Black Hat and Defcon have become the must-attend conferences for both computer security professionals and fringe hackers alike. I’ve been attending for a number of years and have always been struck by the stark contrast between the people attending, ranging from federal computer security experts on the one hand and mohawk-adorned rebellious teens on the other. (Pictured is Black Hat/Defcon founder Jeff Moss, also known as Dark Tangent). For all of our stories on Black Hat and Defcon, click here.
Defcon is in its 18th year and started in 1992, when Jeff Moss (above), threw a party in Las Vegas for about 100 of his hacker friends. It has since become the largest hacker convention in the world. Moss started Black Hat in 1997 and that conference draws a few thousand security pros and corporate security administrators.
Black Hat has plenty of controversy itself. This year, a Taiwanese researcher proposed a speech on hacking activities of the Chinese army. But under pressure from the Taiwanese government, he withdrew the talk. Somebody almost always pulls the fire alarm as part of the prankster tradition behind hacking. Speakers’ web sites are regularly hacked, and companies such as Cisco have pressured employees not to give presentations at Black Hat, which is held at the upscale Caesar’s Palace hotel in Las Vegas.
Defcon is a different animal, held at the downscale Riviera Hotel. Federal law enforcement agents arrested one speaker in 2001, a day after Defcon, for writing decryption software. Attendees are warned to stay off the wireless networks or risk being put on the Wall of Sheep, a projected image on a wall that shows usernames and partial passwords of those who have been “powned,” or hacked. At Defcon, you can pay for your badge in cash. The press is not allowed to take pictures of the crowd (Dateline NBC once tried to sneak a reporter in; she was caught and publicly embarrassed). There are physical lock-picking contests as well as cyber hacking contests. Guards are called “goons” and attendees, known as humans, delight in playing “spot the fed” competitions. I hope the photos below give you a good impression of what it’s like to attend these conferences in Las Vegas.
Barnaby Jack was the main attraction at Black Hat this year. He showed how to hack two automated teller machines on stage and got tremendous applause as the machines started spitting out “million dollar bills” that Jack had loaded into them.
John Hering (left), chief executive of mobile security firm Lookout, and Kevin MaHaffey, chief technology officer, gave a presentation on how apps often access private information on smartphones. They pointed to apps such as an Android wallpaper app that sent your identification information to a web site in China.
Hacker “The Grugq” showed how he could hack into the GSM phone network and bring down a cell site. He said even emergency services were vulnerable. His talk was one of several that showed the vulnerabilities of GSM (Global System for Mobile communications, the protocol used in 80 percent of the world’s cell phones).
Dan Kaminsky, who discovered a fundamental flaw in the internet’s address system in 2008, was entrusted as one of seven people who has a key to reboot the internet in case of a catastrophe. Kaminsky gave talks promoting the use of DNSSEC, or security extensions to the Domain Name System (which keeps all web addresses) to improve overall web safety.
General Michael Hayden, the retired director of national security, said that the internet was not created to be defensible. “You guys make the cyber world look like the north German plain and then you bitch and moan because you got invaded,” he said. He said that one of the tough things about cyber war is that there is often no way to tell who attacked you. If a 15-year-old kid in China launches an offensive cyber war, do you hold the government of China responsible?
Moxie Marlinspike, a researcher at the Institute for Disruptive Studies, was disturbed at how you have to either give up your privacy when using the web or cell phones, or just drop out of society. He showed another path with a project that allowed users to surf Google anonymously and make secure web calls.
A speaker named Rain talked about how to build a lie detector for a small amount of money and then beat it by controlling your emotional and physiological responses to questions.
After five years of running computer security at Facebook, Max Kelly quit three weeks ago. The former FBI computer security specialist said he believes that government and commercial entities should present a united defense against cyber warfare.
