
Deb does DEFCON: Hacking conference tackles cyberwar and civil liberties

There's a little more rebellion and fun among the free spirits at DEFCON after the more buttoned-down BlackHat, according to Deb Shinder. But the topics are serious business.

Defcon 19 was held this past weekend in a brand new venue, the Rio. It was a nice setup, although at times the space felt a little too small to comfortably accommodate the 10,000+ kids of all ages, sizes, genders and (sometimes it seemed) species. Some of the talks were so popular that we had to wait in long lines to get in, and some people ended up sitting on the floor. Not that anyone seemed to mind -- unlike at BlackHat, even the attorneys weren't wearing suits or dresses -- although I did see a number of people who dressed up for the occasion, complete with blue or pink hair.

Perhaps the difference between the two conferences is best illustrated by a look at the attendee badges. In the photo below, the BlackHat badge is on the right; it looks like any other conference badge. On the left is the Defcon badge; it doesn't look like a conference badge at all, but more like some exotic talisman. It's made of titanium and there's no name, since many of the hackers in attendance want to remain anonymous -- just a cryptic alphanumeric designation, in my case, P-52.

The difference between BlackHat and Defcon is exemplified by the difference in the attendee badges.

There are different shaped badges for different classes of attendees: The pentagon with the Eye of Horus cutout designates a member of the press, a sheriff's-style star within a circle is for law enforcement, and there were other shapes and designs to identify vendors, speakers, "goons" (Defcon staff), "uber," and Humans (everybody else). The badges are an integral part of a puzzle-based reality game that attendees could participate in (or not).

I only got to attend the first day, as I had to leave Las Vegas on Saturday, just as things were getting revved up. But it was a fun-filled and information-packed day, beginning with a fascinating peek into the world of strategic planning for offensive cyber ops brought to us by Chris Cleary with the U.S. military's Cyber Command. The focus was on how a rigid, hierarchical structure like the military can work effectively with the free-form hacker community and how the strengths of each can complement one another. We got a deep dive into "milspeak," learning about everything from the difference between tactics and techniques to the spectrum of conflict with its operational themes and elements. We heard about Schriever Wargame (a multi-service, multi-agency space/cyberspace exercise) and then walked through a detailed analysis of the attack that was planned, carried out and ultimately thwarted in the movie "Live Free or Die Hard."

The second session I attended was titled, in the true spirit of Defcon, "WTF Happened to the Constitution?" Michael Schearer, aka "theprez98," took us through the history of privacy law and how the U.S. Constitution, legislation, and case law protect our rights to privacy -- and how they increasingly don't.

Another very interesting presentation at Defcon was given by Semon Rezchikov and Joshua Engelman, who talked about the FAST and SPOT airport security programs that rely on the same sorts of observational techniques and microexpression analysis used by the character Dr. Cal Lightman in the cancelled TV program "Lie to Me." They had prepared a demonstration of the use of an infrared camera but unfortunately, there were "technical difficulties" and time ran out.

Semon Rezchikov and Joshua Engelman talk about airport security.

Net neutrality is a big issue in the tech industry these days, and a panel discussion about the topic was well attended. A little surprisingly, given the somewhat anti-government leanings of many of the members of this crowd, most panel members (or at least the most vocal ones) seemed to be in favor of additional government regulation to force neutrality practices on ISPs. That viewpoint was challenged by some in the audience during the Q&A period.

One of the most fascinating and practically useful (in my opinion) sessions was titled, "Staying Connected during a Revolution or Disaster." Thomas Wilhelm provided a downloadable Android app that can be used to create ad hoc wireless networks with smartphones when cellular service is not available, for disseminating information and staying in touch with family and friends, contacting emergency services and more. It's called the Auto-BAHN project and the ultimate goal is to have phone vendors and/or wireless providers include the software in all devices so it will be available to everyone in case of a critical emergency situation. You can find out more about it at http://hackerdemia.com.

The Malware Freak Show session was another "standing room only" presentation, in which Nicholas Percoco and Jibran Ilyas of Spiderlabs demonstrated and analyzed four different types of malware that could be used at grocery stores, bars, etc. to capture credit card information.

Finally, I went to another panel discussion, this one about "The Year in Digital Civil Liberties" populated by attorneys, technologists, and other staff members with the Electronic Frontier Foundation (EFF). The format was loosely defined with topics stemming from questions from the audience; these ranged from bills in Congress giving the president power to flip an "Internet Kill Switch" (removed after the Egyptian uprising) to liabilities involved in operating open wireless networks to frivolous software patents to search and seizure issues involving cell phones and laptops (including the issue of compelling decryption) to the Wikileaks case. There was plenty of information packed into one short hour.

"The Year in Digital Civil Liberties" with panel members from the EFF

I wish I'd been able to attend the Saturday and Sunday sessions, as there were many more fascinating-sounding presentations and panel discussions on the agenda. Although BlackHat is certainly the more prestigious of the two conferences, I have to say you get a lot more "bang for the buck" at Defcon -- not to mention the fact that it's just a lot more fun.

Next year, Defcon turns 20. Will it lose some of the playfulness and rebellious spirit when it's no longer a teenager? I doubt it. I plan to be there to find out.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

2 comments
pkokkinis

I attended Defcon 18 at the Riviera and can say it was interesting. I was a bit put back by all the attendees on the first day, Friday, in such a small venue. By Saturday afternoon, I was completely exhausted by sitting in all the lines for the popular talks. Fast forward one year to Defcon 19 at the Rio: When I plunked down my 150 clams, I was rewarded with a laminated piece of paper that said Defcon 19 -- no hackable circuit board badge as was in Defcon 18, nor the titanium sheriff's badge as was this year's. After speaking to some goons I had met the previous year, the Defcon coordinators chose to only make 10K titanium badges for this year's conference, obviously wanting to capitalize even more (There was over 10K in attendance at Defcon 18 and the show was at the tiny Riviera, plus, growing astronomically year over year, so why only 10K?). Anyway, I really liked the Rio, but registration for the badge was still a mess. The swag line was a gajillion people long. The talks were meh. I was really hoping the conference being held this year at the Rio would make it more exciting and cool for me, but can honestly say it was a total waste of time. The admission price is tiny compared to what my time was worth when I can easily learn about anything offered at Defcon using a simple Google search, sans the Defcon attitude and introverted freaks of nature that have attended these events. Fool me once, shame on you. Fool me twice, shame on me and FU to your future events.

hippiekarl

about after YOU spoke to them, they chose to make only 10K badges this time? Why do you suppose they waited to hear from you first, as attendees were already showing up?! Sounds like the 'introverted freaks of nature' weren't so problematic for you at Defcon 18, but THIS time........what? I get the impression that everyone except you enjoyed themselves this year; maybe you just got owned in the poker room or some such......
