Defcon Recap 2009: Adventures of a Hacker Groupie

by Luna Flesher

As I so enthusiastically tweeted, Defcon 2009 was the best con I've been to since Radcon 1997. Here are a few highlights.

Getting There

The fun began at Sea-Tac airport, where we barely caught our flight by a thin margin. Getting to the airport 1.5 hours early only leaves room for one mistake, mishap, or other difficulty. We encountered several:

First, my iPhone fell out of my pocket and was back in the car. At the parking facility. To compound the issue, I hopped the wrong shuttle to fetch it. A shuttle that was going the wrong way. However a couple of helpful shuttle drivers got me to the right place, and I was back at the airport -- just in time to make the flight assuming no other mishaps occurred. I've just got to say: Thrifty car rental, FTW.

Back at the airport, I breathlessly found my two traveling companions waiting at the agent. Apparently, two of our tickets have been canceled with no notice. And one of our bags was over 50 lbs.

After waiting forever, repacking the bags, rushing through security, running down halls, finding out there was no room for us on the plane, then finding out there was, we boarded the plane with -5 minutes to spare.

Fake ATMs Skim Vegas

Since I was getting news mainly from Twitter and hallway rumor, I'm not too clear on all of the details. From what I gather, the first fake ATM was discovered at the Riviera Friday. Someone suspected something, and decided to investigate. Shining a flashlight down the hole where there should have been a camera instead revealed what looked like a PC. The machine was skimming mag stripes and PINs. It was quickly hauled away by police.

Most of us at first assumed it was some kind of hacker trick. We were after all attending Defcon. It turned out however to have probably been planted by a Las Vegas criminal ring. This rumor is substantiated by what happened Sunday.

@ChrisPaget was attending the Penn and Teller show offsite at the Rio. A great idea, given that I was attending the same show. He noticed something wasn't quite right when he used an ATM to get cash, ironically, for the "Bill of Rights: Security Edition" from the Penn and Teller gift shop.

After being skimmed, he called every authority he could think of: The Rio's security, the Nevada Gaming Commission, Las Vegas Metro PD, the FBI, the Secret Service. Rio security refused to turn off the machines, more people got skimmed, the case got bounced around between all the agencies, and now both the Riveria and the Rio are denying there was ever a problem. According to @sirspamsalot, as of Tuesday, the machines are still there, and someone has removed the out of order signs. Which shouldn't matter, since people were apparently ignoring the signs anyway.

Killer Bees Thwart Swimmers

The pool at the Riv was closed for a day, due to African Killer Bees. Here's a picture. According to our cab driver, this sort of thing happens all the time. And here I was suspecting a biohacker sneaked in a tailor-made pheromone. Yes, Defcon really does make you paranoid.

Bungee Jumpers

Some hoodlums were arrested after picking the roof locks so they could bungee jump off the building. Apparently, Darwinian-style suicide is illegal, even in Nevada.

Wall of Sheep

Much to my shame, I got pwned. My twitter account appeared on the wall of sheep along with the first three letters of my password. Kudos to the Wall of Sheep team for bringing security awareness to the world. The same team also skimmed RFID data. Your security probably sucks, too.


As always, Queercon ruled, in spite of the horribly incompetent hotel staff bartender.

We also manged to snag two of the 200 Facebook +1 passes that let us into the private party at Studio 54. Facebook really knows how to throw a party and generate social media buzz. I got to squeal like a geeky fan girl when YTCracker and MCLars took the stage for some Nerdcore rap. I'd never heard of DualCore but he was pretty good and generating lots of new fans.


All fun aside, education is the real reason to attend Defcon.

The Biohacking talk by Richard Thieme was by far the most interesting. Thieme claims that we are the last generation to be "born". He also said hackers have become too serious. Hacking never "grows up".

On the topic of brain wiring, a university student rigged himself to a belt with directional vibrators, like those from a cell phone. Which ever side of him faced north, he would "feel". The student's brain re-wired to account to the new artificial sense. He was given a migrational super-sense to find his way to anywhere. After he removed the device, it felt as if he had gone blind. It kind of reminded me of the time Ainmer and I glued rare earth magnets to our fingertips to give ourselves electromagnetic senses.

Next, Thieme predicted that bioengineering will be decentralized the same way computer engineering was moved from centralized universities and corporations. Computer hobbyists invented PCs, not governments or scientists. He sees a world where pharma and genetic engineering be put into the hands of hackers. This trend is already starting. "Yeah, the thing may jump out of the disk and eat your hand, but you have to take risks." I'm not sure what I think of that.

He concluded that lives in the present. "Since most people live in the past, I sound like a futurist." What a guy.

The talk on Hacking Your Tastebuds was highly participatory. I learned the difference between expensive balsamic vinegar and the cheap stuff from the grocery store. I also got to play with Miracle Fruit. It didn't work as well on me, but it really did make sweet things taste sour.

Death of Anonymous Travel covered all the many ways people know where you are, from the obvious "Papers please!", to RFID tracking, cellphone tracking, and ubiquitous cameras. Since reading Transparent Society by David Brin, I'm not really too concerned about this loss of privacy. Much.

Adam Savage (Mythbusters fame) spoke on failure. I'd already seen a version of this talk online, but he told the stories in new ways, and it was a lot of cool to be in the same very large room with him. Made the line worth it.

The FOE project (Feeding Controversial News to Censored Countries) was interesting, but the speaker was very dull. Their system involves encapsulating RSS feeds inside email over SSL. It can completely bypass packet filtering (SSL). They can't block the site or port without blocking major email services like Gmail. It seems brilliant, but the focus is on one-way communication, getting news into the censored country, rather than out. It isn't perfect, so it's intended as a supplement for existing systems, such as TOR and proxies. I'd like to see them modify for getting info out of the country, or to other people within the country, which would have fit the situation in Iran better. Like a server-side app that would take FOE packaged emails and tweet them via the Twitter API. Likewise for Youtube. Date verification could be part of this, since verifying authenticity is so important.

Manipulation and Abuse of Credit Reporting Agencies... interesting. This information has been available on "finance hacks" websites for some time. You can "freeze" a credit report. Which means if you apply for credit, the agency has to call you to get one-off approval. If you don't give approval, there is no hard inquiry made to your report, therefore no negative impact to your credit. Many creditors just fail over to the next report. This can be gamed in a number of ways.

They also gave details for gaming the system to borrow lots of $ on zero interest, for the purpose of reinvestment. In a better economy, some people were earning tens of thousands of dollars a year this way.

I also attended a talk on sleep labs, con game theater, and the legal status of your mind and its rights. When one talk was canceled, so we played Spot the Fed for a bit. What fun!

Peace, Love, and Internets. Out.

No comments:

Post a Comment