By Joe Barr
October 23, 2007
ToorCon 9, a hacker's convention, kicked off with registration and a
reception Friday evening in the San Diego Convention Center. Keynotes
and the talks were held Saturday and Sunday. This was my first time at
ToorCon, and I learned why it is so highly regarded among the hacker
community. It's good.
There were probably a few feds in the crowd, but for the most part
attendees were hackers or hacker wannabes. ToorCon occupied only a small
fraction of the enormous convention center; the whole thing was
conducted in three meeting rooms on the upper level.
While we were both waiting to register, I met Scott Moulton, who owns a
forensics company in Atlanta and gave a talk on Saturday about
recovering data from damaged flash drives. While Moulton and I were
talking, Johnny Cache happened to walk by and Moulton pointed him out to
me. Cache and David Maynor were vilified by the Apple community's
bloggers last year after the shameful fiasco at Black Hat last year,
when strong-arm legal tactics by Apple not only made it impossible for
them to mention the Apple Wi-Fi card in their taped demo of a Wi-Fi
exploit, but also to defend themselves from attacks in the blogosphere.
Cache was not at ToorCon to give a talk, but simply to attend.
On Saturday, I spent a few minutes with ToorCon's founder David Hulton
(h1kari), event coordinator George Spillman (Geo), and Johnny Cache, and
learned a little bit about the history of ToorCon. Hulton said that he
and a friend started the con nine years ago, when he was 15. They had
just returned from DefCon 4 in Las Vegas and decided to do a local
version. His friend couldn't participate the following year, but he
continued with it, never dreaming, he said, that it would grow to be as
popular as it is today.
I also ran into a couple of DefCon regulars -- part of the CoffeeWars
crew -- on Friday evening: students like the one who came to hear one of
his teachers give a talk about teaching hacking in college, a college
math teacher from Chicago there to learn what he could, a sprinkling of
talent from San Diego 2600, and assorted l33t and not-so-l33t attendees
ranging in age from their teens to at least their 60s.
ToorCon 9 began Saturday morning with an eye-opening, irreverent,
F-bomb-laced keynote entitled "Wolverine, Yo' Mama, Spooks, and Osama"
delivered by a security engineer named Beetle, who explained he was a
last-minute replacement for a speaker who had to cancel. By the time he
finished, I don't think anyone was left feeling shortchanged by the
Nobody was safe from Beetle's wrath. His rant covered the deciders who
dictate the story lines at Marvel Comics, the Slashdot crowd, Google,
politicians in Washington, the American public, and the hacker community
After deconstructing the story lines of several comic books over the
past year or two, applying criticisms and sarcastic commentary as
needed, he paused and asked what some in the audience were wondering:
Where he was going with all of this? Then he dived back in and started
to work on Slashdot and Google. With graphs showing the number of
comments that various stories that appeared on Slashdot got, he
illustrated how stories are much more popular on Slashdot before all the
facts are known, when opinions are shaped by fanboys and bloggers who
opine without the benefit of a clue.
Beetle used the aforementioned story of Johnny Cache and David Maynor to
illustrate his point. The truth of the matter was finally revealed when
Maynor was freed from the non-disclosure agreement last year, but
interest in the matter was basically gone.
As for Google, he began by referencing the NSA and its spooks, and the
controversial monitoring and data mining they are doing on American
citizens. Then he remarked how Google did much the same thing with our
search requests, then sold the results so they could be used for
Beetle also lampooned America's attitude toward China. He pointed out
that we, led by the politicians in DC, were all in an uproar over lead
paint on children's toys, but concern about China as the source of spam
or Internet attacks on our military and government networks? No uproar
over that, so evidently that's no big deal.
Several things had happened by the time Beetle finished: the F-word had
become nothing more than punctuation, the crowd almost unanimously had
been entertained and won over by his rants, and everyone was wide awake.
That's a good way to start a con.
After a second keynote called "Black Ops 2007: Design Reviewing the
Web"-- Dan Kaminsky had the misfortune to follow Beetle -- the con was
off and running.
There were only two tracks at ToorCon -- one about hacking things and
one about defending things from being hacked. One of the three meeting
rooms was labeled Attacks, another Defense. The third room housed a live
hacking competition, where teams competed to see how many and how
quickly they could own various servers on the LAN. Also in the room were
a book publisher hawking its wares, representatives from the Hacker
Foundation selling T-shirts and memorabilia, and others.
On Saturday, all the talks were an hour long. On Sunday, the talks were
only 20 minutes long, a format which seems to be growing in popularity
at hacker cons. Most often, the crowd would stay in the same room when
one talk was finished and wait a few minutes for the next to begin.
One of the more popular talks was called "Exposing Stormworm." You may
have heard or read some of the buzz about Stormworm this past summer.
It's a new generation of botnets that are being used by spammers to make
sure you always know about the best deals on penis enhancement and
get-rich-quick stock purchase opportunities. Brandon Enright, a network
security analyst at the University of California, San Diego, and a code
contributor to open source projects such as Nmap, came to ToorCon not to
hype the dangers of Stormworm, but to deliver the results of research
that monitors its size.
The Stormworm botnet is an impressive phenomenon. Enright displayed
graphs of active -- defined as being online and capable of being
controlled -- Stormworm nodes based on monitoring the night before his
presentation. They numbered about 22,000. That's a powerful force, but
far short of some of the estimates that have been seen in print. Enright
said that while many millions of Windows systems have been infected by
Stormworm, they haven't all stayed infected, as its fingerprints are now
VoIP and Wi-Fi were popular topics, for both tracks. I attended three
20-minute talks on VoIP. The first explained how to hack a VPN used for
VoIP and hop into the data network. The speakers suggested I attend
another talk, this one on defense side, on the same topic. That one
suggested I catch Druid's talk on Context-keyed Payload Encoding. From
those three talks it's clear that VoIP, like Wi-Fi, was designed without
concern about security. Hopefully, both areas will eventually provide
better security, but today they are a collection of vulnerabilities.
I also enjoyed a panel talk on "Building Hackerspaces," hosted by Nick
Farr of the Hacker Foundation and Eric Johnson (3ricj), who is involved
with a hackerspace in the Seattle area. I learned that a hackerspace is
similar to a LUG, but not the same. It's a community-owned and -governed
space where people who enjoy hacking can gather and work together on the
project of the moment.
ToorCon 9 was a great con. I think I enjoyed it more and learned more
than at any other I've attended. It may be smaller in attendance, but
not in content and style. A DVD containing all the talks is slated to be
for sale, or if you're the patient type, you can wait for the videos to
appear on the ToorCon Web site.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com