Interesting Stuff

This weekend I went to Defcon 0xF with psifer and inferno0069, and it was a blast.

• I stopped at Arby’s for lunch on the way there. I wanted two roast beef sandwiches and a small fries, the total of which came to $7.63. I then looked at their menu, and saw they still do the “5 items for $5.95” thing. So I canceled my original order and instead got two roast beef sandwiches with cheese, a medium fries, potato cakes, and a small shake. My new total: a mere $6.44. I ate about half this food, and threw the rest out. This doesn’t seem like a good business model to me, since I’m giving them less money and taking more of their food (half of which was wasted).
• On the way there, I passed the exit for Zzyzx Road. I also drove past signs for Death Valley, which was kinda cool.
• In order to raise money to help combat AIDS in Africa, the Hacker Foundation was selling red T-shirts which said
  

  HAXO(RED)

  on the front. I wanted to get one, but they were already sold out of my size. Another shirt was too nerdy even for me: it read “chown -R us ./base” Dorks!

• I became a member of the EFF! They had a wonderful panel that covered all kinds of things they’re doing. Unfortunately, this weekend a new law was passed that makes warrantless wiretapping legal, which is something the EFF has been fighting since 2005. I’m not sure how this will fit in with a ruling last year that said that warrantless wiretapping is unconstitutional, but this is certainly a dark day for freedom.
• I watched macdaddyfrosh, mtbg, and magicpacket valiantly lose at Hacker Jeopardy. but I won a T-shirt from Hack A Day.
• Mike Andrews was there incognito, but I recognized him and talked to him for a bit. He might come to give a talk at my office at some point.
• I entered the lockpicking contest and picked 15 of the easier locks (so I finished the contest in the middle of the pack with 71 out of ≈300 points). I’m pretty proud of myself, since I had never picked a lock with “real” tools before the con (though I have raked Masterlocks with a safety pin and street sweeper bristle).
• Bruce Schneier held a Q&A session! That’s right: Bruce “I am a security fucking god” Schneier. [1] It was as amazing as I had hoped. That guy is so cool. I should point out that his blog has an RSS feed on LiveJournal, to which you can subscribe.
• There were several talks this year discussing the influence the hacker community has on mainstream perception of stuff, which was pretty cool. Besides the annual “internet wars overview,” there was a talk which reviewed the recent cyberwar waged against Estonia by the Russian mob. DarkTangent himself (creater of both Defcon and the Black Hat security conventions) gave his account of the infamous Ciscogate scandal. Jennifer Granick (author of that article) also gave a talk about legal case studies; she is leaving her work at Stanford next month to join the EFF. There was also a talk about the effect that the locksport community has had on improving lock mechanisms.
• There were so many amazing talks, I’m not going to discuss them all. but here’s a list of some of the cooler topics that were discussed: encrypted VoiP clients, timing attacks for botnets, digital forensics, social engineering and NLP, stopping jerks online, the basics of hardware hacking, and XSS in social networks.
• Michelle Madigan was found to be an undercover reporter (link includes video of the incident) with a secret camera. She was outed from the conference. I wasn’t there when she was caught, but I did hear about it later that day. Press at Defcon are fine when they wear their press badges, but Michelle was apparently trying to covertly get anyone at the con to admit to a felony on her secret camera so she could do a shock report on the horrible, criminal hackers at the con (I don’t think there were many criminals there, but some reporters seem to have a penchant for fabricating stories/threats to get ratings).
• I saw an OLPC XO-1 (more information on Wikipedia). It’s smaller than I expected, but the keyboard is child-sized, which makes sense. The screen is very readable (but very small). The touchpad/stylus area is pleasantly large, though.

[1] Yes, he’s so awesome that even his tmesis gets tmesis. [2]
[2] I admit, I’ve been looking for an excuse to use the word “tmesis” for a while now.

There is an exploit in the Adobe PDF plugin for web browsers. Adobe has already fixed the vulnerability, so you should all update your plugins. This vulnerability affects users of Internet Explorer and Firefox, on Windows and Linux (and any other browser/OS combination that uses the Adobe plugin).

