[HITB-Announce] #HITB2015AMS Call for Papers is Open

2014-12-09 Thread Hafez Kamal

Happy December everyone - It's that time of the year again when we ask
you to submit your latest and greatest research papers for HITB Security
Conference in Amsterdam! Our 6th annual event in The Netherlands takes
place at the Beurs van Berlage from the 26th - 29th of May 2014.

Event Website: http://conference.hitb.org/hitbsecconf2015ams/

As always we start with 2-days of hands on technical trainings followed
by a 2-day triple track conference. Alongside HITBSecConf, we'll also
be holding HITB Haxpo on the 27th, 28th and 29th of May at De Beurs van
Berlage and entrance to the Haxpo arena is COMPLETELY FREE and OPEN TO
PUBLIC.

With support and backing from the Amsterdam Economic Board (AMEC), HITB
Haxpo is a technology exhibition that brings together hackers, makers,
builders and breakers in a celebration of innovation and outside the box
thinking! We've got areas dedicated to showcasing hackerspaces, makers
with 3D printers, laser cutters and other fabrication goodies, a Lock
Picking Village by TOOOL Netherlands, a developer hackathon and our
attack and defense Capture the Flag live hacking competition plus an all
new Start Up Village!

---

HITBSecConf is a deep-knowledge, highly technical conference and we're
looking for material which is new, fresh and preferably something which
hasn't been presented previously. In short, show us your 0days!

Submission Deadlines:

   Round #1 selection: 1st February 2015
   Round #2 selection: 1st March 2015


Submissions will be evaluated in 2 rounds. If all slots are filled
in the first selection round, we will close CFP early so DON'T DELAY
SUBMITTING!

HITB CFP: http://cfp.hackinthebox.org/


===

Each accepted submission will entitle the speaker(s) to
accommodation for 3 nights / 4 days and travel expense reimbursement
up to EUR1200.00 _per speaking slot_

Topics of interest include, but are not limited to the following:

  Cloud Security
  File System Security
  3G/4G/WIMAX Security
  SS7/GSM/VoIP Security
  Security of Medical Devices
  Critical Infrastructure Security
  Smartphone / Mobile Security
  Smart Card and Physical Security
  Network Protocols, Analysis and Attacks
  Applications of Cryptographic Techniques
  Side Channel Analysis of Hardware Devices
  Analysis of Malicious Code / Viruses / Malware
  Data Recovery, Forensics and Incident Response
  Hardware based attacks and reverse engineering
  Windows / Linux / OS X / *NIX Security Vulnerabilities
  Next Generation Exploit and Exploit Mitigation Techniques
  NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

WHITE PAPER: If your presentation is short listed for inclusion into the
conference program, a technical white paper must also be provided for
review (3000 - 5000 words).

Your submissions will be reviewed by The HITB CFP Review Committee:

Charlie Miller (formerly Principal Research Consultant, Accuvant Labs)
Katie Moussouris, Chief Policy Officer, HackerOne
Marco Balduzzi, Lead Research Scientist, Trend Micro
Itzik Kotler, Chief Technology Officer, Security Art
Cesar Cerrudo, Chief Technology Officer, IOActive
Jeremiah Grossman, Founder, Whitehat Security
Andrew Cushman, Senior Director, Microsoft
Saumil Shah, Founder & CEO, Net-Square
Thanh 'RD' Nguyen, THC, VNSECURITY
Alexander Kornbrust, Red Database
Frédéric Raynal, QuarksLab
Shreeraj Shah, Founder, BlueInfy
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF/ISECOM
rsnake, SecTheory
Gal Diskin, Intel
Skyper, THC

Note: We do not accept product or vendor related pitches. If you would
like to showcase your company's products or technology at HITB Haxpo
(which also has its own set of speaking slots), please email
i...@haxpo.nl or conferencei...@hackinthebox.org to request a
sponsorship kit.

Regards,
Hafez Kamal
Hack in The Box (M) Sdn. Bhd
36th Floor, Menara Maxis
Kuala Lumpur City Centre
50088 Kuala Lumpur, Malaysia
Tel: +603-26157299
Fax: +603-26150088


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/0fcy0rn2-m52k-f4ug-wy7x-6b3isrweh...@hackinthebox.org



Re: SSL 3.0 and older ciphers selected in applications

2014-12-09 Thread Daniel Pocock


On 08/12/14 21:28, Daniel Pocock wrote:
> On 08/12/14 21:16, Kurt Roeckx wrote:
>> On Mon, Dec 08, 2014 at 08:17:53PM +0100, Daniel Pocock wrote:
>>> If I understand your reply correctly, the version in Ubuntu and Fedora
>>> will still talk TLS 1.0 with the version now waiting in jessie?
>>
>> Yes.
>>
>>> Do you believe it would be reasonable for me to request a smaller
>>> unblock that just changes the call TLSv1_method to SSLv23_method?
>>
>> That depends on whether it's acting as client or server.  If it's
>> acting as server I say yes.  If it's acting as client I suggest
>> you also have a way to turn off TLS 1.2.  I understand that it
>> needs to be able to talk to many different things and TLS 1.2 has
>> been breaking things it shouldn't and you already indicated
>> problems with some products.  But maybe it just needs to be used
>> for a while with the SSLv23 method to see if there are problems or
>> not.
>
> It plays a few roles:
>
> a) repro acts as a WebSocket server (for WebRTC)
>
> b) in federated SIP, repro acts as both server and client
>
> c) in a phone system, repro acts as server (e.g. my home phone system
> has some Polycom desk phones, Jitsi with JDK1.7 and Lumicall on Android
> as clients)
>
> d) people use the reSIProcate library in all kinds of products where it
> is client (e.g. in Counterpath softphones) or server (e.g. in some
> commercial Session Border Controllers).
>
> All of these use cases are supported by the Debian packages.
>
> For the SIP proxy, repro, the smallest possible change to use SSLv23 as
> default would involve touching 6 lines of code in repro/ReproRunner.cxx,
> replacing SecurityTypes::TLSv1 with
> SecurityTypes::SSLv23 on each.  As well as changing the server behavior,
> this also has the effect of enabling TLS 1.2 when acting as client in a
> federated SIP connection.
>
> For other uses of the library it is up to the developer to select SSLv23
> when they call SipStack::addTransport

Thanks for this feedback, I made a patch for the existing package and
submitted another unblock:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772634

To keep the change smaller, I just hardcoded it to use SSLv23_method and
not to use TLS 1.2 for any client connections.  This is still an
improvement over the previous behavior of the package using TLS 1.0 for
everything.


-- 
Archive: https://lists.debian.org/54875743.1050...@pocock.pro
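The thread turns on one OpenSSL detail: a fixed-version method such as TLSv1_method speaks exactly one protocol version, while the version-flexible SSLv23_method (renamed TLS_method in OpenSSL 1.1.0) offers every version it was built with minus whatever SSL_OP_NO_* options disable, and the handshake settles on the highest version both peers offer. The model below is an added example, not code from the thread, from reSIProcate/repro or from the Debian packages; it simulates only that version-selection step (no ciphers, certificates or record layer) and the peer configurations in `thread_scenarios` (which options the Ubuntu/Fedora build sets, what a desk phone speaks) are assumptions labelled as such.

```python
"""Model of OpenSSL protocol-version negotiation: fixed-version methods
versus the version-flexible SSLv23/TLS method with SSL_OP_NO_* options.

Added example; it mirrors the rule used by OpenSSL's version-flexible
method (pick the highest version both sides allow) and nothing else.
"""
from dataclasses import dataclass
from enum import IntEnum


class Version(IntEnum):
    """Protocol versions as they appear on the wire (major << 8 | minor)."""
    SSLv3 = 0x0300
    TLSv1 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303


# What each OpenSSL method is willing to speak before options are applied.
# SSLv2 is left out: Debian builds OpenSSL without it.
METHODS = {
    "SSLv3_method": {Version.SSLv3},
    "TLSv1_method": {Version.TLSv1},
    "TLSv1_1_method": {Version.TLSv1_1},
    "TLSv1_2_method": {Version.TLSv1_2},
    "SSLv23_method": set(Version),  # version-flexible, negotiates
}

# Each SSL_OP_NO_* option removes one version from the offer.
OPTION_DISABLES = {
    "SSL_OP_NO_SSLv3": Version.SSLv3,
    "SSL_OP_NO_TLSv1": Version.TLSv1,
    "SSL_OP_NO_TLSv1_1": Version.TLSv1_1,
    "SSL_OP_NO_TLSv1_2": Version.TLSv1_2,
}


@dataclass
class Peer:
    name: str
    method: str
    options: frozenset = frozenset()

    def offered(self):
        """Versions this peer will accept: method range minus disabled ones."""
        versions = set(METHODS[self.method])
        for opt in self.options:
            versions.discard(OPTION_DISABLES[opt])
        return versions


def negotiate(client, server):
    """Highest version both peers offer, or None when the handshake fails."""
    common = client.offered() & server.offered()
    if not common:
        return None
    return max(common)


def thread_scenarios():
    """Interoperability cases from the thread. Peer setups are assumptions."""
    jessie_unpatched = Peer("repro, jessie, unpatched", "TLSv1_method")
    # Assumed: the Ubuntu/Fedora build uses the flexible method with SSLv3 off.
    other_distro = Peer("repro, Ubuntu/Fedora (assumed)", "SSLv23_method",
                        frozenset({"SSL_OP_NO_SSLv3"}))
    patched_server = Peer("repro, jessie patched, as server", "SSLv23_method",
                          frozenset({"SSL_OP_NO_SSLv3"}))
    # The unblock keeps TLS 1.2 off for client connections.
    patched_client = Peer("repro, jessie patched, as client", "SSLv23_method",
                          frozenset({"SSL_OP_NO_SSLv3", "SSL_OP_NO_TLSv1_2"}))
    old_phone = Peer("desk phone (assumed TLS 1.0 only)", "TLSv1_method")
    sslv3_only = Peer("legacy client (assumed SSLv3 only)", "SSLv3_method")
    return {
        "other distro -> unpatched jessie": negotiate(other_distro, jessie_unpatched),
        "patched jessie client -> other distro": negotiate(patched_client, other_distro),
        "old phone -> patched jessie": negotiate(old_phone, patched_server),
        "sslv3-only client -> patched jessie": negotiate(sslv3_only, patched_server),
    }


if __name__ == "__main__":
    for case, result in thread_scenarios().items():
        print(f"{case}: {result.name if result else 'handshake fails'}")
```

The first case is Kurt's "Yes": a flexible peer still talks TLS 1.0 to the unpatched jessie server because 1.0 is in both offers. The second shows the effect of Daniel's patch as client (TLS 1.1 rather than 1.2, because SSL_OP_NO_TLSv1_2 removes 1.2 from the offer), the third that switching the server to SSLv23 breaks nothing for a TLS-1.0-only phone, and the last that an SSLv3-only peer is refused once SSL_OP_NO_SSLv3 is set, which is the point of the thread's subject. In OpenSSL 1.1.0 and later the same policy is expressed with SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version instead of per-version SSL_OP_NO_* flags.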



Testing needed for xorg-server security update

2014-12-09 Thread Moritz Muehlenhoff
Hi,
there's been a new release of xorg-server fixing multiple security
vulnerabilities: 
http://lists.x.org/archives/xorg-announce/2014-December/002500.html

The update is ready for Wheezy/stable and has been successfully tested 
on an Intel graphics adapter.

But since different hardware will exercise different code paths and
since the backported patches are rather huge in size, I'd like to
have some additional pre-release testing from people running Debian
stable/wheezy with the nouveau driver or the radeon driver. (Additional
testing with the intel driver would be great as well.)

You can fetch the updated packages for i386 and amd64 at 
http://people.debian.org/~jmm/

Since a lot of the changes involve GLX, you could e.g. test with OpenArena
or Nexuiz. Playing games _and_ helping out Debian, when do you ever have 
the chance for that :-)

Please report success or errors to t...@security.debian.org

Cheers,
Moritz


-- 
Archive: https://lists.debian.org/20141210055604.GA3114@pisco.westfalen.local