Why You Should Go to Defcon

by Andrew A. Vladimirov

Everyone remotely related to IT security or IT in general knows about Defcon, and I am no exception. Unfortunately Las Vegas is far away from Bristol, England. I also had no spare time to make it to Defcon in previous years, as I was busy setting up my own IT security company. This year, however I was determined to go. I had coauthored a book on wireless hacking and security, to be published in late Autumn, and had been invited to Defcon by one of the world experts in Wi-Fi security to discuss my ideas. The meeting also would give me the chance to discuss my views with the main experts in the field, whose attack tools and methodologies I wrote about in my book.

At Heathrow, I ran into a long ugly queue due to additional security checks. Because I am not European enough (I have Ukrainian citizenship), I was pulled from the queue and subjected to five additional checks and searches. Despite its great efforts, security didn't find a non-existing bomb or a pair of scissors, and I happily landed in Pittsburgh, Pennsylvania. Customs there were far friendlier; the only remarkable memory is their utter surprise when I said I was flying to attend the most famous information security and hacking conference in the world. "What, in Pittsburgh?", they asked.

The flight from Pittsburgh to Vegas was more fun. A guy next to me was surprised when I started reading Bob Neveln's Linux Assembly Programming. I in turn was surprised by his fascination. Eric, as his name happened to be, also was flying to Defcon and was studying computer science at an Ivy League university. His surprise was attributed to the fact that I was dressed in a suit and wore a CISSP badge. He assumed I must be from management (I am) and thus should not have any interest in Linux or assembly. He also asked me if the (ISC)2 Code of Ethics allows me to hang out with hackers at Defcon. The confusion didn't last long, however, and soon laptops were pulled out (we both happened to run Debian). I set mine up as an access point using Jouni Malinen's HostAP driver to swap various pentesting-related code. This might have been the highest and fastest flying custom-built Linux access point ever.

When we landed, I learned that Eric had nowhere to stay, so he crashed in my room. He had been to Defcon before, and so the next day I had a guide to show me around. Of course, I grabbed my Zaurus with both Kismet and Wellenreiter installed to see how abundant and secure the local wireless LANs were. Just after leaving the hotel I detected a dozen access points; only three of them were WEP-enabled. In general, the density of wireless LANs in Vegas is comparable to London, but Vegas has more connected clients per deployed access point and more non-802.11 networks such as TurboCells in action.

As for enabled WEP, Vegas averaged around 27%, which is 5% less than our estimate for London. Approximately the same ratio applies to access points running unchanged default configuration. US wireless LANs aren't more secure, after all, and the wardriving competition at Defcon demonstrated the same results I found while walking around with my Zaurus and old D-Link CF card. Apparently, you don't need high gain antennas and cars to collect a reliable amount of statistics--a pair of trainers and a small PDA with a client card is sufficient.

Defcon registration is cheap, $75 for a conference with such potential. The audience ranges from hackers to feds, but the major split is between what I call groupies and geeks. The groupies come for fun and fun, while the geeks come for fun and knowledge. The groupies mainly are in their teens and early twenties; the geeks span all ages and backgrounds. While the groupies stick together, trade software and hover around the hacker movies hall and organized parties, the geeks are more individualistic, attend the talks, chase presenters round the clock and participate in the more serious competitions, such as the Defcon Wardrive. It was quite amusing to see a large flock of groupies trading various Windows software in a hall using Defcon's wireless LAN. A few of the serious lads clearly were eavesdropping on this traffic and launching various man-in-the-middle attacks. After a short thought, I joined the sniffers.

In general, I was rather surprised by a large amount of youngsters trying to do everything possible to look like a hacker and modeling their appearance and behavior after popular hacker-related fictional heroes, such as Neo. This manifestation of hacker culture does not seem to be present in the UK, at least not to such an extent. Of course, the real hackers, many of whom were presenters at Defcon talks, at most would wear a witty Thinkgeek/Jinxwear T-shirt and seem totally innocuous.

As for the presentations themselves, the majority I attended were superb and very practical. They provided information you can use straight away and demonstrated new tools out for downloading, the features and inner workings being explained by the creators. It was striking that very few presenters were representatives of well known IT companies or what the general public thinks of as the IT industry. The majority were individual, independent security consultants, often running their own companies, or enthusiasts programming and researching for fun--in one word, hackers, in the definition of the word I support.

