DEF CON: The event that scares hackers

A surprisingly well-written tech article for a source like CNN: clear to non-technical people, and yet not chock full of gross inaccuracies. Mainstream journalists have gotten me used to much lower quality.

everyone freaks out because "oh man your computer will get hacked in N seconds on the defcon wifi". lets dissect this a little bit.<p>if i put a computer on the defcon wifi, it'll probably be say, modern linux (ubuntu, debian, or redhat) running either a minimal subset of services (ssh) or perhaps nothing, with firewall policy applied, or a modern windows (windows7) with the firewall on. i'll be using a modern, fully patched web browser, also perhaps with some additional mitigation technology (thought nothing out of the ordinary) think perhaps noscript and EMET.<p>and also this is the one time of the year when i'm ready for this. every other day of the year i go to the coffee shop i don't know anything about the other randoms there but i assume they're drifting office droids hacking on their excel macros or recruiters cruising linkedin in between meetings.<p>so, if someone exploits me on the defcon wifi ... where else will that exploit work? everywhere, probably! it's probably a super awesome exploit that has super awesome properties that targets super popular software and is also unpatched. someone owns my openssh 5.3 on my laptop on the defcon wifi ... if i pcap that ... i'm a rich man. i can own boxes like mine.<p>so ... as a hypothetical attacker, why would i do this? i'm surrounded by people like me. they're alert. they're cautious. and they are the most capable people in the world to detect what i am doing and reveal it to everyone. oh and there are a whole bunch of law enforcement people there too, AND the entire thing happens in a casino which has heavy security and is already wired for sound and audio everywhere you go.<p>... anyone who is smart enough to be able to own your box at defcon, is also going to be smart enough to realize that they might as well wait until the week after when you're sitting at a coffee shop.

Wow, that's impressively well-written. And it's about computer security. And it's about <i>hackers</i>, who are <i>hacking</i>. That's like a perfect storm of news-writer fail, and they did a pretty good job through it all.<p>I love that they included this quote, it sums up security very very very well:<p>&#62;<i>It's not about breaking the lock, he said, it's about learning the lock can be broken.</i><p>I've found ways to open most combination locks in a second or two, without even looking suspicious. It's easier than entering the combination, usually. Those $20k-insured round-keyed laptop locks? Takes about 30 seconds on average, 5 or less if you're lucky. My dad lost a $20 bet with me on that, with the one his employer supplied (and expected him to use) - it took me 5 minutes on the first attempt, and less than a minute each time after that.<p>Security isn't about <i>stopping</i> people from breaking in. It's about not being the low-hanging fruit.

One of the most insightful points in the article, summing up much of DEF CON, got buried near the end of the article; it's worth emphasizing:<p><i>It's not about breaking the lock [...] it's about learning the lock can be broken.</i>

The DefCon wireless is nowhere near as scary as people make it out to be. Making people believe that something is scary is part of the fun of it for those of us that help run the con.<p>Currently at con, on my laptop with OpenVPN and tethered to my phone because the DefCon wireless is overloaded and not handing out an IP address.

If you value your sanity, I'd suggest steering clear of the comments on this article. Although I guess you could say that for comments on most article on CNN.

I'd love to know the OS usage stats here and how they differ from HN.

I'm pretty sure any hacker worth his weight in microchips doesn't have a problem. I've been to def con and always take a *nix system with a solid firewall and a way to ssh/vpn home to do all my logging into websites from.<p>DEF CON doesn't scare hackers. It gives us a chance to see if our setups are actually secure and if we get pwnd we deserved it and learn from the experience.

Defcon is much more like a family reunion than a scary thing. This year hundreds of hackers literally opened their veins to give blood in honor of one of our own who needed it. The hacking of other attendees that goes on has more of a prank feel to it (much like a lot of the con!) than a scary thing. It's just a bunch of people getting together to talk, do interesting things and/or get drunk together.

That memo of things to do/not do, is a great list for everywhere 24/7, not just def con.<p>If you can be hacked there, you can be hacked anywhere, and some damage cannot be recovered from (ie. losing google account).

I'm in Vegas. Anyone have an extra badge they wanna sell me? I wanna stop by tomorrow. #meetup

Bury your room key...-why LV hotels dont use RFID for room keys. Scan your credit card remotely - not if they are mag stripe.<p>FUD articles like this is why people dont know to use VPN or HTTPS, what a waste of CNN's money sending him there for this - sorry but it has to be said could have been a much better more accurate article covering actual security issues.