DefCon 22: The writeup.

Aug 18, 2014

The reason I've been quiet so much lately and letting my constructs handle posting things for me is because I was getting ready to attend DefCon 22, one of the largest hacker cons in the world. It's been quite a few years since I last attended DefCon (the last one was DefCon 9, back in 2001.ev) due to the fact that Vegas is, in point of fact, stupidly expensive and when you get right down to it I need to pay bills more than I need to fly to Las Vegas for most of a week. I'm also in the middle of finishing up moving out of DC, which would tie up most of anybody's energy and money. However, this year $work sent me with two cow-orkers so once the ink was dry we kicked into lockdown mode to get ready in the days leading up to our flight. I'll post later about what all of that entailed, based upon the hypothesis that transparently documented security protocols executed correctly should stand up to a certain amount of scrutiny; additionally, peer review and scrutiny for security protocols isn't a bad thing at all.

Due to the no photography policy at the con I took only a handful of pictures outside of the conference space, and even then only of myself with an eye for keeping as many other people out of the frame as possible. Many of us aren't comfortable being photographed anymore because we as a society are under such tight surveillance in public that it's nice to not be recorded once in a while. So, I've got no pictures of and from DefCon this time around.

Our flight to Vegas wasn't much to write home about. It was pleasant as short flights go and largely inoffensive. Protip: If you're flying Spirit Air and you've got baggage to check, do so at the front desk. Don't check your baggage when you print out your boarding pass even if you do it at home. If you do it'll cost you somewhere in the neighborhood of $50us. if you check your baggage at the front desk as an "Oh, by the way" you'll only pay $16. Save some money, you're flying to Las Vegas. You'll need it. When we stepped out of McCarran Airport to get on the shuttle bus the dry desert air slammed into us like a firm yet fluffy hammer. After a minute or two we were unable to tell the difference between the air and the exhaust from an idling truck.

From the time we flew out of our home airport the three of us were operating in what we called autistic mode, a phrase taken from Ghost In the Shell which refers to the practice of operating while entirely disconnected from the global Net. DefCon's network is renowned as possibly the most hostile network environment on the planet, where no holds are barred, zero fucks are given, and it's aliens-from-Independence Day-nuke-dog-eat-dog. In short, you run at your own risk because there is no telling what's running loose on any of the wireless networks there. There is also no telling which of the wireless access points at any given hotel are legitimate and which might be booby traps. I've heard several people over the years mention that the number of hotel access points triples in the day or two preceeding DefCon and drops abruptly the day after the con wraps up. Additionally, it is generally agreed upon by the security community that the security measures on your average smartphone vary between "laughable" and "criminally negligent"; coupled with the state of the art in GSM and CDMA interception techniques even talking on the phone at DefCon is potentially hazardous. In a later post I'll describe our OPSEC protocol along with what worked, what didn't work, and what the pain points experienced were. We'd been advised by a friend on staff to not show up bright and early for badges because the lines were undoubtedly going to be long. Taking that advice to heart, the three of us had a leisurely breakfast and coffee on the Vegas strip, and shot the bull for a while before making the two mile hike to the Rio. Our hearts sank as we took in the line of people waiting to buy Defcon badges. It stretched the length of the main hallway in the Rio, through the back of the casino, all the way around the pool area, and probably out the front and down the sidewalk by the end of the day. It was comical. Absurd, even. I'd heard later that people started lining up for badges at 0430 PST8PDT on Thursday morning. I was afraid something like this would happen, so I brought a Nalgene bottle of water with me, a hat that I could collapse and stow in my backpack, and a tube of sunscreen to pass around because we'd be standing in the hot sun. We stood in line for a good four hours or so, periodically switching out to take breaks to go for water, run to the bathroom, or just duck into the shade and cool off a litttle. I found myself regretting not wearing my bathing suit under my Utilikilt because there was ample time to have jumped into the pool for a quick swim. Admittedly, the DefCon goons' line control worked remarkably well - one of my cow-orkers tells me that they were using the Burning Man protocol for getting movable objects to go places by coaxing large groups to move all at once and ensuring that the rest of the line followed suit. Consequently we made much faster progress than we feared we would. At one point goons walked the length of the line passing out bottles of water, an act for which many were grateful because the ambient temperature was in the high 90's and low 100's Fahrenheit all weekend (if you don't believe me hit up and roll forward a couple of days).

