How not to get hacked at a hacking convention

I stroll past a room at the end of a long hallway, out the front of which stands a cardboard cutout of a giant cartoon sheep. Inside is a dark room filled with mostly young men, headphones on, hunched over their laptop screens. The front wall is lit up by a giant projector screen displaying hundreds and hundreds of usernames and passwords of users connecting via the DEFCON wi-fi network.

It’s called Wall of Sheep, an interactive demonstration of what happens when internet users let their guard down.

Welcome to DEFCON, the annual hacker’s conference held in Las Vegas, Nevada.

You’d think the info-sec types who come to these kinds of events would know better than to use public wi-fi, or if they must, at least take care to hide their information. If this collection of some of the world’s top-level security heavies is getting sloppy, just think what ordinary internet users are letting leak into the virtual void.

“Christ,” I think to myself. “I wonder if my email address and password are in there somewhere.” I make a mental note to ask the app’s inventor whether 3G or 4G mobile phone networks could be accessed too. (They’re not. It’s illegal.) I thank myself mentally for deciding not to take my laptop to the event, and for bringing along a phone case that blocks my signal when it’s not being used, keeping it from any prying eyes.

One of the best aspects of hacking conventions: It takes all types. Image: Claire Porter

To an outsider, a program like Wall of Sheep may look nefarious, but actually the hackers here are providing a public service. A public shaming, maybe, but this is one of many contradictions of DEFCON.

Attending press — known as tourists, hacker groupies, or unhumans to the hackers — may find it ironic that a community so obsessed with anonymity and privacy has a conference.

And is having some of the world’s top hackers descend upon Las Vegas, Nevada really a good idea?

Won’t the authorities be watching?

Au contraire. A lot of the people here are doing the watching, either for, or on behalf of, law enforcement at local, federal and international levels.

The co-founders of the Wall of Sheep, Brian Markus and Joseph Mlodzianowski

Chris P, a senior incident response analyst at a prominent corporation, told PC Mag Australia that he and his team of hackers-for-hire frequently share information with the FBI, which he says has vastly improved its sharing and reporting capabilities when it comes to potential security violations.

According to another unnamed member of Chris’s team, many corporations actually have a pay-per-report system where they pay hackers to report security flaws. How much depends on the severity of the glitch.

DEFCON is where some of the world’s most urgent security problems are solved. And where wheeling and dealing is done between companies, and hackers. Tesla is here on a recruiting binge. I’m told Google is here too. Facebook threw some kind of party so I’m guessing they’re not just here for a weekend of excess.

This is what happens when you get something wrong in Hacker Jeopardy: You get pooped on. (Fear not, it's just chocolate.)

The kind of technology being sold here, for about $20 a pop, could be used to steal your entire life, and then some.

On sale in the vendors’ room is a nifty little device that looks like a wireless router called a “Hak5 Pineapple”, a rogue wireless access point that lets you dupe users into thinking it is a trusted and verified hotspot.

“Using the Pineapple I can see the webpage you’re browsing, the graphics on the page, the images you took, the passwords you use and more, all on my laptop,” says Ryan, a security and operations lead at a prominent and undisclosed corporation.

The Hak5 Pineapple.

Then you’ve got a software-defined radio, which is basically a TV tuner that lets you listen in on phone calls.

“You can use it to tune into Police, Fire and all kinds of other stuff with it,” says Chris.

There is a keyboard emulator, which is basically the fun extension of a hack on user systems. Once they’re in, the hacker uses the keyboard to type in whatever commands he needs to get the job done. Or just snoop around.

And a device known as "The Rubber Ducky" gave the team hours of high-jinks fun, giving them back-door access to people's computers.

The Rubber Ducky. So small, so scary.

“‘Somebody’ may have coded up something that plugs into a Mac computer and put a backdoor into one of their coworkers’ computers, and then loaded some scripts that made his background change to say things like ‘I’ve been hacked’,” joked Chris, about his team’s penchant for office pranks.

