As Internet lawyers, we deal with h*ckers all the time. Usually chasing them, to be totally frank. We recently had a chance to pick the brains of some exceptionally talented and knowledgeable government security types, and both had high praise for the Black Hat conference held immediately prior to DEFCON. Both refuse to attend DEFCON because they are ridiculed and harassed there by young adults acting like kids. You'll recall the chase video on YouTube in which attendees "out" a reporter in a most inappropriate and threatening way.
As DEFCON starts its conference this week, the rallying cries of those trying to defend the annual "conference for h*ckers" grow louder. Last year, the Dozier Internet Law website came under attack during the conference. You may also recall the Dozier Internet Law 2008 Defcon blog posting. Out of the blue, defenders of DEFCON's "business expensed" veritable fantasyfest in Vegas chimed in, pointing out that the vast majority of attendees are information security professionals. Of course, that's like saying that almost all of the attendees at a bomb-making workshop are not terrorists. Great. As Internet lawyers, we'll never run into the "vast majority" of the attendees. How about the "others", though?
Here is an excerpt from the official description of a featured program from this year:
"Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules."
In other words, they have pulled together public and not-so-public hacks and organized them under one tent for ease of access and use in h*cking into Oracle databases. Now, there are two ways this can go. The information security attendees can use this information to identify risks and implement fixes for security holes. And the other way? Attendees learn how to more easily h*ck into databases and steal information and identities, creating catastrophic loss to a business even if the h*cker just accesses the data and looks around.
The good news is that anyone with US $120 can attend. No real names, please. Just use your moniker. Anonymity is paramount. There is even an annual game for embarrassing the federal authorities in attendance. Rooms are $109 per night, but no more than four in a room, please.
This conference has a long history of problems. Anyone can attend, unless, as real-life experience tells us, you are a SPEAKER arrested by the Feds, a REPORTER "outed" by the conference management and pursued by a mob of attendees, or a registrant intercepted at our border before getting into the US. Couple that with last year's session on how to hack the Boston public transit system and get "free fares for life", the MSBlast worm and virus fiasco of several years ago in which the Department of Homeland Security had to issue a global alert the day before the conference, and the many, many other incidents recorded for posterity online. And then lay on top of that the Electronic Frontier Foundation's prominent and high-profile attendance and involvement at the conference, attacking our computer crime laws as "absurd"...laws passed and strengthened post-9/11 by the US Congress.
Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to h*ck into a protected computer? At Traverse Internet Law, we know this issue is yet to be fleshed out fully, but we expect that criminal conspiracy laws could come into play at some point. It wouldn't matter, though, if someone would use some basic common sense and get rid of the 15-year-old using an assumed name and learning the finer points of how to h*ck. A conference for security professionals? This is not found anywhere on the DEFCON website. And while it clearly meets that definition for some, and likely most, attendees...that's not good enough.
Here are some suggestions: Tighten up the rules of admission, use real names, bar convicted felons and known "black hat" h*ckers, and stop intimidating the legal authorities and reporters. Maybe then you'll become legitimate and not an unacceptable risk to society. Oh, and get your head out of the sand. It may be all fun and games, but trust me: The wolves in sheep's clothing are there. You either don't know how to spot them, or you don't care.
DEFCON, if you don't change, you need to be shut down.
You've outlined current DEFCON policies, procedures, and culture with which you take issue. You've also listed some remedies that you think will move DEFCON away from being "an unacceptable risk to society."
I didn't come away with any sense of what would change, even if DEFCON restructured itself. It would just be friendlier to a particular segment of attendees.
Posted by: Frank Wither | July 28, 2009 at 11:47 AM
Mr Dozier, will you be in Las Vegas later this week? I can introduce you to anyone you'd like a meaningful conversation with.
Posted by: John | July 28, 2009 at 11:58 AM
Frank, thanks for your thoughts. This is the effect of what I am suggesting as a starting point. Removing anonymity is a first step towards accountability. And that alone will discourage the scofflaw attendees from showing up. Show respect for the rule of law by welcoming law enforcement and not violating state and federal hacking laws or encouraging others to do so under a guise of "research". Welcome the press into the fold in any way they see fit without mandating a "press credential" to be worn as a scarlet letter to incite contempt and ridicule and preclusion. And bar the crooks, thieves, and scofflaws from the premises. That's what I am suggesting as a starting point. At least it shows some good faith. Does it solve all the problems? No. But it is a start in the right direction.
Posted by: John W Dozier Jr | July 28, 2009 at 12:26 PM
Mr Dozier,
If I may be so bold as to suggest, the entire point of Defcon has always been neutral ground for both good guys and bad guys. Don't underestimate the amount of valuable intel gleaned by good guys into the mind and tool set of the bad guys. Whether admitted or not, defense is reactive by definition. So in order to be more proactively defensive, intel must be gathered. What better way than to bring them all together. You must understand that it is widely speculated that this is the very reason our own government may have provided the initial funding for the conference in the first place. When your enemy is hidden all over the place, bring them together in the open, observe and you will understand them...
