On Saturday, an unnamed “senior administration official” told Reuters that the US government is considering using visa restrictions to keep Chinese hackers from attending DefCon and Black Hat, two major hacking conferences that take place in August in Las Vegas.
The move would be “part of a broad effort to curb Chinese cyber espionage,” Reuters reported. The news comes after five members of the Chinese military were indicted by the US on Monday for allegedly hacking into US companies and stealing trade secrets. It was the first time ever that the US has formally accused another government of hacking.
Jeff Moss, founder of both the DefCon and Black Hat conferences, and Chris Wysopal, a member of the Black Hat board that reviews presentations, were both skeptical of the move. Wysopal noted that Black Hat talks are taped and sold after the conference, and preventing Chinese hackers from being physically there would not appreciably affect China's hacking abilities. "It seems symbolic to me," Wysopal told Reuters of the move. Several Chinese nationals are booked to speak at the Black Hat conference, although none are booked to speak at DefCon.
Since its founding in 1992, DefCon has been a venue where anarchists, geeks, and employees of three-letter federal agencies became unlikely comrades under a live-and-let-live credo that placed the love of computer tinkering above almost everything else. No more. As tensions mount over the broad and indiscriminate spying of Americans and foreigners by the National Security Agency, DefCon organizers are asking feds to sit out this year's hacker conference.
"For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory," Jeff Moss, aka The Dark Tangent, wrote in a blog post published Wednesday night. "Our community operates in the spirit of openness, verified trust, and mutual respect."
Gen. Keith Alexander, head of the NSA and U.S. Cyber Command, appearing at the 2012 DefCon hacker conference in Las Vegas on Friday. Photo: Kim Zetter/Wired
LAS VEGAS — NSA chief Gen. Keith Alexander, appearing for the first time at the DefCon hacker conference, told the crowd of hackers and security professionals that his agency “absolutely” does not maintain files on Americans.
Responding to a question from DefCon founder Jeff Moss asking “does the NSA really keep a file on everyone?,” Alexander replied, “No, we don’t. Absolutely no. And anybody who would tell you that we’re keeping files or dossiers on the American people knows that’s not true.”
Alexander went on to say that the NSA’s job was foreign intelligence, not domestic and that the agency is constantly monitored in everything it does.
“We get oversight by Congress, both intel committees and their congressional members and their staffs,” he continued, “so everything we do is auditable by them, by the FISA court … and by the administration. And everything we do is accountable to them…. We are overseen by everybody. And I will tell you that those who would want to weave the story that we have millions or hundreds of millions of dossiers on people is absolutely false.”
Unstated in both Moss’s question and Alexander’s answer, however, is whether the NSA monitors and collects the communications of millions of Americans en masse, something that is very different from keeping a “file” on individual Americans.
Alexander did touch on the collection of data in his answer, but denied that this involved Americans. Under the FISA Amendment Act, he said, the NSA is authorized “to collect foreign targets — think of terrorists — outside the United States.
“And that law allows us to use some of our infrastructure to do that. We may, incidentally, in targeting a bad guy, hit on somebody from a good guy. [But] we have requirements from the FISA court and the attorney general to minimize that, which means nobody else can see it unless there’s a crime that’s been committed…. And so from my perspective, the people who would say that we’re [targeting Americans] should know better.”
Alexander is likely referring to recently published comments by former NSA officials, who told author James Bamford that the NSA’s future $2 billion data center being built in Utah will be used to store “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital ‘pocket litter.’”
According to one unnamed former NSA official, “Everybody’s a target; everybody with communication is a target.”
Dressed casually in blue jeans and a t-shirt, Alexander was deferential to the packed auditorium of hackers and security professionals, telling them that DefCon was “the world’s best cyber community,” and appealed to the audience for help in solving some of the problems of the internet.
“In this room … is the talent our nation needs to secure cyberspace,” he told the audience. “You folks understand cybersecurity. You know that we can protect the networks and have civil liberties and privacy, and you can help us get there.”
In discussing the need to develop better methods to protect networks from intrusions, Alexander said, “Some of you . . . can help us show the world that you can actually do intrusion detection and prevention systems and ensure civil liberties and privacy. Showing that to the world is absolutely important because we can do both and we need to do both.”
LAS VEGAS — Is a plastic drinking straw from McDonald’s the only thing keeping a thief — or worse, a child — from accessing the loaded weapon in your closet safe?
