DEF CON 19: Hide Your Passwords. Hide Your Laptop. Hide Your Phone. They’re Hacking Er’body Out Here
THE Tech Scoop, August 11, 2011, Tech

[Image: DEF CON: The Holy Grail of nerdgasm (image courtesy of Wikipedia).]

To the lost bets of our co-workers, my fiancé and I did not get married this past weekend in Las Vegas. We did something FAR better… we reached the Holy Grail of nerdgasm: DEF CON 19, the world’s largest hacker convention. Back to back with the prestigious Black Hat Technical Security Conference, the Cash-Only-Anonymity-Above-All 19th annual DEF CON had an estimated crowd of over 15,000, more than twice as many attendees as the Black Hat conference, though many of them were wanderers from Black Hat. The contrast between the two conferences was so blatant, it was like Alice suddenly plummeting into the Mad Hatter’s tea party in Wonderland right after enjoying Earl Grey with British aristocrats. In this case, it was migrating from the grand Caesars Palace to the Mohawk-ruled Rio Hotel.

As soon as we arrived on Thursday afternoon, the line for badge purchase was anywhere from 3,000 to 4,000 people long. Twitter was blowing up with tweets like “it’s been 2 hours and I’m still in the back of the line” and “where is the end of this line?” When we finally received our badges and made our way to the buffet, the line seemed to have been standing still.

[Image: Getting a badge to the Holy Grail isn't easy... you're competing with 15K other hopefuls.]

I admit, most of the presentations were too technical for my “sub-human” mind to comprehend. (“Human” refers to all attendees who were not DEF CON speakers, while speakers were labeled “Inhuman.” “Sub-human” is my term for myself, a person who has only appreciation and awe for technology. No understanding.) But there were a few incredible takeaways from the presentations that have forever changed the way I tease my InfoSec fiancé.

[Image: Guide to help you navigate through the Holy Grail.]
One panel discussion in particular was titled “Whoever Fights Monsters… Confronting Aaron Barr, Anonymous, and Ourselves.” This talk focused on the vast potential of hacking for the betterment of the world, also known as hacktivism. It explored the option of using highly inventive hacking methods to penetrate, expose, and debilitate child exploitation sites and terrorist organizations. Major hacker groups such as LulzSec and Anonymous have mainly targeted large corporations and, consequently, their consumers. Panel speakers posed the question: “If you really want to make a difference in the world as vigilantes, why not take down the real scum?”

Another fascinating talk that appealed even to a non-techie like me was Moxie Marlinspike’s SSL And The Future Of Authenticity. He analyzed the effectiveness and security of major Certificate Authorities such as VeriSign, then proposed alternative ways for the public to further protect their privacy and certificate authenticity on the Internet. You can read more about the talk on his blog here.

[Image: This image so awesomely depicts the essence of DEF CON, I just had to include it.]

One of the most respected groups at DEF CON, the Electronic Frontier Foundation (EFF), hosted a panel to answer the audience’s “hypothetical” legal questions and provide updates on current legal events in the world of technology and information security. This was the first time I had heard of the group, which has been working tirelessly behind the scenes to help preserve our technological rights. The EFF is a donor-funded nonprofit organization consisting of lawyers, policy analysts, activists, and technologists. A bio from EFF’s website defines the group as fighters “for freedom primarily in the courts, bringing and defending lawsuits even when that means taking on the US government or large corporations. By mobilizing more than 61,000 concerned citizens through [their] Action Center, EFF beats back bad legislation.
In addition to advising policymakers, EFF educates the press and public.”

[Image: EFF swag]

All of the presentations we heard were relatable and delivered an eye-opening experience. But the loudest buzz at DEF CON 19 was about the games, contests, and puzzles. The most elaborate puzzle is the enigma around this year’s badge. Traditionally, DEF CON badges were electronic with puzzles embedded in them. This year, LosT — the mathematician and creator behind the badges — decided to stray away from electronic badges and go with titanium. During LosT and Dark Tangent’s (founder of DEF CON) talk, Making of the DEF CON Badges, we learned the process of creating and producing the badges, the story behind the single-eye cutout design, the staining of the titanium, the convoluted mathematical logic that resulted in the puzzles, and the clues scattered around the Rio Hotel. The captivated audience of 1,500 immediately turned into techie paparazzi, manically snapping photos of redacted formulas and worksheets in hopes of capturing clues that would lead to solving a puzzle designed to stump 50% of its contenders.

Human (attendee) badges were circular, while Inhuman (speaker/presenter) badges were pentagonal. But the design of both was identical: a cutout of an eye accompanied by one letter and one number. The goal of the badge is to encourage attendees to interact with each other and make new friends. Without knowing the total set of letters and numbers used, every attendee would have to interact with and check out each other’s badges in order to solve the hidden puzzle.

[Image: Worth its weight in gold. The coveted DEF CON 19 badge.]

Contests included Spot the Fed, where attendees were challenged to identify federal agents covertly blended into the mass public of DEF CON; lockpicking; and competitions for young hackers in the making. The unplanned but not unexpected games were developed by the attendees of DEF CON.
Laptops, antennae, and questionable “electronic charge stations” lined the walls of the convention room hallways, all equipped to hack into anything with an outlet. Panicked employees spoke in hushed voices about their CMS and Outlook not responding; rumors of the Keno board being the next target; hacked slot machines and ATMs; and the sudden change of music in the elevators. The Rio Hotel was in a state of calculated (and somewhat self-inflicted) chaos.

[Image: Can you spot the patterns and clues that lead to the solution?]

Being the paranoid person that I am (as detailed in my prior post), upon seeing the “Wall of Sheep,” my eyes widened in terror. In a small, dark conference room sat approximately 10-15 computers (my estimate may be off, because I was paralyzed with fear at the time) with people fiercely typing away. A large flat screen displayed a simple scoreboard of usernames and IP addresses of the “sheep.” The objective of the Wall of Sheep is to raise security awareness. Through petrification. Providing an explanation better than I ever could (sorry, still petrified) was the Wall of Sheep’s website. It was “an interactive demonstration of what can happen when network users let their guard down. We passively observe the traffic on a network, looking for evidence of users logging into email, web sites, or other network services without the protection of encryption. Those we find get put on the Wall of Sheep as a good-natured reminder that a malicious person could do the same thing we did . . . with far less friendly consequences.
More importantly, we strive to educate the “sheep” we catch—and anyone who wants to learn—how to use free, easy-to-use tools to prevent leaks in the future.”

[Image: Fear: Stand staring, petrified with fear]

If my fiancé hadn’t practically fireman-carried me out of the room, I would’ve spent the rest of the weekend staring at that screen, hoping my name never popped up, while obsessively checking to make sure my laptop was switched off and my cell phone was completely disconnected from my email, Twitter, and anything else with a username and password. Between checking to make sure my laptop was switched off, my cell phone was still wedged in a tight pocket behind a zipper, and my wallet still remained safely inside two layers of zipper pockets, DEF CON 19 was actually a fun and educational experience. Now please excuse me as I change all of my passwords for the third (and probably not the final) time.
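The Wall of Sheep's own description above boils down to one check a defender can run against traffic on their own network: is a login travelling without encryption? The following is an added example, not code from this post or from the Wall of Sheep project. It walks a few constructed HTTP requests (labelled as such), flags the two that carry credentials in the clear, skips the TLS connection whose contents a passive observer cannot see, and redacts each password before reporting, which is the awareness point rather than the leak.

```python
"""Flag logins sent without encryption, in the spirit of the Wall of Sheep."""
import base64
import re
from urllib.parse import parse_qs

# Constructed sample: (client_ip, dest_port, raw request text). Not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", 80,
     "GET /mail/ HTTP/1.1\r\nHost: mail.example.test\r\n"
     "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.7", 80,
     "POST /login HTTP/1.1\r\nHost: forum.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=bob&password=letmein"),
    ("10.0.0.9", 443, "<TLS handshake: contents not visible to a passive observer>"),
    ("10.0.0.11", 80, "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]

def redact(secret):
    """Keep only the first character so the wall is a nudge, not a second leak."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""

def find_cleartext_logins(requests):
    """Return (client_ip, host, username, redacted_password) per cleartext login."""
    sheep = []
    for ip, port, raw in requests:
        # Port 443 traffic is encrypted; anything not shaped like HTTP is ignored.
        if port == 443 or not raw.startswith(("GET ", "POST ", "PUT ")):
            continue
        head, _, body = raw.partition("\r\n\r\n")
        host_m = re.search(r"^Host:\s*(\S+)", head, re.M | re.I)
        host = host_m.group(1) if host_m else "?"
        # Case 1: HTTP Basic auth, which is just base64("user:password").
        auth_m = re.search(r"^Authorization:\s*Basic\s+(\S+)", head, re.M | re.I)
        if auth_m:
            try:
                user, _, pw = base64.b64decode(auth_m.group(1)).decode().partition(":")
                sheep.append((ip, host, user, redact(pw)))
            except (ValueError, UnicodeDecodeError):
                pass  # malformed header, nothing to report
        # Case 2: a login form posted over plain HTTP.
        if body and "x-www-form-urlencoded" in head:
            form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
            user = next((form[k] for k in ("username", "user", "login", "email") if k in form), None)
            pw = next((form[k] for k in ("password", "pass", "passwd") if k in form), None)
            if user and pw:
                sheep.append((ip, host, user, redact(pw)))
    return sheep

if __name__ == "__main__":
    for row in find_cleartext_logins(SAMPLE_REQUESTS):
        print("SHEEP  ip=%s host=%s user=%s pass=%s" % row)
```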