One of the goons, whom I believe may have been one of Priest's lieutenants walked the line with one of the speakers and were offering to sell DefCon badges for a slight discount just to get the line cut down a little bit. At first I was skeptical of them. I didn't recognize the faces, voices, or gestures of either person at all, and forging Defcon badges is not only a known stunt it's a competition. Had it not been legit one or more of us would have been out $200us and up a certain small body of moving water sans propulsion. I advised one of my cow-orkers to not buy the badge for that reason. A minute or two later I then observed that attendees who'd already gotten their badges were treating these individuals with deference, and the other goons seemed to be taking orders from him. This made me suspect that they were, in fact, legit. Throwing caution to the wind I bought one of the badges and jumped out of line, on the hypothesis that if I'd been taken I'd be in a position to get a legitimate badge in a couple of hours. I feel bad about this because I ditched my cow-orkers. I tried to make up for it by gathering intel for them: How long the line was, what the expected wait was, the current con schedule, what was and wasn't open yet, and what was going on around the Rio. I'm relieved that they made it through the line in relatively short order after that but still somewhat upset that I acted without thinking.

As for the talks at DefCon, I'm going to type up my notes in a later post, so I'll not rehash all of the talks here. When download or Youtube links appear, I'll add them.

DefCon is also called LineCon by attendees for good reason. Even with seven presentation tracks, several in auditorium-sized rooms it's not uncommon for lines to stretch down the hall and around the corner as one or two hundred people queue up. A common strategy is to attend a talk that you're not particularly interested in and kill time (quietly practicing one's locksport with a practice lock, for example) so you will keep your seat for the talk that you actually wanted to attend. It's also not uncommon to find the talk you thought you weren't very interested in fascinating anyway and forget all about killing time. If nothing else the lines for talks move pretty fast once they actually start to move so don't be too put off by them. It's not worth pulling out your laptop for some quick shenanagains because you'll have to put it away again very shortly. I found myself camping out in the Penn and Teller track where a lot of really crunchy, hardcore technical stuff was being presented - many of the NSA Playset talks, traffic control system vulnerabilities, penetrating public surveillance networks... occasionally I hit some of the other talks but many of my interests were well represented there. Incidentally, keep a close eye on If you have any interest in professional security, this is what you could be up against on the job. If you're not but you're concerned about living in the twenty-first century, keep an eye on it anyway because this is what all of us are up against.

Once upon a time, the L0pht had a saying: "Making the theoretical practical." They were talking about security exploits. This basic principle hasn't changed in over twenty years. Attacks that were described by academics a few years ago from the lab are now fully implemented, downloadable, and... not easy to carry out at home, most of them require a nontrivial amount of background research and technical know-how to successfully pull off, but doable with a relatively minimum amount of money and some skullsweat. Between inexpensive software defined radios, cheap microcontrollers, open source software, super lightweight UAVs, and as one presenter put it "The willingness to start from first principles" some amazing things are happening these days. The traffic control system has, to put it bluntly, the security of a cereal box, a thought which has kept me up the last few nights. That a manufacturer can double, no, triple down on lies after being repeatedly shown evidence to the contrary still astounds me after fifteen years in the industry. I honestly thought that things would have changed for the better by now.

Incidentally, I'm very glad that cheap RTL SDR radio recievers are becoming popular; I fell in love with the RTL2832U I recieved as a Yule gift last year and it's one of my favorite toys. They lower the bar to getting a start in learning about radio in general, RF interception in particular, and security research immensely and GQRX is fun to use, though a bit tricky to get compiled (install it from the package repository, really).

I spent some time hanging out with elmers near the wireless village at DefCon and swapping stories (and egging on attendees who may have been curious about getting amateur radio licenses). My cow-orkers were fascinated by the villages at Defcon this year and spent not enough time learning the trades taught there (because one can never, ever spend enough time in the villages at any hacker con, there's too much to do and too many things to learn about). Also, every year at DefCon the Electronic Frontier Foundation runs MowhawkCon, where one can donate $15us (or put a bounty on one's locks as some do) and get one's hair styled into a mohawk. I've done a lot of things with my hair over the years; it's been long, it's been short, it's been nearly every color of the rainbow, it's been spiked, I've had the full Valaquen... but I've never had a mohawk. I've been slowly losing my hair over the past fifteen years or so, ever since undergrad and I have a deep and abiding love for the EFF, so I took the plunge and had my hair buzzed into a 'hawk. I may never have this chance again, I thought, and I don't regret it.

