DefCon 23: The Writeup
Well, I'm back from DefCon in sunny and hot Las Vegas, Nevada and more or less reinserted back into my everyday life. I'm just about caught up on everything that happened at work and finally finished the notes that are going to comprise this article. I'll type up the notes I took during the talks at DefCon in a couple of days; they've voluminous and I want to get the experience out of my head and into external storage before the memories fade much more. Unfortunately, I didn't make it to any of the villages so I don't have anything from those. I'm told that at least a few of the village talks were recorded and will be posted to the DefCon Media Server in a month or two.
My flight to DefCon was pretty standard, I caught my first flight to Los Angeles and got to my connecting flight just as it started boarding. An hour later I was on the ground at McKarren, found my luggage on the carrol, took the 104 degree Fahrenheit sledgehammer to the face that is Las Vegas in the afternoon, and caught a shuttle bus to the hotel. Unfortunately I'd arrived too late for DefCon's opening ceremonies or Thursday's presentations so my plans consisted of meeting up with everybody and figuring out what to do next. I wasn't able to check into my hotel because Genetik was at dinner with the keycards and Seele hadn't landed yet. Rather than get stuck in a pickle I caught the Vegas Monorail to Bally's and then stumbled around for most of an hour in the thing-that-pretends-to-be-the-city-of-Paris trying to find the restaurant everybody was at. Even enlisting help from other congoers didn't help because we were all equally lost. It was a stroke of luck that I found everybody when I did, though I'll admit that low blood sugar didn't help. The late afternoon was spent catching up with Vlad, Sam, and Genetik, whom I haven't seen in quite a few years. Seele joined up with us later after her flight touched down. Dinner out of the way we headed for DefCon proper to pay admission on the theory that the line was still unreasonably long. Last year, I stood in line for several hours before finally getting a badge but this year a combination of new attendee badging tactics and the late hour resulted in getting into DefCon in less than ten minutes, most of that walking from the restaurant to the front desk.
I then received a phone call from some of my cow-orkers who were attending DefCon with me - they ran into problems checking in, and was there anything I could do to help? As it turned out there was a mixup with the length of the room reservation and some coaxing of the front desk (coupled with the judicious use of a fax machine (surprisingly, people still use those)) got them their room keys and into their room with a minimum of trouble. Some time was spent on hold and a little explanation later, and all appeared to be well with the world. All of us met up once again for a late night snack because most of us were still not quite ready for bed (or fueled up from the flight) and then turned in for the evening. The three of us were up bright and early on Friday morning because we were unusually well rested after our travels. After the usual routine of showering, dressing, and packing (or unpacking, really, because at DefCon you should carry as little as you possibly can for the sake of your health if nothing else) we made the block-and-change hike down the Vegas strip to Bally's and the Paris, the two conjoined hotels that DefCon took over this year. The theme of DefCon 23 was a combination of Discordian illuminism, the 23 Enigma, and film noir. Needless to say there were conspiratorial references all over the place.
I didn't make it to any of the villages this year, and only to a fraction of the talks, which is only to be expected. With several dozen talks in the lineup it's not physically possible to attend every last one. In this part of the writeup I won't touch very much on the actual meat of the talks, but on their broader context as experiences.
The talk by Michael Schrenk was basically an introduction to OSINT, or open source intelligence. While collecting OSINT for various purposes is pretty straightforward, and its analysis something of an art I found the talk somewhat helpful when put into a corporate context (analyzing the bits your competitors leak and minimizing those your own organization emits in like fashion). Bits of information get leaked where you least expect it (like the speaker's notes in a Powerpoint presentation) and are enough to make one think twice before publishing anything these days. The talk on cracking brainwallets, algorithmically generated cryptocurrency wallets based upon memorizable sequences of words was a wakeup call in terms of generating and maintaining passphrases. People are really bad at remembering strong passphrases because most of them inherently look like line noise. The problem is, statisticaly analysis of the passphrases people use (which come from dumped password databases taken from compromised online services) have made even six word sentences in a number of popular languages extremely unsafe for very long. When six words (with permutations of capitalization and spelling generated automatically by your software) are relatively easy to crack in a reasonable period of time (a couple of days unless you want to use someone else's processing power)... where do things go from there?
