Twisted Agile: We're taking elements Agile dev and shaking it up with savvy best practices for better, faster outcomes. Sign up for our free webinar on June 11 at 10 a.m. PST/11 p.m. EST.
Thousands of security professionals, hackers, federal agents and media descended on Las Vegas this week to attend the Black Hat and Defcon conferences. The two conferences exhibit the extremes of hacker and security culture, with federal agents and major corporations descending on Black Hat in large numbers and mohawk-styled hackers and Electronic Frontier Foundation lawyers attending Defcon. It’s like the difference between law enforcement and pranksterism, where both have the object of protecting freedom.
Defcon (named after the old code for nuclear war, or defense condition) is now in its 19th year. It was started in 1993 by Jeff Moss, a hacker also known as Dark Tangent. Defcon began as a party for a visiting Canadian hacker. Now it has become the big hacker event of the year with more than 10,000 attendees. The Defcon conference is anything but corporate. For many years, it was at the downscale Riviera Hotel; this year it moved upscale to the larger Rio Hotel. Defcon is more tolerant of alternative views, such as open support for Anonymous, the hacktivist group that has launched denial of service attacks against major corporations in the wake of corporations turning their backs on Wikileaks and Sony’s battle with hacker Geohot. One attendee said it was impossible to find Guy Fawkes masks anywhere in Las Vegas, since the mask, like the one worn above, is a symbol for Anonymous.
Black Hat, on the other hand, is now 15 years old and draws more than 8,500 attendees to the elegant Caesar’s Palace Hotel. Black Hat has plenty of dramatic moments as the corporate, academic, government and indie hacker cultures mesh and sometimes clash. Plenty of people go to both conferences. But you’ll see more suits at Black Hat and more T-shirts at Defcon. You can pay corporate rates at Black Hat, but at Defcon, they don’t accept credit cards, since hackers do not want to be identified. You have to pay in cash, and attendees are identified as “human,” “goons,” (for staff) and “press.” (Yes, evidently press are not human). There are no names on Defcon badges, which are typically a product of the hacker imagination. I’m killing myself because I forgot to take a picture of the fake automated teller machine at Defcon. But I found it quite ironic that Barnaby Jack, the man who hacked an ATM at Black Hat last year, was now working for the very corporate McAfee Labs, which is owned by Intel.
At Black Hat, the great affairs of the world are discussed with a lot of gravitas. At Defcon, people heckle the speakers and drink beer in the middle of comic presentations. But one of the things they have in common is a growing importance in the world of technology. A few years ago, a CNBC reporter tried to sneak into Defcon to shoot undercover film of hackers — a big no-no at Defcon if you don’t ask permission of those you’re taking images of first. But this year, the media included CNN, the New York Times, Reuters, the Associated Press, NPR, the Financial Times — just to name a few.
Black Hat: Joseph “Cofer” Black, a counter-terrorism expert who anticipated the 9/11 attacks, warned Black Hat attendees that they should prepare for cyber war and figure out how to convince people who don’t believe such a war is happening, as happened before 9/11. During his opening keynote at Black Hat, a prankster set off a fire alarm. Black had to finish his talk with the sound of Klaxons going off.
Defcon: Clearly, Defcon had very different vetting rules for speakers compared to the academically peer-reviewed Black Hat. A hacker who goes by Kryptia spoke on a panel about the Anonymous and LulzSec hacktivist groups. He pulled off his mask and said he actually wasn’t speaking for Anonymous. In the audience, there was support for hacktivism, but the panel was divided about how effective the cyber vigilantes had become and whether they have lost their way. The panel debate was itself a theatrical microcosm of the whole problem of identifying members of Anonymous, or LulzSec, and prosecuting them for committing various hacking crimes such as shutting down web sites.
Black Hat: Jeff “Dark Tangent” Moss founded both Black Hat and Defcon. He is now vice president and chief security officer at ICANN, the international body that sets the rules for the internet. He called on corporations to make the internet safer by embracing DNSSEC (Domain Name System Security Extensions) as a way to reduce misdirection of users to sites with malware. Companies that sign their zone not only protect their own sites and users, they help the rest of the internet, Moss said.
