DefCon 16: Hackers and a Gag Order in Sin City
In many ways the virtues that have brought Linux from a Unix look-alike pet project to a competitive operating system are the same as the ideals behind DefCon. The community stood on each other's shoulders and developed piece after piece of software to fill in the gaps that were found through use. Programmers built on the ideas of others, creating tighter and tighter code to support an increasingly complex framework. Originally that was the theme of this article when I had begun thinking about writing it. The things that I saw at DefCon were every bit of the ideals I went up there to find and more...
Heading towards Sin City, I was anxious. I have never been enamored by the urban desperation built in the desert. Las Vegas was built on cheap electricity and bad math. This time it was different: I was finally getting to see something that I had been wanting to see for years, DefCon. Over the years this conference has been held up as the Mecca for system security. What began as a small gathering of friends and associates assembling to share advances in the dark art of computing has grown over the years into a gathering of somewhere around 8000 people coming to see some of the best minds in the field. Walking into the Riviera, I was both amazed at the throng of people waiting to get into the conference and also a little surprised. While all walks of life were migrating towards the entrance, most of them appeared to be professionals who had been puzzling out routing issues or studying for college exams the day before. They all seemed to be looking forward to the chance to learn new ideas and to take a break from the responsibilities that waited for them on Monday.
Like any event, some of the familiarity fades as more and more people come to see the spectacle. Organization has to develop as the gathering of friends becomes a world-famous event. As always, there are the die-hard fans who believe that the event has become commercialized and lost the freedom of the past. The very thing that is forcing DefCon to evolve is also providing a venue for huge competitions and a forum to share the advances of the year with thousands of interested minds. Competitions separate the noobs from the elite. Capture the Flag, Own the Box, and Beverage Cooling Contraption (BCCC) are some of the returning favorites, and some of the new challenges, like the MSK Security Challenge and the Race to Zero, provide a venue for attendees to prove their skills. Are you a noob or elite?
DefCon produces the most hostile network environment in the world every year. The DefCon network has evolved with the event. What started out as a casually constructed resource to provide access to the Internet and a venue for pranksters to attack has grown into a hardened network. A quad-core Xeon supports the network, with OpenBSD as the firewall protecting a backbone link to (an estimated) 150 VLANs, propagated to the public with 35 Aruba AP-70 wireless access points and 30 Ethernet connections to support the administration of the event. The AP-70s are maintained by a management switch. The AP-70s allow and monitor traffic and can triangulate the position of signals received. Since they are all propagating a signal from the management switch, traffic can be analyzed and recorded for the competitions.
I had the opportunity to speak with Steve Kirk (AKA Lock), the head of the NOC at DefCon. Steve has been a veteran of DefCon since DC3. The NOC is composed of hard-working volunteers who arrive at DefCon a week before the event begins to build a network to withstand the most hostile environment imaginable. The interview provided a lot of information about the network at DefCon, but it also gave a perspective on how DefCon had grown. The network deployment at DefCon was 8 months in the planning, had to be coordinated with union workers at the hotel, and had to be strictly separated from the Riviera's data infrastructure, a lesson learned from previous conferences. The layer 1 planning and implementation has become a highly organized deployment built by friends. There is a circle of trust among the goon squad, who have become like a family.
Steve took a moment to reflect on what DefCon really was behind the digital haze of evil that makes it such a thrill for visitors. People get together from all walks of life and have a chance to share ideas. Steve remembers, "seeing established men talking to a kid about incredibly advanced material as equals." There is a culture of curiosity that wipes the differences away and allows people to learn from each other. For a brief period of time all the stress of real life fades and the stress of DefCon intrigues and relaxes the participants. There is an amazingly comfortable feeling that pervades the conference, and people leave with a load lifted off their shoulders. David Bryan pointed out that DefCon was a working experiment of the book "The Power of Leaderless Organization." The goon squad has grown, losing members from time to time, and has remained incredibly close at the core of DefCon. The core of DefCon gets to build a powerhouse of network security and intrigue, and have the visitors bring their toy to life. They have a living network in the most hostile environment possible, and the attendees bring traffic to their work.
DefCon does have a hierarchy of sorts, but another Black Hat / DefCon attendee explained that it was built from the grass roots, and DCxxx groups all over the country discuss the exploits to unveil in the upcoming DefCon. Darington, a sixteen-year veteran, pointed out that a "ridiculously rabid following" builds DefCon from the roots up every year. DC groups are web groups that maintain contact throughout the year and are the sponsors of all the surprises at DefCon. From the Hackable Badge and beverage cooling contraptions to the lock picking competition, they all were brought to DefCon by the fans that bring the conference to life. Each of these exploits has grown from silliness brought by some attendee to a function or competition.
DefCon is not all fun and games; every year the conference holds meetings and seminars of various types. Techs can share the knowledge they have gained that year and allow the visitors to participate in Q&A sessions. All of the material is available, if you can find it, from defcon.org. The most newsworthy of these was the presentation by three MIT students who managed to find a serious hole that compromised transit systems all over the world. The only reason why I am singling this one out is the back story surrounding the presentation. While the information on the DefCon CD is fascinating, it was one of the least interesting presentations due to the Federal Gag Order imposed. They had an attorney from the Electronic Frontier Foundation (EFF) begin the press conference with information leading up to why they couldn't under any circumstances talk further about the material that had already been released.
Zack Anderson, R.J. Ryan, and Alessandro Chiesa casually avoided answering all but the most obvious questions due to the gag order. Behind the scenes the three students and their professor, Ron Rivest, an impressive cryptographer, answered questions with the press. They were definitely worried about their legal exposure. An argument was raised that they were merely presenting information to allow free passage on the Boston T for life for the benefit of the transit system. The previously overlooked hole could in fact be closed against future exploitation, but a Federal Judge, Douglas P. Woodlock, equated the speech to hacking and placed a gag order on the presentation.
The students defended their right to present the speech, with counsel provided by EFF, on the grounds of protection against prior restraint of speech and that key elements of the exploit had been omitted to prevent the duplication of their work. Kurt Opsahl, senior staff attorney at the EFF, said the group would appeal the ruling on First Amendment grounds. The key elements were subsequently obtained from court documents and released over the Internet. NICE; that is all I can think to say about that.
A myriad of night life and parties fill the convention attendees' time after the presentations, but you will have to attend DefCon yourself to find out what happens after hours. DefCon is definitely an event that serious computer aficionados should consider visiting, and remember, "What Happens in Vegas, Stays in Vegas". Unless, of course, a Federal Judge imposes a gag order on it.