Politics. Politics! There was really no polite way to avoid the topic if you were at DEF CON 22 this year, hosted at the Rio Hotel & Convention Center in Las Vegas, and why even bother trying? It’s interesting regardless of personal beliefs, particularly for me (y’know, from a socio-politico-anthropological perspective).
On a somewhat lighter note, the sheer variety of mohawks alone was also rather entertaining; it gave me the opportunity to coin a new term, FroHawk, which is exactly what it sounds like.
Truths Through Fiction
Anyway, I sat down to watch author and columnist (and former priest) Richard Thieme give his presentation, The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State. He took people down a rabbit hole of sorts, with the overarching theme that the only way to tell the truth is through fiction, claiming that fiction carries truths that would be suppressed if stated plainly.
He said a friend who worked at the National Security Agency (NSA) told him as much, which prompted his writing of short stories and a novel-in-progress about his experiences in the world of intelligence professionals, hackers and encounters with other intelligent life forms (yup, UFOs).
He also described how the government has appointed itself a ministry of culture, becoming the biggest supporter of arts and media in an attempt to exercise control through entertainment: the classic story of propaganda distributed through soft means.
Not only does our government continue its spread via cleverly disguised means, but other governments also uphold their time-honored traditions of brutality and torture, turning ‘their people’ against us (here, he referenced “the Chinese and the Russians”).
He also referenced a pseudo-journalist who works with the CIA as a propagator of propaganda, stating that the media and government work in ‘close cahoots.’ He pointed to the example of journalists scheduling programs that debunked the verifiability of UFOs on behalf of state actors.
Another popular topic was the FOIA (Freedom of Information Act). He stated that FOIA is actually flawed, as the information released is deliberately obfuscated by the government; files are intentionally misfiled and take a long time to recover.
Hack the FBI: Literally
A different talk I went to, given by MIT PhD candidate Ryan Shapiro, was heavily focused on his personal frustrations and experiences with the FOIA system; it was aptly titled Hacking the FBI: How & Why to Liberate Government Records. According to his talk (and bio), he currently has over 700 active FOIA requests in progress with the CIA, DIA and NSA, in addition to lawsuits against the agencies (one against the FBI, which is attempting to shut down his research on the grounds that his dissertation on FOIA research is a threat to national security).
He said he started testing the system by submitting FOIA requests on people and events he knew they had files on, and yet he would continually get replies stating they had no files on record to release.
After that, he actually started submitting FOIA requests about his pending FOIA requests, including requests for information about how they actually processed a FOIA request; after that, they put a rule in place to disallow those types of requests. At this point, he concluded that the FBI was continually in non-compliance with FOIA.
In his abstract, he describes how he set out to conduct research on the criminalization of political dissent in post-9/11 America, which led to his discovery of a broken FOIA system. However, he acknowledged that even the best FOIA request can only go so far. In a few strongly worded statements, he argued that the hacking of the FBI and other agencies was essential to the viability of American democracy. And, as a historian, he called for hackers to release the records.
There was really nothing metaphorical or even remotely figurative here, he was literally asking hackers to help him, with their technical prowess, to hack the FBI. The guy sitting next to me asked me in almost painful disbelief, after the cheers of an appreciative audience, if Ryan had, in fact, actually asked us to “hack the FBI.”
Others ran up to the open Q&A microphones to challenge his methodology. One asked if, perhaps, the failed FOIA requests were the result of using the ‘wrong keywords,’ and that he could have been the one that was mistaken? I couldn’t help recalling Richard Thieme’s talk from earlier that morning - people reject things that make them uncomfortable, even if it’s reality, even if it’s the truth…
The theme of government surveillance ran strong throughout other talks at DEF CON, including a highly attended talk in the Penn & Teller theater that I waited half an hour to get into, in a line that wound throughout the hotel convention center. Titled Am I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance, it was presented by Dr. Phil Polstra, Associate Professor of Digital Forensics.
When I was finally let into the theater and directed to my nosebleed seat, I listened to a few slides on how to tell you’re being tailed by an undercover cop, the FBI, or anyone really. One of the bullet points: just pull over and see if they drive past you (low-tech). He also covered how to disguise your own surveillance van. For example, don’t choose ‘Tony’s Pizza’ as the cover logo on that infamous white van without windows, because duh, pizza delivery guys don’t just hang out in neighborhoods for hours at a time.
Stolen Data Markets
Another, more academic (and even government-funded) talk was given by MSU (Michigan State University) professor Thomas Holt: Stolen Data Markets: An Economic and Organizational Assessment. His team’s research, funded by the National Institute of Justice, looked at the data dumps and exchanges in underground markets; essentially, what thieves may attempt to do with the data after a breach.
According to their data, the United States and United Kingdom had the cheapest per-dump prices of any country, which Thomas said may be a result of the U.S. and U.K.’s less stringent standards for POS/online sales than other countries. They also estimated that a single seller could, potentially, make an estimated 2.6 million in profit on data dumps.
Security & the Internet of Things
Duo Security’s own Senior Researcher Zach Lanier and Security Evangelist Mark Stanislav presented to a very full crowd their talk, The Internet of Fails: Where IoT Has Gone Wrong and How We're Making It Right on Saturday morning.
They shed some light on how there isn’t enough security standardization in the Internet of Things (IoT) industry, and on how the ubiquity of cheap hardware speeds the rate of innovation and can make nearly anyone an IoT developer with little attention paid to the security side of the equation.
Security is a major issue in the IoT industry in particular because agility, speed and lower power consumption are the goals of IoT hardware, meaning security features are not the main focus. Plus, the reuse of the same components across many products means one vulnerability can affect many different devices.
Another security issue lies in remote support accounts used for support or updates: a hardcoded support password is the same on every unit, so anyone who recovers it (say, from a single firmware image) gets access to all of them. The same goes for those who set up quick-and-dirty cloud infrastructures to run the devices on; default credentials on the web app services behind the devices are a security problem too.
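As an added illustration of the two credential problems above (this is example code written for this post, not code from the talk or from Duo), here is the baked-in support password beside the per-device alternative, plus the deploy-time check for default credentials on the backing services. The account name, the “support123” password and the list of default pairs are all constructed for the example.

```python
"""Hardcoded vs. per-device support credentials on an IoT device (added example)."""
import hashlib
import hmac
import os
import secrets

# --- Vulnerable pattern: one support password baked into every unit's firmware ---
# (hypothetical values; recovering them from one firmware image unlocks every device)
SUPPORT_USER = "support"
SUPPORT_PASSWORD = "support123"


def vulnerable_login(user: str, password: str) -> bool:
    """Same secret on every device, in plaintext, and `==` stops at the first
    mismatching byte, which leaks timing information to a remote caller."""
    return user == SUPPORT_USER and password == SUPPORT_PASSWORD


# --- Hardened pattern: per-device secret, salted hash at rest, constant-time check ---
PBKDF2_ITERATIONS = 200_000


def provision_device() -> tuple[str, dict]:
    """Run once per unit during manufacturing: mint a unique support secret and
    store only its salted PBKDF2 hash on the device. Returns (secret, stored_record);
    the secret itself goes to the support workflow out of band and is never stored."""
    secret = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return secret, {"user": SUPPORT_USER, "salt": salt, "hash": digest}


def hardened_login(record: dict, user: str, password: str) -> bool:
    """Hash the supplied password with the stored salt and compare in constant time,
    so a wrong guess costs the same whether or not it is 'close'. A compromised
    record from one unit does not help against any other unit."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    user_ok = hmac.compare_digest(user.encode(), record["user"].encode())
    return hmac.compare_digest(candidate, record["hash"]) and user_ok


# --- Default credentials on the backing web services ---
# Constructed list of well-known (user, password) defaults for the example; a real
# deployment check would pull from a longer, maintained list.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("root", ""),
    ("support", "support123"),
}


def find_default_credentials(services: dict[str, tuple[str, str]]) -> list[str]:
    """Return the names of services still configured with a well-known default
    credential pair. Wire this into the deploy pipeline and fail the deploy
    whenever the list is non-empty."""
    return sorted(name for name, cred in services.items() if cred in KNOWN_DEFAULTS)


if __name__ == "__main__":
    secret, record = provision_device()
    print("hardened login with own secret:", hardened_login(record, "support", secret))
    print("hardened login with baked-in password:",
          hardened_login(record, "support", SUPPORT_PASSWORD))
    # Constructed service inventory for a quick-and-dirty cloud backend.
    inventory = {"dashboard": ("admin", "admin"), "api": ("svc_api", "x7Qp-Lm2v"), "db": ("root", "")}
    print("services on default credentials:", find_default_credentials(inventory))
```

The point of `provision_device` is that the secret is minted per unit, so the class of attack the talk described (dump one firmware, own the fleet) no longer works; `find_default_credentials` is the kind of gate that catches the cloud-side version of the same mistake before it ships.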
They ended with a callout to BuildItSecure.ly, their initiative to bring security knowledge and resources to smaller and crowd-sourced companies that may not have the security expertise to test their products and find bugs. These are also the companies likely to move faster and to get innovative technology to the consumers who demand it first. Part of the BuildItSecure.ly initiative is to have security researchers do pre-production testing of hardware before it actually goes to market, to reduce the prevalence of vulnerabilities found after the fact.
It was cool to see the difference between the more corporate Black Hat crowd versus the unabashedly radical libertarian viewpoints of the DEF CON attendees - both presented valuable data and information in their own particular style.
Also, we raised $240 in donations for the EFF (Electronic Frontier Foundation) at the Duo Security vendor table. Here’s more about them:
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.