
Leaving Las Vegas: So Long DefCon and Blackhat

For better or for worse, the annual Black Hat and DefCon gatherings were largely overshadowed by the Michael Lynn/Cisco scandal. In talking with dozens of speakers and attendees about this over the past week, the overwhelming consensus was that Cisco and Internet Security Systems committed a public relations blunder by trying to silence Lynn and destroy all trace of his research into flaws in Cisco's widely used Internet routers.

As the conference wound down, someone was distributing a mini-disc containing the slides and audio recording of Lynn's talk, distribution of which was supposed to have been quashed under terms of a settlement agreed to by all parties involved. I, for one, do not understand how the two companies could reasonably expect that Lynn's research would remain a secret after it was presented to a security community that prides itself on sharing information. The Lynn materials have since been posted on numerous Web sites, and are now being traded on Internet file-swapping sites.

The legal actions by Cisco and ISS against Black Hat and Lynn -- coupled with news of an FBI investigation into Lynn's actions -- certainly riled some of the hackers who were in Las Vegas for DefCon and Black Hat.  Some claim to be determined to duplicate Lynn's work and create computer code that could successfully exploit the flaw that Lynn went to great pains not to detail. (Incidentally, Wired has a decent Q&A with Lynn that goes into a bit more detail about the background leading up to last week's legal mess.) It also remains unclear whether the legal actions against Lynn could have a chilling effect on security researchers' future willingness to approach and ultimately confront software and hardware vendors about flaws in their products.

Nearly every expert I spoke with about Lynn's research said it was a matter of "when" -- not "if" -- an exploit would be found, given that Cisco vulnerabilities present a highly attractive target for attackers (a majority of Web and e-mail traffic is routed through Cisco devices). The other widely-held view I heard was that due to the complexity of patching Cisco routers (think network downtime), a great many companies using vulnerable Cisco products will wait until an exploit is out to apply the latest Cisco patches to fix the problem.  By then, however, it may be too late; the emergence of an Internet worm that leveraged such an exploit could very well result in widespread and sustained Internet outages.

In previous posts, I mentioned my reluctance to go online at DefCon, after more than a few people warned me that using the WiFi connections there could be hazardous to my computer's health and to my privacy. Sure enough, that advice was not unfounded: During the awards ceremony on Sunday, conference organizers said they spotted more than 130 "rogue" WiFi networks set up to lure unsuspecting users into logging on, giving the networks' owners a chance to steal personal information.

DefCon 13 also was notable for being the location where two new world records were set -- both involved shooting certain electronic signals unprecedented distances. Los Angeles-based Flexilis set the world record for transmitting data to and from a "passive" radio frequency identification (RFID) card -- covering a distance of more than 69 feet. (Active RFID -- the kind being integrated into foreign passports, for example -- differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance.)

The company's feat is also a reminder of the security and privacy issues presented by RFID technology, which is increasingly being used by companies like Wal-Mart to store information about their products. Using a device like the one Flexilis built, someone could conceivably sit out in the parking lot and peer inside the shopping bag of a customer leaving a store, or use the RFID tags to keep tabs on that person's movements. Using slightly different methods, attackers could send signals that effectively jam or manipulate a store's RFID readers, tricking the devices into reading a $99 item as a 99-cent item, for example.

The second record set this year at DefCon was pulled off by some teens from Cincinnati, who broke the world record they set last year by building a device capable of maintaining an unamplified, 11-megabit 802.11b wireless Internet connection over a distance of 125 miles (the network actually spanned from Utah into Nevada).

Technically, the world distance record for maintaining a wireless connection was achieved in 2002 when a Swedish group established a connection to a WiFi access point attached to a weather balloon nearly 200 miles away. But most folks I spoke with at the conference say the Cincinnati team's record is the more meaningful, in part because the Swedish team used amplification. Critics of the Swedish record also note that there are far more things that can obstruct or interfere with a signal in a ground-based connection than with an aerial setup.

Plenty of other ingenuity was on display at DefCon's many competitions. In the much-anticipated "Beverage Cooling Competition," one team constructed an elaborate cooling system complete with electric pumps, funnels, and a coil-based cooling system. Other contestants took elegant, if rather crude, shortcuts. One team filled a cooler with ice and isopropyl alcohol, a liquid that has an absurdly low freezing point. The result was that beer cans submerged in the soupy goo quickly cooled to minus 62 degrees Fahrenheit. Yet another team simply poured liquid nitrogen over the beer cans. In both cases, the beers exploded. (See my previous post about more drinking-related innovation.)

Ingenuity also was evident in the DefCon 13 Scavenger Hunt. Teams could score points in "the creative use of a Slinky" category. One team converted a Slinky to create one of the items on the scavenger hunt list: nunchaku (a martial arts weapon pronounced nun-chucks) made out of salami. Another team used a Slinky to complete the task of picking a lock.

