Thousands of hackers in the same Las Vegas hotel? Sounds like a party to Mick!
Last month, I wrote a case study on Linux desktop system hardening, in the form of a step-by-step walk-through of how I prepared my Ubuntu laptop for DEFCON 17, the annual hacker's convention in Las Vegas that features one of the world's most hostile public wireless LANs. Well, you'll be happy and perhaps surprised to learn that my laptop came through unscathed.
But, you may wonder, was Mick exposed to cutting-edge developments in information security? Did he get invited to any elite skybox parties? And, doesn't this sort of reporting normally belong on a blog instead of languishing for a few months through the lengthy print process to which magazines are subject?
I'll answer the last question first. In the past, I've covered DEFCON on LinuxJournal.com under my hacker pseudonym Darth Elmo. (No, I'm no more scary as a hacker than my handle implies, although I'm working on it.) But this time, I thought it might be interesting to cover DEFCON, which really is one of the most important annual events in my field, in a little more depth. I wanted not merely to report on DEFCON, but also to touch just a bit on some ongoing paradoxes and conflicts in information security that always seem to leap out at me at DEFCON.
In short, I wanted to write a DEFCON article that people still would find relevant and interesting a few months after the actual event. You be the judge!
DEFCON, in case you aren't familiar with it, is an annual conference for the “security underground” held by Jeff Moss, aka The Dark Tangent (aided by scores of volunteers) in Las Vegas, Nevada, every summer since 1993 in late July or early August. It's run for and by self-identified “hackers”, which is to say, technology's more creatively minded researchers, problem solvers and boundary pushers.
The term hacker, of course, has a lot of baggage. In mainstream English usage, it typically means “computer criminal”. However, in the original meaning of the term, hackers are simply people who explore the limits of what is possible in computer systems, networks and other complex systems. Hackers are technologists who are driven to understand the full truth of what a given network, software application, device or operating system is really capable of doing (or being made to do), regardless of what its manuals, specifications or even its creators say.
Penetration testing, the art of breaking into systems or networks in order to document and demonstrate their various vulnerabilities, is one of the most visible and interesting applications of that kind of exploration, although it represents only a subset of what hacking is about. But penetration testing, and the skills involved in its practice, is somewhat problematic. Some hackers can and do cave in to the temptation to use their skills illegally or unethically, and even those who don't tend to be treated with suspicion by more conventionally minded IT professionals (not to mention law-enforcement representatives).
DEFCON has represented, for nearly two decades, an attempt to build some sort of understanding between the hacker community (in the broadest sense), law enforcement and the IT professions (certainly IT security). It isn't the oldest hacker conference, but according to longtime DEFCON insider Dead Addict, it probably was the first hacker convention to invite law-enforcement representatives and journalists to attend deliberately, and to encourage them to give presentations too.
In this column, I discuss my own perspective on DEFCON. DEFCON has changed a lot even just in the eight years I've been going (and even more over the past 16), but in my opinion, it remains the single-most important event in my profession, imperfect though it unquestionably is.
To start off, a bit of reporting is in order. At DEFCON, you really can't discuss culture separately from technology, since the whole point of the exercise is to celebrate their convergence. Furthermore, as always, I saw some very cool and interesting things.
In “Is Your iPhone Pwned?”, Kevin Mahaffey, John Hering and Anthony Lineberry (whom I interviewed in the August 2009 issue) described a WAP push attack that, although easily detected and traced by carriers, can be used to open arbitrary links and windows on mobile browsers. They gave an excellent overview of mobile device security, highlighting difficulties caused by incompatibilities between different providers' implementations of mobile platforms and devices.
Moxie Marlinspike, in his talk “More Tricks for Defeating SSL”, described a new “null prefix” attack that can be used to create fraudulent certificate signing requests (CSRs) that could result in attackers obtaining legitimately signed certificates for domains they don't own. Moxie's talk created a lot of buzz, and at least two other presentations referred to his work, including Dan Kaminsky's and Sam Bowne's.
Moxie is also author of the SSLstrip tool, which is sort of an HTTPS-to-HTTP proxy that can be used to capture SSL-encrypted data via man-in-the-middle attacks. He had presented on SSLstrip just a few days earlier at Black Hat Briefings 2009, a large commercial security conference that always precedes DEFCON. Sam Bowne gave a chilling but engaging demonstration of SSLstrip in his presentation “Hijacking Web 2.0 Sites with SSLstrip”, also demonstrating Rsnake's “Slowloris” tool for denial-of-service-attacking Apache Web servers.