Microsoft threw a party at the cool Vanity nightclub at the Hard Rock Hotel. I met with Dave Forstrom, director, Microsoft’s Trustworthy Computing Group, for an interview. He said that the company’s disclosure of bugs in its operating systems and software have worked pretty well in the past few years. Now, it will release vulnerability information to third-party partners — including antivirus vendors and other companies — ahead of time so that they can come up with fixes before the bad guys can get their hands on the information. There are now 65 partners participating, including Adobe, which will share its vulnerability information ahead of time with the partners.
And yes, I suppose this good news from Microsoft was cause for much rejoicing. Here are some party goers dancing away at the Microsoft event. Microsoft said that the number of vulnerabilities found on its systems remains far smaller than those found elsewhere.
More scenery from the Microsoft party at the Vanity nightclub. There are many distractions in Las Vegas. But by and large most people seemed focused on vulnerabilities. You’ll notice the stark difference from this slick scene at a Black Hat party and the imagery at Defcon.
Amazon.com had job openings in security. It used this computer science programming puzzle to try to recruit new employees.
Here’s another scene from the Black Hat exhibits, where a company asked hackers to assemble a little robot for fun. It was another interesting way to find job recruits.
Can you smell the money here? Bahram Yusefzadeh, chief executive of Red Lambda, and Rob Bird, chief technology officer at Red Lambda, were quite pleased to raise $10 million in new funding for their grid-based security platform, AppIron. At the show, they announced the FireGrid unified threat management service to use grid computing solutions (treating lots of unused computers as one big supercomputer) to deal with all sorts of security threats. The future, they say, isn’t just in the internet cloud; it’s in the grid.
David Marcus, director of security research at McAfee, got a few tattoos so that he could get VIP entrance to the McAfee party. At a pre-party reception, he mentioned how his daughter played a joke on him by grabbing his iPhone and telling the world that she had just powned her father, the security guy. Marcus laughed that off and noted how all of the interest at the show was moving to concerns about mobile security, as smartphones become the new computers.
Garry Pejski, a 31-year-old security consultant from Toronto, told the Defcon crowd a cautionary tale about how in his early career he wrote spyware that tricked people into accepting junk software installs and pop-ups. He said your honor is worth more than the money you can get from such jobs; but he cracked some funny jokes as well about how bad antivirus software was at detecting spyware.
One of the many temptations in Las Vegas: the pool at the Hard Rock Hotel.
At Defcon, the counterculture is alive. You can tell the mixture of cyberculture and anarchy in these T-shirts for sale at the event.
Gamers, geeks and hackers. That’s probably a good description of the 10,000 or so folks who attended Defcon.
Chris Paget, an “ethical hacker,” tried to read radio frequency identification tags from the 29th floor of the Riviera Hotel. He pointed his high-powered antennae at a guy with tags on the ground. He could detect the tags, but could not read the serial numbers on the tags because of the Las Vegas heat. Still, his point was a good one. It makes no sense to put identification data in RFID tags such as U.S. passport cards.
In the recreation area of the Defcon conference, you could get your very own mohawk. I decided to pass.
I stopped at the Wall of Sheep to check to see if any of my passwords were on it. Fortunately, I turned off both my laptop’s Wi-Fi and my iPhone’s as well. Many other people failed to do so.
Breaking into computer networks isn’t the only thing you can learn at Defcon. You can also take classes on lockpicking physical locks as well.
Chris Paget had to put up warnings throughout the Riviera Hotel saying that he was going to hijack the cell phone network there for purposes of demonstration. He managed to do so, getting dozens of GSM phones to log on to his makeshift GSM network. The point he made is that GSM is a flawed technology and that you can intercept calls on it.
Meet the hacker’s best friend: Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which often defends the rights of hackers to do research and protects them when the government comes after them. She talked about the EFF’s efforts to win consumers the right to jailbreak their iPhones, or put unauthorized software on it for their own personal use.
Charlie Miller, a security researcher who talked about how North Korea could build a cyber army to beat the U.S., doctored a photo of North Korean dictator Kim Jong-Il and his generals having a laugh. Miller predicted it would cost $45 million and two years of work for North Korea to set up a fearsome cyber army.