward high enough to encourage very skilled people to spend time working on it. For example, if a reward is $500, and an attacker spends 10 hours working on a product, and they succeed, did they just earn $50/hour for their 10 hours of work while at a convention where they could be doing so many other things instead? It is easy to observe "Bug Bounties" are going this way, with greater and greater rewards being offered as time moves forward and fewer bugs are submitted.

    I may revisit this later with other ideas.

    Hope this helps Renderman. Good luck!
    Last edited by TheCotMan; May 10, 2011, 08:38.


  • Chris replied:

    Originally posted by renderman:
        So often vendors will show up at Defcon to ply their wares and do stupid things like 'hack our stuff contest' or other such nonsense to use the Defcon name to promote their product or get free work out of us.

        On rare occasion though there are products that are of genuine interest to the hacker community and where feedback from the community can make things better. I have a client I am doing some work for in such a situation. Their product and stance on issues close to hackers' hearts are very much in line. I've been asked to help give them direction and guidance on how to improve their product to be acceptable to security nuts like us.

        My problem is how to do this without being a tool or seen as a shill. Hopefully my reputation carries some weight that I would not align myself with shmucks or sell out.

        Any advice on how to engage the Defcon community without pissing people off?

    Renderman,

    I don't mean to get pissy with you here, but I have run the vendor area at DEF CON since DEF CON 10 and I can't remember ONE vendor that had a "hack our stuff" deal going on. Now, I've destroyed many a brain cell over the years and will admit to not having a perfect memory anymore, but could you please let me know what vendor did a hack our stuff, give us free beta testing/security services table in the DEF CON vendor area in the last 10 years?

    ETA: I actually clicked on this thread because I could have sworn (at my first glance) that it said "Proper SHITTING Etiquette". Mayhap I need to get my eyes checked.


  • streaker69 replied:

    Originally posted by renderman:
        Any advice on how to engage the Defcon community without pissing people off?

    I do not recommend you use the method you did at Shmoocon the one year with the projector and standing on a chair. That method seemed to at least piss off the vendor.
