Rick Lax tries gaming the gamers at DEFCON
Every year, thousands of hackers descend on Las Vegas for scavenger hunts, social engineering and more
Thu, Aug 9, 2012 (midnight)
Photo: Sam Morris
Usually, I feel like the smartest guy in the room. Maybe I’m truly clever or maybe I’m dumb and egotistical, but either way, I walk around seeing idiocy like Haley Joel Osment sees dead people.
Not at DEFCON. At DEFCON, I feel like the dumbest guy in the room. The Asian girl with the pink hair, the white girl with the furry rabbit ears, the guy in the cheap suit and the gas mask, the guy in the Pedobear mask—I get the sense that each one of them is smarter than I am. I get the sense I’ll be working for them one day. That I’ll be lucky to work for them.
But for now, I’m just writing about them. At least, I’m trying to. Getting my press badge was no problem; I strolled into the “INHUMAN REGISTRATION” room and flashed my credentials, but everything that comes after that is proving tricky. The badge isn’t made of paper. It’s made of, uh, computer parts. (That’s the technical term, yes?) And DEFCON conference badges are meant to hacked. Last year, a guy who lectured on hacking infrared altered his badge such that when he came within a couple yards of a TV, its channel would change.
“One night,” the infrared hacker says, “I went out to a bar in the hotel here, and they had a bunch of TVs set up. Everybody was going nuts.”
This year, the attendees’ badges are white and gold. My badge is dark blue and gold. The attendees’ badges have a blue LED light that goes up and down; mine has a light that starts at the top, grows in intensity, and then shoots down. Each attendee’s badge features a drawing of a single Egyptian soldier; mine has a threesome: There’s an Egyptian guy in the middle holding a curved cane, and there are women on either side of him. They’re embracing.
Looking at my badge, everybody assumes I’m a speaker, a master hacker, a Jedi. Everybody wants to “sync badges” with me. (Think iPhone bump.) And as we sync, the attendees ask, “What does your badge mean?”
“It means I’m with the press,” I say.
And with that, the conversations end. For some reason, nobody at a computer hacker convention wants to talk to a journalist. Go figure.
In the lecture room, everybody is wearing T-shirts with computer jokes I don’t understand. Ten percent of the guys have colorful mohawks. One hundred percent of the chairs in the room are taken. So I sit on the ground, against the wall, in the corner. To my right, a teenage boy sits and takes notes. To my left, the same. Onstage, a bald guy between two white screens lectures about hexadecimal literals.
You know, hexadecimal literals.
The white screens beside him read, “NULL PGSQL.” Then they change to: “1e1 vs 1e1.0?”
“Floating point numbers—I didn’t write them in true expression format,” the speaker says. “If you do, you’ll get a ton of false positives.”
The kids on either side of me jot this down. I take a note, too: “WTF?!”
Twenty years back, DEFCON was more of a pure, underground hacker convention, but it’s grown into something bigger. It’s still centered around computer hacking, but now, almost half the events are comprehensible to inhumans like me. I walk into the “Track 1” lecture hall, where Siviak, a known personality in the hacker world, is discussing “The Cerebral Source Code.” I’ll let you read the first paragraph of the program’s lecture blurb: YOU: are part of the problem. You should count yourself among the ranks of the unprepared. You are under-educated and fooling yourself. You are sheep, you just don’t know any better … but ignorance is no excuse. You know that much.
You, in this scenario, are Neo to Siviak’s Morpheus. Only Siviak doesn’t look or sound like Laurence Fishburne; he looks like an ’80s movie villain and sounds like Tom Hanks. And Siviak’s really talking about Social Engineering (SE). It’s like hacking, if you substitute the computer for a person. Jedi mind tricks, essentially. SE covers both obtaining information and persuasion. And right now, Siviak is talking about what you should do if you get caught breaking into a building—how you might convince somebody that you belong there.
“Always look like you know what you’re doing,” Siviak says. “Always look like you’re supposed to be there. If somebody tries to stop you, don’t be afraid to tell them, ‘I don’t have time for this.’ Ever seen Ferris Bueller’s Day Off?”
