DEFCON 2025
Another DEFCON in the bag. The recent DEFCONs have lost a little bit of the magic of when I first started attending. Security itself has grown up a lot since I started going. I guess we all have too. It’s all understandable, if a bit disappointing. A not-insignificant part of me would love to recapture some of the earlier magic I felt first being around others that wanted to learn and share and break things. It felt like a space that most people would rather not be in, which made it a bit safer for those of us that did. Now it’s safer for the masses, but the outside has come in. I think I ended up meeting more spouses and first time attendees than I did people with real security experience. There’s something beautiful about that, but it also feels like it puts us all “on display.” Come to DEFCON, look at the hackers in their wild habitat!
I went this year with an actual goal: to better understand how my choices with core might fare in front of people who know a thing or two about f****** sh** up. Way more than me, at least.
I didn’t get into it as much as I would’ve liked, but did get a chance to chat with the fine folks at the DDoS village and the Crypto and Privacy Village.
DDoS
Core’s current implementation seems to be fairly robust (we’ve solved the application logic component to a first order approximation) but it’s 100% public and unsuitable for any sort of public-internet-facing deployment. Core, being fundamentally a project aimed at facilitating inter-agent communication, should be somewhat more secure than this and ideally made more generally available. We have designs on inter-research-group systems over the public internet… at some point at least.
The DDoS village suggested that rate-limiting is probably the key mitigator of most DDoS methods (e.g., SYN flood). The best way to do that is use something like an off-the-shelf reverse proxy, but one of the ideas I’m fond of right now is simpler deployment stacks. Docker is fine, but ending up with some 7-container docker-compose file is starting to feel a little frustrating and insecure to me for other reasons. I can’t help but feel like in the long run, that’s not sustainable in the work we do right now. I think more code will need to be auditable, and a massive software stack is an obstacle to that. More and more I’ve just been doing single VM deployments with an open port. I like that core can just run as a service rather than needing any sort of measurable “stack”. I’ll think a little more about this in a post sometime soon.
Q: Is rate limiting inside of the application out of the question?
Crypto & Privacy Village
(crypto means cryptography)
To the kind individual who actually looked at my beginner “crypto” code: thank you. I didn’t catch your name, but I really appreciate it. Always tough to hear “this is what a lot of beginner encryption code looks like, I can def figure out how to attack this,” but humbling.
Encryption to me is a key final addition to truly make this current version of core “feature complete.” I don’t envision doing anything fancy for core (the opposite actually), and I definitely am not trying to reinvent the encryption wheel. What I do want to guarantee is that there is a protected “Data” section of core’s blackboard posts, making it useable in more environments than it would be if it were completely public (i.e., only deployable in “trusted” environments). My goal is that it’s protected with reasonable security that works for both the corporate policy and the end-user.
Corporate and enterprise IT policies are getting pretty concerned with… well… everything. If core can offer a “middle ground” balancing:
- ease-of-use
- ease-of-deployment
- security
- ephemerality
then I believe we will have solved a real use case, certainly for research and perhaps more broadly. Not holding my breath necessarily on that second one.
I realized as I was convalescing yesterday that, complicated feelings aside, through a couple of short conversations I ended up with a seemingly infinite thread of real, meaningful learning to tug on. I got names, which led to projects, which led to good examples for me to read and pull from in my own work… damn if that isn’t the magic of DEFCON still working.
2025-08-13 11:41