Why You Should Go to Defcon

Everyone remotely related to IT security
or IT in general knows about Defcon, and I am no exception.
Unfortunately Las Vegas is far away from Bristol, England. I also
had no spare time to make it to Defcon in previous years, as I was
busy setting up my own IT security company. This year, however, I
was determined to go. I had coauthored a book on wireless hacking
and security, to be published in late Autumn, and had been invited
to Defcon by one of the world experts in Wi-Fi security to discuss
my ideas. The meeting also would give me the chance to discuss my
views with the main experts in the field, whose attack tools and
methodologies I wrote about in my book.

At Heathrow, I ran into a long ugly queue due to additional
security checks. Because I am not European enough (I have Ukrainian
citizenship), I was pulled from the queue and subjected to five
additional checks and searches. Despite its great efforts, security
didn't find a non-existing bomb or a pair of scissors, and I
happily landed in Pittsburgh, Pennsylvania. Customs there were far
friendlier; the only remarkable memory is their utter surprise when
I said I was flying to attend the most famous information security
and hacking conference in the world. "What, in Pittsburgh?", they
asked.

The flight from Pittsburgh to Vegas was more fun. A guy next
to me was surprised when I started reading Bob Neveln's
Linux Assembly Programming. I in turn was
surprised by his fascination. Eric, as his name happened to be,
also was flying to Defcon and was studying computer science at an
Ivy League university. His surprise was attributed to the fact that
I was dressed in a suit and wore a CISSP badge. He assumed I must
be from management (I am) and thus should not have any interest in
Linux or assembly. He also asked me if the (ISC)2 Code of Ethics
allows me to hang out with hackers at Defcon. The confusion didn't
last long, however, and soon laptops were pulled out (we both
happened to run Debian). I set mine as an access point using Jouni
Malinen's HostAP driver to swap various pentesting-related code.
This might have been the highest and fastest flying custom-built
Linux access point ever.

When we landed, I learned that Eric had nowhere to stay, so
he crashed in my room. He had been to Defcon before, and so the
next day I had a guide to show me around. Of course, I grabbed my
Zaurus with both Kismet and Wellenreiter installed to see how
abundant and secure the local wireless LANs were. Just after
leaving the hotel I detected a dozen access points; only three of
them were WEP-enabled. In general, the density of wireless LANs in
Vegas is comparable to London, but Vegas has more connected clients
per deployed access point and more non-802.11 networks such as
TurboCells in action.

As for enabled WEP, Vegas averaged around 27%, which is 5%
less than our estimate for London. Approximately the same ratio
applies to access points running unchanged default configuration.
US wireless LANs aren't more secure, after all, and the wardriving
competition at Defcon demonstrated the same results I found while
walking around with my Zaurus and old D-Link CF card. Apparently,
you don't need high gain antennas and cars to collect a reliable
amount of statistics--a pair of trainers and a small PDA with a
client card is sufficient.

Defcon registration is cheap, $75 for a conference with such
potential. The audience ranges from hackers to feds, but the major
split is between what I call groupies and geeks. The groupies come
for fun and fun, while the geeks come for fun and knowledge. The
groupies mainly are in their teens and early twenties; the geeks
span all ages and backgrounds. While the groupies stick together,
trade software and hover around the hacker movies hall and
organized parties, the geeks are more individualistic, attend the
talks, chase presenters round the clock and participate in the more
serious competitions, such as the Defcon Wardrive. It was quite
amusing to see a large flock of groupies trading various Windows
software in a hall using Defcon's wireless LAN. A few of the
serious lads clearly were eavesdropping on this traffic and
launching various man-in-the-middle attacks. After a short thought,
I joined the sniffers.

In general, I was rather surprised by a large number of
youngsters trying to do everything possible to look like a hacker
and modeling their appearance and behavior after popular
hacker-related fictional heroes, such as Neo. This manifestation of
hacker culture does not seem to be present in the UK, at least not
to such an extent. Of course, the real hackers, many of whom were
presenters at Defcon talks, at most would wear a witty
Thinkgeek/Jinxwear T-shirt and seem totally innocuous.

As for the presentations themselves, the majority I attended
were superb and very practical. They provided information you can
use straightway and demonstrated new tools out for downloading, the
features and inner workings being explained by the creators. It was
striking that very few presenters were representatives of well
known IT companies or what the general public thinks of as the IT
industry. The majority were individual, independent security
consultants, often running their own companies, or enthusiasts
programming and researching for fun--in one word, hackers, in the
definition of the word I support.

At the same time most well-known IT industry giants were
under-represented, as if the major insecurities in their products
discussed at the conference do not touch these companies at all. Of
course, you cannot determine the precise composition of an
audience, but I would have expected at least some questions or
comments from representatives of major companies after the
talks.