Posted by: Zack | July 28, 2009 at 01:04 PM
Zack: I understand the value of the good guys/bad guys approach in staying on the leading edge of developments, techniques and tactics. But there needs to be some balance. While government infosec types learn how to better execute and defend a cyberterrorist attack, DEFCON is educating scofflaws on how to ruin small businesses in minutes. I'm putting an audio up on our website shortly from a speech an infosec executive and I gave to Internet Retailer attendees in June. The solution is about striking a balance, and if a comfortable accommodation cannot be reached, finding an alternative approach for sharing knowledge and information away from the public eye.
Posted by: John W Dozier Jr | July 28, 2009 at 01:14 PM
Mr. Dozier,
If you have an opportunity, please come to Defcon. You might learn that there are other reasons than the ones you blow out of proportion in your article.
1) You state that your website "came under attack" last year and that was in retaliation of some article. Do you have any proof of this? Or are we supposed to take this as gospel because you say it?
2) You reference the incident where a female reporter tried to break the RULES of Defcon, and was caught and vilified. Yes, Virginia, there are RULES at Defcon.
3) You mention the talk (that was canceled due to lawyers chest thumping) that showed the weaknesses of the Boston transit system, and don't reference the WHOLE story, that the Boston Transit System was notified of the weakness and refused to address it.
4) You state, "There is even an annual game for embarrassing the federal authorities in attendance", when in fact it is NOT to embarrass them, it is to see if someone can spot a Fed. The "Fed" is given a chance to decline to be publicly named, and all law enforcement personnel are treated with the utmost respect.
5) Because you haven't and don't plan on attending, you really have NO idea of the information exchange, the dynamics of what this type of conference brings the entire community, and why there are MORE Professional Security people at Defcon than there are at BlackHat.
What about Johnny Long and all the good things that go on at Defcon?
You ignore the talks such as:
Effective Information Security Career Planning - How to further your Career
Defending Yourself @ DEFCON - How to protect yourself while at Defcon
DC Network Session - Learning how to build a network to hold up to Defcon
Perspective of the DoD Chief Security Officer - Mr. Lentz, a Deputy Assistant Secretary of Defense in both the Bush and Obama administrations.
H*cking the Wiimote and Wii Fit to Help the Disabled - Don't tell me you don't like people with Disabilities...
Q & A with Bruce Schneier - do you know who Bruce is?
Meet the Feds 2009 - An entire panel of Feds, who WANT to be there, and expose themselves (figuratively you perv), to the Defcon attendees.
I would like to invite you out to Defcon, I'll even pay for your entrance. You need to experience it first hand to truly understand the purpose, people, and knowledge that is shared by the community.
Take a real look at the convention and stop being an Internet Troll. Read the actual content, http://defcon.org/html/defcon-17/dc-17-schedule.html.
As respectful as I care to be.
And yes, this is my real name.
Posted by: Jim Noble (aka dc0de) | July 28, 2009 at 02:07 PM
All of the information presented at the conference is available for free, via the Internet, during or shortly after the convention. Anyone can download it or use the tools published at the convention, without using a real name, regardless of their intent or industry. How would changing Defcon to hold attendees more 'accountable' really protect anyone?
Posted by: Jared E. Richo | July 28, 2009 at 02:10 PM
The reporter that was "outed" refused press badges and credentials. If you are advocating that people should play by the rules & go legit, that isn't a good example of why. That reporter clearly wasn't playing by the rules and suffered the consequences of her actions. Her employers even had a history of chasing down people in the same manner.
Also, you should fact check your posts. Room rate is $89/night, not $109/night. Little thing, but it is also one of the first things you see when you look at the Defcon page, and it lessens your credibility in regards to this article. (Think I'm wrong on that? Think about how a judge would view you getting provable facts wrong. You're a lawyer; it shouldn't be too hard for you to answer that.)
Posted by: Becky | July 28, 2009 at 02:16 PM
You know what the problem is with the internet ... too many lawyers! Seriously, how can one just sit on the sidelines and act as if they have some notion as to what is going on at an event, but never attend? At the end of the day, I view this article as just another part of the DHS paranoia machine that thinks we are all better off with more government and handing over more control to others. Sorry, but I do not trust the government or lawyers ... I guess we all know where we stand (FYI - I used to work for the government ... I guess I joined the 'darkside' out of frustration with fools and bureaucrats .. and NO, I do not do illegal activities - it is morally and ethically wrong!)
Posted by: FatherofMaddog | July 28, 2009 at 02:32 PM
I agree with Zack, and to advance the discussion further - the research that is presented at these conferences is only a very small part of the overall security research being conducted by criminal elements. If there was no public forum for this information then it would stay unknown and therefore small businesses would have no way of protecting themselves out of a lack of information.
I would personally love to see governments sponsor these types of events for this reason alone - but in the private sector it is the responsibility of the organizations to ensure they are able to digest the information into meaningful intelligence to protect themselves. The only way to get this information is to hire advice from blackhats - or hire advice from well-informed whitehats who are the majority of the people attending the conferences.
Away from the public eye means secret and secrets make us less secure as a whole.
Posted by: Mark | July 28, 2009 at 02:50 PM