Everybody applauds. They’ve seen it. “Just remember the line, ‘If I get caught, it’s not going to be by a guy like that.’”
It’s time for audience Q&A:
Audience Member No. 1: “My friend and I snuck into a building to scan for vulnerabilities. We were trapped there for seven hours. They locked the doors on us. I was the pretend supervisor, and I got cornered. What was I supposed to say to get out?
Siviak: “A Navy SEAL once told me, ‘If you’re in a situation you can’t think your way out of, scream, “Oh my God! This parachute is a knapsack!” And run.’ What he meant is, do something unpredictable.”
Audience Member No. 2: “Women in their 40s and 50s—they seem to have great bullsh*t detectors. Any icebreakers you should use with them?”
Siviak: “Ask them about something on their desk. And remember, only ever be half-full of sh*t. Always know enough about any subject to change the subject.”
Audience Member No. 3: “Will you be my friend? Can I get a hug?”
DEFCON has an ongoing SE contest that works like this: A contestant receives a target company, steps into a soundproof booth and puts on a telephone headset. The contest moderator uses the phone—it’s outside the booth—to dial the company. Then the contestant attempts to persuade the customer support representative who picks up the phone into surrendering secret information about the company. After Siviak’s speech, I enter the SE contest room as a new contestant is starting a call. He’s a young guy in a black T-shirt and khaki shorts. He’s got a black notebook with him, which, presumably, contains a list of information goals like, “Find out which antivirus software Company X uses,” and, “Find out whether Company X’s employees have unrestricted Internet access.” I’m not allowed to reveal the targeted company’s identity, but I can tell you it’s a major computer manufacturer.
Those of us in the audience, about 200, hear the call over loudspeakers. And here’s how it goes down:
The phone rings. An automated voice says, “If you wish to speak to a customer support associate, press 1.” The contestant in the booth holds up his index finger to signal that he wants the 1 button pushed.
“Hello, this is Cindy. How may I help you?”
“Cindy! What’s up! This is Jake.”
(Jake, I should point out, is a made-up name. I can’t reveal the contestant’s real name.)
“Cindy, listen, listen, I’ve got a whole bunch of questions for you. Basically, the situation is, I’m going to the San Diego Art School in the fall and I need to get a computer, and I’m trying to figure out which one I should get.”
“Jake” is posing as a student—that’s his in. It proves to be a successful one … unlike that of the guy who called a phone company posing as a government security official. Apparently he said, “There’s a hacker convention in town, and I want to keep you safe from them.” Disastrous, I’m told.
Jake plays dumb, saying things like, “I’ve heard about VPN. Does that stand for Very Personal Network?” Of course, this gets a giant laugh from the audience. That’s what the soundproof booth is for. His general strategy is this: He asks a question: “Do I need antivirus software?” Then he personalizes the question: “Do you use an antivirus program? Which one do you use?” Then he asks the question he really wants answered: “What about Computer Company X? Which one do they use?”
Works like a charm.
He gets all sorts of information out of Cindy. Everything from whether Computer Company X employees are allowed unrestricted access to the Internet (yes) to whether Computer Company X has an in-building cafeteria (also yes). The conversation ends with the line, “Cindy, you’ve helped me a lot today” and a giant round of applause.
Then it hits me: I should compete in the SE contest. I’d be great at it, I think. After all, I’m a journalist. I’m used to asking questions and getting people to open up. So I approach a contest assistant and ask whether I can compete.
“No way,” he tells me. “All the slots filled up weeks ago.”
“But I could write about it,” I say. “It’d make for a great story.”
“You can’t. There’s just no way. If you don’t believe me, you can ask him.” The assistant points to the guy in charge. “But I can tell you right now: The answer will be no.”
Just then, another guy pulls me aside. He’s an SE expert. He’s won SE contests like this in the past. He tells me that my real SE assignment should be this: Come back tomorrow and convince the guy in charge that I deserve a spot in the contest.
“If you can do that,” the SE master tells me, “you can consider yourself a true Social Engineer.”
