Having worked in IT for (gasp!) twenty-five years, I have long enjoyed the side of my job that deals with securing the networks I am responsible for. Network security is a game to me; trying to find and stop hackers before they find and stop me. As my blogging has revealed over the years, I enjoy solving a good mystery. How far back can a track an attacker? Or an adversary? How much knowledge can I dig up? This is all very fun.
My current job doesn’t deal with this directly as I am lucky to have a great team who watches the network. Still, I have to pay some attention to what’s what. So, when the department budget allowed for sending me to my first DefCon, I was delighted to go. Two weeks ago, I was on a plane to Las Vegas to join 25,000 other “hackers” in an intense, three-day powwow of matching wits, sharing forbidden knowledge, and proving points.
This year is the 25th anniversary of DefCon (i.e. “DefCon 25”). DefCon gets its name partly from the U.S. Department of Defense’s “Defense Condition” levels, as popularized by the movie “War Games.” Partly, it’s a made-up word with the “Con” meaning “convention.” DefCon was started (if I am correct) by Canadian bulletin-board owners who decided that on-line meetings were not enough. It has continued to be one of the premier conferences/training sessions that draws attendees from around the world.
Now, the term hacker in the public mind tends to have a negative connotation but this is not entirely true. The title of hacker in the industry vernacular is actually a badge of honor, bestowed upon a developer who can quickly kick out computer code. You’ll find many computer people proud to call themselves hackers yet they don’t break into computers. In an effort to protect the positive connotation of the term hacker, the IT community introduced a new phrase to describe computer criminals as “crackers.” This term has more or less failed to catch on, so “hacker” now describes both types.
It takes a lot to willingly get me to Las Vegas. It’s a fake city out to take my money and I don’t particularly enjoy having my money taken. Only if there’s an interesting conference am I likely to go. DefCon qualified so I booked my plans.
DefCon fully complies with the “what goes on in Vegas stays in Vegas” saying. DefCon organizers have no idea who will attend or who has attended. There is no way to register for the conference, and thus no way for DefCon (or the authorities) to track who shows up. Everyone pays cash at the door, whether you’re a government employee, a computer geek like me, or a journalist. I was not sure how this would work in practice but somehow it did.
There are several accounts out there that describe more of the DefCon experience so I’ll focus on my own here.
I’d never seen so many geeks in one place. I’m also not used to going “full geek” in public for three days straight but it’s easy at DefCon. No matter how “leet” you think you are, there is someone here who is eons more masterful at doing what you do. You just go with the flow.
My colleagues and I picked out talks we wanted to attend from a large list of concurrent discussions. There were workshops and villages also, where attendees could roll up their sleeves and practice the skills that were being discussed. Vendors were also present to sell hacker tools of various varieties. It was mind-boggling! I shopped the vendors, practiced my lock-picking skills, and observed the various ways that cars could be controlled via computer. Never have so many warranties been voided in one place.
I was even bold enough to connect my phone to DefCon’s WiFi network. DefCon is said to be the “world’s most hostile network environment” and it’s easy to see why. Fake wireless access points and cell towers abound. Any device that connects here must be considered hacked and then wiped clean after the conference. That’s why you’ll see more flip phones and other “burner” phones here than probably anywhere else.
Still, I couldn’t resist trying my own burner phone on DefCon’s network. I figured if it got hacked I wouldn’t really lose anything and later I could study how it happened. DefCon was smart with its network this year, however, and required WiFi clients to use a cryptographic certificate to connect (called 802.1x). This seemed to eliminate all but the most dedicated hackers and I did not hear of anyone who used this new procedure having falling victim to hackers. Impressive!
At past conferences, DefCon used to play a game called “Spot the Fed.” Lately Feds have been welcome. Feds even give talks and panel discussions. Indeed, I attended many talks were by private-sector security professionals who were often collaborating with federal agencies on cases. I was pleased to see this kind of trust displayed though there is still so much more to be done.
The real adversary here seemed to be state-sponsored Russian and Chinese cyber criminals. Most people I heard from seemed to have their sights on these bad guys. As such, I came away from DefCon thinking not that these DefCon hackers have the goal of disrupting society but that of improving society. The aim is to point of the flaws in the things we use because pretending something works when it actually doesn’t doesn’t do anyone any good but the bad guys. Though it’s sometimes not easy for an outsider to see, DefCon attendees have morals (some of them strongly held) and the overall vibe I got was that if you’re a company or government that is being a dick to others you just might get some electronic karma sent your way. Like, for instance, the Anonymous group taking down the website of some jerk who really deserved it. This action may even be considered a touch patriotic. I was glad to meet the people who really are keeping everyone safe by their calling out when the emperor has no clothes. That’s how we progress.
There were too many talks to attend them all, and too many conversations which could’ve lasted longer. It was exhausting, fun, eye-opening, and mind-blowing. I cannot wait to go back.