There is a character stereotype in the RPG community: The pink mohawked cyberpunk. The stereotype typically involves over the top antics while on the job, black trenchcoat, mirrored sunglasses, combat boots, not looking back when the explosives go off... I had to do it. I quickly learned that mohawks are harder to manage than they seem. Lots of industrial strength hairspray is required and one's hair seems to need the right length and shaping to look right. I'm not certain that I fall into that category. My hair also requires significant amounts of teasing to stand up properly, a process which is both somewhat uncomfortable and probably hideously damaging to hair. I don't think it's the sort of thing one does all the time. I could also feel the breeze coming off the desert against my hair as the three of us walked back to our hotel later that evening. It's a strange feeling. It was blowing strongly enough that after a few minutes the semirigid crest of hair atop my pate bent about halfway down. The advice MohawkCon gave me about this consisted of "Take it down because it's not going to stand up right if you try to repair it. Try again later." I did this Saturday afternoon, in part just to see how much effort would be required. Two hours of standing in the shower combing tangles out with my fingers and then a very large toothed comb, assisted by generous amounts of conditioner were required to relax my remaining hair into a much thinner ponytail. If you habitually wear something around your neck, like a necklace or a chain you're going to have a devil of a time getting it off or back on unless it unhooks at some point. In fact, trying to pull my necklace off hurt because enough of the hair remained rigid that it refused to bend. Same with pullover shirts of any kind. I plan on keeping this new cut for a few months to see how it works out but it's a fair amount of work to maintain and I might wind up putting it up for special occasions.

I attended the Queercon kickoff gather at the iBar for a little over an hour on Thursday evening but practically everybody seemed to already know everybody else, and there were few opportunities to join in any discussions, which seemed to mostly consist of the "Hi, I haven't see you since the last DefCon!" sort. I gave it my best for most of an hour but eventually gave up and wandered off. Additionally, the iBar, where the Queercon meet-and-greet was being held was playing crappy dance music too loudly, which didn't help matters any.

DefCon is huge. DC22 was certainly over 20,000 attendees, possibly north of 25,000. I haven't heard any hard figures, just rumors from the goons. They ran out of the hackable badges by the end of Thursday and brought in laminated paperboard badges to replenish them. I know some old friends were around there somewhere but I ran into a very small number strictly by accident, and even then usually only once. Attempts were made at planning get-togethers but none of them worked out. Socializing at DefCon seems to be best done at one or more of the parties, ideally the smaller ones but birds of a feather do indeed flock together. The three of us attended the Friday party (a concert, really) after the talks were done for the day. We met up with some old friends of mine from 412 and 724, went to Fry's and an alehouse, bought supplies, and after warming up a bit hit the show downstairs. We passed on the performances by CTRL, Dual Core, and YT Cracker in favor of getting our game faces on. They're excellent performers but none of us are particularly big fans. We arrived just as MC Frontalot kicked off his show and performed a broad selection of songs from his discography, going as far back as the Rhyme Torrents compilations of years gone by. I suspect this was the first time my cow-orkers had been exposed to nerdcore but detected few to no complaints on the matter. After Front wrapped up his set the chiptune punk band Anamanaguchi took the stage, whom I'd been dying to see for several years and did an hour long set that made my year. I didn't spend much time looking at the stage because I spent the entire set dancing in the crowd. In point of fact not a few of us were showing our appreciation for Anamanaguchi by cutting a rug from the moment the first note was sounded until all that remained was amplifier buzz. While Anamanaguchi was breaking down their gear I took Peter Berkman aside for a moment and thanked the band for all their hard work. It was fantastic that they played DefCon and all of us had a great time. In turn, he thanked us for being the first crowd ever to dance during one of their shows. We stayed to dance to VJ Q.alba but left about halfway through his set because we had to get back to our hotel and make an attempt at sleeping. During that time I was overjoyed that he played a great cover of one of my favorite chiptunes - Comic Bakery by Martin Galway.