I was sitting in the first few minutes of the Quantum Computers vs Computer Security talk when my pager went off. Per OPSEC I was running in autistic mode for most of DefCon but one of my agents got through to my thoroughly dumbed down burner flip phone to warn me that something major had happened at work, and that I had best get my ass someplace with a reasonably safe wireless environment to see to it. Some texts to Vlad later and I was upstairs in his room on my spare laptop, VPN'd in and punching away for all I was worth. Regarding the talk I had to bail on, I'll be omitting the few notes I took in favor of catching up on the video later. Some time later, Chris Rock's talk, whimsically entitled I Will Kill You showed just how easy it is to fake your own death or someone else's for all intents and purposes, shut down all legal lines available to that identity, and assign power of attorney and a last will and testament to someone (yourself, usually). He also described in some detail how one could go about setting up shell identities (along the lines of shell companies) as far as national registries are concerned that have tax IDs, bank accounts, medical records, and life insurance. Of course, the possibilities for revenge or tactical distraction and disruption were used as a real life case study.
Friday night involved dinner and the first couple of concerts of DefCon 23. First up was Dual Core, the nerdcore hip-hop crew last seen at the EFF's 25th birthday celebration. Yheir set covered a broad selection of tracks from all of their albums, with what I think was only a little newer stuff. I'd just bought their new CD, All the Things, but I haven't had time to listen to it yet so I'm probably way off base here. Anyway, as I am wont to do when the music's good and I'm having a good time I'm busy embarassing myself on the dance floor, much to the amusement of many other attendees. Who says a bunch of hackers can't cut a rug? Next up was MC Chris, who I'm not much of a fan of, I'll admit. MC Chris has some songs that I genuinely like, but he also has some that are done in styles of hip-hop that I'm just not a fan of. I remember some of his early tracks from the Rhyme Torrents compilations but that's really about it. I was surprised that he ran his set solo, both on the mic and jockeying a laptop running his own backing tracks; then again, I probably should not be because this is the twenty-first century. I noticed that he had bits of his own voice mixed into the backing track, probably to make it easy to stay in synch. He did an excellent job from a technical perspective, and it wasn't up until the very end that he made a mistake. I commend the man for getting up on stage, letting it all hang out and putting on a hell of a show because it was clear that he was giving it everything he had. Even though I'm not much of a fan of his work I still found it enjoyable. Rounding out the night was a set by YT Cracker, the 'runner who found hip-hop by way of the FBI. I caught only a small part of his set at the beginning because something else came up (sense a theme?) and I had to leave the party early.
On Saturday morning I made sure to catch the talk about how the Wassenaar Agreement would effect security research, in no small part because an old friend of mine was one of the presenters. In short it doesn't seem like it's going to be nearly as big a deal as many seem to think it is because the laws in question are so dense and legalease is, well, legalease. Lots of Boolean ANDs and the occasional Boolean OR are involved which make all the difference when you're trying to interpret what you can or can't do without risking jail time. When the talk comes out it will definitely be worth rewatching a couple of times. Then the talk many of us wanted to see came, Machine vs Machine: Inside DARPA's Fully Automated CTF.
If you're not familiar with hacker CTF, or Capture the Flag, it's almost but not quite like running around playing an actual game of capture the flag. There is an isolated network which all of the competing teams jack into. On the competition network are machines that teams have to either defend by identifying and patching vulnerabilities on your machines or attacking the boxen of competing teams, figuring out what network services are listening on them (normally they're brand new so you have to figure out how to interact with them in the first place) and break in. It's usually a combination of both. The vulnerabilities built into the target machines can be highly esoteric and difficult to exploit, and the environments can have the most bizarre configurations. I've only done one CTF in my life, on the red team of a collegiate competition some years ago. I don't do well under pressure, and maybe I'm a little too crazy in my technique and style to really be effective in a competition with reasonably solid rules. Leisurely puzzles and code hacking are more my style.
