Monday, August 20, 2012

DEFCON 20: The Coming Of Age

My first DEFCON began five summers ago, right after I met Roland.  He told me in three weeks he'd be flying down to Vegas.  I immediately knew what con he was talking about.  I'd dreamed of attending since I'd first heard about it in the late 90s.  I hadn't gone for two reasons: as a penny-pincher, I didn't like wasting my money on plane tickets, and... I didn't think I had any right to be there.

Awesome Track 1 Stage. Each bit is hanging in 3D.
A projector makes this interesting throughout the con.
I couldn't have been more wrong on both counts.  That was 2008, DEFCON 16.  I flew down and I had a blast.

Now it's 2012, and the 20th DEFCON known to mankind.  To put history into perspective, the first Defcon began right about the time the World Wide Web was being invented.  It was before Yahoo, before Amazon, before blogs.  It started during a time when terms like "email" and "download" were known only to a small minority of people, an extremely niche subculture.  I remember that time, even if I do not remember the first Defcon.

Like every year, this con was bigger.  Way bigger.  I would estimate, based on badge sales rumors, that there were roughly 16-19,000 people total.  (There were thankfully plenty of badges -- no one went home with a paper badge).  And not only did I feel like I belonged, I felt like a veteran.

Almost everyone I talked to said this was their first Defcon. When speakers asked for shows of hands, about 40% of the hands went up. This was a Defcon of newbies. Welcome n00bs.

The theme for me this year is a lesson that has been slowly dawning on me for the past half-decade.  It's a lesson that applies to all areas of life: Hacking is Doing.  The winners, leaders, experts, and elite in life are those who simply DO.  Life isn't High Fantasy.  No one is born The Chosen One.  Magic powers aren't something you're born with.

Destiny is guided by doers.  Not even by people who decide they want to be good at something -- but people who decide they want to learn.  People who want to play.  People who take a little time to do more than simply consume.  Those who make something.  There is no certification for cool.  There is no pay-wall, and all l33tist clique-barriers are social illusions -- merely games played by doers.

Fun facts: They let anyone into Defcon.  And you can be a hacker, too.

Want to be an expert at crypto?  Go solve some puzzles.  Want to learn about application security hands-on?  There's an app for that.  Want to play at being a hacker, or even become an expert?  If you have a mind for wiggling through cracks -- and if you're interested, it means you have a mind for it -- then go get it. Any other related field: hardware, programming, lockpicking, Morse code. Go learn it just because. There are some links, and you've got Google.  No time has ever been easier. (A shout-out to two more hacking-related games: Telehack and Uplink.)

The field is wide open.  I don't work in IT anymore, but if I did, I'd head straight for a job in infosec.  Unemployment is less than one percent.  You do not have to be Uber to be useful in this field.  Pen Testing is about finding low-hanging fruit -- the obvious numb-headed simple security flaws that anyone could find, if organizations gave a crap and bothered to hire you.  If I wasn't focusing on this writing career, I'd go immediately into that field.  And I'd be damn good at it.  Even though I'm a newb.  All it takes is a driving curiosity and an passion for peering inside closed boxes.

Did I mention Defcon is inspiring?  It was especially inspiring this year.

Lost preached the "Just Do Things" message every time he had a mic in front of him. As I said, it's a lesson life has been slowly teaching me, and Lost is a perfect example of this. As he tells it, he came to Defcon not that long ago as a newbie and immediately involved himself.  He started up a robot building party in one of the rooms and gathered lots of people.  He made himself official.  Simply by doing.  Now he's one of the "Elite", and his point, which he drove home over and over is: You should just go do things, too.

All DEFCON Badges Designers are born with a special birthmark,
proving their magical birthright from the gods.
(Not really.)
While I made a lengthy critique of the badge puzzle this year, the lasting message is that there was a badge puzzle this year.  Because Lost went and did it.  Not only that, but even though I made no progress on solving it, it rekindled my interest in puzzles for the second year in a row.  Three weeks after Defcon I'm still rabidly chasing puzzles.  I'm playing The Secret World because it has puzzles (and we are introducing two of our kids to the same joy).  I'm casually poking at TryThis0ne when I get time.  And I've started playing text adventures again, something I've not seriously done since I was 12.  (A Scott Adams girl here.)  My mind is filling with ideas for puzzle games that I could write, and even though I know I won't have time to actually do them, the energy is spilling into my other work.

