What I learned at DEF CON
Now in its 23rd year, DEF CON is an annual convention for hackers and information security (“infosec”) experts held in Las Vegas, Nevada. It immediately follows Black Hat, another celebrated computer security conference that’s more of a trade show for vendors. DEF CON is focused on the hacking community and welcomes everyone – including people from three-letter agencies like the FBI and the NSA.

This year, I attended for the first time. Here is what I learned.

1. Have an infosec plan

Hackers gonna hack. If you come to DEF CON, you will be surrounded on all sides by very talented hackers. Most are there to have a good time, but some arrive with more malicious intent, so you need to be secure. One of the more infamous attractions at DEF CON is the Wall of Sheep, where volunteers sniff the conference network and post the usernames and (partially masked) passwords of those unfortunate souls who send their login credentials in cleartext over the public Wi-Fi.

The first part of creating an infosec plan is to establish your threat model. What is it you are trying to protect, and from whom? Are you worried about a global adversary, a nation state, an advanced persistent threat, a criminal, or a bored hacker looking for “lulz”? The answer decides how much inconvenience each precaution is worth.

I take security measures whenever I connect to the internet (and you should too), but given the talent at DEF CON, I knew I’d need to be more vigilant. My first idea was to leave my computer and smartphone at home and rely on a dumb burner phone. I quickly realized that would be boring, and possibly overkill. I determined the level of risk I was willing to accept and then made a plan to mitigate that risk. (I didn’t end up on the Wall of Sheep.) What I learned through that process will stick with me, and I’ve added a couple of new precautions to my daily routine.
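To make the Wall of Sheep concrete, here is an added example (written for this post, not the wall’s own tooling) of the sniffer logic that lands people on it. It takes a handful of constructed (port, payload) pairs standing in for TCP flows on an open Wi-Fi network, pulls usernames and passwords out of the cleartext protocols a passive observer can read (HTTP Basic auth, FTP and POP3 logins), and masks the passwords before reporting them, as the wall does. The hosts, usernames and passwords are made up for the example; the TLS flow is included to show that an HTTPS login is opaque to the same observer.

```python
"""Added example: what a passive sniffer on open Wi-Fi sees when a protocol
sends credentials in cleartext. Not from the original post and not the Wall
of Sheep's own code; the flows below are constructed for the example."""
import base64
import re
from dataclasses import dataclass

# (destination port, TCP payload) as a sniffer would reassemble them.
# All hosts, usernames and passwords are made up.
SAMPLE_FLOWS = [
    # HTTP Basic auth: the header carries base64("alice:hunter2"), not encryption
    (80, "GET /mail/ HTTP/1.1\r\nHost: webmail.example.net\r\n"
         "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    # FTP login
    (21, "USER bob\r\nPASS letmein\r\n"),
    # POP3 login uses the same USER/PASS command pair
    (110, "USER carol@example.org\r\nPASS Tr0ub4dor&3\r\n"),
    # HTTPS: a TLS ClientHello; whatever login follows is opaque to the sniffer
    (443, "\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),
    # HTTP request that carries no credentials
    (80, "GET / HTTP/1.1\r\nHost: news.example.com\r\n\r\n"),
]

# Cleartext protocols this demo knows how to parse, keyed by destination port
PORT_PROTOCOL = {21: "ftp", 80: "http", 110: "pop3"}


@dataclass
class Sheep:
    protocol: str
    username: str
    masked_password: str


def mask(password: str) -> str:
    """Show the first two characters and hide the rest, as the wall does."""
    return password[:2] + "*" * max(len(password) - 2, 0)


def find_credentials(port: int, payload: str) -> list[Sheep]:
    """Extract any cleartext login from one flow; TLS and unknown ports yield nothing."""
    proto = PORT_PROTOCOL.get(port)
    found: list[Sheep] = []
    if proto == "http":
        # Basic auth is only base64-encoded, so it decodes straight back to user:pass
        for m in re.finditer(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload):
            try:
                user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                continue
            found.append(Sheep("http-basic", user, mask(pw)))
    elif proto in ("ftp", "pop3"):
        # Both protocols send USER then PASS as plain command lines
        user_m = re.search(r"^USER (\S+)\r?$", payload, re.M)
        pass_m = re.search(r"^PASS (\S+)\r?$", payload, re.M)
        if user_m and pass_m:
            found.append(Sheep(proto, user_m.group(1), mask(pass_m.group(1))))
    return found


def wall_of_sheep(flows=SAMPLE_FLOWS) -> list[Sheep]:
    """Run the sniffer logic over every flow and collect the exposed logins."""
    sheep: list[Sheep] = []
    for port, payload in flows:
        sheep.extend(find_credentials(port, payload))
    return sheep


if __name__ == "__main__":
    for s in wall_of_sheep():
        print(f"{s.protocol:10} {s.username:22} {s.masked_password}")
```

Nothing here requires breaking the Wi-Fi encryption, because on an open network there is none; the only thing standing between your password and the wall is whether the application protocol encrypts it. The practical precaution is on the client side: log in only over TLS (HTTPS, IMAPS, SFTP) or tunnel everything through a VPN, so that every flow looks like the port 443 entry above.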

2. Defense requires offense

Creating my personal infosec plan specifically for DEF CON meant that I had to consider what data I wanted to protect, and how someone might access that data. This is the theme that most pervaded DEF CON. Hackers, at least in the media, are often thought of as criminals. But the truth is that you cannot protect a network or your data without knowing how it might be attacked. If we want to build secure networks, we absolutely need people thinking about ways to break in.

3. If we outlaw hacking, only criminals will know how to hack

It might seem counterintuitive if you only read mainstream media, but hackers are making networks more secure. The headline might say “car hacked,” but the hacker didn’t create the vulnerability. The hacker found the vulnerability and exposed it, and we cannot fix what we don’t know is there. By punishing the researcher practicing responsible disclosure, we remove the incentive for security researchers to share the results of their research. Vulnerability reporting allows companies to patch holes (though they don’t always follow through, which is a separate problem). These patches keep users secure. And this is absolutely critical, because if a vulnerability is not patched, it is likely that a malicious actor will find and exploit it. In many of the cases presented at DEF CON, the researchers not only found a vulnerability, but also found evidence that it was already being exploited by less altruistic actors.

There is a difference between offensive security research and malicious hacking, but we cannot make the problem disappear by ignoring it and persecuting the researchers. Which leads me to…

4. You are vulnerable

You are vulnerable. Your computer is vulnerable. Your phone is vulnerable. Your car is vulnerable. In a few years, even your toaster and your refrigerator will be vulnerable. We are not designing systems with security and privacy in mind as we develop the “internet of things,” and we could all end up paying the price.

One of the talks at DEF CON was “I Will Kill You,” by Chris Rock (no, not that Chris Rock). Governments around the world want to keep track of their citizens. They want to know who is born and who has died. In the United States, a doctor must declare a person dead and a funeral director must then declare that the person’s body has been buried or cremated. These two certifications are all that is needed to legally “kill” someone off, and once a person is legally dead, their assets, including bank accounts, are at risk. Even more troubling, Rock claimed that in the United States, if more than three years have passed since you were declared dead, the government is no longer even able to recognize you as alive, even if you stand before a judge.

Mr. Rock discovered that a criminal or a fraudster could easily fill out the online forms to play the doctor, the funeral director, and the next of kin, all anonymously and with little verification. Even without a technical background, anyone could declare someone dead and seize his or her assets. The same approach works in reverse: a person can also register a fictional birth to create a false identity.

It is pretty easy to see how this could make you a lot of money. The short-term gain would be to “kill” off people and seize their assets. A long-term strategy would involve creating fake people and taking out loans or committing crimes for profit. The longer this vulnerability exists, the more devastating the problem could become. Sessions like this one at DEF CON show us our vulnerabilities and allow course corrections back toward a more secure ecosystem. Without them, we are exposing ourselves to far greater risk.

5. We desperately need more hackers in policy centers

With rare exceptions, there aren’t many technological experts in Washington D.C. Or Brussels. Or New Delhi. Or Manila. Or Brasilia. You get the picture. Yet policies are created and laws are passed that have a huge impact on the hacker community and the security of our networks. Right now, the U.S. Congress is debating harmful information-sharing legislation, regressive amendments to the Computer Fraud and Abuse Act, and the U.S. implementation of the Wassenaar Arrangement, to name just a few things coming down the pike.

Around the world, governments are looking to increase penalties related to hacking and to criminalize activity that serves the public interest. (And to be fair, there are certainly plenty of bad actors.) But to criminalize security research or outlaw strong encryption is the functional equivalent of locking up the messenger who tells the emperor that he is naked.

Society needs the hackers. And we need to explain that to the decision makers. It is at conferences like DEF CON that we see the value of this research fully demonstrated.

6. Our fundamental rights are at risk

If we criminalize the kind of offensive security research presented at DEF CON (with responsible disclosure), we put at risk people who are especially vulnerable. Nations around the world exploit vulnerabilities in technology to surveil citizens, track dissidents, spy on journalists, and restrict the fundamental rights of the people. In some situations, having secure technology to communicate can be a matter of life or death. By exposing these vulnerabilities at DEF CON, we are able to address them and ensure that our fundamental rights and freedoms are protected.

Now, if you’ll excuse me, I need to go change all of my passwords.

Photo credit: Nate Grigg