August 25, 2004
Blackhat/Defcon: The final report

Monday August 02, 2004 (01:00 AM GMT)
By: Joe Barr


DEFCON 12, LAS VEGAS, NEVADA -- The week-long Defcon 12 and Blackhat Briefings ended Sunday. Taking center stage in our final report are Google, a video history of bulletin board systems, a healthy dose of "lessons not learned" by our federal bureaucracy, anarchy, and the threat of physical violence. If you missed the earlier reports from these security conferences, you might want to read these: Blackhat Briefings: Forget the borders, guard the goodies, Blackhat Briefings: Hacker Court 2004, Blackhat Briefings: It's the stupidity, stupid, and DefCon 12: Opening Day.


Johnny Long -- whose day job is as a researcher at CSC -- gave his presentation on Google hacking at both shows. He raced through more than 130 slides, each showing another twist in the game of learning passwords, credit card numbers, and other personal data using nothing but the Google search engine. I was impressed by what I saw. Others? Well, not so much. "O'Reilly has a book out on the subject," I was told by someone who was clearly implying a talk on the subject didn't deserve to be done at Defcon.

The one constant in Google hacking seems to be that there are some real idiots out there who can be harvested using these techniques. Most of them are designed to find default installation pages, error pages, or administration pages for a long list of applications, from MySQL to Apache to phpMyAdmin.

One thing I want to research further is Google's Numrange advanced operator. Long said he couldn't talk about it and expect to keep his day job. Hmm.

Before moving on, I would like to point out that there is a very good application for Google hacking. Have you ever needed to convince a PHB where you work that better security is needed? This is a great way to illustrate why.
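The self-audit use Barr points to, checking your own hosts for the default installation pages, verbose error pages and administration consoles that search engines index, can be scripted without involving a search engine at all. The following is an added example written for this page, not code from the article or from Long's talk. The fingerprint patterns, the hostnames and the sample responses are all constructed for illustration; a real audit would run `fetch()` against a list of URLs you are authorised to test.

```python
"""Self-audit for the exposures described in the Google-hacking talk:
default install pages, admin consoles, database errors, directory listings.

Added example for this page, not part of the original article.  Fingerprints
and sample data are constructed and deliberately small.
"""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Illustrative fingerprints (assumed, not from the article).  Each pattern
# marks a page that should normally not be reachable from the public web.
FINGERPRINTS = [
    ("default-install", r"It works!|Apache2 (Debian|Ubuntu) Default Page|Welcome to nginx!"),
    ("admin-console", r"phpMyAdmin"),
    ("db-error", r"You have an error in your SQL syntax|mysql_fetch_array\(\)|Warning: mysql_"),
    ("dir-listing", r"<title>Index of /"),
    ("stack-trace", r"Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)"),
]


@dataclass(frozen=True)
class Finding:
    url: str
    category: str
    status: int


def classify_body(status: int, body: str) -> list[str]:
    """Return the exposure categories a single HTTP response matches.

    Categories come back in FINGERPRINTS order; a 5xx status is reported as
    'server-error' even when no body pattern matched, since verbose 500 pages
    are exactly what the search operators in the talk hunt for.
    """
    cats = [name for name, pat in FINGERPRINTS if re.search(pat, body, re.IGNORECASE)]
    if status >= 500:
        cats.append("server-error")
    return cats


def audit(responses: dict[str, tuple[int, str]]) -> list[Finding]:
    """Classify a mapping of url -> (status, body) into one Finding per match."""
    findings: list[Finding] = []
    for url, (status, body) in responses.items():
        for cat in classify_body(status, body):
            findings.append(Finding(url, cat, status))
    return findings


def fetch(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """Fetch one URL you own and return (status, first 64 KiB of body).

    HTTPError is caught so that 4xx/5xx bodies are still classified; the
    User-Agent is a constructed placeholder.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "self-audit-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


# Constructed sample responses standing in for a crawl of your own sites.
SAMPLE_RESPONSES: dict[str, tuple[int, str]] = {
    "http://www.example.com/": (200, "<html><body><h1>Welcome to Example Corp</h1></body></html>"),
    "http://www.example.com/phpmyadmin/": (200, "<html><head><title>phpMyAdmin</title></head></html>"),
    "http://dev.example.com/": (200, "<html><body><h1>It works!</h1></body></html>"),
    "http://www.example.com/search.php?q=%27": (200, "<b>Warning</b>: mysql_fetch_array() expects parameter 1"),
    "http://www.example.com/backup/": (200, "<html><head><title>Index of /backup</title></head></html>"),
}


if __name__ == "__main__":
    # With URLs on the command line the script audits live hosts; without
    # any it runs over the constructed samples so it can be tried offline.
    urls = sys.argv[1:]
    responses = {u: fetch(u) for u in urls} if urls else SAMPLE_RESPONSES
    for f in audit(responses):
        print(f"{f.category:16} {f.status} {f.url}")
```

Run with no arguments to see the four constructed findings (an admin console, a default install page, a database error leak and a directory listing); the first sample URL is the control and produces nothing. The split between `fetch()` and `classify_body()` is deliberate: the classifier can be unit-tested against saved responses, and the fetch layer can be swapped for a crawler or for the output of your own web logs.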

BBS documentary

I went into Jason Scott's session on his in-production video history of the BBS world about halfway through. My purpose was two-fold: to learn more about the documentary, and to be in the room -- and more importantly in a chair -- when the following session, Meet the Feds, began. The BBS documentary project and presentation proved to be interesting in its own right.

Jason showed several segments of the video, including an interview with Ward Christensen. He used "baud" in a way even purists would have to agree was correct. Early movers, early users, early hackers: Scott has them all, from Christensen through modern-day Fidonet. Jason promised the video would be completed by the end of the year.

Meet the Feds

Defcon goons made an effort to empty the room between presentations, but some of us managed to simply move from one seat to another. This left me in perfect position for the start of Meet the Feds. The panel was led by Jim Christy, chief of the Air Force OSI's computer crime investigations, and included representatives from the NSA, post office, IRS, Department of Defense, and the FBI. Christy may be best known for a case he worked on a few years ago. He told Robert Morris -- also on the panel -- that they had met before, when Christy was investigating the famous worm that his son had unleashed on the world.

After a brief introduction of each of the panelists, Christy opened the session up to handling questions from the floor. In his opening remarks, Christy had mentioned that one of the things they were doing at Defcon was recruiting. He went on to tell the crowd that if they were interested, and "had not gone over the line," to talk to him afterwards. The "had not gone over the line" comment became one of the hottest topics during the Q&A.

It appears that the lessons the intelligence community has learned from 9/11 have not yet trickled all the way down through the federal bureaucracy -- particularly that bit about the failure of our intelligence pre-9/11 being primarily because of our loss of vital HUMINT owing to both budget and moral directives. When the CIA was told it could only use politically correct HUMINT operatives, it lost its most vital flow of intelligence.

Maybe it's not as bad as it seems. Maybe Christy was only speaking for federal police agencies, not intelligence agencies. One can only hope we're not repeating the same mistakes today that crippled us in the past: that our most experienced group of info-warriors is not automatically excluded from becoming vital intelligence assets because they've violated the DMCA.

The Patriot Act was also called into question by attendees. The FBI representative asserted that just because the act had been passed didn't mean they had carte blanche to surveil anyone they wanted, that judges still had to approve their requests. That reasoning only flew so far, however, as the questioner pointed out that such requests by the FBI are always approved, never denied.

Christy agreed to participate in a dunking booth after the talk, but only if the money did not go to the EFF, who was sponsoring the booth. The EFF allowed the proceeds from his dunkings to go to the charity he preferred instead.


I never got to the final session I planned on attending Saturday. I went into a presentation on Hacktivism led by a young man who asked to be referred to as "CrimeThinc" for the same reason I went into the BBS documentary presentation: to be sure to have a seat for the following talk, which was being given by acquaintances of mine from the Austin LUG. But a little controversy -- which almost sparked physical violence -- got in the way.

As a member of the press later said, the speaker's rhetoric will undoubtedly improve once his braces come off. The problem began when the speaker began to encourage the crowd to "fuck up their shit" at the Republican National Convention in New York City later this month. At that point, a Defcon goon approached the stage and asked him not to tell the crowd to commit illegal acts.

But CrimeThinc continued to ask attendees to deface the Republican National Committee Web sites, to launch denial of service attacks against their servers, to harass delegates in the street, to prevent buses carrying delegates from running, and so on. "By any means necessary," he said.

Politics at Defcon is risky business. This particular speaker seemed to expect to be arrested at the end of his talk. Perhaps that was his goal. Instead, he started to get flak from the audience in response to his unrelenting spiel on the evils of capitalism and American politics. When a voice in the back asked, "So there is no place for dissenting opinions in your ideology?" the question was greeted with applause.

Suddenly one of the conference organizers who goes by the name Priest appeared with two or three additional goons. They made their way to the stage and Priest took a chair not far from the speaker's. He was heard to tell the young man, "We are here for your protection." After listening for a couple of minutes, Priest took a mic and announced that Defcon did not advocate criminal activity of any kind.

The talk ended shortly thereafter and a swell of people crowded near the stage to engage the speaker. One attendee got right in the speaker's face -- literally only inches apart -- and the two exchanged heated words. It looked like there was going to be physical violence. Priest told the goons to take the speaker out of the room the back way and to take him to a safe place until things calmed down a bit. The removal of the speaker was quick, deft, and probably the only thing that prevented a bad situation from becoming a lot worse. Kudos to Priest and his goons for their quick action. I mention this only because the speaker and one of his crew seemed not to appreciate having been hustled out of the area.

I spoke briefly with Priest an hour later and asked how he happened to come upon the scene so quickly. He said:

We got the call for trouble in the room. The gentleman, I was told, was preaching sedition. I knew that we had to take some steps quickly preventing that. Defcon is definitely for free speech, definitely for legal civil disobedience. But not anarchy, not psychopathic destruction of property.


As with the security community itself, it is tempting to use labels like white hat and black hat to differentiate between the Blackhat Briefings and Defcon. If you are a corporate or government security admin, you will probably get a lot more out of the Blackhat Briefings. If you are a "freelance security auditor/researcher," or a federal narc, you might find Defcon more enjoyable or rewarding. While there are parties at both events, Defcon continues the con tradition of drunken revelry, full or partial nudity, and non-stop hacking and pranking.

All in all, the two events provide an informative and entertaining week which provides glimpses into the darker sides of network security.






Clarification ... (Score:0)
By Anonymous Reader on 2004.08.03 13:14 (#96596)
The Crimethinc speaker was a government provocateur.

Crimethinc does try to take people out of apathy, but their most important weapon is language:

http://www.crimethinc.com/library/english/contents.html

http://www.crimethinc.com/library/english/libselect.html

And so much for free speech. Why should somebody be stopped from saying whatever he wants to say? Speaking about something isn't illegal; doing it might be.

Rock on...
defcon cop-out (Score:0)
By Anonymous Reader on 2004.08.03 13:58 (#96600)
"Defcon is definitely for free speech, definitely for legal civil disobedience"

there is no such thing as LEGAL civil disobedience

What I'd say, in Christy's shoes: (Score:0)
By Anonymous Reader on 2004.08.03 16:45 (#96612)
HUMINT-- Human intelligence. One of the greatest failures in the war on terrorism was the failure to extort correct information from morally unacceptable sources. But the US government doesn't care, and they shouldn't. Those of us on the ground read the news about this failure, just like our critics; so do our bosses, and their bosses, all the way to the highest levels of government. But we are not going to hand taxpayer money to human filth in hopes of attaining correct information instead of lies, because doing so is expensive, wrong, and above all shortsighted: the US intelligence community may have a poor reputation for blowback, stupidity, rank opportunism and gross negligence, but we are not the KGB, and there are miles to fall from here.

We are here to recruit as well as inform, and if you're interested, please seek me out later at the conference and talk to me. However, be aware that the interview process includes a very thorough legal examination of your history with computers. If we don't trust you, we don't hire you. And even if we do trust you to be predictable, and obey your employers, we may decide the justice of pursuing you as a criminal for past misdeeds outweighs any technical skills you have to offer.

Stepping back out of the fed voice, I disagree with the author of the column: "scumbags need not apply" is indeed the best compromise for government hiring, and I seriously doubt Christy's "line" referred to piddling reverse-engineering tricks that violated the DMCA.
Politically incorrect operatives (Score:0)
By Anonymous Reader on 2004.08.03 20:26 (#96618)
Know what you mean, but the details matter.

CIA agents were still allowed to recruit criminals. The change was that they had to get management approval first.

That could cut either way. It could have a chilling effect on an operative who wanted to hire a war criminal. On the other hand it also meant that an operative who did would have high-level protection against any resulting flak. The logical question is how management handled requests from the field for scum recruitment.

Published reports were that they never turned down a request. The next logical question is how many requests were never made, which is almost unknowable.
    oxymoronic? (Score:1)
    By aminorex (1157) on 2004.08.03 20:50 (#96619)
    "legal civil disobedience" would appear to be a contradiction in terms.
      Slight correction... (Score:0)
      By Anonymous Reader on 2004.08.03 21:44 (#96622)
      "The FBI representative asserted that just because the act had been passed didn't mean they had carte blanche to surveil anyone they wanted, that judges still had approve their requests. That reasoning only flew so far, however, as the questioner pointed out that such requests by the FBI are always approved, never denied."

      I didn't ask the original question, merely responded to the FBI guy's BS answer. Also, I referred specifically to the FISA court. Actual numbers of PATRIOT Act and terrorism case warrants issued/denied are unknown because every FOIA request asking for the numbers has come back so redacted that they're going to need to up the Federal budget next year to give black ink its own section.
        © Copyright 2004 - OSTG, Inc., All Rights Reserved