The Approximately Monthly Zoomer
VIScon 2024
2024-10-12
This year’s VIScon Symposium was again filled with interesting talks - a total of 25 in 4 tracks. Since these talks weren’t recorded or the slides publicly available, I wasn’t able to do my usual thing of enjoying the hallway track and watching the talks later, so I did what any muggle without a time-turner would do and just went to one talk per slot.
User Enumeration Based Profiling
If you are forgetful like me or (god forbid) don’t use a password manager, you sometimes forget, that you have already created an account on a specific platform. Sometimes you get a nice error, that says something along the lines of “this email address is already registered”. Surely this cannot be abused for mischievous purposes, right?
Automation, Automation, Automation
Mario thought he could try to abuse this usability feature. He looked around and found some websites that expose whether a specific email already has an account or not and then did what any hacker would do and automated this. In the end he did this for 111 webapps.
If you know exactly which platforms a user frequents, you can probably guess some things about them. The chances of a middle aged female teacher using HN and battle.net are probably low.
The main attribute Mario looked at for his talk is gender. Given a person has an account on sites A,B,C, and D, what is the probability they are male or female?
Lies, Damned Lies, and Statistics
Several approaches of answering these questions were outlined in his
talk, some naive, some less so, and some using machine learning of
course. The only question I had in the end was: How precise would a
prediction based on the email address alone have been compared to these
approaches? My thought was that marco.polo@gmail.com and
thor420@me.com had a higher probability of being male
compared to fairy.maria@hotmail.com and
jessica.miller@outlook.com.
How to make Formula 1 drivers obsolete
Students of the AMZ explained how their cars use computer vision and various other sensor inputs to control their autonomous car and win races. It was a very nice overview of the tech stack they use and an approachable explanation of their systems.
Given the (unrelated) shitshow at the A2RL in Abu Dhabi a few months ago, I’d say we’re at least 5 years™ away from making F1 drivers obsolete, although Ferrari is doing their best to stay on a par with the autonomous racing league (next year they’ll be better for sure).
Hacking the SBB
When you use the builtin sharing feature of the SBB app to share your itinerary, the link consists of a part that is always the same and of several (I think it was 6 in this case) characters that change. You don’t have to be a genius to see that this is probably insecure. Lucas decided to just iterate over all possible combinations of these links and scrape all the different itineraries. As it turned out, these links not only show your full journey stop-to-stop, but also your coordinates or address if you used those features.
So what if you can see an anonymous itinerary?
Let’s look at all the people who are going to the airport. Statistically, 30% of those people enter their home address or location to search for an itinerary. You now have a list of adresses of people that are going to the airport and are, possibly, not going to be home for a few days. Do I need to go on?
Breaking and Entering
Julia, allegedly not named after the programming language[citation needed], penetration tester and VIS alumna, recounted some of her engagements and how she got into places, where she wasn’t supposed to be. Besides the usual smoking-break-tailgaiting she explained how social engineering in general can be used during engagements while casually flexing never having had to use her get-out-of-jail-free card.
A Year in AI
Max and Nicolas brought the audience up to speed in all things AI in The fsued news show all while tracking NVidia’s stock price and the $/MTok of the best™ models throughout the year. Following the style of the fnord Jahresrückblick, it was a lighthearted and informative talk, leading to lots of discussion with and amongst the audience - a wonderful talk to end the day with.
The Hallway Track
Next to the talks there were of course some company booths, one with the obligatory lockpicking challenge. After patiently waiting in line for the people ahead of me to pick the lock or give up, I gave it a try - 44 metric seconds 😎. Although I preferred the quality and diversity of the first two VIScons, it was a good event overall and I’m glad I went. I can’t wait for the next VIScon.