While we're on the topic of SSL attacks, Mike Zusman gave a talk called “Criminal Charges Are Not Pursued: Hacking PKI”, in which he demonstrated a way to use ordinary Domain Validation (DV) SSL certificates in man-in-the-middle (MitM) attacks against sites that use Extended Validation (EV) certificates. It was easy to see how Zusman's attack could be combined with SSLstrip and the null prefix attack.
As you can see, man-in-the-middle attacks against SSL were a very hot topic at DEFCON 17. At this point you may be wondering, “oh great screaming goats, can I ever use eBay safely again?” The good news is, yes, probably.
MitM attacks work only when attackers can insert themselves logically upstream of the victim and downstream of the Web site the victim is trying to reach. In some contexts, this is relatively easy—on a public Ethernet, like at a hotel or on some kinds of Wi-Fi hotspots (never mind exactly how for right now, although I may write a future column on ARP spoofing). But the chances of someone doing this on your home DSL network or at your workplace are probably fairly slim.
Still, I hope this cluster of presentation topics serves as a wake-up call to Web developers who mix clear text (HTTP) and encrypted (HTTPS) content, which makes this sort of attack much harder for end users to detect, and to Certificate Authorities who need to figure out better ways of screening certificate signing requests.
It may, of course, simply be that somebody needs to figure out a better way of securing Web traffic than SSL (or TLS) as we know it. Even without attempting MitM attacks, phishers frequently are successful in luring users who don't even notice that their fake e-commerce and on-line banking look-alike sites lack any SSL at all. SSL and TLS represent an important enabling technology for making the WWW useful for shopping, banking and other sensitive transactions. We wouldn't be using the Web for those things today had it not been for SSL/TLS. But, it isn't at all certain whether SSL can evolve to address emerging threats satisfactorily.
As is so frequently the case with DEFCON, some of the best talks I attended weren't explicitly technical. In “The Year in Computer Crime Cases”, Jennifer Stisa Granick of the Electronic Frontier Foundation used two recent court cases to illustrate a rash of recent attempts to widen inappropriately the definition of “unauthorized access” in the US Computer Fraud and Abuse Act. Jason Scott, in his talk “That Awesome Time I Was Sued For Two Billion Dollars”, gave a breathtakingly profane and funny account of a spurious lawsuit filed against him over an electronic book archived on his site www.textfiles.com.
And, in a conference characterized by very large venues filled to capacity, Adam Savage of the TV show MythBusters really packed the house, giving an entertaining and inspiring account of the role of failure in his career. Savage, an expert in special effects and industrial design, may not be as obvious a candidate for speaking at a hacker conference as Ms Granick, a longtime legal advocate in criminal cases involving hackers, or Mr Scott, a noted hacker historian and archivist. But with his highly creative approach to problem solving and his eloquence and empathy in describing the challenges faced by everyone who works with complicated systems, Savage connected convincingly and resoundingly to the DEFCON crowd and received a very warm welcome (and a standing ovation).
I also saw good presentations on security challenges in cloud computing, techniques and patterns of stock-scam spammers, quirks of the credit reporting system and on Metasploit's new WMAP module for attacking Web applications. And, I was very pleased to attend a talk by my old friend and former employer Richard Thieme, hackerdom's most prominent cultural attaché.
Some of the presentations I attended weren't very good—sad to say, I even walked out on a couple. DEFCON always has been somewhat hit and miss with regard to consistency of presentation quality. But the good ones were very good, and they easily outnumbered the less-good ones. In all my years attending DEFCON, I've never felt it was a wasted trip. Besides, prematurely exiting one or two presentations is usually the only way I can find time to check out the DEFCON vendor area, which provides one-stop shopping for all your hacker-fashion, lockpicking and wireless hardware needs.
Maybe because DEFCON invites such high expectations, a few things bothered me. Some are peculiar to DEFCON; others probably are characteristic of hacker culture as a whole. Either way, these observations are offered in a wholly constructive spirit. Nothing worthwhile is worth being complacent about.
The thing that bothered me most consistently about DEFCON this year was the behavior and attitude of many (emphatically not all) of the “red shirt goons”. In case you're unfamiliar with them, all members of DEFCON's volunteer staff are called goons, whether they're serving as actual physical-security goons like the red shirts, manning the information desk or running the massive DEFCON LAN infrastructure. All goons have T-shirts proclaiming their DEFCON goon status, but only the physical security crew's shirts are red.