Everything cool at Defcon exists because someone just up and did it.  From the electronic badges to the lockpicking village to each of the talks to the contest winners.  To the existence of Defcon itself.  People who are cool at Defcon are people who do.  There is no certification program, no minimum level of knowledge, and even the most expert black-badge CTF winner uber hacker still doesn't know some of the things you know, and is missing talents you possess.  It took me five Defcons to truly figure this out, so listen up.

Your brain is awesome, and it will grow to fill the requests you make of it.  A positive action is a butterfly wing-flap.  Not only can it cause awesome weather all over the world in places you never would have expected, but the workout builds the muscles in your wings until you become a mighty dragon.  Yeah, it's a cheesy metaphor, but I'm the one writing it... If you don't like it, go write your own metaphor.  That's the whole point of this rant.

I'd like to especially stress this message to women, who are more likely to wait to be given permission.  Don't wait till you're in your 30's to learn this lesson like I did, and if you're in or past your 30s?  Now is the best time to start doing.  If you need permission, here you go.  Permission granted, achievement unlocked, go do something.

This authentic WWII Enigma Machine was made by doers! Go make something!
So this year I'm going to focus more on doing.  I'm not going to worry about whether I'm qualified, or whether it will be cool.  I won't worry who the gatekeepers are, or if I'm smart enough to get very far, or if I might get tired and give up at some point.  I will not worry about any end-game.  I will just do what I find interesting and what will make me feel smarter when I'm finished.

DEFCON 20 was far more diverse.  As I said, lots of first-timers.  Sadly, accessibility comes at a cost.  The past two Defcons have been far more tame.  My first couple of Defcons, the twitter stream and rumor mills were full of exciting stories, and it was a bit of a game to anticipate hearing about the next antic.  The next prank, the next rumor of an arrest, the next hacked hotel facility, the next killer bee attack.  Of course every other story left us wondering if Defcon would be kicked out of the Riv.

This year?  I can't think of much that happened.  Not much at all, actually.  At least last year Sabu and the J3st3r were chasing each other around, and the phones got man-in-the-middled.

The downside of course is less excitement.  But less excitement equals less fear, and that's a beautiful upside!  The amazing feats this year seemed to be constructive, and that is something I can get behind.  Most notable, Ninja Networks built their own phone network and distributed special smart phones for those deemed l33t enough.  That's a trend I can support, and I'll just have to be grateful I got to experience the last few years of the wild-west-style DEFCON.

The Goons did an excellent job of Line Management this year.  Though I got in line at peak hours, I only had to stand there for about an hour.  I'd guess there were at least 3,000 people ahead of me.  And the line didn't block the hall.  For the most part, (with one exception), I did not find myself stuck in a between-panel hallway traffic jam.  I was allowed to sit in the same track across multiple talks, and there was (almost) always enough seating.  So very huge kudos to all those who pulled off that amazing social engineering hack.

Goon attitudes were definitely awesome this year.  It's not like the Goons ever sucked... I can't quite put my finger on it, but the Goons seemed more upbeat, and less... bossy?  More fun-loving?  Less oppressive?  Dunno what you guys did, but it was a joy to be ordered around by you guys this year.

On that same token, Defcon seemed like a better experience for women this year.  I've heard some pretty horrific stories, and like many geek cons, DEFCON has a reputation.  Personally, I've been protected from a lot of it since I attend every year with Roland.  But I've seen my share of sexist remarks in talks, and there was one incident last year involving Goons I thought worthy of filing a complaint over.

Yes, there were sexist remarks this year in talks and in hall-conversations.  But the culture made a definite shift in a positive direction.  Partly I'm sure due to official efforts, but also due to attendees taking action.  (See above about "doing".)  An attendee named KC distributed creeper cards, which brought awareness to the whole concept of sexual harassment, which seemed to have a huge overall effect.  In one talk, one of the Core Goons said something rather inappropriate to a woman asking a question at the microphone.  Instead of laughing, the audience groaned, and someone suggested he get a creeper card.

In general, sexist remarks (like tired jokes about being surprised there are any women in the room) met with very little reward.  So I expect next years Defcon to be a much more friendly environment for women.  Which is a good thing, because I saw more women as a percentage at Defcon this year than ever before. It helps that there are a number of female Core Goons, including Nikita, who can give a female voice in the upper echelons.  I am grateful for their hard work.

DEFCON Kids was growing up this year, too.  It makes me wish I could be a Defcon kid.  One of the most impressive things is that they have a Zero Day contest, in which kids find actual zero days in actual live systems, like online games.  I didn't write down the number, but this year they collectively found dozens of zero days.  We're talking twelve-year-olds here.  Just like it was in the late 80's, only now the adults are teaching them how to do it.  So awesome.