That’s apparently the case with one model of personal safes that a team of researchers will be cracking at DefCon on Friday.
But the researchers found similar problems with several brands of personal safes that are marketed for securing guns and other valuables. Toby Bluzmanis, Marc Weber Tobias, and Matt Fiddler demonstrated in videos that they were able to swiftly open seven models of safes, using household items like paper clips, a wire hanger and a drinking straw. In one case, they opened a safe simply by lightly bouncing it on a floor once.
The safes the researchers looked at are sold at Walmart, sporting goods stores and Amazon.com. Many of them are certified as being compliant with California penal code standards for securing firearms. But Tobias notes in one of the videos that the companies that make the safes “do not understand security engineering,” and that “every one of these safes should be pulled from the market until they’re fixed … before someone else gets hurt or killed.”
The researchers began examining the safes six months ago after Tobias was contacted by a former detective named Ed Owens from the Clark County Sheriff’s office in Vancouver, Washington. Owens’s 3-year-old son was accidentally shot to death in September 2010 after his 11-year-old step-sister retrieved the detective’s loaded handgun from a Stack-On safe in which it had been stored.
Stack-On safes had been issued to all deputies in the sheriff’s department to secure service revolvers at home after a previous shooting incident in 2003 in which another child was killed with a deputy’s gun. Owens asserted that the safe his employers gave him was not working properly, and that the sheriff’s department knew this before the shooting occurred but did not recall the safes. The sheriff’s department accused Owens of failing to report the malfunctioning safe.
In 2004, Stack-On had recalled 1,320 of the model of safes that was purchased by the sheriff’s department, because the safes could be opened by simply jiggling the doorknob, though the sheriff’s department maintains that the recalled safes were not from the same lot number as the ones the law enforcement agency bought.
In either case, the researchers were called in to test the model of safe connected with the shooting, and found that a magnetic pin that moves up and down when someone enters the correct combination was superfluous. They could simply move the pin by bouncing the safe, causing the door to swing open. In a video the researchers made showing the vulnerability, a 3-year-old boy lifted the safe a couple of inches off the floor and set it down, causing the door to spring open.
“This is what happens when you have a defective design,” Tobias says. “The sheriff’s department didn’t have a clue what they were buying and didn’t know how to evaluate them.”
The researchers decided to test six other models of safe to see if they had similar problems.
They tested four models of safes made by Stack-On, a leading seller based in Illinois, and others made by Bulldog, GunVault and Amsec. All of them were easily opened. Some of them could be opened in ways that were undetectable, so that anyone just looking at the safe afterward would never know that it had been opened and its contents removed. Some of the safes are used by the TSA to store papers and evidence at airports.
Among the safes they examined were three models of Stack-On PS Biometric safes with a combination keypad, biometric fingerprint reader and key bypass. The researchers examined three models of the biometric safe because, as Tobias says in the video, “we could not believe the first one that we opened how simple it was, so we wanted to confirm our findings with three different versions, and they’re all vulnerable.”
The safes are made of solid steel and are supposed to be pry-resistant, but the researchers opened them easily with a paper clip in two seconds. The fingerprint reader was irrelevant except to provide them a hole through which to get to the locking mechanism. They simply pushed the fingerprint reader in, and used the hole for the reader to insert a wire and move the solenoid responsible for opening the lock.
They also examined a Stack-On PC650, which has an electronic lock and, according to Stack-On, meets TSA airline firearms guidelines. The safe is opened by pressing buttons in a combination. The researchers were able to open the safe in several ways – first through a small space around one of the buttons on the top of the safe. The buttons have a rubber plate on top of them, which is easily removed. The researchers inserted a small pick in the button recess and manipulated the latch open in seconds.
The safe also has a reset button for the combination inside the safe, which the researchers accessed by simply inserting a screwdriver to slip a metal shank into the safe and reset the combination.
Stack-On’s PDS-500, a high-security strongbox drawer safe with an electronic combination lock and key bypass, was also hacked. The safe has a soft plastic plate on the front. The researchers simply tore a small hole in the plastic with a screwdriver, then inserted a wire to manipulate the solenoid inside and open the safe. They also opened the bypass lock with a paper clip.
“This is really a serious problem because, believe me, any kid can do this,” Tobias says.
