The Hacker Factor Blog

I'm finally back and recovered from Defcon 18 (and caught up with my workload). This is definitely my favorite conference. I caught up with a bunch of old friends, made a few new friends, and learned a thing or two.

The conference seemed much more crowded this year. I couldn't get into some of the talks that I wanted to hear. And the sea of people... Everyone was polite, well behaved, and orderly, but there were still very long lines as much as 30 minutes before some talks began.

Relative Perspective

Back when I first attended Defcon (Defcon 9 in 2001), the crowd was about a third whitehats, a third blackhats, and a third feds trying to inventory the other two groups. Over the years, the blackhats and anarchists have dropped off and more feds attend the conference. (As Omar the cabbie once told me, feds don't take taxis. If the parking lot is full, then those are the feds.)

Last year, there were a few blackhats, but most of the attendees were whitehats or feds. (Hint: If you tell people about your military background, run out to your car to take a sudden phone call, or refuse to say where you work, then you're a fed.) This year, I saw nobody that I knew was a true blackhat. (And yes, I know who some of them are.) Nearly everyone was a fed or whitehat from industry or academia. At the end of the conference, Priest (the big Goon) even congratulated the audience -- this was the first Defcon ever that wasn't marred by vandalism or sheer acts of stupidity.

Next year ought to be very entertaining: Defcon is moving to the Rio. Unlike the Riviera, the Rio has a wide selection of restaurants, a great buffet, and rooms that are better than a La Quinta. The Rio should also have more space, so the crowds won't seem as extreme.

Talks

I attended a few of the panel talks. This year, they split the Meet The Fed panel into two parts: Forensics (CSI:TCP/IP) and Arresting Authority (Policy, Privacy, Deterrence, and Cyber War). This was a really good switch -- the panel was more focused and the questions to them were more interesting. Only the Forensics panel played "Spot the Lamer" (the fed's take on Spot the Fed). Ironically, my friend Kristen was selected as a contestant. She didn't win (how lame is that?).

I also attended the Internet Wars panel. (I got to meet Paul Vixie in person. Very cool. He looks more like Charlie Brown than I expected.) While most of the Q&A were interesting, I think the best part was when I convinced Elise to take a picture of Dan Kaminsky...


"Look, Dan's asleep! Take his picture!"


"No, I mean walk over there and take his picture" The audience applauded after she took this. This picture really sums up Defcon. I really like the "Dedicated" t-shirt, empty beers, and the Corona box that says "Relax Responsibly" during the Internet Wars panel.

By and far, the best talk was "Jackpotting Automated Teller Machines" by Barnaby Jack. At one point, he had an ATM machine spewing money across the stage. Other good talks included "Weaponizing Lady Gaga" by Nurse (Brad Smith -- he really is a registered nurse) and "How I Met Your Girlfriend" by Samy Kamkar. And of course, Richard Thieme is always an entertaining speaker.

Besides the talks, I spent a good amount of time watching the various contests. Defcon had more contests this year than ever before. The new "Tampered Evidence" and "Crack Me If You Can" challenges were really good. However, I was most impressed by this year's Capture the Flag contest. My good friend, Factor, was on the winning team. He's gone by the handle "Factor" for longer than my company (Hacker Factor) has been around (the names are coincidental) -- so I gave him an official Hacker Factor hat. Factor is really an amazing guy. Besides winning the CTF this year, he also mentored team pwnage -- they won the high school category of last year's DC3 Forensic Challenge. Anyway, here's a picture of his black badge, which gives him lifetime free admission to Defcon. (It is much nicer than my black badge, which is nothing more than black paint on metal.)



I'll talk more about this picture in another blog entry...

Books!

I ended up giving away about a dozen copies of my latest book, Ubuntu: Powerful Hacks and Customizations. I included two stipulations with the free book: (1) if you like it, mention it in your blog, and (2) take at least three photos of people with the book. I'm hoping that people actually send in photos.

About Vegas

If it wasn't for Blackhat and Defcon, I would probably never return to Las Vegas. The gambling doesn't interest me. (Perhaps if people smiled...) The shows are expensive and really haven't changed in a decade. The entire place stinks like smoke. The food used to be excellent, but now is just adequate in taste and extremely expensive. Expect to spend about $80 per day on food (unless you like fast food).