All of that said, the Cyber Grand Challenge cluster, twenty racks of badass, gonzo, Wu-Tang machine intelligence software running like a bat out of hell shocked the shit out of me. I think everybody positioned even vaguely near the information security industry suspected on some level that certain US government agencies have serious ICE breaking horsepower stashed away, and I don't just mean the NSA. DARPA's CGC cluster has something like a 76% success rate when running offense in a king-hell CTF network, and a 100% success rate for finding and fixing exploitable bugs in the systems it's tasked with defending when working on just the executable binaries, no source code involved. That's equivalent to reverse engineering a piece of software that you've never seen before, finding a remotely exploitable bug in it, and patching it by editing the binary by hand. Possible for organic life, to be sure, but now there is software which does it far better than a skilled hacker and barely slows down in so doing. They also showed off some code execution visualization software (local copy), which displayed what was going on within a running process as a Hilbert Curve inside a dynamic virtual space, with the temporal axis depicting runtime is some of the niftiest code visualization I've ever seen. I really hope I can get my hands on it at some point because it doesn't seem to be in their Github account.
Next year DARPA will be bringing the entire CGC cluster, all twenty racks, to DefCon a day early to compete in the CTF to end all CTFs against some of the most talented hackers on the planet. They say they've developed some innovative VR software that uses the latest version of the Unreal engine to depict not only network activity but system activity and software runtime as if they were points of view within a massive first person shooter arena. Word has it that they've even hired a professional FPS tournament commentator to provide color commentary. I guess I'll be flying up a day early next year...
I took a few hours off to get lunch and browse the dealer's room whereupon I bought way too much pen testing gear to add to my collection. Additionally, every locksport vendor was completely out of advanced practice lock sets, sold out within three hours of the dealer's room opening. I guess I'll have to accumulate a paycheque or two and check out some of the usual sites online. I nearly bought some serious radio gear while I was there but elected not to because I had to buy some books for work and had to be careful with the amount of weight in my suitcase on the way back.
The one talk that everybody wanted to see was the Remote Exploitation of an Unaltered Passenger Vehicle talk, which was all over the news not too long ago. The news coverage wasn't sensationalistic. It wasn't sensationalistic enough. Chrysler really sodomized the canine with something like seventeen different models (it was hard to count while the slide was onscreen) as far back as 2013, with no authentication required to wreck serious havoc with any of the cars. Let's be clear, this was a nontrivial hack. The two presenters spent over a year (probably more than that) and several thousand US dollars reverse engineering both hardware and software from their test vehicle to figure out how everything worked and determine how it could be exploited. Writing the exploit code didn't seem very difficult (well, mostly) but the time that went into learning how everything worked was considerable. Next was a talk on a classic heist movie technique, intercepting and looping live securicam feeds. Their technique involved compromising a wired data network physically with some custom equipment and software they'd developed that can allow a computer to edit video streams in realtime so that, to anyone watching the output of the camera they'd only see a boring scene. Their software is smart enough to detect a timestamp which is part of the video stream and update that in realtime, too. Richard Thieme spoke again, this time on transhumanism and the implications of technology on identity. Fascinating stuff, he's really up on the bleeding edge. He could easily present at one of the Transhuman Visions conferences if his speaking fee could be covered. In point of fact he touched on a lot of things that we in the community are wrestling with.
Following that was a talk on DIY Nukeproofing that wound up being cancelled for unspecified reasons. Priest, chief of security for DefCon took the stage for an impromptu game of Spot the Fed to fill time. I was there with my cow-orkers, and did what I could to explain the hilarity that is Spot the Fed while some infamous tales from cons gone by were told by Priest. Several people from the audience were taken on stage but none were found to be federal agents (probably much to their relief). The game was cut short after twenty minutes for suspicions that probably aren't mine to speak of. Suffice it to say that life is.