Stack-On’s QAS1200B, a biometric lock with a fingerprint reader similar to one used on laptops, was also easily defeated. The safe has a rubber plate on top that can be removed, as can the fingerprint reader beneath the plate. This provides access to a small hole through which they were able to slip a pick to trip a locking mechanism and open the safe. By putting the fingerprint reader and rubber plate back in place, no one would know the safe had been opened.
A $100 Stack-On QAS 710 strongbox safe, with motorized electronic lock and keypad as well as key bypass, was opened by slipping a flat piece of brass into a space around the safe door and manipulating the locking mechanism. They did the same trick with a drinking straw from McDonald’s. The safe could also be opened by putting a little pressure with a screwdriver on the key bypass lock and turning it.
“It really looks good,” Tobias says. “It’s heavy metal. But you can take a brass shim or a straw … and pop it open in five seconds,” Tobias says. “This is what’s protecting kids.”
Tobias notified Stack-On about the problems with its safes three months ago.
Asked this week if it planned to recall the safes or fix them, Stack-On said in a statement to Wired that its products provide “secure solutions that are certified to meet the California Department of Justice (DOJ) standards…. This certification involves testing, by an independent laboratory approved by California DOJ, for compliance with their adopted standards. In addition, our Portable Cases comply with TSA airline firearm guidelines. We are proud of this designation and the protection we provide.”
And, finally, a Bulldog BD1500 Deluxe Digital Pistol Vault safe could be opened simply by inserting a piece of flat brass stock and pushing the lock mechanism to pop open the door. They also opened the door by inserting a coathanger wire into the battery port, creating a short that popped open the door.
As talks at the DefCon hacker conference have become increasingly sophisticated and technical over the con’s two decades, the conference badge has evolved to keep pace, morphing from simple PVC and metal plates into electronic gizmos with chips, circuit boards and games begging to be hacked.
This year’s badge, designed and produced by Ryan Clarke (aka LostboY, or LosT for short) continues that tradition, with some new twists.
Clarke, who’s also the creator behind DefCon’s annual Mystery Box Challenge, is a crypto and puzzle master who has been involved in DefCon for 13 years.
He felt that previous badges required hardware hacking skills that raised the bar too high for attendees whose talents were focused on software hacking.
So this year he’s designed an electronic badge that includes an embedded game. But figuring out the badge’s secrets requires hardware and software hacking skills, as well as puzzle and crypto acumen appealing to the math and language geeks in the crowd. His plan is to force attendees with different skills to combine their talents to crack the badge’s mysteries.
“Those doing the hardware hacks will have to find someone to do the puzzle side,” Clarke says. “It will drive them to find someone from the other side of the house.”
Each year, several badges are produced for different categories of conference attendees and participants – attendees get Human badges, and there are also badges for press, vendors, speakers and goons (the volunteers who are the core of DefCon, managing its network, security and speakers).
The black box in the picture above conceals the Uber badge – Uber badges are the black badges given at the end of the conference each year to winners of the DefCon contests. The badge gives the holder a lifetime of free admission to DefCon. Clarke has embedded a crypto puzzle on the Uber badges that will only be revealed to badge recipients on Sunday – though they may decide to scan the puzzle and put it online.
This year, Clarke has added a new badge for artists, which will be handed out to the artists and musicians who will be performing or participating at the con.
The Goon badges, the red ones (above) with a scarab beetle on them, are designed to affect other badges as the goons pass conference attendees. Clarke’s personal badge, as well as the badge of conference founder Jeff Moss, will also have an effect on other badges in their vicinity.
“In theory,” Clarke says, “it should be possible to figure out where we are by looking at the residual effect on other badges. It’s kind of like you leave behind a wake of information.”
In 1992, former hacker Jeff Moss invited a bunch of hacker friends he’d met primarily on electronic bulletin boards to come to Las Vegas to party in the desert. That party grew into a legendary conference that’s become one of the premier gatherings for hackers from around the world – as well as for undercover intelligence agents who want to spy on them (or recruit them).
More than 7,000 hackers and security professionals attend annually. Other hacker conferences have tried to copy DefCon’s secret sauce throughout the years, but none have been able to match its successful mix of smart talks, organized chaos and hearty parties. Next month, DefCon will celebrate its 20th year, by bringing back some of the original speakers that made year one so special.
Hackers on Board
Jeff Moss (third from left in second row) packed into a VW with his band of happy hacker friends in Las Vegas during the first year of the DefCon hacker conference. Photo courtesy of DefCon