“Of course he started freaking out.”

This is the kind of cutting edge technology purchased by droves of hackers, security analysts, anyone with an interest in keeping themselves - or the companies they represent - from “getting fucking screwed”, according to one attendee.

“To a degree the NSA and CIA and other intelligence agencies are probably using very similar things”, Chris says.

The parties were as wild as the security revelations made during the DEFCON conference. Picture: Claire Porter

“It’s referred to by our community as the ‘NSA play set’,” says Ryan.

They’re not kidding. Just yesterday celebrity hacker Michael Ossmann unveiled a tool which gave users access to encrypted police bands and all sorts of other encryption protocols.

This means yet again the security community has to up its game. If I learned nothing else this weekend, it’s that there’s a continual back-and-forth relationship between these hackers - both script kiddies and the gainfully employed - and the world’s top security vendors.

Just in the last two days at this conference, Brian Markus, chief executive of Aries Security and co-founder of Wall of Sheep, told me exclusively that he has discovered a major security flaw in hundreds of health devices being worn around the wrists of attendees of the conference, and of anyone else in the casino with a health device around their wrist, though he refused to disclose exactly which devices were causing the problems.

Ryan hacks his own phone to demonstrate just how much information he can suck up about himself onto his own computer using the Pineapple. Sites visited include Amazon, and lots of Android applications. Picture: Claire Porter

Your doctor could get banned from practising medicine for sharing your health information, and yet there it is for all the world to see. Because it’s a consumer device, it doesn’t have the same security standards or protocols as medical institutions.

Of course all of these tools could be - and probably are - used for less than legitimate activities, but as Chris puts it: "The evil you find is only as good as the infrastructure and protocols you have detecting it."

Touché.

Just recently Chris discovered a major police database sitting out in the open, containing all sorts of information up to and including reports of operational procedures, phone calls, even criminal records. He sent it on to the mayor of the town and arranged to have it patched before anyone could know about it.

More importantly, DEFCON is a recruitment drive, not just for jobs but for potential new relationships, and new intel.

“It’s an invite only thing,” says Chris.

For such a technologically advanced community, the people here are pretty old school. Sure there’s plenty of online vetting they could do of each other, but what better opportunity than to grill potential employees once a year, face-to-face, in Vegas?

Why I love Defcon: Because nobody gawks at the colour of my hair or what I'm wearing. It takes all types. Picture: Claire Porter

“You have to be trusted and vetted by someone and brought into the fold,” he says.

Missing DEFCON could mean “a potential loss of trade secrets for companies”.

“If you lose business you end up looking like a fool.”

“It’s about the things we learn in the conversations we have in-between the talks. There are just those ‘Oh shit!’ moments. Everyone’s like ‘Oh shit! that guy just switched on the televisions in more than 200 hotel rooms in Shanghai from his wireless connection on his iPad! That’s fucked up’.”

Another member of Chris’s team who declined to be identified chimed in: “There are a lot of talks that I go to and half-way through I’m like ‘OK, when I go back to work on Monday, I’m working on this’.”

Defcon is not a Comic Con, or some sort of trollfest. Serious business gets done here. And those who don’t take it seriously, or live up to the strict moral code, had best beware.

Just a few years ago a Dateline reporter was run out of town after trying to get people to admit to a crime all while she was filming with a hidden camera.

I’m told she was chased all the way to the parking lot.

"It’s also an opportunity to connect with people," says Chris.

"A lot of people in this culture aren’t necessarily the most sociable people on the planet, so it’s an opportunity to have a social interaction, to see the face behind the screen name of the person that’s helped you out.

“I can’t tell you the amount of times I’ve run into people here, that are like, 'Are you so and so? Hey, holy crap, thank you so much with that issue I sent you an email or posted something on your blog about'."

“You get the opportunity to buy the guy a beer, say thanks and form some friendships.

“You really start to learn the human side of everybody here.”