At the end of Saturday afternoon we reconvened to get dinner, then dropped our stuff off to get ready for the dance party that night. Generally speaking, parties like that don't get started until later so we didn't feel any particular time pressure to be there on time. I did catch part of DJ Jackalope's set and had a great time dancing to warm up for later in the night. Downlink spun an excellent set that I missed most of due to typicaly strange (for most people) circumstances.
Shortly after Downlink got started I was buttonholed by another con-goer who showed me a small red card with white text, about the size of a business card, and asked me if I had a match. The card had a date in the far future printed on it, for example Tuesday, September 26, 2152. Naturally, I hadn't the slightest idea of what he was talking about but because I'm up for just about any kind of weirdness (especially at a con trying to go full Illuminatus!) I decided to follow and see what happened. I was summarily introduced to a woman in a black dress who gave me such a card in a little black envelope with identical instructions to seek out other partygoers and bring them into the hallway. It would appear that one of the crews at DefCon (I'm not sure which one) was running a Discordian game with a decidedly Bladerunner feel to it. I'm pretty sure that the dates on the cards are supposed to be incept dates. I wandered around for an hour or so, finding people with matching cards and bringing them to the ballroom doors to do whatever it was we had to do; most of it was pretty silly and all Discordian-themed - all in good fun. Each time, both of us collected another dogtag.
I've no idea what they're for but I plan on keeping mine handy next year.
At the stroke of midnight, on the stage came Dieselboy.
Dieselboy was one of the first drum-and-bass performers in the pb-cle scene way back in the day, a true luminary of both the scene and the genre. I honestly don't know how many times I've seen him perform live. For whatever it's worth I haven't seen Dieselboy perform since I left the scene in 1999 or therabouts (while Terrence McKenna may have been comfortable with being a geriatric raver, I found myself increasingly weirded out), so when I heard that he was going to be at DefCon I made certain that I would be attending, for work or not. Suffice it to say that I honored one of the grandmasters of the pb-cle community the best way I know how: I danced until I nearly collapsed. I'm still feeling it nearly a week later.
Dieselboy's was hands-down the best show I've seen in a long, long while, and that's counting a few Amanda Palmer shows and KMFDM last month. To sidetrack a bit, the DefCon 23 badges this year were playable records, each the size of a 45 but I've reason to suspect that they're cut to be played at 33 1/3 revolutions per minute. The joke was that by attending DefCon you now have it on your permanent record... regular con-goer badges were white, security goons' red, and I think presenters' records were blue. Artists at DefCon were given transparent records to wear as badges. After Dieselboy's set was over, through one of those glitches in reality that followed me around all weekend (it was the perfect environment for them, after all) I saw and took an opportunity to meet him backstage (well, kind of off-to-one-side-stage, but let's keep the narrative moving) and thank him for performing. "Hi. You have no idea who I am, but I saw you spin at just about every pb-cle party back in the day, and I've been waiting for this show for about sixteen years. Could I get your autograph?"
Because I'm one of those people that inherently takes care of record albums (I used to be a DJ, though I never made it big for reasons irrelevant to this blog post) I kept mine in its paper sleeve all weekend to protect the groove cut into it. Long story short, after scrambling for a pen for a moment, Dieselboy autographed the record sleeve for me. Then, for no reason I could tell, he hugged me. Nothing to it, no ulterior motives, an old-school "Hi, you're a good person," hug from back in the days when Peace, Love, Unity, and Respect were the words we lived by.
"Here. Have my artist's badge," he said, and gave me his lanyard and DefCon 23 badge.
You could have knocked me over with a feather.