It is impossible to determine which presentation was the
best, and because there were three overlapping lines of talks, I
made it to only one-third of the presentations. For the rest of the
talks I had to be satisfied with the Defcon CD given out during
registration.

The presentations I remember most are Fyodor's (the Nmap
author) "Advanced Network Recon Techniques" and a group talk on
"Abusing 802.11". Apparently, there are some things about Nmap I
didn't know despite using this wonderful tool for many years. As
for the 802.11 abuse, it was pure joy (all right, I waited six
months to attend it, and thus my opinion is subjective). An
unforgettable moment was a full hall loudly cheering in the
darkness at the news of a new version of Kismet, with those who
couldn't get a seat cheering outside. The same level of enthusiasm
met other new (or nearly new) tools and attacks, including the
improved cracking of the Cisco LEAP authentication protocol and a
method of portscanning through a wireless LAN protected by WEP,
without even knowing the key. If there still are people who think
wardriving is fiction, that no one uses anything more advanced than
Netstumbler for wireless hacking, that WEP (or even the current
version of WPA) provides a reasonable level of security and that
wireless threats are just a popular media scare, this talk was your
wake-up call.

As well as being very informative, Defcon is fun.
Unfortunately, I couldn't sign up for both the Defcon Wardrive and
the Wireless Shootout, even though it was tempting. You needed to
register as part of a five-member team for the Wardrive and
bringing all the necessary equipment, especially high gain
antennas, from the UK is too much hassle. I would have hated having
to explain to various security officials what each piece of
equipment was. It was just as well that the competitions overlapped
with many presentations I needed to attend; nothing is perfect.
However, the number of competitions available is large and ranges
from dumpster diving and lock picking contests to coffee wars. And,
of course, there is Hacker Jeopardy. I've been told that the
questions at the contest are hard, but it wasn't the case. In fact,
many questions did not relate to hacking or IT at all.
Nevertheless, Hacker Jeopardy is great fun reinforced by
stripteases and lager, although calling Bud Light beer should be
the only remaining reason for capital punishment.

This year the contest was decorated by Kevin Mitnick, whose
team actually won the Jeopardy tournament. It was Kevin's first
Defcon after the ban on attending hacker gatherings was lifted this
year, and he was warmly welcomed back to the family by Defcon
organizers at the closing ceremony. Kevin appeared to be pleasant
to talk with, easy going and open--none of the cybercriminal
monster traditionally depicted by the media. Nor did he look like
the guy who played Kevin in The Takedown
movie; perhaps we shouldn't trust the blue screen of deception as
much as we do.

The conference proved to me what I already knew:
unfortunately, the IT security industry still lags behind the
hacking/cracking underground, and as long as the arrogance of the
security community and its general snobbery persist it will remain
this way. My existing views that an Oxbridge or Ivy League computer
science degree does not teach real-world IT security were
reinforced in spades at Defcon. Even well-respected certificates,
such as CISSP, assume you have three years of full-time information
security work experience rather than assuming you have passed a
week-long "how to pass an exam" course and got the certificate
because your company management decide it is needed. I felt more at
home intellectually at Defcon, with all the "evil hackers" around,
than I've felt at many of the official meetings with so-called
industry security professionals I have to attend. If you do not
have a real fascination with computer security or even an
obsession, then you make a lousy security expert. There are too
many Armani-suited security professionals and not enough
anoraks.

To draw the bottom line, Defcon is a great celebration of
hacker culture and knowledge. It definitely is worth attending if
you are an IT security professional, especially one in the UK,
which has no comparable equivalent. At least Germany has the Chaos
Communication Camp. Suspend your stereotypes of the underground,
and dive into it for fun and knowledge. Both are essential for
proper understanding of information security as it is, away from
the artificial boundaries and opinions imposed by textbooks and
official certification courses. Welcome to reality.

Andrew Vladimirov is head of
security for Arhont.com and has co-written WiFoo, the first
practical guide to wireless penetration testing and hardening. He
also wrote the chapter on wireless security for Network
Security: The Complete Reference.
email: andrew@arhont.com

Comments
Re: What is an anorak?
What is an anorak?
-Thane Eichenauer
Google
g00gle iT, honestly google is ya friend, maybe ;)
Re: What is an anorak?
A sufferer of "Anoraksia Nervosa". A condition that can only be treated by repeated exposure to a command line interface and massive consumption of pizza and beer. Sadly, there is no known cure ;-)
Re: What is an anorak?
A warm jacket with hood, made of fur, invented by the Inuit (aka Eskimo). Nowadays usually with artificial fur.
Here: Person wearing such a thing. It is very non-formal clothing except where it belongs.