At one point during the con an old friend gave me an oscilloscope as a gift. Not a huge piece of kit, mind you but one of the new Gabotronics Xprotolab Portables that were on Kickstarter a while ago. I haven't tried to use it yet, and in point of fact I don't know much about it, but from what I've been able to gather the software's available on all of the major platforms, and it's a USB device so you just plug it in, start the application and put it to use. I'll have to find docs and a tutorial for it, but that'll come later when I'm in a position to actually put it to good use. Dan Kaminsky's presentation (his sixteenth at DefCon) was, as always, astounding, hilarious, thought provoking, brilliant, and inspiring. I honestly don't know how he has the energy to accomplish so much or where he gets the inspiration to find so many things that need fixed, but I can only wish for a small fraction of that energy. His talk's not on the Net yet as far as I can tell but it's worth waiting for; Kaminsky uploaded his slides a few days ago. If you're an application or crypto developer, take some time to read them. There is no way that I could describe everything he touched on because you simply wouldn't believe me. If you've ever seen Kaminsky talk you already know what you're in for. Make some popcorn, take copious notes, and have tissues handy because you will alternately laugh until you cry, or just cry from some of the archetypal fail implemented in software and on the market these days that he's found.

Sometimes I wonder why the Net hasn't yet melted down in a firestorm of mutually assured destruction.

I found that I didn't mind walking two miles each way to and from the hotel DefCon was held at, even in summer in the desert temperatures. I quite enjoy the exercise and the heat.

In addition to the usual competitions at DefCon (Capture the Flag, Social Engineering, Tamper Evident Seal Compromise, DefCon Badge Forgery (the winners are auctioned off to raise money for charity), Wireless Capture the Flag, you get the picture) ran Project 2, a capture the flag hacking competition advertised for people who don't do well under pressure, are lacking in self confidence, or are just starting out. The idea was that you could plug into their isolated LAN, download the puzzles, mirror the web pages, disconnect, register as a contestent or not as one chose, and solve the puzzles at one's leisure. I applaud them for this and hope they keep it up. I may even suggest a couple of puzzles later to add to the collection. My one complaint was that it was more difficult than it really needed to be to grab them all, especially if one was running late to a presentation that one had to see for work or something. Being able to wget a tarball of the site and be done with it would have been nice. There was also no shortage of classic hacker shenanagains happening at DefCon. For example at Hak5's booth in the vendors' room they were selling Wifi Pineapples, which can be described as a compact and extensible electronic warfare platform which also happen to make handy penetration testing tools in wireless environments. When on an engagement it's nice to have something you can "just use" rather than having to split your time between reconaissance and tool construction. Somebody at DefCon using the handle @ihuntpineapples was busily bricking every WiP they found with a 0-day they found in the control panel. The point made by @ihuntpineapples' taunt was that if one was serious about using a WiP they should have no trouble un-bricking the unit. It remains to be seen how many were returned to the Hak5 table for a refund and how many were successfully repaired and patched by their owners.

The parties at DefCon are legendary. It is said that in them alcohol flows like oxygen. The rooms are standing room only and packed with sweating people swapping secrets in whispers. Hackers discuss things the intelligence agencies don't yet know (or so they fervently hope) or brag about things they've done. Occasionally warnings are passed along of narrowly averted traps laid in black networks dripping with defenses. Dancing beaglettes entertain partygoers while questionable substances are bought, sold, and ingested. I don't know if any of those things are true. My suspicion (coloured by a bit of cynicism) is that some subset of those things (and others I've neglected to mention for one reason or another) may be true in varying combinations of circumstances and situations. However, I strongly doubt there is any Illuminati-like meeting of hackers gathering in a spy-movie like fashion to plot dastardly deeds. What I can speak to from experience, however, was that the three of us were invited to a vendor's party on Saturday night, where we met the C-levels and an unknown number of employees and random other people who were invited, and did the strange business thing called networking. I found myself in several conversations that night which touched on psychology and NLP, queer politics, security theatre, and random shenanagains with satellite communication protocols. The vendor in question undoubtedly spent astounding amounts of money renting the hotel suite, buying food and booze, and generally getting the word out. To be good guests we brought something with us to share with the rest of the party, as any good partygoer should. Somewhat to our surprise the Las Vegas police arrived at 0130 local time to politely shut the party down and allowed all of us to depart unharassed.

