« Internet Lawyer: Dismissal of MySpace Criminal Case | Main | Internet Lawyer: $675,000 Copyright Infringement Judgment »

July 27, 2009


Re-read the post and the room pricing and I think you will find my math correct.

The YouTube video of the reporter is available for all to see and judge.

As one who works in the financial industry in a security role (keeping the unauthorized bad guys out of your mutual funds -- you are very welcome, no applause needed) and as one who's been attending this conference on and off for more than a decade, I can say that sensationalism reigns supreme. For the one or two shady incidents that might arise out of DefCon every year, there are tens of thousands of learning experiences happening and friendships forged. The good always far and away outweighs the bad. Always. Year after year.

Also, check out the annual "Meet The Feds" panel. You'll see the attendees do not ridicule those who are open about what they do -- coming from either the attack or the defense side of the game. So, while an angry crowd chases down a stealth reporter who intends to slander attendees might get front-page news, it really can't be used to justify a total paradigm shift of the convention.

Pseudonymous cash-only attendance affords everyone the chance to interact with others without the fear of being profiled, judged or added to some watch list -- there isn't an us or a them. There's a we. Without attending, it might be hard for you to fathom that we all have more in common than not, but it's the truth.

Mr. Dozier,
>I understand the value of the good guys/bad guys approach in >staying on the leading edge of developments, techniques and >tactics. But there needs to be some balance. ..The solution is >about striking a balance, and if a comfortable accommodation >cannot be reached, finding an alternative approach for sharing >knowledge and information away from the public eye.

This topic can become complex given the context of Defcon, and how long it has been going on, coupled with the fact that Defcon has become an organic culmination of various social groups colliding over the years.

How long have you been going to Defcon? Have you even attended?

Shifting gears,
When the idea of 'balance' is being preached I would have to assume your making this an intellectual exercise at best. There is no balance in this space(information security) (period), the 'good guys' are heavily outnumbered by the 'bad guys', but knowing your enemy is knowing the game...

It seems you are making great assumptions about the value of defcon, and the signal to noise ratio of the conference. Sure tons of kids goto it now days, but there are still a select few valuable people to meet up with.

If your worry is about 'h*ckers', I would have to conclude that this is one of the tamest cons as far as "true h*cker activity" is concerned.

Defcon is painted with kiddies, and wanna be's , but in the midst of all of this you must weigh the question "Do the ends justify the means?", which I think was the main perspective Zack was stating.

If your post was to be a moralistic exercise, what other topics are you wanting to draw the line on? Is gathering and talking about 'code' and vulnerabilities worse than people talking about same sex marriage, or child pedophile's meeting, or followed by the question "where is your line drawn?" or is all of this just posturing on your part to get more media PR?

-Daniel Clemens

Imagine you are in charge of infosec for a large bank, running Oracle. There are 3,000 developers - most of them contractors - working with various databases inside your firewall. It's you, with nothing, versus 3,000 people you don't know backed potentially by 22,000 Russian and Chinese criminals with the latest 0day exploits. What are you going to do?

Well, first, you are going to go to Defcon, where without telling them which bank you work for you will learn the latest on these exploits from h*ckers who would be glad to give the information away nearly for free (since Oracle rarely does anything about them). This way, you know what you are faced with from the people who aren't so open. We usually call those people the criminals. I am sure you have heard the term.

Second, you are going to use Metasploit to test said database. Why? Because it is a framework for penetration testing with all of those exploits already in place. You can make sure that your database can't be compromised by those nameless criminals (there's that word again), all due to the VERY hard work of just a few extremely smart ... wait for it ... h*ckers.

You, my "internet lawyer" friend, have completely failed to get the point. You mention "finding an alternative approach for sharing knowledge and information away from the public eye." All of this information is already out there for those who care to find it. Defcon makes it available to the overwhelmed many who are tasked with protecting what we have. And that's a bad thing exactly how?

