DefCon 9 - What I did on my summer vacation


By Opcom of the DFWCUG
copyright 2001, facts, opinion, and rumor. not responsible for inaccuracies.. go away.

You'll know them when you see them..

This advice was spoken in hushed tones as we approached the yearly Mecca of hackers, the DEFCON in Las Vegas, NM.

The fact that the con is held in Las Vegas should have given me a clue.. Las Vegas is a truly insane city, a madhouse where Dallas and L.A. drivers seem reserved by comparison, and in retrospect, DefCon9, with its own surface ripple of bedlam concealing a howling vortex of activity, seemed to be right at home in this fast-moving, bizarre place.

Before I get ahead of myself, the scenario should be laid out so that this really thrilly careen through scared air and errant data packets, and the purposes behind our part in it, will make some kind of sense.

It began with the decision of our group to take on a project, to create and operate a bastion host, a sort of internet bunker, and join in the hacking festivities at DEFCON 9. DefCon is yearly hackers' convention during which computer enthusiasts from all over the USA and other places can meet, socialize, present hard earned as well as basic knowledge, and of course, hack. Our part in this grand scheme would be to participate in a contest during which our battle-hardened Alpha running OpenVMS would be subjected to the most severe attempts at security and availability violations. We would offer several services, just like any real ISP. We chose inbound telnet, FTP, and webservice, which would include a prestigious VMS user account where anyone could create a web page. An additional opportunity for diversion during the event would be the annual `DEFCON Shoot' at the Boulder City Gun Club's public range.

Driving from Dallas, Texas at 3 PM on Tuesday, July 10th, our trek took us out Hwy. 287 to Amarillo, and then out I-40 all the way to Nevada. We spent Wednesday night in Las Vegas at the circus circus, a wild and riotous place, filled with children and gamblers. The layout of the hotel is such that one must pass through at least one casino to get to one's room, or to the buffet, which, it turned out, served up a healthy dose of what I suspect was staphylococcusaureaus. The usual time to become sick from the poisonous excrement of this microorganism is about 8-12 hours, and so by ten p.m., I didn't feel so well, and by 1 a.m., I was indeed worshipping before and upon the porcelain idol. The remainder of the stay was at the St. Trpoez hotel, which is a 5 minute walk to the Alexis park hotel where the `con was to be held. The San Tropez was nice and quiet, a contrast to the Alexis Park, in which more of the fun-loving attendees which would party all night.

We did get a chance to do the "Star Trek Experience" which is like being *in* STTNG itself, and it was well worth it. While on the last part of the 'wild' part of the experience, in the shuttlecraft, which wildly pitched and shook while evading, by mere inches, Klingon warships and other dangerous objects objects like the real flight simulator it is, the system experienced an "emergency stop". I tried to claim "first hack!" but only skeptical looks were returned from my co-conspirators..

We showed up early for DefCon registration, and as we waited, the halls of the Alexis Park hotel began to fill with what appeared to be a young cross-section of America, the average age being about 25. Did I know the hackers when I saw them? How to tell the veeblefesters from the feds from the hackers? Let's just say that you can't tell a hacker by looking. Sure, the black t-shirts with f* microsoft and/or novell, and the preponderance of notebook computers emblazoned with hackish stickers and various hazard labels might have given one a sense that these were indeed a special people, but stripped of this symbology, you'd never know. Makes ya kind of want to be polite to strangers, eh?

DefCon, like DECUS lugs, is run mostly by a staff of volunteers, which at the `con, are affectionately known as `the goons'. These hardworking people manage the event, keep the NOC (network operations center) up, and handle many of the security and procedural issues, as well as answering questions, chairing sessions, and expelling troublemakers (but not until after a warning or two.. more about how to get thrown out of DefCon later).

One of the first things I saw was what looked like a beat-up old suitcase sitting on a table, with a young man sitting behind it. A hastily scrawled sign taped to the edge of the open lid proclaimed the suitcase to be an MP3 server with 32GB storage. The young man was pleased to show the machine to me, and I was impressed by the fact that inside the suitcase was an Intel motherboard, and several hard disks, all attached to the inside of the thing. Musical luggage. Make no bones about it, the O/S was linux. A DefCon goon happened to be sitting there, and we had a fascinating discussion ranging from kernels to politics. I didn't miss the chance to do some VMS and hobbyist proselytizing, and soon had traded contact info with these guys, towards the end of getting them hooked up with some vaxen or alphas to play with. The goon, a consultant, recalled vaxen and VMS from his earlier days, and the youngster was fascinated by yet another platform, which could be added to his extensive home network.

