DEFCON is the annual hackers' conference, a three-day hacking binge in Las Vegas that follows the more corporate Black Hat Conference. DEFCON has a hard time finding venues, according to Dead Addict (Black Hat's Grand Vizier), because the hackers wreak havoc on a hotel's computer systems. This year, though, they returned to the Alexis Park Hotel, an off-strip property whose campus feel and tolerant GM accommodate the fraternity atmosphere. (The hotel had to drain its pool yesterday after someone poured enough Kool-Aid powder in to create a massive purple beverage.)
DEFCON resembles a giant party, with competing sound systems and widespread intoxication, but there is more going on. The general purpose is to explore unintended avenues by which anyone can "own" someone else's resource through clever hacking. Obviously, such information could be used for Evil, but you have to look at the ends here, not the means. DEFCON exposes vulnerabilities in systems all around us so that, in the long run, we can all live more secure, private lives. How far you can go to expose a vulnerability is a matter of widely differing opinion. Most folks at DEFCON go pretty far, supporting the publication of vulnerabilities as well as of any stolen though mostly harmless information (some go much further).
At DEFCON yesterday I attended sessions on how to hack your neighbor's garage door and remote car key, how to slip off handcuffs, and how to compromise the nation's telecommunications network. I attended a press conference by Dr. Linton Wells (CIO of Defense Dept) and Robert Morris (former NSA Director) regarding cyber terrorism, and I delivered a talk titled Information Security Industry: Billions Blown on Bloopers, Blights and Blunders. (View the Notes Pages for at least some of the narration behind the slides.)
I also visited the war room where teams of hackers compete in the annual Capture the Flag contest. Nearby, the Wall of Sheep displays the usernames, passwords, photos and private information like tax returns of the hundreds of "sheep" whose computers were "owned" when they were naive enough to surf on the local Wi-Fi. Winn Schwartau describes the ritual in detail. Other tables of the war room focused on cracking new security products, with cash prizes offered by the forward-thinking vendors.
The parties included the geek-fetish Black and White Ball and the exclusive 9th annual Caesar's Challenge, in which "Caesar" challenges guests to solve a hard problem between chugs. (All the coolest hackers have "handles", sort of superhero identities, like Mudge, Raven, Agent X and Dead Addict.) Another party favorite was the RF-enabled Kegbot.
But the spotlight this week was on CiscoGate. Temperatures held steady in the high 90s all week, but tempers truly flared inside as a result of Cisco's epic faux pas. As widely reported, Cisco didn't want Michael Lynn of ISS to proceed with his planned presentation of a flaw in Cisco IOS that would allow hackers to control Cisco routers. So, incredibly, their attorneys descended upon ISS to compel them to suppress the talk, and then descended upon Black Hat, insisting on republishing the CDs and binders without the offensive material.
Man, this was the wrong crowd from whom to hide information! Michael Lynn resigned his job minutes before his talk and then, egged on by the crowd, spilled the beans. Cisco then fired off cease-and-desist letters to suppress publication of the presentation, but as you can imagine, mirror sites popped up everywhere (there is a rather comprehensive one at the defiant www.cryptome.org). Cisco fired off various explanations along the way that it was simply protecting its proprietary information from being illegally disclosed, and that the vulnerability wasn't so bad after all. But I attended one session by Raven in which she pointed out that Cisco's own explanations accidentally revealed additional information about the vulnerability that facilitated generation of exploits.
Cisco failed to recognize the futility of suppressing data (especially from this group). More important than the black eye, Cisco can no longer expect security researchers to cooperate with the company if provocative findings invite litigation rather than appreciation. The attitude at DEFCON was best summed up by all the CiscoGate t-shirts circulating, including Raven's, which simply read FUCK CISCO.
There were, by the way, lots of fun t-shirts, including my favorite: "Resistance is Futile (when <1 ohm)"
Another highlight of the conference was a dinner Bessemer hosted for the luminaries in attendance: Robert Morris (Cornell, ex-chief scientist NSA), Linton Wells (CIO, DoD), Paul Mockapetris (CSO, Nominum), Mark Maifrett (eEye), Bart Decrem (Flock), Raven, Dead Addict, Agent X, Nico Sell (DEFCON organizer), Brian Krebs (Newsweek), David Mortman (Siebel CSO), Alex Sotirov (Determina), Mike Jacobs (ex-NSA), Paul Proctor of the Bessemer-seeded company Gartner Group (though Paul still likes to say he's with Meta), Adam Shostak, Effugas (aka Dan Kaminsky) and others. Steve Wynn's new restaurant Okada peppered us with a barrage of tasty though not always identifiable morsels. The highlights were the 2001 Robert Sinskey Pinot Noir and the heavy duty air conditioning.
Throughout DEFCON I felt increasingly vulnerable to hacking. But looking back on the weekend, I feel a sense of awe and gratitude for these free-thinking geniuses who, in the long run, make our world safer. Then again, that could just be the sleep deprivation talking.