This year was the second at the Rio, and I think I missed the Riviera more than ever.  Every time I had a Defcon memory, it was set at the Riv, and I looked around to find myself in a different place.

I got to see way more talks this year than last.  The talks seemed to lean more technical, and since I'm not in the field anymore, I'm more interested in higher-level talks.  Things like theory and the state of global cyberwarfare and lock picking exploits and biohacking.  Talks on the five newly discovered SQL Injection Techniques with play-by-play how-tos aren't really useful to me.  So in a sense, the talks weren't much for me to write home about.  I probably managed to miss some really good talks, but there you go.  I'll highlight the ones that stood out.

Obviously the keynote by General Alexander, Commander, U.S. Cyber Command, Director, National Security Agency, is worth commenting on.  I had mixed feelings about his talk.

I love the fact that the NSA and hacker communities are finally on speaking terms.  I've read Crypto: How The Rebels Beat the Government Saving Privacy in the Digital Age, and understand the historical context.  The NSA fought every effort to bring encryption technology to the private sector, where it was sorely needed.  Remember when you couldn't export Netscape because of SSL?  Thank the NSA for that.  A lot of our core technologies like email and DNS are fundamentally non-secure for lots of reasons, but a big one is that the private and academic sectors had no access to cryptography, on threat of arrest.

So to see the NSA finally "getting it" on some level was amazing.  And to hear the head of the NSA agreeing with the hacker community on many levels was like Javert telling Jean Valjean that maybe the system was a little corrupt, and perhaps Valjean should be pardoned.

On the flip side, some other things he said made it very clear that the fundamental philosophies of the NSA are still quintessentially opposed to the philosophies of the hacker community.  So while the two groups are agreeing on a lot of the higher concepts, their root reasoning is still at odds.  For instance, after acknowledging that many things which shouldn't have been illegal are now legal thanks to hackers, he then made it very clear that all attempts to improve security should only be done above ground, within the legal sphere.

At its core, the Feds are still Javert.  They don't get that sometimes the law is fundamentally flawed, and that the only way to change those laws is to continually act against them to prove how flawed they are.  If it weren't for lawbreakers, we'd still be at 1980's level security, and encryption and the internet would be owned by true criminals.  (One could argue that this is actually the case.)

So his talk really rubbed me the wrong way.  The Feds are still the Feds.  Don't get me wrong -- hackers should absolutely go work for the NSA.  For starters, your country needs you.  For seconders, their philosophies aren't going to change without more of our culture on the inside.  Like last year, I still hold that the community should take advantage of these olive branches.  Get to work.

I also got to see an unscheduled talk by Kevin Mitnick in the Social Engineering room.  I'd always wanted to watch the Social Engineering contest, so when I had a moment, I wandered over.  Nothing much was going on, so I parked, waiting for the next round to start.  Soon it was announced that Mitnick would be there, and the room filled right up.  I had third-row seats, and got to listen to a lot of stories about Back In The Day.

I knew a lot of hackers Back In The Day.  They traded Zero Days and hacked payphones and cracked games and ran elite boards.  When the "Free Mitnick" campaign started, the hardcore hackers criticized Mitnick, saying he was merely a social engineer, and anyone can pick up a phone and steal a password.

I'm sorry, but those guys were wrong.  Mitnick had to know what he was talking about to call up software companies and get copies of source code.  He used a lot of technical hacks to secure social engineering hacks, and to be honest, he was far more hardcore that most of the tech-only hackers I knew.  He wasn't just hacking servers, he was hacking every single system he could get his hands on.  Including social systems.

And frankly, he deserved to get arrested.  Though a lot of the charges against him were trumped up, he committed a number of real crimes.  Nevertheless, his stories were very cool, and he was clearly a pioneer in this field.  If you ever get a chance to hear him speak, go take a listen.  You will learn more about the hows and whys of security than anywhere else.

I watched three social engineering contest rounds.  The contest works like this:  Contestants are give a list of 20 "flags" they have to capture.  Examples: What OS and browser version are you using?  Is it kept updated?  Who is your shipping vendor?  Do you have a cafeteria?

Contestants are placed in a sound-proof booth and are assigned a company to attack.  The moderator does all the dialing, and the audience can listen to the caller and the callee.

