May 3, 2007 at 3:35 am #1334Don DonzalKeymaster
Below are the editing reports by Brian Wilson on his last days at Notacon 4:
Notacon Day 2 – 3
Here is Day 2. Then again, Day 2 was really Day 2 and 3, because, once the Saturday evening events started to wrap up around 1:00 AM, the mass drinking and break out sessions began. One thing I do need to mention is that there was a lot of activities outside of the talks going on the whole time of the con.
For example, ‘DOS Man’ had a display of locks and showed us how to pick different kinds of locks (He also had some picks for sale). The cool thing about the lock pick display was that he left all the locks and picks out for anyone to try and assisted with advice on how to pick locks, lock security, and picking prevention. Other cool displays were all over and someone decided to bring a Nintendo Wii with a projection screen for everyone to play.
The discussion in the EH-Net forums for my Day 1 report brought up the fact that this event seemed to be getting a thumbs down from me. Let me clarify. I was a little down on the technical content of the con. Then again, it is named “Not-a-Con” and apparently for good reason. It is not your typical hacker con in the sense of IT security. It is more of a throwback to cons of old where you hack everything… even the after-parties (More on this below). So keep this in mind as we move through the other presentations I attended:
8 Dirty Little Secrets of Information Security (Presenter: Bruce Potter, Shmoocon founder)
This was a funny presentation and was well thought out. I enjoyed the fact that he covered a lot of different technologies and procedures. He was good at relaying complex topics in a way that non-security users could understand. Bruce covered Windows, OS X, Linux, Unix, servers, hardware, software, web appliances and more. His explanation of Application Armor (the act of controlling software to keep it from committing malicious acts) was spot on and really hit home with how security is needed on many layers. He went on to explain how networks and systems are getting more complex, and our ways of securing them have not changed much in the last 35 years. He then showed us a DoD document from 1972 where the Air Force explained that with a fully patched Unix system, they were still being hacked. Furthermore, more controls and procedures need to be implemented to help protect information systems. This is where the talk started getting good. He then talked about the history of security. He also brought up the point the companies that pay for 0-days scare him, because their business is to use the 0-days to make money by claiming that their product has more patches for 0-days than the next vendor. So his point was, “What is the motivation for the security patching/pen testing companies to help fix the issue, since they profit from the issues?” Other valid points he discussed were that the corporate side of 90% of the industries are not concerned about securing networks but just want to keep up with compliance ( SOX, HIPPA, & others). He also brought up points that “you can never train everyone in a network,” so you have to program better code and implement better policies to protect the infrastructure. I enjoyed this talk so much that I paid $15 for a copy of the DVD, just so I could make sure I got all the information from his talk. Well time ran out before he could get though all the security secrets, but this was by far the best session I sat in on. I will add there was little standing room left after he started to talk, and I did not hear a single person at this con have anything bad to say about this session.
Online Communities and the Politics of DDoS (Presenter: Seth Hardy)
Seth started his talk with the mistakes he had made in the past with the free community sites he has run and the fact that there is always users that want to cause problems for others. He also explains the dynamics of dealing with an open community, how to agree on rules and when to enforce them. This is especially hard when you are trying to accept everyone.
He explained the way a botnet is built and controlled on a basic level. He also explained how it is not to easy to find and stop control channels on a IRC network. He also explained how to trend and find bots in IRC, so they can be turned off or stopped.
Next he explained a few different types of attacks and gave details on how each kind of attack works. His explanation of how the attacks functioned was explained very well. He covered:
Types of DDoS (discussed in the talk):
• Ping Flood
• SYN flood
DDoS Counter Measures:
• Quick and easy to do
• Cuts off you connectivity
• Change your IP address (& pray the botnet dose not follow you to your next IP)
Tools to prevent DDoS
• IDS (Intrusion Detection Systems)
• IPS (Intrusion Protection System)
• DDoS Mitigation Devices
• Contacting your ISP
o ISP might not be to helpful if your not a top level customer
o Best they normally offer is to black hole traffic
Basic Response Process
• ID the issues via a traffic capture
• Contact your upstream provider
• Contact providers of the attackers
Other responses to a DDoS Attack
• Determine who the attacker is…
• Persuade the attacker to stop
• Wait it out
• Who is at fault?
