A surprisingly well-written tech article for a source like CNN: clear to non-technical people, and yet not chock full of gross inaccuracies. Mainstream journalists have gotten me used to much lower quality.
It sounds like maybe you haven't been to Defcon. This article wasn't much better than an article about Burning Man would be if someone wrote one that focused on the fact that it was in the desert and didn't bother mentioning anything about the artwork or the other things that happen when a community of interesting people spends time together.
Defcon isn't about being scared. It's about blood drives, teaching anyone interested how to solder and I think this year it was about the new Defcon kids event that included a 10-year-old speaker teaching others about her game hacking techniques. Defcon makes me feel better about the world most years.
everyone freaks out because "oh man your computer will get hacked in N seconds on the defcon wifi". let's dissect this a little bit.
if i put a computer on the defcon wifi, it'll probably be say, modern linux (ubuntu, debian, or redhat) running either a minimal subset of services (ssh) or perhaps nothing, with firewall policy applied, or a modern windows (windows7) with the firewall on. i'll be using a modern, fully patched web browser, also perhaps with some additional mitigation technology (though nothing out of the ordinary) think perhaps noscript and EMET.
and also this is the one time of the year when i'm ready for this. every other day of the year i go to the coffee shop i don't know anything about the other randoms there but i assume they're drifting office droids hacking on their excel macros or recruiters cruising linkedin in between meetings.
so, if someone exploits me on the defcon wifi ... where else will that exploit work? everywhere, probably! it's probably a super awesome exploit that has super awesome properties that targets super popular software and is also unpatched. someone owns my openssh 5.3 on my laptop on the defcon wifi ... if i pcap that ... i'm a rich man. i can own boxes like mine.
so ... as a hypothetical attacker, why would i do this? i'm surrounded by people like me. they're alert. they're cautious. and they are the most capable people in the world to detect what i am doing and reveal it to everyone. oh and there are a whole bunch of law enforcement people there too, AND the entire thing happens in a casino which has heavy security and is already wired for sound and audio everywhere you go.
... anyone who is smart enough to be able to own your box at defcon, is also going to be smart enough to realize that they might as well wait until the week after when you're sitting at a coffee shop.
I don't think it's your computer joining the network that's the issue; the network itself is likely tainted. By extreme example, a rogue cell tower was demonstrated last year which monitored outgoing SMS messages. Your phone would automatically join it because its signal strength was greater and it had all required information.
The issue with Defcon Wi-Fi is that you should assume all outbound traffic is captured. Are you sure your mail notifier, Dropbox client, IM client, etc., aren't sending credentials of some kind that can be (at least temporarily) exploited?
You make the mistake of assuming that all networks are created equal and that just because you could potentially be vulnerable on a network that this vulnerability would have manifested itself to you by now.
For example, signin for this very website is done in cleartext. Do you have "big problems" right now? No, I hardly expect you do. Would you expect to if you jumped onto your standard open coffeeshop wifi? Realistically no. It is fairly unlikely that anyone in your average Starbucks gives half a shit about your HN account.
Now, if you went to DEFCON and didn't take additional precautions? Well, I'm not going to say anyone will really happen to care about your account even then, but you can be damned sure they'll log it anyway.
My point is 1) "any other network" on average is probably not as hostile as the open networks at DEFCON, and 2) your vulnerability will not necessarily manifest visibly as "big problems".
> if i put a computer on the defcon wifi, it'll probably be say, modern linux (ubuntu, debian, or redhat) running either a minimal subset of services (ssh) or perhaps nothing, with firewall policy applied, or a modern windows (windows7) with the firewall on. i'll be using a modern, fully patched web browser, also perhaps with some additional mitigation technology (though nothing out of the ordinary) think perhaps noscript and EMET.
The first time I went to DEFCON, I got to hear Roger Dingledine complain about how Ubuntu had been shipping a version of Tor with a known remote root vulnerability for months. Modern Linux distribution != magical instant application of all patches.