I didn't stay at the conference hotel. Instead, I stayed at the Wynn. At one point, I decided to treat myself to a meal. I ate at the Wynn's Strata restaurant. The food tasted wonderful, but wasn't much more than 6oz total -- I spent $21 on food and left the table hungry. While the Wynn's weekday breakfast buffet is good, I'd recommend Denny's and the Peppermill down the street if you are hungry and don't want to spend a fortune. The hotel's security wasn't much better. On two of the days, someone played with the combination lock on my luggage while I was away from the room. I also told hotel security that there was a drugged out woman in the elevator and she was having a really bad trip as she was fading out of consciousness. It is suffice to say, the Wynn is a five star hotel with one star amenities. For a better experience, try Planet Hollywood.

I used to go to Vegas 2-3 times a year (various business trips). Now I'm down to once a year. However, in my literally dozens of visits over the years, this is the first time I have ever found a cabbie who did not know the hotels on the Strip. I was about to step out of the car when the bellhop gave the driver directions. (No, I didn't tip.) The other cabbies complained about low numbers of riders, but they no longer blamed Obama. Now they blame the hotels for not catering to anyone except the drug/party people. (Explains my elevator experience...)

Home Again

Overall, I still don't think much of Las Vegas. However, Defcon is definitely fun. I am already looking forward to next year.

The two largest computer security conferences are coming up! The Black Hat Briefings (frequently referred to simply as Blackhat) and Defcon are at the end of the month. If you've never gone and have an interest in computer security, then consider going this year or plan for next year. I learn more from three days of chatting with people in the hallways at Defcon than I do from a year of reading forums and news postings.

Blackhat has a more professional aura. The audience are generally well-behaved, professional, and very interested in the presentations. A few people even wear suits!

In contrast, Defcon is commonly called the after-party. It is billed as the world's largest underground security conference. But with nearly 10,000 people in attendance, is it really "underground"? T-shirts, shorts or jeans, and a very informal environment is the norm.

All Blackhat attendees get free admission to Defcon, and many of the Blackhat speakers also present the same material at Defcon.

Changing Reputations

In the early days, Defcon was a smaller conference and had a very different atmosphere. It was a neutral place where good guys (whitehats) and bad guys (blackhats) could mingle and meet-your-enemy. Due to the large number of anarchists that attended the conference, Defcon got a reputation for destruction. However, Defcon 9 was really the last of the destructive years. Last year (Defcon 17) was really pretty tame. Sure, a few idiots got arrested while they were trying to bungee jump off the roof, but the crowd is really pretty tame today.

And "crowd" is an understatement. With between 8,000 and 10,000 attendees, the hallways at Defcon are totally packed. In the good old days, you could get into any talk you wanted. (Even if it meant sitting in a steaming tent on a roof.) Today, the rooms are air-conditioned, but the rooms are so packed that you should plan on attending every-other talk.

Today, there are very few truly destructive people at Defcon. Where did the anarchists go? Defcon increase the entrance fee and the anarchists stopped coming. Today, it is $140 for all three days. You will likely spend more per day on a hotel room and food in Vegas than on Defcon's admission free.

At Defcon 9 (the first year I attended), the crowd was evenly divided among three types of people. There were whitehats that varied from law enforcement to corporate security professionals and academic researchers, true blackhat evil hackers, and feds who were trying to inventory the other two groups.

Each year, there are fewer and fewer blackhats who attend. (I suspect that it is the feds who scare them off.) Last year I recognized a total of two (2) true blackhat hackers. Everyone else was corporate, academic, or fed. As Omar the cabbie once told me, "feds rent cars and don't take taxis." So spotting a fed in the parking lot is pretty easy. The joke for the last couple of years has been around the "Spot the Fed" game. With so many government and law enforcement people in attendance, they should really change the name to "Spot the Hacker". (The Meet the Fed panel has a game they play: Spot the Lamer.)

Spotting Hackers by the Book

I've decided to do something new this year... I'm going to Defcon and will be giving away 10 copies of my new book, Ubuntu: Powerful Hacks and Customizations. To get the free book, you'll need to:

1. Find me. I'm short and look like a computer geek. (I blend in well...) But I always wear my "Hacker Factor" cap and will be carrying a bunch of books!
   
