This year I was lucky to have the opportunity to attend DEFCON, a gathering of security professionals, hackers, enthusiasts, and dorks like me that find this stuff fun. Having been to technology, software, and academic conferences before I was prepared for big crowds, long lines, and migrating from one Vegas property to another multiple times a day but nothing could have prepared me for the unique culture and community vibe at DEFCON. Everyone I spoke with was really nice and excited to talk about whatever we were waiting in line for or to speculate on the badge’s inner workings. I can’t wait to go back next year.
I spent most of my time this year attending various talks and presentations that covered a huge range of topics. One that stood out was “The TOR Censorship Arms Race: The Next Chapter” where a member of the Tor project spoke about how various governments tried to identify Tor users, deny them access, and how they constantly work to keep their users anonymous. Another pair of outstanding talks were “Can you track me now? Why The Phone Companies Are Such a Privacy Disaster” by US Senator Ron Wyden (Oregon) and “How To Buy … Real-Time Location Data On The Black Market” by Joseph Cox. Both address problems that are (finally) of growing concern to the public. To distill them both down into one message; we carry around these devices in our pockets all the time and even without listening to us, the location and metadata collected by service providers can tell a lot about our lives. Government officials have been quoted saying “we kill people based on metadata”. We, the public, need to hold service providers and the government accountable for how they collect, store, share, and act on that information. This is not a new story but for some reason we have yet to act. The talk that had the most impact for me was “Information Security In The Public Interest” by Bruce Schneier. He spoke about a need for trained security professionals to work with government, non-profits, advocacy groups, and elsewhere to help shape policy and public awareness of technology.
One of my favorite talks was Douglas McKee and Mark Bereza’s “HVACing: Understand the difference between security and reality!” They used BACnet, a standard protocol for building controller networks, to send enough packets to crash a device and create write-what-where conditions. From there they wrote to memory and used a known attack style to gain a reverse shell. Once on the device they were able to run persistent code to discover and monitor all devices connected to the network and self-wipe to the origional state to avoid detection. Their team found that there are hundreds of these devices exposed to the internet worldwide. Any of those devices using the default credentials could be hacked remotely. Just imagining the impact of a remote attacker controlling the HVAC or other build systems, especially where technology or goods are temperature sensitive, is crazy.
One of the highlights of the conference was getting my amateur radio license with the help of some awesome volunteers at the HAM Village. It is something I have wanted to do for a while but hadn’t had the opportunity to do. They also had a couple cool displays and next year I plan on participating in the fox hunt (finding hidden transmitters). Unfortunately I didn’t have time to get involved in any of the other villages but I’m looking forward to spending time at the lockpicking, recon, and packet hacking villages.
I wish I had more time to explore, talk with people, participate in more activities, and check out the demos. Next time, I guess.