Jeff Moss was desperately hunting for a back door. But this time, the DEF CON founder wasn’t trying to hack his way into a network — he was seeking an actual back door, a way to avoid the masses at the Las Vegas hacker fair he launched 23 years ago.
This year, attendance would top 20,000 — and all of them seemed to be crammed into the hallways of the Paris hotel, inching their way toward massive conference rooms to learn how things like Android phones and connected cars can be attacked and pwned.
Moss tried to dart through a gift shop in the Champagne Ballroom that was selling DEF CON paraphernalia. The doors were blocked. He looked for a rear exit in the Versailles Ballroom next door. No dice. Rerouting, he attempted to swing wide around an information kiosk in the center of the walkway but ran smack into a wall of humanity.
Moss finally had to wedge his way into the thousands heading in the opposite direction, as DEF CON veterans greeted him with fist bumps and cries of, “Hey DT!” (His hacker handle is Dark Tangent.) At 40, Moss doesn’t look all that different from the teenager who was blown away by the film WarGames and decided to create a conference for like-minded souls. As he tried to hack his way through the crowd, he was verbally debugging the process that had turned his gathering of geeks into the crowd scene from The Day of the Locust.
Jeff Moss, aka Dark Tangent, holding the Uber badge given away at DEF CON 23. (Photo: Dan Tynan/Yahoo Tech)
“This is the first break of the first day in a new hotel — that’s why this is so screwed up,” he muttered. “We’ve got to create lanes flowing in each direction and make sure each track breaks at different times.”
It was yet another sign that hacker culture — even at an enter-at-your-own-peril event like DEF CON — has gone big time.
DEF CON started in 1993 as a farewell party in Las Vegas for one of Moss’s hacking friends, who was leaving the country. Moss turned it into a conference/party for roughly 100 fellow hackers he had met via electronic bulletin boards. DEF CON 1 (it got its name from WarGames) debuted with a handful of talks with titles such as “To Hack or Not to Hack” and “Future of the Computer Underground.”
The next year, Moss decided to hold the conference in Vegas again. Attendance doubled. The year after, attendance grew again. By 1997, DEF CON had become so popular among security professionals that Moss created a second conference just for them, called Black Hat. (That name is ironic: In the hacking universe, “black hats” are the bad guys, the ones who launch cyberattacks for personal gain or simply to be destructive.)
In its 23rd year, DEF CON is now recognized as the ultimate meetup for hackers and hacker wannabes. This year’s conference featured more than 100 presentations on a huge range of topics, the public demonstration of several headline-making exploits, and elaborate warnings designed to keep naive newbies at a safe distance.
“It’s wise to consider the public network at DEF CON profoundly hostile,” conference organizers warned in an email, offering a long list of other precautions:
- Do not bring a phone. If you must bring one, make it a disposable “burner” with no personal data on it. If you must bring a smartphone, leave it in airplane mode. Do not attempt to connect it to any networks.
- Do not plug your computer into any randomly placed network cable or your phone into someone else’s charger — they could be rigged to steal your information.
- Do not attempt to log on to the conference Wi-Fi network; you could find your name projected onto the Wall of Sheep, where hackers post unencrypted logins and passwords.
- Bring cash. If you bring a credit card, put it inside a radio-blocking pouch; otherwise, a hacker could use a scanner to read the numbers off its RFID chip. The same goes for your hotel room key.
A security-savvy colleague of mine went even further, warning me that hackers could target me in my own hotel — a solid half-mile from the conference.
“Leave your laptop in your hotel room unplugged and turned off,” he said. “Sleep mode isn’t good enough; it needs to be powered down.”
My DEF CON survival kit: a disposable phone, a credit card shield, my press badge/record, the show guide, and a vanilla laptop containing no personal information of any kind. (Photo: Dan Tynan/Yahoo Tech)
Drink all the booze
For these and other reasons, DEF CON will never be confused with more corporate security conferences. Everything at DEF CON has its own perverse twist, even down to the badges worn by attendees. This year’s model was a 7-inch vinyl record, color-coded to indicate status: red for conference official, blue for speaker, yellow for media, white for everyone else.
Dozens of attendees showed up with turntables to play the badge. (You can listen to the recordings here.) On one side was a voice-altered recitation from the Hacker’s Manifesto followed by a long series of numbers and touchtones. On the flip side, Dual Core’s rap tribute to hacking, “All the Things.”
“This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.”
— The Hacker’s Manifesto
DEF CON is best known for some occasionally dramatic presentations on security vulnerabilities. This year’s talks included “Scared Poopless — LTE and Your Laptop,” “Confessions of a Professional Cyber Stalker,” and “I Will Kill You” (how to hack public records to indicate someone has died).
Beyond that, DEF CON offers a series of “villages,” where attendees can learn how to pick locks, unseal and reseal tamperproof packaging, hack into smart appliances, talk their way out of interrogation rooms, and more. It’s like a Renaissance faire for uber-geeks.
True to its WarGames heritage, the conference is also filled with games and contests — like Capture the Flag, where 15 teams spend 72 hours attempting to commandeer a network server and then defend it against other attackers, or Hacker Jeopardy, where contestants answer nerdy questions while drinking copious amounts of beer and being assaulted with silly string before an audience of 2,000.
