
Black Hat, Defcon Pranks Underlie Larger Security Message

The middle-aged G-men who wear crisp suits and consort with teenage hackers sporting purple hair can make the two conferences that will converge in Las Vegas this week look like a scene from a science-fiction movie.

In fact, the gatherings are the most important in the world of computer security, drawing a "who's who" list of leaders from companies such as Microsoft Corp. and Cisco Systems Inc., government agencies including the FBI and underground groups that act as a neighborhood watch for the Internet.

The motley band of researchers, federal agents and cyber hobbyists comes to learn how to fortify networks against the latest attacks, share research on new vulnerabilities and recruit people in a field where competition for talent is growing increasingly fierce.

Laced with an abundance of raucous parties and high-tech pranks, the five-day event is equal parts boot camp, hard-core technical forum and carnival of bacchanal proportions.

"This is a circus with many rings," said Richard Thieme, whose book "Islands in the Clickstream" explores the effect computers and other machines have on society and individuals. "There's a constant exchanging of energy and information, morning, noon and night, and that's what is so powerfully attractive to hackers and anyone who wants to learn."

Black Hat, which runs Wednesday and Thursday, is more the university: In its 10th year, it is a corporate-driven event, with an admission fee as high as $2,500.

By contrast, Defcon is the fraternity party. Held every year since 1993, the Friday-Sunday show thrives on chaos, loud parties and a crowd that's decidedly more antiestablishment.

True to the insatiable curiosity at the heart of the hacker ethos, the events keep participants on their toes, lest they fall victim to the high-tech pranks of fellow attendees.

In past years, pay phones have been said to disappear off hotel walls, and hotel TV billing systems and wireless computer networks have been penetrated, allowing those with the technical know-how to one-up their fellow attendees.

Bo Holland, the founder of several startups that work with large financial services companies, said he was cruising the floor of last year's Defcon when he came upon an automated teller machine with a skull and crossbones and the conference logo displayed on its monitor. On closer inspection, he noticed someone had attached alligator clips to the cable on the back of the ATM and run a wire into the ceiling.

"I lost a real sense of security," said Holland, who had long assumed ATM networks were invulnerable. "I came away with a real appreciation for the powers these hackers had developed."

Other pranks have included dye that, in different years, has turned hotel pools purple, orange and blue. A large "wall of sheep" displays user names and partial passwords sniffed from attendees' computers that sent their login credentials unencrypted over the conference wireless networks.
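What the "wall of sheep" does is mechanically simple: it watches cleartext traffic on the open wireless network, pulls user names and passwords out of protocols that send them unencrypted, and shows the password only partially so the victim is shamed rather than compromised. The following Python is an added illustration, not code from the article or from the Defcon display itself. It works on a constructed list of reassembled HTTP requests (the host names and credentials are made up), handles the two most common cleartext cases, HTTP Basic authentication and URL-encoded login forms, and masks each password the way the wall does.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: three HTTP requests as a sniffer would reassemble them
# from an open wireless network. These are invented, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /mail/inbox HTTP/1.1\r\nHost: webmail.example\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    "username=bob&password=secret42",
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
]

# Form field names the sniffer treats as a login (assumption for this example).
USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd")


def mask(secret, keep=2):
    """Reveal only the first `keep` characters; the rest become asterisks."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def parse_request(raw):
    """Split one HTTP request into (headers dict, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def extract_credentials(raw):
    """Return (host, user, password) if the request carries a cleartext credential, else None."""
    headers, body = parse_request(raw)
    host = headers.get("host", "?")

    # Case 1: HTTP Basic auth is just base64("user:password"), no secrecy at all.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a subclass of ValueError
            return None
        user, sep, password = decoded.partition(":")
        return (host, user, password) if sep else None

    # Case 2: a login form posted over plain HTTP.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body)
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
        password = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if user and password:
            return host, user, password
    return None


def wall_of_sheep(requests):
    """Build the display rows: host, user name, masked password."""
    rows = []
    for raw in requests:
        found = extract_credentials(raw)
        if found:
            host, user, password = found
            rows.append(f"{host:<20} {user:<12} {mask(password)}")
    return rows


if __name__ == "__main__":
    for row in wall_of_sheep(SAMPLE_REQUESTS):
        print(row)
```

The third sample request carries no credential and produces no row; that is the check a real sniffer needs so that ordinary browsing does not land on the wall. The same logic applies to any cleartext protocol (POP3, IMAP, FTP), which is why the practical defense is to use TLS end to end rather than to trust the network.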

A few years ago someone set up a rogue wireless network disguised to look like the one officially sanctioned by Defcon. When unwitting attendees connected to it, the Web pages they loaded came back with vulgar images inserted.

"An awful lot of what you will see is people gleefully poking holes in things," said Jon Callas, a longtime attendee and chief technology officer of encryption software maker PGP Corp. "It's a cross between a computer security conference and a punk rock concert."

Although some of the antics clearly cross the line of legality and good taste -- past pranks have included pouring cement into toilets, setting off smoke bombs and stealing hotel satellite dishes -- the conferences have been known to expose weaknesses in products made by some of the world's most powerful companies.

At last year's Black Hat, Cisco Systems Inc. tried to stop researcher Michael Lynn from speaking about a vulnerability that he said could let hackers virtually shut down the Internet.

Cisco managed to get pages documenting the flaw torn out of all 2,000 conference binders, but ultimately the biggest maker of Internet routing and switching equipment was unable to squelch Lynn's talk.

The tension between hacker activism and corporate interests may generate more friction this year as two researchers demonstrate ways to hijack some of the most popular brands of laptop computers by exploiting a flaw in their wireless connections.

A third researcher plans to demonstrate software that can plant undetectable snooping programs on computers running Windows Vista, the next generation of Microsoft's operating system.

But there are signs that technology companies may be getting more comfortable discussing the security of their flagship products. Microsoft scheduled a day of talks for Thursday on new approaches to hardening its products; it also wants feedback from participants.

And a Cisco executive is scheduled to sit in on a panel that includes people who have criticized the company in the past.

Adam Laurie, chief security officer of Thebunker.co.uk, a U.K.-based site for storing sensitive information, said past conferences are partly to thank for the growing willingness of Microsoft and Cisco to disclose potential weaknesses in their key products.

"We are having this stuff forced upon us, and you can't choose not to have it," said Laurie, who goes by "Major Malfunction." "If they don't do it properly, that puts me at risk."