These are very good points about the value infosec people receive in attending Defcon. I have never questioned that it is an extremely valuable resource for large businesses and the government. The problem is not with the infosec attendees, of course. The mega bank (and since I was the architect of some of the first electronic commerce solutions back in the mid 1990s for Sears, American Express, and Citicorp I know where you are coming from) has its somewhat unique challenges. But small businesses who cannot afford high end information security resources are now the most targeted sites and businesses for h*ckers to access personally identifiable information. The consequences of such an access often put the business under financially. Every unauthorized access triggers notice requirements to the entire database, followed by direct exposure to individual lawsuits, class actions, FTC and state Attorney General investigations, fines from credit card companies, and online attacks on the business' reputation. This almost always leads to the business closing down. Defcon, by training these youngsters and scofflaws the tricks of the trade, hands over the tools that might not crack a major bank's database or a government computer system, but puts at direct risk the small businesses that are today the primary subject of cyber-attacks. That's the problem. How many small business retailers are attending in order to gain insider knowledge of how to protect their information? And how many can afford quality infosec services? I think we all know the answers to those questions. Is the proper balancing act the benefit on one hand to banks and large corporations weighed against the risk to that organization? Or the benefits to society as opposed to the risk visited upon the backbone of our economy, the small business, and the individuals whose identity is placed at risk?

Yes, depending upon the hat you wear, the issue can become very complex. Measured judgment and a true appreciation for the inherent risk in educating our youth on how to break the law and cause immediate, irreparable catastrophic damage is what is needed.

I have never attended Defcon, and may come out this weekend. But as an Internet lawyer, I have been involved in representing former attendees. I'll probably run into some of them. Most are out of prison now.

Re Bill,
What do you do?
You hire a professional to look at things for your or outsource your security. Or as a customer of Oracle you demand that they change their development life cycle or hire a lawyer to hold them liable for writing code that in turn impacts your bottom line.

By hiring a professional you can mitigate the immediate and obvious problems that affect the operational aspects of your business.

Your correct that small business probably don't have super h*ckers on staff, but this is the beauty of commerce. Others can provide services for you that are equally or more skilled than the common attacker.

Most businesses if they practiced a few things differently would experience a world of difference with the availability and general health of their network, thus expanding their overall profitability by many margins. The key question I think that you need to ask is do I hire a few smart people to run my IT infrastructure, or do I hire the right outsourced resources that can aid in building the technical aspects of your business.

Operational, financial and reputation risks are valid concerns for every business, but pleading 1st degree victimization 'because its just not fair' isn't the greatest perspective on any topic.

For the record the founder of Defcon (Jeff Moss) is a good friend of mine and is one of the most ethical people I know in the business.

I'm sure if you guys wanted to continue this discussion we could all schedule a time and place for a good cup of coffee.

Also, almost every consultant I have had the privilege of working with over the years who have had great amounts of talent also had great amounts of honesty and dignity behind them. Just because most of the 'defcon' scene doesn't look like your normal social group and their are bands of teenage wanna be's pronouncing their false sense of masculinity through breaking , there are far few individuals sharing 0day exploit code for the masses.

The primary reason behind this is they make money on sharing this with their criminal friends, so even though it sounds like tons of 0day action is going on at these conferences with _anyone_ who attends , this can be summed up as sensational reporting by people who don't know what they are talking about and merely want to make 'security' another sexy buzzword on the 5pm news.

-Daniel Clemens
P.S. As far as oracle is concerned, the problem is more with oracle than h*ckers, yet oracle plays the 'victim' card when they need it and the we are 'unbreakable' card when they need it. Bottom line, they take over a year and a half to fix some vulnerabilities. Researchers have no other recourse than to publish their findings knowing that other independent researchers have already discovered the bug and sold it, all the while oracle was not fixing the bug they privately knew about nor fixing their sdlc.

So small businesses do an insufficient job of protecting sensitive data (data about you, data about me, data about DEFCON attendees, etc) and it is the fault of a few h*ckers?

So, John, I'm curious: Did you manage to put your frothing-at-the-mouth contempt for DefCon aside long enough to venture out this past weekend and discover that most of what you've been saying here is utter nonsense? A few bits in particular:

"Anyone can attend, unless, as real life experience tells us, you are a SPEAKER arrested by the Feds..."

The charges were dropped against him in exchange for testimony against his company, and despite the testimony, a jury still found the company not guilty. So, what's your point, really? If you were trying to make the point that sometimes the feds make bad busts, job well done.

"...a REPORTER "outed" by the Conference management and pursued by a mob of attendees"

And you think this is a bad thing...why? Do reporters have some inalienable right to have their identities kept secret, particularly in an environment the reporter willfully entered knowing full well that it is expressly forbidden to operate incognito as a reporter?

What she did was against the rules of the convention. The convention organizers offered to bring her into compliance with the rules on 4 separate occasions, and she refused to obey the rules every time. It seems rather hypocritical of you to incessantly wax on about "scofflaws" while simultaneously thinking it's somehow outrageous that a reporter was ejected (Even then, she really wasn't even ejected - merely exposed. She chose to leave on her own.) from the convention for breaking the rules.