2. Mention that you read this on my blog.
   
3. After getting the book: if you like the book, mention it on Twitter or in your blog.
   
4. To show that hackers are everywhere, take at least 3 photos of people (or yourself) reading the book around Vegas. If you are in a cab, snap a picture of the cabbie reading the book. Riding a roller coaster at New York? How about a photo of you reading it upside down! Eating at a restaurant? Get a picture of yourself ordering from the book instead of a menu.

Each book will have a small instruction sheet with the two rules (blog/tweet it and take three photos) and an email address for sending your photos. I'll put the photos up on a web page.

I won't be giving away all of the books at once. However, 10 books are heavy, so they will be given away pretty quickly. Probably 3 books on Thursday and the rest on Friday. (I'm also not opposed to bribes.)

I'm back from the 2010 Department of Defense Cyber Crime Conference. This year, it was held in frozen St. Louis, Missouri. The conference was definitely not what I expected. With a title like "Cyber Crime Conference", I really expected more how-to talks about crime. However, this was more of a "how to catch" conference with a focus on law enforcement.

One big topic seemed to be present in more than half of the talks I attended: child pornography. I chatted with a couple of speakers... It isn't that child porn is the most common online crime (I think fraud and identity theft are bigger), but considering the effort to catch the criminals, physical harm to the victims, and success in prosecuting, child porn is like low hanging fruit. It's a big win for law enforcement. Moreover, the techniques used to catch these perverts can be applied to other types of crime.

About the Conference

The conference itself was an eight-day marathon. (I was only there for the last 3 days.) It starts off with training session and ends with presentations. I presented on "Digital Image Analysis" -- in hindsight, I should have called it "Photo Forensics" since most people there think "dd disk copy" when they hear "image". I did a little rework on my slides before my presentation -- after my first day there, I realized that my talk was far too mathematical for most of the attendees.

The lectures covered a variety of tracks: legal, law enforcement, forensics, information assurance, defense industrial base, and research and development. As far as I can tell, no two speakers presented on the same topic. There was a really great variety of topics. Some talks did have restricted access.

One of the really novel things at the conference was the Tools Demo. Basically, there was a hallway with a bunch of poster sessions (think "science fair") but instead of posters, there were a dozen monitors and people showing off different types of computer forensic tools. Very cool. (Defcon should consider doing this kind of thing... if the Defcon hallways were not so crowded.)

Shoutz and Greetz

I spent much of the conference hanging out with Bryan Hatton (aka Factor). Factor is a serious bad influence on me. I ended up getting kicked out of the vendor area twice (I was really hoping for three times) and I was booted from one talk.

Now for clarity: At the end of the day, they close down the vendor area. All of the vendors left (but they don't empty their booths) and all attendees were ushered out of the vendor room. Then they close the doors and lock them. One woman (employee, security) did a final check: she went door to door, making sure all were closed and locked.

That's when it happened... She tested the door right next to where Factor and I were talking. It was locked. Then she moved on. About 10 seconds after she left, the janitor inside opened the door so he could take out the trash. That's when I walked in. Factor was a good boy -- he stood in the doorway. I, on the other hand, walked all the way to the end, turned around, and walked back. I was almost to the door when the security woman showed up and told me the area was closed. Then she kicked me out of the area.

About a minute later, one vendor guy came by in a frenzy. His jacket was still in the locked vendor area and it was freezing outside. So... I felt it was my duty to help him. We asked the nearby janitor (different guy collecting trash) and he recommended the employee entrance. Thus, all three of us entered the employee-only hallway. A half-dozen employees saw us, and nobody said anything. We went right into the vendor area via the unlocked employee doors. The vendor guy got his jacket... and I got caught by the same security woman. "How many times do I have to kick you out!" she joked. Meanwhile, Factor was taking pictures of everything. It is amazing how insecure the vendor area is when all of the vendors leave...

Oh, and the talk that booted me: It was a "law enforcement only" talk. I didn't know that (sounded like an interesting topic). As soon as they asked every attendee for their badges, I had to leave.

I also spent some time chatting with the DoD Forensic Challenge winners of the SANS award for the highest scoring High School team: Team Pwnage (Ian and Teagan; Jordan couldn't make it to the conference). Man, these guys were sharp! They wanted to learn a new computer language, so they decided to learn Python for the forensic challenge. Later, they decided that their homemade python-based password cracker was too slow, so they wrote a parallel version of it. (Parallel Python from guys just learning the language? Wow!) Factor was their mentor for the challenge.

