DEFCON day 2

not sure if it’s the 50 shades of grey effect or what, but man is there more chippendale’s ads than last year.

keynote was this morning and it was delivered by the head of the NSA / head of US cyberdefense. if you combine that with the talk given by the former assistant executive director of the FBI (i think i got that right), a former anti-hacker prosecutor, and the usual mix of recruiting talks by the standard 3 letter agencies, this might have been the single most government heavy DEFCON in history. more like FEDCON amirite?

NSA guy’s talk was in general “you guys are wonderful, we are all americans (even the ones of you who are not american) and should therefore help america. please do not sell exploits to anyone else, please work for the NSA 143 143”. only two notably points is that during the softball q/a session (all questions asked by DT) he said that NSA has no dossiers on any american unless it’s incidental to their conversation with other-nationals, and when asked if he’d prefer a safer but more limited internet to a less-safe but more creative, he admitted to preferring the first in order to protect IP.

fun fact i learned though: NSA is tasked with protecting .mil, FBI is tasked with protecting .gov, any other tld and you’re on your own. or in theory anyways, in practice if there’s enough millions on the line, the FBI can still run in and perform hardware seizure on your behalf to remove an attacker, especially if you happen to hire an ex-FBI security consultant with everyone in the bureau still on quick-dial HINT HINT

some rundown of other stuff from the con:

  • WEP cracking is considered not worthy of discussion anymore while WPA/WPA2 are best attacked with password bruteforcers, and in current keyspace given a single aggressing computer and strong signal, the average attack length for a perfectly configured WPA2 is 1.5 months.
  • if you’re using regex’s as your sole method of detecting SQL-insertions then you’re living in a state of sin, even more than before
  • drones are cheap and getting cheaper. everyone should have a dozen to monitor everyone around you. good drones make good neighbors
  • if you have vmware server running and it’s not patched to 4.1 then there’s a metasploit module out to hack you. if you are fully patched, there still might be a way to string together a mess of bugs involving windows permissions, vmware orchestrator, jetty web server, unicode escaping of strings, arp spoofing, and an MD5 hash break for good measure, that will take over your mini-cloud. the weird russian claimed this was a 0-day.

oh, and there’s a DEFCON documentary coming, from the guy who made Get Lamp and the BBS documentary. looks very Get Lamp-y, which is not bad.

good talk from a guy who used to test systems for US defense contractors to make sure they were secure enough for secret and top-secret documents. long story short: the guidelines are written by 15 defense contractors, you don’t have to do anything at all for 9 months or so, the new “partners in industry” program makes it next to impossible to fail, he’s not allowed to touch the computer during an inspection (the employee drives while he watches), and windows is the only system that has actual security guidelines for it. the linux guidelines, as of now, are limited to monitoring a few directories and seeing if a new file shows up. bonus factoid 1: in case the DoD learns that a contractor got hacked, the DoD has no right to tell the contractor who did it, how they did it, or how to fix it; they can only say “hey, you got hacked, sorry”. bonus factoid 2: in he found a print out of the locations of the current active US nuclear missile silos (clearance top secret) hanging out in a filing cabinet in a public hallway. upon moving it to secure storage on a nearby base (per guidelines), he got yelled at for interfering with the contractor’s work.

different good talk from a ACLU-NorCal guy pointing out that while SOPA/PIPA is definitely a worry, a second and very real danger is tiny encroachment by local law enforcement. it’s not the feds currently who are developing omnipresent license plate scanners, but local police departments under municipal law. if things like cell-phone privacy laws fall, it probably won’t be from federal guidelines, but from people not managing to successfully challenge their adoption by smaller law enforcement groups.

which leads me to the first entry into this year’s DEFCON “slippery slope of doom” talk, which was the “automated law enforcement will lead to killbots on our streets (maybe)” panel. decent talk, other than the alarmism, pointing out that we are in fact automating away a lot of the processes of societal safety, including traffic cameras, facial recognition of crowds, full biometrics in some places like India, license plate recognition, crowd sourcing of suspect identification (like websites for identifying looters), and that south korea did literally actually use actual literal killbots on their DMZ with north korea. american flying killbots not mentioned at this particular talk for some odd reason.

that was a strong contender for second place in the “slippery slope of doom” contest since first place will doubtlessly go to Cory Doctorow who will give his standard sales pitch on the death of general computing tomorrow, and it’s unlikely that he won’t at least call for the overthrow of government if not all out civil war.

so yeah, that’s day 2. i’m seriously missing the 7/11 that was within walking distance of the riviera, at least i could buy a banana there. i’m drinking naked juice’s from starbucks to try and keep away vitamin deficiency.