The Trade Show Floor: Def Con 0xB Posted on Tuesday, August 12, 2003 by Darth Elmo

Today Darth Elmo is unusually vexed by heat, dehydration and fatigue. But somehow he's smiling, and sporting a brand new black T-shirt with a cryptic yet discernibly rude slogan on the back. What could this mean? Only one thing: it's time for this year's Darth Elmo Def Con Dispatch!

Def Con, of course, is the biggest and best annual hacker convention in the US. Def Cons take place in Las Vegas, Nevada, and span a three-day weekend in early August or late July. The convention is attended by thousands of information security professionals, hackers of all shapes and UNIX affiliations, law enforcement officers both federal and not, and journalists both clueful and clueless. Def Con is part security convention, part family reunion, part flea market and 100% party. This year's Def Con, the eleventh, didn't disappoint in the fun or socializing departments, and it delivered pretty well on interesting ideas and discourse, too.

Def Con Events

Before Darth Elmo describes the Deep Thoughts of Def Con 0xB, let's consider some of Def Con's amusements and contests of skill. Many are offered, but several stand out in the Furry Lil' Sith Lord's mind.

First, the Def Con 11 Scavenger Hunt. Run by rootcompromise.org and 2600SLC, this year's hunt featured many challenging and arcane items and tasks on its official List. Some of Darth Elmo's favorites were:

• Person wearing a bow tie (30 points)
• Get a member of the Blue Man Group to talk (40 points, video evidence required)
• A cannonball (very big, very heavy, very real) (100 points)
• Any Smurf merchandise (15 points)
• Picture of a team member in a Las Vegas Metro (jail) cell (100 points)
• Kaypro computer (60 points)
• A cheese wheel and some mittens (20 points)
• Get in a (loud) fight with a team member about whether the volcano outside The Mirage is real (45 points, video evidence required)

Darth Elmo has no idea which team won (his flight left before the Awards Ceremony on Sunday), but he's sure they all had a great deal of fun trying. (Darth also is now much less confused as to why, at various times, he saw people fishing in the moat at the Bellagio, filling a beer-keg with brake fluid and eating dangerous quantities of Sweet 'n Low while being filmed.)

Besides the Scavenger Hunt, Def Con attendees also sought diversion in the annual Spot the Fed contest (STFC). Each year more US Federal agents of various kinds attend Def Con, but they also get harder to spot due to the large crowds. This year, Priest (the Def Con Goon in charge of the STFC, among other things) ruled that "because there are so many feds at DEF CON this year, the only feds that count are the kind that don't want to be identified". Off-duty military and civilian contractors, in other words, did not qualify.

Priest held impromptu Spot the Fed sessions at various times and locations over the course of Def Con, but in none of the ones Darth Elmo participated in did he see an actual, qualified Fed identified. Everyone had fun, however, listening to Priest's gentle interrogation of the various researchers, consultants and other suspiciously clean-cut types whom audience members fingered. Luckily, in the official Spot the Fed Contest rules, Priest said "if you survive unmolested and undetected, but would still secretly like an I am the Fed! shirt to wear around the office or when booting in doors, please contact me when no one is looking."

The last Def Con 11 contest Darth Elmo will mention here was, arguably, the most important of them all: the Capture the Flag (DTF) contest, aka Root Fu, aka The Hacking Contest. In this year's CTF, run for the second year in a row by three-time champions Ghetto Hackers, each competing team was given a CD-ROM containing server software created especially for the contest. Over the course of Def Con, each team had to defend and figure out how to operate its server properly, while simultaneously attacking those of the other teams. Darth Elmo's good friend Jay Beale participated on the Immunix team this year. They nearly won, but victory was snatched from their jaws by Anomaly.

Def Con Content

So, what about actual Def Con content? What pearls of wisdom did Def Con presenters bestow upon your humble hacking correspondent? Oh, this and that. Here's a completely arbitrary selection of notes, based not on merit but on which memories have somehow survived Darth Elmo's post-Def Con, sleep-deprivation-induced stupor.

Darth Elmo first attempted to attend "A Conversation With Phil Zimmerman". Phil Zimmerman, of course, is the creator of PGP (Pretty Good Privacy) and a longtime advocate of and pioneer in digital privacy. But Darth Elmo and his pals were refused entry: the hall was full when we arrived, and the Las Vegas Fire Marshal had decreed there could be no standing in the back. Standing room had been abolished at Def Con 0xB. Fair enough, thought Darth Elmo, at which time he toddled over to Bruce Potter's "Bluetooth" presentation. But again, he was forbidden to enter the filled hall.