So it was on. I made it my goal to get a slot in the competition. Not to compete; just get in. To game the gamers.
Somebody is willing to talk to me. Finally. He’s a hacker and a Las Vegas native. Warlord—that’s his handle. First, I ask him about Siviak.
“Siviak’s a Goon,” Warlord replies. “It’s not a bad thing. The Goons are like DEFCON security—they step in before the real security or the police get involved. And they defend the DEFCON ethos—the idealism.”
The DEFCON ethos is not what the media might have you believe. It’s not, “F*ck the government and big corporations.” Far from it. Many people here are on the light side of the Force. Hackers, from all I saw at DEFCON, are some of the most annoyingly moral people in Vegas. The bone marrow table, the blood donation table—both were always full. Hell, the whole point of the SE competition was to educate, to teach large businesses about their vulnerabilities.
“How do you get to be a Goon?” I ask.
“You have to have the right attitude, have charisma,” Warlord says. “Oh, you have to be really good at drinking and yelling, too. And you have to help support and protect the key figures that the feds might want.”
One year, apparently, the feds showed up to DEFCON uninvited. They wanted the guy on the stage. They stood up and walked down the aisles. But once everybody in the audience figured out what was going on, they stood up, too. And they chased the feds out. Today, things are different. This year, General Keith Alexander, National Security Agency director, was actually invited to speak at DEFCON. And he accepted.
“Do you want to talk to Siviak?” Warlord asks. “I think he’s running the scavenger hunt right now.”
Warlord and I walk through the merchants’ room, past the lock picks, past the spy cameras and the quarters that unscrew to hold memory chips and arrive at the hunt booth.
“It’s your traditional, average, everyday scavenger hunt,” Siviak tells me, with deadpan sarcasm.
Items on the list: 1,437.
Siviak hands me an unwanted cup of Jäger, staring me down when I try to refuse. He makes it clear that if I want him to keep talking, I need to drink. So I drink. Then I look down at the endless scavenger hunt list, spread across the table:
• Working Dvorak keyboard
• German telephone book
• Cow head
“How are you supposed to find these things at the Rio?”
“Somebody drove to the butcher shop to get a cow head,” Siviak says. “And the phone book—you have the Internet, right? You could look there.”
A girl interrupts our conversation. She’s got red hair and Where’s Waldo? glasses. She’s wearing a bathrobe. (“Greet the judges in a robe and beauty mask.” Check.) Under the robe, she’s wearing a duct tape bikini. (“Skinny Hacker in Duct Tape.” Check.) She wants Siviak’s attention. Her friends tip her upside down and give her a water bottle filled with orange liquid. She drinks it, and Siviak takes note. When she’s tipped right-side up, she tells me that this is her second DEFCON, that she took second in last year’s hunt.
“I want first this year because if you win, you get a black badge. It means you can get into DEFCON for free, for the rest of your life,” she says. “Do you want to know our team name?”
“It’s Reengineering Sex Toys: A Subsidiary of Psychoholics. Can you put that in your story?”
“I can try.”
“Do it. You better.”
“I’ll do it.”
Did I just get socially engineered?
I’m back at the se competition room, about to ask the big guy for a slot. This is the moment. Everything I’ve learned at DEFCON has led up to this.
I ask to speak to the guy in charge, and I’m granted an audience. I’ve got prepackaged speeches ready, excuses prepared, topic-changers on deck. And so I begin: “Hi. My name is Rick Lax, and I write for Las Vegas Weekly. I was wondering if there was any way I could get a slot in the competition. I know they’re all filled, but I really think it’d make for a great story, and I—.”
“Sure. We can fit you in.”
Ha! Wasn’t prepared for that. But maybe that’s what computer hacking is like for DEFCON attendees: a walk in the park. I like to imagine hacking as a near-impossible task—one that strains the brain and the soul. But maybe, for Siviak, for Warlord, for the guy in the Pedobear mask, it’s easy. I mean, if some guy can hack a name badge to change the channel on a TV, who knows what he could make my computer do.
Thank God these people are on the light side. Well, most of them. At least, I hope they are …