Registration opened and a queue was formed and a table set up with four volunteers who would, in exchange for the sum of $50, hand you a badge for the event. No names or other information was recorded, although some of the attendees held the belief that FBI agents with fiber optic cameras roamed about taking pictures of everyone. A little paranoia goes a long way, especially when you are talking about instances of hacking with someone you do not know.

A guy in front of me by a couple places seemed to be having some trouble with the registration clerk a couple places down the table. As it turned out, he was short on greenbacks, but he did have about $47 worth of Belgian francs.. Unfortunately, the registration desk didn't seem to be too interested in perfectly good Belgian francs, much to the indignation of the gentleman. Having been to Belgium, I recognized the money, and traded him out for a $50-spot. This man turned out to be none other than Cedric Zool, the notorious Belgian hacker. This was a stroke of luck, as we fell into a conversation, and I discovered that VMS was one of his favorite operating systems, and the only one he really trusted for his important data. I asked him if he was going to play Capture the Flag, and my friends needed little convincing to join the same team as he. (Team Green -the theoretical color of the thick bundle of cat5 network cables snaked to one of several 30' long tables in a ballroom).


Capture The Flag


The CTF contest is a game where teams are formed, having a ratio of bastion hosts to hackers of from 1-8 to 1-100 (very flexible roolz which sometimes change during play), and the teams compete for points by having their members achieve certain things. The system managers and admins run their hosts and provide services, which include webservice, telnet, pop3 and smtp mail, news, ftp, and whatever else they want to throw on the fire. The hackers on the same team as the particular host tries to find and hack whatever hosts are online at other teams IP allocations. For instance, one team had 10.255.10.xxx, and another team had 10.255.20.xxx, and so on. Another class of participants known as the The Bastard operators from hell [BOFH] run their hardened systems in another IP allocation known as the Grey network, and offer services to the DefCon intranet users including the hackers of all teams, and anyone is welcome to take a shot at those systems. The Gray BOFH and hackers also freely hack any system on the network. No `points' are awarded to the gray BOFH and they pretty much wreak havoc on whatever they can. Keep in mind, this is a *game*, where every participant agrees to endure whatever fate their computer o/s or programs may suffer. The idea is to display prowess at finding weaknesses in computer systems. One cannot fix weaknesses if they are not known, after all.

The game began at 10 a.m. on Friday. The VMS machine on the Green team was configured with Apache web server. As we are aware, VMS is an extremely secure operating system. While many of the other boxes in the room, mostly Unix, linux, and forms of windows, and even a Macintosh, were compromised and subsequently attended to by their masters, the VMS system remained intact. Here is where a real security issue comes into play.

We were very confident of the VMS box, and a lot of interest was generated by it. In the spirit of spreading the good word and educating the people about VMS, we ended up answering a lot of questions about VMS, and showing how the machine automagically added user accounts, and demonstrated the various terminal games and web pages which had been created. We were also aware that, in this crowd of 5000+ hackers, someone might be able to weasel their way into the machine if any security measures were taken lightly.

As events would have it, we had an issue, which we did not understand, with the operation of the serial port used as the operators' console. At 2:00 a.m. Saturday morning the system manager decided to telnet to the box in order to do some routine checks. Using Telnet in an environment with 5000 hackers on your network is an insecure method of administering a computer system. A lot of people were fascinated by the VMS system, and had asked many questions about it, shoulder-surfing the console operator, who of course answered their questions in this friendly game of an environment.

One of the hackers who had been showing a lot of interest in the VMS box happened to be sniffing packets from the system manager's PC. He discovered the password to the account, a simple procedure any 13 year old kid can pull off with ease after a little social engineering. The hacker logged in, and placed a couple text files (his mark for points) in the manager's user directory, and then notified the system manager in order to claim the points. There were no points for hacking the machine because the files were placed in a user directory instead of the `root' VMS directory. He was awarded 10 points for social engineering.

Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it. By using a telnet session on an open network, the system managers' login information was freely made available to any who cared to record it. Giving away your login info in this way to a hacker who subsequently uses it does not constitute being hacked, it constitutes an error in security procedure. The thought of improved security, such as some level of encryption for telnet on VMS, immediately comes to mind. Be very afraid.