I danced a little more after that but mostly wanted to spend some time with old friends. Every con, whenever enough of us get together, we toast an old friend who died some years ago during the prime of his life. This year we did so surrounded by classic arcade games with a fine whiskey and were there until the goons asked us to leave because they were shutting everything down for the night. I crashed for a scant few hours back in my hotel room and somehow got up bright and early the next morning to make it to a few talks. Chris Domas' talk on using psychological warfare to deter reverse engineering of software. left me in stitches. There is no shortage of "$foo is Turing-complete" papers out there but he's the only person I know of who's ever done anything with one. In this case, it was the MOV assembly instruction (local copy). Domas figured out how to turn the call graphs displayed by reverse-engineering tools into 8-bit greyscale displays that could be used to display arbitrary bitmaps. In other words, zooming way out on a super-dense callgraph could be made to display the message "SPOILER ALERT: YOU FAIL." in block letters to whoever is looking at your code. A few of us think this could be a common way of watermarking one's code inside of a year because it's just too funny not to do.
Knocking my neighbor’s kid’s cruddy drone offline by Michael Robinson was similarly funny and informative. There are a few consumer drones on the market with some seriously stupid vulnerabilities in their firmware that are very easy to exploit. First year comp.sci student errors, in point of fact. Not to demean anybody just starting out, gods know I've fucked up pretty badly a few times, but these mistakes that are made from of lack of experience. It's possible to connect to the drone as if it was a wireless access point, telnet to your default gateway (which is the access point), run the shutdown script the manufacturer left in the firmware image, and brick the drone (maybe, he wasn't quite clear on that). Some days it's all you can do to not move to the country and raise sheep. Or mess with your neighbors.
I had one last chance to meet everyone for lunch at DefCon, including a colleague from the Bay Area whom I didn't expect to run into. After an hour or two (we took our time, even after Seele left to catch her flight home) we split back up to attend the closing ceremonies that capped off DefCon. At this point DefCon turned into LineCon, which means that we stood in line waiting to get into closing ceremonies for something like an hour, maybe a little more. After finding seats and sitting down, we were shown the four entrants to and winner of the T.D. Francis X-Hour Film Festival were shown and announced, respectively. The winning team of DefCon Capture the Flag was announced; I think they're the youngest CTF champions in DefCon history. Their team captain is only ten years of age. Their team captain also successfully cracked an experimental build of Windows 10 running on a RaspberryPi B+ snuck onto the network as an easter egg without any of the usual reverse engineering or analysis tools, i.e., wholly intuitively.
I was sitting with the folks I met while we were standing in line and we looked at each other and then said, pretty much at the same time, "We're obsolete."
In addition to Uber Badges (which will get them into DefCon for free for the rest of their lives) they'll have to come back next year to defend their CTF championship title. They will also have to go up against DARPA's CGC cluster.
I really don't have much else to say about DefCon. The rest of my time in Las Vegas was pretty anticlimactic after having my wetware blown out of my ears. All of us went to dinner and spent a couple of hours hanging out talking because we knew we'd have to go our separate ways in a few short hours. The next morning brought with it a leisurely cab ride to McKarren Airport (no, I didn't see any of the buses with "Area 51" painted on the sides, though I was half wishing I would). I didn't expect the TSA to enact "expedited security check" protocols, which basically means we had to throw everything in our carry-on luggage and walk through a metal detector. No shoes, no strip-o-scan, no opt out, just a quick jaunt through security. Given the amount of gear I bought in the dealer's room I'm somewhat surprised that my suitcase didn't get searched. As it turns out I really did hurt myself dancing too much at DefCon; my back's been bothering me nonstop, but I'd do it again in a dead second. The way I see it, if I'm too old to dance I'm just too damned old, so I plan on enjoying myself as much as I can.
I don't think I can deal with burner flip phones anymore. Punching letters on T9 style keypads that don't have backspace keys or any easy way to enter commonly used punctuation marks (like commas or periods) really impaired my ability to operate at a critical time. I think I'm going to have to start using disposable smartphones, which are a thing now, perhaps with a disposable VPN account to secure my data traffic at future DefCons.
I don't have much else to write at the moment. I did take a few pictures at DefCon with the express permission of everyone present that I'll put up at some point. I've got a backlog of photographs that need sorting and posting, anyway.