Everyone at DefCon was required to wear a badge at all times while on the conference grounds; this year's badges were made of thick, colored plexiglass -- designed to confound badge counterfeiters. Alas, at one party Saturday night, attendees were given perfectly forged badges in a variety of new colors.

Most of the attendees were considered mere "humans," designated as such by the word drilled into the neon-green badges. Reporters, on the other hand, were not human but "press." In all, however, I'd say the people I spoke with were fairly receptive and open with me (as far as I know, anyway). Still, quite a few folks complained of being burned by some reporter in the past. This, sadly, became a common refrain, an experience shared by a fellow reporter and good friend who attended DefCon -- Reuters's Andy Sullivan. In most cases, the "burning" had to do with a misunderstanding about what information could be attributed to a source. As such, Andy and I discussed with receptive conference organizers the prospect of returning to DefCon next year to perhaps co-present a session on talking with the media.

I especially liked the fact that most conference attendees were extraordinarily generous and giving of their time and resources. Many people make it to the conference with little more than the clothes on their bodies (one young lady was walking around with a handmade sign offering kisses for a dollar apiece; she said she spent all her money getting to DefCon and was trying to raise money to make it back home to California. Last year, she said, she raised more than $100 kissing DefCon attendees). This sort of informal barter system has evolved over the years at DefCon. For example, after the conference had officially ended Sunday evening, my generic, yellow DefCon press badge was eagerly accepted in exchange for a Department of Homeland Security pin. At the urging of veteran DefCon attendees, I came to the conference with a few pieces of washingtonpost.com swag (pens, a few stickers and a squishy ball), which came in handy bartering for other things I wanted, including a T-shirt.

Overall, Black Hat and DefCon were a great opportunity to meet and talk with some of the brightest minds in information and computer security. Given the opportunity, I would most certainly go again next year, but it's good to be back home -- Las Vegas starts to feel like a giant shakedown after a few days, and hackers keep late hours, so I didn't get more than 4 hours sleep on average during my 5 days there.

One more thing: I need to make a correction to a previous blog post, where I mentioned that more than 15 reporters from Wired were laid off. I was set straight today by someone close to the situation, who wrote me in an e-mail to say that while all Wired News reporting positions were eliminated, there were only five reporters among the 17 people on staff at Wired News. "Out of those five reporters, three were laid off completely, one became a part-time editor and the other reporter's position was converted into an editing position."  Thanks for the clarification.

By Brian Krebs  |  August 1, 2005; 5:30 PM ET
 

Comments

Thanks for a great rundown, Brian! I'd say all in all, you're pretty close to human... :)

http://dubiousprofundity.com/

Posted by: DubiousChrisJ | August 2, 2005 10:30 AM | Report abuse

I bet it smelled bad- hanging out with the unwashed nerds. A cross between Wayne's World and X-files.

Posted by: WhiteHatPro | August 2, 2005 12:24 PM | Report abuse

Great write up, wish I could have made it this year.

Posted by: Murd0c | August 2, 2005 12:28 PM | Report abuse

"One team filled a cooler with ice and isopropyl alcohol..." should be 'dry ice' since you can't cool something using ice (+32F) to -62F, and it wasn't the beer that was cooled to that point, it was the slurry into which the cans were submerged.

Posted by: Luwenth | August 2, 2005 12:43 PM | Report abuse

"One team filled a cooler with ice and isopropyl alcohol..." should be 'dry ice' since you can't cool something using ice (+32F) to -62F, and it wasn't the beer that was cooled to that point, it was the slurry into which the cans were submerged.

I also got burned by press last year, but it wasn't a fact or quotation that was misused. My picture was taken and published. The reporter claimed to be willing to send me a copy of the picture but I still haven't received it and the reporter stopped responding to me after our initial email exchange on the matter.

Posted by: Luwenth | August 2, 2005 12:46 PM | Report abuse

Nice reporting job, I enjoyed the reading.
It also seems that certain companies need to restructure their CEO's and CIO's or at least get some advice from Kenneth Lay on how to deny knowing anything.

Posted by: WaterJoe | August 2, 2005 12:51 PM | Report abuse

If you think you can't cool below +32 using ice, try mixing ice, water and salt in a glass and check the temp. The salt forces the ice to change phase endothermically; you can get +25 easily.

Posted by: icy! | August 2, 2005 2:24 PM | Report abuse

The melting point of ice is 32. Doesn't mean ice can't be below that, it just means that an ice-water mixture won't go below that. But dry-ice might make a bit more sense.

Posted by: Oudeis | August 2, 2005 4:25 PM | Report abuse

Interesting stuff, Mr. Krebs...I'd really like to hear your thoughts on the content of the presentations you were able to attend at both conferences, though.
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted by: H. Carvey | August 2, 2005 4:51 PM | Report abuse

I think the kisses for a dollar people may be doing research for a sociology or psychology project. There was a very pretty girl doing that at a recent HOPE con, one day in normal clothing, the next in a red dress with makeup. She was wandering around with people who looked like ivy leaguers (tall, thin, delicate). I didn't see any takers at HOPE, I bet the drunken teens of DefCon were more enthusiastic.

