Adam and I just got back from a few days in Las Vegas to see the (astonishingly young!) face of the computer security, ahem, ‘adversary’ community at the 12th annual DEFCON. We found several useful sessions on the fringes of electronic commerce (‘real-time penetration of credit card networks’, ‘the farmer’s market model of pseudonymous dealing’, debates about the broadcast flag and other DRM), as well as several object lessons in how insecure today’s economy already is — from Googling up lists of cc#s to seeing a CommerceNet mail password compromised on the spot (hint: let’s turn on IMAP over SSL already! ;-)

The best technical content is actually released a few days earlier, at the more “official” Black Hat briefings. The best single presentation I attended was the release of a practical toolkit for SSH-over-DNS. That’s right, DNS name lookup queries form perfectly useful covert channels to send and receive data through all manner of firewalls. And it’s that way by design: the whole point is that DNS provides a way to invoke a small RPC at the remote end, namely lookup("symbol"). An even better hack that takes further advantage of DNS’s caching semantics is ‘DNS Radio’ — audio streaming! For more info, see NomDe (either as in ‘Plume’ or ‘Guerre,’ your pick :-).

Another warning that decentralized systems require tracking the conflicting interests of external agencies: not every other computer on the network is necessarily ‘helpful’ when it answers back!

A sign of how paranoid they were about not keeping records: Defcon 12 FAQs

$80 USD covers the entire 3 days of the conference
Cash only. Absolutely no checks, credit cards, money orders, traveler’s checks or foreign currency will be accepted. There is no on-line pre-registration. Everyone must register on-site.

By far the most intriguing single session was hearing about the state of post-9/11 computer security investigation priorities from the horse’s, well, choose the equine body part of your choice: DEFCON 12: Feds Yes, Anarchy No.

DEFCON 12’s de facto guest of honor was Robert Morris, National Security Agency’s Chief Scientist from 1986 to 1994. With his scraggly beard and unfiltered Camels, Morris would have blended in well with the retirees pumping quarters in the slot machines over at Sam’s Town. Morris was quite happy wandering about talking to the gawking youth and dropping hints that he didn’t really like John Ashcroft.

Morris was one of a group of current and former U.S. government employees that appeared on the “Meet the Fed” panel on Saturday afternoon. It was the first time in several years Feds had officially spoken at DEFCON and the panelists used the first half of their presentation as an ad hoc recruiting pitch. Uncle Sam wants talented and clean (i.e. no arrests or documented bad behavior) computer security people. “You can get up to 70 or 75 percent of your students loans forgiven,” repeated one official. The U.S. government has a large number of open computer sec positions to fill and has a tough time retaining employees. Entry-level employees join up, learn the ropes, and then end up departing 3 to 4 years later for more lucrative private sector positions.

Another lesson we learned: far too many businesses have decided to place WiFi networks between point-of-sale machines that take credit card information, and the gateways or front-end-processors that do the credit card auth, so hackers discovering sensitive stuff on wireless networks is going to become an ever-more-common occurrence. It’s not that WiFi is any less secure than a wire; rather, because accessing open wireless networks is a lot easier than cracking a physical line, these kinds of cracks become a lot easier. The fact that most Internet applications still don’t use encryption on the wire makes such systems more vulnerable in the environment where anyone can access what gets sent over the air.