October 23, 2007

San Diego's ToorCon keeps hackers current

Author: Joe Barr

ToorCon 9, a hacker's convention, kicked off with registration and a reception Friday evening in the San Diego Convention Center. Keynotes and the talks were held Saturday and Sunday. This was my first time at ToorCon, and I learned why it is so highly regarded among the hacker community. It's good.

There were probably a few feds in the crowd, but for the most part attendees were hackers or hacker wannabes. ToorCon occupied only a small fraction of the enormous convention center; the whole thing was conducted in three meeting rooms on the upper level.

While we were both waiting to register, I met Scott Moulton, who owns a forensics company in Atlanta and gave a talk on Saturday about recovering data from damaged flash drives. While Moulton and I were talking, Johnny Cache happened to walk by and Moulton pointed him out to me. Cache and David Maynor were vilified by the Apple community's bloggers last year after the shameful fiasco at Black Hat last year, when strong-arm legal tactics by Apple not only made it impossible for them to mention the Apple Wi-Fi card in their taped demo of a Wi-Fi exploit, but also to defend themselves from attacks in the blogosphere. Cache was not at ToorCon to give a talk, but simply to attend.

On Saturday, I spent a few minutes with ToorCon's founder David Hulton (h1kari), event coordinator George Spillman (Geo), and Johnny Cache, and learned a little bit about the history of ToorCon. Hulton said that he and a friend started the con nine years ago, when he was 15. They had just returned from DefCon 4 in Las Vegas and decided to do a local version. His friend couldn't participate the following year, but he continued with it, never dreaming, he said, that it would grow to be as popular as it is today.

I also ran into a couple of DefCon regulars -- part of the CoffeeWars crew -- on Friday evening: students like the one who came to hear one of his teachers give a talk about teaching hacking in college, a college math teacher from Chicago there to learn what he could, a sprinkling of talent from San Diego 2600, and assorted l33t and not-so-l33t attendees ranging in age from their teens to at least their 60s.

The keynotes

ToorCon 9 began Saturday morning with an eye-opening, irreverent, F-bomb-laced keynote entitled "Wolverine, Yo' Mama, Spooks, and Osama" delivered by a security engineer named Beetle, who explained he was a last-minute replacement for a speaker who had to cancel. By the time he finished, I don't think anyone was left feeling shortchanged by the substitution.

Nobody was safe from Beetle's wrath. His rant covered the deciders who dictate the story lines at Marvel Comics, the Slashdot crowd, Google, politicians in Washington, the American public, and the hacker community itself.

After deconstructing the story lines of several comic books over the past year or two, applying criticisms and sarcastic commentary as needed, he paused and asked what some in the audience were wondering: Where he was going with all of this? Then he dived back in and started to work on Slashdot and Google. With graphs showing the number of comments that various stories that appeared on Slashdot got, he illustrated how stories are much more popular on Slashdot before all the facts are known, when opinions are shaped by fanboys and bloggers who opine without the benefit of a clue.

Beetle used the aforementioned story of Johnny Cache and David Maynor to illustrate his point. The truth of the matter was finally revealed when Maynor was freed from the non-disclosure agreement last year, but interest in the matter was basically gone.


As for Google, he began by referencing the NSA and its spooks, and the controversial monitoring and data mining they are doing on American citizens. Then he remarked how Google did much the same thing with our search requests, then sold the results so they could be used for targeted advertising.

Beetle also lampooned America's attitude toward China. He pointed out that we, led by the politicians in DC, were all in an uproar over lead paint on children's toys, but concern about China as the source of spam or Internet attacks on our military and government networks? No uproar over that, so evidently that's no big deal.

Several things had happened by the time Beetle finished: the F-word had become nothing more than punctuation, the crowd almost unanimously had been entertained and won over by his rants, and everyone was wide awake. That's a good way to start a con.

After a second keynote called "Black Ops 2007: Design Reviewing the Web"-- Dan Kaminsky had the misfortune to follow Beetle -- the con was off and running.

The talks

There were only two tracks at ToorCon -- one about hacking things and one about defending things from being hacked. One of the three meeting rooms was labeled Attacks, another Defense. The third room housed a live hacking competition, where teams competed to see how many and how quickly they could own various servers on the LAN. Also in the room were a book publisher hawking its wares, representatives from the Hacker Foundation selling T-shirts and memorabilia, and others.

On Saturday, all the talks were an hour long. On Sunday, the talks were only 20 minutes long, a format which seems to be growing in popularity at hacker cons. Most often, the crowd would stay in the same room when one talk was finished and wait a few minutes for the next to begin.

One of the more popular talks was called "Exposing Stormworm." You may have heard or read some of the buzz about Stormworm this past summer. It's a new generation of botnets that are being used by spammers to make sure you always know about the best deals on penis enhancement and get-rich-quick stock purchase opportunities. Brandon Enright, a network security analyst at the University of California, San Diego, and a code contributor to open source projects such as Nmap, came to ToorCon not to hype the dangers of Stormworm, but to deliver the results of research that monitors its size.

The Stormworm botnet is an impressive phenomenon. Enright displayed graphs of active -- defined as being online and capable of being controlled -- Stormworm nodes based on monitoring the night before his presentation. They numbered about 22,000. That's a powerful force, but far short of some of the estimates that have been seen in print. Enright said that while many millions of Windows systems have been infected by Stormworm, they haven't all stayed infected, as its fingerprints are now well known.

VoIP and Wi-Fi were popular topics, for both tracks. I attended three 20-minute talks on VoIP. The first explained how to hack a VPN used for VoIP and hop into the data network. The speakers suggested I attend another talk, this one on defense side, on the same topic. That one suggested I catch Druid's talk on Context-keyed Payload Encoding. From those three talks it's clear that VoIP, like Wi-Fi, was designed without concern about security. Hopefully, both areas will eventually provide better security, but today they are a collection of vulnerabilities.

I also enjoyed a panel talk on "Building Hackerspaces," hosted by Nick Farr of the Hacker Foundation and Eric Johnson (3ricj), who is involved with a hackerspace in the Seattle area. I learned that a hackerspace is similar to a LUG, but not the same. It's a community-owned and -governed space where people who enjoy hacking can gather and work together on the project of the moment.

ToorCon 9 was a great con. I think I enjoyed it more and learned more than at any other I've attended. It may be smaller in attendance, but not in content and style. A DVD containing all the talks is slated to be for sale, or if you're the patient type, you can wait for the videos to appear on the ToorCon Web site.


  • News
  • Events
Click Here!