Alexander, also at the helm of the U.S. military’s Cyber Command, gave a presentation Wednesday at the Black Hat corporate security conference in Las Vegas, after a series of revelations about an extensive NSA spying program left many angered.
Alexander has treated outreach to the hacking community as paramount to national security; his appearance at last year’s DEF CON was received far less frostily.
Wearing dressed-down jeans and a T-shirt, Alexander spoke in 2012 at DEF CON, which runs immediately after the buttoned-down Black Hat conference. DEF CON, which runs Aug. 1 – 4 in Las Vegas, is the fun side of security, where hackers and cryptographers hang out alongside criminals and law-enforcement agents alike.
Backlash from the Snowden scandal inflamed tensions in the hacking community this year, however, and in July the event founder said the government might not be welcome at DEF CON this year.
But the hackers? They’re coming.
Founded in 1993 by hacker legend The Dark Tangent, the conference is held at The Rio hotel and costs $180 — cash only, no credit cards, checks, money orders or traveler’s checks. DEF CON takes that unusual step to protect the anonymity of participants and discourage government fishing expeditions for information on attendees.
A record-breaking 13,000 security experts gathered last year, attracting many suitors beyond the U.S. government. Every year, recruiting squads appear hoping to woo the elite cyber talent. Facebook, for example, sought keyboard bounty hunters, offering to pay those who identify security flaws in its site.
What happens inside DEF CON?
There are many competing definitions of hacker, but DEF CON is for the sort of rock star hackers with serious technical interests who also like to party.
Like your average conference, DEF CON features speeches – but these are anything but ordinary. Past lecture topics have ranged from assailing an airport with a fleet of ghost planes to Google product risks.
Some participants remain glued to their computers for the duration, playing a social engineering take on capture the flag. This version makes behemoth American companies the target. Last year, the list included FedEx, Target and AT&T.
Contestants prepare by researching the targets in the weeks leading up to the competition. Sources for mining information include company websites and profiles on LinkedIn.
In a cautionary tale for these companies, competitors reveal vulnerabilities, but they also limit themselves: contestants do not try to obtain things like social-security numbers or passwords.
During Capture the Flag 2012, the contest winner demonstrated in front of a large crowd how he hacked into Walmart within 20 minutes. Underscoring how humans can be a key vulnerability in a security apparatus, this hacker was able to gain information ranging from physical security details such as shift and break schedules to the type of computer systems and antivirus software used.
Even badges and scavenger hunts are taken to the next level. DEF CON’s iconic badges contain scavenger hunts within them.
Last year, Ryan Clarke designed these hackable IDs, embedded with an LED, a multi-core processor, IR transmitter and a hieroglyphic graphic. Buried in the software was a game encoded with a multitude of mathematical, linguistic and cryptographic layers.
There are also music events, movie marathons and contests for shirts and posters.
And there’s the lock picking event as well.
Physical security challenges and training are always very popular with this crowd.
Last year, researchers demonstrated how safes popular for storing weapons at home could be readily picked by children using readily available items like straws, paperclips and hangers.
One traditionally popular sport at DEF CON is the self-explanatory Spot the Fed.
Participants are also encouraged to create their own events that may eventually become official events. Hackers interested in attending should check out the DEF CON Forums for information on emerging events or to recruit hackers for new events.
DEF CON is staffed by a carefully chosen team called “Goons,” who earn their place through trust and experience. They play a range of roles from security to network operations. Security Goons tend to be demarcated by a specific colored shirt, while the others wear black.
As you would expect, DEF CON is completely network-enabled and for the past few years has deployed WPA2-encrypted Wi-Fi over the air, with a direct trunk out to the Internet to make sure participants feel safe.
This approach means no sniffing or peer-to-peer, just straight to the net and internal servers.
There is a lot of young hacking talent in the United States and some are tempted to “run away from home” to attend. While there is no age limit, it is an adult atmosphere. DEF CON cooperates with concerned parents and points out that one needs to be 18 to reserve a room in the hotel.
DEF CON Kids has become THE place for young talent. While they must be accompanied by an adult, they still get to have a lot of fun and share their skills.