Winners of the most difficult contests at DEF CON 23 receive a custom glow-in-the-dark Uber badge, allegedly containing trace elements of uranium 238 and trinitite left over from the first nuclear tests at Los Alamos. They also earn a free pass to all subsequent DEF CONs for the rest of their lives.
Hack all the things
Show DEF CON attendees a lock, and they will pick it. Give them an encrypted password, and they will crack it. Present them with an allegedly secure network, and they will prove that it’s a lot more porous than you think. Whether they’re white hats, black hats, or somewhere in between, DEF CON attendees gleefully embrace their own outlaw image. That has led to a complicated relationship with both government and big business.
In 2001, the FBI arrested Russian hacker Dmitry Sklyarov at DEF CON shortly after he demonstrated how to circumvent the encryption built into Adobe’s e-book reader. In 2005, Cisco attempted to prevent security researcher Michael Lynn from presenting a talk on vulnerabilities inside the company’s network routers. Three years later, the Massachusetts Bay Transit Authority sued three MIT students to keep them from revealing how they managed to hack Boston’s transit system to ride for free.
Some corporations — but not all — have realized it’s better to have these people as friends than as potential enemies, and now reward researchers for identifying security bugs inside their products.
In October 2014, after security researchers Charlie Miller and Chris Valasek successfully gained control of a 2014 Jeep Cherokee via the Internet, they privately broke the news to executives from Fiat Chrysler Automobiles (FCA). Months later, after FCA had done nothing to address the problem, the pair shared their findings with Wired journalist Andy Greenberg. Within a week of the Wired story appearing, FCA issued a recall for the 1.4 million cars affected by the vulnerability. Miller and Valasek presented their findings at both DEF CON 23 and its more buttoned-down sibling, Black Hat.
At last year’s DEF CON, the duo revealed a list of 16 Chrysler and GM cars that could be vulnerable to attack; the Jeep was the most promising candidate.
“If Chrysler had attended DEF CON a few years ago, they could have saved themselves a boatload of money [from the recall],” says Winn Schwartau, a security consultant and author who says he’s attended every DEF CON since the first in 1993.
After the Tesla Model S was hacked, the company worked with researchers to patch the holes they found. (Photo: Dan Tynan/Yahoo Tech)
By contrast, when Marc Rogers and Kevin Mahaffey demonstrated how to hack the internal network of a Tesla Model S, the electric carmaker proved far more welcoming. The company loaned a Model S to this year’s Car Hacking Village, and Chief Technical Officer JB Straubel shared a celebratory shot of whiskey on stage with the researchers — a DEF CON ritual normally reserved for first-time speakers.
The show’s relationship with the federal government is even more complex. After years of encouraging the game “Spot the Fed,” where attendees would identify government employees quietly lurking in their midst, the show became fertile recruiting territory for three-letter federal agencies seeking to boost their cyber-IQ. In 2012, former National Security Agency Director Gen. Keith Alexander even delivered a keynote address. A year later, after Edward Snowden revealed that the agency spied on millions of American citizens, Moss politely requested that the feds refrain from attending.
Lately, Uncle Sam’s wary relationship with hackers appears ready to thaw, at least at some agencies. This year, the Federal Trade Commission presented a talk titled “How to Hack Government: Technologists as Policy Makers.” For the past two years, the agency also asked DEF CON attendees to help them develop apps to monitor and trace robocalls.
“Technologists can and should play a vital role in shaping tech policy,” says FTC Commissioner Terrell McSweeny. “A lot of people who attend DEF CON and are in the security research community connect with the FTC’s mission to protect consumers. So we made a pitch to them to either join us (literally, apply for a job) or help us (come tell us about their research).”
Hackers uber alles
During his keynote, Moss asked a packed room how many were there for the first time. Roughly a third of us raised our hands. In fact, attendance was 25 percent higher than last year, according to show organizers.
The fact is, hacking has gone mainstream — at least in pop culture. But the image of hackers that comes out of Hollywood is, Moss says, highly romanticized.
“In the early days, any time a movie or TV show had a hacking reference we all got really excited about it — ‘Oh my gosh, somebody knows what we’re doing,’” he says. “Now there’s a token hacker in every show who’s just there to tap on a keyboard and move the plot along.”
In Mr. Robot, actor Rami Malek plays Elliot Alderson, a socially awkward security engineer turned hacker vigilante. (Photo: USA Network)
(The exception, says Moss: USA Network’s Mr. Robot, which features a vigilante hacker who makes up in social conscience what he lacks in social skills. That, Moss says, is probably the closest the entertainment industry has come to getting it right.)
And while the network at DEF CON may be “profoundly hostile,” the attendees are not. It’s still a relatively small tribe, but it’s growing, with membership open to anyone with intense curiosity and a high tolerance for geekiness.
“The world needs to quit being so scared of these guys,” says Schwartau. “The perception that this group is the one doing the breaches at Home Depot or Sony or Target is just wrong, wrong, wrong. The people who go to DEF CON are the cyberpriests, trying to keep things honest.”
In short, hackers deserve respect. And if they’re not careful, one day they may even get it.