INSIDE THE 
NEWS + ADVICE
DEFCON 22 Insider’s Report
DEFCON is the world’s longest running and largest underground hacking conference, held annually in Las Vegas. We asked DEFCON veteran Ivy Thomas to share her experiences with us.
At DEFCON it’s hard to get any sleep. It’s hard to get everything done. You’ll want to, but you can’t. If you try to do all the things, at least get 3 hours of sleep per 24 hours. That’s the DEF CON rule. A full menu of state-of-the-art lectures, technology demonstrations, lock picking toolkits and radio hardware sales, parties until dawn, and “Capture the Flag” competitive hacking events are just the beginning of DEFCON’s vast gamut. Tailing a week of corporate lectures and advanced training featured at Black Hat Las Vegas, the first week/weekend in August at Las Vegas, NV, is an annual week of paradise for the global hacker and computer network security professional community.
4.5 hours and no badge later…
My husband and I roll up to the Rio just after brunch on Thursday. We’d been up late Wednesday night, networking at Black Hat Las Vegas’ myriad of corporate after parties, including IOActive’s IOasis and the CISCO Speakeasy. We’re greeted by a wall of hackers awaiting their badges. The line wrapped around the Conference Center hallways. It continued through a quarter mile of casino landscaping and outdoors to the pool. We find our places and I greet two young hackers who’d just picked up their badges. “How long was the wait?” I query. “Four and half hours,” he replies. James and I settle in and greet our neighbors, determined to get into the conference before dinner time.
10-57-10-57: Don’t miss the point in curious codes
We move forward mere inches when my cell phone buzzes. It’s my good friend da_667, of Northern Virginia Hackers Association (NoVAHA), “Hey Ivy, Some hackers from Unallocated Space and NoVAHa are chowing righteous noms over here at the Honey Pig Korean BBQ in Chinatown. We’ve filled 30 seats and the octopus is on the grill! Come on over!” With empty hands and bellies, James and I desert the (over-the-top) DEFCON badge line for a precious seat at the Hacker BBQ. We rationalize that presentations will be available online after the con (from https://DEFCON.org/); that the line will be shorter upon return. Minutes later a sleek black car drops us off in the corner of a dusty strip mall far off the Las Vegas Strip. Sun cracked bells adorning the entrance to Honey Pig jingle as I pull open the door. The tiny restaurant is alight, packed with hackers in neon orange and black conference swag, including custom circuit board necklaces and blinking LED lights.
Glyph Cracking
Over sizzling pork belly, I admire unique badges worn by dinner guests, and learn about the DEFCON 22 Badge Challenge. The requirements include that all 8 variants of the badge lanyards must be latticed together to decode a message. Interestingly enough, gathering 30 decorated DEFCON goers at the Korean BBQ for lunch offered us a strategic advantage. Our Korean American waitress leans in to examine the myriad of eastern characters printed on the badge lanyards. “This is a Korean character and it means Horizontal. This is Chinese, it means Skull. This one is North and this one means Key.”
Kurt, a radio hacker and visiting diplomat from the Philippines pipes in to offer us another clue. Then quickly she laughs, exclaiming, “OOPS I wasn’t supposed to tell anyone because I want to win this year!”
DEFCON is cancelled this year
I rush back to the Rio determined to catch the tail end of day one at DEFCON. The lines are gone and the halls are all but empty. I eagerly run up to the counter to pick up my badge. A tall lean woman with a sea-green mohawk and black goggles distractedly chews gum while thumbing through a book titled “Black Hat Python.” She looks up for long enough to inform me, “Oh. Didn’t you know that DEFCON was canceled this year?” For a moment, I’m taken aback. A smile breaks across her face. From under the counter, she hands over my badge and booklet, “$225 cash please.” (Hackers prize their anonymity, so credit cards are not accepted. And in most areas, photography is not allowed.) Still in a state of shock, I hand over my cash, and walk the wrong way twice before finally entering the conference. That old prank. It’s a part of the DEFCON culture, but it still manages to trick me every time.
