Darth Elmo Does Def Con 0x0A

It's time for Darth Elmo's annual Def Con dispatch.

What does a Minnesotan hacker do in the middle of the summer when he's sick of the brutally hot and humid St. Paul weather? Darth Elmo can only speak for himself, but for the second consecutive year he went to Def Con, where he experienced the brutally hot and dry Las Vegas weather. (For the record, Darth Elmo is now sick of all warm weather regardless of atmospheric conditions and has spent the past several days camped out in front of his beloved Whirlpool DesignerStyle air conditioner.)

There are actually some very good reasons to go to Def Con. First and foremost is to hang out with other hackers in a bigger and better environment than the local shopping-mall-food-court "2600" meetings. Second, to party. Third, to attend presentations on such useful and diverting topics as kernel-level security, lockpicking and stealth logging. Fourth, to shop for quality geek merchandise such as Vanna Vinyl T-shirts, souvenir Def Con shot glasses and locale-restriction-disabled DVD players. Fifth, to participate in contests of skill such as Hacker Jeopardy, Capture the Flag (the Hacking Contest) and the Wardriving Contest. Sixth, to party some more.

In short, Def Con is a place where for one brief but intoxicating weekend (for some attendees, more like an intoxicated weekend), you can fly your Freak Geek Flag among kindred freak-geek spirits. This year's Def Con, Def Con 0A (0A is hexadecimal for "10", but of course you caught that right away, right?) delivered handsomely.

General Impressions

As always, the Def Con attendees themselves were fun to watch: a lot of pale tattooed people in black leather, security consultants who dressed and behaved less flamboyantly than the counter-culture types but who got along with them just fine, representatives of various law-enforcement agencies who so closely resembled ordinary security consultants as to make the "Spot the Fed Contest" futile, and hotel staff who gamely wore Def Con T-shirts and did a commendable job of making all of the above feel right at home.

And as Darth Elmo's compadre (and former Padre) Richard Thieme observed, Def Con 0A appeared to include a much more ethnically and sexually diverse crowd than past 'Cons. This was notable, as the hacker community, though philosophically a 100% equal-opportunity tribe, has tended to be dominated by middle-class white guys. No group that values unpredictability and individuality as much as we do can help but be bored by homogeneity. Better attendance by geek-girls in particular made for a more interesting Def Con 0A.

Speaking of the unique and wonderful, let's talk about the Goons, Def Con's intrepid staff. Behind the scenes they're responsible for everything from issuing press-credentials to running the impromptu Def Con TV Station on the Alexis Park's closed-circuit system. More visibly, the Goons serve as Def Con's bouncers, which as I'm sure you can imagine is a big job all by itself. The official Def Con 0A Goon T-shirt sports a quote from C. Montgomery Burns (of The Simpsons): "I prefer the hands-on touch you only get with hired goons."

This year the Def Con Goons were augmented with extra security staff (actually generic rent-a-cops, but checking badges is a waste of the Goons' considerable skills). Rather than putting a damper on things, the beefed-up security led, Darth Elmo thinks, to a much more laid-back Def Con than last year.

Maybe this was due to the smaller number of gate-crashers who social-engineered their way in (these reportedly caused a lot of last summer's mayhem). Or maybe the higher proportion of security professionals in attendance made for a more sober crowd. Regardless, Goon activity was much less frantic this time around, and as noted in last year's dispatch, if the Goons ain't happy, ain't nobody at Def Con happy.

Which is not to say that all anyone did was meekly attend security speeches and drink ice-water. (Okay, Darth Elmo did a lot of both, but he did other things too.) The inevitable Def Con room-parties ran pretty much continuously. Hacker Jeopardy was well attended and as rowdy as ever. The Black & White Ball inspired many attendees to dress up in their best or at least most bodacious outfits regardless of their intention to dance. And on Sunday one of the Alexis Park's fountains ran purple, after a vivid bit of vandalism we can only hope didn't wreck the fountain but which was, Darth Elmo must admit, pretty while it lasted.

Some Def Con Presentations

That's probably more than enough impressionism for most of you. On to some of the content--the big ideas disseminated at Def Con 0A. There were more than a few of these, and Darth Elmo minimized his liquor intake for the express purpose of remembering a few of them. Darth Elmo doesn't presume to portray these as the only worthwhile things discussed at Def Con, but offers them rather as sort of a representative selection, a cross-section of the Def Con specimen, as it were. For the second year running props are in order for tmns, who took notes on his elite MS-DOS-based HP handheld PC throughout the 'Con, and whom we can therefore thank for a few juicy details Darth Elmo forgot/missed/hallucinated-through.

The first DC0A speaker Darth Elmo remembers, Jennifer Stisa Granick, Esq., discussed the USA PATRIOT Act (sic), a piece of legislation which, while granting no new powers to law-enforcement agencies, does weaken some key restrictions on their ability to exercise their existing powers. In other words, the FBI et al. have always been able to wiretap phones, intercept e-mail and log keystrokes, but the USAPA appears to have reduced the number of judicial hoops they need to jump through beforehand. Ms. Granick gave an engaging and balanced overview of the probable effect of the USAPA on hacking (in a nutshell, it doesn't look good).

Brett Eldridge of Netscreen gave a much more technical presentation on some weaknesses of the IPSec protocol, mainly two specific ones. The first is that in aggressive mode IKE (IPSec key-negotiation), a mode which is necessary in most remote access scenarios, user IDs are transmitted in clear text. This isn't nearly as huge a concern as if the shared secret were exposed too, but it does make it possible for an eavesdropper to track users as they connect from different locations.

The second weakness is that IKE implementations send a Vendor ID string that is hashed but static, so an attacker can compare the Vendor ID in an eavesdropped IPSec packet against a list of hashes of known Vendor IDs. Generally speaking, IPSec packets sent from systems running on the same platform running the same version of the same vendor's IPSec software will contain the same Vendor ID.

Neither of these weaknesses represents an actual attack vector. Instead, they both fall into the category of information gathering. But in the process of discussing them, Mr. Eldridge gave a lucid description of how IPSec key-negotiation works, which was no small accomplishment, and in general it was an interesting and worthwhile talk.
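To make the two observations above concrete, here is an added example (not code from the original article or from Mr. Eldridge's talk) that parses the fixed ISAKMP header and payload chain of an IKE Phase 1 message and reports what an eavesdropper on the wire could read without any key: the exchange type (aggressive versus main mode), a cleartext ID payload, and the Vendor ID hash. The two messages it inspects are constructed inline; the cookies, SA/KE/nonce bodies, the user identity `alice@example.com` and the 16-byte Vendor ID value are all placeholders, not captured traffic. Payload type numbers and the header layout follow RFC 2408; the helper names are this example's own. Run it over a real first aggressive-mode packet (the 28-byte header onward) to check whether your VPN gateway's remote-access profile exposes user identities.

```python
import struct

# ISAKMP fixed header (RFC 2408): I-cookie, R-cookie, next payload, version,
# exchange type, flags, message ID, total length.
HDR_FMT = "!8s8sBBBBII"
HDR_LEN = struct.calcsize(HDR_FMT)  # 28 bytes

EXCHANGE_TYPES = {2: "identity protection (main mode)", 4: "aggressive"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
FLAG_ENCRYPTED = 0x01  # E bit: payloads after the header are encrypted

def build_isakmp(exchange_type, payloads):
    """Assemble a constructed ISAKMP message from (payload_type, body) pairs."""
    raw = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        raw += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body  # generic payload header
    hdr = struct.pack(HDR_FMT, b"\x11" * 8, b"\x00" * 8, payloads[0][0],
                      0x10, exchange_type, 0, 0, HDR_LEN + len(raw))
    return hdr + raw

def parse_isakmp(pkt):
    """Walk the header and payload chain; returns (exchange_type, flags, [(type, body)])."""
    _, _, nxt, _, xchg, flags, _, length = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    payloads, off = [], HDR_LEN
    while nxt != 0 and off + 4 <= min(len(pkt), length):
        pn, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4:  # malformed length would loop forever; stop parsing
            break
        payloads.append((nxt, pkt[off + 4:off + plen]))
        nxt, off = pn, off + plen
    return xchg, flags, payloads

def audit_ike_message(pkt):
    """List what a passive observer learns from one Phase 1 message."""
    xchg, flags, payloads = parse_isakmp(pkt)
    findings = []
    if xchg == 4:
        findings.append("aggressive mode exchange")
    if flags & FLAG_ENCRYPTED:
        return findings  # nothing more to read from an encrypted message
    for ptype, body in payloads:
        if ptype == 5 and len(body) >= 4:
            idtype = body[0]
            ident = body[4:].decode("ascii", errors="replace")
            findings.append(f"cleartext ID payload ({ID_TYPES.get(idtype, idtype)}): {ident}")
        elif ptype == 13:
            # The hash itself is static per vendor/version, so it can be matched
            # against a list of known Vendor ID hashes (fingerprinting).
            findings.append(f"vendor ID hash visible: {body.hex()}")
    return findings

# Constructed samples (placeholder bodies, not real key material or a real vendor hash).
AGGRESSIVE_MSG1 = build_isakmp(4, [
    (1, b"\x00" * 8),                                   # SA proposal (placeholder)
    (4, b"\x42" * 32),                                  # KE (placeholder)
    (10, b"\x24" * 16),                                 # NONCE (placeholder)
    (5, struct.pack("!BBH", 3, 17, 500) + b"alice@example.com"),  # ID_USER_FQDN
    (13, b"\xab" * 16),                                 # VID hash (placeholder)
])
MAIN_MODE_MSG1 = build_isakmp(2, [
    (1, b"\x00" * 8),                                   # main mode: SA first, ID comes later, encrypted
    (13, b"\xab" * 16),
])

if __name__ == "__main__":
    for name, msg in (("aggressive", AGGRESSIVE_MSG1), ("main mode", MAIN_MODE_MSG1)):
        print(name, "->", audit_ike_message(msg))
```

The main-mode message still reveals the Vendor ID hash (the fingerprinting weakness applies to both modes), but the user identity only appears in cleartext in the aggressive-mode message, which is exactly the distinction the talk drew.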

Bastille-Linux developer and Linux-security author Jay Beale, a close personal friend of Darth Elmo, was also a presenter at Def Con 0A, twice in fact. His first presentation was on how to secure WuFTPD and ProFTPD, which Darth Elmo is positive was a stunning success, but which Darth Elmo skipped in order to see Jennifer Granick's USAPA speech (see above). The reader may interpret that any way they like, except as a disparagement of the estimable Mr. Beale. (Is Darth Elmo really so shallow as to sometimes prefer proximity to gorgeous, brilliant women over quality time with his ever-shrinking circle of friends? Or was he nobly furthering his understanding of important legal and political matters? Darth himself isn't completely sure about that one.)

Anyhow, Darth did make a point of getting out of bed by noon the next day just to attend Jay's presentation on Bastille-Linux. This was a lively, informative and humorous talk, and it was attended by a tightly-packed but appreciative audience. The talk described the Bastille approach, covering Linux system-hardening both generally and relative to Bastille. And to Darth Elmo's delight, Jay announced that although Bastille has tended to be very Red Hat-/Mandrake-centric, version 2.0 will officially be supported on HP-UX, SuSE Linux, Debian Linux and Turbolinux as well.

Another Saturday speaker at Def Con 0A was Simple Nomad, who talked about "The Hacker Nation", that is, about current issues and concerns faced by the hacker community, particularly in the US. With the advent of the "War on Terrorism" hacking is now political whether we want it to be or not. Simple Nomad said, "there are those who consider hacking to be a form of terrorism. Technologies which protect people's privacy, therefore, are more important than ever."

Consider encryption: good tools for encryption are now ubiquitous, but what do you do when simply using these tools brings you under suspicion of evildoing? One approach is to encrypt via steganography, in which otherwise-unused bits in image files are used to transmit encrypted messages covertly. This allows you to hide a message in a way that makes it difficult not only for an eavesdropper to intercept but even to know that you're sending one in the first place. Simple Nomad has been increasingly intrigued by steganography and has been collecting images from public web sites in an attempt to gauge how widespread steganography already is. (According to Simple Nomad, "In the interest of science, in the interest of you, I've gone out and gotten a shitload of porn.")

Using Niels Provos's tool, stegdetect, Simple Nomad has been analyzing steganographic content in these images. Interestingly, he's found little or none in the pornography he's collected (unless he's simply missing some really effectively hidden stego and/or getting distracted by the images' other contents). But he identified two perfectly innocent photos of actress Sandra Bullock that do contain encrypted steganographic messages created by Niels Provos's tool OutGuess.
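Tools like stegdetect decide whether an image "looks embedded" statistically rather than by finding a message. The added example below (written for this page; it is not stegdetect's code and works on raw pixel values, not the JPEG coefficients stegdetect examines) shows the simplest such test, the chi-square pairs-of-values attack: overwriting least-significant bits with message bits makes the histogram counts of each value pair (2k, 2k+1) converge, so a suspiciously good fit to "equal pairs" flags embedding. The cover image is constructed inline as a list of 8-bit samples with an artificial even/odd asymmetry, and `simulate_lsb_embedding` stands in for a full-capacity LSB embed; the function names and the 1.5 times degrees-of-freedom threshold are this example's own choices.

```python
import random

def pairs_of_values_chi2(pixels):
    """Chi-square statistic of the histogram against 'each (2k, 2k+1) pair is balanced'.
    Returns (chi2, degrees_of_freedom); a small chi2 means the pairs are
    suspiciously equal, as full LSB replacement makes them."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, categories = 0.0, 0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        total = n_even + n_odd
        if total == 0:
            continue  # empty pair carries no information
        expected = total / 2.0
        chi2 += (n_even - expected) ** 2 / expected + (n_odd - expected) ** 2 / expected
        categories += 1
    return chi2, max(categories - 1, 0)

def looks_lsb_embedded(pixels, ratio=1.5):
    """Heuristic verdict: chi2 close to its degrees of freedom (the value expected
    under perfectly balanced pairs) is treated as evidence of LSB embedding."""
    chi2, df = pairs_of_values_chi2(pixels)
    return df > 0 and chi2 < ratio * df

def make_cover(n=20000, seed=1):
    """Constructed cover samples: even values three times as common as odd ones,
    mimicking the pair asymmetry a natural image has before embedding."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.25 else 0) for _ in range(n)]

def simulate_lsb_embedding(pixels, seed=2):
    """Replace every LSB with a pseudo-random bit, the effect of embedding an
    encrypted (hence uniformly random) message at full capacity."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

if __name__ == "__main__":
    cover = make_cover()
    stego = simulate_lsb_embedding(cover)
    for name, img in (("cover", cover), ("stego", stego)):
        chi2, df = pairs_of_values_chi2(img)
        print(f"{name}: chi2={chi2:.1f} df={df} embedded={looks_lsb_embedded(img)}")
```

Two caveats worth keeping in mind when reading stegdetect-style results: a message that fills only part of the image balances only the pairs in the region it touched, so this whole-image statistic misses short messages unless it is run over sliding windows; and embedding methods that preserve histogram statistics (OutGuess was designed to do exactly that) defeat the pairs-of-values test, which is why stegdetect uses more specific tests per embedding tool.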

Simple Nomad also has been involved with Cliquenet, a system for people to communicate anonymously over networks.

Simple Nomad's talk was one of the highlights of Def Con 0A on several levels. First, Simple Nomad is an extremely well respected and knowledgeable hacker, besides being an entertaining speaker. Second, inasmuch as one person can serve as spokesperson for such a diverse and ornery group as hackers, Simple Nomad's talk addressed issues that many if not most people in "the scene" have been grappling with lately.

Richard Thieme addressed many of the same issues, but from a somewhat different angle. Thieme is a consultant, speaker and writer, sort of a "hacker philosopher journalist sage". His presentations at security and hacking conventions, often in the form of keynote addresses, are always well attended and well received. Although he is neither an engineer nor a programmer, he understands a great deal about computer security, hacking and technology, and he has filled an important niche in recent years by speaking very eloquently about the relationships between technology, people and spirituality.

This sounds like and is deep, esoteric stuff. But as Darth Elmo has seen him do many times over the years, Richard spoke straight to the heart of some important matters that were right at the front of the audience's minds. Among other things, he reminded us that at its best, hacking is a form of truth-seeking, and that this is therefore important work that absolutely must continue even through difficult times like these--no, especially through times like these. In all it was a stirring and comforting talk, and it ended with the only standing ovation Darth Elmo witnessed at Def Con 0A.

As tempting as it is to end with Richard Thieme, one more speaker is doubtlessly of interest to readers of this web site: Linux Journal's own Mick Bauer, author of the Paranoid Penguin security column and another bosom pal of Darth Elmo's. Mick gave a talk entitled "Stealthful Sniffing, Logging, and Intrusion Detection: Useful and Fun Things You Can Do Without An IP Address".

Mick's presentation combined a simple topic, i.e., running log servers and IDS probes IP-less, with a high level of detail, i.e., listings of actual configuration files (most other Def Con presentations didn't get as far as listing software configuration files). Mick clearly enjoyed himself, getting distracted only briefly when a Def Con Scavenger Hunt contestant streaked naked across the back of the hall.