At the same time most well-known IT industry giants were under-represented, as if the major insecurities in their products discussed at the conference do not touch these companies at all. Of course, you cannot determine the precise composition of an audience, but I would have expected at least some questions or comments from representatives of major companies after the talks.

It is impossible to determine which presentation was the best, and because there were three overlapping lines of talks, I made it to only one-third of the presentations. For the rest of the talks I had to be satisfied with the Defcon CD given out during registration.

The presentations I remember most are Fyodor's (the Nmap author) "Advanced Network Recon Techniques" and a group talk on "Abusing 802.11". Apparently, there are some things about Nmap I didn't know despite using this wonderful tool for many years. As for the 802.11 abuse, it was pure joy (all right, I waited six months to attend it, and thus my opinion is subjective). An unforgettable moment was a full hall loudly cheering in the darkness at the news of a new version of Kismet, with those who couldn't get a seat cheering outside. The same level of enthusiasm met other new (or nearly new) tools and attacks, including the improved cracking of the Cisco LEAP authentication protocol and a method of portscanning through a wireless LAN protected by WEP, without even knowing the key. If there still are people who think wardriving is fiction, that no one uses anything more advanced than Netstumbler for wireless hacking, that WEP (or even the current version of WPA) provides a reasonable level of security and that wireless threats are just a popular media scare, this talk was your wake-up call.

As well as being very informative, Defcon is fun. Unfortunately, I couldn't sign up for both the Defcon Wardrive and the Wireless Shootout, even though it was tempting. You needed to register as part of a five-member team for the Wardrive, and bringing all the necessary equipment, especially high gain antennas, from the UK is too much hassle. I would have hated having to explain to various security officials what each piece of equipment was. It was just as well that the competitions overlapped with many presentations I needed to attend; nothing is perfect. However, the number of competitions available is large and ranges from dumpster diving and lock picking contests to coffee wars. And, of course, there is Hacker Jeopardy. I've been told that the questions at the contest are hard, but that wasn't the case. In fact, many questions did not relate to hacking or IT at all. Nevertheless, Hacker Jeopardy is great fun reinforced by stripteases and lager, although calling Bud Light beer should be the only remaining reason for capital punishment.

This year the contest was decorated by Kevin Mitnick, whose team actually won the Jeopardy tournament. It was Kevin's first Defcon after the ban on attending hacker gatherings was lifted this year, and he was warmly welcomed back to the family by Defcon organizers at the closing ceremony. Kevin appeared to be pleasant to talk with, easy going and open--nothing like the cybercriminal monster traditionally depicted by the media. Nor did he look like the guy who played Kevin in The Takedown movie; perhaps we shouldn't trust the blue screen of deception as much as we do.

The conference proved to me what I already knew: unfortunately, the IT security industry still lags behind the hacking/cracking underground, and as long as the arrogance of the security community and its general snobbery persist it will remain this way. My existing views that an Oxbridge or Ivy League computer science degree does not teach real-world IT security were reinforced in spades at Defcon. Even well-respected certificates, such as CISSP, assume you have three years of full-time information security work experience rather than assuming you have passed a week-long "how to pass an exam" course and got the certificate because your company management decided it was needed. I felt more at home intellectually at Defcon, with all the "evil hackers" around, than I've felt at many of the official meetings with so-called industry security professionals I have to attend. If you do not have a real fascination with computer security or even an obsession, then you make a lousy security expert. There are too many Armani-suited security professionals and not enough anoraks.

To draw the bottom line, Defcon is a great celebration of hacker culture and knowledge. It definitely is worth attending if you are an IT security professional, especially one in the UK, which has no comparable equivalent. At least Germany has the Chaos Communication Camp. Suspend your stereotypes of the underground, and dive into it for fun and knowledge. Both are essential for proper understanding of information security as it is, away from the artificial boundaries and opinions imposed by textbooks and official certification courses. Welcome to reality.

Andrew Vladimirov is head of security for Arhont.com and has co-written WiFoo, the first practical guide to wireless penetration testing and hardening. He also wrote the chapter on wireless security for Network Security: The Complete Reference.