I learned so much from watching this.  The first guy called HP Sales, and claimed to be a new art student. He played dumb about computers, which not only made for a hilarious conversation, but he also managed to capture most of the flags.  I started to get an inkling what kind of information is important to a hacker, and combined with Mitnick's talk, I could easily see why.  Why would you want to know their shipping provider?  Well if you wanted physical access to the building, you might want to dress up as the UPS guy.  If you wanted to send a Trojan, you might want to know what exploits would work, so it would be good to know OS version and the type of anti-virus software.

The third guy was also interesting.  They gave him AT&T, which is notoriously difficult to sosh, and I quickly learned why.  He called a local retail store, and used an interesting (and entertaining) meta tactic.  He had done a lot of research ahead of time, which as Mitnick's stories proved, is very important because it makes you appear convincing.  He told her he was from internal security, and that the DEFCON hacker convention was going on, and they were doing social engineering contests, and for some reason, her store was on a list.  As an audience, we had to suppress our reactions to maintain silence, but inside I was dying of laughter.  It really doesn't get much more meta than that.

At first his strategy seemed to be working, but at some point she just clammed up.  She was well-trained, and about the time he started asking about their operating system, her red flags started waving.  She played it really cool and refused to answer his questions, or if she did, she did so vaguely.  I was very impressed.  The contestant's technique was probably too pushy, and he talked too much, but either way, it was obvious AT&T security had done its job on training.

So he tried again, to another store.  The guy he got started out pretty quiet, but after a while, out comes a fair amount of information.  Which goes to prove that security is only as strong as the weakest link.  And there will always be weak links, so the best route is to try to cover every single angle as best as you can.

I also learned about how innocent-seeming information can be leveraged.  If you're attending Defcon in the future, definitely check out this event.

I also saw the talk by Kevin Poulsen.  I remembered the article from Wired in 1999, which I re-read every few years.  Poulsen describes his exit from prison in 1996.  He went in in 1991, when BBSes reigned and the Internet was only available to academics and hackers.  I nearly cried every time I read his description of stepping out of jail and looking up at a billboard with URL printed on it.  When he went in, the web hadn't even been invented, and just five years later, mainstream advertisements were sending people to websites.  If you're interested in computer history at all, it's an article well-worth reading.

Like Mitnick's talk, Poulsen's was entertaining and old school and I learned that Poulsen was arrested for very good reason.  He'd definitely crossed that line from hacker to con man, and stole real money and property using some pretty ingenious schemes.  (As an aside, this Unsolved Mysteries episode made while Poulsen was still a fugitive is a beautiful bit of history.)

The parties were pretty great this year, and the Crystal Method concert totally rocked.  Roland and I danced  ballroom style.  I remember at one point, standing there awash in music and joy and marvel, thinking of my 16 year old Mormon self, with my first modem, logging onto BBSes.  I imagined how I would explain any of this life to her.  She was so very, very different from who I am now.  Although I am just now rediscovering how cool she was, too, and that's the person I'm uncovering as I do all these puzzles.

Like last year, I entered the Short Story Contest this year.  And I was given an opportunity to do a reading at the Forum Meetup.  I read my entry, "Where the Eye Lacks Message", to a small crowd of about ten people.  I hadn't prepared, other than a couple of practice readings in the room, and I didn't have a handy printout with underlines like I did at my Wayward Reading.  But I found reading from my smart phone to be almost as good, and perhaps in some ways, better.  Someone else decided to do a reading as well, and I really enjoyed it.  I wouldn't mind if DEFCON made this a "thing", but even if it just stays a small impromptu deal in a side-room, I would totally repeat the experience.

My story was a paranoid conspiracy adventure based on last year's badge contest.  So it was really thrilling when Lost bumped into me in the hall and said he liked it.  As I said, recognition is all about the doing.

DEFCON always makes me look at the world in a different way, and on the last day, we saw this at the Carnival World Buffet:

Defcon 20 is closed.
This is an ATM.  It accepts money.  Including cash.  If you're new to computer security, you might wonder why this is interesting... after all, there is no keyboard attached.  But even a little vague information is necessary for a good hack, and here I learned lots of specific information.  Including what kind of financial processing software it uses (which would tell me what ports to scan on a network to find this machine), and something even more damning: It's running VNC, which could allow an attacker to remotely connect to the full desktop.  I hope they got that thing fixed... but probably they didn't.

This year was the best DEFCON I've attended.  It's a great place for learning and doing and meeting, I'm looking forward to seeing you there next year, when DEFCON turns 21 and will finally be old enough to drink!

No comments:

Post a Comment