It turns out, Factor found these kids in the trash. Literally. They were dumpster diving for hardware and got caught. Factor decided to take them under his wing. According to Factor, these guys have never bought networking hardware. They dig in the trash and fix what they can. Awesome.

Other great people I chatted with: Randy from the DC3 (I'm going to nickname him "Super-flirt" since no woman walked away without blushing), Jim Christy from the DC3 (who rode a Segway the entire time -- I think I saw him take a total of 15 steps during the entire conference), and the list of people I had hallway chats with is just too long to list. To the DC3 staff, conference coordinators, people I chatted with, and other attendees: This was a blast.

One evening had a keynote by comedian and engineer Don McMillan. It has been a long time since I've laughed that hard. I chatted with him afterwards and he's even a great guy off stage. (Binary high five! 1-0-1.)

Final Note

I've learned that it is best to buy conference swag right when things are closing down. Vendors usually discount items rather than schlep stuff home. I bought a conference sweatshirt. (I did mention that it was freezing outside, right?) The sweatshirt has a sheriff star on the chest and the words "Cyber Crime Conference" around the star.

Flying out, there was no line at the TSA security checkpoint. And when I say "no line", I mean "I woke up the TSA employee as I walked up." She checked my ID and then they turned on the X-Ray machine. Now for the fun: the guy on the other side of the metal detector clearly saw my sweatshirt with the sheriff logo on it. I didn't get a pat-down or anything. Big baggy clothing with a sheriff's logo seems to mean "nothing could be hidden here!" And I always travel with electronics. The X-ray person at other airports always stops the machine and stares at my bags for 10-30 seconds. This time? The X-ray technician locked eyes on my sweatshirt and didn't stop the belt at all. This was the fastest I have ever gone through security, and the least secure I have ever felt. Next time, I'll also buy a T-shirt with the logo on it for when I fly during the summer.

Between Defcon and other conferences, I've been to Las Vegas nearly two dozen times in the last ten years. During that time, I've seen a lot of changes and few have been are positive. Basically, I truly believe that Las Vegas is dying.

Hotels

I rarely stay at the same hotel twice. It isn't that there are not some really nice hotels, but rather, I want to experience different locations.

The MGM Grand tops my list of really nice hotels. After all of the noise and lights from the casinos and The Strip, it is nice to go into a spartan room that just oozes "calm". The MGM actually has two types of rooms (that I know of). The first are big rooms with beige walls. The second, found in the West Wing, are really creepy -- mirrors line all the walls and all are aimed at the bed. This might be nice for an attractive couple who want to party all night, but it was way too creepy for me.

Caesar's Palace is more of a hit-and-miss hotel. You'll either get a very nice room, similar to the MGM Grand's nice rooms, or something creepy with mirrors over the bed and frosted glass walls around the toilet.

Aladdin/Planet Hollywood reminded me of a La Quinta. That's not bad, it's just not outstanding. (But when I forgot to pack my dress shirts from the closet, they mailed them to me for free -- so they get a gold star for that.) Then again, when the architecture conferences come to Vegas, they always tour this hotel. It is a perfect example of how NOT to layout a casino. (In contrast, Caesars, MGM, and Mandalay Bay are all laid out very well. Between off-track betting, slots, tables, shopping, and hotel, it's hard to get lost at Caesars.)

On the low-quality end are places like the Luxor. I'm sure the Luxor was really nice when it was built in 1993. Unfortunately, it hasn't aged well. I don't like waiting 10 minutes for an elevator, or having cigarette burns all over the carpet in a non-smoking room. It really struck me as a one-star hotel with a three-star price.

But nothing beats the Casino Royale for inadequacy. It's a hole in the wall between the Venetian and Harrahs. It has a good location and it's cheap, but it's a dump. The door locks were broken, the door didn't close right, tiles in the bathroom were chipped, and there were exposed pipes in the hallways. The only pleasant surprise was when I didn't find bugs in the bed or drug dealers down the halls. (I really expected both.)

I can understand why Vegas blows up casinos rather than remodels. For the cost to remodel, it is cheaper to destroy and rebuild. Unfortunately, I think more casinos need to be destroyed soon. Most places really have not aged well.

But Are They Happy?