It seems a truism in life that one can find oneself in the most interesting of conversations if one happens to be in the right place at the right time, and happens to overhear the right thing. A piece of free advice to take or not as you will: Talk to random people at DefCon. Be polite. Ask good questions, and if you've done anything unusual or strange that seems thematically appropriate politely bring it up in conversation. At some point you may be given something unusual: A custom poker chip, a business card, a plastic wristband, a small 3D printed thingy, or even a small button or pin. Keep it on you at all times, and show up wherever they tell you when they tell you. If you're given a Twitter handle or the like keep an eye on it. There will most likely be a private party going on, and you may have just been given an invitation. Show up, be a good guest, be brave, and see what happens.

As for Las Vegas itself, it's a surreal city to explore. Some of the triff hotel/casinos have the historical re-enactment thing down and it can be a little disorienting. The Luxor Las Vegas resembles for all the world a pyramid straight out of pharonic Egypt. At night the gargantuan building looks pitch black, save for the kleig light beaming skyward from the cap of the pyramid and lights crawling up and down the vertical edges. Upon seeing the Luxor in the dead of night the first thing I thought of was the Renraku Arcology from the RPG Shadowrun, and all the horrors thereof. Planet Hollywood reminded me of a gigantic mall along the lines of Tyson's Corner Mall in northern Virginia: Very expensive stores, exclusive and pricy restaurants, and lots of squeaky clean marble. It definitely has more chrome and neon lights than other malls I've been to. The Bellagio Hotel has its own lake, with periodic musical shows and its famous dancing water fountains therein. I wonder how much water they have to pump in every day to replace what's lost through evaporation. Probably numbers I don't want to think about. The Paris Las Vegas Hotel and Casino boasts a replica of the Eiffel Tower in France with a restaurant at the very top... still not sure what to make of that. One of my cow-orkers wondered what archeologists a thousand years from now would make of Las Vegas due to the replicas of several historic monuments from scattered periods of Earth history all existing in one place cotemporaneously. The Surrealist couldn't have done a better job of making life interesting for the people of the future.

The flight home wasn't all it could be. Spirit Air planes tend to be a little on the cramped side, and we got stuck on the runway for over an hour before getting clearance to take off. At one point the engines were powered down, only to be powered back up at the last minute. Kind of frustrating, really. After landing, a series of public transportation rides and a pickup on the street later brought me home. The rest of the week was spent trying to figure out how to pick up my usual workaday life away from the insanely high data rate environment of DefCon. I'm still recovering - I ate much worse than usual, my allergies are going nuts, and it would seem that my sleep schedule's been screwed up but good, too. If I can go back next year, I most certainly am.

I mentioned that I brought a Nalgene water bottle with me - one of the 32 ounce ones. My advice is that you drink as much water as you can at breakfast before you go out, and before you leave ask your waiter or waitress to fill it for you. Throw a little more salt on your food than usual if it's medically permissible because you'll lose more than you think as you sweat. Bananas are good and you'll need the potassium, too; for the first two days I had a headache that I couldn't put a dent in until I realized that my body was running low on potassium. As always, however, water needs to be in your body more than it needs to be in a bottle. Drink up whenever the opportunity presents itself, then refill for later.

/* ***** */

While doing background research for this post I stumbled across something on the Defcon goons page: "In memoriam."

DefCon's been happening for 22 years now and shows no signs of stopping, the traditional "DefCon is cancelled" pranks notwithstanding. Hackers have met at DefCon, dated, gotten married, had kids, and are now bringing their kids to DefCon with them. Some of them are sharp as a laser cutter's beam. At MohawkCon I observed a family of hackers - two generations - getting their heads shaved for charity. Shamefully, not once had I considered that some members of the DefCon family had fallen. I don't consider myself part of the DefCon family or community; I'm not there enough. I run where I will, when I will, how I will, and where I am most needed, and rarely do all of those circles overlap. It tugs at my hearts that some have gone beyond the veil: Poolboy, Dr. Nick2000, Ghent, and Josh. I never knew them, nor had I heard of them but I sort of wish I had. Now I never will. Dream well, wherever the four of you are. Your friends and family miss you terribly.