(In Depth, 08/04/97)
How do you distinguish DEF CON from Comdex or Share or any other information technology gathering? DEF CON is the one to which attendees are merrily encouraged to bring firearms.
About a dozen did just that. One day they went deep into the desert to shoot large-caliber rounds at full cans of Mountain Dew and a paper likeness of Bill Gates. Nobody thought to bring clay pigeons, so for skeet shooting, they made do with America Online CDs.
I'm an Internet consultant from Minneapolis. I like to think I'm an upstanding member of the mainstream information systems community. So I was nervous about attending DEF CON V, held last month at the Aladdin Hotel and Casino in Las Vegas [CW, July 21].
But I was also drawn by the opportunity to learn network security techniques from the very hackers who break in to computer systems. DEF CON's organizer, known as Dark Tangent, touted the fifth annual event as (among other things) the conference for computer hackers, password crackers, virus coders and phone phreaks.
I was uncomfortable because computer hacking and wire fraud aren't generally discussed by us polite corporate IS types, and we normally don't come in contact with those who participate in such activities. At least, that's what I thought before the conference. Now I'm convinced we have contact with hackers all the time. We just don't notice them - and that's the way they like it.
But there are times when hackers go out of their way to get noticed. One day during DEF CON, a group traveled three hours north of Las Vegas to a government facility known as Area 51. This is the place - very much in the news lately - where it's long been rumored that the government is conducting research with technology recovered from a crashed alien spacecraft.
When the hackers reached the security fence surrounding the compound, th ey lofted aluminum foil attached to helium balloons and watched the devices float within the scan of Area 51's radar. Minutes later they were asked to kindly leave the premises.
And the duck sang 'Blue Suede Shoes'
You expect vendors at any computer conference. At DEF CON V, entrepreneurs peddled logo parody T-shirts, books on hacker culture and piles of used telephone and computer hardware.
Even here, though, there was a hack. I felt sorry for the T-shirt salesman who lost much of his inventory when the sign that originally said "$20 each" was replaced by one that read "Free, take one."
And there was a vendor-sponsored scavenger hunt. Items on the list included the following:
A security camera (60 points)
A foreign Web page "redecorated" by the hunter (15 points)
A live duck (20 points)
The hacker with the most points got to grab items from a box filled with used computer and telephone components.
And yes, somebody found a duck.
Did you say root beer jugs?
One guy showed up with a handmade rail gun. A rail gun moves a lot of electrical energy down a conductive track. Along the way, it can fire a projectile at speeds approaching 10,000 meters per second. It discharges so much power, the designer used graphite disks as projectiles. Anything metal, you see, would have been welded to the gun.
The graphite projectiles were expensive, but the gun was otherwise built from hardware store items and scrap. The major design problem - the need for a large amount of power - was solved with banks of "Tesla-style" high-voltage capacitors made from root beer jugs, salt water, bolts, wire and tin foil.
"I'm doing this to prove that you don't have to be trained in something to do something. Most of the people in this room know that, but the public at large doesn't," the designer said.
That simple truth justified my attendance at DEF CON. I won't be able to convince myself any longer that I lack the training to make a system secure. There should be ways to a secure system, even if the path requires an untraditional route.
Holy Cow, a Las Vegas microbrewery, originally agreed to give a free beer to anybody with a DEF CON badge. The offer was published on DEF CON's Web page (www.defcon.org), and coupons were printed.
But shortly before the convention, Holy Cow changed management. The new boss refused to honor the free beer commitment.
When the bad news was announced, conference attendees jeered. But the mood changed to anticipation, then wild laughter as the announcer said, "So I visited their Web page ..." At this point the crowd started chanting, "What's their URL? What's their URL?"
The lack of free beer didn't stem the flow of alcohol. Drinking games thrived.
In one - "the TCP/IP game" - the goal was to determine how much beer a panel of experts could consume before they became incapable of answering questions on topics such as firewall filtering or bit-level Internet protocols.
Another favorite game was Hacker Jeopardy. Categories included We Still Hate Cyber Movies, Some (Inter)net Security and Aliens Among Us.
And then there was the "Spot the Fed" contest. It's a fact of DEF CON life that federal law enforcement agents attend the conference. Squares like me, the feds hope to learn the latest tricks of the trade. But unlike me, they keep a close eye on who's who at DEF CON - groups, trends and leaders are all monitored.
I was amazed as three consecutive federal agents were spotted and marched sheepishly (but good-naturedly) to the podium. In each case, the agent was correctly identified solely through the social engineering skills of a hacker. Winners received T-shirts and a round of applause.
I can't recall ever seeing an industry show with as much audience participation as DEF CON. A simple question such as, "How many of you hackers program with the keyboard in your lap?" filled the conference room with cheers and whistles. Pleased by the results of his informal demographic study, Doug Hacker (yes, that's his real name) proceeded to toss handfuls of his invention, the Lap Clip, to the audience.
Throwing was the method of choice for distributing prizes - and there
were countless prizes. People would stand on their chairs and dive for copies of books, such as E-mail Addresses of the Rich and Famous or obsolete computer boards. It wasn't uncommon to see CD-ROMs or unprogrammed cellular phones bounce 50 or 100 feet into the audience.
The main door prize was - what else? - a door. It came from a GTE Corp.
service truck. It was not thrown into the audience.