When I first went to Vegas (more than 20 years ago), it was like Disneyland for adults. Everyone was smiling and everyone was having fun. But over the years, there are fewer and fewer smiling people.

This year, as I checked into the Monte Carlo, I got a bad vibe. A newlywed couple were ending their honeymoon and got onto the elevator to leave. She said to him, "I can't wait to leave here and go some place fun." It isn't that the Monte Carlo was a bad hotel. Quite the contrary, the room was very nice, virtually no wait at the elevators, the place did not reek of smoke (unlike Caesars), and even the breakfast buffet was cheaper than most other casinos ($12 vs Planet Hollywood's $14 for weekday breakfasts). Rather, it wasn't a happy place. I would walk past the table games and the dealers would look down or look away -- no eye contact, and nobody smiled. And it wasn't just me -- a craps table would be packed with people and none of the players and none of the employees would be smiling. It lacked "fun". In fact, in the week I was there, the only employees who I ever saw smiling were the registration clerks.

Looking at the visitors, I really only saw three types of people. First, there were the really old people. If they were alone, then they would not smile. But put three or more of them together and they were clearly having fun. Whether it was slots or just walking, old people were happy in groups.

The second type were the party crowd. Either a bunch of frat-boys celebrating together, or a bunch of party girls looking to get drunk. But I think their smiles were fake -- I would see a frat-boy look around the casino without a smile, then put on the smile to address the group.

The third type were the individuals. There were a good number of people wandering around alone. These people were likely there for a conference or meeting, or were just separated from their group. None smiled.

Now, let's look at this with regards to long-term revenue. Old people die -- no long-term clientele. The party goers might return one time for a conference, decide it is boring, and never return again. In fact, the real people with money are the individuals -- and they were not happy.

As an individual, I found the casinos to be boring. If I wasn't there for a conference, then I wouldn't go there.

What Do People Want?

In Vegas, meals are expensive, shows are expensive, and gambling is expensive, but I don't mind the expense if I'm having fun.

What really got me were the nickle-and-dime spending for everything. For example, my hotel room only had about a dozen channels (ABC, NBC, ESPN, etc.), but no "extras" for free -- no movie channels like TNT, AMC, or even HBO. In fact, any La Quinta in California has better TV selections than any place I have stayed in Las Vegas. In LV, you can purchase a movie on demand, but otherwise, they don't want you to relax and watch TV at night.

With everyone getting overweight, I've taken up walking on a treadmill, biking, and doing weights. I know, with all of the walking around, you'd think I wouldn't want to exercise at the hotel -- but I've become used to it and it makes me happy. At the Monte Carlo, they have a fitness center, but it isn't free. If you want to use a treadmill or go spinning, it will cost $19 per day. I can join a full health club for $35 per month, so $20 per day is outrageous. But more amazing were the hours -- they open late and close early (I think the hours were 9am - 9pm). If you're into exercising, then you probably do it in the morning, or at night. So the fitness center isn't even available.

And then there is Internet access... In today's always-connected world, everyone needs Internet access. Even when on vacation, you need to stay connected. Yet, none of the casinos offer free network access. It is usually $12 - $15 per day. Now, keep in mind, T-Mobile offers unlimited Internet access for $5 a month, so $15 a day is unrealistic. Then again, T-Mobile doesn't offer a hotspot on The Strip (not even at the plethora of Starbucks locations). I ended up walking to Planet Hollywood's Coffee Bean and Tea Leaf (coffee shop), or Krispy Kreme in Excalibur, which both offer free access (when their connectivity was not offline).

One feature at Defcon is the Wall of Sheep, where they sniff usernames and passwords for anyone using the network. Twitter was really popular this year and was constantly at least half of the sheep traffic.

Ignoring the security aspect of it (Twitter has no security), Twitter is popular. At many casinos that I visited, I saw kids (well, people younger than me) congregated around doors or anywhere there was good cell phone coverage, and tweeting or IM'ing. In fact, you're not allowed to use a cell phone, blackberry, or other electronic device when you are in the gambling areas. These kids have money, and the casinos are not catering to them.

Hey Taxi!

I always chat with taxi drivers. They know everything. But this year, things were interesting... I asked every cab driver the same question: Is Vegas slower this year? Everyone said yes, but the reasons differed.

