Hacking Vegas at Black Hat and DEF CON: One Geek's Experience
You may think the Furry Lil' Sith Lord is talking about a Gambino summit. He's actually talking about hackers.
DEF CON, which began as a relatively small get-together for members of the IS underground, has grown in recent years to become the world's largest and most publicized annual gathering of the diverse groups that comprise Information Systems Security. But despite its growth and more-or-less-mainstream success (measured in numbers and news articles), DEF CON is first and foremost for hackers.
The term "hacker" carries a lot of baggage, and, popular belief to the contrary, many people who call themselves hackers don't break into other people's systems. (Okay, maybe occasionally the systems of people they know, but not anybody who'd mind.) Whether one defines hackers as "computer criminals" or as "those who push computers, networks and even society beyond their creators' imagined limits", the term still has connotations of not-quite-strict legality and nonconformance taken to extremes.
So a few years ago DEF CON's creator, the Dark Tangent (aka Jeff Moss), decided it might be useful to precede DEF CON with an event more friendly to corporate and other "button-down" info-sec types. With the help of some corporate sponsorship he created Black Hat Briefings.
Black Hat has grown even more quickly (and much more profitably) than DEF CON; the two-day event takes place right before DEF CON, also in Las Vegas, and again every few months or so in Amsterdam, Singapore and Hong Kong (sequentially, not simultaneously).
Whereas DEF CON's registration fee is only $50, Black Hat costs $1,095. Also, while DEF CON has taken place for several years at (taken over, actually) the Alexis Park Hotel, Black Hat is held at the exponentially more lavish Caesar's Palace.
Darth Elmo had the good fortune to attend both this year. Unlike many Black Hat attendees he went with somewhat more of an underground perspective, or at least a non-corporate one. And unlike many DEF CON attendees, Darth can remember where he was, what he saw and what he drank for most of the time he was there. Here, then, are one geek's observations and opinions on these two fine events.
Of the two, as befits an expensive commercial event, Black Hat was way better organized and executed. Coffee and bagels ran out too quickly during the pseudo-complimentary breakfasts (complimentary to anybody who'd paid upwards of $1,095 to be there in the first place), but other than that things went smoothly and appeared to be consistent with the published schedule.
And the content itself? Several of the sessions Darth Elmo attended and all three keynotes (one the first morning and one during each of the two lunch banquets) were outstanding. A number of the other talks he attended were less technical and/or original than he'd hoped, though they were probably useful to newcomers to the field. But a few simply didn't deliver as promised; in Darth Elmo's keenly insightful opinion several of the talks he attended in the "Very Technical" track weren't very technical at all.
For example, one session on Automated Penetration Testing (i.e., automating the process of conducting security audits) had plenty of slides with lengthy lists of bullet-points, but absolutely no screenshots or code examples. Worse, it was delivered in a near-monotone. Being both boring and over-general are not the way to a geek's heart.
(Ironically, this particular session got some attention in the press since the system it described could, in theory, be used by anybody to perform a comprehensive penetration test of even complex networks and systems. Darth supposes this could revolutionize the pastime of Script Kiddie-ing, which is a scary thought. But his own suspicion is that the presenter's product, which it turns out the talk was really about, will be an extremely comprehensive but not earth-shattering security scanner; Nessus On Steroids, if you will. But Darth digresses.)
On the other hand, Darth Elmo also sat in on some excellent stuff. The opening keynote by author James Bamford on his experiences researching and writing about the ultra-secretive National Security Agency provided Black Hat with an auspicious start. Mr. Bamford gave a fascinating glimpse into the absurdity which ensues when a government agency needlessly tries to withhold non-sensitive and unclassified information from law-abiding taxpayers.
Jose Nazario gave a chilling but coherent, plausible and technical description of the imminent onset of Internet worms which will not only replicate themselves (what sets worms apart from viruses--viruses depend on other programs to propagate) but will also adaptively mutate themselves in ways that make them both more dangerous and more difficult to identify and neutralize. This lecture came out of research Jose is conducting in his pursuit of a PhD in Biochemistry.
Jay Beale, primary developer of the Bastille Linux system-hardening package, gave an excellent talk on securing Domain Name Services (DNS) and BIND (the most popular DNS package). Jay's talk included both the fundamentals of good DNS security and also specific techniques for and examples of applying them to BIND. He also discussed djbdns, an alternative to BIND.
Hacker-journalist Richard Thieme gave an extremely subtle and deep lunchtime keynote address on reality constructs and how they must adapt as the realities of computer security evolve. He used war in space as a metaphor. For example, consider the general who described high-velocity debris and even paint chips as a major threat to a spacecraft's structural integrity. Since technology has already advanced to the point where plasma/energy-shielding is possible, the general must change his understanding of the reality of threat-models in space. This sort of adaptation is necessary at a number of levels for all of us who deal with the rapidly-evolving world of info-sec.