Lockpicks, Antennas and GNU/Unix, Oh my!
The map indicates a wide selection of events: Lockpick Village, Vendors (of books and equipment), Lecture Tracks 1-3, Wireless Village, and the Packet Hacking Village to start. (A packet is a discrete unit of information on a computer network.) I head first for the Vendors’ hall. There, I find lock picking tools, even a cufflink with a handcuff key, designed by Sparrows Lockpicks, called the “Uncuff link.” Kev Fiddler of Serepick offers me a neat SEREPICK patch to place on my backpack, which I do proudly. I pick up a few more to pass onto the beginner lock pickers in training at the LockPick Village.
A shifty eyed ram wearing a trenchcoat, greets all who dare enter the darkened walls of the Packet Hacking Village. Here is the infamous “Wall of Sheep”, curated by Aries Security company. The hall is dark and cavernous. From deep within echoes bass-heavy trance-inducing techno music timed to a pulsing melee of ambient lights. At the front of the room is emblazoned a mammoth projection screen actively chronicling exposed names and passwords of insecure internet accounts. These are the victims of the Wall of Sheep, herded in real time by DEFCON hackers. Every ten seconds, the flock is refreshed with new credentials picked fresh off the local conference room airwaves.
Is Airplane Mode Enough
As my eyes slowly adjust, I make out glinting lenses of bespectacled hackers reflecting from the deepest corners of the cavernous room. I shudder, realizing those who I barely see in the darkness of the Village are still visible to me. However, it’s what I can’t see concerns me the most. The invisible toolkits probing for unencrypted data over the airwaves. The constant surveillance and reconnaissance conducted by participants who hunt for lost sheep. For the third time since entering the DEFCON 22 arena, I ask myself, “Is my cellular data turned off?” Desperately I fumble for my handheld device, verifying I’ve toggled Airplane Mode; that my Data, Bluetooth and Wi-Fi are all switched off.
Rolling up my sleeves to dive in
As a technology consumer, I feel utterly useless against the state of the art toolkits used by the DEFCON hackers. My data, too, could be herded onto the Wall of Sheep. It’s not unusual to feel concern that one’s silent and “secure enough” mobile device may be broadcasting radio whispers identifying “this is who I am” and “these are my vulnerabilities.”
The first way to figure out how vulnerable you are is to learn the toolkits that exploit those vulnerabilities. If you’re curious, then look inside the walled villages of DEFCON for places of consent where you can begin to learn. For those interested in beginning here, it’s advisable to configure an inexpensive laptop with the Linux build “Kali.” It’s not advisable to bring a computer with any valuable private data to DEFCON. And, it’s always advisable to ask first, to make sure you are hacking in the right place.
With this awareness, I open up my laptop and log in to the Wall of Sheep’s wireless network. There, I passively wander, looking for unencrypted virtual artifacts left by wifi users logging into email, web applications, or other network services. After posting a few trophies of my own, and helping the beginner hacker next to me get a handle on his toolkits, I pack up and move on to the dinner time corporate networking activities at Black Hat next door.
Sushi and sake with Matt Devost
Just outside of the DEFCON arena my cell phone buzzes again. This time it’s my husband, James Thomas, on the phone, a security consultant for Northern VA based FusionX, LLC. “Ivy,” he says, “I pinged Matt Devost (CEO of FusionX). He expressed interest in meeting with you, regarding his insights on DEFCON for the ClearedJobs.Net article you’re writing. Meet him at Mizuya Sushi at Mandalay Bay, 5:30. Don’t be late,” he winks into the phone, and hangs up.
[Excerpt]
Ivy Thomas This is Ivy Thomas reporting from Las Vegas. I’m meeting with visionist Matt Devost to catch a glimpse of his insights on DEF CON and hot topics in the global computer network security professional community.
Matt, Linked to Terrorism Research Center (http://www.terrorism.org/) website is a document, “Unrestricted Warfare”. The research contained in this document describes how United States wargame is fairly restricted by its own policies. That policies we’ve (US) instilled and expressed to the world also constrains how we should behave in foreign affairs. Yet, I’ve also heard from friends in the industry that while China hacks the US, the US also hacks China back.