The first two cabbies blamed Obama. The administration has decided that bailout companies cannot hold conferences in Vegas. The reason is pretty simple: this is TAXPAYER MONEY. Vegas is expensive and the casinos hold onto most of the revenue. So for the cab drivers, ask yourself this: do you want $1 of your taxes to go to Vegas, where less than $0.05 will come back to you? Of course not.

One cabbie said that Vegas has become a party and drug town (more so than ever). Kids go to the clubs for sex and/or drugs, and that's where the money stays. But then again, these are not long-term clients; after a year or two, they will get burned out, arrested, or dead. I asked this cabbie about long-term clients and she laughed; Vegas used to cater to business people and vacationers, but that stopped years ago.

Then again, the cost of a cab ride has increased. I used to be able to travel from one end of the strip to the other for $15 (including tip). Now it is $20. That's $40 round-trip. For $40 a day, renting a car is cheaper and more convenient.

Insult To Injury

As I previously wrote about airports, I measure success based on the cost of orange juice. At the Las Vegas airport, a small bottle of OJ costs $5. It is the single most expensive price I have ever seen for orange juice.

So after all my complaints about the cost for network access, fitness, food, shows, and entertainment, I get hit with a $5 cost for OJ. And I want to return to Vegas because...

I usually go to Vegas at least once and sometimes three times a year. I have already canceled my next trip to Vegas -- the conference is not worth the additional costs. And if Defcon wasn't held there, then I probably would not go again.

I'm finally back from Defcon 17. This was my 7th year at the conference (I've attended DC 9, 10, 11, 12, 15, 16, and 17.) Much of the conference was similar to previous years: some talks rocked, some were meh, and a few sucked. However, there were also many differences.

The Crowd

Back at Defcon 9, the crowd was really divided evenly into three groups. One third were industry, academics, and other whitehat hackers who were there to learn. One third were true blackhat hackers (brilliant, but evil), grayhat hackers (doing good via evil methods), and general anarchists. And the final third were feds, trying to inventory the other two groups.

Over the years, the blackhat group has dwindled, while the fed and industry groups have increased. This year, I gut-estimate that the crowd was 60%-70% feds or people who work with feds, and the rest were industry (like me) or academics. There was only one person who I knew was a blackhat hacker, and no obvious anarchists. This was a relatively tame crowd.

And speaking of estimates... Jeff Moss (aka Dark Tangent -- he is the face behind Black Hat and Defcon) originally voiced that he expected the conference to be about 2000 people smaller (or 25% smaller) than last year, due to the economy. He was grossly mistaken. The conference sold out of the 8000 badges in less than a day. I'm gut-estimating that there was probably 2000 more people than last year. The economy may be hurting, but this conference was too important to miss.

As a comparison, the World Shoe Association holds their annual conference in Las Vegas at the same time as Defcon. As I understand it (from chatting with cab drivers), WSA was a bust. They had more vendors than visitors. Defcon actually had more attendees than WSA.

Other things I saw and heard at Defcon:

• I saw at least a half-dozen fat men walking down the halls while eating salads. In all my years attending Defcon, I have never seen anything like it.
  
• I overheard a guy on his cell phone saying "No, I'm not in Virginia right now." Fed! When I asked if I could spot him, he covered his phone and walked away.
  
• There were way more goons (Defcon security) this year than ever before. And the hotel security were actually checking badges and acting friendly, instead of sleeping or being *ssholes.

The Talks

A few of the talks were informative, but not earth-shattering. For example, Roger Dingledine gave a good talk titled "Why Tor Is Slow, and What We're Doing About It". Why is it slow? Bandwidth and architecture. Increasing the number of nodes will not alleviate the problem. And they had to put in a number of limits in order to prevent abuse (abuse being anonymity breaches, and not the number of people who use Tor to download porn). Don't get me wrong -- the talk was well done, it just wasn't remarkable content.

Similarly, my friend Richard Thieme gave two excellent talks. One was on UFOlogy, continuing his coverage of UFO-related information. (While most UFO people are true-believers and nuts, Richard is definitely sane. And even Richard agrees that more than 95% of the stuff out there is fraudulent -- it's that remaining sliver that is really interesting.) His other talk was on Hacking and Biohacking -- new material and very cool stuff.