Thursday's lunchtime keynote by Bruce Schneier was less heady but no less worthwhile. Bruce spoke largely off the top of his head on a range of current topics in cryptography and network security, but focused mainly on the need to rely less on prevention and more on monitoring and prosecution in dealing with computer crime.
In the real world, argues Schneier, we've so far had much more success using criminal justice as a means of deterring and containing crime than we've had with prevention. Similarly, in info-sec we need to pay more attention to intrusion-detection systems and rely less on firewalls. We also should spend more energy on catching and prosecuting computer criminals than on covering up the fallout of their actions.
Some of the afternoon sessions also stood out. Dr. Ian Goldberg of Zero Knowledge Systems gave an extremely technical talk on his successful cryptanalysis (i.e., cracking-wide-open) of the Wired Equivalent Privacy standard, used by wireless networking devices to provide security that is allegedly equivalent to cabled technologies. Descriptions of proofs and formulas that shattered WEP's integrity were interspersed with gleeful exclamations of "The attacker succeeds!", making for a convincing and humorous presentation.
Walter Gary Sharp, a geek-lawyer, held forth on the Legal Implications of Network Defense. Darth Elmo came away from this with the distinct impression that, at least in a general sense, the legal profession is starting to get a clue about how to deal with computer crime. Most of Sharp's examples alluded to non-electronic precedents, and one of Darth's pet rants for the last decade or so has been that cyberspace isn't really that different from meatspace. (Ask anybody who does this stuff for a living: the more of our real-world experience and common sense we apply to the electronic world, the better the whole thing works.)
Jericho gave an extremely iconoclastic and entertaining talk on why his Attrition group had stopped operating their mirror-site of defaced web pages, including a detailed background and history of the mirror.
Defacement mirrors are problematic on the one hand because they tend to glorify hacks whose sole point is macho posturing. (Something like, "Gr33tz to my kr3w! This sysadmin is so lame I hax0r3d his site in like 5 min. bekase he had his C: drive shaired hah hah hah!," etc. If only they all could be as S00p3r 3l33+ as Darth Elmo!). In fact, it's not uncommon for particularly self-esteem-impaired script-kiddies to register a domain-name, set up a phony web site, and then deface it themselves just for the honor of being mirrored.
On the other hand, mirrors also help security administrators and ordinary users alike see tangible results of bad security practices; in that respect they provide a sort of web-security barometer.
The last session our intrepid correspondent attended was an outstanding two-hour talk by the Honeynet Project, led by Lance Spitzner. If you're not familiar with him, Lance is the prolific author of useful hardening-procedures and white papers (his Solaris Hardening paper is required reading for Sun geeks), and a very personable guy besides.
Actually, the Honeynet show resembled a rap performance more than a seminar per se, as it featured a large number of Honeynet team-members (including Jay Beale, Fred Heidt and Marty Roesch), who alternated with Lance in relating the Honeynet story. And a compelling story it is.
A honeypot is a system deliberately left unsecured, usually in order to distract attackers' time and energy from one's "real" (important) systems; a honeynet is a whole network used for this purpose. The Honeynet Project's goal is to amass as much data and intelligence on current hacking/intrusion techniques as possible.
Darth Elmo's furry lil' opinion is that standalone honeypots are generally a waste of time for system administrators interested in protecting crucial systems. Such people should instead concentrate on securing those crucial systems, monitoring their logs, keeping their software and OSes up-to-date, etc.
But as a research project he finds the Honeynet Project fascinating. It seems to Darth that Lance et. al. are providing the Internet community with an immediately useful body of data that will help greatly in the construction of sane and reality-based threat models (i.e., in helping us identify real vs. unlikely threats to system/network security).
Are you following all this? 'Cause we're getting to the juicy stuff: DEF CON 9.
As enlightening and worthwhile as Black Hat is, it's expensive. And as Darth Elmo explained at the beginning of this dispatch, DEF CON came first. DEF CON is to Black Hat what Slackware is to Red Hat: it's been around longer, the full experience costs less, it's a lot less user-friendly and most hard-core hackers vastly prefer it.
So, what did Darth Elmo do at DEF CON? At least, what is he willing to disclose? Many a fun and interesting thing, to be sure.
Naturally he attended a lot of presentations: Web Security Survey in China; Firewalling WEP; How To Be an Independent Security Consultant; Bastille Redux & Direction (by Darth Elmo's most excellent playground friend Jay Beale, an InfoSec Badass of the First Order); Centralized Anonymity: the Rendezvous System (by Dr. Goldberg); and Creating a Stealth IDS w/ OpenBSD, Linux, and Snort were particularly interesting.
