Defcon 19 was held this past weekend in a brand new venue, the Rio. It was a nice setup, although at times the space felt a little too small to comfortably accommodate the 10,000+ kids of all ages, sizes, genders and (sometimes it seemed) species. Some of the talks were so popular that we had to wait in long lines to get in, and some people ended up sitting on the floor. Not that anyone seemed to mind — unlike at BlackHat, even the attorneys weren't wearing suits or dresses — although I did see a number of people who dressed up for the occasion, complete with blue or pink hair.
Perhaps the difference between the two conferences is best illustrated by a look at the attendee badges. In the photo below, the BlackHat badge is on the right; it looks like any other conference badge. On the left is the Defcon badge; it doesn't look like a conference badge at all, but more like some exotic talisman. It's made of titanium and there's no name, since many of the hackers in attendance want to remain anonymous - just a cryptic alpha numeric designation, in my case, P-52.
The difference between BlackHat and Defcon is exemplified by the difference in the attendee badges.
There are different shaped badges for different classes of attendees: The pentagon with the Eye of Horus cutout designates a member of the press, a sheriff's-style star within a circle is for law enforcement, and there were other shapes and designs to identify vendors, speakers, "goons" (Defcon staff), "uber," and Humans (everybody else). The badges are an integral part of a puzzle-based reality game that attendees could participate in (or not).
I only got to attend the first day, as I had to leave Las Vegas on Saturday, just as things were getting revved up. But it was a fun-filled and information-packed day, beginning with a fascinating peek into the world of strategic planning for offensive cyber ops brought to us by Chris Cleary with the U.S. military's Cyber Command. The focus was on how a rigid, hierarchical structure like the military can work effectively with the free-form hacker community and how the strengths of each can complement one another. We got a deep dive into "milspeak," learning about everything from the difference between tactics and techniques to the spectrum of conflict with its operational themes and elements. We heard about Schriever Wargame (a multi-service, multi-agency space/cyberspace exercise) and then walked through a detailed analysis of the attack that was planned, carried out and ultimately thwarted in the movie "Live Free, Die Hard."
The second session I attended was titled, in the true spirit of Defcon, "WTF Happened to the Constitution?" Michael Schearer, aka "theprez98," took us through the history of privacy law and how the U.S. Constitution, legislation, and case law protect our rights to privacy — and how they increasingly don't.
Another very interesting presentation at Defcon was given by Semon Rezchikov and Joshua Engelman, who talked about the FAST and SPOT airport security programs that rely on the same sorts of observational techniques and microexpression analysis used by the character Dr. Cal Lightman in the cancelled TV program "Lie to Me." They had prepared a demonstration of the use of an infrared camera but unfortunately, there were "technical difficulties" and time ran out.
Semon Rezchikov and Joshua Engelman talk about airport security.
Net neutrality is a big issue in the tech industry these days, and a panel discussion about the topic was well attended. A little surprisingly, given the somewhat anti-government leanings of many of the members of this crowd, most panel members (or at least the most vocal ones) seemed to be in favor of additional government regulation to force neutrality practices on ISPs. That viewpoint was challenged by some in the audience during the Q&A period.
One of the most fascinating and practically useful (in my opinion) sessions was titled, "Staying Connected during a Revolution or Disaster." Thomas Wilhelm provided a downloadable Android app that can be used to create ad hoc wireless networks with smart phones when cellular service is not available, for disseminating information and staying in touch with family and friends, contacting emergency services and more. It's called the Auto-BAHN project and the ultimate goal is to have phone vendors and/or wireless providers include the software in all devices so it will be available to everyone in case of a critical emergency situation. You can find out more about it at http://hackerdemia.com
The Malware Freak Show session was another "standing room only" presentation, in which Nicholas Percoco and Jibran Ilyas of Spiderlabs demonstrated and analyzed four different types of malware that could be used at grocery stores, bars, etc. to capture credit card information.
Finally, I went to another panel discussion, this one about "The Year in Digital Civil Liberties" populated by attorneys, technologists, and other staff members with the Electronic Frontier Foundation (EFF). The format was loosely defined with topics stemming from questions from the audience; these ranged from bills in Congress giving the president power to flip an "Internet Kill Switch" (removed after the Egyptian uprising) to liabilities involved in operating open wireless networks to frivolous software patents to search and seizure issues involving cell phones and laptops (including the issue of compelling decryption) to the Wikileaks case. There was plenty of information packed into one short hour.
"The Year in Digital Civil Liberties" with panel members from the EFF
I wish I'd been able to attend the Saturday and Sunday sessions, as there were many more fascinating-sounding presentations and panel discussions on the agenda. Although BlackHat is certainly the more prestigious of the two conferences, I have to say you get a lot more "bang for the buck" at Defcon - not to mention the fact that it's just a lot more fun.
Next year, Defcon turns 20. Will it lose some of the playfulness and rebellious spirit when it's no longer a teenager? I doubt it. I plan to be there to find out.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.