There was a special guest this year: Adam Savage from Mythbusters. (Thanks Marcus for getting me a great seat! 3rd row, aisle, within spitting distance -- not that I wanted to spit at Adam. I trained all of the people in the question line to kneel so the rest of us could see.) Adam's presentation was part speech and part Q&A, on the topic of "Failures". He doesn't trust people who have never failed; failure builds character and experience. And people who have never experienced a failure are likely failing constantly but not noticing due to all of the people saving the day behind the scenes. While the topic was related to hacking, it really wasn't a technical talk -- and he didn't blow anything up, even though there was a fire extinguisher on the edge of the stage. It was definitely worth attending, and he said he wouldn't mind presenting again next year.

Beyond the regular stuff, there were a few "WOW" presentations. The big ones that I attended:

• "I am walking through a city made of glass and I have a bag full of rocks" by Jayson Street. This was truly an unexpected WOW. He discussed cyber warfare, and who is really doing what. He named names, and gave a clear story. Wow, Wow, Wow.
  
• "Weaponizing the Web" by Shawn Moyer and Nathan Hamiel. Last year they attacked social networks. This year they attacked automated redirection systems and exposed serious weaknesses from Cross-Site Request Forgery attacks (CSRF). Imagine Site A (e.g., USAToday) attacking Site B (e.g., Wikipedia) who attacks Site C (e.g., CNN) who is attacking Site A (e.g., back to USAToday) -- all initiated with one specially crafted URL. This talk was informative, eye opening, and very entertaining; exactly what I'd expect from Shawn and Nathan.
  
• "Advanced Video Application Attacks with Video Interception, Recording, and Replay" by Jason Ostrom and Arjun Sambamoorthy. They demonstrated the ability to intercept video and audio between two VOIP devices (like Cisco video phones), and how to inject or hijack content. The talk was good, but the demo sealed the deal as a Wow talk.
  
• "Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data" by Chema Alonso and Jose "Palako" Palazon. Programs like exiftool and libextractor only find a little of the available meta data. Their tool, call FOCA, extracts so much more. It not only extracts meta data, it also cross-file correlates and does deep data mining. For example, they can extract email and IP addresses from DOC files and then correlate addresses between documents to determine who is creating what. Using it, they scared the hell out of their own government (Spain) and the CIA -- both of whom pulled all of their docs, cleaned the meta data, then re-released their documents. And I enjoyed their motto: Spanish is better.

The Stupidity

Every year, people do some really stupid things. But let's face it... if you put a bunch of geeks in one place then you are certain to hit a critical mass for stupidity.

Most of the conference was pretty tame, even compared to previous years. (That's what you get for having more than 50% feds in attendance.) However, there were four felony arrests. Three people got the bright idea to bungee jump off the roof of the Riviera Hotel and Casino. The fourth person picked the lock to the roof. Normally, these would be regular crimes... Except, they happened at a Casino. That makes them felonies. (And no, they didn't get to jump, but they did get to the roof.)

A swarm of killer bees (yes, really) attacked people lounging by the pool. When I saw the swarm, they were resting on the side of the building. Some other guy said that the swarm was about twice the size 30 minutes earlier. (Does anyone have pictures???)

And one guy broke his foot. He was a pervert who grabbed my friend's rump. Now, Page is not a petite woman, and she certainly was not dress provocatively. Yet some guy walked up behind her and did a two-handed grab. Page, being a rugby player, reacted instinctively -- she stomped backwards with her foot. As she put it "I felt a crack and he yelped". "You broke my foot", he exclaimed. "That's the idea", she replied. If anyone knows the identity of the guy who broke his foot at Defcon on Saturday (Aug 1), let me know and we'll devote a wall-of-shame to the pervert. (As an aside, Page's boyfriend -- my buddy Mike -- is a very big guy. The perv was lucky Mike wasn't around or a broken foot would have been the least of his problems.)

For any women debating on attending Defcon 18: In all my years at the conference, I have never heard of anything like this happening before. (And I know many women who attend the conference, and none have mentioned being molested.) This was an isolated incident and most likely, he was the same kind of perv who would grab stewardesses on airplanes and shoppers in grocery stores. Most male geeks have trouble talking to women who's names don't end in ".JPG", and they may act dorky, but they are very polite to women.

And to the pervert: we will find you, and we will make you public.

Next Up?

I always find something new when I go to conferences. In my next blog entry, I'll cover the looming death of Vegas.