One pleasant surprise was a Hacktivism panel moderated by members of the Cult of the Dead Cow. This was surprisingly thoughtful, relevant and serious, and stood in stark contrast to the cDc's usual DEF CON posturing. Most of the talking was done by Patrick Ball, Deputy Director of the American Association For the Advancement of Science. Mr. Ball is a hacker-activist involved with human-rights activities around the world.
The press tends to use the word "hacktivism" to describe the defacement of web sites for allegedly political reasons, but in Darth Elmo's definitive opinion the term should be reserved for people like Mr. Ball who actually do things with their skills. Encrypting communications and creating dependable databases for political watchdog groups is infinitely more elite than replacing some minor government office's web page with a hacked one for six hours on a Sunday night.
(DE wishes at this point to acknowledge an assist from tmns, without whose notes the previous two paragraphs would not have contained as many proper nouns.)
Last but not least was Peter Shipley's outstanding description of his adventures Wardriving in downtown San Francisco. Wardriving (or, as Shipley actually prefers to call it, "LANJacking") is to many security geeks either a scary threat or good clean fun, depending on who's doing it.
The idea is simple: if you sit in the back of a van with a wireless-network-card-equipped laptop computer which you've programmed to go into "discovery" mode repeatedly, then you can identify an awful lot of unsecured wireless access points (hubs) by driving around any urban center. By triangulating, using a GPS receiver and analyzing signal strength, you can make good guesses at said access points' probable locations.
You might be interested to know that very few people whose wireless networks support WEP actually bother to turn it on. Broken encryption is lame, but broken encryption that isn't even turned on is infinitely more so.
As if all that weren't entertaining enough, depending on the lay of the land you can connect to a wireless network from miles away (i.e., far beyond its advertised effective range) using an $80 dish antenna from Radio Shack. Mr. Shipley and his pals have reportedly connected to access points in San Francisco from 13 miles away in the hills of Berkeley. Evil Pete even claims to have connected to wireless LANS while driving down the freeway at 80 MPH.
(The age of drive-by hacking is here--be afraid, be vigilant and use encryption wherever possible!)
In summary, DEF CON had the same high overall level of presentation quality as Black Hat. Hot technologies covered in depth in Black Hat were also covered in DEF CON, often by the same speakers.
But don't start thinking that the two are interchangeable. DEF CON had game shows!
Your fearless Hacking Correspondent was there for most of these. One perennial favorite at DEF CON is the Spot the Fed contest: if at any point you notice a suspicious, federal-looking attendee and point him or her out to a DEF CON Goon, you might win a T-shirt that says "I spotted the Fed!" (The Fed receives one that says "I am the Fed!" Darth Elmo's colleague tmns reports that the latter are highly-prized Fed work attire, so much so that Feds have been known to finger each other at DEF CON.)
Spot the Feds runs for the entire convention, but this year there was also a panel discussion called Meet the Feds, the purpose of which was for a panel of various investigators and spooks from the US Government to give their best shot at presenting a human, benevolent face. However, before the actual panel-discussion began, Priest invited the audience to finger any suspected Fed among them (i.e., a Fed not sitting on the panel, all of whom were as obvious as the tattoos on MrMojo's arms).
Sure enough, an observant hacker near the front of the hall correctly identified a gentleman sitting near him as a Fed. This agent, being a good sport, stood up and answered questions from the audience about his weapons rating, computer training, etc. One friendly audience member even asked "Do you want a beer?" The Fed answered in the affirmative, and was presented with a cold bottle of beer, which he clearly needed given that the temperature in the tent in which this event was held never dropped below 95°F.
The purpose of this Q & A was to guess which federal agency this man worked for. Ultimately it was revealed that he was an FBI agent. The subsequent panel discussion was interesting, but not nearly as funny--Priest is as entertaining an emcee as he is formidable a bouncer, but he relinquished the microphone to drier wits when his impromptu Spot the Fed contest was done.
Actual game shows that were held included the TCP/IP Drinking Game and Hacker Jeopardy, also a drinking game. (The host, Winn Schwartau, easily held his own with the young contestants. Sadly, the heavily favored Drunken Whores team didn't make it to Round Two, despite living up to their name most admirably). New this year was Schwartau's game Cyberethical Surfivor ("Surf-ivor," as in "Surf the Web"--get it?).
The object of this last event was to credibly answer a series of ethical questions without being voted out of the game by the other contestants. Few of the questions actually seemed to deal with ethics, but it was still engaging. Also, since it didn't involve drinking, a wider range of participants were allowed and, as a matter of fact, a 15-year-old won.
And that, in a nutshell, is what Darth Elmo did on his summer vacation. He hopes he sees you at DEF CON 10 next year (but he'd better not see you in his system-logs in the mean time)!