For several weeks, I have been pondering the following: speakers and microphones are pretty much the same, in that they’re both bits of piezoelectric material held next to magnets with wires coming out of both sides. The only difference is that current is imposed on one and the other imposes itself on the current instead. Consequently, it seems like you could take your headphones and use them as really crappy microphones to record sound wherever you go with an MP3 player, assuming you made the correct changes to the firmware. Well, it turns out that not only is this possible, but people have already done it. In true hacker form, the first step is to install Linux on your iPod. I don’t think I’m actually going to do this in the foreseeable future, but it’s nice to know that someone else has tried it and it works.

Coming back from DEFCON, I felt like Jack, coming down the beanstalk to announce that “there are giants in the sky! There are big, tall, terrible* giants in the sky!” I was introduced to a whole new world with new ways to look at everything. I had no idea most of that stuff was out there and accessible to me. Everyone seemed more knowledgable about every single topic, but it was exhilerating to see it all.

I met up with Matt, Dan, John, Eric, and two guys I hadn’t met (Chris and Andrew) in Vegas, and we all shared a room intended for 4 people. The first day, everything was delayed by 2 hours because the fire marshall forgot to approve our convention, or something. After that, however, there were talks running continuously from 10am until midnight (yes, you had to miss some talks if you wanted to eat meals). Although most of the stuff was about computer security (hex editors, phishing, the EFF, RFID spoofing, database rootkits, etc) there was a surprising amount of (non-computer) security stuff there too (lock picking, safe cracking, neurolinguistic programming, etc). There was also some (non-security) computer hacking stuff: hard drive repair, steganography, fuzzing, extreme programming, autonomous robotic BB-guns, the list goes on. Late at night, we went to the Hacker Jeopardy sessions. I’m now inclined to say that all game shows would be more interesting if they had strippers.

Here are some more highlights:

• Dan Kaminsky (who is the hacker version of Judiciary Pag), gave an amazing talk about…um…everything. SSL, security problems with DNS, visual bindiffs, security problems with online banking. He’s incredibly relaxed, yet brilliant. His work is amazing, and he drinks beer throughout the talk. In fact, at the end during the question and answer part, he gave me a beer for suggesting the visual bindiff can be used to find duplications in your code! Usually I don’t like beer, but this one kind of tasted like victory. \/\/00T!
• I got to talk to and shake hands with Cindy Cohn, director of the EFF. This was pretty special for me, because they’re one of the greatest organizations I can think of.
• Lots of people were doing crazy hacking in the hotel: pay phones went missing. One of the elevators I rode in had the emergency phone open, and some guy karaoking Sinatra tunes out of it at us. Someone even managed to hack the Hacker Jeopardy display system during the game itself.
• In theory, I learned how to pick locks (both normal picking and bump picking) at the Lockpicking Villiage. The weird thing was that they had a lockpicking contest, and apparently an 11 year old girl did rather well in it.
• They have a Spot The Fed contest every year, where you try to find out which other conference-goers work for federal agencies (DoJ, FBI, USPS, Marines, Washington DC meter maids… any federal employee will do). This was pretty fun to see, but one story will always stick out: a woman brought a man up on stage and claimed he was a fed. She said she knew this because the night before, they hooked up, got drunk, had sex, and while he was asleep she went through his stuff and found his badge.
• There were several games of a unique form of capture the flag going on: on the network was a computer with several security problems purposely put into it. The object of the game was for teams to hack into the box and then keep everyone else out. Not exciting to watch (just a bunch of people busily typing on their laptops), but a fun concept anyway.
• I saw the wall of sheep, which is a computer with a packet sniffer and data mining system on it. It searched the network for unencrypted usernames and passwords, and then projected them up on the wall. A good reminder of how insecure most websites are.

So, DEFCON wasn’t as good as AAAI was, but I still had a great time and got my money’s worth. I’m not yet sure if I’ll be back next year, but I’m glad I went once. As the EFF panel mentioned, it’s really the only conference where the invited speakers can show up for the earliest talks at 10:00, unshaven, hung over, and still get a warm reception.

*Terrible: extreme in extent or degree; intense