This happened to a lot of people at Def Con 0xB, especially on Friday and Saturday. So strict was the enforcement of fire code that the Goons, for a while at least, required people who wanted to attend two consecutive sessions in the same hall to exit along with everyone else and then get in line to return to the hall they'd just exited--in order to give others a fair chance at entry. On the one hand, Darth Elmo is a big supporter of fire safety. But on the other hand, Def Con's planners clearly will need to limit the amount of admissions they sell next time or find a much bigger venue.

Having been turned away twice, Darth Elmo retreated with some friends to a chum's hotel room (thanks, tmns!), where we finally were able to watch some Def Con sessions via closed-circuit TV.

Brian Glancey's talk on "PDA Insecurity" was most enlightening. As a general rule, both Pocket PCs and PalmOS devices generally have poor security. Passwords and PINs are user-chooseable and therefore particularly susceptible to brute-force and dictionary attacks. Glancey said that even the HP iPAQ 5455, which has a thumbprint scanner, is vulnerable. The scanner is, in fact, a simple camera, meaning it's trivially easy to fool with a photograph or other forgery of authorized thumbprints.

Sensepost, an information security consultancy in South Africa, gave an interesting presentation entitled "Putting the 'Tea' Back Into Cyberterrorism". In a nutshell, Sensepost described hypothetical attacks using multi-exploit worms that could infiltrate the internal computer systems of, say, a national government, circumventing firewalls and other perimeter defenses. In close coordination with other attacks, such worms could cause unprecedented levels of mayhem.

Naturally, researchers and other experts have said for a long time now that the worms, viruses and so forth that we've seen so far, even highly disruptive ones like SQL Slammer and Melissa, could have been much worse had their creators been less restrained (or more skilled). But the notion of using what we normally think of as a highly indiscriminate attack vector--that is, malware--in conducting a tightly targeted attack was novel.

Two talks on Sunday stood out for Darth Elmo, possibly because both were given by longtime cohorts. The first was "Locking Down Mac OS X", in which Jay Beale related his experiences and observations on porting his important Bastille OS-hardening tool to Mac OS X. Mac OS X was much in evidence at Def Con: many, many attendees and speakers were carrying iBooks and PowerBooks. Among the geek elite, the combination of cool Apple hardware with the powerful, BSD-based OS X, has a strong appeal. Accordingly, Jay's talk was well attended and enthusiastically received.

The talk that immediately followed Jay's is of no small interest to Linux Journal readers: Paranoid Penguin columnist Mick Bauer delivered "Self-Abuse For Smarter Log Monitoring", an introduction to the simple and fun technique of attacking one's own systems for the purpose of learning what attacks look like in one's logs. Mick appeared free and easy in his jaunty black kilt, matching dress shirt and motorcycle boots. ("Does the kilt facilitate self-abuse?", inquired one audience member. "I'm not prepared to answer that", answered Mick, "but I will say that the sporran [the pouch that accompanies kilts] is really useful. It keeps yer stuff close at hand, and if while looking for something you need a discrete scratch, no one's the wiser!")

Kilt jokes aside, Mick clearly had fun describing and demonstrating his attacks and their resulting log trails. Sometimes, the audience had fun, too. When he invited audience members to attack his victim machine themselves ("you be the K1d10t!"), he gave prizes for several entertaining log messages caused by participants. The final winner: erroneous characters after protocol string: HTTP GET /Bauer_upkilt_13.jpg.

Randomly Selected Resources

Def Con Home Page

Nomad Mobile Research Center. Although unjustly neglected in the above article, Simple Nomad and his crew unveiled NMRC-OS (a new secure Linux distro) and a few other new tools at Def Con 11.

Sensepost Home Page

Richard Thieme is another speaker neglected in the above dispatch, but whose home page is still worth checking out. He spoke about "Hacker Generations" at Def Con 11.

Mick Bauer's slides from "Self-Abuse For Smarter Log Monitoring", in handy HTML format.

Darth Elmo has been Linux Journal's Special Hacking Correspondent since Def Con 9. He won't say whether he wears kilts.