I'm privileged to call many of these goons friends. In fact, it was the “original goon”, Conal Garrity, who first urged me to give DEFCON a try many years ago. I've seen my goon friends work incredibly long hours with little sleep, irregular meals and little else in the way of extrinsic rewards for their efforts. They're an amazing group of people.
So maybe I was disproportionately bothered by seeing a small number of the red shirts being disrespectful to the point of being counterproductive, in their efforts to manage the large crowds that attended DEFCON 17. At various times I saw some of these guys yelling at attendees, calling them names, insulting their intelligence and making vague threats (though their preferred punishment seemed to be “more yelling”).
One prominent goon even interrupted a presentation I was enjoying to harangue the crowd because there had been an incident concerning one person trying to bungee jump off the hotel's roof and another involving someone with a concealed handgun on the casino floor. The only problem was I'm pretty sure none of the hundreds of people who had up until this point been respectfully listening to Sam Bowne's talk had even heard of these incidents, let alone contributed to them in any way. I understand the goon was frustrated and stressed, but he took it out on the wrong people.
The crowds I saw at DEFCON this year were certainly large, but not unruly nor even particularly uncooperative. Certain goon antics seemed disproportionate. When I described some of them to a nonhacker friend later, his reaction was “sounds like Barney Fife syndrome”. I had to reluctantly agree that yes, it did seem as though authority had gotten to some of these guys' heads just a tiny bit.
Another thing that occasionally struck me was the paradox of DEFCON elitism. On the one hand, in many ways DEFCON represents one of the most inclusive, accepting and open atmospheres I experience in any context. Everybody is welcome: hackers, cops, feds, nerds, script kiddies, lawyers, teachers, students, reporters—even vendors. Boundaries of race, nationality, socioeconomics, creed or sartorial style generally do not apply at DEFCON.
And yet, there's definitely an in-crowd. DEFCON parties abound, which are, as with parties the world over, frequently about who is not invited as much as who is. This shows up in all sorts of contexts, including the speaking schedule itself, but it's subtle, and over the years I've had trouble putting my finger on the real shape, extent and nature of DEFCON elitism. To talk of elitism at such an essentially inclusive event as DEFCON really is a bit of a paradox.
Obviously nepotism figures into practically any human endeavor, so maybe it's no big mystery. But I've observed that many if not most of those who seem to be in the DEFCON in-crowd are more oriented toward attacking things than defending them. I suppose this isn't very surprising, given the way DEFCON markets itself—one of the official DEFCON T-shirts this year featured the slogan “hack everything!”
Why wouldn't a hacker conference concern itself primarily with new attack techniques? After all, as I've just described, much of the content that made the biggest impression on me this year involved attacks. Exposure to new attacks and vulnerabilities provides valuable insights to those of us who defend networks and systems for a living.
So, I don't mean to suggest DEFCON should set some sort of quota on attack-oriented material. However, I do think it's a shame that there's less of a focus on defense at DEFCON nowadays than there used to be. For example, both times I presented at DEFCON (in 2002 and 2003), my talk was included in the “Defense” track—a track that was phased out years ago. Maybe it's time to bring it back. Maybe more people need to submit DEFCON proposals involving compelling, cutting-edge defensive techniques.
And maybe, if we hackers want the world to give us more credit for the constructive things we do, and if we want people ever to accept the broader definition of hacker as creative problem solver, we need to do a little more to avoid giving the impression that we're almost exclusively creative problem makers.
So perhaps I'm less worried about nepotism per se—which in one form or another is inevitable in anything that relies so heavily on volunteers—than I am about its particular effects and ramifications. DEFCON simply needs more defense-oriented people it its in crowd. And I'm prepared to serve in that capacity myself, even if that means having to present at DEFCON year after year in multiple tracks, schmooze at all hours with prominent feds and attractive celebrity lawyers and accept one free beer after another at crowded, hot parties. You know where to find me, guys!
In all seriousness, DEFCON already is remarkably good, even incomparable. I can't over emphasize that for my friends and I who attended it, volunteered at it and presented at it, DEFCON 17 was a tremendous success—educational, thought-provoking, relevant, unpredictable, exhilarating at least as often as it was frustrating and, above all, fun.
In the words of Richard Thieme, who at the time wasn't sure whether he was quoting Simple Nomad or Bruce Potter, “For the system to work, it must never grow up and it must make us smile.” Here's to the scene's never growing up. I hope to see you at DEFCON 18!