DEF CON: Fear and fascination in Las Vegas
(Editor's note: ZDNet News reporter Rob Lemos holed up in Las Vegas for three days of fun and games at DEF CON, the mother of all hacker and computer security conventions. Considering how in its six years of existence, DEF CON has never been invited back to any of the hosting hotels, this promised to be a reporter's paradise. And so it was.)
If information is a virus, DEF CON 6 attendees were a crowd looking to get infected.
From breaking smart card codes to taking over Windows 9x machines, from knowing your rights when face-to-face with law enforcement to picking mechanical locks, DEF CON 6 offered something to everyone.
And very few of the attendees matched the renegade stereotype inspired by notorious tales of hacking carried out by the likes of Kevin Mitnick, Robert Morris and others. This crowd varied from "legitimate" hackers in the know to kids looking for pointers to security professionals and government officials watching from the sidelines.
Despite a crowd close to 2,000, the conference was fairly tame this year -- the hotel is even considering asking them back, according to the manager of Jackie Gaughan's Plaza Hotel. "There were a few pranks, but nothing malicious," he said. At one point, a few attendees found the hotel security radio frequency and were harassing the guards over the air. "It wasn't a bad group," said the manager on Monday.
Last year, the activities leaned more towards vandalism, when several kids from the conference stole one of the hotel satellite dishes from the roof of the Aladdin. Two other hackers, who became embroiled a fistfight arising out of a professional disagreement, got booted from the event. Needless to say, that hotel didn't invite DEF CON back.
If the Plaza decides to again roll out the welcome wagon, it will mark a signal event in the history of DEF CON. For the last six years, the conference has worn out its welcome and has had to change venues.
Many of the actual hackers were clustered around local area network connections attempting to break into six servers that the DEF CON über hackers had set up for that purpose. This "capture the flag" contest would go to the team that took control of the largest number of servers. None of them knew which servers had which operating systems beforehand. Other groups traded information, access and techniques away from the main conference room and the clusters of media and government workers. While speakers occasionally stabbed at the media, the hackers recognised their love-hate relationship with publicity. "We hope they can get it right this time," said one member of the Cult of the Dead Cow, a media-oriented hacker group that released a program that has the potential to control remote Windows 9x computers.
On the other hand, digs at the government were the rule. The best way to win instant recognition was to "Spot the Fed" -- an annual game in which contestants attempted to find federal officials who came to DEF CON to observe. When found, the agents were brought up on stage and asked to prove they are not federal agents. Employees from the low-profile National Security Agency, the Federal Bureau of Investigation and the Department of Defence all suffered from jeers after being unmasked.
The usually packed conference room was also overflowing with government-wary paranoia. Ian Goldberg, a graduate student at University of California at Berkeley who analysed the shortcomings of the encryption on GSM cell phones, found that one company's system used 54 bits rather than the full 64 bits that it could have used. This significantly weakened the security of the cell phone system. His loaded question: "Someone had an interest in undermining the crypto -- I wonder who that was?" Another speaker, Michael Peros, a Florida-based electronics counter-surveillance consultant, told attendees of a case of illegal wiretapping by police and state officials involving more than 65,000 individual incidents of wiretapping. His warning: "You had a situation where the government had no accountability for their actions." After intense interest from the attending hackers, Peros plans to post the evidence shown during his presentation on his company's Web site.