Matt Devost Oh yeah, I’m sure — It’s a multi-faceted, complex problem. But the keys are in where and whether or not it fits for the job, the level of activity, wrong, right, things of that sort – and there are cultural differences with regard to what is wrong and what is right anyway.
That’s one key thing that I’ve triggered on several times in the past couple of days. Focusing on intellectual property theft as a core diplomatic tenet is fundamentally flawed, because our view of intellectual property and other countries’ views of intellectual property are misaligned. For example, the Chinese will look at it and say: “For 2,000 years we invented all these great things, and other societies got the benefit of our inventions. And then, over the past 100 years, you’ve decided that intellectual property is important, and that just happens to coincide with when the US and other governments had periods of innovation. So, why was it okay for you to use our intellectual property for 2,000 years, but it’s not right for us to use yours over these 100 years? You need to pay, we’re trying to better our society. You were trying to better your society when we invented gunpowder and all these other innovations that came from the Chinese culture.”
IT That’s a very good point. Eastern practice observes a much longer timeline, as their civilization has been established so much longer. Another great difference between Western and Eastern strategy is exemplified by the strategy games that we play. Here in the United States we play chess and poker, over in China and Korea they play the game of go [Chinese: wei-qi, Korean:baduk], which is much more complex in terms of strategy. I’ve heard it said that “if chess is a battle, go is a war.” In the endgame, it all comes down to the ability to read ahead. The number of moves that players must assess in the game of go is so much greater. In that sense, I can see the ethic mentioned in the game.
MD It’s interesting, and we discussed it in my talk that I did here at Black Hat this afternoon, how in the West we don’t have a lexicon for strategies associated with deception and things of that sort, whereas the Chinese have lexicons and strategies that go back centuries or thousands of years. So it recurs over and over again: in documents, in strategies, they relate back to fundamental concepts that exist, where we don’t have a correlation for that in the United States. It gives you two completely different approaches and perspectives. That, and time. They look at time from a generational standpoint, whereas to us, five years is long term.
IT That actually brings to mind another quote that I read from your website, which is that 2009 was the “year of living cyberdangerously,” simply stating that by 2010, that was when we should really start implementing real change.
MD I wrote that blog post (http://www.devost.net/) as kind of a recognition of trends that I saw, to identify a flashpoint where things would turn in a different direction. And if you look at what happened in the next year, we had the Operation Aurora attacks and the increased prevalence of the nation state focus, and it’s been incredibly dynamic for the past five years.
So yeah, I put that down, which I will from time to time. I consider myself a quasi-futurist. I’ll be thinking, okay, there’s an important change taking place, an interesting dynamic that I want to recognize. I hope that also means that there’ll be some sort of sea change of defense strategy, which hasn’t quite occurred yet, but will possibly.
The interview with Matt Devost that follows is worth reading in full.
The DEFCON Community
So, where do these hackers hail from? Who are the mystery fellowship of women and men adorned in the hacker uniform of security themed black t-shirts, tactical pants, mohawks, kilts and boots?
First, DEFCON is known for being highly inclusive and welcoming to all. At DEFCON, you may meet the co-hosts of your favorite security podcast or even the prolific directors of Electronic Frontier Foundation (EFF) or NSA. You may encounter unnamed members of faceless criminal and vigilante “hacktivist” groups or even plains-clothed civilians and soldiers from the top-secret US Cyber Command.
With this in mind, DEFCON is a great networking and recruitment opportunity for all involved. It’s also a great place to catch up with old friends because most of us, globally, have welcomed DEFCON as our mecca at some time or another. News is out that DEFCON 23 is scheduled to take place July 30 – August 2, 2015. Perhaps, if DEFCON isn’t cancelled next year, I’ll see you there!
Ivy Thomas is a DEFCON veteran and Founder of Information Security Society of the Nation’s Capital. She researches Mac OS X Security and is organizer of #LadiesLunchCon. Follow Ivy on Twitter @ivydigital.