Defcon: Attendees were greeted with this Da Vinci Code-style reality game that required them to solve a variety of mind-bending puzzles. The attendees received pure titanium badges that had a cut-out of the Egyptian mathematical symbol the Eye of Ra, as well as a letter and a number. A hacker who goes by the name “LosT” created the game as a way for hackers to show off their skills.
Black Hat: Cyber espionage can take many imaginative forms. Two security researchers Mike Tassey (left) and Richard Perkins (right) built an unmanned aerial vehicle, loaded it with wireless interception technology, and showed how you can spy on your neighbors or corporations from above.
Defcon: The conference talks weren’t all about politics or pranks. Most of them focused on hardcore security technology where speakers offered proof that they had accomplished the tasks, or hacks, which they claimed they did.
Black Hat: Peiter Zatko is a famous hacker known as Mudge from the early L0pht group. But he crossed into the realm of white hats when he joined the Pentagon’s Defense Advanced Research Projects Agency as program manager for cyber security. In a Black Hat keynote, he announced that the government plans to invest in hundreds of small cyber security projects and companies in order to kickstart security technology. Zatko found that it takes about 125 lines of code to create the typical piece of malware and it takes about 10 million lines of code to create sophisticated technologies to protect against it.
Defcon: These women were marketing, um, a company’s security technology. But the message was meant to cater to the sentiment at Defcon, where sympathy for the cause of Anonymous and its hacktivism was believed to be high. Of course, you never know. They could have been undercover federal agents, who were also plentiful at Defcon.
Black Hat: The talks took place in cavernous ballrooms at Caesar’s Palace. In the overcrowded sessions, security researchers drew enormous applause whenever they figured out something cool that had never been done before.
Defcon: The food at the past venue, the Riviera Hotel, was often horrible. It consisted of hacker food such as pizza, potato chips, hot dogs and chicken strips. But this year, at the Rio, the food was much better, ranging from hand-made chicken burritos to sushi boxes.
Black Hat: Dmitri Alperovitch, the vice president of threat research at McAfee, unmasked a huge five-year cyber espionage campaign called Operation Shady RAT. He said that the operation was likely created by a nation-state and it penetrated the computer networks of 72 governments and major corporations around the world. Many pointed the finger at China, though McAfee did not identify the perpetrator.
Defcon: On sale in the vendor area were skeleton keys and lock picks aimed at getting past any physical barrier. Getting through physical locks or cyber locks both take mental discipline, and they both require skills that are on the edge of legality. Defcon holds an annual lock picking contest, and this year experts opened a $1,300 card-and-code government lock within seconds.
Black Hat: Scores of vendors had their own booths where they sold their services. There were plenty of parties at swanky Vegas venues and a night of parties in suites at Caesar’s Palace.
Black Hat: Not every attendee at Black hat was overtly corporate. David Marcus, director of security research at McAfee, has much more of a Defcon look. He is pictured here at McAfee’s reception, but he got into a heavy conversation at Defcon about the Anonymous hacktivist group. Marcus noted that McAfee recently hired Barnaby Jack, who hacked an ATM last year, to do security research.
Defcon: The vendor area at Defcon targeted “gamers, geeks and hackers.” That’s an increasingly wide swatch of the population these days. We have no picture of the “crowd” at Defcon because that’s a press no-no. Many hackers (and undercover feds) don’t want their pictures taken.
Black Hat: Hackers debated who had the bragging rights for the best way to attack a mobile network. What was the best way to pwn (pronounced pone or own), or trick, the widest number of users. Is it by hacking the infrastructure of the wireless system, the chips within the hardware, the operating system, or the applications themselves? From left to right: Charlie Miller, Ralf-Phillipp Weinman, Nick Depetrillo, and Don Bailey. Much of the talk at Black Hat has shifted to hacking mobile systems; three of them focused on hacking Apple mobile technology.
Defcon: Some talks are approved for comedy alone. This talked, entitled the IPocalypse is a lie, by the fake-named Sterling Archer and Professor Freaksworth (right) dwelt on the shift from Internet Protocol Version 4 to IPv6, which is meant to move beyond the 4 billion internet addresses out there. They made their half-serious case that IPv6 is a global conspiracy.
