DefCon - All in good fun

There are no rules at DefCon, the world's largest computer hacker convention. Earlier last month, about 5,000 folks - including network and security folks of every ilk - attended the show, held annually at the Alexis-Park Hotel in Las Vegas.

Between the conference's "vendor area" and "hacking zone" were a few dozen round banquet tables, loaded with innumerable laptops, monitors, routers, cabling - and at least 23 antennas. Cheating is allowed at DefCon. In fact, it's expected.

I've hosted Hacker Jeopardy for 10 years, and part of the ritual is to catch people cheating, getting remote help from the audience or a distant room with wireless earphones. One year they tried to hack the answers out of my computer. Then they tried to download the memory files from the hotel computer that I had used to make hard copy printouts. It was all in good fun - with reasonable paranoia.

The lack of rules at DefCon includes massive violations of dozens of federal felonies: password theft, telecom interception, system penetration. If you go to DefCon, caveat emptor: Your mere presence makes you a target - all in good fun. The last thing you want is to see your name and passwords projected onto "The Wall of Shame."

So there you are, a fine upstanding corporate network type and you need to get a bit of work done. What do you do? Use the free high-bandwidth 802.11 wireless networks, right? Think again: Those 23 antennas are sniffing and air-snorting every digital broadcast stream for hundreds of yards. That's a real easy way to end up on the Wall of Shame.

You could elect to use the hard-wired LAN DefCon offers instead. But what dangers lurk? Is the DefCon system administrator storing traffic for later analysis? Will your communications become part of DefCon history and a question in next year's Hacker Jeopardy? Maybe, if you use the supplied network.

You could use your hotel room dial-up. It's slow, but it's secure, right?

DefCon is a hacker convention. In past hacker conventions, attendees have completely taken over the hotel phone systems. Yes, DefCon and the Alexis-Park Hotel have a strong d‚tente in place, but I wouldn't advise using the hotel's telephone company networks for anything important. There's a better than even chance that the phones are compromised, too.

I found a method to communicate securely at high speed for free, and I never used the 802.11 networks except for the most mundane surfing. Nor did I need VPNs or tons of special gear. What I used is part of my usual travel and communications gear. (If you think you know how I did it, e-mail me. The first person with the correct answer will get a free copy of my latest book.)

Surviving DefCon requires a bit of stamina and knowledge, but therein is a tremendous unrecognized value to corporate security types. Everyone must be assumed to be a bad guy (all in good fun, though), and you can hack and break tons of laws legally.

Say you want to hone your wireless security skills. You get some tools from the 'Net, collect your 802.11 gear and listen. You find a network connection, identify computers on it, notice that many have file shares open, ports unclosed, and in you go! The rule at DefCon is if you're stupid enough to let someone break into your PC, then you deserve it.

Corporate security personnel can gain tons of hands-on experience in a few days for the $75 admission price. Set up network attacks. Set up honey pots and invite attacks by baiting the hackers. It's all in good fun.

Anything goes. Learn about the latest in attacks, meet the creators of the tools you find on the Internet and practice in a real environment, without worrying the feds are going to come breathing down your neck; they're at the show, too, for the same reasons.

At DefCon, chaos rules, you're on your own, and you win or lose by your wits. It's all in good fun and highly educational.

Schwartau is president of Interpact, a security awareness consulting firm, and author of 14 books, including the recent Pearl Harbor Dot Com. He can be reached at winn@thesecurityawarenesscompany.com.

Join the newsletter!

Or
Error: Please check your email address.

More about Interpact

Show Comments