Sunday, July 31, 2005

DefCon 13 Part II

The Hard Rock Hotel is right across the street from DefCon, pretty convenient except that the street is six lanes, very busy and there are no crosswalks except at the major intersections. So, the shortest legal route between the two involves walking in the wrong direction and more than tripling the distance. That's hard to do when it's 104 outside and there's air conditioning where you're going. So, there are lots of people doing the mad dash all day long. At one point, I noticed a group moving across the lanes, all wearing DefCon badges, one of them in a wheelchair! They were all grouped with the wheelchair guy and making expectedly slow progress, causing an impatient motorist to honk. They yelled back, "hey, he's in a wheelchair" like that explained why they were jay-walking in the first place.

Of course, you don't have to jaywalk to put yourself in harm's way. I nearly got run over by an SUV full of people who were obviously wardriving for the DefCon competition. You know, scorching white Yagi (high gain WiFi antenna) hanging out the passenger window, passengers with laptops in the back seat. Subtle, they were.

I had dinner at my favorite German theme restaurant, the Hofbrauhaus. If you've ever seen a movie showing Oktoberfest in Munich, with long wooden tables of people drinking huge mugs of beer and singing, you know what this place looks like, although maybe a bit more restaurant-like than the real thing. They have two huge rooms and when I asked for non-smoking they asked if it was OK to put me in the room that didn't have the insanely loud polka band. Hmmm, let me think, smoking and loud music not of my choosing or not?

There was one really loud table seated next to one of the large screens televising the band from next door. Every few minutes that table would erupt in a round of high-decibel cheering and huge mug raising.

At one point, the band was conducting a contest in the other room. Contestants had to hold a monster mug of beer at arm's length for as long as possible. Loud table just had to participate, so a couple of them were standing in front of the big screen, superimposing themselves into the scene in the next room as their drunken friends cheered them on in a contest they weren't actually participating in. Yet another way that people confuse TV with reality.

Friday finished up with Hacker Jeopardy. The format is three teams of three answering Jeopardy-style questions aimed at computer nerds. The questions are worth 100 to 500 points, and you also get an extra 100 points for every beer your team consumes. Much of the audience is also drinking, and the whole thing is pretty chaotic to the point that sometimes the judge can't hear the answers, sometimes the panel can't hear the questions, most of the time it's not clear whether the miked moderator or the audience has the most control. There's one round of five questions in each of six categories, then a final Jeopardy category/question. That's about enough time for each team to consume about equal points in beer as they earn with the questions.

If the panelists can't answer a question, it goes to the audience. If someone in the audience gets it, they get thrown a prize. In the second round, I won a t-shirt!

One of the categories was "Shit". (Hey, it's DefCon.) One of the questions was: "the oldest known sewer system was built by the Minoan civilization in Crete in this palace." No one on the panel knew the answer, but I did since I had been there and did the tour. "What is Knossos?" Unfortunately, a lot of people in the audience knew that one, and someone got it before I did. But the 500-point question in that category was "the Greek word for shit." That one I also knew and was standing as soon as the question was asked. I don't think anyone else was even indicating they knew. "What is skata?" Yeah, free t-shirt. I guess that proves I know my shit, even in Greek.

Also, in the second round, two of the contestants worked a little too hard at earning points through beer consumption and experienced a "reversal." At least it was only beer and not 20 or 30 hot dogs, and mostly off stage.

There was also a category on movie quotes which included several of our favorites: "Gentlemen, you can't fight in here. This is the war room." "Surely, you're not serious." Another was "I love the smell of Napalm in the morning." I don't remember the other two, they were both familiar movies.

At one point, the power went out. Imagine several hundred mostly young, mostly drunk, males in a huge dark tent that just lost its air conditioning along with everything else. I packed up and was ready to bolt for the door if things got crazy. Amazingly, lots of people had flashlights and we got the power back in a few minutes. Someone had decided it would be fun to turn off the generator. The organizers were not amused. It just goes to show it only takes one dork to mess things up for a lot of people, even at a hacker convention.

My first session on Saturday was "The Hacker's Guide to Search and Arrest" which was really a talk on constitutional rights for everyone. The speaker was Steve Dunker, a former police officer and now a practicing lawyer.

I learned that when police frisk a suspect, it is only to search for weapons. They're not allowed to go after anything else unless they have a good reason to believe it's contraband. That's why they always ask, "what's that in your pocket there?" If they get an answer that gives them reason to think it's something illegal, it becomes fair game.

He spoke well of the TV show "The Shield". He says that's pretty accurate, that police work "is about 50% 'The Shield' and 50% 'Reno 911'. Any cop who's honest will tell you the same."

His best story was about DEA agents who were staking out a drug dealer. The dealer used a cordless phone for all of his calls, so they rented a nearby house and listened in with a scanner. They were getting great information until the cordless calls suddenly stopped. They poked through his garbage and found a cordless phone, broken, and a receipt for a new corded phone. So, they printed up a notice that looked like one of those offers: "Congratulations, you have won either a cruise, a cordless phone, or $50. You'll receive your gift in the next 7 to 10 days." The next week they mailed him a cordless phone, which he happily started using, and they were back in business.

(I take that to mean be careful what you say on your cordless phone, although I understand the 900 MHz phones are much more difficult to listen in on. At least the books I saw at DefCon said it was hard, alongside clear instructions on how to do it for older phones.)

One of the most popular sessions of the conference is "Meet the Feds." This year's panel consisted of 11 representatives from agencies such as NSA, DOD, FBI, RCMP, USPS, FTC, Dept. of Treasury, IRS, GAO. The moderator introduced the panel, then each one gave short opening remarks. Most of the remarks were all but begging for resumes from talented people who were clean enough to be able to get clearances. To show they weren't all horribly square, one guy from the NSA was wearing a Grateful Dead t-shirt and talked of partying with the band.

The moderator, Jim Christy of the DOD, got things rolling with a little survey. "Before we get started, I'd like to do a survey at the request of various agencies. I would like everyone to stand up. (everyone stands) If you're in the NSA, please sit down. If you've never broken the law, sit down. (very few people sat) If you have never illegally broken into a computer system, please sit down. (most everyone sits down, then slowly it dawns on the people still standing what they are revealing about themselves, and to whom they were revealing it, and they sat down as they clued in) I'm sorry, some of the cameras didn't get everyone. Could those people stand back up again? I did that same joke at DefCon five years ago, I'm surprised you fell for it again." It was very funny.

One guy on the panel looked about 80, with disheveled white hair and beard. He'd look totally normal asking for change on the corner. He turned out to be the (former?) chief scientist at the NSA (!) and was apparently well known and highly regarded by the crowd. He gave a very sincere plea for hiring the most talented people and asked those people not to "cross the line" (meaning don't screw yourself out of a cool career by getting a criminal record). He explained, "it's OK to smoke pot, just don't get caught" clearly aiming that remark at Mr. Grateful Dead t-shirt. Despite his appearance, he was clearly very sharp and well spoken. Hackers come in all sizes and shapes.

Friday, July 29, 2005

DefCon 13 Part I

It doesn't usually take eight hours to fly direct from Seattle to Las Vegas, but it does when thunderstorms in Las Vegas cause your flight to be diverted to Ontario, California. Even that wouldn't have been so bad except for the fact that the flight crew had started at 3:00 am, so we had to wait for new pilots to arrive from LA. The flight attendants were continuing on to Anchorage, so their day was far from over.

The line for cabs at the Las Vegas airport was insanely long, like Disney World long. It took over an hour just to get a cab. I'm sure I could have walked to the hotel faster, but the temperature was still in the mid 90's and I had overpacked as usual, so the hike had less appeal than the insane snaking line. I got to the Hard Rock Hotel just before midnight, and had dinner in the "casual dining" restaurant while watching the ESPN coverage of a July 4th hotdog eating contest. I'm not sure which was more surreal, the contest or the generic sports commentary of it. All the clichés and buzz words were in there: the rookie who held up under the media pressure and was worthy of watching in the future, the world champion described as "the Lance Armstrong of the sport," the lengthy background on the (female) challenger who might unseat the favorite. About two-thirds through, one contestant was having a very obvious struggle, holding his hand over his mouth and looking very distressed, and the commentator explained, "you can't have a reversal at this stage under the rules of this competition." I experienced a morbid curiosity in wondering whether I was about to watch some guy's prolific hurl displayed on multiple wide screens for the viewing pleasure of the restaurant's dining customers. (The favorite did win with 47 hot dogs consumed in 12 minutes, although he didn't have his best game that day. His personal best is 53. The challenger placed second with high 30's, setting a new US record. But keep your eye on the rookie, he's the future in this sport.)

The late arrival meant I missed the Electronic Frontier Foundation pre-event, but they had a pretty strong presence at the conference so I got to hear updates on their work later.

Friday morning started bright and early, hoping to get through registration before it got mobbed. I wasn't there when they opened at 8:00, but getting there at 8:30 worked nicely.

DefCon two years ago was horribly overcrowded and I missed some of the sessions I most wanted to hear because the fire marshal has these fussy rules about how many people you can pack into a room. The sessions run in three tracks and at least two of them looked to be quite popular. So, I headed to the conference room for the one I had cared the most about and camped out for the 10:00 session to start. Philip Zimmermann, inventor of PGP, was set to announce his next big project.

Unfortunately, a) he was told that the talk was scheduled for 11:00 and b) he was stuck in the line for a taxi at Caesars Palace. So, he was late (or on time for the 11:00 talk if you prefer). His next big project is Secure Voice, doing secure phone calls over Voice-over-IP peer-to-peer without needing an intermediate server. This could be a problem for the feds who want to keep things simple by requiring all phone service providers to have back doors for wiretaps.

In the impromptu session to fill the first time slot in Phil's absence, we heard about how biometric security systems work and how to attack them. The most interesting observation was that if you use your fingerprint to buy groceries and to log onto your online banking account, then anyone who can break into the grocery store's system can get the biometric data needed to break into your bank account as well. Unlike a password, a fingerprint can't be changed once it leaks. Be careful to whom you give your fingerprint, retinal scan, voiceprint, etc.

The snafu in the morning caused one of the three conference tracks to slip by an hour. After lunch, I took advantage of a break between interesting sessions to take a catnap. When I got back to the conference for the next session on my list, I found that the schedule had been shifted back, so instead of being 30 minutes early, I was 30 minutes late to a sold-out session. Such is DefCon.

The EFF had a nice long presentation with Q&A. There was lots of good stuff there, too much to try to summarize here.

After dinner, I popped into the end of what looked like a very interesting session. The speaker has been hired by a company with major bandwidth to do Internet security research and presented some interesting findings. The bit that I heard (and was able to understand) explained how some simple-minded anti-intrusion methods can lead to even more serious vulnerabilities. If Big Bank has intrusion prevention software that blocks access from any IP address sending malicious packets, an intruder can send packets with forged source addresses so they look like they are coming from the DNS server of a major ISP. When Big Bank stops responding to requests from the ISP's DNS server, the attacker can then much more easily spoof fake answers to DNS queries for Big Bank's online banking server and start doing really bad things. The lesson is that automatically banning a source address is only safe when the address can't be forged.
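To make the failure mode concrete, here is an added simulation (my own illustration, not code from the talk or the original post): a naive IPS that bans any source address seen in a malicious packet, beside one that bans only on evidence a spoofer can't forge (a completed TCP handshake) and never bans a protected upstream resolver. All addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field

# Constructed addresses (documentation ranges), not real hosts.
ISP_RESOLVER = "198.51.100.53"   # the ISP's DNS server Big Bank must keep talking to
ATTACKER = "203.0.113.7"         # the attacker's own address


@dataclass
class Packet:
    src: str                 # source address as seen on the wire (may be forged)
    malicious: bool          # IPS signature matched
    tcp_established: bool    # True only after a completed 3-way handshake


@dataclass
class NaiveIPS:
    """Bans whatever source address a malicious packet claims to have."""
    blocked: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> bool:
        if pkt.malicious:
            self.blocked.add(pkt.src)      # trusts a spoofable field
        return pkt.src not in self.blocked


@dataclass
class HardenedIPS:
    """Drops malicious packets, but bans only on non-spoofable evidence
    and never bans addresses on the protected allowlist."""
    protected: frozenset
    blocked: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> bool:
        if pkt.malicious and pkt.tcp_established and pkt.src not in self.protected:
            self.blocked.add(pkt.src)
        return pkt.src not in self.blocked and not pkt.malicious


# Constructed traffic: attacker over a real connection, a forged packet
# claiming to be the resolver, the real resolver, then the attacker again.
TRAFFIC = [
    Packet(ATTACKER, malicious=True, tcp_established=True),
    Packet(ISP_RESOLVER, malicious=True, tcp_established=False),
    Packet(ISP_RESOLVER, malicious=False, tcp_established=False),
    Packet(ATTACKER, malicious=False, tcp_established=True),
]


def run(ips) -> list:
    """Returns, per packet, whether the IPS let it through."""
    return [ips.inspect(p) for p in TRAFFIC]
```

With the naive IPS the third packet, the real resolver's legitimate traffic, is dropped, which is exactly the cut-off the attacker wanted; the hardened one drops the forged packet but keeps the resolver reachable.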

The last activity of the evening is Hacker Jeopardy. While they're setting up for that, I'll talk about food. At least in this small segment of Vegas it's amazingly difficult to escape cigarette smoke, especially in restaurants. Finding vegetarian fare is also challenging. Sitting down for a plate of token vege fare in a smoke-filled restaurant is not that appetizing. After exploring the Hard Rock Hotel, which is very smoky in all the public areas, and knowing what I found in other local establishments last time I was here, I finally decided to give the new German restaurant a try. It's the Las Vegas edition of the famous Hofbrauhaus in Munich. Not expecting much from a German restaurant, I was pleasantly surprised to find some reasonable food and a non-smoking section. So, I had fish and chips for lunch. Beer seemed like a reasonable lunchtime beverage (when in Munich, do as the Germans do), but 17 ounces seemed like a bit much, so I ordered the 10 ounce beer. It came in a cute little mug that reminded me of childhood mini root beer mugs at A&W restaurants. For dinner, I ordered the middle-sized 17-ounce beer, a cold cucumber salad and a creamy mushroom dumpling dish.

Ok, they've found the bottle openers. It looks like Hacker Jeopardy is ready to start. More later...