Leaving Las Vegas: So Long DefCon and Blackhat
For better or for worse, the annual Black Hat and DefCon gatherings were largely overshadowed by the Michael Lynn/Cisco scandal. In talking with dozens of speakers and attendees about this over the past week, the overwhelming consensus was that Cisco and Internet Security Systems committed a public relations blunder by trying to silence Lynn and destroy all trace of his research into flaws in Cisco's widely used Internet routers.
As the conference wound down, someone was distributing a mini-disc containing the slides and audio recording of Lynn's talk, distribution of which was supposed to have been quashed under terms of a settlement agreed to by all parties involved. I, for one, do not understand how the two companies could reasonably expect that Lynn's research would remain a secret after it was presented to a security community that prides itself on sharing information. The Lynn materials have since been posted on numerous Web sites, and are now being traded on Internet file-swapping sites.
The legal actions by Cisco and ISS against Black Hat and Lynn -- coupled with news of an FBI investigation into Lynn's actions -- certainly riled some of the hackers who were in Las Vegas for DefCon and Black Hat. Some claim to be determined to duplicate Lynn's work and create computer code that could successfully exploit the flaw that Lynn went to great pains not to detail. (Incidentally, Wired has a decent Q&A with Lynn that goes into a bit more detail about the background leading up to last week's legal mess.) It also remains unclear whether the legal actions against Lynn could have a chilling effect on security researchers' future willingness to approach and ultimately confront software and hardware vendors about flaws in their products.
Nearly every expert I spoke with about Lynn's research said it was a matter of "when" -- not "if" -- an exploit would be found, given that Cisco vulnerabilities present a highly attractive target for attackers (a majority of Web and e-mail traffic is routed through Cisco devices). The other widely held view I heard was that, due to the complexity of patching Cisco routers (think network downtime), a great many companies using vulnerable Cisco products will wait until an exploit is out to apply the latest Cisco patches to fix the problem. By then, however, it may be too late; the emergence of an Internet worm that leveraged such an exploit could very well result in widespread and sustained Internet outages.
In previous posts, I mentioned my reluctance to go online at DefCon, after more than a few people warned me that using the WiFi connections there could be hazardous to my computer's health and to my privacy. Sure enough, that advice was not unfounded: During the awards ceremony on Sunday, conference organizers said they spotted more than 130 "rogue" WiFi networks set up to lure unsuspecting users into logging on, giving the networks' owners a chance to steal personal information.
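The rogue networks the organizers counted are the classic "evil twin" problem: an access point that advertises a familiar network name so that people connect to it without looking. The script below is an added example, not code from the original post, showing how a network team can flag such access points from a wireless scan when it keeps an allow-list of its own access points. The scan results, the network names, the BSSIDs and the allow-list are all constructed for the example; real scans would come from a wireless survey tool.

```python
"""Flag likely rogue ("evil twin") access points in a wireless scan.

Added example, not from the original post. Three heuristics are applied to
each observed beacon whose SSID matches (or nearly matches) a managed SSID:
  1. the BSSID is not on the allow-list for that SSID;
  2. the beacon advertises an open network while the legitimate one is
     encrypted (the usual lure for unsuspecting users);
  3. the SSID is a lookalike (same letters after normalisation, different
     spelling), e.g. "defcon attendees" vs "DefCon-Attendees".
All data below is constructed for illustration.
"""


def normalize_ssid(ssid):
    """Collapse case, spaces and punctuation so lookalike names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


# Constructed allow-list: managed SSID -> its legitimate BSSIDs and security mode.
KNOWN_GOOD = {
    "DefCon-Attendees": {
        "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
        "security": "WPA2",
    },
}

# Constructed scan results, as a survey tool might report them.
OBSERVED = [
    {"ssid": "DefCon-Attendees", "bssid": "00:11:22:33:44:55", "channel": 6, "security": "WPA2"},
    {"ssid": "DefCon-Attendees", "bssid": "00:11:22:33:44:66", "channel": 11, "security": "WPA2"},
    {"ssid": "DefCon-Attendees", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "OPEN"},
    {"ssid": "defcon attendees", "bssid": "de:ad:be:ef:00:02", "channel": 1, "security": "WPA2"},
    {"ssid": "CoffeeShopGuest", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 1, "security": "OPEN"},
]


def find_rogue_aps(observed, known_good):
    """Return a list of findings, one per suspicious beacon, in scan order.

    Beacons for SSIDs the organisation does not manage are ignored: without
    a baseline there is nothing to compare them against.
    """
    managed = {normalize_ssid(name): name for name in known_good}
    findings = []
    for beacon in observed:
        canonical = managed.get(normalize_ssid(beacon["ssid"]))
        if canonical is None:
            continue  # not one of ours; out of scope for this check
        baseline = known_good[canonical]
        reasons = []
        if beacon["ssid"] != canonical:
            reasons.append("lookalike SSID of %r" % canonical)
        if beacon["bssid"] not in baseline["bssids"]:
            reasons.append("BSSID not on allow-list")
        if beacon["security"] == "OPEN" and baseline["security"] != "OPEN":
            reasons.append("open network impersonating encrypted SSID")
        if reasons:
            findings.append({
                "ssid": beacon["ssid"],
                "bssid": beacon["bssid"],
                "channel": beacon["channel"],
                "reasons": reasons,
            })
    return findings


def scan_report():
    """Run the check over the constructed scan and return the findings."""
    return find_rogue_aps(OBSERVED, KNOWN_GOOD)


if __name__ == "__main__":
    for f in scan_report():
        print("%-20s %s ch%-2d  %s" % (f["ssid"], f["bssid"], f["channel"], "; ".join(f["reasons"])))
```

The allow-list is the important part: BSSID and security mode are what a user never looks at, so a check that compares them against what the network team actually deployed catches the lure that a human scanning the SSID list would miss. An unmanaged SSID is deliberately left alone, since a conference floor full of personal hotspots would otherwise drown the report.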
DefCon 13 also was notable for being the location where two new world records were set -- both involved shooting certain electronic signals unprecedented distances. Los Angeles-based Flexilis set the world record for transmitting data to and from a "passive" radio frequency identification (RFID) card -- covering a distance of more than 69 feet. (Active RFID -- the kind being integrated into foreign passports, for example -- differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance.)
The company's feat is also a reminder of the security and privacy issues presented by RFID technology, which is increasingly being used by companies like Wal-Mart to store information about their products. Using a device like the one Flexilis built, someone could conceivably sit out in the parking lot and peer inside the shopping bag of a customer leaving a store, or use the RFID tags to keep tabs on that person's movements. Using slightly different methods, attackers could send signals that effectively jam or manipulate a store's RFID readers, tricking the devices into reading a $99 item as a 99-cent item, for example.
The second record set this year at DefCon was pulled off by some teens from Cincinnati, who broke the world record they set last year by building a device capable of maintaining an unamplified, 11-megabit 802.11b wireless Internet connection over a distance of 125 miles (the network actually spanned from Utah into Nevada).
Technically, the world distance record for maintaining a wireless connection was achieved in 2002 when a Swedish group established a connection to a WiFi access point attached to a weather balloon nearly 200 miles away. But most folks I spoke with at the conference say the Cincinnati team's record is the more meaningful, in part because the Swedish team used amplification. Critics of the Swedish record also note that there are far more things that can obstruct or interfere with a signal in a ground-based connection than with an aerial setup.
Plenty of other ingenuity was on display at DefCon's many competitions. In the much-anticipated "Beverage Cooling Competition," one team constructed an elaborate cooling system complete with electric pumps, funnels, and a coil-based cooling system. Other contestants took elegant, if rather crude, shortcuts. One team filled a cooler with ice and isopropyl alcohol, a liquid that has an absurdly low freezing point. The result was that beer cans submerged in the soupy goo quickly cooled to minus 62 degrees Fahrenheit. Yet another team simply poured liquid nitrogen over the beer cans. In both cases, the beers exploded. (See my previous post about more drinking-related innovation.)
Ingenuity also was evident in the DefCon 13 Scavenger Hunt. Teams could score points in "the creative use of a Slinky" category. One team converted a Slinky to create one of the items on the scavenger hunt list: nunchaku (a martial arts weapon pronounced nun-chucks) made out of salami. Another team used a Slinky to complete the task of picking a lock.
Everyone at DefCon was required to wear a badge at all times while on the conference grounds; this year's badges were made of thick, colored plexiglass -- designed to confound badge counterfeiters. Alas, at one party Saturday night, each attendee was given perfectly forged badges in a variety of new colors.
Most of the attendees were considered mere "humans," designated as such by the word drilled into the neon-green badges. Reporters, on the other hand, were not human but "press." In all, however, I'd say the people I spoke with were fairly receptive and open with me (as far as I know, anyway). Still, quite a few folks complained of being burned by some reporter in the past. This, sadly, became a common refrain, an experience shared by a fellow reporter and good friend who attended DefCon -- Reuters's Andy Sullivan. In most cases, the "burning" had to do with a misunderstanding about what information could be attributed to a source. As such, Andy and I discussed with receptive conference organizers the prospect of returning to DefCon next year to perhaps co-present a session on talking with the media.
I especially liked the fact that most conference attendees were extraordinarily generous and giving of their time and resources. Many people make it to the conference with little more than the clothes on their bodies (one young lady was walking around with a handmade sign offering kisses for a dollar apiece; she said she spent all her money getting to DefCon and was trying to raise money to make it back home to California. Last year, she said, she raised more than $100 kissing DefCon attendees). This sort of informal barter system has evolved over the years at DefCon. For example, after the conference had officially ended Sunday evening, my generic, yellow DefCon press badge was eagerly accepted in exchange for a Department of Homeland Security pin. At the urging of veteran DefCon attendees, I came to the conference with a few pieces of washingtonpost.com swag (pens, a few stickers and a squishy ball), which came in handy bartering for other things I wanted, including a T-shirt.
Overall, Black Hat and DefCon were a great opportunity to meet and talk with some of the brightest minds in information and computer security. Given the opportunity, I would most certainly go again next year, but it's good to be back home -- Las Vegas starts to feel like a giant shakedown after a few days, and hackers keep late hours, so I didn't get more than 4 hours sleep on average during my 5 days there.
One more thing: I need to make a correction to a previous blog post, where I mentioned that more than 15 reporters from Wired were laid off. I was set straight today by someone close to the situation, who wrote me in an e-mail to say that while all Wired News reporting positions were eliminated, there were only five reporters among the 17 people on staff at Wired News. "Out of those five reporters, three were laid off completely, one became a part-time editor and the other reporter's position was converted into an editing position." Thanks for the clarification.