Blackhat/Defcon: The final report

36

Author: Joe Barr

DEFCON 12, LAS VEGAS, NEVADA — The week-long Defcon 12 and Blackhat Briefings ended Sunday. Taking center stage in our final report are Google, a video history of bulletin board systems, a healthy dose of “lessons not learned” by our federal bureaucracy, anarchy, and the threat of physical violence. If you missed the earlier reports from these security conferences, you might want to read these:

Blackhat Briefings: Forget the borders, guard the goodies,

Blackhat Briefings: Hacker Court 2004,

Blackhat Briefings: It’s the stupidity, stupid, and

DefCon 12: Opening Day.

Google hacking

Johnny Long — whose day job is as a researcher at CSC — gave his presentation on Google hacking at both shows. He raced through more than 130 slides, each showing another twist in the game of learning passwords, credit card numbers, and other personal data using nothing but the Google search engine. I was impressed by what I saw. Others? Well, not so much. “O’Reilly has a book out on the subject,” I was told by someone who was clearly implying a talk on the subject didn’t deserve to be done at Defcon.

The one constant in Google hacking seems to be that there are some real idiots out there who can be harvested using these techniques. Most of them are designed to find default installation pages, error pages, or administration pages for a long list of applications, from MySQL to Apache to MyPHPAdmin.

One thing I want to to research further is Google’s Numrange advanced operator. Long said he couldn’t talk about it and expect to keep his day job. Hmm.

Before moving on, I would like to point out that there is a very good application for Google hacking. Have you ever needed to convince a PHB where you work that better security is needed? This is a great way to illustrate why.

BBS documentary

I went into Jason Scott’s session on his in-production video history of the BBS world about halfway through. My purpose was two-fold: to learn more about the documentary, and to be in the room — and more importantly in a chair — when the following session, Meet the Feds, began. The BBS documentary project and presentation proved to be interesting in its own right.

Jason showed several segments of the video, including an interview with Ward Christensen. He used “baud” in a way even purists would have to agree was correct. Early movers, early users, early hackers: Scott has them all, from Christensen through modern-day Fidonet. Jason promised the video would be completed by the end of the year.

Meet the Feds

Defcon goons made an effort to empty the room between presentations, but some of us managed to simply move from one seat to another. This left me in perfect position for the start of Meet the Feds. The panel was led by Jim Christy, chief of the Air Force OSI’s computer crime investigations, and included representatives from the NSA, post office, IRS, Department of Defense, and the FBI. Christy may be best known for a case he worked on a few years ago. He told Robert Morris — also on the panel — that they had met before, when Christy was investigating the famous worm that his son had unleashed on the world.

After a brief introduction of each of the panelists, Christy opened the session up to handling questions from the floor. In his opening remarks, Christy had mentioned that one of the things they were doing at Defcon was recruiting. He went on to tell the crowd that if they were interested, and “had not gone over the line,” to talk to him afterwards. The “had not gone over the line” comment became one of the hottest topics during the Q&A.

It appears that the lessons the intelligence community has learned from 9/11 have not yet trickled all the way down through the federal bureaucracy — particularly that bit about the failure of our intelligence pre-9/11 being primarily because of our loss of vital HUMINT owing to both budget and moral directives. When the CIA was told it could only use politically correct HUMINT operatives, it lost its most vital flow of intelligence.

Maybe it’s not as bad as it seems. Maybe Christy was only speaking for federal police agencies, not intelligence agencies. One can only hope we’re not repeating the same mistakes today that crippled us in the past: that our most experienced group of info-warriors is not automatically excluded from becoming vital intelligence assets because they’ve violated the DMCA.

The Patriot Act was also called into question by attendees. The FBI representative asserted that just because the act had been passed didn’t mean they had carte blanche to surveil anyone they wanted, that judges still had approve their requests. That reasoning only flew so far, however, as the questioner pointed out that such requests by the FBI are always approved, never denied.

Christy agreed to participate in a dunking booth after the talk, but only if the money did not go to the EFF, who was sponsoring the booth. The EFF allowed the proceeds from his dunkings to go to the charity he preferred instead.

Hacktivism

I never got to the final session I planned on attending Saturday. I went into a presentation on Hacktivism led by a young man who asked to be referred to as “CrimeThinc” for the same reason I went into the BBS documentary presentation: to be sure to have a seat for the following talk, which was being given by acquaintances of mine from the Austin LUG. But a little controversy — which almost sparked physical violence — got in the way.

As a member of the press later said, the speaker’s rhetoric will undoubtably improve once his braces come off. The problem began when the speaker began to encourage the crowd to “fuck up their shit” at the Republican National Convention in New York City later this month. At that point, a Defcon goon approached the stage and asked him not to tell the crowd to commit illegal acts.

But CrimeThinc continued to ask attendees to deface the Republican National Committee Web sites, to launch denial of service attacks against their servers, to harass delegates in the street, to prevent buses carrying delegates from running, and so on. “By any means necessary,” he said.

Politics at Defcon is risky business. This particular speaker seemed to expect to be arrested at the end of his talk. Perhaps that was his goal. Instead, he started to get flak from the audience in response to his unrelenting spiel on the evils of capitalism and American politics. When a voice in the back asked, “So there is no place for dissenting opinions in your ideology?” the question was greeted with applause.

Suddenly one of the conference organizers who goes by the name Priest appeared with two or three additional goons. They made their way to the stage and Priest took a chair not far from the speaker’s. He was heard to tell the young man, “We are here for your protection.” After listening for a couple of minutes, Priest took a mic and announced that Defcon did not advocate criminal activity of any kind.

The talk ended shortly thereafter and a swell of people crowded near the stage to engage the speaker. One attendee got right in the speaker’s face — literally only inches apart — and the two exchanged heated words. It looked like there was going to be physical violence. Priest told the goons to take the speaker out of the room the back way and to take him to a safe place until things calmed down a bit. The removal of the speaker was quick, deft, and probably the only thing that prevented a bad situation from becoming a lot worse. Kudos to Priest and his goons for their quick action. I mention this only because the speaker and one of his crew seemed not to appreciate having been hustled out of the area.

I spoke briefly with Priest an hour later and asked how he happened to come upon the scene so quickly. He said:

We got the call for trouble in the room. The gentleman, I was told, was preaching sedition. I knew that we had to take some steps quickly preventing that. Defcon is definitely for free speech, definitely for legal civil disobedience. But not anarchy, not psychopathic destruction of property.

Conclusion

Like the security community itself, it is easy to use labels like white hat and black hat to differentiate between the Blackhat Briefings and Defcon. If you are a corporate or government security admin, you will probably get a lot more out of the Blackhat Briefings. If you are a “freelance security auditor/researcher,” or a federal narc, you might find Defcon more enjoyable or rewarding. While there are parties at both events, Defcon continues the con tradition of drunken revelry, full or partial nudity, and non-stop hacking and pranking.

All in all, the two events provide an informative and entertaining week which provides glimpses into the darker sides of network security.