Black Hat: At the Pwnie awards, companies or hackers received awards for the best or worst accomplishments in security. Among the companies savaged were Sony, which won the Pwnie for the “most epic fail” for its lawsuit against Geohot and failure to protect the 100 million users of its Sony Online Entertainment and PlayStation Network gaming services. And those praised: Geohot, the hacker sued by Sony for circumventing the security of the PlayStation 3, won for the best song, as seen in this YouTube video.
Defcon: In the vendor area, you can buy just about anything that seems like electronic contraband. The WiFi Robber says it can help you secure your wireless network, regain access after losing a password, and “much more.”
Black Hat: Each year, security researcher Dan Kaminsky gives a talk and hands out cookies baked by his 88-year-old grandmother (left). This year, Kaminsky is coding some interesting technology that could propel him into the center of the net neutrality debate. Kaminsky calls his invention Nooter (a contraction of the phrase “neutral router”). It is a sort of lie-detector test for internet service providers (ISPs). Nooter will be able to send traffic along different paths and determine whether or not your ISP is deliberately slowing some of your internet traffic, such as data from file-sharing web sites.
Defcon: If the stereotype of a hacker is someone with a Mohawk hair cut, you might as well live up to it. The stylists at Defcon were quite busy this year.
Black Hat: Uh, there’s a naked guy in the middle of Caesar’s Palace. (Yes, it’s a replica of Michelangelo’s David). It’s pretty majestic compared to the Chippendale’s club at the Rio, where Defcon is held.
Defcon: Lots of businesses are moving to cloud computing, where they operate their services in data centers hosted by big companies. But Ramon Gomez, a security professional at a hosting provider, sounded the alarm and said that vendors should do a better job of telling users when large numbers of them are suffering the same kinds of problems or attacks. Sometimes it takes nine hours to get a response from a cloud services vendor about a cyber attack, Gomez said.
Black Hat: Philippe Courtot started Qualys a decade ago to focus on cloud security. At first, people ridiculed the idea but now it is fashionable to hire security-as-a-service such as what Qualys offers to 5,500 corporations and governments. Qualys announced a number of new services and features at the show.
Defcon: Gulp. Don’t get caught on the Wall of Sheep. That is the wall where the names of users, their partial passwords, and devices are listed after they have been hacked at Defcon, via the WiFi network or Bluetooth connections.
Black Hat: Jerome Radcliffe, a diabetic and a security researcher, showed how he figured out how to hack into an insulin pump for diabetics. The process was far too easy, as there was almost no security built into the device. Brad Smith, another security tech expert and a registered nurse, said that the problem of medical device hacking has been around for a long time. He said, “It’s just not his insulin pump. It’s also in other devices.” Smith said the history of these devices is a “litany of disaster” when it comes to security.
Defcon: Among the competitions held every year is Capture the Flag, where teams of hackers are sent on missions to attack the security of major corporations. And every year, they succeed with a large number of penetrations.
Black Hat: Security researcher Charlie Miller takes a second to think during his demo of hacking a battery for a MacBook laptop. Miller hasn’t figured out how to make a battery explode, but he did learn how to brick a battery from afar.
Defcon: You could buy this rug at the vendor faire at Defcon. While the show is for hackers, the presence of federal agents is always felt. At the federal agents panel, the government agencies made light of the undercover nature of their work with a “Spot the Fed” contest. Four women went up on stage and the audience members had to guess which one was a federal agent. Only two of four contestants got the guesses right.
Black Hat: The conference drew more than 8,500 attendees in its 15th year.
Defcon: I didn’t actually see anyone hacking naked at Defcon, but there were definitely people wearing this shirt.
Defcon: Steven Levy gave a talk about early hacker culture based on the first book on hackers, Hackers: Heroes of the Computer Revolution, published in 1984. In his talk, he said tha the spirit of hacking — built on the idea that information should be free — is still alive at many corporations such as Facebook and Google. Maybe in that respect, Black Hat and Defcon aren’t so different after all.