• Why are you being attacked?
• What did you do?
• Do you use IRC?
Squarewave to Heaven (Presenter: Nullsleep)
Nullsleep was using old Midi and squareway devices to make music. It was amazing to see the different kinds of music made from these older platforms. The complexity of the sounds made and mixed sounded very high tech, and it was interesting to see older 8 bit technology being used in this way. I could easily see this music in a techno club or even used as dance music. Unfortunately I can only convey that I liked this talk/demonstration, since you would have to be there to truly enjoy it. Below are the different devices used to make the music:
• Commodore 64
• Atari ST
• Game Boy
• NES / Famicom
Here are some links to sites that feature this kind of music:
Telco Q & A (Speakers: Paul Timmins & Co)
First thing to say is that the room was full as this was a very popular talk. The way this talk worked was that they passed out notepads, and the audience wrote down questions they wanted answered, and the speakers tried to answer them. The talk started with the different speakers explaining their role in the telecom industry and sharing their experiences. After the brief introduction the room started passing the question notes up. Most of the questions where about how to be the 10th caller in a radio contest, but there were a lot of good questions about different services and how much should you pay for them. The biggest issue with questions like “how much should I pay” is that it all depends on where you live and how much competition is in the area. Other good questions where about PRI & BRI (PRI 23B channels [for voice] and 1D channel [for signaling] BRI 2B channels and 1D channel). There was also a lot of talk about how bad this service provider verses that one. Another interesting thing was the talk on Caller ID spoofing. The speakers made it sound like it could not be done and also pushed that it’s a bad idea (I agree it’s not good to screw with the public telephone service). I did raise my hand and tell them you can spoof caller ID, and that it is very easy. I then went to explain that there are companies that use this as a business model. I got the idea at this point that they did not want the group to understand how caller ID spoofing worked (for good reason again because if you spoof called ID you can trash the call routing and cause 911 trucking issues for you and possibly your area). I did explain that there is http://www.spoofcard.com and a lot of international SIP providers that allow you to send custom (spoofed) caller ID. After that the speakers ran out of time and the questions poured into the hallway. It seams this is a hot topic and the old days of Phone Phreaking might be coming back.
Final Thoughts on Notacon 4
Saturday night, Irongeek, a few others and I went to the bar for drinks. We talked about hardware key loggers and a lot of other geek stuff and finished off a few drinks. Around midnight the Block Party started, and it was like an alternative art festival. I would just like to say a Demo Party is very fun and has all kinds of cool computer generated entertainment. About 1:00 AM the Block Party started to fade out and the micro parties began. Room by room and floor by floor you could jump into and out of smaller parties. I ended up not going to sleep that night and just kept partying with the rest of the con until the next day. I will say that when Day 3 started, about half the con was asleep or hung over.
The last day was more like a big farewell and was kind of depressing. This was not an effect of the all night sessions, but because everyone was preparing to go home. That was the one big takeaway from this event. It is a people event. For this reason, the ending celebrations & closing ceremonies were cool, because we found out that Notacon was finely in the black. With Notacon now debt free, it was guaranteed that there would be a Notacon 5 next year. I hope you enjoyed my attempt at reporting this con for all of you, and we’ll see you next year.
Be sure to add your comments,
May 3, 2007 at 9:21 am #12685AnonymousParticipant
well it definitely seems like Day 2 was much better. Those talks looked alot more interesting. Bruce Potter is a really sharp guy and i am looking forward to moving back to the DC area because he does alot of talks with the local security groups in the area. i remember Defcon 10 when he talked about how bad it was going to get with 802.11 and pretty much everything he talked about came true. not to mention all his work with aircrack when that was the only tool doing what it did.
good writeup Brian.
You must be logged in to reply to this topic.