
DEF CON: The event that scares hackers - alexmr
http://www.cnn.com/2011/TECH/web/08/05/def.con.hackers/index.html?hpt=hp_abar
======
swombat
A surprisingly well-written tech article for a source like CNN: clear to non-
technical people, and yet not chock full of gross inaccuracies. Mainstream
journalists have gotten me used to much lower quality.

~~~
SwellJoe
This is especially true when security is involved.

------
munin
everyone freaks out because "oh man your computer will get hacked in N seconds
on the defcon wifi". let's dissect this a little bit.

if i put a computer on the defcon wifi, it'll probably be say, modern linux
(ubuntu, debian, or redhat) running either a minimal subset of services (ssh)
or perhaps nothing, with firewall policy applied, or a modern windows
(windows7) with the firewall on. i'll be using a modern, fully patched web
browser, also perhaps with some additional mitigation technology (though
nothing out of the ordinary) think perhaps noscript and EMET.

and also this is the one time of the year when i'm ready for this. every other
day of the year i go to the coffee shop i don't know anything about the other
randoms there but i assume they're drifting office droids hacking on their
excel macros or recruiters cruising linkedin in between meetings.

so, if someone exploits me on the defcon wifi ... where else will that exploit
work? everywhere, probably! it's probably a super awesome exploit that has
super awesome properties that targets super popular software and is also
unpatched. someone owns my openssh 5.3 on my laptop on the defcon wifi ... if
i pcap that ... i'm a rich man. i can own boxes like mine.

so ... as a hypothetical attacker, why would i do this? i'm surrounded by
people like me. they're alert. they're cautious. and they are the most capable
people in the world to detect what i am doing and reveal it to everyone. oh
and there are a whole bunch of law enforcement people there too, AND the
entire thing happens in a casino which has heavy security and is already wired
for sound and audio everywhere you go.

... anyone who is smart enough to be able to own your box at defcon, is also
going to be smart enough to realize that they might as well wait until the
week after when you're sitting at a coffee shop.

~~~
matthew-wegner
I don't think it's your computer joining the network that's the issue; the
network itself is likely tainted. By extreme example, a rogue cell tower was
demonstrated last year which monitored outgoing SMS messages. Your phone would
automatically join it because its signal strength was greater and it had all
required information.

The issue with Defcon Wi-Fi is that you should assume _all_ outbound traffic
is captured. Are you sure your mail notifier, Dropbox client, IM client, etc,
aren't sending credentials of some kind that can be (at least temporarily)
exploited?

~~~
munin
yes. i'd have big problems on any other network i'd join if i wasn't sure,
wouldn't i?

~~~
dlss
being 100% sure is 100% impossible

~~~
etherael
are you sure?

~~~
zackattack
evidently he isn't

------
Groxx
Wow, that's impressively well-written. And it's about computer security. And
it's about _hackers_, who are _hacking_. That's like a perfect storm of news-
writer fail, and they did a pretty good job through it all.

I love that they included this quote, it sums up security very very very well:

> _It's not about breaking the lock, he said, it's about learning the lock can
> be broken._

I've found ways to open most combination locks in a second or two, without
even looking suspicious. It's easier than entering the combination, usually.
Those $20k-insured round-keyed laptop locks? Takes about 30 seconds on
average, 5 or less if you're lucky. My dad lost a $20 bet with me on that,
with the one his employer supplied (and expected him to use) - it took me 5
minutes on the first attempt, and less than a minute each time after that.

Security isn't about _stopping_ people from breaking in. It's about not being
the low-hanging fruit.

------
jwatzman
One of the most insightful points in the article, summing up much of DEF CON,
got buried near the end of the article; it's worth emphasizing:

 _It's not about breaking the lock [...] it's about learning the lock can be
broken._

~~~
marshray
For me, breaking the lock is fun too though.

------
X-Istence
The DefCon wireless is nowhere near as scary as people make it out to be.
Making people believe that something is scary is part of the fun of it for
those of us that help run the con.

Currently at con, on my laptop with OpenVPN and tethered to my phone because
the DefCon wireless is overloaded and not handing out an IP address.

~~~
ddol
Damn sorry I'm missing it this year, but I'd be useless for a solid 2 days
after it.

I can't remember using the internet much at DEFCON. It was pretty solid
partying. Now CCC, that's a different story...

~~~
mahcuz
Solid, dude.

------
Pewpewarrows
If you value your sanity, I'd suggest steering clear of the comments on this
article. Although I guess you could say that for comments on most articles on
CNN.

~~~
hugh3
_Although I guess you could say that for comments on most articles on CNN._

I would say that for most comments _on the internet_.

~~~
num1
If I ever have a site which posts content, or if I ever finally make a blog,
the first thing I will do is turn off the comments. If you want to talk to me,
you can email me, or write your own post in response.

------
swah
I'd love to know the OS usage stats here and how they differ from HN.

~~~
drivebyacct2
I'd bet there are more Mac users on HN than there are at DEF CON.

~~~
swah
There could also be more Windows users if they agree with the line of thinking
that says you should run the same system as your targets.

~~~
mahmud
Virtualization.

------
overshard
I'm pretty sure any hacker worth his weight in microchips doesn't have a
problem. I've been to def con and always take a *nix system with a solid
firewall and a way to ssh/vpn home to do all my logging into websites from.

DEF CON doesn't scare hackers. It gives us a chance to see if our setups are
actually secure and if we get pwnd we deserved it and learn from the
experience.

~~~
rdl
I stick to VPN over 3G / 4G just because it would be embarrassing to get
hacked.

------
djcapelis
Defcon is much more like a family reunion than a scary thing. This year
hundreds of hackers literally opened their veins to give blood in honor of one
of our own who needed it. The hacking of other attendees that goes on has more
of a prank feel to it (much like a lot of the con!) than a scary thing. It's
just a bunch of people getting together to talk, do interesting things and/or
get drunk together.

------
ck2
That memo of things to do/not do, is a great list for everywhere 24/7, not
just def con.

If you can be hacked there, you can be hacked anywhere, and some damage cannot
be recovered from (i.e. losing google account).

------
zackattack
I'm in Vegas. Anyone have an extra badge they wanna sell me? I wanna stop by
tomorrow. #meetup

~~~
steveeq1
They ran out of neck holder things for the badges so a lot of people aren't
wearing them. As a result, they're not really looking for badges. My friend
went around (Saturday) and he was able to get in even though he didn't pay.

------
DeanCollinsLCC
Bury your room key...-why LV hotels don't use RFID for room keys. Scan your
credit card remotely - not if they are mag stripe.

FUD articles like this are why people don't know to use VPN or HTTPS. What a
waste of CNN's money sending him there for this - sorry, but it has to be said,
it could have been a much better, more accurate article covering actual security
issues.