If you're blackhat, sure. But I'd venture to guess that a good portion, as greyhats, are there to do just what this article suggests: raise awareness of new potential threats, claim bragging rights, and improve security for all.
Defcon is cheap to attend. You should go sometime and get a feel for the event. If a trip to Vegas is out of your price range, go visit Hot Topic. You'll get the proper feel.
The Defcon crowd is awfully touristy. I mean that professionally.
In fact, it's far more the marketing success of defcon that should get attention from hacker news. They have been building quite an empire over the last 19 years.
On the other hand, they might just PCAP all of _your_ traffic, and wait until some flaw like DSA-1571-1 surfaces, and go back a week, a month, a year later to recover the plaintext of all your encrypted sessions.
By way of disclosure, I'm one half of the founders of http://www.44con.com/ and my co-founder is a DEF CON goon.
I can't talk about the wifi there, but what we're doing for 44Con is reason enough not to use the wifi. We will be logging everything on that network and running it through netwitness gear. We won't have a wall of sheep, but unless you're certain your transport is encrypted, your details will be captured and stored.
At DEF CON it's worse - you can't assume that your GSM or any form of RF connection is secure. Fake ATMs, rogue cell towers and RFID hacking have all been done before there. It's the nature of the atmosphere there.
Wow, that's impressively well-written. And it's about computer security. And it's about hackers, who are hacking. That's like a perfect storm of news-writer fail, and they did a pretty good job through it all.
I love that they included this quote, it sums up security very very very well:
>It's not about breaking the lock, he said, it's about learning the lock can be broken.
I've found ways to open most combination locks in a second or two, without even looking suspicious. It's easier than entering the combination, usually. Those $20k-insured round-keyed laptop locks? Takes about 30 seconds on average, 5 or less if you're lucky. My dad lost a $20 bet with me on that, with the one his employer supplied (and expected him to use) - it took me 5 minutes on the first attempt, and less than a minute each time after that.
Security isn't about stopping people from breaking in. It's about not being the low-hanging fruit.
The DefCon wireless is nowhere near as scary as people make it out to be. Making people believe that something is scary is part of the fun of it for those of us that help run the con.
Currently at con, on my laptop with OpenVPN and tethered to my phone because the DefCon wireless is overloaded and not handing out an IP address.
If you value your sanity, I'd suggest steering clear of the comments on this article. Although I guess you could say that for comments on most articles on CNN.
If I ever have a site which posts content, or if I ever finally make a blog, the first thing I will do is turn off the comments. If you want to talk to me, you can email me, or write your own post in response.
Walking around the CTF room, it looked to be about 1/2 Mac and 1/2 non-mac, with about 1/2 of the non-macs running some unix variant (assuming people aren't running linux with a windows looking window manager or vice versa).
I'm pretty sure any hacker worth his weight in microchips doesn't have a problem. I've been to def con and always take a *nix system with a solid firewall and a way to ssh/vpn home to do all my logging into websites from.
DEF CON doesn't scare hackers. It gives us a chance to see if our setups are actually secure and if we get pwnd we deserved it and learn from the experience.
Defcon is much more like a family reunion than a scary thing. This year hundreds of hackers literally opened their veins to give blood in honor of one of our own who needed it. The hacking of other attendees that goes on has more of a prank feel to it (much like a lot of the con!) than a scary thing. It's just a bunch of people getting together to talk, do interesting things and/or get drunk together.
They ran out of neck holder things for the badges so a lot of people aren't wearing them. As a result, they're not really looking for badges. My friend went around (Saturday) and he was able to get in even though he didn't pay.
Bury your room key...-why LV hotels don't use RFID for room keys.
Scan your credit card remotely - not if they are mag stripe.
FUD articles like this are why people don't know to use VPN or HTTPS, what a waste of CNN's money sending him there for this - sorry but it has to be said could have been a much better more accurate article covering actual security issues.