As for the "mob" of people who so viciously "pursued" her - it was a handful of people with some cameras. Nobody so much as touched her. She left at a brisk walking pace, and she was obviously embarrassed and upset about being caught, but she clearly didn't feel threatened.

You really seem to beat the Michelle Madigan incident to death - came up a couple of times in this post, as well as your post about last year's DefCon. Is that really the best criticism you can muster? That a reporter was verbally heckled by the same people she was trying to assemble a "Gotcha" film-reel of in violation of the convention's rules? Is that somehow illegal or unethical? She was attempting to take advantage of them for a nice shock-value scare piece, and in returned she was... teased. That poor woman - I can't even imagine the horror of being teased.

"Show respect for the rule of law by welcoming law enforcement and not violating state and federal h*cking laws or encouraging others to do so under a guise of "research". Welcome the press into the fold in any way they see fit without mandating a "press credential" to be worn as a scarlet letter to incite contempt and ridicule and preclusion."

This, quite frankly, is what really demonstrates that you're fairly clueless about DefCon. Really, if you didn't make it out this weekend, you should next year. The press credential is not, by any means, a "scarlet letter". It's simply a matter of informed consent. Most attendees are perfectly comfortable speaking to the press, and many even crave doing so, while some would rather not engage the press. The press badge merely allows all attendees to decide if they would prefer to keep their private matters private, or share with the world.

At no point did I ever witness anyone wearing a press credential being attacked, mocked, ridiculed, harassed, bothered, or otherwise mistreated. Furthermore, every press badge holder I introduced myself to this past weekend seemed to be having a wonderful time at the convention.

And, by the way, John - you do realize there are entire panels of law enforcement present, correct? How, exactly, could they be any more welcome than they already are?

Here is what CNet.com (Elinor Mills) just reported about DefCon 2009:

"On July 27, Web sites belonging to a handful of security researchers and groups were h*cked and passwords, private e-mails, IM chats, and potentially sensitive documents were exposed on the vandalized site of security golden boy Dan Kaminsky. (Mitnick, whose jailing in the '90s for computer crimes made him a cause celebre at "Free Kevin" benefits at Defcon at the time, was among those attacked.)

There were more widespread threats at the shows, too. Anyone using the Wi-Fi networks at the events had better be careful lest they get their password sniffed and posted on the Wall of Sheep. Then there was the USB thumb drive that was passed around among attendees of Black Hat that was found to be infected with the Conficker virus.

Reporters who aren't nearly as geeky as the sources they interview are always easy prey. One reporter was concerned about being h*cked via the local area network in the press room after a rare Blue Screen of Death crashed his laptop.

Last year, three French men were expelled for sniffing the press room LAN at Black Hat. They said they had obtained eWeek's and CNET's passwords but failed to prove the CNET allegation.

This year, three South Koreans registered as press were ejected for asking questions that led organizers to believe were on an intelligence-gathering mission instead of merely reporting, according to the IDG News Service.

(See "Defcon: What to leave at home and other do's and don'ts" for tips on how to best protect yourself.)

At least I didn't use any automatic teller machines at the hotel. Defcon organizers confirmed on Monday that a fake ATM was discovered in a lobby of the Riviera Hotel where the event was held, right near the hotel security office. The ruse was up after someone looked through the camera hole using a flashlight and saw a PC inside.

Meanwhile, Chris Paget, a security expert who works at Google, reported on Twitter that he lost $200 from a compromised ATM at the Rio Hotel over the weekend. There are multiple Diebold ATMs with the skimmers inside at the Rio casino, he tweeted, later adding: 'Secret Service just called back. They're taking it seriously, reading between the lines it seem(s) like there's more going on here.'"

Me Thinks Ye Doth Protest Too Much...

John, I would think an internet super-lawyer such as yourself would be capable of actually responding to the points I made, instead of leaping into an extremely distant (and Ric Romero-esque - are we engaged in a state the obvious contest or something?) tangent that can basically summarized as, "h*cking takes place at a h*cker convention!"

None of what you just said had the first thing to do with the speaker who was arrested (and had the charges dropped, and whose company was later exonerated despite his testimony), the vicious teasing of Michelle Madigan, the fact that press badge holders are not ostracized (as you assert), nor the fact that law enforcement are quite welcome there (as evidenced by the fact that federal agents speak at panels annually at DefCon).

I'll be glad to address what you said above, but there doesn't seem to be much point in engaging someone who is merely going to change the subject every time he runs into a point he can't effectively argue against.

The comments to this entry are closed.