(aka the much-awaited post from Dave!!)
Last month I went to Black Hat and Def Con in Las Vegas. Mary was intrigued. A conference and convention about hacking! So I promised to do a blog post about them.
Now I understand a lot more about writers’ block. The problem here wasn’t that I didn’t have enough to write about; on the contrary, there is too much, and I didn’t even know where to begin. So I am giving myself permission to leave a lot out and just post some random thoughts.
Black Hat is a computer security conference and is very legitimate. It’s also expensive, as all computer conferences tend to be these days. It has been held at Caesar’s Palace for the last several years. I got to go on the taxpayer’s dime, but I registered far in advance so I got the best deal on both the conference and the hotel. I even emailed the conference to get a special alumni discount. But even with all the discounts, the conference registration was about $1100. Ouch.
Def Con is a computer hacker convention that occurs right after Black Hat. It’s a lot cheaper, and it is generally held in a much less fancy venue. The venue also seems to change every year, as the Def Con people are maybe not worth the trouble they cause.
|view from my hotel room|
My conference-rate hotel room was pretty nice. It had a great view of the fountain in front of the Bellagio, which was fun to watch, especially at night. It was a good 10-minute walk from the room to the conference; casinos are not exactly known for efficient travel. We eventually came up with a “shortcut” that avoided the casino floor entirely and went between the pool and the buffet. It also turned out to pass by the spot they were using to interview potential employees. Every day there were chairs along the sides of the halls filled with hopeful applicants. Clearly, the casino is a big business. Just as clearly, no special space is set aside for the ongoing task of interviews. Weird.
Black Hat was an interesting conference, as always. There is a vendor hall and enterprising attendees can get themselves invited to parties after the conference every night. I didn’t do any of those, as I find geocaching more fun than drinking, and we went out late every night to do that instead. There is also swag, which is an important part of any computer conference. I got a couple of cool things, including a T-shirt from a company that was offering a $1000 prize to the first group to break their encoded message.
We wasted about 5 hours trying to break it, and gave up after dinner. Turns out it was such a stupid encoding that we had passed right over it. Typical.
Anyway, I learned more about cross-site scripting attacks and a really cool thing called “bitsquatting” where you get domain names that differ by one bit from popular domains (such as mic2soft.com for microsoft.com) and wait for people to have memory errors and come to your site instead. You would think that it would be incredibly rare, but the guy who gave the talk got 31 domain names and got something like 50,000 hits in 6 months. And there is no way to defend against it.
|the line for getting a Def Con badge|
Black Hat attendees get first shot at Def Con badges, assuming that they prepaid. Def Con badges are awesome and they usually run out of them. In the past, they have generally been electronic and hackable, and I was really looking forward to playing with mine, as I have recently been doing some hardware hacking of my own with an Arduino (maybe another blog post on that, if I can get to it). So I went to get in line about a half-hour before the announced time they were going to start giving them out.
The line was about 1,000 people long already. Wow. So I found the end and figured I would wait it out. It turns out I was right next to a great guy from Oak Ridge and we knew a lot of the same people and had a fine conversation. By the time the badges started getting handed out, the line was probably 3,000 people long and completely filled the top floor of the convention center. But it moved quickly and I got my badge. This year there were no electronics to it. It was titanium, instead. They did run out, as usual, but not until the first day of Def Con. Everybody who pre-registered got one.
Def Con was at the Rio this year. We found a parking structure that turned out to be at the other end of the complex and spent about 15 minutes walking in. Black Hat was big (about 4,000 attendees) but paled in comparison with Def Con, which I think hit 12,000 this year. Not the greatest place for somebody who doesn’t like crowds, but I had prepared myself and managed not to freak out. At least not until Saturday when I lost my rental car keys and had to try to sort that out in the midst of a mob.
|The “wall of sheep”|
I didn’t go to many talks at Def Con; other stuff was way more interesting. The ones I did attend were pretty disappointing. People-watching was incredible; some mohawks and lots and lots of black. We went to the lock-picking practice room and spent some time there; I wandered through the Capture The Flag room where there were several groups of tables with people madly working 24/7 to be first to hack a supposedly “secure” system and solve a series of incredibly difficult puzzles on the way. I went to the contests room and decided not to do the geocaching contest; it would have taken all our time. Some of the other contests looked like fun. The “Wall of Sheep” was there; the passwords of anyone stupid enough to log on to anything over the network in the clear are displayed for all to see.
You would have to be very brave or very stupid to use the Def Con wifi network, which is offered to all for free. I thought I was being safe by turning off wifi and bluetooth on my Android phone. Hah! It turns out that wasn’t enough. Within 5 minutes of each other, my friend and I both experienced spontaneous reboots of our Verizon Android phones. We were pretty sure we’d been hacked. There is some information out there that it was a man-in-the-middle attempt, and it’s not clear whether the attack on me was successful or not, but just to be sure I wiped my phone and re-installed everything when I got home.
I spent another hour or so in the hardware hacking room, talking with a guy who is making cheap sound effects processors using ARM chips. Then I discovered my car keys were missing and my Def Con was over.
It was an enlightening trip. I understand a lot more about hacker culture; heck, turns out I am a part of hack culture without even knowing it. I learned some interesting lessons and got some new insights, but those will have to wait because I promised myself I wouldn’t put everything into one post!
Great post, Dave! Of COURSE you are a part of hack culture. I wonder who stole your car keys? Were you "hacked" in a more real-world way?