Posted by: hy3na | August 2, 2005 4:55 PM | Report abuse

Actually, it was Renderman's team that used the dry ice and isopropyl alcohol method. I enjoyed myself again this year, and will be going back for many years to come. If only more people would attend with open minds instead of preconceived notions.

Posted by: SkyDog | August 2, 2005 5:01 PM | Report abuse

"In previous posts, I mentioned my reluctance to go online at DefCon, after more than a few people warned me that using the WiFi connections there could be hazardous to my computer's health and to my privacy."

Wish I had seen this sooner. You can hook up to hotspotvpn and encrypt all of your online sessions, wireless or not. Let the evil twins sniff, they can't break AES256 encryption! Great post. Wish I could have gone this year. I'll just wait for the local shmooCon.

Posted by: ScaredStraights | August 2, 2005 6:24 PM | Report abuse

The only thing dumb about using the wireless network is using it unencrypted. Next year I encourage you to stop by the Wall of Sheep and ask us to help you check your settings to make sure you can stay off of the wall. We are always happy to help people fix their configurations. Our job is to educate and help people understand where people are giving away their personal information and how they can be more secure.

All of the press people we spoke with this year were very friendly. We hope you make it back next year to stop in and say hello.

Posted by: Cbyter | August 2, 2005 11:51 PM | Report abuse

I should follow up with the comment that our only annoyance with press reports was the reporters not stopping by and doing some fact checking. The AP story mentions a Harvard professor and several Apple employees. While I need to backtrack through our data now that I've gotten some sleep, I would venture to guess that those accounts were a Harvard law student and some Apple customers using their free email service.

Posted by: cbyter | August 2, 2005 11:56 PM | Report abuse

please, please, please. do not encourage behavior of the $1 kisses girl or similar kinds of people by giving her this kind of publicity.

this is the same girl that was at hope, and has been at other cons. no, she wasn't too poor to get home. as far as i know, no, she wasn't doing a sociology project.

she's doing a great job of lowering the image of women at cons and giving the "hacker scene" more of a bad image. i have female friends who are honestly embarrassed when they see her, especially when she's completely straightforward about how she's just doing it to make some easy money at a hacker con.

Posted by: shardy | August 3, 2005 9:45 AM | Report abuse

Hey Brian,

I read your blog (and the complaint about the press being mistrusted due to attributing information wrongly), and I had to think of a few things related to that:

1. My brother happens to be a journalist with a large financial newspaper, and in Germany there's a pretty fine-tuned (if informal) system for making it clear at the beginning of an interview how the information is to be used:

"under one" means the information must not be disclosed, but is intended to provide the journalist with more background information so he can put the other things into context

"under two" means the information can be published, but the source has to be kept anonymous ("a source close to the ministry of defence")

"under three" means that the information and the source can be identified

Having a fairly strict code like this massively helps in communication between sources and journalists :)

2. Hackers and journalists tend to have diverging goals. In many cases, hackers have an instinct (or even a legitimate need) to keep things quiet, whereas journalists need to put a strong "spin" on a story so it has an impact. Now, a strong media reaction forces companies to respond, oftentimes to the disadvantage of a hacker who would've preferred the status quo.

3. Hackers and journalists tend to treat information differently. Most hackers almost instinctively consider information to be a currency, to be exchanged against other (useful) information. A lot of security information "dies" very quickly when exposed to the sun. Journalists on the other hand work with information in a less "greedy" manner, and tend to expose information to the public (with the effect that the "currency" is then devalued).

Posted by: #2 | August 3, 2005 10:18 AM | Report abuse

Speaking about Wendy (aka kisses),
1) Home for her is chicago, not california,
2) She made over a hundred last year at HOPE, not Defcon. (Yes, it was the same girl,)
3) Actually she made far more at HOPE, not DefCon, I think she made around 20 at DefCon
4) She's actually quite interested in computers/security in general....but her background is far more on the psych/sociology side.
5) At hope she was trying to get money to make it to defcon, at defcon she was trying to get money to pay the money back she owed for getting to defcon in the first place.
Beyond that, if anyone has any other questions, they can drop her a line direct at Kisses@AJollyLife.com, or me at Jolly@AJollyLife.com

Jolly

Posted by: Jolly | August 6, 2005 1:48 AM | Report abuse

"Active RFID -- the kind being integrated into foreign passports, for example -- differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance."

Just a minor correction, active RFID can typically be read at much *greater* distances than passive RFID and the passport systems are passive. Active or passive, most RFID systems are not magnetically coupled but instead use capacitive, inductive or backscatter coupling. Magnetically coupled tags are usually just one-bit Electronic Article Surveillance tags.

Posted by: Bill | August 24, 2005 9:53 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company