
Revisiting the BlackHat BCard hack of 2018 - sus_007
https://hackaday.com/2019/10/18/revisiting-the-blackhat-hack-how-a-security-conference-was-pwned/
======
todd3834
I remember when I was a kid and thought that hacking was this intense activity
of "breaking in". Movies like Hackers really captured my imagination. Some
vulnerabilities and hacks truly are incredible like Stuxnet[0]. However, after
creating software for many companies for many years you start to realize that
most of the "hacks" were just someone not being careful enough. A PM dropped
the ball on a project, security wasn't even informed of the project, there was
no security team, or some other simple mistake. One of the companies I worked
at hired security experts to train us how to write more secure code and you
wouldn't believe how bored the room looked. Almost no one was paying
attention, even the junior engineers who were the primary reason for the
training.

Anyways, as long as humans are writing code and organizations function the way
they do today these exploits are going to continue happening.

0: [https://en.wikipedia.org/wiki/Stuxnet](https://en.wikipedia.org/wiki/Stuxnet)

~~~
yoloClin
> One of the companies I worked at hired security experts to train us how to
> write more secure code and you wouldn't believe how bored the room looked.

That's indicative of a bad/dry trainer. A good trainer should easily be able
to captivate the room with interesting anecdotes, war stories and general
humor while teaching good, factual, actionable information.

Security should be fun, especially when you're coming from a developer
perspective and you get to break everything instead of fixing it for once.

It's a real shame you had that experience, because the world really needs more
security-oriented developers.

~~~
todd3834
Personally I found it pretty captivating and actually have been friends with
the trainer for years now. That part didn’t seem relevant but now it does. I
think he was probably the best teacher on the subject I’ve ever met and was
very entertaining to me.

I just think the audience wasn’t into learning. That might have been a culture
problem at that company. It is hard to imagine something similar happening
where I’m at now.

Also not sure why you got downvoted. I think it was a fair response.

------
yellow_lead
This is why Defcon doesn't ask for attendee information and only accepts cash.
What an embarrassment.

------
BlueGh0st
> the range of valid IDs was between 100000-999999, and there were about 18,000
> attendees

> Using Burp Suite, the task would take about six hours.

I really don't think you should be using Burp Suite for this number of
requests. IME you're begging for a crash.
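The numbers quoted in that comment (a six-digit ID space of 900,000 values, only about 18,000 of them valid) are also what makes this kind of enumeration easy to spot on the server side: a client walking the range in order gets a 404 on roughly 98% of its lookups. The following is an added example, not code from the article, from Black Hat, or from anyone in this thread; it runs a simple detector over constructed access-log lines. The `/lookup?id=` path, the IP addresses, the log format and the thresholds are all assumed for illustration.

```python
"""Detect sequential-ID enumeration against a lookup endpoint from access logs.

Added example, not code from the article or from any commenter in the thread.
The log format, IP addresses, endpoint path and thresholds are constructed or
assumed for illustration.
"""
import re
from collections import defaultdict

# Figures quoted in the thread: IDs were six-digit values in 100000..999999
# and roughly 18,000 of them were valid.
ID_LOW, ID_HIGH, VALID_IDS = 100000, 999999, 18000

# Apache common-log-style line; the /lookup?id= path is a hypothetical stand-in.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /lookup\?id=(?P<id>\d+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \d+$'
)


def valid_id_density(valid=VALID_IDS, low=ID_LOW, high=ID_HIGH):
    """Fraction of the ID space that maps to a real badge.

    With the thread's figures this is 18000 / 900000 = 0.02, so a client
    walking the range sequentially sees a 404 on about 98% of its requests.
    That miss rate, combined with strictly increasing IDs, is the signal.
    """
    return valid / (high - low + 1)


def parse_line(line):
    """Return (ip, id, status) for a lookup request, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("id")), int(m.group("status"))


def find_enumerators(lines, min_requests=25, min_miss_rate=0.5, min_sequential=0.8):
    """Return {ip: stats} for clients whose lookup traffic looks like enumeration.

    A client is flagged when it has made at least `min_requests` lookups, most
    of them returned 404 (the ID did not exist), and most consecutive IDs it
    requested differ by exactly 1 (a scanner walking the range in order).
    """
    per_client = defaultdict(list)          # ip -> [(id, status), ...] in log order
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ident, status = parsed
            per_client[ip].append((ident, status))

    flagged = {}
    for ip, reqs in per_client.items():
        if len(reqs) < min_requests:
            continue
        ids = [i for i, _ in reqs]
        misses = sum(1 for _, s in reqs if s == 404)
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for d in steps if d == 1) / len(steps)
        miss_rate = misses / len(reqs)
        if miss_rate >= min_miss_rate and sequential >= min_sequential:
            flagged[ip] = {
                "requests": len(reqs),
                "miss_rate": round(miss_rate, 3),
                "sequential": round(sequential, 3),
                "span": (min(ids), max(ids)),
            }
    return flagged


def constructed_log():
    """Build a small synthetic log: one scanning client and two ordinary users."""
    lines = []
    stamp = "[10/Aug/2018:09:00:00 +0000]"
    # Constructed scanner at 198.51.100.7 walks 100000..100049 in order; two IDs exist.
    hits = {100012, 100037}
    for ident in range(ID_LOW, ID_LOW + 50):
        status = 200 if ident in hits else 404
        lines.append(f'198.51.100.7 - - {stamp} "GET /lookup?id={ident} HTTP/1.1" {status} 512')
    # Ordinary users look up the one badge they actually hold.
    lines.append(f'203.0.113.5 - - {stamp} "GET /lookup?id=123456 HTTP/1.1" 200 512')
    lines.append(f'203.0.113.9 - - {stamp} "GET /lookup?id=654321 HTTP/1.1" 200 512')
    lines.append(f'203.0.113.9 - - {stamp} "GET /static/logo.png HTTP/1.1" 200 9000')
    return lines


if __name__ == "__main__":
    for ip, stats in find_enumerators(constructed_log()).items():
        print(ip, stats)
```

The same miss-rate logic works as a rate-limit trigger at the application layer; the more durable fix is to stop issuing guessable sequential identifiers for anything that can be looked up without authentication, so that a scanner has no dense range to walk in the first place.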

