Skip to main content

DEF CON: The event that scares hackers

John D. Sutter
The "Wall of Sheep" displays partially obscured usernames and passwords obtained by DEF CON hackers.
The "Wall of Sheep" displays partially obscured usernames and passwords obtained by DEF CON hackers.
  • DEF CON is a hacker conference in Las Vegas
  • Attendees pay only in cash and don't register with real names
  • The event is said to be one of the most dangerous places to use computers
  • Hacking
  • Las Vegas
  • Internet

Las Vegas, Nevada (CNN) -- In the Masquerade wing of the Rio Hotel and Casino in the gambling capital of the world, there's a giant statue of a head hanging over a lobby of slot machines.

The masked figure has two faces and four digital eyes -- clairvoyant blue -- that track back and forth constantly, as if recording the movements of everyone who enters.

That awkwardly self-conscious -- even slightly paranoid -- feeling you get from seeing being watched by that enormous casino head is pretty much a steady-state for most of the hackers who attend the DEF CON hacker event, taking place at the Rio this weekend.

Started 19 years ago as an underground gathering of sometimes-nefarious computer wizards, DEF CON has sprawled into a 15,000-person, four-day convention where anyone with $150 -- in cash only, please, lest these hackers give up their identities -- can learn the latest tricks and trade of computer hacking, lock picking and security breaching.

The aim of the event is to better inform both insiders and everyday people about the risks of operating in our increasingly digital world and to work on solutions. But the practical result of gathering this many highly skilled hackers in one building -- in a Las Vegas casino, no less -- is that everyone here is experiencing some level of terror.

Insiders say there's no place on Earth where you're more likely to get hacked.

"You're on the most hostile network in the world. If you can perform business here, you can do it anywhere," said Brian Markus, referring to the public Wi-Fi network at DEF CON, which veterans know to steer clear of.

Unlike at other tech events, which tend to focus on Facebook-like concepts such as "sharing" and "connecting," DEF CON is all about who can stay the most private, and therefore, who will remain the most secure in this digital war zone.

Those who don't are shamed into doing so.

Markus, for example, sits in a dark room in the Rio's conference center watching Internet traffic. When he sees a password fly across the connection, which is often, he posts part of it, along with the user's log-in name and the site he or she was using, on a large projection screen, which he calls the "Wall of Sheep."

Within an hour of watching for passwords on Friday morning, his team from Aries Security had racked up 10 half-shaded passwords. (The team, and others, can see the full passwords and usernames, but they choose to protect the victims by only displaying the first three characters of each password. Kind of them, huh?)

So, how does one avoid the "Wall of Sheep"?

Markus suggests scrambling your Internet connection.

There are several free services that will do this, including OpenVPN and Ace VPN. That way, if someone like him is "sniffing" the Wi-Fi connection you're using, they won't be able to see exactly what you're up to.

Another method: Type in "https" instead of "http" in your browser bar. That puts you on a more secure version of many major websites.

Plenty of people, however, are subjected to more sophisticated hacks.

Dan Kaminsky, one of the world's most notable do-gooder hackers, said he had his personal passwords, e-mails and instant messages with a girlfriend dumped out into the public domain at a previous DEF CON event.

"If you walk onto a battlefield, you might get shot," he said.

People still try to dodge the bullets, though.

As he darted through a mob of black-T-shirt-wearing convention attendees, Eli, better known by his hacker handle "Dead Addict," told me how much he hates crowds.

Not only is there the social anxiety, there's also the chance someone with an RFID reader and an antenna in their backpack could swipe your credit card info right out of your pocket.

The readers are the size of an old Walkman and, with a proper antenna, can grab data right off of credit cards that use quick-swipe technology (you can tell if you have one of these cards by looking for a little radio-wave symbol).

Eli, who started hacking in his teens and stopped breaking into corporate sites after all of his friends got arrested for doing the same thing, carries a metal-lined wallet to block this attack.

Other DEF CON veterans said they purchase junk computers they can throw away after the convention because they figure they're going to get infected. Eli says he just leaves the laptop at home.

Most of the attendees carry cash. No one uses the ATMs after an incident in 2009 in which someone rolled a fake ATM machine into the event, according to Wired, and apparently used it to collect credit card information instead of dispensing money.

There's also the anonymity of it all. Some hackers only go by their handles. Others don't want digital records they attended the event, which does not require attendees to register or give their real names.

I got an e-mail warning me about some of these security idiosyncrasies before I got on a plane for Vegas. Written by a DEF CON spokeswoman, and reprinted with her permission, the note was full of jaw-dropping advice:

Hi John,

Great talking with you!

You are about to enter one the most hostile environments in the world. Here are some safety tips to keep in mind ...

- Your hotel key card can be scanned by touch, so keep it deep in your wallet.

- Do not use the ATM machines anywhere near either conference. Bring cash and a low balance credit card with just enough to get you through the week.

- Turn off Fire Sharing, Bluetooth and Wi-Fi on all devices. Don't use the Wi-Fi network unless you are a security expert; we have wired lines for you to use.

- Don't accept gifts, unless you know the person very well - a USB device for instance.

- Make sure you have strong passwords on ALL your devices. Don't send passwords "in the clear," make sure they are encrypted. Change your passwords immediately after leaving Vegas.

- Don't leave a device out of sight, even for a moment.

- People are watching you at all times, especially if you are new to the scene.

- Talk quietly. Conduct confidential phone calls off site ...

That is it for now.

For now?

After seeing that, I left my credit cards, debit card and company laptop in my hotel room -- hidden, of course, since I'm on this newly paranoid kick. I kept my iPhone on "airplane" mode for most of Friday, turning it on only to send a couple texts.

I was particularly concerned about this phone hacking stuff, so I asked Austin Steed, another security researcher-slash-hacker about that.

He said mischievous hackers can install their own cell phone towers to intercept your calls before passing them on to the real mobile carrier. These "man-in-the-middle attacks," he said, let hackers eavesdrop, but they can also alter the conversation you're having, without your knowledge.

"You send a text saying 'I love you,' and he (the hacker) says, 'I want to break up with you.'" Or worse than that, Markus said, you could be doing business -- maybe the hacker would change "sell it all" to "buy it all," with potentially huge ramifications.

The hackers who attend DEF CON -- now in their thirties instead of their teens as they were at the start of the hacker movement -- hope, in a strange way, that by teaching people about hacking they will make the tech world safer.

DEF CON is their playground of sorts. Many of the hacks aren't necessarily malicious. They are people toying around just to see what's possible.

If they don't do it, then the really bad guys will, they say. There are sessions on cracking Google, PayPal, Apple -- even cars and prison cells.

DEF CON attendees can also learn how to pick locks. On Friday, 17-year-old Cherry Rose de los Reyes picked her first lock while her dad, Roselito, an IT professional, watched admiringly.

"I think I got it," she said, turning a key she had reverse-engineered.

"There, now I don't have to pay Home Depot no more!" her dad said with a laugh.

Some parents might cringe at a dad helping his teenage daughter learn a skill that could be used for breaking and entering. But Roselito de los Reyes says they'd be missing the point.

It's not about breaking the lock, he said, it's about learning the lock can be broken.

"If you educate them not to have a false sense of security just because you have a lock, then being able to open a lock might teach them to use a barbell on the door at home."

So maybe there's a point to the paranoia after all.


Most popular Tech stories right now