DefCon 18

It’s been a few weeks now and I haven’t posted about attending DefCon 18 in Las Vegas. I’ve been letting it fester a bit before talking about it. Time to get it down.

First of all, what is it? It’s a hacker convention, but don’t get the wrong idea here. Most (though certainly not all) of the people there have no interest in stealing the passwords to your bank account. Certainly I’m not. My interest stems from the same place my interest in physics comes from: how is the world put together? What can you do with it?

Also, I run all of my own servers. I have had direct experience of having them hacked (many years ago, thank God) and see the daily barrage of kiddie scripts from South Korea and China trying to gain access to my systems.

So let me give you some highlights of the events of the three days:

Meeting Captain Crunch

Captain Crunch showed up at the opening picnic, under the center tent. He’s famous in the community for figuring out in the 1960s that a whistle making a sound at 2600 Hz over a telephone line would trick Bell’s computers into switching your call to a cost-free line. His name comes from the fact that whistles given away free inside a box of Captain Crunch cereal would use exactly that pitch. Later, he started making blue boxes to replicate the sound. One of the people who profited from sales of those boxes was future Apple founder Steve Jobs.

The Keynote Speech

Given by the head of technology for Facebook, the speech was interesting but nothing to write home about. Far more interesting were the people I was sitting next to. On my left was a sysadmin for a series of Portland, Oregon coffeehouses. On my right was the gentleman (“John”) in charge of securing all of the computers on the .mil network (all of the Pentagon computers, for starters). And, interestingly, the three of us had a great and useful discussion afterward.

How It Works

The easy part is going to the lectures, but if that’s all that you do you will be wasting your time. The best idea is to start conversations with the people around you. Everyone here has a similar interest and mindset. I saw perhaps eight speeches of varying quality, but the folk that I randomly bumped into in the halls were at least as interesting as the speakers.

Sample Lecture One: Hacking ATMs

This was one of the most popular sessions and I did not get to see it myself. However, I got brought up-to-date with someone who did sit through it. Not as interesting as the video makes out. I had visions of all the ATMs at the Bellagio spewing cash after this speech, but that’s not really what happened. The hacker had to be able to purchase the ATM on the open market to experiment with it, then had to find an active machine to work on. He had to have physical access to the internal system in order to update the firmware. Only then did the machine start to throw cash around. Not very impressive in the end.

Sample Lecture Two: Eavesdropping on GSM Cellphone Conversations

I was also unable to attend this one (Saturday mid-day lectures were horribly overcrowded). This one worked as advertised. Despite warnings not to give the speech by the FCC, the hacker set up about $1500 worth of ham radio equipment and proceeded to take over everyone’s cellphone in the hotel. Every call they made was routed through his setup. Every call anyone made was prefaced with a warning, “Your conversation is being recorded.” And at the end of the presentation, the speaker takes out a USB keydrive with all of the recorded conversations and publicly cuts it in half. More info on this interesting and entertaining presentation here.

Sample Lecture Three: China’s Cyber Army

This one did not happen. The presenters were told by the Taiwan government not to give it, so they gave a technical lecture on securing SQL databases instead. From information on the web (corroborated in part by .mil’s “John” above), China is the biggest official problem in computer and data security. Furthermore, the US is not their sole or even their most important target. Taiwan and China have had an ongoing, undeclared cyberwar for a couple of years now, which was going to be the heart of this talk.

There is some public information available, which multiple people pointed me to, here and here. Very interesting, and I would have loved to have heard more.

Sample Lecture Four: The Power of Chinese Security

This was interesting, but not in the way I thought it would be. There were three speakers, each with a different specialty. The first one was a native Hong Konger, who spoke with a very thick accent. His information, on how the Great Firewall of China operates, was of great interest and I took extensive notes. The second speaker was a volunteer developer for TOR, who became famous soon afterward. He’s also a volunteer developer for WikiLeaks and he was detained by customs officials prior to entering the US. All three of his cellphones were confiscated.

Unfortunately, the speech was not so interesting. His concern was to free the Chinese people of the Great Firewall with a publicly available service like TOR. While there were some interesting problems involved, nothing of interest to me in particular (though he did have an interesting judo-style attack in mind for re-setting the Great Firewall IP blocks). The last speaker, whom I had just heard in an Android cellphone rootkit presentation, gave a long, useless lecture on Green Dam, a discontinued project by the Chinese government to legally bug all computers in China.

Sample Lecture Five: Moxie Marlinspike

This lecture had no interest to me at all, but I’d met people who work with this guy. “Changing Threats to Privacy: TIA to Google.” No interest at all. Wow! I’ve never felt so much that I was living in a science fiction novel as when I was listening to this guy. Tracking the flow of social networking data was never so interesting … Completely dissected the worldview of Neal Stephenson (data havens and crypto) and showed why, outside of China and Iran, it never happened and what it has been replaced with.

Contests and Parties

There were lots of contests. The best one was the Social Networking Room, where hackers get people working at major corporations and positions to give up sensitive data or visit websites in ways that would allow an unscrupulous sort to hack into them. The data they wanted? The operating system the person worked on, programs (with version numbers) they had, if they had wifi and if they used out-of-house backup services. We watched as several companies fell by the wayside.

At the end, Kevin Mitnick stands up. He’d earlier volunteered for an attack on Microsoft, but his lawyer talked him out of it. He presented it to the audience and it was simply brilliant.

Does this sort of thing have any legitimate use? Yes. The bad guys do it, so we need to know how. The person sitting next to me in the presentation did this sort of thing for a living. When his security firm starts working with a new client (almost always a bank or financial institution), he does a social attack on them exactly like we were watching. They then train their clients to recognize and prevent these kinds of attacks.

And the surprise of the contest? Google. Every other target succumbed almost immediately. Not Google. I watched three different conversations where the Google employee simply hung up the phone on the attacker. No other company came close.

Other contests included a race to chill a pint of beer. Another was to hack as many set computers as possible, then protect them from other teams. Another was to take a mass of wireless data and surmise the usernames and passwords from them. I believe the record was for 50,000 combinations. And there was the Wall of Sheep, an automated sniffer that would show the username and (obscured) password of every non-protected wifi user at the show.

Oh, and parties? Not for me. Too used to my early morning awake, early to bed life of raising kids and running a business. I was in bed by 10 every night. I did win at blackjack though …
