
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

4 posts categorized "Events, Conferences, Symposiums"

OMG-WTF-PDF Dénouement

You may have heard something in the news about PDF recently… By the power of Google!

What's all this then?

I recently gave this presentation at the 27th Chaos Computer Congress in Berlin. For some reason, the slides never made it from Pentabarf to the Fahrplan. (They should be here: http://events.ccc.de/congress/2010/Fahrplan/attachments/1796_27C3_Julia_Wolf_OMG-WTF-PDF.pdf Currently 404, not by intent.) So first order of business, here are the long sought after slides: 27C3_Julia_Wolf_OMG-WTF-PDF.pdf (I have had so many requests for these.)

Continue reading "OMG-WTF-PDF Dénouement" »

World's Smallest PDF

About That PDF Thing

At PH-Neutral, I recently presented a bunch of information about how no two PDF readers will see a PDF file in the same way. Which is useful if you're trying to sneak an exploit past a smart A/V scanner. [Unfortunately, most A/V scanners are not even smart enough to find an exploit sitting in easy-to-read plaintext at the top of a well-formed file.]

Someone took a picture of one of my slides, which has been quite popular, based upon the number of retweets and views.

So, I'll explain how this works, for the benefit of everyone who wasn't there at the time…

Continue reading "World's Smallest PDF" »

Conference Stuff

The Present

Hi-ho, Julia here. So, here's a summary of computer security conference related things that I'm involved with.

I'll be at the RSA Expo for at least one of the days next week (probably Wednesday). So if you see a blue-haired weirdo wandering around, asking vendors difficult questions¹, that's probably me. If you would like to wander around the Expo for free too, then enter the code EC10FIR [Expires Friday Feb 26] into the appropriate field from wherever this link <Register Now!> may lead you. You'll need to register — enter a bunch of personal information about yourself first, so that you can get a ton of junk mail later this year. However, note that the only thing they actually seem to check when you pick up your badge at the expo, is the name on your government issued photo ID. So, in previous years my job title has been Professional Tomato Squeezer, working for the Instrumentality of Penguins Project — which is how I know when marketers are using RSA's mailing list.

FireEye has a booth at RSA this year (Booth #332). See also: Official FireEye RSA2010 Stuff.

The Past

And from last October, these are my ToorCon 11 Slides [ironically PDF]. They're almost the same as the ones from my Brucon talk, but with a little more stuff.

The Future

I'll be presenting a talk at PH-Neutral 0x7DA on how to do horrible things with PDF files. Not just exploits and syntax abuse/obfuscation, but tricks like generating the Mandelbrot set with the halftone screen spot functions.

I'm thinking of submitting a talk to Black Hat or Defcon. Are there any topics that you, the reader, would like to hear me talk about? Sure, I could do an in-depth technical talk on a specific botnet. Or a less-in-depth presentation on a whole bunch of different malware. Or a talk about reading/writing exploits and reverse engineering. Or an actually-good-talk on old-school phreaking. Of course, Defcon being Defcon, I could probably submit a talk on Goetic demon summoning (with live demonstration!) and it would get accepted. So… suggestions?

I promise that my next blog post will have more crypto and hexdumps in it.


¹ For example…
Vendor: Our product is software that you install on your Windows laptop, which calls home to check if it has been stolen. And if so, deletes sensitive documents to keep them from falling into the wrong hands.
Me: So, what if rather than booting the laptop into Windows normally, the person who stole the laptop takes the hard drive out and reads the data with Linux?
Vendor: <crickets chirping> … You'll need to talk to one of our engineers.



Julia Wolf @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com

Upcoming Jan & Feb events we're presenting research

We're sharing our research at the upcoming ISOI6, the US Dept of Defense Cyber Crime conference, Internet2 Joint Techs, and at ShmooCon. If you are attending any of those events, we'd love to meet you in person! Alex talks about McColo, I'll be discussing Web malware in government networks, Stu covers the latest in malware obfuscation tactics, and Julia dives into the Srizbi botnet takedown. For dates, times, topics, & locations, please read on.

Continue reading "Upcoming Jan & Feb events we're presenting research" »