Monday August 02, 2004 (01:00 AM GMT)
By: Joe Barr
DEFCON 12, LAS VEGAS, NEVADA -- The week-long Defcon 12
and Blackhat Briefings ended Sunday. Taking center stage in our final
report are Google, a video history of bulletin board systems, a healthy
dose of "lessons not learned" by our federal bureaucracy, anarchy, and
the threat of physical violence. If you missed the earlier reports from
these security conferences, you might want to read these: Blackhat Briefings: Forget the borders, guard the goodies,
Blackhat Briefings: Hacker Court 2004,
Blackhat Briefings: It's the stupidity, stupid, and
DefCon 12: Opening Day.
Johnny Long -- whose day job is as a researcher at CSC
-- gave his presentation on Google hacking at both shows. He raced
through more than 130 slides, each showing another twist in the game of
learning passwords, credit card numbers, and other personal data using
nothing but the Google search engine. I was impressed by what I saw.
Others? Well, not so much. "O'Reilly has a book out on the subject," I was told by someone who was clearly implying a talk on the subject didn't deserve to be done at Defcon.
The one constant in Google hacking seems to be that
there are some real idiots out there who can be harvested using these
techniques. Most of them are designed to find default installation
pages, error pages, or administration pages for a long list of
applications, from MySQL to Apache to MyPHPAdmin.
One thing I want to to research further is Google's Numrange advanced operator. Long said he couldn't talk about it and expect to keep his day job. Hmm.
Before moving on, I would like to point out that there
is a very good application for Google hacking. Have you ever needed to
convince a PHB where you work that better security is needed? This is a great way to illustrate why.
I went into Jason Scott's session on his in-production video history of the BBS world
about halfway through. My purpose was two-fold: to learn more about the
documentary, and to be in the room -- and more importantly in a chair
-- when the following session, Meet the Feds, began. The BBS
documentary project and presentation proved to be interesting in its
Jason showed several segments of the video, including an interview with Ward Christensen.
He used "baud" in a way even purists would have to agree was correct.
Early movers, early users, early hackers: Scott has them all, from
Christensen through modern-day Fidonet. Jason promised the video would be completed by the end of the year.
Meet the Feds
Defcon goons made an effort to empty the room between
presentations, but some of us managed to simply move from one seat to
another. This left me in perfect position for the start of Meet the
Feds. The panel was led by Jim Christy, chief of the Air Force OSI's
computer crime investigations, and included representatives from the
NSA, post office, IRS, Department of Defense, and the FBI. Christy may
be best known for a case he worked on a few years ago. He told Robert
Morris -- also on the panel -- that they had met before, when Christy
was investigating the famous worm that his son had unleashed on the world.
After a brief introduction of each of the panelists,
Christy opened the session up to handling questions from the floor. In
his opening remarks, Christy had mentioned that one of the things they
were doing at Defcon was recruiting. He went on to tell the crowd that
if they were interested, and "had not gone over the line," to talk to
him afterwards. The "had not gone over the line" comment became one of
the hottest topics during the Q&A.
It appears that the lessons the intelligence community
has learned from 9/11 have not yet trickled all the way down through
the federal bureaucracy -- particularly that bit about the failure of
our intelligence pre-9/11 being primarily because of our loss of vital HUMINT
owing to both budget and moral directives. When the CIA was told it
could only use politically correct HUMINT operatives, it lost its most
vital flow of intelligence.
Maybe it's not as bad as it seems. Maybe Christy was
only speaking for federal police agencies, not intelligence agencies.
One can only hope we're not repeating the same mistakes today that
crippled us in the past: that our most experienced group of
info-warriors is not automatically excluded from becoming vital
intelligence assets because they've violated the DMCA.
The Patriot Act was also called into question by
attendees. The FBI representative asserted that just because the act
had been passed didn't mean they had carte blanche to surveil anyone
they wanted, that judges still had approve their requests. That
reasoning only flew so far, however, as the questioner pointed out that
such requests by the FBI are always approved, never denied.
Christy agreed to participate in a dunking booth after
the talk, but only if the money did not go to the EFF, who was
sponsoring the booth. The EFF allowed the proceeds from his dunkings to
go to the charity he preferred instead.
I never got to the final session I planned on attending
Saturday. I went into a presentation on Hacktivism led by a young man
who asked to be referred to as "CrimeThinc" for the same reason I went
into the BBS documentary presentation: to be sure to have a seat for
the following talk, which was being given by acquaintances of mine from
the Austin LUG. But a little controversy -- which almost sparked
physical violence -- got in the way.
As a member of the press later said, the speaker's
rhetoric will undoubtably improve once his braces come off. The problem
began when the speaker began to encourage the crowd to "fuck up their
shit" at the Republican National Convention in New York City later this
month. At that point, a Defcon goon approached the stage and asked him
not to tell the crowd to commit illegal acts.
But CrimeThinc continued to ask attendees to deface the
Republican National Committee Web sites, to launch denial of service
attacks against their servers, to harass delegates in the street, to
prevent buses carrying delegates from running, and so on. "By any means
necessary," he said.
Politics at Defcon is risky business. This particular
speaker seemed to expect to be arrested at the end of his talk. Perhaps
that was his goal. Instead, he started to get flak from the audience in
response to his unrelenting spiel on the evils of capitalism and
American politics. When a voice in the back asked, "So there is no
place for dissenting opinions in your ideology?" the question was
greeted with applause.
Suddenly one of the conference organizers who goes by
the name Priest appeared with two or three additional goons. They made
their way to the stage and Priest took a chair not far from the
speaker's. He was heard to tell the young man, "We are here for your
protection." After listening for a couple of minutes, Priest took a mic
and announced that Defcon did not advocate criminal activity of any
The talk ended shortly thereafter and a swell of people
crowded near the stage to engage the speaker. One attendee got right in
the speaker's face -- literally only inches apart -- and the two
exchanged heated words. It looked like there was going to be physical
violence. Priest told the goons to take the speaker out of the room the
back way and to take him to a safe place until things calmed down a
bit. The removal of the speaker was quick, deft, and probably the only
thing that prevented a bad situation from becoming a lot worse. Kudos
to Priest and his goons for their quick action. I mention this only
because the speaker and one of his crew seemed not to appreciate having
been hustled out of the area.
I spoke briefly with Priest an hour later and asked how he happened to come upon the scene so quickly. He said:
We got the call for trouble in the room. The gentleman,
I was told, was preaching sedition. I knew that we had to take some
steps quickly preventing that. Defcon is definitely for free speech,
definitely for legal civil disobedience. But not anarchy, not
psychopathic destruction of property.
Like the security community itself, it is easy to use
labels like white hat and black hat to differentiate between the
Blackhat Briefings and Defcon. If you are a corporate or government
security admin, you will probably get a lot more out of the Blackhat
Briefings. If you are a "freelance security auditor/researcher," or a
federal narc, you might find Defcon more enjoyable or rewarding. While
there are parties at both events, Defcon continues the con tradition of
drunken revelry, full or partial nudity, and non-stop hacking and
All in all, the two events provide an informative and
entertaining week which provides glimpses into the darker sides of
< You don't have to use free software until you're ready
| Securing Web services: PKI basics >