Defcon ends with researchers muzzled, viruses written

Three-day hacker fest ends following a restraining order that killed one talk, a cable TV crew getting thrown out, and general software and hardware hacking tips shared.

Elinor Mills Former Staff Writer

LAS VEGAS -- The Defcon hacker conference ended its 16th year on Sunday, sending about 8,000 attendees home from a weekend of virus writing, discussion of Internet attacks, and general debauchery.

The highlight was most definitely the restraining order which prevented three MIT students from presenting their research on how to hack the Boston subway system. The students attended the event and even gave a news conference after the order came down on Saturday, but did not present their highly anticipated talk.

Instead, journalist and security expert Brenno de Winter took their empty spot and discussed how the cards used in the transit systems in the Netherlands and London can be hacked just like the ones used in Boston. Both systems, and many around the world, use the Mifare Classic chip technology, whose cryptography was cracked by researchers last year.


"I was advised by several lawyers not to go into details of the Mifare Classic, but anybody who has access to Google...," de Winter said.

Breaking the rules is always a theme at Defcon, but while irreverence for established corporate and government protocols is condoned if not exactly encouraged, breaking Defcon rules definitely has its consequences. Defcon officials said they were considering banning film crews from future events after ejecting a team from the G4 cable network on Saturday for allegedly videotaping a crowd. Photographers and videographers are required to get permission to shoot anyone, even from behind, and are forbidden from shooting crowds.

There was a report that police were called in to investigate a Windows-based kiosk that was hacked to display pornographic images in the lobby. And the usual rowdiness and late-night drinking were a nightly, if not daily, activity. However, things did not seem to reach the level of tomfoolery they did in the early and mid-1990s when elevators were hacked and cement was poured down toilets. Of course, many of the script kiddies from that era are now married with children.

There were, of course, a range of sessions, including ones on evaluating the risks of "good viruses," hijacking outdoor billboard networks, and compromising Windows-based Internet kiosks.

Members of SecureState, a company that does penetration testing of corporate networks, gave a live demo in one session of an automated attack on a Microsoft SQL Server-based computer that left the machine vulnerable to attackers installing viruses and other malware. The team used new tools they are offering for download, SA Exploiter and Fast-Track.

One of the more controversial events at the conference was a "Race to Zero," in which teams modified samples of viruses and tested them against antivirus software. Four teams managed to complete all the levels and get through the antivirus software.

There were less technical contests as well. "Mike" from Chicago won $3,000 for spending 30 straight hours listening to pitches and marketing buzz from security company Configuresoft and correctly answering questions on periodic quizzes on the presentations. After the announcement, he jumped out of his seat with his arms in the air. Asked how he felt, Mike, who declined to give a last name, said he "felt smelly."

The contest, called "Buzzword Survivor," was not without scandal. Several contestants claimed--and submitted a cell phone photo as evidence to organizers--that one of the contestants had fallen asleep at one point. However, he was allowed to remain in the contest and made it to the very end with all the others, winning $200. The second prize was $1,000.

Gartner analyst Paul Proctor came up with the idea on a whim. It was originally intended to have 10 contestants competing for 36 hours for a $10,000 prize, but the prize was reduced when only one sponsor stepped up.

The contestants had 10-minute breaks every hour, but otherwise were in their seats listening to detailed talks about the company, its products, and the industry.

"We've submitted them to pain," Andrew Bird, a Configuresoft vice president, who served as MC at the end of the contest, said mischievously. "We played recorded Webinars at 4 a.m."

Note: In the video below, Defcon founder Jeff Moss, alias "Dark Tangent," discusses the ethics of hacking and disclosure issues that provoke debate, and often lawsuits, at the event.
