By DAN GOODIN
The Associated Press
The middle-aged G-men who wear crisp suits and consort with teenage
hackers sporting purple hair can make the two conferences that will
converge in Las Vegas this week look like a scene from a science-fiction
In fact, the gatherings are the most important in the world of computer
security, drawing a "who's who" list of leaders from companies such as
Microsoft Corp. and Cisco Systems Inc., government agencies including the
FBI and underground groups that act as a neighborhood watch for the
The motley band of researchers, federal agents and cyberhobbyists comes to
learn how to fortify networks against the latest attacks, share research
on new vulnerabilities and recruit people in a field where competition for
talent is growing increasingly fierce.
Laced with an abundance of raucous parties and high-tech pranks, the
five-day event is equal parts boot camp, hard-core technical forum and
carnival of bacchanal proportions.
"This is a circus with many rings," said Richard Thieme, whose book
"Islands in the Clickstream" explores the effect computers and other
machines have on society and individuals. "There's a constant exchanging
of energy and information, morning, noon and night, and that's what is so
powerfully attractive to hackers and anyone who wants to learn."
Black Hat, which runs Wednesday and Thursday, is more the university: In
its 10th year, it is a corporate-driven event, with an admission fee as
high as $2,500.
By contrast, Defcon is the fraternity party. Held every year since 1993,
the Friday-Sunday show thrives on chaos, loud parties and a crowd that's
decidedly more anti-establishment.
True to the insatiable curiosity at the heart of the hacker ethos, the
events keep participants on their toes, lest they fall victim to high-tech
pranks of fellow attendees.
In past years, pay phones have been said to disappear off hotel walls and
hotel TV billing systems and wireless computer networks have been
penetrated, allowing those with the technical know-how to one-up their
Bo Holland, the founder of several startups that work with large financial
services companies, said he was cruising the floor of last year's Defcon
when he came upon an automated teller machine that had a skull and
crossbones and the conference logo displayed on its monitor. Upon closer
inspection, he noticed someone had attached alligator clips to the cable
on the ATM's backside and run a wire into the ceiling.
"I lost a real sense of security," said Holland, who had long assumed ATM
networks were invulnerable. "I came away with a real appreciation for the
powers these hackers had developed."
Other pranks have included dye that, in different years, has turned hotel
pools purple, orange and blue. A large "wall of sheep" displays names and
partial passwords sniffed from unsecured computers that connected to
wireless networks.
A few years ago someone disguised a wireless network to look like the one
officially sanctioned by Defcon. When unwitting attendees connected to the
rogue network, their Web pages were appended with vulgar images.
"An awful lot of what you will see is people gleefully poking holes in
things," said Jon Callas, a longtime attendee and chief technology officer
of encryption software maker PGP Corp. "It's a cross between a computer
security conference and a punk rock concert."
Although some of the events clearly cross the lines of legality and
good taste - past pranks have included pouring cement into toilets,
setting off smoke bombs and stealing hotel satellite dishes - the
conferences have been known to expose weaknesses in products made by some
of the world's most powerful companies.
At last year's Black Hat, Cisco Systems Inc. tried to stop researcher
Michael Lynn from speaking about a vulnerability that he said could let
hackers virtually shut down the Internet.
Cisco managed to get pages documenting the flaw torn out of all 2,000
conference binders, but ultimately the biggest maker of Internet routing
and switching equipment was unable to squelch Lynn's talk.
The tension between hacker activism and corporate interests may generate
more friction this year as two researchers demonstrate ways to hijack some
of the most popular brands of laptop computers by exploiting a flaw in
their wireless connections.
A third researcher plans to demonstrate software that can drop
undetectable programs for snooping into computers running Windows Vista,
the next generation of Microsoft's operating system.
But there are signs that technology companies may be getting more
comfortable discussing the security of their flagship products.
Microsoft scheduled a day of talks for Thursday on new approaches to
hardening its products; it also wants feedback from participants.
And a Cisco executive is scheduled to sit in on a panel that includes
people who have criticized the company in the past.
Adam Laurie, chief security officer of Thebunker.com, a U.K.-based site
for storing sensitive information, said past conferences are partly to
thank for the growing willingness of Microsoft and Cisco to disclose
potential weaknesses in their key products.
"We are having this stuff forced upon us, and you can't choose not to have
it," said Laurie, who goes by "Major Malfunction." "If they don't do it
properly, that puts me at risk."
On the Net: