This week we have the DefCon 20 and Black Hat computer security conferences in Las Vegas — reasons enough for me to do 2-3 columns about computer security. These columns will be heading in a direction I don’t think you expect, but first please indulge my look back at the origin of these two conferences, which were started by the same guy, Jeff Moss, known 20 years ago as The Dark Tangent. Computer criminals and vigilantes today topple companies and governments, but 20 years ago it was just kids, or seemed to be. I should know, because I was there — the only reporter to attend Def Con 1.
In those days there were no independent computer security research organizations. There were hackers, or more appropriately crackers, as they were known.
Def Con (notice the different spelling) was a computer criminal’s rave where — for reasons I could never quite understand — the cops were invited to attend. The Dark Tangent can now legally drink at his own show (he couldn’t 20 years ago), he picked up a real name along the way and even an MBA, so of course the show is now supposed to make money. They still play Spot the Fed, with the person who spots the Fed getting a t-shirt that says, “I spotted the Fed,” and the Fed who has been outed receiving a shirt that says, “I am a Fed.” It’s cute, but no longer clever.
Def Con 1 attracted around 150 hackers and crackers to the old Sands Hotel back before ConAir Flight 1 smashed the hotel to bits for a movie. The year was 1993 and InfoWorld, where I worked in those days, wouldn’t pay my way, so I went on my own.
It was surreal. I knew I wasn’t in Kansas anymore when my cellphone rang in a session, setting off four illegal scanners in the same room. As I left to take my call in the hallway I wondered why I bothered.
There were two high points for me at Def Con 1. First was the appearance of Dan Farmer, then head of data security for Sun Microsystems. Dressed all in black leather with flaming shoulder-length red hair and a groupie on each arm, Dan sat literally making out in the back row until it was time for his presentation. But that presentation was far more entertaining than the smooching. In a series of rapid-fire slides Farmer showed dozens of ways in which crackers had attacked Sun’s network. He explained techniques that had failed at Sun but would probably have succeeded at most other companies. It was a master class in computer crime and his point, other than to prove that Dan was the smartest guy in the room, was to urge the crackers to at least be more original in their attacks!
But the best part of Def Con 1 was the battle between the kids and hotel security. Contrary to popular belief, breaking into Pentagon computer systems was not very lucrative back then, so many of the participants in that early Def Con did not have money for hotel rooms. The Dark Tangent handled this by renting the single large meeting room 24 hours per day so it could be used after hours for sleeping. Alas, someone forgot to explain this to the 6AM security shift at the Sands. Just as the hardy group of adventurers returned from a late-night break-in at the local telephone company substation, fresh security goons closed the meeting room and threw the kids out.
It is not a good idea to annoy a computer cracker, but it is a very bad idea to annoy a group of computer crackers bent on impressing each other.
The meeting reconvened at 9 or 10 with the topic suddenly changed to Revenge on the Sands. Gail Thackeray, then a U.S. Attorney from Arizona who at that moment had approximately half the room under indictment, rose to offer her services representing the kids against the hotel management.
Thackeray had been invited to speak by the very people she wanted to put in jail. I told you this was surreal.
Adult assistance might be nice, but a potentially more satisfying alternative was offered by a group that had breached the hotel phone system, gained access to the computer network, obtained root level access to the VAX minicomputer that ran the Sands casino, and were ready at any moment to shut the sucker down. It came to a vote: accept Thackeray’s offer of assistance or shut down the casino.
There was no real contest: they voted to nuke the casino. Not one to be a party pooper, I voted with the majority.
Gail Thackeray, feeling her lawyer’s oats, was perfectly willing to be a party pooper, though. She explained with remarkable patience that opting en masse to commit a felony was a move that we might just want to reconsider, especially given the three strikes implications for some of the older participants.
We could accept her help or accept a date with the FBI that afternoon. The Sands (now the Venetian), which was ironically owned by the same folks who used to run Comdex, never knew how close it came to being dark.
It was a thrilling moment like you’d never see today. Everyone who was in that room shares a pirates’ bond. And though I can’t defend what we almost did, I don’t regret it.
And like the others, I wish Gail Thackeray had stayed in Arizona and we’d shut the sucker down.
Tomorrow: the surprising future of computer security.
Ah… The good old days….
Yes. The Glory Days.
Now all Americans have to do is to beat up on some poor kid who thinks it is wrong to conceal war crimes.
Bradley Manning. The only decent American.
There are plenty of decent Americans, as there are plenty of terrible Swedes, Dutch, Swiss, and any other cultures conventionally considered as decent. Numerically, I’m sure there are more decent Americans than the others combined.
Manning, as in Snowden, are truly flawed characters and not so easily (and falsely) painted as heroes. Had Manning solely released the video, it would have been whistleblowing (though I don’t think it is clear that those guys were intentionally gunned down – they ran to the van). But releasing 700,000+ State Department cables that have nothing to do with any war crimes is not whistleblowing, it is the symptom of something else, most likely a desire to have a personal effect on history. Well, fine, but you still go to jail for breaking the law. There was no benefit to society to release private cables expressing our diplomats’ personal views of their counterparts in foreign countries and drawing their enmity. Don’t confuse his one whistleblowing action with the hundreds of thousands of others that weren’t.
Discretion is the better part of valor, to be sure.
But Manning didn’t *release* anything to the public. He didn’t publish anything. David Leigh of the Guardian published the passphrase that released 700k+ cables to the public. Can you please get this part straight?
As to whistleblowing, one’s application of the label to any particular situation depends on one’s own interests, which in turn depend on the degree to which one believes the US government is impartially loyal and responsive to its citizens. As any corporate employee well knows, going outside regular order is occasionally a necessary condition for the success of any endeavor, from at least some participant’s point of view.
You gotta admit the cable dealing with the “dancing boys” that Halliburton provided to Afghani tribal leaders with taxpayer money was interesting reading.
Jeff Moss was quite a rebel… http://en.m.wikipedia.org/wiki/Jeff_Moss_(hacker)
The NSA recruiters used these security conferences to pitch the hackers to work for the agencies. Recruiting is easier if you can turn some bright light on a hacker first.
“There was no benefit to society to release private cables expressing our diplomats’ personal views of their counterparts”
Sunlight is a good disinfectant – Kent Blood was one of 20 members of the US diplomatic corps who signed the dissenting cable (known as the Blood Telegram) that denounced US complicity in genocide. Treason? I don’t think so.
Pretty sure we aren’t watching the same video because in the video I saw those “suspects” included cameramen and the only reason people were running back to their car was so they could hightail it out of there. I’m fairly certain you would have reacted in the same manner else become cannon fodder.
Innocent lives were lost that day, don’t downplay that fact.
The future is figuring out how to get the government out of everyone’s private affairs. The latest outrage is they are forcing companies to hand over password files. They probably also have copies of all the private encryption keys from certificate authorities.
I’m seriously wondering if computer tech is a curse, and we’d all be better off going back to the 1950s. Better to be a little less efficient, but still be free.
It not only feels surreal, but it also has the feel of an old Bloom County comic.
That conference got a lot of IT departments to start thinking. When we looked into how easy it would be to get into a system it really scared us. It made us rethink a lot of things. One of the things we learned 20+ years ago was the need to control access to the systems that were critical to our business or operation. A few years later when the Internet came along we asked ourselves “do the process control computers that run our chemical plants really need to be on the Internet?” Do our most sensitive HR and financial systems really need to be on the Internet? When we started asking these questions important network design requirements became obvious. To this day, 20 years later I am amazed how many firms now have their critical systems on a network that has access to the Internet. If you don’t make your systems accessible to the whole planet, chances are greatly reduced that a hacker (or cracker) will be able to get into your business and cause you a lot of trouble.
…
Giving all your systems access to the Internet is like leaving your house unlocked. You hope the rope you used to secure your possessions will keep someone from taking them. Maybe it will, maybe it won’t. Don’t overlook the fact you allowed them access to your house. Data networks are good things — but — do they really need to access the Internet?
Wish I could have made it, but as a – very young – minor, I couldn’t afford airfare to LV and so would just continue to attend HoHoCon, the original phreaker conference. In the scheme of things, I had no accomplishments of my own, but I ran a fairly large Vision-X BB (later switching to Celerity) as I was a courier for INC then USA/Fairlight. Ah nostalgia. I often think of how I could be unknowingly working or interacting with folks I only knew by alias when I was younger.
I remember that story, and it’s still a great one! Looking forward to the next …
Yes, this looks familiar:
https://www.cringely.com/2010/08/01/when-men-were-boys-and-boys-were-stupid/
Good catch. Bob could have used a hyperlink for all but the first and last paragraphs.
Computer Security is an oxymoron. Microsoft dealt with questions about NSA_key before 911 – back in 99:
http://en.wikipedia.org/wiki/NSAKEY
I was at Sun during that time, and Farmer used to show up for meetings (always late) that exact same way. He was never “head of data security” but one of a number of black hat flunkies hired by Sun (after being fired from SGI), IMHO, to keep them under thumb. They were brilliant, insufferable, and in D&D parlance, proudly chaotic neutral.
It’s defcon21