July 27, 2009
As Internet lawyers, we deal with h*ckers all the time. Usually chasing them, to be totally frank. We had a chance to pick the brain of some exceptionally talented and knowledgeable government security types recently, and both were in complete praise of the Black Hat conference immediately prior to DEFCON. And both refuse to attend DEFCON because they are ridiculed and harassed by young adults acting like kids. You'll recall the chase video on YouTube in which attendees "out" a reporter in a most inappropriate and threatening way.
As DEFCON starts its conference this week, the rallying cries of those trying to defend the annual "conference for h*ckers" grows louder. Last year, the Dozier Internet Law website came under attack during the conference. You may also recall the Dozier Internet Law 2008 Defcon blog posting. Out of the blue, defenders of DEFCON's "business expensed" veritable fantasyfest in Vegas chimed in, pointing out that the vast majority of attendees are information security professionals. Of course, that's like saying that almost all of the attendees at a bomb making workshop are not terrorists. Great. As an Internet lawyer, We'll never run into the "vast majority" of the attendees. How about the "others", though?
Here is an excerpt from the official description of a featured program from this year:
"Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules."
In other words, they have pulled together public and not so public hacks and are organizing them under one tent for ease of access and use for hacking into Oracle databases. Now, there are two ways this can go. The information security attendees can use this information to identify risks and implement fixes for security holes. And the other way? Attendees learn how to more easily h*ck into databases and steal information and identities. And at the same time create catastrophic loss to a business even if the h*cker just accesses the data and looks around.
The good news is that anyone with US $120 can attend. No real names, please. Just use your moniker. Anonymity is paramount. There is even an annual game for embarrassing the federal authorities in attendance. Rooms are $109 per night, but no more than four in a room, please.
This conference has a long history of problems: Anyone can attend, unless, as real life experience tells us, you are a SPEAKER arrested by the Feds, a REPORTER "outed" by the Conference management and pursued by a mob of attendees, or a registrant intercepted at our border before getting into the US. Couple that with the session last year on how to hack a Boston public transit system and get "free fares for life", and the MSBlast Worm and Virus fiasco of several years ago where the Department of Homeland Security had to issue a global alert the day before the conference, and the many, many other incidents that are recorded for posterity online. And then lay on top of that the Electronic Frontier Foundation's prominent and high profile attendance and involvement at the conference attacking our computer crime laws as "absurd"...laws passed and strengthened post 9/11 by the US Congress.
Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to h*ck into a protected computer? At Traverse Internet Law, we know this issue is yet to be fleshed out fully but we expect that criminal conspiracy laws could come into play at some point. It wouldn't matter, though, if someone would use some basic common sense and get rid of the 15 year old using an assumed name and learning the finer points of how to h*ck. A conference for security professionals? This is not found anywhere on the DEFCON website. And while it clearly meets that definition to some, and likely most, attendees...that's not good enough.
Here are some suggestions: Tighten up the rules of admission, use real names, bar convicted felons and known "black hat" h*ckers, and stop intimidating the legal authorities and reporters. Maybe then you'll become legitimate and not an unacceptable risk to society. Oh, and get your head out of the sand. It may be all fun and games, but trust me: The wolves in sheep's clothing are there. You either don't know how to spot them, or you don't care.
DEFCON, if you don't change, you need to be shut down.