(* editors note: That was 2001. SSH/SSL is now included in VMS and there has never been an incident)

The Alpha was disconnected from the haxor network, the serial port issue (our fault alone) was fixed, and the network was reconnected. The incident did not repeat, nor did any hack whatsoever of the VMS system take place during the event. The hackers bombarded the box with telnets and ftp attempts to every bizarre port number imaginable, obscure ports in the 40,000 range and more. The word of the early-morning incident had spread, and those seeking glory and a reputation besieged the box.

Another kind of social engineering, involving a clever lie intended to trap those who would think it cool to hack the NOC was presented in this way: People came by, with an IP address, saying, "here is the IP address for the NOC, have fun". It was really an outside IP address, and this was a ruse to make those who listened loose points for attacking sites outside the defcon network. Hacking outside the CTF network was forbidden.

As the game progressed, the goons announced that there were not enough hackers (huh? The tables were *full* of people). To make it more enticing, the point award for placing your mark in the root directory of a server (bastion host) was increased from 10 to 100 points. We speculated, from the network traffic map we were watching, that the hackers were to a great degree ignoring the fortified servers and trying to bring down each others' PC's. Our team, the Green team, was far in the lead, and had a larger server-to-hacker ratio than the others.

Later, the rules were changed again, allowing teams to merge in order to combine points. When this happened, our lead evaporated. No one wanted to join us because we were mostly BOFH. The Red and Blue teams joined to make Purple. The Ghetto Hackers (who had previously operated on the grey network) and the Digital Revolution teams joined forces. The black team was standalone, but did not want to join the Green team.

Another rule change 'averaged' the server points for each team. This reduced our points.

We viewed all of these changes as solely benefiting the teams with a high percentage of hackers, at the expense of the BOFH-heavy teams. Even though the rules were changed after the game was started, we (the VMS BOFH of the Green team) do not take issue with this or with the effect it had on our points standing. Our mission was to subject our Alpha VMS system to one of the worst possible scenarios and survive unscathed, and this we unfailingly did. While they hacked and reveled, we slept. The moral of the story is twofold:
"VMS will stand up flawlessly to the best hackers the world has to offer", and
"never allow a circumstance where someone can snipe your login".

Near the end of the third day, it was printed in the periodically updated intranet scoreboard, that "the green team's vax is running vms and seems to be unhackable" (not exact quote but real close). After this showed up, the machine was pretty much ignored. Strangely, they kept calling the Alpha a VAX, but it is understandable. Next time we'l get a big sign that says "Alpha" and put it on our machine, or maybe we'll bring a vaxcluster.

We had about 50 user accounts generated, mostly by people trying to find a weak place to pry into. It was amazing how many usernames started with the same four letters. Most people did not take advantage of their webservice, which was a pity, but they were diligently hacking, so it was expected that they would ignore the proper use of the services, and just try to break them. The main system webpage, "Miss Nude Argentina" was undoubtedly the best web page on any server present and it drew much attention as people read the articles. Despite the name, it contained no obscenity of any kind. The DFWCUG has moral standards after all.

At the end, the scores were as tabulated below:

Team Points
Gray (Ghetto Hackers + Digital Revolution) 829
Purple (Red + Blue) 809
Green 402
Black 32

As can be seen, if the rules had not been changed, we may well have had done better in the game. The game rule flow itself was much like hacking. Change should never be a surprise, and the rules are those of the moment, according to periodic announcements by the Goon In Charge. We consider this volatile environment a valid test of VMS security. We will present the highlights of our security logs along with those from two unnamed partners in a white paper at a later time. The Green team was awarded two t-shirts, two ball caps, a 4-port PCI NIC with DEC chips, and $100 in cash. We unanimously decided to donate the cash to the FreeBSD organization.

During the closing session at about 4 PM Sunday, the Ghetto Hackers, which are the most respected and skillful, gave the Green team `props' because our stuff stayed up and our `root' was the only one they did not get. We consider this a positive note and a high compliment, coming from this well-accomplished group.


Other events:

Social engineering Contest:


The winning team took a professional video camera into downtown Las Vegas and proceeded to engineer their way into the prestigious Studio 54 club. One member masqueraded as Jason Biggs from "American Pie", and sought entrance into VIP areas in '54 on the premise of producing an upcoming sequel. He had been assigned an escort by the '54 entertainment manager, and his spoofed `entourage' of manager, agent, cameraman, etc., followed him everywhere, and the starstruck women inside the club were lining up to meet and dance with the famous Jason Biggs. Over three hours of video was captured, and edited into an extremely amusing 15 minute video, leaving no doubt whatsoever that the '54 staff and guests were completely fooled. The most brazen act was when they were about to gain entry, a '54 bouncer wanted to see Biggs' I.D. card. The hacker showed his real drivers license, with the explanation that Jason Biggs is a stage name only!

Hacker Jepoardy:


The team "CTAK" (?spelling) won, and accounted their success to Teamwork, Intelligence, and Arrogance.

Cyber Ethical Survivor:


A first-time attendee and a beautiful young female as well, "Oklahoma", won this competition, which consisted of placing three teams of five people in situations where ethical challenges related to computer use were presented. Like the TV show, a person is voted out at the end of each round. Oklahoma attributes her success to her parents: "Due in great part to my parents, if they hadn't been such hard-asses and dragged me out of the lamer stage this would never have been done".

The DefCon Shoot:


A shooting experience, a great excercise of our second-ammendment rights, was held on Saturday at the Boulder City Gun Club's courtesy range. The Gun Club was kind enough to allow DefCon attendees to bring their own targets of just about any kind. The only restrictions were no illegal ammo or firearms, no full-auto fire, and no .50 caliber fire. Needless to say, no trash to be left, no glass, etc.

Saftey was of first priority and the rules for fire, cease fire, etc., were clearly laid out and simple to follow. The Range Master called the shoot, assisted by three helpers to supervise the event and watch for/help with any unsafe conditions which might arise. None did.

An invitation was made for anyone unfamiliar with firearms to get help with saftey and shooting techniques.

Shooting, a gentlemans'/gentlewomans' sport, is a well-respected part of our American heritage, and, as Texans, we could not pass up the opportunity to test our aim against various woden pallets, beer kegs, clay pigeons, plastic jugs, bowling pins hung from tall 'sawhorses', expired fruits, and other sundry items. The DFWCUG participated with our SPAS-12 semiautomatic shotgun and one of our USA-made AK-47's (no Chi-Com weapons here!). The DFWCUG expended approximately 120 rounds of 12 ga. slugs and 320 rounds of Russian 7.62x39 ammunition. It was very challenging to hit the bowling pins at 25 yards with slugs from the 12-guage. The planks of the wooden pallets at the same distance did not fare so well against the shotgun, several neat but large holes being punched through them by the slugs.


Notes:


Possible advisory:
It looks like Windows 2000 puts the system name and version of IIS in the returned data from "ping".

Odd Things that were noticed:


A payphone was stolen, and after the thief was arrested, a 'treasure hunt' was conducted to find it and return it to the hotel. It makes no sense to piss the hotel off! A cellphone was found in the bottom of the pool. A drunk attendee was tied up with Cat5 cable and used as an IRC portal, with his permission!. Someone "tripped" over the power cable to the Green team's VMS box (sore Luser?). A floppy disk was created that, when inserted into a LINUX box, took over the root and in some cases messed the pc up as well. Several people were walking around, casually sitting down at a table, and using this attack. Gothic Chicks! Some guy wearing a dress (oh well..). A wallet was stolen. The CTF network gateway was hacked or taken down for a bit (a dumb thing to do, since it's needed for the game play). Other teams enlisted various Lusers and minor minions to walk along the tables and shoulder surf the hackers and BOFH. A payphone was covered with stickers until you couldn't see the phone. The buttons were covered, but the vandal politely scored the stickers so that the buttons could be used. Alot of the systems had no case covers, and several consisted of a bunch of parts just laying together. Stickers with rude sayings were freely distributed and found their way onto PC's and monitors. A battery-operated clandestine 20 watt FM radio station was operated and played MP3's. An online MP3 server was built inside a suitcase from individual PC components, screwed or glued in place, and connected to the network for the enjoyment of all.

Who should attend?


DEFCON is truly an event for all adult ages. It would be best to accompany your younger son or daughter to the event. In case of a daughter, an vicious chaperone wouldn't be a bad idea. If it were a movie, it would be rated R for language. Most of the people are really cool, but as with any large cross-section, there were a very few nasties about. I came away from the event with a great deal more knowledge of computer networking and security, and made some good contacts. Would I do it again? Yes. It was the most fun I have had since the VMS Hobbyist License Program was instituted.

How to get kicked out of DefCon:


Taking pictures or videos of people without permission.
Damaging the hotel infrastructure.
Getting caught stealing.
Generally being an a**hole, such as spreading hate stuff, getting in people's faces, cheating at the games, etc..

Results availability:


DEFCON details - check about July 29 2001 or so at shmoo.org
Green team details - some details will be available at deadly.org later. Just keep checking!